You need to define the rule match conditions when you configure the whitelist and customize protection policies for Web Application Firewall (WAF). This topic describes the fields that can be used in rule match conditions and their definitions.

Notice: This topic uses the new version of the WAF console released in January 2020. If the WAF instance was created before January 2020, see HTTP ACL policy.

What are match conditions

In the WAF console, you can customize whitelist rules, access control rules, and rate limiting policies. A custom rule consists of match conditions and actions. When you create a rule, you need to define match conditions by specifying the match fields, logical operators, and match content. You also need to select an action that will be triggered when a request matches the conditions.

Each match condition consists of a match field, a logical operator, and match content. Currently, match content does not support regular expressions, but it can be left empty. A custom rule can contain a maximum of three match conditions, and the conditions are always combined with AND. That is, the corresponding action is triggered only when an access request matches all of the conditions at the same time.

Supported match fields

The following entries list the match fields supported in match conditions. Advanced field indicates that the field is supported only by WAF instances of the Business, Enterprise, or Exclusive edition.

Each entry gives the match field, whether it is an advanced field, the supported logical operators, and a description.

IP
  Advanced field: No
  Supported logical operators: Belongs to/Does not belong to
  Description: The source IP address of the access request. IP addresses or CIDR blocks are supported, for example, 1.1.1.1/24.
  Note: You can enter up to 50 IP addresses or CIDR blocks. Separate multiple IP addresses and CIDR blocks with commas (,).

URL
  Advanced field: No
  Supported logical operators:
    • Includes/Does not include
    • Equals/Does not equal
  Description: The URL of the access request.

Referer
  Advanced field: No
  Supported logical operators:
    • Includes/Does not include
    • Equals/Does not equal
    • Length equals/Length greater than/Length less than
    • Does not exist
  Description: The URL of the source page from which the access request is redirected.

User-Agent
  Advanced field: No
  Supported logical operators:
    • Includes/Does not include
    • Equals/Does not equal
    • Length equals/Length greater than/Length less than
  Description: The browser identifier, rendering engine identifier, version information, and other browser-related information of the client that initiates the access request.

Params
  Advanced field: No
  Supported logical operators:
    • Includes/Does not include
    • Equals/Does not equal
    • Length equals/Length greater than/Length less than
  Description: The parameter part of the request URL, usually the part that follows the question mark (?). For example, in www.abc.com/index.html?action=login, action=login is the parameter part.

Cookie
  Advanced field: Yes
  Supported logical operators:
    • Includes/Does not include
    • Equals/Does not equal
    • Length equals/Length greater than/Length less than
    • Does not exist
  Description: The cookie information in the access request.

Content-Type
  Advanced field: Yes
  Supported logical operators:
    • Includes/Does not include
    • Equals/Does not equal
    • Length equals/Length greater than/Length less than
  Description: The HTTP content type (MIME) specified in the response returned to the access request.

Content-Length
  Advanced field: Yes
  Supported logical operators: Value less than/Value equals/Value greater than
  Description: The number of bytes in the response returned to the access request.

X-Forwarded-For
  Advanced field: Yes
  Supported logical operators:
    • Includes/Does not include
    • Equals/Does not equal
    • Length equals/Length greater than/Length less than
    • Does not exist
  Description: The client IP address of the access request. X-Forwarded-For (XFF) is an HTTP request header field used to identify the original IP address of a client whose request is forwarded through an HTTP proxy or a Server Load Balancer (SLB) instance. XFF is present only in access requests that are forwarded by an HTTP proxy or an SLB instance.

Post-Body
  Advanced field: Yes
  Supported logical operators:
    • Includes/Does not include
    • Equals/Does not equal
  Description: The content of the response returned to the access request.

Http-Method
  Advanced field: Yes
  Supported logical operators: Equals/Does not equal
  Description: The request method, such as GET or POST.

Header
  Advanced field: Yes
  Supported logical operators:
    • Includes/Does not include
    • Equals/Does not equal
    • Length equals/Length greater than/Length less than
    • Does not exist
  Description: The header information in the access request. Use this field to match a custom HTTP header field.

Logical operator descriptions

Each entry gives the logical operator and its description.

Belongs to/Does not belong to: Whether the match field belongs to the match content.
Includes/Does not include: Whether the match field includes the match content.
Equals/Does not equal: Whether the match field equals the match content.
Length equals/Length greater than/Length less than: Whether the length of the match field is equal to, greater than, or less than that of the match content.
Does not exist: The match field does not exist in the request.
Value less than/Value equals/Value greater than: Whether the value of the match field is less than, equal to, or greater than that of the match content.
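To make the rule model concrete (a custom rule of up to three AND-combined conditions, each a match field, logical operator and match content, as described under "What are match conditions" and in the logical operator list above), here is an added Python evaluator that is not part of the WAF product or this documentation. The request dictionary, the rule and the field names it uses are constructed for illustration; the operator semantics follow the descriptions on this page, and the IP condition reuses the page's own 1.1.1.1/24 example.

```python
import ipaddress

# Constructed access request: match-field name -> value (None means the field is absent).
SAMPLE_REQUEST = {
    "IP": "1.1.1.100",
    "URL": "/admin/login",
    "Referer": None,
    "User-Agent": "curl/8.0",
    "Http-Method": "POST",
    "Content-Length": "4096",
}

def ip_belongs_to(value, content):
    """'Belongs to': the request IP lies in any comma-separated IP address or CIDR block."""
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(block.strip(), strict=False)
               for block in content.split(","))

# One callable per logical operator on the page; each takes (field value, match content).
OPERATORS = {
    "Belongs to": ip_belongs_to,
    "Does not belong to": lambda v, c: not ip_belongs_to(v, c),
    "Includes": lambda v, c: c in v,
    "Does not include": lambda v, c: c not in v,
    "Equals": lambda v, c: v == c,
    "Does not equal": lambda v, c: v != c,
    "Length equals": lambda v, c: len(v) == int(c),
    "Length greater than": lambda v, c: len(v) > int(c),
    "Length less than": lambda v, c: len(v) < int(c),
    "Value less than": lambda v, c: int(v) < int(c),
    "Value equals": lambda v, c: int(v) == int(c),
    "Value greater than": lambda v, c: int(v) > int(c),
}

def condition_matches(request, field, operator, content):
    """Evaluate one match condition; 'Does not exist' is the only operator that accepts an absent field."""
    value = request.get(field)
    if operator == "Does not exist":
        return value is None
    if value is None:  # an absent field cannot satisfy a value-based operator
        return False
    return OPERATORS[operator](value, content)

def rule_matches(request, conditions):
    """A custom rule holds one to three conditions, and they are combined with AND."""
    if not 1 <= len(conditions) <= 3:
        raise ValueError("a custom rule takes between one and three match conditions")
    return all(condition_matches(request, *cond) for cond in conditions)

# Constructed access control rule: admin paths requested from the listed CIDR block without a Referer.
BLOCK_RULE = [
    ("IP", "Belongs to", "1.1.1.1/24, 10.0.0.0/8"),
    ("URL", "Includes", "/admin"),
    ("Referer", "Does not exist", ""),
]
```

Because the conditions are AND-combined, adding a Referer to the sample request is enough to stop the rule from matching, which is the behaviour to keep in mind when tightening a rule with a third condition.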
