You need to define the rule match conditions when you configure the whitelist and customize protection policies for Web Application Firewall (WAF). This topic describes the fields that can be used in rule match conditions and their definitions.
What are match conditions
In the WAF console, you can customize whitelist rules, access control rules, and rate limiting policies. A custom rule consists of match conditions and actions. When you create a rule, you need to define match conditions by specifying the match fields, logical operators, and match content. You also need to select an action that will be triggered when a request matches the conditions.
Each match condition consists of a match field, logical operator, and match content. Currently, match content does not support regular expressions, but can be set to null. You can set a maximum of three match conditions in a custom rule and the logical relation between each condition must be AND. That is, only when the access request matches all the conditions at the same time, the corresponding action will be triggered.
Supported match fields
The following table lists the supported match fields in match conditions. Advanced Field indicates that the field is supported only by the Business, Enterprise, or Exclusive edition of WAF instances.
| Match field | Advanced field | Supported logical operator | Description |
|---|---|---|---|
| IP | No | Belongs to/Does not belong to | The source IP address of the access request. IP addresses or CIDR blocks are supported,
for example, 1.1.1.1/24.
Note You can enter up to 50 IP addresses or CIDR blocks. Separate multiple IP addresses
and CIDR blocks with commas (,).
|
| URL | No |
|
The URL of the access request. |
| Referer | No |
|
The URL of the source page from which the access request is redirected. |
| User-Agent | No |
|
The browser ID, rendering engine ID, version information, and other browser-related information of the client that initiates the access request. |
| Params | No |
|
The parameter part in the request URL, usually the part that follows the question
mark (?) in the URL. For example, in www.abc.com/index.html? action=login, action=login is the parameter part.
|
| Cookie | Yes |
|
The cookie information in the access request. |
| Content-Type | Yes |
|
The HTTP content type (MIME) specified in the response returned to the access request. |
| Content-Length | Yes | Value less than/Value equals/Value greater than | The number of bytes in the response returned to the access request. |
| X-Forwarded-For | Yes |
|
The client IP address of the access request. X-Forwarded-For (XFF) is used to identify the HTTP request header field of the initial IP address of the client initiating the access request that is forwarded through an HTTP proxy or a Server Load Balancer (SLB) instance. XFF is only included in the access requests that are forwarded by the HTTP proxy or SLB instances. |
| Post-Body | Yes |
|
The content of the response returned to the access request. |
| Http-Method | Yes | Equals/Does not equal | The request method, such as GET and POST. |
| Header | Yes |
|
The header information about the access request, which is used to customize the HTTP header fields. |
Logical operator descriptions
| Logical operator | Description |
|---|---|
| Belongs to/Does not belong to | Whether the match field belongs to the match content. |
| Includes/Does not include | Whether the match field includes the match content. |
| Equals/Does not equal | Whether the match field equals the match content. |
| Length equals/Length greater than/Length less than | Whether the length of the match field is equal to, greater than, or less than that of the match content. |
| Does not exist | The match field does not exist. |
| Value less than/Value equals/Value greater than | The value of the match field is less than, equal to, or greater than that of the match content. |