After you add web services to Web Application Firewall (WAF), you can configure access control rules and throttling rules in the custom rule module to defend against specific requests. This topic describes how to create a protection template of the custom rule module and add protection rules to the template.
Overview
The following table describes access control rules and throttling rules.

Rule type | Description | Setting notes
--- | --- | ---
Access control rules | You can use common request headers, such as the client IP address and request URL, to specify match conditions. If a request meets all of the specified match conditions, WAF performs the specified action on it. For example, you can configure a custom rule to block requests that are sent to a specific Uniform Resource Identifier (URI), or a custom rule that makes WAF verify requests that carry a specific User-Agent string. | For more information, see Step 2: Add protection rules to a protection template of the custom rule module.
Throttling rules | You can specify request rate detection conditions. If the request rate of a statistical object exceeds the upper limit, WAF performs the specified action on the requests that are sent from that statistical object. For example, if an IP address or a session triggers a match condition many times within a short period, you can enable throttling to block requests from that IP address or session for a specified period of time. | For more information, see Step 2: Add protection rules to a protection template of the custom rule module.
Prerequisites
A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.
Step 1: Create a protection template of the custom rule module
The custom rule module does not provide default protection templates. Before you can enable protection rules of the custom rule module, you must create a protection template of the module and add protection rules to the template.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the Custom Rule section of the Basic Web Protection page, click Create Template.
Note: If this is the first time you create a protection template of the custom rule module, you can also click Configure Now in the Custom Rule card in the upper part of the Basic Web Protection page.
In the Create Template - Custom Rule panel, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Template Name
Specify a name for the template.
The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Save as Default Template
Specify whether to set the template as the default template for the protection module.
You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. The default template is applied to all protected objects and protected object groups to which no custom templates are applied.
Rule Configuration
Click Create Rule to create a protection rule for the template. You can also create protection rules after the template is created. For more information, see Step 2: Add protection rules to a protection template of the custom rule module.
Apply To
Select the Protected Objects and Protected Object Group to which you want to apply the template.
You can apply only one template of a protection module to a protected object or protected object group. For more information about how to add protected objects and create protected object groups, see Configure protected objects and protected object groups.
By default, a newly created protection template is enabled. You can perform the following operations on the protection template in the template list:
View the numbers of protected objects and protected object groups that are associated with the template in the Protected Object/Group column.
Turn on or turn off the switch in the Status column to enable or disable the template.
Click Edit or Delete in the Actions column to modify or delete the template.
Click the icon to the left of the template name to view the protection rules in the template.
Step 2: Add protection rules to a protection template of the custom rule module
A protection template takes effect only after you add protection rules to the template. If you created protection rules when you created the protection template, you can skip this step.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the Custom Rule section, find the protection template to which you want to add protection rules and click Create Rule in the Actions column.
In the Create Rule dialog box, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Rule Name
Specify a name for the rule.
The name of the rule can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Match Condition
Specify the characteristics of requests that match the rule.
Click Add Condition to add a match condition. You can add up to five match conditions to a rule. If you add multiple match conditions, the rule is matched only if all match conditions are met.
Each match condition consists of Match Field, Logical Operator, and Match Content. Examples:
Example 1: Set the Match Field parameter to URI, the Logical Operator parameter to Contains, and the Match Content parameter to /login.php. If the URI of a request contains /login.php, the request matches the rule.
Example 2: Set the Match Field parameter to IP, the Logical Operator parameter to Belongs To, and the Match Content parameter to 192.1X.XX.XX. If a request is sent from a client whose IP address is 192.1X.XX.XX, the request matches the rule.
For more information about the match fields and logical operators, see Match conditions.
Rate Limiting
Specify whether to enable the rate limiting feature. If you enable the rate limiting feature and the requests that are sent from a statistical object frequently match a protection rule, WAF performs a specific action on the requests in a specific period of time.
Important: The throttling feature limits the request rate of a statistical object per protected object. For example, if you add an Application Load Balancer (ALB) instance as a protected object and configure a throttling rule for it, and the ALB instance forwards requests for multiple domain names, the request rate is counted across all of those domain names together. If you want to limit the request rate for a single domain name, use one of the following methods:
Method 1: Add the domain name as a protected object of WAF, and then configure a throttling rule for the domain name. For more information, see Configure protected objects and protected object groups.
Method 2: Configure a throttling rule for the ALB instance and specify a match condition by using the Host field to limit the request rate for the domain name.
If you enable the rate limiting feature, you must configure the rate limiting parameters.
Request rate detection conditions
If the number of times that a statistical object (Statistical Object) matches a protection rule within a specific statistical period (Statistical Interval (Seconds)) exceeds the upper limit (Threshold (Times)), the object is added to a blacklist.
Status code detection conditions
If the number of times that a specific status code is included in responses exceeds the upper limit (Quantity) or the percentage of a specific status code in all status codes that are included in responses exceeds the upper limit (Percentage (%)), the statistical object is added to a blacklist.
Conditions for adding a statistical object to a blacklist
If a statistical object meets the request rate detection conditions or the status code detection conditions, it is added to a blacklist and remains there for a specified period of time (Timeout Period). During that period, WAF performs the specified action (Action) either on all requests that the statistical object sends to the protected object or only on its requests that meet the match conditions, depending on the Apply To setting.
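The following is an added example, not code from Alibaba Cloud WAF: a local simulation of the rule semantics described in the Match Condition and Rate Limiting parameters above (match conditions are ANDed, a rule holds at most five of them, rate detection and status code detection feed a per-object blacklist with a timeout, and Apply To decides which requests receive the action). It lets you replay a traffic sample against a candidate Statistical Interval, Threshold and Timeout Period before you set the rule's Action to Block. Everything about the internals is an assumption of mine rather than documented WAF behaviour: the statistical object is the client IP, the interval is a sliding window, the request that pushes the count over the threshold is the first one that receives the action, only the URI Contains and IP Belongs To (CIDR) operators are implemented, and the request records are constructed here rather than taken from real WAF logs.

```python
"""Simulation of a WAF custom throttling rule (added example; assumptions as
stated in the lead-in: per-IP statistical object, sliding window, constructed
request dicts instead of real WAF logs)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Condition:
    match_field: str  # "URI" or "IP"
    operator: str     # "Contains" or "Belongs To"
    content: str

    def matches(self, req: dict) -> bool:
        if (self.match_field, self.operator) == ("URI", "Contains"):
            return self.content in req["uri"]
        if (self.match_field, self.operator) == ("IP", "Belongs To"):
            network = ipaddress.ip_network(self.content, strict=False)
            return ipaddress.ip_address(req["ip"]) in network
        raise ValueError(f"unsupported condition: {self.match_field} {self.operator}")


@dataclass
class ThrottlingRule:
    conditions: list[Condition]       # one to five conditions; all must match (AND)
    interval_s: int                   # Statistical Interval (Seconds)
    threshold: int                    # Threshold (Times)
    timeout_s: int                    # Timeout Period spent in the blacklist
    action: str = "Block"             # Action: Block or Monitor
    matching_only: bool = True        # Apply To: matching requests (True) or all requests (False)
    status_code: int | None = None    # optional status code detection
    quantity: int | None = None       # Quantity upper limit for that status code
    percentage: float | None = None   # Percentage (%) upper limit for that status code
    _hits: dict = field(default_factory=lambda: defaultdict(deque), repr=False)
    _blacklist: dict = field(default_factory=dict, repr=False)  # ip -> expiry timestamp

    def __post_init__(self) -> None:
        if not 1 <= len(self.conditions) <= 5:
            raise ValueError("a rule needs between one and five match conditions")

    def _over_limit(self, window: deque) -> bool:
        if len(window) > self.threshold:  # request rate detection
            return True
        if self.status_code is not None:  # status code detection (assumed: counted over matching responses in the window)
            n = sum(1 for _, status in window if status == self.status_code)
            if self.quantity is not None and n > self.quantity:
                return True
            if self.percentage is not None and 100.0 * n / len(window) > self.percentage:
                return True
        return False

    def evaluate(self, req: dict) -> str:
        """Return what WAF would do with this request: 'Pass' or the rule's Action."""
        obj, now = req["ip"], req["ts"]
        matched = all(c.matches(req) for c in self.conditions)
        expiry = self._blacklist.get(obj)
        if expiry is not None and now < expiry:  # still blacklisted: Apply To decides
            return self.action if (matched or not self.matching_only) else "Pass"
        if expiry is not None:  # timeout elapsed: start counting from zero again
            del self._blacklist[obj]
            self._hits[obj].clear()
        if not matched:
            return "Pass"
        window = self._hits[obj]
        window.append((now, req["status"]))
        while window and window[0][0] <= now - self.interval_s:  # drop hits older than the interval
            window.popleft()
        if self._over_limit(window):
            self._blacklist[obj] = now + self.timeout_s
            window.clear()
            return self.action
        return "Pass"


def replay(rule: ThrottlingRule, traffic: list[dict]) -> list[str]:
    """Feed requests in timestamp order and return the per-request decision."""
    return [rule.evaluate(req) for req in sorted(traffic, key=lambda r: r["ts"])]


# Constructed sample traffic: a client inside 192.0.2.0/24 hammering /login.php.
SAMPLE_TRAFFIC = [
    {"ts": t, "ip": "192.0.2.10", "uri": "/login.php", "status": 401} for t in range(7)
] + [
    {"ts": 20, "ip": "192.0.2.10", "uri": "/index.html", "status": 200},
    {"ts": 30, "ip": "192.0.2.10", "uri": "/login.php", "status": 401},
    {"ts": 70, "ip": "192.0.2.10", "uri": "/login.php", "status": 401},
]
CONDITIONS = [Condition("URI", "Contains", "/login.php"),
              Condition("IP", "Belongs To", "192.0.2.0/24")]


def rate_rule() -> ThrottlingRule:
    # More than 5 matching requests within 10 s -> blacklist the IP for 60 s.
    return ThrottlingRule(CONDITIONS, interval_s=10, threshold=5, timeout_s=60)


def status_rule() -> ThrottlingRule:
    # Same rule, but also blacklist after more than three 401 responses in the window.
    return ThrottlingRule(CONDITIONS, interval_s=10, threshold=5, timeout_s=60,
                          status_code=401, quantity=3)


if __name__ == "__main__":
    for name, rule in (("rate", rate_rule()), ("status", status_rule())):
        print(name, replay(rule, SAMPLE_TRAFFIC))
```

Replaying the sample shows the difference between the two detection conditions: the rate rule lets the first five login attempts through and blocks from the sixth, while the status code rule blocks from the fourth 401. In both cases the /index.html request at second 20 passes because Apply To is set to matching requests only, and the attempt at second 70 passes again because the 60 s timeout has elapsed and counting restarts. Note that in this simulation a Percentage (%) condition with no minimum count fires on the very first matching error response (one 401 out of one response is 100%), which is the kind of surprise the Monitor action is meant to surface before a rule is switched to Block.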
Protection Rule Type
This parameter is automatically specified. The value of this parameter varies based on whether you turn on Rate Limiting.
If you turn on Rate Limiting, the Protection Rule Type parameter has a fixed value of Throttling.
If you turn off Rate Limiting, the Protection Rule Type parameter has a fixed value of Access Control.
Action
Select the action that you want WAF to perform when a request matches the rule. Valid values:
Block: blocks a request that matches the rule and returns a block page to the client that initiates the request.
Note: By default, WAF returns a preconfigured block page. You can use the custom response feature to configure a custom block page. For more information, see Configure protection rules for the custom response module to configure custom block pages.
Monitor: records the requests that match the rule in logs without blocking the requests. You can query logs about the requests that match the rule and analyze the protection performance. For example, you can check whether normal requests are blocked based on logs.
Important: You can query logs only when the Simple Log Service for WAF feature is enabled. For more information, see Enable or disable the Simple Log Service for WAF feature.
If you select Monitor, you can perform a dry run on the rule to check whether the rule blocks normal requests. If the rule passes the dry run, you can set the Action parameter to Block.
Run JavaScript Validation: WAF returns JavaScript code to the client. The JavaScript code can be automatically executed by the browser that is used by the client. If the client passes the JavaScript verification, WAF allows requests that are sent from the client in a specified time range. By default, the time range is 30 minutes. If the client fails the JavaScript verification, WAF blocks requests that are sent from the client.
Run Slider CAPTCHA: WAF returns pages that are used for slider CAPTCHA verification to the client. If the client passes the common slider CAPTCHA verification, WAF allows requests that are sent from the client in a specified time range. By default, the time range is 30 minutes. If the client fails the common slider CAPTCHA verification, WAF blocks requests that are sent from the client.
Run Strict Slider CAPTCHA: WAF returns pages that are used for slider CAPTCHA verification to the client. Unlike Run Slider CAPTCHA, no grace period is granted after a successful verification: every request must pass the strict slider CAPTCHA verification before WAF allows it, and WAF blocks requests from a client that fails the verification.
Note: Run Slider CAPTCHA is supported for pay-as-you-go WAF instances and subscription WAF instances that run the Enterprise or Ultimate edition.
When you create a protection rule in the custom rule module, you can select Run JavaScript Validation and Run Slider CAPTCHA only for static pages. To ensure compatibility with the responses of asynchronous APIs, such as XMLHttpRequest and Fetch, you can enable JavaScript validation and slider CAPTCHA verification in the bot management module. For more information, see Enable and configure the bot management module.
If a request from a client matches a protection rule in which the Action parameter is set to Run JavaScript Validation or Run Slider CAPTCHA, WAF performs JavaScript validation or slider CAPTCHA verification on the client. If the client passes the validation or verification, WAF adds the acw_sc__v2 or acw_sc__v3 cookie to the request headers to indicate that the client passed the validation or verification.
Advanced Settings
You can configure Advanced Settings only if you use a pay-as-you-go WAF instance or a subscription WAF instance that runs the Enterprise or Ultimate edition.
Canary Release: You can turn on Canary Release to apply the rule to a specific proportion of objects.
If you turn on Canary Release, you must configure the Dimension and Canary Release Ratio parameters. Valid values of the Dimension parameter: IP Address, Custom Header, Custom Cookie, and Session.
Effective Mode
Permanently Effective (default): If you select Permanently Effective, the protection rule is permanently in effect.
Fixed Schedule: You can specify a time zone and a period of time during which you want the rule to be in effect.
Recurring Schedule: You can specify a time zone, days of the week, and a period of time in a day. The rule is in effect during that period of time on each of the selected days of the week.
By default, a newly created protection rule is enabled. You can perform the following operations on the protection rule in the rule list:
Turn on or turn off the switch in the Status column to enable or disable the rule.
Click Edit or Delete in the Actions column to modify or delete the rule.
What to do next
On the Custom Rule tab of the Security Reports page, you can view the protection details of the configured protection rules. For more information, see IP address blacklist, custom rule, scan protection, HTTP flood protection, and region blacklist modules.
References
For more information about the match conditions and match fields that are involved when you configure a protection rule for the custom rule module, see Match conditions.
For more information about the protection objects, protection modules, and protection process of WAF 3.0, see Protection configuration overview.
For more information about how to create a protection template by calling an API operation, see CreateDefenseTemplate.
For more information about how to create a protection rule by calling an API operation, see CreateDefenseRule.