After you set up Web Application Firewall (WAF) for a website, you can create custom protection policies for it. A custom protection policy lets you define ACL rules based on precise match conditions and cap the request rate. Custom protection policies can be tailored to different scenarios, such as hotlinking protection and website backend protection. You can customize protection rules as needed.
- An ACL rule filters requests based on the client IP address, request URL, and precise match conditions that use common request headers.
- An anti-HTTP flood rule filters requests based on the precise match conditions and request rate that you have set.
Subscription-based WAF instances have the following limits on custom protection policies. The last three columns show the limits for the different WAF editions.

| Item | Description | Higher edition | Middle edition | Lower edition |
|---|---|---|---|---|
| Number of custom rules | The maximum number of custom rules that you can create. | 200 | 100 | 100 |
| Advanced match fields | The advanced match fields other than IP addresses and URLs that you can specify in custom rules. | Supported | Supported | Not supported |
| Rate limiting | Custom anti-HTTP flood rules. | Supported | Supported | Not supported |
| Custom statistical objects | The custom statistical objects other than IP addresses and sessions that can be used to control the request rate. | Supported | Not supported | Not supported |
- Log on to the Web Application Firewall console.
- In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
- In the left-side navigation pane, choose .
- In the upper part of the Website Protection page, select the domain name for which you want to configure the custom protection policy.
- Click the Access Control/Throttling tab and find the Custom Protection Policy section. Turn on the Status switch and click Settings.
- Create a custom rule. After a custom protection policy rule is created, it is automatically enabled. You can view newly created rules, and disable, modify, or delete rules in the rule list as needed.
    - On the Custom Protection Policy page, click Create Custom Protection Policy.
    - In the dialog box that appears, set the following parameters.
- Rule name: Specify a name for the rule.
- Matching Condition: Specify the detection logic of the rule. The rule is triggered only after the specified conditions are met. Click Add rule to add more conditions. You can specify a maximum of five conditions. If you specify multiple conditions, the rule is triggered only when all of the conditions are met. For more information about match conditions, see Fields of match conditions.
- Rate Limiting: Enable or disable rate limiting. WAF starts counting requests only after the specified match conditions are met. Before you enable rate limiting, set the parameters that specify the object whose request rate is counted. For more information about the rate limiting parameters, see Rate limiting parameters.
- Action: Specify the action to be performed after the rule is triggered. Supported actions include:
    - Monitor: triggers alerts but does not block requests.
    - Block: blocks requests.
    - Captcha: redirects requests to another page to perform CAPTCHA verification.
    - Strict Captcha: redirects requests to another page to perform strict CAPTCHA verification.
  If you enable Rate Limiting, you must also specify the TTL (Seconds), which is the period during which the action remains in effect.
- Protection Type: Specify the type of the rule. This parameter is automatically set based on the status of .
    - If rate limiting is enabled, the value is set to HTTP Flood Protection.
    - If rate limiting is disabled, the value is set to ACL.
The parameters required to configure rate limiting are described in the following table.
- Statistical Object: Specify the object whose request rate is counted. Valid values:
    - IP: counts the requests from a specific IP address.
    - Session: counts the requests transmitted over a specific session.
    - Custom-Header: counts the requests that carry the same content in the specified header.
    - Custom-Param: counts the requests that carry the same content in the specified parameter.
    - Custom-Cookie: counts the requests that carry the same content in the specified cookie.
- Interval (Seconds): The time period during which the number of requests is counted.
- Threshold (Occurrences): The maximum number of requests that are allowed from the object during the specified time period. If this limit is exceeded, rate limiting is triggered.
- Status Code: After the specified match conditions are met, the number or percentage of responses with the specified status code within the specified time period is counted. Select either the amount or the percentage.
    - Amount: The maximum number of responses with the specified status code.
    - Percentage (%): The maximum percentage of responses with the specified status code.
- Take Effect For: Specify the objects to which rate limiting is applied.
    - Feature Matching Objects
    - Applied Domains
    - Click Save.
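The interaction between the match conditions, the statistical object, Interval, Threshold, Status Code and TTL is easier to reason about when the evaluation is written out. The following simulation is an added example, not Alibaba Cloud WAF code: it implements one HTTP flood protection rule over a constructed stream of requests, with the rule fields named after the console parameters above. The `Request` and `Rule` classes, the `path_prefix` match condition, the `run` helper and all sample values are assumptions made for the example; the page does not state how a Status Code condition combines with the request threshold, so the simulation assumes both must be exceeded and says so in a comment.

```python
"""Simulation of the custom protection policy semantics described above.

Added, self-contained example; not Alibaba Cloud WAF code. The request
records, rule values and field names below are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    ts: float                    # arrival time in seconds (constructed clock)
    ip: str
    path: str
    status: int                  # status code the backend returned for this request
    headers: dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    path_prefix: str             # the single match condition used in this example
    stat_object: str             # "IP" or "Custom-Header" (other objects omitted here)
    stat_key: Optional[str]      # header name when stat_object is "Custom-Header"
    interval: int                # Interval (Seconds)
    threshold: int               # Threshold (Occurrences)
    status_code: Optional[int]   # Status Code to count, or None for no such condition
    status_pct: Optional[float]  # Percentage (%) limit for that status code
    action: str                  # Monitor / Block / Captcha / Strict Captcha
    ttl: int                     # TTL (Seconds) during which the action stays in effect


class RateLimitEvaluator:
    """Applies one HTTP flood protection rule to a stream of requests.

    Assumption (not stated on the page): when a Status Code condition is set,
    the rule triggers only if both the request threshold and the status-code
    percentage are exceeded within the interval."""

    def __init__(self, rule: Rule):
        self.rule = rule
        self.windows = defaultdict(deque)   # object -> (ts, status) pairs inside the interval
        self.active_until = {}              # object -> time at which the action expires

    def _stat_object(self, req: Request) -> Optional[str]:
        if self.rule.stat_object == "IP":
            return req.ip
        if self.rule.stat_object == "Custom-Header":
            return req.headers.get(self.rule.stat_key)
        return None

    def handle(self, req: Request) -> str:
        """Return the action applied to this request, or "Pass" if none."""
        r = self.rule
        # Rate counting starts only once the match conditions are met.
        if not req.path.startswith(r.path_prefix):
            return "Pass"
        obj = self._stat_object(req)
        if obj is None:                      # e.g. header absent: nothing to count
            return "Pass"
        # An action already triggered for this object stays in effect for TTL seconds.
        if self.active_until.get(obj, 0.0) > req.ts:
            return r.action
        win = self.windows[obj]
        win.append((req.ts, req.status))
        while win and win[0][0] <= req.ts - r.interval:   # drop requests outside the interval
            win.popleft()
        triggered = len(win) > r.threshold
        if triggered and r.status_code is not None:
            hits = sum(1 for _, s in win if s == r.status_code)
            triggered = 100.0 * hits / len(win) > r.status_pct
        if triggered:
            self.active_until[obj] = req.ts + r.ttl
            win.clear()                      # counting restarts after the TTL expires
            return r.action
        return "Pass"


def run(rule: Rule, requests) -> list:
    """Evaluate the rule over requests in arrival order; returns one action per request."""
    ev = RateLimitEvaluator(rule)
    return [ev.handle(q) for q in sorted(requests, key=lambda q: q.ts)]


# Constructed sample: one client sends 12 /login requests in 12 seconds, all
# answered with 401; another client sends one; the first client returns later.
LOGIN_RULE = Rule("login-flood", "/login", "IP", None, interval=60, threshold=10,
                  status_code=401, status_pct=50.0, action="Captcha", ttl=300)
SAMPLE = [Request(float(i), "203.0.113.7", "/login", 401) for i in range(12)]
SAMPLE += [Request(5.5, "198.51.100.2", "/login", 200),
           Request(10.5, "203.0.113.7", "/static/logo.png", 200),  # not matched, not counted
           Request(309.0, "203.0.113.7", "/login", 401),           # TTL still active
           Request(310.0, "203.0.113.7", "/login", 401)]           # TTL expired, fresh window


if __name__ == "__main__":
    for q, action in zip(sorted(SAMPLE, key=lambda q: q.ts), run(LOGIN_RULE, SAMPLE)):
        print(f"{q.ts:6.1f} {q.ip:14} {q.path:18} {q.status} -> {action}")
```

Running the script shows the 11th matching request from 203.0.113.7 receiving Captcha, the requests that follow it receiving Captcha for the 300-second TTL without being counted again, and the request at 310 seconds passing because both the TTL and the 60-second interval have elapsed; the request to /static/logo.png never matches the condition, so it is neither counted nor challenged.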