Modifies a rule of a specific WAF protection module, such as the web intrusion prevention, data security, advanced protection, bot management, access control or throttling, or website whitelist module.

Usage notes

You can call the ModifyProtectionModuleRule operation to modify a rule of a specific WAF protection module. The protection modules include web intrusion prevention, data security, advanced protection, bot management, access control or throttling, and website whitelist. You can set the DefenseType parameter to specify the protection module. For more information about the values of this parameter, see the description of the DefenseType parameter.

QPS limits

You can call this operation up to 10 times per second per account. If the number of calls per second exceeds the limit, throttling is triggered, which may affect your business. Take this limit into account when you call this operation.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes ModifyProtectionModuleRule

The operation that you want to perform. Set the value to ModifyProtectionModuleRule.

Domain String Yes www.example.com

The domain name for which you want to modify the rule.

Note You can call the DescribeDomainNames operation to query the domain names that are protected by WAF.
DefenseType String Yes ac_custom

The protection module whose rules you want to modify. Valid values:

  • tamperproof: website tamper-proofing
  • dlp: data leak prevention
  • ng_account: account security
  • bot_intelligence: bot threat intelligence
  • antifraud: data risk control
  • antifraud_js: configuration of a webpage into which you want to insert a JavaScript plug-in for data risk control
  • bot_algorithm: intelligent algorithm for the bot management module
  • bot_wxbb_pkg: version protection for the app protection module
  • bot_wxbb: path protection for the app protection module
  • ac_blacklist: IP address blacklist
  • ac_highfreq: blocking configuration of IP addresses that initiate high-frequency web attacks
  • ac_dirscan: scan protection
  • ac_custom: custom protection policies
  • whitelist: website whitelist
Rule String Yes null

The configurations of the rule. The value is a string that consists of a JSON struct. The JSON struct contains multiple parameters.

Note The parameters that are contained in the string vary based on the protection module, which is specified by the DefenseType parameter. For more information, see the "Description of the Rule parameter" section of this topic.
RuleId Long Yes 369998

The ID of the rule that you want to modify.

Note You can call the DescribeProtectionModuleRules operation to query the IDs of existing rules.
LockVersion Long Yes 2

The version of the rule that you want to modify.

Note You can call the DescribeProtectionModuleRules operation to query the versions of existing rules.
InstanceId String Yes waf-cn-0xldbqt****

The ID of the WAF instance.

Note You can call the DescribeInstanceInfo operation to query the ID of the WAF instance.

Description of the Rule parameter

  • If the DefenseType parameter is set to tamperproof, the value of the Rule parameter consists of the following parameters:
    • uri: the URL that you want to protect. This parameter is required. Data type: string.
    • name: the name of the rule. This parameter is required. Data type: string.
    • status: the status of the rule. This parameter is optional. Data type: integer. Valid values:
      • 0: disables the rule. This is the default value.
      • 1: enables the rule.
    • Example
      
          {
              "name":"example",
              "uri":"http://www.example.com/example",
              "status":1 
          }
          
  • If the DefenseType parameter is set to dlp, the value of the Rule parameter consists of the following parameters:
    • name: the name of the rule. This parameter is required. Data type: string.
    • conditions: the conditions based on which WAF searches for and protects sensitive data. You can specify a maximum of two conditions. The two conditions are specified as a JSON string and must be in an AND logical relation. This parameter is required. Data type: array. The JSON string consists of the following parameters:
      • key: the match item. Valid values:
        • 0: URL
        • 10: sensitive data
        • 11: HTTP status code
          Note You cannot specify HTTP status codes (11) and sensitive data (10) as the match items in the conditions parameter at the same time.
      • operation: the match logic. Set the value to 1, which indicates the INCLUDES logical relation.
      • value: the match value, which is formulated in a JSON string. You can specify multiple values. The JSON string consists of the following parameters:
        • v: This parameter is valid only when the key parameter is set to 0 or 11.
          • URL: If the key parameter is set to 0, the value of the v parameter is a URL.
          • HTTP status code: If the key parameter is set to 11, the valid values of the v parameter are 400,401,402,403,404,405 to 499,500,501,502,503,504, and 505 to 599.
        • k: This parameter is valid only when the key parameter is set to 10. Valid values:
          • 100: ID card numbers
          • 101: credit card numbers
          • 102: phone numbers
          • 103: default sensitive words
    • action: the action that is performed after the rule is matched. Valid values:
      • 3: generates alerts.
      • 10: filters sensitive data. This action is valid only when the key parameter is set to 10.
      • 11: returns the built-in block page of the system. This action is valid only when the key parameter is set to 11.
    • Example
      
        {
          "name":"example",
          "conditions":[{"key":11,"operation":1,"value":[{"v":401}]},{"key":0,"operation":1,"value":[{"v":"www.example.com"}]}],
          "action":3
        }
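The dlp fields above depend on each other (key 10 and key 11 cannot be combined, and actions 10 and 11 each require a matching key), so it is worth checking a rule before it is sent. The following Python code is an added example, not part of this API reference or of any SDK; the function names are hypothetical, and accepting numeric codes given as digit strings is an assumption of the example.

```python
import json

# Codes copied from the dlp section of this page.
KEY_URL, KEY_SENSITIVE, KEY_STATUS = 0, 10, 11
SENSITIVE_KINDS = {100, 101, 102, 103}  # ID card, credit card, phone, default words
ACTION_ALERT, ACTION_FILTER, ACTION_BLOCK_PAGE = 3, 10, 11


def as_code(value):
    """Return an int for 11 or "11"; None for booleans and non-numeric input."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.isdigit():
        return int(value)
    return None


def validate_dlp_rule(rule):
    """Return a list of problems; an empty list means the rule is consistent."""
    errors = []
    if not isinstance(rule.get("name"), str) or not rule["name"]:
        errors.append("name: required string")
    conditions = rule.get("conditions")
    if not isinstance(conditions, list) or not 1 <= len(conditions) <= 2:
        errors.append("conditions: required array of one or two items")
        conditions = []
    keys = set()
    for i, cond in enumerate(conditions):
        key = as_code(cond.get("key"))
        if key not in (KEY_URL, KEY_SENSITIVE, KEY_STATUS):
            errors.append(f"conditions[{i}].key: must be 0, 10 or 11")
            continue
        keys.add(key)
        if as_code(cond.get("operation")) != 1:
            errors.append(f"conditions[{i}].operation: must be 1 (INCLUDES)")
        values = cond.get("value")
        if not isinstance(values, list) or not values:
            errors.append(f"conditions[{i}].value: required non-empty array")
            continue
        for item in values:
            if key == KEY_SENSITIVE:
                # k is the only field that applies to sensitive-data conditions.
                ok = as_code(item.get("k")) in SENSITIVE_KINDS and "v" not in item
            elif key == KEY_STATUS:
                code = as_code(item.get("v"))
                ok = code is not None and 400 <= code <= 599 and "k" not in item
            else:
                ok = isinstance(item.get("v"), str) and "k" not in item
            if not ok:
                errors.append(f"conditions[{i}].value: {item!r} does not fit key {key}")
    if KEY_SENSITIVE in keys and KEY_STATUS in keys:
        errors.append("conditions: key 10 and key 11 cannot be combined")
    action = as_code(rule.get("action"))
    if action not in (ACTION_ALERT, ACTION_FILTER, ACTION_BLOCK_PAGE):
        errors.append("action: must be 3, 10 or 11")
    elif action == ACTION_FILTER and KEY_SENSITIVE not in keys:
        errors.append("action: 10 (filter) is valid only with a key 10 condition")
    elif action == ACTION_BLOCK_PAGE and KEY_STATUS not in keys:
        errors.append("action: 11 (block page) is valid only with a key 11 condition")
    return errors


def dlp_rule_param(rule):
    """Serialize a validated rule into the string expected by the Rule parameter."""
    errors = validate_dlp_rule(rule)
    if errors:
        raise ValueError("; ".join(errors))
    return json.dumps(rule, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample: alert on HTTP 401 responses for one URL.
    sample = {
        "name": "example",
        "conditions": [
            {"key": 11, "operation": 1, "value": [{"v": 401}]},
            {"key": 0, "operation": 1, "value": [{"v": "www.example.com"}]},
        ],
        "action": 3,
    }
    print(dlp_rule_param(sample))
```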
        
  • If the DefenseType parameter is set to ng_account, the value of the Rule parameter consists of the following parameters:
    • url_path: the URL path in the requests that are detected. The path must start with a forward slash (/). This parameter is required. Data type: string.
    • method: the method of the requests that are detected. This parameter is required. Data type: string. Valid values: POST, GET, PUT, and DELETE. You can specify multiple request methods. Separate the request methods with commas (,).
    • account_left: the account. This parameter is required. Data type: string.
    • password_left: the password. This parameter is optional. Data type: string.
    • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
      • monitor: generates alerts.
      • block: blocks requests.
    • Example
      
          {
              "url_path":"/example",
              "method":"POST,GET,PUT,DELETE",
              "account_left":"aaa",
              "password_left":"123",
              "action":"monitor"
          }
          
  • If the DefenseType parameter is set to bot_intelligence, the value of the Rule parameter consists of the following parameters:
    • name: the name of the rule, which must match the ID of the rule (RuleId). This parameter is required. Data type: string.
    • urlList: the URL paths that you want to protect. You can specify a maximum of 10 protection URL paths. Data type: array. The value is a JSON string that consists of the following parameters:
      • mode: the match method. This parameter specifies a URL path in combination with the url parameter. This parameter is required. Data type: string. Valid values: eq (exact match), prefix-match (prefix match), and regex (regular expression match).
      • url: the keyword of the URL path. The path must start with a forward slash (/). This parameter is required. Data type: string.
    • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
      • monitor: monitors requests.
      • captcha: performs common slider CAPTCHA verification.
      • captcha_strict: performs strict slider CAPTCHA verification.
      • js: performs JavaScript verification.
      • block: blocks requests.
    • status: the status of the rule. This parameter is required. Data type: integer. Valid values:
      • 0: disables the rule.
      • 1: enables the rule.
    • Example
      
          {
              "urlList":[
                  {"mode":"prefix-match","url":"/indexa"},
                  {"mode":"regex","url":"/"},
                  {"mode":"eq","url":"/"}],
              "name":"IDC IP Address Library-Tencent Cloud",
              "action":"captcha_strict",
              "status":1
          }
          
  • If the DefenseType parameter is set to bot_algorithm, the value of the Rule parameter consists of the following parameters:
    • name: the name of the rule. This parameter is required. Data type: string.
    • algorithmName: the name of the algorithm. This parameter is required. Data type: string. Valid values:
      • RR: the algorithm that is used to identify special resource crawlers
      • PR: the algorithm that is used to identify specific path crawlers
      • DPR: the algorithm that is used to identify parameter round-robin crawlers
      • SR: the algorithm that is used to identify dynamic IP address crawlers
      • IND: the algorithm that is used to identify proxy device crawlers
      • Periodicity: the algorithm that is used to identify periodic crawlers
    • timeInterval: the interval of detection. This parameter is required. Data type: integer. Valid values: 30, 60, 120, 300, and 600. Unit: seconds.
    • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
      • monitor: monitors requests.
      • captcha: performs slider CAPTCHA verification.
      • js: performs JavaScript verification.
      • block: blocks requests. If you set the action parameter to block, you must also specify the blocktime parameter.
    • blocktime: the period during which requests are blocked. This parameter is optional. Data type: integer. Valid values: 1 to 600. Unit: minutes.
    • config: the configuration of the algorithm, which is formulated in a JSON string. This parameter is required. Data type: string. The parameters that are contained in the JSON string vary based on the value of the algorithmName parameter.
      • If you set the algorithmName parameter to RR, the value of the config parameter consists of the following parameters:
        • resourceType: the type of resource that is requested. This parameter is optional. Data type: integer. Valid values:
          • 1: dynamic resources
          • 2: static resources
          • -1: custom resources. In this case, you must also use the extensions parameter to specify resource suffixes in a string. Separate suffixes with commas (,). Example: css,jpg,xls
        • minRequestCountPerIp: the minimum number of requests from an IP address. WAF detects an IP address only when the number of requests from this IP address is greater than or equal to the value of this parameter. This parameter is required. Data type: integer. Valid values: 5 to 10000.
        • minRatio: the threshold for the proportion of requests that access specified types of resources in requests that are initiated from an IP address. This threshold is used to determine whether risks exist. If an actual proportion is greater than the threshold, risks exist. This parameter is required. Data type: float. Valid values: 0.01 to 1.
      • If you set the algorithmName parameter to PR, the value of the config parameter consists of the following parameters:
        • keyPathConfiguration: the requested URL paths. You can specify a maximum of 10 URL paths. This parameter is required only when the algorithmName parameter is set to PR. This parameter is optional. Data type: array. This parameter is a JSON string that consists of the following parameters:
          • method: the request method. This parameter is required. Data type: string. Valid values: POST, GET, PUT, DELETE, HEAD, and OPTIONS.
          • url: the keyword of the URL path. The path must start with a forward slash (/). This parameter is required. Data type: string.
          • matchType: the match method. This parameter specifies a requested URL path in combination with the url parameter. This parameter is required. Data type: string. Valid values: all (exact match), prefix (prefix match), and regex (regular expression match).
        • minRequestCountPerIp: the minimum number of requests from an IP address. WAF detects an IP address only when the number of requests from this IP address is greater than or equal to the value of this parameter. This parameter is required. Data type: integer. Valid values: 5 to 10000.
        • minRatio: the threshold for the proportion of requests that access specified URL paths in requests that are initiated from an IP address. This threshold is used to determine whether risks exist. If an actual proportion is greater than the threshold, risks exist. This parameter is required. Data type: float. Valid values: 0.01 to 1.
      • If you set the algorithmName parameter to DPR, the value of the config parameter consists of the following parameters:
        • method: the request method. This parameter is required. Data type: string. Valid values: POST, GET, PUT, DELETE, HEAD, and OPTIONS.
        • urlPattern: the path of key parameters. The path must start with a forward slash (/). This parameter is required. Data type: string. You can specify multiple key parameters and enclose each parameter with a pair of braces {}. Example: /company/{}/{}/{}/user.php?uid={}.
        • minRequestCountPerIp: the minimum number of requests from an IP address. WAF detects an IP address only when the number of requests from this IP address is greater than or equal to the value of this parameter. This parameter is required. Data type: integer. Valid values: 5 to 10000.
        • minRatio: the threshold for the proportion of requests that use specified key parameters in requests that are initiated from an IP address. This threshold is used to determine whether risks exist. If an actual proportion is greater than the threshold, risks exist. This parameter is required. Data type: float. Valid values: 0.01 to 1.
      • If you set the algorithmName parameter to SR, the value of the config parameter consists of the following parameters:
        • maxRequestCountPerSrSession: the minimum number of requests in each session. If the number of requests in a single session is smaller than the value of this parameter, the session is considered abnormal. This parameter is required. Data type: integer. Valid values: 1 to 8.
        • minSrSessionCountPerIp: the threshold for the number of abnormal sessions in the requests that are initiated from an IP address. The threshold is used to determine whether risks exist. If an actual number is greater than the threshold, risks exist. This parameter is required. Data type: integer. Valid values: 5 to 300.
      • If you set the algorithmName parameter to IND, the value of the config parameter consists of the following parameters:
        • minIpCount: the threshold for the number of IP addresses that the Wi-Fi connected device accesses. This parameter specifies the condition that is used to identify malicious devices. If an actual number is greater than the threshold, risks exist. This parameter is required. Data type: integer. Valid values: 5 to 500.
        • keyPathConfiguration: the requested URL path. You can specify a maximum of 10 URL paths. This parameter is optional. Data type: array. This parameter is a JSON string that consists of the following parameters:
          • method: the request method. This parameter is required. Data type: string. Valid values: POST, GET, PUT, DELETE, HEAD, and OPTIONS.
          • url: the keyword of the URL path. The path must start with a forward slash (/). This parameter is required. Data type: string.
          • matchType: the match method. This parameter specifies a requested URL path in combination with the url parameter. This parameter is required. Data type: string. Valid values: all (exact match), prefix (prefix match), and regex (regular expression match).
      • If you set the algorithmName parameter to Periodicity, the value of the config parameter consists of the following parameters:
        • minRequestCountPerIp: the minimum number of requests from an IP address. WAF detects an IP address only when the number of requests from this IP address is greater than or equal to the value of this parameter. This parameter is required. Data type: integer. Valid values: 5 to 10000.
        • level: the risk level, which is the extent of obviousness of periodic access from IP addresses. This parameter is required. Data type: integer. Valid values:
          • 0: obvious
          • 1: moderate
          • 2: weak
    • Example
      
          {
              "name": "Crawler identification for proxy devices",
              "algorithmName":"IND",
              "timeInterval":60,
              "action":"monitor",
              "config":{
                  "minIpCount":5,
                  "keyPathConfiguration":[{"url":"/index","method":"GET","matchType":"prefix"}]
              }
          }
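The bot_algorithm rule has per-algorithm config fields with their own ranges, plus the dependency between action block and blocktime. The following Python code is an added example, not part of this API reference or of any SDK, that checks a rule against the values listed above; the function names are hypothetical, and accepting config either as a nested object or as a JSON string is an assumption of the example.

```python
import json

ACTIONS = {"monitor", "captcha", "js", "block"}
INTERVALS = {30, 60, 120, 300, 600}
METHODS = {"POST", "GET", "PUT", "DELETE", "HEAD", "OPTIONS"}
MATCH_TYPES = {"all", "prefix", "regex"}
REQ_COUNT = ("minRequestCountPerIp", int, 5, 10000)
RATIO = ("minRatio", float, 0.01, 1)
# Required numeric config fields per algorithmName: (field, type, min, max).
NUMERIC_FIELDS = {
    "RR": [REQ_COUNT, RATIO],
    "PR": [REQ_COUNT, RATIO],
    "DPR": [REQ_COUNT, RATIO],
    "SR": [("maxRequestCountPerSrSession", int, 1, 8),
           ("minSrSessionCountPerIp", int, 5, 300)],
    "IND": [("minIpCount", int, 5, 500)],
    "Periodicity": [REQ_COUNT, ("level", int, 0, 2)],
}


def is_number(value, kind):
    """True for an int (or int/float when kind is float); never for bool or str."""
    if isinstance(value, bool):
        return False
    return isinstance(value, int if kind is int else (int, float))


def check_key_paths(paths, errors):
    if not isinstance(paths, list) or len(paths) > 10:
        errors.append("config.keyPathConfiguration: array of at most 10 paths")
        return
    for i, path in enumerate(paths):
        where = f"config.keyPathConfiguration[{i}]"
        if path.get("method") not in METHODS:
            errors.append(f"{where}.method: unsupported request method")
        if not str(path.get("url", "")).startswith("/"):
            errors.append(f"{where}.url: must start with /")
        if path.get("matchType") not in MATCH_TYPES:
            errors.append(f"{where}.matchType: must be all, prefix or regex")


def validate_bot_algorithm_rule(rule):
    """Return a list of problems; an empty list means the rule is consistent."""
    errors = []
    if not isinstance(rule.get("name"), str):
        errors.append("name: required string")
    interval = rule.get("timeInterval")
    if not is_number(interval, int) or interval not in INTERVALS:
        errors.append("timeInterval: integer, one of 30, 60, 120, 300, 600")
    action = rule.get("action")
    if not isinstance(action, str) or action not in ACTIONS:
        errors.append("action: must be monitor, captcha, js or block")
    blocktime = rule.get("blocktime")
    if action == "block" or blocktime is not None:
        if not is_number(blocktime, int) or not 1 <= blocktime <= 600:
            errors.append("blocktime: integer from 1 to 600 (minutes), required with block")
    algo = rule.get("algorithmName")
    if algo not in NUMERIC_FIELDS:
        errors.append("algorithmName: unknown algorithm")
        return errors
    config = rule.get("config")
    if isinstance(config, str):  # the page describes config as a JSON string
        config = json.loads(config)
    if not isinstance(config, dict):
        errors.append("config: required")
        return errors
    for field, kind, low, high in NUMERIC_FIELDS[algo]:
        value = config.get(field)
        if not is_number(value, kind) or not low <= value <= high:
            errors.append(f"config.{field}: required {kind.__name__} from {low} to {high}")
    if algo == "RR" and "resourceType" in config:
        if config["resourceType"] not in (1, 2, -1):
            errors.append("config.resourceType: must be 1, 2 or -1")
        elif config["resourceType"] == -1 and not config.get("extensions"):
            errors.append("config.extensions: required when resourceType is -1")
    if algo in ("PR", "IND") and "keyPathConfiguration" in config:
        check_key_paths(config["keyPathConfiguration"], errors)
    if algo == "DPR":
        if config.get("method") not in METHODS:
            errors.append("config.method: unsupported request method")
        if not str(config.get("urlPattern", "")).startswith("/"):
            errors.append("config.urlPattern: must start with /")
    return errors


if __name__ == "__main__":
    # Constructed sample: block without blocktime, and a threshold below range.
    sample = {"name": "sr", "algorithmName": "SR", "timeInterval": 60, "action": "block",
              "config": {"maxRequestCountPerSrSession": 3, "minSrSessionCountPerIp": 4}}
    for problem in validate_bot_algorithm_rule(sample):
        print(problem)
```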
          
  • If the DefenseType parameter is set to bot_wxbb_pkg, the value of the Rule parameter consists of the following parameters:
    • name: the name of the rule. This parameter is required. Data type: string.
    • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
      • test: monitors requests.
      • close: blocks requests.
    • nameList: the version information of valid packages. You can specify the version information for a maximum of five valid packages. This parameter is required. Data type: array. The value is a JSON string that consists of the following parameters:
      • name: the name of the valid package. This parameter is required. Data type: string.
      • signList: the signatures for the package. You can specify a maximum of 15 signatures. Separate them with commas (,). This parameter is required. Data type: array.
    • Example
      
          {
              "name":"test",
              "action":"close",
              "nameList":[{
                  "name":"apk-xxxx",
                  "signList":["xxxxxx","xxxxx","xxxx","xx"]
              }]
          }
          
  • If the DefenseType parameter is set to bot_wxbb, the value of the Rule parameter consists of the following parameters:
    • name: the name of the rule. This parameter is required. Data type: string.
    • url: the URL path that requires protection. The path must start with a forward slash (/). This parameter is required. Data type: string.
    • matchType: the match method. This parameter is required. Data type: string. Valid values: all (exact match), prefix (prefix match), and regex (regular expression match).
    • arg: the included parameters. This parameter specifies a URL path in combination with the matchType parameter. This parameter is required. Data type: string.
    • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
      • test: monitors requests.
      • close: blocks requests.
    • hasTag: specifies whether to add a custom signature field. This parameter is required. Data type: Boolean.
      • true: In this case, you must set the wxbbVmpFieldType and wxbbVmpFieldValue parameters to specify the type and value of the field.
      • false:
    • wxbbVmpFieldType: the type of the signature field. This parameter is optional. Data type: integer. If you set the hasTag parameter to true, you must also specify this parameter. Valid values:
      • 0: header
      • 1: parameter
      • 2: cookie
    • wxbbVmpFieldValue: the value of the signature field. This parameter is optional. Data type: string. If you set the hasTag parameter to true, you must also specify this parameter.
    • blockInvalidSign: specifies whether to take actions on an invalid signature. This parameter is required. Data type: integer. Set the value to 1. The value 1 specifies that the default protection policy for path protection is enabled.
    • blockProxy: specifies whether to take actions on a proxy. This parameter is optional. Data type: integer. Set the value to 1. If you do not need to perform actions on the proxy, you can leave this parameter unspecified.
    • blockSimulator: specifies whether to take actions on a simulator. This parameter is optional. Data type: integer. Set the value to 1. If you do not need to perform actions on the simulator, you can leave this parameter unspecified.
    • Example
      
          {
              "name":"test",
              "url":"/index",
              "matchType":"all",
              "arg":"test",
              "action":"close",
              "hasTag":true,
              "wxbbVmpFieldType":2,
              "wxbbVmpFieldValue":"test",
              "blockInvalidSign":1,
              "blockProxy":1
          }
          
  • If the DefenseType parameter is set to antifraud, the value of the Rule parameter consists of the following parameters:
    • uri: the requested URL. This parameter is required. Data type: string.
    • Example
      
          {
              "uri": "http://1.example.com/example"
          }
          
  • If the DefenseType parameter is set to antifraud_js, the value of the Rule parameter consists of the following parameters:
    • uri: the URL path of the web page into which you want to insert the JavaScript plug-in for data risk control. The path must start with a forward slash (/). WAF inserts the JavaScript plug-in into all the web pages in the specified URL path. This parameter is required. Data type: string.
    • Example
      
          {
              "uri": "/example/example"
          }
          
  • If the DefenseType parameter is set to ac_blacklist, the value of the Rule parameter consists of the following parameters:
    • remoteAddr: the IP addresses in the blacklist. This parameter is optional. Data type: array. You can enter both IP addresses and CIDR blocks. Separate multiple IP addresses with commas (,). You can enter a maximum of 200 IP addresses. If you leave this parameter unspecified, WAF clears the blacklist.
    • area: the regions in the region-level IP address blacklist. This parameter is optional. Data type: array. This parameter is a string that consists of JSON arrays. Each element in a JSON array is a JSON struct that consists of the following fields:
      • countryCodes: the code of the country. This parameter is required. Data type: array. If you set this parameter to ["CN"], WAF blocks requests from administrative regions in China, and you must also specify the regionCodes parameter. If you set this parameter to a value other than ["CN"], WAF blocks requests from countries and areas outside China, and you do not need to specify the regionCodes parameter. You can call the DescribeProtectionModuleCodeConfig operation to query the codes of administrative regions inside China and the codes of countries and areas outside China.
      • regionCodes: the code of the administrative region inside China. This parameter is optional. Data type: array.
    • Example
      
      {
          "remoteAddr": [
              "1.XX.XX.1",
              "2.XX.XX.2"
          ],
          "area": [
              {
                  "countryCodes": [
                      "CN"
                  ],
                  "regionCodes": [
                      "310000",
                      "530000"
                  ]
              },
              {
                  "countryCodes": [
                      "AD",
                      "AL"
                  ]
              }
          ]
      }
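Because an unspecified remoteAddr clears the blacklist, an automation script should refuse an empty list unless the caller asks for that explicitly. The following Python code is an added example, not part of this API reference or of any SDK: it validates the ac_blacklist fields described above and assembles the request parameters without signing or sending them. The function names, the allow_clear flag and the rejection of a zero-length prefix are assumptions of the example, and the sample addresses are constructed.

```python
import ipaddress
import json

MAX_ADDRESSES = 200  # limit stated for remoteAddr in the ac_blacklist section


def build_blacklist_rule(remote_addr, area=None, allow_clear=False):
    """Validate the inputs and return the Rule value as a JSON string."""
    remote_addr = list(remote_addr or [])
    if not remote_addr and not allow_clear:
        # Per the page, leaving remoteAddr unspecified clears the blacklist.
        raise ValueError("remoteAddr is empty: this would clear the blacklist")
    if len(remote_addr) > MAX_ADDRESSES:
        raise ValueError(f"remoteAddr has {len(remote_addr)} entries; maximum is {MAX_ADDRESSES}")
    for entry in remote_addr:
        if not isinstance(entry, str):
            raise ValueError(f"{entry!r} is not a string")
        # ip_network parses single addresses and CIDR blocks; ValueError on bad syntax.
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            # Policy choice of this example: never blacklist the whole address space.
            raise ValueError(f"{entry} matches every address")
    for i, item in enumerate(area or []):
        countries = item.get("countryCodes")
        if not isinstance(countries, list) or not countries:
            raise ValueError(f"area[{i}].countryCodes is required")
        if countries == ["CN"] and not item.get("regionCodes"):
            raise ValueError(f"area[{i}]: countryCodes ['CN'] requires regionCodes")
    rule = {}
    if remote_addr:
        rule["remoteAddr"] = remote_addr
    if area:
        rule["area"] = area
    return json.dumps(rule, separators=(",", ":"))


def build_request(domain, instance_id, rule_id, lock_version, rule_json):
    """Assemble the request parameters from the table above (unsigned)."""
    return {
        "Action": "ModifyProtectionModuleRule",
        "Domain": domain,
        "DefenseType": "ac_blacklist",
        "Rule": rule_json,            # JSON carried as a string
        "RuleId": rule_id,            # from DescribeProtectionModuleRules
        "LockVersion": lock_version,  # from DescribeProtectionModuleRules
        "InstanceId": instance_id,    # from DescribeInstanceInfo
    }


if __name__ == "__main__":
    # Constructed sample values; the IDs are the example values from the table above.
    rule = build_blacklist_rule(
        ["192.0.2.10", "198.51.100.0/24"],
        area=[{"countryCodes": ["CN"], "regionCodes": ["310000"]}],
    )
    print(build_request("www.example.com", "waf-cn-0xldbqt****", 369998, 2, rule))
```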
          
  • If the DefenseType parameter is set to ac_highfreq, the value of the Rule parameter consists of the following parameters:
    • interval: the interval of detection. This parameter is required. Data type: integer. Valid values: 5 to 1800. Unit: seconds.
    • ttl: the period during which an IP address is blocked. This parameter is required. Data type: integer. Valid values: 60 to 86400. Unit: seconds.
    • count: the threshold for the number of web attacks initiated from an IP address. If the number of attacks initiated from an IP address during the specified period is greater than the threshold, the IP address is blocked. This parameter is required. Data type: integer. Valid values: 2 to 50000.
    • Example
      
          {
              "interval":60,
              "ttl":300,
              "count":60
          }
          
  • If the DefenseType parameter is set to ac_dirscan, the value of the Rule parameter consists of the following parameters:
    • interval: the interval of detection. This parameter is required. Data type: integer. Valid values: 5 to 1800. Unit: seconds.
    • ttl: the period during which an IP address is blocked. This parameter is required. Data type: integer. Valid values: 60 to 86400. Unit: seconds.
    • count: the maximum number of requests allowed from an IP address. This parameter is required. Data type: integer. Valid values: 2 to 50000.
    • weight: the proportion of requests with HTTP 404 status codes in all requests. This parameter is required. Data type: float. Valid values: 0 to 1.
    • uriNum: the maximum number of paths that can be scanned. This parameter is required. Data type: integer. Valid values: 2 to 50000.
    • Example
      
          {
              "interval":10,
              "ttl":1800,
              "count":50,
              "weight":0.7,
              "uriNum":20 
          }
          
  • If the DefenseType parameter is set to ac_custom, the value of the Rule parameter varies based on the scene parameter.
    • To modify an ACL rule, set the scene parameter to custom_acl. The value of the Rule parameter consists of the following parameters:
      • name: the name of the rule. This parameter is required. Data type: string.
      • scene: the type of the protection policy. This parameter is required. Data type: string. If an ACL rule is configured, set the value to custom_acl.
      • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
        • monitor: monitors requests.
        • captcha: performs common slider CAPTCHA verification.
        • captcha_strict: performs strict slider CAPTCHA verification.
        • js: performs JavaScript verification.
        • block: blocks requests.
      • conditions: the match condition. You can specify a maximum of five match conditions. This parameter is required. Data type: array. The value is a JSON string that consists of the following parameters:
        • key: the match item. Valid values: URL, IP, Referer, User-Agent, Params, Cookie, Content-Type, Content-Length, X-Forwarded-For, Post-Body, Http-Method, Header, and URLPath.
        • opCode: the logical operator. Valid values:
          • 0: does not include or does not belong to
          • 1: includes or belongs to
          • 2: does not exist
          • 10: does not equal
          • 11: equals
          • 20: length less than
          • 21: length equal to
          • 22: length greater than
          • 30: value less than
          • 31: value equal to
          • 32: value greater than
        • values: the match value. You can specify this parameter based on your business requirements. Data type: string.
          Note The valid values of the opCode and values parameters in the match conditions vary based on the key parameter. For more information about match conditions, see Fields in match conditions.
      • Example
        
                {
                    "action":"monitor",
                    "name":"test",
                    "scene":"custom_acl",
                    "conditions":[{"opCode":1,"key":"URL","values":"/example"}]
                }
                
    • To modify an HTTP flood protection rule, set the scene parameter to custom_cc. The value of the Rule parameter consists of the following parameters:
      • name: the name of the rule. This parameter is required. Data type: string.
      • scene: the type of the protection policy. This parameter is required. Data type: string. If an HTTP flood protection rule is configured, set the value to custom_cc.
      • conditions: the match condition. You can specify a maximum of five match conditions. This parameter is required. Data type: array. The value is a JSON string that consists of the following parameters:
        • key: the match item. Valid values: URL, IP, Referer, User-Agent, Params, Cookie, Content-Type, Content-Length, X-Forwarded-For, Post-Body, Http-Method, Header, and URLPath.
        • opCode: the logical operator. Valid values:
          • 0: does not include or does not belong to
          • 1: includes or belongs to
          • 2: does not exist
          • 10: does not equal
          • 11: equals
          • 20: length less than
          • 21: length equal to
          • 22: length greater than
          • 30: value less than
          • 31: value equal to
          • 32: value greater than
        • values: the match value. You can specify this parameter based on your business requirements. Data type: string.
          Note The valid values of the opCode and values parameters in the match conditions vary based on the key parameter.
      • action: the action that is performed after the rule is matched. This parameter is required. Data type: string. Valid values:
        • monitor: monitors requests.
        • captcha: performs slider CAPTCHA verification.
        • captcha_strict: performs strict slider CAPTCHA verification.
        • js: performs JavaScript verification.
        • block: blocks requests.
      • ratelimit: the maximum rate of requests from an object. This parameter is required. Data type: JSON string. The value is a JSON string that consists of the following parameters:
        • target: the type of the object from which the request rate is measured. This parameter is required. Data type: string. Valid values:
          • remote_addr: IP addresses.
          • cookie.acw_tc: sessions.
          • queryarg: custom parameters. If you use custom parameters, you must specify the name of the custom parameter in the subkey parameter.
          • cookie: custom cookies. If you use custom cookies, you must specify the cookie content in the subkey parameter.
          • header: custom headers. If you use custom headers, you must specify the header content in the subkey parameter.
        • subkey: This parameter is required only when you set the target parameter to cookie, header, or queryarg. The subkey parameter is optional. Data type: string.
        • interval: the period for measuring the number of requests from the specified object. This parameter must be used together with the threshold parameter. This parameter is required. Data type: integer. Unit: seconds.
        • threshold: the maximum number of requests that are allowed from an individual object during the specified period. This parameter is required. Data type: integer.
        • status: the frequency of an HTTP status code. This parameter is optional. Data type: JSON string. The value is a JSON string that consists of the following parameters:
          • code: the HTTP status code. This parameter is required. Data type: integer.
          • count: the threshold for the number of times that the specified HTTP status code is returned. The threshold is used to determine whether a rule is matched. If an actual number is greater than the threshold, the rule specified by the name parameter is matched. This parameter is optional. Data type: integer. Valid values: 1 to 999999999. You can set the count or ratio parameter. You cannot set both parameters at the same time.
          • ratio: the threshold for the percentage of times that the specified HTTP status code is returned. The threshold is used to determine whether a rule is matched. If an actual percentage is greater than the threshold, the rule specified by the name parameter is matched. This parameter is optional. Data type: integer. Valid values: 1 to 100. You can set the count or ratio parameter. You cannot set both parameters at the same time.
        • scope: the scope in which the settings take effect. This parameter is required. Data type: string. Valid values:
          • rule: the objects that match the specified conditions
          • domain: the domain names to which the rule is applied
        • ttl: the period during which the specified action is performed. This parameter is required. Data type: integer. Valid values: 60 to 86400. Unit: seconds.
        • Example
          
                  {
                      "name":"HTTP flood protection rule",
                      "conditions":[{"opCode":1,"key":"URL","values":"/example"}],
                      "action":"block",
                      "scene":"custom_cc",
                      "ratelimit":{
                          "target": "remote_addr",
                          "interval": 300,
                          "threshold": 2000,
                          "status": {
                              "code": 404,
                              "count": 200
                          },
                          "scope": "rule",
                          "ttl": 1800
                      }
                  }
              
  • If the DefenseType parameter is set to whitelist, the value of the Rule parameter consists of the following parameters:
    • name: the name of the rule. This parameter is required. Data type: string.
    • tags: the protection module that does not check requests. This parameter is required. Data type: array. The values of the tags parameter vary based on the types of the whitelist.
      Note The values of the tags parameter can contain only the values that are listed in a specific whitelist. For example, the values of the tags parameter cannot contain both regular and cc. This is because regular belongs to the whitelist for the web intrusion prevention module and cc belongs to the whitelist for the access control or throttling module.
      • To configure the global whitelist, set the tags parameter to the following value:
        • waf: Requests bypass all protection modules.
      • To configure the whitelist for the web intrusion prevention module, set the tags parameter to one or more of the following values:
        • regular: Requests bypass the protection rules engine module. Requests bypass all protection rules.
        • regular_rule: Requests bypass specific rules of the protection rules engine module. If you set the tags parameter to this value, you must configure the regularRules parameter to specify the IDs of the rules.
        • regular_type: Requests bypass specific types of the rules of the protection rules engine module. If you set the tags parameter to this value, you must configure the regularTypes parameter to specify the types of the rules.
        • deeplearning: Requests bypass the deep learning engine module.
      • To configure the whitelist for the access control or throttling module, set the tags parameter to one or more of the following values:
        • cc: Requests bypass the HTTP flood protection module.
        • customrule: Requests bypass custom protection policies.
        • blacklist: Requests bypass the IP address blacklist module.
        • antiscan: Requests bypass the scan protection module.
      • To configure the whitelist for the data security module, set the tags parameter to one or more of the following values:
        • dlp: Requests bypass the data leakage prevention module.
        • tamperproof: Requests bypass the website tamper-proofing module.
        • account: Requests bypass the account security module.
      • To configure the whitelist for the bot management module, set the tags parameter to one or more of the following values:
        • bot_intelligence: Requests bypass the bot threat intelligence module.
        • bot_algorithm: Requests bypass the typical bot behavior identification module.
        • bot_wxbb: Requests bypass the app protection module.
        • antifraud: Requests bypass the data risk control module.
    • regularRules: the IDs of the rules that requests bypass. If the value of the tags parameter contains regular_rule, the regularRules parameter is required. You can view the IDs of the rules when you create a rule group. To create a rule group, go to the WAF console and click Protection Rule Group. On the page that appears, click Create Rule Group. For more information, see Customize protection rule groups.
    • regularTypes: the types of the rules that skip detection. This parameter is optional. Data type: array. If the value of the tags parameter includes regular_type, the regularTypes parameter is required. Valid values:
      • sqli: SQL injection
      • xss: cross-site scripting
      • code_exec: code execution
      • lfilei: local file inclusion
      • rfilei: remote file inclusion
      • webshell: webshell
      • vvip: custom protection rules
      • other: other types
    • conditions: the match condition. You can specify a maximum of five match conditions. This parameter is required. Data type: array. The value is a JSON string that consists of the following parameters:
      • key: the match item. Valid values: URL, IP, Referer, User-Agent, Params, Cookie, Content-Type, Content-Length, X-Forwarded-For, Post-Body, Http-Method, Header, and URLPath.
      • opCode: the logical operator. Valid values:
        • 0: does not include or does not belong to
        • 1: includes or belongs to
        • 2: does not exist
        • 10: does not equal
        • 11: equals
        • 20: length less than
        • 21: length equal to
        • 22: length greater than
        • 30: value less than
        • 31: value equal to
        • 32: value greater than
      • values: the match value. You can specify this parameter based on your business requirements. Data type: string.
        Note The valid values of the opCode and values parameters in the match conditions vary based on the key parameter.
    • Example
      
          {
              "name": "test",
              "tags": ["cc","customrule"],
              "conditions":[{"opCode":1,"key":"URL","values":"/example"}]
          }
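A whitelist rule is a deliberate WAF bypass, so it is worth checking the Rule value against the tag constraints above before submitting it. The following is an added example, not Alibaba Cloud code: the function name, the group labels, and the "broad bypass" warning are assumptions of this example, while the tag and type values come from the lists above.

```python
import json

# Tag groups as listed on this page; one rule may draw tags from a single group only.
TAG_GROUPS = {
    "global": {"waf"},
    "web intrusion prevention": {"regular", "regular_rule", "regular_type", "deeplearning"},
    "access control or throttling": {"cc", "customrule", "blacklist", "antiscan"},
    "data security": {"dlp", "tamperproof", "account"},
    "bot management": {"bot_intelligence", "bot_algorithm", "bot_wxbb", "antifraud"},
}
REGULAR_TYPES = ("sqli", "xss", "code_exec", "lfilei", "rfilei", "webshell", "vvip", "other")

def check_whitelist_rule(rule_json):
    """Return (problems, warnings) for a whitelist Rule JSON string."""
    rule = json.loads(rule_json)
    tags = rule.get("tags")
    if not (isinstance(tags, list) and tags and all(isinstance(t, str) for t in tags)):
        return ["tags: required, non-empty array of strings"], []
    problems, warnings = [], []
    if not rule.get("name"):
        problems.append("name: required")
    groups = sorted(g for g, members in TAG_GROUPS.items() if members & set(tags))
    unknown = sorted(set(tags) - set().union(*TAG_GROUPS.values()))
    if unknown:
        problems.append("tags: undocumented value(s): " + ", ".join(unknown))
    if len(groups) > 1:
        problems.append("tags: mixes whitelists: " + "; ".join(groups))
    if "regular_rule" in tags and not rule.get("regularRules"):
        problems.append("regularRules: required when tags contains regular_rule")
    types = rule.get("regularTypes")
    if "regular_type" in tags and not (
            isinstance(types, list) and types and all(t in REGULAR_TYPES for t in types)):
        problems.append("regularTypes: required, documented values only")
    conditions = rule.get("conditions")
    if not isinstance(conditions, list) or not 1 <= len(conditions) <= 5:
        problems.append("conditions: one to five match conditions are required")
    # Review hint: this example's own policy, not an API constraint.
    if "waf" in tags or "regular" in tags:
        warnings.append("broad bypass: matching requests skip whole modules")
    return problems, warnings

# The page's example with its trailing comma removed, and a constructed rule that mixes groups.
PAGE_EXAMPLE = '{"name":"test","tags":["cc","customrule"],"conditions":[{"opCode":1,"key":"URL","values":"/example"}]}'
MIXED_EXAMPLE = '{"name":"mixed","tags":["regular","cc"],"conditions":[{"opCode":1,"key":"URL","values":"/example"}]}'
```
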
         

All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common parameters.

For more information about sample requests, see the "Examples" section of this topic.
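The ratelimit object described in the request parameters carries several constraints that are easy to violate (subkey dependency, count versus ratio, the ttl range). The following pre-submission check is an added example, not Alibaba Cloud code: the function name and message strings are assumptions of this example, and status is treated as a nested object, as in the page's HTTP flood protection example.

```python
import json

# Documented values from this page.
TARGETS = ("remote_addr", "cookie.acw_tc", "queryarg", "cookie", "header")
NEEDS_SUBKEY = ("queryarg", "cookie", "header")
ACTIONS = ("monitor", "captcha", "captcha_strict", "js", "block")

def _is_int(v):
    return isinstance(v, int) and not isinstance(v, bool)  # bool is an int subclass

def check_ratelimit_rule(rule_json):
    """Return a list of problems in a Rule JSON string; an empty list passes these checks."""
    rule = json.loads(rule_json)
    problems = []
    if rule.get("action") not in ACTIONS:
        problems.append("action: not a documented value")
    rl = rule.get("ratelimit")
    if not isinstance(rl, dict):
        return problems + ["ratelimit: required object is missing"]
    target = rl.get("target")
    if target not in TARGETS:
        problems.append("ratelimit.target: not a documented value")
    elif target in NEEDS_SUBKEY and not rl.get("subkey"):
        problems.append("ratelimit.subkey: required for target " + target)
    for field in ("interval", "threshold"):
        if not _is_int(rl.get(field)):
            problems.append("ratelimit.%s: required integer" % field)
    if rl.get("scope") not in ("rule", "domain"):
        problems.append("ratelimit.scope: must be rule or domain")
    ttl = rl.get("ttl")
    if not (_is_int(ttl) and 60 <= ttl <= 86400):
        problems.append("ratelimit.ttl: must be an integer from 60 to 86400")
    status = rl.get("status")  # optional; a nested object in the page's example
    if status is not None and not isinstance(status, dict):
        problems.append("ratelimit.status: must be an object")
    elif status is not None:
        if not _is_int(status.get("code")):
            problems.append("ratelimit.status.code: required integer")
        if "count" in status and "ratio" in status:
            problems.append("ratelimit.status: set count or ratio, not both")
        for field, hi in (("count", 999999999), ("ratio", 100)):
            if field in status and not (_is_int(status[field]) and 1 <= status[field] <= hi):
                problems.append("ratelimit.status.%s: must be 1 to %d" % (field, hi))
    return problems

# The page's own example, and a constructed rule that breaks three constraints.
PAGE_EXAMPLE = '{"name":"HTTP flood protection rule","conditions":[{"opCode":1,"key":"URL","values":"/example"}],"action":"block","scene":"custom_cc","ratelimit":{"target":"remote_addr","interval":300,"threshold":2000,"status":{"code":404,"count":200},"scope":"rule","ttl":1800}}'
BAD_EXAMPLE = '{"action":"block","ratelimit":{"target":"header","interval":60,"threshold":100,"status":{"code":404,"count":200,"ratio":50},"scope":"rule","ttl":30}}'
```
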

Response parameters

Parameter Type Example Description
RequestId String D7861F61-5B61-46CE-A47C-6B19160D5EB0

The ID of the request.

Examples

Sample requests

http(s)://[Endpoint]/?Action=ModifyProtectionModuleRule
&Domain=www.example.com
&DefenseType=ac_custom
&Rule={"action":"monitor","name":"test","scene":"custom_acl","conditions":[{"opCode":1,"key":"URL","values":"/example"}]}
&RuleId=369998
&LockVersion=2
&InstanceId=waf-cn-0xldbqt****
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<ModifyProtectionModuleRuleResponse>
    <RequestId>D7861F61-5B61-46CE-A47C-6B19160D5EB0</RequestId>
</ModifyProtectionModuleRuleResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "D7861F61-5B61-46CE-A47C-6B19160D5EB0"
}

Error codes

For a list of error codes, visit the API Error Center.