
Web Application Firewall: Match conditions

Last Updated: Jul 31, 2025

When you configure whitelist, custom, or bot management rules, you must configure match conditions to define the features of the requests you want to match. This topic describes the supported fields for match conditions and their descriptions.

What are match conditions

Match conditions are the request features that Web Application Firewall (WAF) inspects. When you configure whitelist rules, custom rules, or bot management rules, you define match conditions to specify which request features WAF inspects. If a request meets the match conditions of a rule, the request hits the rule, and WAF processes the request based on the action specified in the rule, such as Allow, Block, or Challenge.

A Match Condition consists of a Match Field, a Logical Operator, and Match Content. The following are example configurations:

  • Example 1: If Match Field is set to URI, Logical Operator is set to Contains, and Match Content is set to /login.php, a request hits the rule when the requested path contains /login.php.

  • Example 2: If Match Field is set to IP, Logical Operator is set to Is, and Match Content is set to 192.XX.XX.1, a request from a client with the IP address 192.XX.XX.1 hits the rule.

Important

The content of a request that uses a common encoding method, such as URL encoding, HTML encoding, or Unicode encoding, is decoded before it is matched against the specified match content.
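The following added example (a local model written for this page, not Alibaba Cloud's implementation) evaluates a match condition as a (match field, logical operator, match content) triple and shows why decoding before matching matters: the encoded variants of /login.php only hit the rule after decoding. The function names, the repeated decoding rounds, and the sample requests are assumptions; only URL and HTML decoding are modelled, not Unicode encoding.

```python
import html
import ipaddress
from urllib.parse import unquote

def decode(value, max_rounds=5):
    """Undo URL and HTML encoding until the value is stable (bounded rounds)."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

# Text operators named on this page; both sides are lowercased because the
# page says match content is case-insensitive.
TEXT_OPERATORS = {
    "Equals": lambda v, c: v == c,
    "Contains": lambda v, c: c in v,
    "Prefix Match": lambda v, c: v.startswith(c),
    "Suffix Match": lambda v, c: v.endswith(c),
}

def belongs_to(client_ip, blocks):
    """True if client_ip is inside any comma-separated address or CIDR block."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(b.strip(), strict=False)
               for b in blocks.split(","))

def hits(condition, request):
    """condition = (match field, logical operator, match content)."""
    field, operator, content = condition
    raw = request.get(field)
    if raw is None:
        return False
    if field == "IP":  # "Belongs To" or "Does Not Belong To"
        inside = belongs_to(raw, content)
        return inside if operator == "Belongs To" else not inside
    return TEXT_OPERATORS[operator](decode(raw).lower(), content.lower())

# Constructed sample requests (documentation address ranges, made-up paths).
LOGIN_RULE = ("URI", "Contains", "/login.php")
SAMPLES = [
    {"URI": "/app/login.php", "IP": "192.0.2.10"},
    {"URI": "/app/%6Cogin%2Ephp", "IP": "192.0.2.11"},    # URL-encoded
    {"URI": "/app/LOGIN&#46;PHP", "IP": "198.51.100.7"},  # HTML-encoded, upper case
    {"URI": "/app/index.php", "IP": "198.51.100.8"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["URI"], "decoded:", hits(LOGIN_RULE, req), "raw:", LOGIN_RULE[2] in req["URI"])
```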

Supported match fields

The following table describes the match fields that are supported for match conditions.

Note
  • The match rules for pay-as-you-go WAF instances are categorized as advanced or basic, each with a different billing standard. For more information, see Billing.

  • Subscription-based WAF instances of the Enterprise edition or higher support advanced rules, such as regular expression matching. No extra fees are charged for advanced rules on these WAF instances. For more information about the rules supported by different WAF subscription editions, see Version Guide.

  • The match content for the following match fields is case-insensitive.

Match field

Description

Supported logical operators

URI

The Uniform Resource Identifier (URI) of a request. The URI specifies the path of the requested resource. In most cases, the URI is a combination of the URI Path and the Query String.

The path must start with / and not include a domain name. For example, /login.php.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use the regular expression operators above are advanced rules. Advanced rules are billed differently from basic rules. For more information, see Billable items.

IP

The source IP address of a request. This is the IP address of the client that initiates the request.

The match content must meet the following requirements:

  • IPv4 addresses (for example, 1.XX.XX.1) and IPv6 addresses (for example, 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff) are supported.

  • IP address CIDR blocks are supported. Example: 1.XX.XX.1/16.

  • Press Enter after you enter an IP address.

  • You can add a maximum of 100 IP addresses.

  • Belongs To and Does Not Belong To

Note

A single protection rule can contain a maximum of 100 IP addresses or IP address CIDR blocks. For example, if a protection rule contains two match conditions where the match field is IP, the total number of IP addresses or IP address CIDR blocks in the two match conditions cannot exceed 100. Separate multiple IP addresses or IP address CIDR blocks with a comma (,).

Referer

The source URL of a request. This indicates the page from which the request is redirected.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use the regular expression operators above are advanced rules. Advanced rules are billed differently from basic rules. For more information, see Billable items.

User-Agent

Information about the client browser that initiates the request, such as the browser identifier, rendering engine, and version.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use the regular expression operators above are advanced rules. Advanced rules are billed differently from basic rules. For more information, see Billable items.

Query String

The query string in a request. This refers to the part that follows the question mark (?) in a URL.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use the regular expression operators above are advanced rules. Advanced rules are billed differently from basic rules. For more information, see Billable items.

Cookie

The cookie information in a request.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use the regular expression operators above are advanced rules. Advanced rules are billed differently from basic rules. For more information, see Billable items.

Content-Type

The content type of the HTTP request, which is specified in the request header. This refers to the Multipurpose Internet Mail Extensions (MIME) type.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Length Equal To, Length Greater Than, and Length Less Than

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use the regular expression operators above are advanced rules. Advanced rules are billed differently from basic rules. For more information, see Billable items.

Content-Length

The number of bytes in the request body. Valid values: 0 to 2,147,483,648.

  • Equals, Value Greater Than, and Value Less Than

X-Forwarded-For

The originating IP address of the client that sends the request. X-Forwarded-For (XFF) is an HTTP request header field that is used to identify the originating IP address of a client that connects to a web server through an HTTP proxy or a Server Load Balancer instance. Only requests that are forwarded by an HTTP proxy or a Server Load Balancer instance contain this field.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does not contain

  • Does not exist

  • Length Equal To, Length Greater Than, and Length Less Than

Body

The content of a request body.

Important

Custom rules that use this match field are advanced rules. The billing standards for advanced rules and basic rules are different. For more information, see Billing.

  • Is

  • Contains

  • Does not exist

  • Prefix Match and Suffix Match

  • Matches regular expression

Http-Method

The request method, such as GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, TRACE, or PATCH.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

Header

A header in a request. You can specify custom header fields.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use the regular expression operators above are advanced rules. Advanced rules are billed differently from basic rules. For more information, see Billable items.

URI Path

The URI path of a request.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use the regular expression operators above are advanced rules. Advanced rules are billed differently from basic rules. For more information, see Billable items.

Query String Parameter

The name of a parameter in the query string. The query string is the part of a URL that follows the question mark (?). For example, in www.aliyundoc.com/request_path?param1=a&param2=b, param1 and param2 are the names of request parameters.

Note

The value you enter for a custom query string parameter is case-sensitive.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

Server-Port

The server port.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

File Extension

The file extension in the request path, such as .png or .php.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use the regular expression operators above are advanced rules. Advanced rules are billed differently from basic rules. For more information, see Billable items.

Filename

The name of the file at the end of the request path. For example, in /abc/index.php, index.php is the filename.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use the regular expression operators above are advanced rules. Advanced rules are billed differently from basic rules. For more information, see Billable items.

Host

The requested domain name.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use the regular expression operators above are advanced rules. Advanced rules are billed differently from basic rules. For more information, see Billable items.

Cookie Name

The name of a cookie key. For example, in the cookie acw_tc:111, acw_tc is the cookie name.

Note

The value you enter for a custom cookie name is case-sensitive.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Matches regular expression

    Important

    Custom rules that use the regular expression operator above are advanced rules. Advanced rules are billed differently from basic rules. For more information, see Billable items.

Body Parameter

The name of a parameter in the request body. For example, if the request body contains the string a=1&b=2, a and b are parameter names. When you use this field, the match content must be longer than four characters for the rule to detect traffic correctly.

Note

The value you enter for a custom body parameter is case-sensitive.

Important

Custom rules that use this match field are advanced rules. The billing standards for advanced rules and basic rules are different. For more information, see Billing.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Matches regular expression

    Important

    Custom rules that use the regular expression operator above are advanced rules. Advanced rules are billed differently from basic rules. For more information, see Billable items.
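For the IP match field requirements listed earlier in the table (IPv4, IPv6, and CIDR blocks; at most 100 entries across all IP match conditions of one rule), the following added example checks a rule's IP match content before it is entered in the console. It is not Alibaba Cloud code: the function name and sample entries are assumptions, and the warning about CIDR blocks with host bits set assumes standard CIDR semantics, under which an entry such as 10.1.2.3/16 covers the whole /16.

```python
import ipaddress

MAX_ENTRIES_PER_RULE = 100  # limit stated on this page for one protection rule

def lint_ip_match_content(conditions):
    """Check the IP match content of one rule.

    conditions: one comma-separated string per IP match condition in the rule.
    Returns (entry_count, problems).
    """
    problems, count = [], 0
    for idx, content in enumerate(conditions, start=1):
        for entry in (e.strip() for e in content.split(",")):
            if not entry:
                problems.append(f"condition {idx}: empty entry")
                continue
            count += 1
            try:
                iface = ipaddress.ip_interface(entry)
            except ValueError:
                problems.append(f"condition {idx}: {entry!r} is not an IP address or CIDR block")
                continue
            # Standard CIDR reading: 10.1.2.3/16 means all of 10.1.0.0/16.
            if iface.ip != iface.network.network_address:
                problems.append(f"condition {idx}: {entry} covers {iface.network} "
                                f"({iface.network.num_addresses} addresses)")
    if count > MAX_ENTRIES_PER_RULE:
        problems.append(f"rule has {count} entries, limit is {MAX_ENTRIES_PER_RULE}")
    return count, problems

# Constructed sample: two IP match conditions that belong to the same rule.
SAMPLE_RULE = [
    "192.0.2.1, 198.51.100.0/24",
    "2001:db8::/32, 10.1.2.3/16, 203.0.113.256",
]

if __name__ == "__main__":
    total, issues = lint_ip_match_content(SAMPLE_RULE)
    print(total, "entries")
    for issue in issues:
        print(" -", issue)
```

The host-bits warning is most useful when reviewing whitelist rules, where a mistyped prefix length allows far more clients than intended.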