All Products
Search
Document Center

Dynamic Content Delivery Network:BatchCreateDcdnWafRules

Last Updated:May 21, 2024

Creates Web Application Firewall (WAF) protection rules.

Operation description

Note You can call this operation up to 20 times per second per account.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
dcdn:BatchCreateDcdnWafRulesWrite
  • acs:dcdn::{#accountId}:*
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
PolicyIdlongYes

The ID of the protection policy.

1000001
RuleConfigsstringYes

The configuration of the protection rule.

{"name":"ttttt","action":"monitor","conditions":[{"key":"URL","opValue":"match-one","values":"1,2,3,4,5"},{"key":"Header","opValue":"contain-one","subKey":"testheader","values":"6,7,8,9,10"}],"ratelimit":{"target":"header","interval":10,"threshold":5,"ttl":1800,"subKey":"testheadercc","status":{"code":"502","count":5}},"ccStatus":"on","effect":"rule","status":"on"}

Description of the RuleConfigs parameter

  • RuleConfigs is a list slice. Each struct represents a rule.
  • The fields in the RuleConfigs parameter vary based on the type of the protection policy. The protection policy ID is specified by the PolicyId parameter.

Scenario 1: web RegEx protection (waf_group)

ParameterTypeRequiredExampleDescription
statusStringNoonSpecifies whether to enable the protection rule. Valid values: on and off. Default value: on.
actionStringYesblockThe action to perform based on the rule. Valid values: block and monitor.
wafGroupIdsStringNo1012The ID of the WAF rule group. Separate multiple IDs with commas (,). Default value: 1012.

Sample code for waf_group

// You can configure only one rule for a protection policy of the waf_group type.[
  {
    "status": "on",
    "action": "block"
  }
]

Scenario 2: custom rules (custom_acl)

NameTypeRequiredExampleDescription
namestringYesacl_1The name of the protection rule. The name can be up to 64 characters in length and can contain letters, digits, and underscores (_).
statusstringNoonValid values: on and off. Default value: on.
conditionsConditionYes[ {"key": "URI", "subKey": "","opValue": "contain", "values": "/login.php" }]The trigger conditions. For more information, see Table 1: Fields in the conditions parameter.
ccStatusstringYesoffSpecifies whether to enable rate limiting. Valid values: on and off.
rateLimitRateLimitNo{ "target": "Header", "subKey": "User-Agent", "interval": 5, "threshold": 2, "ttl": 1800}The rate limiting rule. If you set ccStatus to on, you must configure this parameter. For more information, see Table 2: Fields in the rateLimit parameter.
effectstringNoserviceThe effective scope of the rate limiting blacklist. If you set ccStatus to on, you must configure this parameter. Valid values: rule (takes effect for the current rule) and service (takes effect globally).
actionstringYesdenyThe action to perform based on the rule. Valid values: deny, js (JavaScript validation), and monitor.

Table 1: Fields in the conditions parameter

NameTypeRequiredExampleDescription
KeystringYesQuery String ParameterThe match field. For more information, see DescribeDcdnWafFilterInfo .
subKeystringNoactionThe match subfield. For more information, see DescribeDcdnWafFilterInfo .
opValueStringYeseqThe logical operator. For more information, see DescribeDcdnWafFilterInfo .
valuesStringNojsThe content to match. Separate multiple values with commas (,). For more information, see DescribeDcdnWafFilterInfo .

Table 2: Fields in the rateLimit parameter

NameTypeRequiredExampleDescription
targetstringYesHeaderThe statistical field for rate limiting. IP: calculates the frequency at which requests are sent from a specified IP address. Header: calculates the frequency of requests that contain the specified header. Query String Parameter: calculates the frequency of requests that contain the specified parameter. Cookie Name: calculates the frequency of requests that contain the specified cookie. Session: calculates the frequency of requests that are transmitted over a specified session.
subKeystringNoUser-AgentThe subfield of the target field. If you set target to Header, Query String Parameter, or Cookie Name, you must configure subKey.
IntervalIntegerYes5The statistical interval. Valid values: 5 to 1800. Unit: seconds.
thresholdIntegerYes2The number of requests that trigger rate limiting. Valid values: 2 to 500000.
ttlIntegerYes1800The validity period of the blacklist. Valid values: 60 to 86400. Unit: seconds.
statusRateLimitStatusNo{"code": "404", "ratio": 10}Information about the HTTP status code. For more information, see Table 3: Fields in the RateLimitStatus parameter.

Table 3: Fields in the RateLimitStatus parameter

NameTypeRequiredExampleDescription
codetstringYes404The HTTP status code.
ratioIntegerNo10The percentage of HTTP status codes. Valid values: 1 to 100. You can configure either ratio or count.
countIntegerNo10The number of times that the HTTP status code that was returned. Valid values: 2 to 50000. You can configure either ratio or count.

Sample code for custom_acl

[
// Access control
  {
    "name": "acl_1",
    "status": "off",
    "conditions":
    [
      {
        "key": "Query String Parameter",
        "subKey": "action",
        "opValue": "eq",
        "values": "js"
      }
    ],
    "ccStatus": "off",
    "action": "js"
  },
// Rate limiting
  {
    "name": "cc_1",
    "status": "on",
  	"conditions": 
    [
      {
        "key": "URI",
        "subKey": "",
        "opValue": "contain",
        "values": "/login.php"
      },
      {
        "key": "IP",
        "subKey": "",
        "opValue": "ip-contain",
        "values": "192.168.0.1/24"
      }
    ],
    "ccStatus": "on",
    "ratelimit":
    {
      "target": "Header",
      "subKey": "User-Agent",
      "interval": 5,
      "threshold": 2,
      "ttl": 1800,
      "status":
      {
        "code": "404",
        "ratio": 10
      }
    },
    "effect": "service",
    "action": "deny"
  }
]

Scenario 3: whitelist (whitelist)

NameTypeRequiredExampleDescription
namestringYesonThe name of the protection rule. The name can be up to 64 characters in length and can contain letters, digits, and underscores (_).
statusstringNoonSpecifies whether to enable the protection rule. Default value: on. Valid values: on and off.
conditionsConditionYes[{ "key": "Http-Method","subKey": "","opValue": "match-one", "values": "GET,POST,DELETE" }]The conditions that trigger the rule. For more information, see Table 1: Fields in the conditions parameter.
tagsStringYes[ "waf_group", "custom_acl"]The types of the protection policies.
regularTypesStringNo[ [ "sqli", "xss","code_exec", "crlf", "lfilei", "rfilei", "webshell","vvip", "other"]The type of the regular expression. If the value of the tags field contains waf_group, you can specify this field. Valid values: ["sqli", "xss", "code_exec", "crlf", "lfilei", "rfilei", "webshell", "vvip", and "other"].
regularRulesStringNo[ "100001", "100002", "100003"]The regular expression. If the value of the tags field contains waf_group, you can configure only regularRules or regularTypes. The value must be a string that consists of six digits.

Sample code for whitelist:

[
// Skip all scenarios.
  {
    "name": "wl_all",
    "status": "on",
    "conditions":
    [
      {
        "key": "Http-Method",
        "subKey": "",
        "opValue": "match-one",
        "values": "GET,POST,DELETE"
      }
    ],
    "tags":
    [
      "waf_group",
      "custom_acl",
      "ip_blacklist",
      "region_block"
    ]
  },
// Skip the IDs of the rules that are specified in waf_group.  {
    "name": "wl_waf_id",
    "status": "off",
    "conditions":
    [
      {
        "key": "Cookie Name",
        "subKey": "cdn-sec",
        "opValue": "prefix-match",
        "values": "a7sdsa9dsa8d8sa"
      },
      {
        "key": "Referer",
        "subKey": "",
        "opValue": "none",
        "values": ""
      }
    ],
    "tags":
    [
      "waf_group"
    ],
    "regularRules":
    [
      "100001",
      "100002",
      "100003"
    ]
  },
  {
// Skip the types of the rules that are specified in waf_group.
    "name": "wl_waf_type",
    "status": "on",
    "conditions":
    [
      {
        "key": "Query String",
        "subKey": "",
        "opValue": "exists",
        "values": ""
      }
    ],
    "tags":
    [
      "waf_group"
    ],
    "regularTypes":
    [
      "sqli",
      "xss",
      "code_exec",
      "crlf",
      "lfilei",
      "rfilei",
      "webshell",
      "vvip",
      "other"
    ]
  },
// Skip custom rules.
  {
    "name": "wl_custom_acl",
    "status": "on",
    "conditions":
    [
      {
        "key": "Http-Method",
        "subKey": "",
        "opValue": "match-one",
        "values": "GET,POST,DELETE"
      }
    ],
    "tags":
    [
      "custom_acl"
    ]
  },
// Skip the IP address blacklist.
  {
    "name": "wl_ip_blacklist",
    "status": "on",
    "conditions":
    [
      {
        "key": "Http-Method",
        "subKey": "",
        "opValue": "match-one",
        "values": "GET,POST,DELETE"
      }
    ],
    "tags":
    [
      "ip_blacklist"
    ]
  },
// Skip region blocking.
  {
    "name": "wl_region_block",
    "status": "on",
    "conditions":
    [
      {
        "key": "Http-Method",
        "subKey": "",
        "opValue": "match-one",
        "values": "GET,POST,DELETE"
      }
    ],
    "tags":
    [
      "region_block"
    ]
  }
]

Scenario 4: IP address blacklist (ip_blacklist)

NameTypeRequiredExampleDescription
namestringYesipblacklistThe name of the protection rule. The name can be up to 64 characters in length and can contain letters, digits, and underscores (_).
statusstringNoonSpecifies whether to enable the protection rule. Valid values: on and off. Default value: on.
remoteAddr[]StringYes["192.168.0.1","10.10.10.10/24","::1","abcd::abcd","BCDE::BCDE"]Filter by IP address. For more information, see DescribeDcdnWafFilterInfo .
actionstringYesdenyThe action to perform when the rule is matched. Valid values: deny and monitor.

Sample code for ipblacklist:

[
    {
    "name": "ipblacklist",
    "status": "on",
    "remoteAddr": ["192.168.0.1","10.10.10.10/24","::1","abcd::abcd","BCDE::BCDE"],
    "action": "deny"
  }
]

Scenario 5: region blacklist (region_block)

NameTypeRequiredExampleDescription
statusstringNoonSpecifies whether to enable the protection rule. Valid values: on and off. Default value: on.
cnRegionListstringNo110000,TW,MOThe blocked regions in the Chinese mainland. Separate the regions with commas (,). For more information about the regions that can be blocked, see DescribeDcdnWafGeoInfo .
otherRegionListstringNoJP,GBThe blocked regions outside the Chinese mainland. Separate the regions with commas (,). For more information about the regions that can be blocked, see DescribeDcdnWafGeoInfo .
actionstringYesdenyThe action to perform when the rule is matched. Valid values: deny and monitor.

Note You must specify at least one of the ProcessId or ProcessName parameters.

Sample code for region_block:

[
    {
    "status": "on",
    "cnRegionList": "110000,TW,MO",
    "otherRegionList": "JP,GB",
    "action": "deny"
  }
]

Scenario 6: bot management (bot)

Rule template

The following table describes the rule parameters. For more information about parameter values, see the following tables.

ParameterTypeRequiredDescription
typeStringYesThe type of the rule. For more information, see the rule classification.
statusStringYesThe status of the rule. Valid values: on and off.
configTargetTypeNoThe configuration of the rule. For more information, see Rule classification.
actionStringNoThe action to perform when the rule is matched. For more information, see Rule classification.

Rule type 1: protection object type

ParameterTypeRequiredExampleDescription
typeStringYestarget_typeThe type of the rule. Set the value to target_type.
statusStringYesonSpecifies whether to enable the rule. Set the value to on.
configTargetTypeNo{"target":"app"}The configuration of the rule. Format:target: the type of the protection object. This field is required. Valid values: web (web pages and browsers) and app (apps).
actionStringNoLeft emptyThe action to perform when the rule is matched. Leave this parameter empty.

Configuration example of the protection target type:

[
  {
    "type":"target_type",
    "status":"on",
    "config":{"target":"app"},
    "action":""
  }
]

Rule type 2: Web SDK integration

ParameterTypeRequiredExampleDescription
typeStringYesweb_sdkThe type of the rule. Set the value to web_sdk.
statusStringYesonSpecifies whether to enable the rule. Set the value to on.
configWebSdkNo{"mode":"automatic","crossDomain":"example.com"}The configuration of the rule.(Required) mode: the integration mode of the Web SDK. Valid values: automatic and manual.(Optional) crossDomain: cross-origin domain name calling. This parameter takes effect only when the value of mode is automatic.
actionStringNoLeft emptyThe action to perform when the rule is matched. Leave this parameter empty.

Configuration example of Web SDK integration:

[
  {
    "type":"web_sdk",
    "status":"on",
    "config":{"mode":"automatic","crossDomain":"example.com"},
    "action":""
  }
]

Rule classification 3: protection target characteristics

ParameterTypeRequiredExampleDescription
typeStringYestraffic_featureThe type of the rule. Set the value to traffic_feature.
statusStringYesonSpecifies whether to enable the rule. Set the value to on.
configTrafficFeatureYes{"conditions":[{"key":"Header","subKey":"User-Agent","opValue":"contain","values":"Chrome"},{"key":"IP","subKey":"","opValue":"ip-contain","values":"192.168.0.1/24"}]}The configuration of the rule. For more information, see condition.
actionStringNoLeft emptyThe action to perform when the rule is matched. Leave this parameter empty.

condition (match condition)

ParameterTypeRequiredExampleDescription
keyStringYesHeaderThe match field. For more information, see DescribeDcdnWafFilterInfo .
subKeyStringNoUser-AgentThe match subfield. For more information, see DescribeDcdnWafFilterInfo .
opValueStringYescontainThe operator. For more information, see DescribeDcdnWafFilterInfo .
valuesStringNoChromeThe content to match. Separate multiple values with commas (,). For more information, see DescribeDcdnWafFilterInfo .

Configuration example of protection target characteristics:

[
  {
    "type":"traffic_feature",
    "status":"on",
    "config":{"conditions":[{"key":"Header","subKey":"User-Agent","opValue":"contain","values":"Chrome"},{"key":"IP","subKey":"","opValue":"ip-contain","values":"192.168.0.1/24"}]},
    "action":""
  }
]

Rule classification 4: legitimate bot management

ParameterTypeRequiredExampleDescription
typeStringYesintelligence_crawlerThe type of the rule. Set the value to intelligence_crawler.
statusStringYesonSpecifies whether to enable the rule. Set the value to on.
configIntelligenceCrawlerNo{"name":"intelligence_crawler_baidu"}The configuration of the rule. For more information, see name (spider whitelist).
actionStringYesbypassThe action to perform when the rule is matched. Set the value to bypass.

name (spider whitelist)

ValueDescription
intelligence_crawler_allWhitelist for authorized search engines, such as Google, Bing, Baidu, Sogou, 360, and Yandex.
intelligence_crawler_baiduBaidu spider whitelist
intelligence_crawler_sogouSogou spider whitelist
intelligence_crawler_360360 spider whitelist
intelligence_crawler_googleGoogle spider whitelist
intelligence_crawler_bingBing spider whitelist
intelligence_crawler_yandexYandex Spider Whitelist

Configuration example of legitimate bot management:

[
  {
    "type":"intelligence_crawler",
    "status":"on",
    "config":{"name":"intelligence_crawler_baidu"},
    "action":"bypass"
  },
  {
    "type":"intelligence_crawler",
    "status":"on",
    "config":{"name":"intelligence_crawler_google"},
    "action":"bypass"
  }
]

Rule classification 5: script-based bot block (JavaScript)

ParameterTypeRequiredExampleDescription
typeStringYesjsThe type of the rule. Set the value to js.
statusStringYesonSpecifies whether to enable the rule. Valid values: on and off.
configJsNoLeft emptyThe configuration of the rule. Leave the parameter empty.
actionStringYesjsThe action to perform when the rule is matched. Set the value to js (JavaScript validation).

Configuration example of a script-based bot block (JavaScript)

[
  {
    "type":"js",
    "status":"on",
    "config":{},
    "action":"js"
  }
]

Rule classification 6: advanced bot defense (dynamic token-based authentication)

ParameterTypeRequiredExampleDescription
typeStringYessigchlThe type of the rule. Set the value to sigchl.
statusStringYesonSpecifies whether to enable the rule. Valid values: on and off.
configSigchlNo{"sigchl":["sig","replay","driver"]}The configuration of the rule. Format:(Required) sigchl: signature-based verification for request data. Valid values: sig (signature verification exception),replay (signature timestamp exception), and driver (WebDriver attack).
actionStringYessigchlThe action to perform when the rule is matched. Set the value to sigchl (block).

Configuration example of advanced bot defense (dynamic token-based authentication):

[
  {
    "type":"sigchl",
    "status":"on",
    "config":{"sigchl":["sig","replay","driver"]},
    "action":"sigchl"
  }
]

Rule classification 7: intelligent protection

ParameterTypeRequiredExampleDescription
typeStringYesalgorithmThe type of the rule. Set the value to algorithm.
statusStringYesonSpecifies whether to enable the rule. Valid values: on and off.
configAlgorithmNoLeft emptyThe configuration of the rule. Leave the parameter empty.
actionStringYescaptchaThe action to perform when the rule is matched. Valid values: monitor and captcha.

Configuration example of intelligent protection:

[
  {
    "type":"algorithm",
    "status":"on",
    "config":{},
    "action":"captcha"
  }
]

Rule classification 8: IP address throttling

ParameterTypeRequiredExampleDescription
typeStringYescustom_cc_ipThe type of the rule. Set the value to custom_cc_ip.
statusStringYesonSpecifies whether to enable the rule. Valid values: on and off.
configCustomCcIpYes{"interval":20,"target":"IP","threshold":50,"ttl":2800}The configuration of the rule. For more information, see Fields in the config parameter of IP address throttling.
actionStringYesmonitorThe action to perform when the rule is matched. Valid values: deny, monitor, and captcha (only for web).

Fields in the config parameter of IP address throttling

ParameterTypeRequiredExampleDescription
targetStringYesIPThe statistical field of rate limiting. Set the value to IP.
subKeyStringNoLeft emptyThe subfield of the target field. Leave the value empty.
IntervalIntegerYes20The statistical interval. Valid values: 5 to 1800. Unit: seconds.
thresholdIntegerYes50The number of requests that trigger rate limiting. Valid values: 2 to 50000.
ttlIntegerYes2800The validity period of the blacklist. Valid values: 60 to 86400. Unit: seconds.

Configuration example of IP address throttling:

[
  {
    "type":"custom_cc_ip",
    "status":"on",
    "config":{"interval":20,"target":"IP","threshold":50,"ttl":2800},
    "action":"monitor"
  },
  {
    "type":"custom_cc_ip",
    "status":"on",
    "config":{"interval":10,"target":"IP","threshold":30,"ttl":1800},
    "action":"monitor"
  }
]

Rule classification 9: device throttling

ParameterTypeRequiredExampleDescription
typeStringYescustom_cc_devThe type of the rule. Set the value to custom_cc_dev.
statusStringYesonSpecifies whether to enable the rule. Valid values: on and off.
configCustomCcDevYes{"interval":20,"target":"Header","subKey":"aliwaf_wxbb_umid","threshold":50,"ttl":2800}The configuration of the rule. For more information, see Fields in the config parameter of device throttling.
actionStringYesmonitorThe action to perform when the rule is matched. Valid values: deny and monitor.

Fields in the config parameter of device throttling

ParameterTypeRequiredExampleDescription
targetStringYesHeaderThe statistical field for rate limiting. Set the value to Header.
subKeyStringNoaliwaf_wxbb_umidThe subfield of the target field. Set the value to aliwaf_wxbb_umid.
IntervalIntegerYes20The statistical interval. Valid values: 5 to 1800. Unit: seconds.
thresholdIntegerYes50The number of requests that trigger rate limiting. Valid values: 2 to 50000.
ttlIntegerYes2800The validity period of the blacklist. Valid values: 60 to 86400. Unit: seconds.

Configuration example of device throttling:

[
  {
    "type":"custom_cc_dev",
    "status":"on",
    "config":{"interval":20,"target":"Header","subKey":"aliwaf_wxbb_umid","threshold":50,"ttl":2800},
    "action":"monitor"
  },
  {
    "type":"custom_cc_dev",
    "status":"on",
    "config":{"interval":20,"target":"Header","subKey":"aliwaf_wxbb_umid","threshold":50,"ttl":2800},
    "action":"deny"
  }
]

Rule classification 10: custom session-based throttling

ParameterTypeRequiredExampleDescription
typeStringYescustom_ccThe type of the rule. Set the value to custom_cc.
statusStringYesonSpecifies whether to enable the rule. Valid values: on and off.
configCustomCcIpYes{"interval":10,"target":"Query String Parameter","subKey":"arg","threshold":30,"ttl":1800}The configuration of the rule. For more information, see Fields in the config parameter of custom session-based throttling.
actionStringYesmonitorThe action to perform when the rule is matched. Valid values: deny, monitor, and captcha (only for web).

Fields in the config parameter of custom session-based throttling

ParameterTypeRequiredExampleDescription
targetStringYesQuery String ParameterThe statistical field for rate limiting. Valid values: Header, calculates the frequency of requests that contain the specified header; Query String Parameter, calculates the frequency of requests that contain the specified parameter; Cookie Name, calculates the frequency of requests that contain the specified cookie; and Session, calculates the frequency of requests that are transmitted over a specified session.
subKeyStringNoargThe subfield of the target field. You can customize the value.
IntervalIntegerYes10The statistical interval. Valid values: 5 to 1800. Unit: seconds.
thresholdIntegerYes30The number of requests that trigger rate limiting. Valid values: 2 to 50000.
ttlIntegerYes2800The validity period of the blacklist. Valid values: 60 to 86400. Unit: seconds.

Configuration example of custom session-based throttling:

[
  {
    "type":"custom_cc",
    "status":"on",
    "config":{"interval":10,"target":"Query String Parameter","subKey":"arg","threshold":30,"ttl":1800},
    "action":"deny"
  },
  {
    "type":"custom_cc",
    "status":"on",
    "config":{"interval":10,"target":"Query String Parameter","subKey":"arg","threshold":30,"ttl":1800},
    "action":"captcha"
  }
]

Rule classification 11: bot threat intelligence library

ParameterTypeRequiredExampleDescription
typeStringYesintelligenceThe type of the rule. Set the value to intelligence.
statusStringYesonSpecifies whether to enable the rule. Valid values: on and off.
configIntelligenceNoLeft emptyThe configuration of the rule. Leave the parameter empty.
actionStringYescaptchaThe action to perform when the rule is matched. Valid values: monitor and captcha.

Configuration example of bot threat intelligence library:

[
  {
    "type":"intelligence",
    "status":"on",
    "config":{},
    "action":"captcha"
  }
]

Rule classification 12: data center blacklist

ParameterTypeRequiredExampleDescription
typeStringYesintelligence_idcThe type of the rule. Set the value to intelligence_idc.
statusStringYesonSpecifies whether to enable the rule. Valid values: on and off.
configIntelligenceIdcYes{"name":"intelligence_idc_alibaba"}The configuration of the rule. For more information, see Values of name.
actionStringYescaptchaThe action to perform when the rule is matched. Valid values: deny, monitor, and captcha.

Values of name

Parameter ValueDefinition
intelligence_idc_alibabaData center IP address library-Alibaba Cloud
intelligence_idc_tencentData center IP address library-Tencent Cloud
intelligence_idc_mtyunData center IP address library-Meituan Open Services
intelligence_idc_vnetData center IP address library-21Vianet
intelligence_idc_otherData center IP address library-Others

Configuration example of data center blacklist

[
  {
    "type":"intelligence_idc",
    "status":"on",
    "config":{"name":"intelligence_idc_alibaba"},
    "action":"captcha"
  },
  {
    "type":"intelligence_idc",
    "status":"on",
    "config":{"name":"intelligence_idc_tencent"},
    "action":"captcha"
  }
]

Rule classification 13: fake spider blocking

ParameterTypeRequiredExampleDescription
typeStringYesintelligence_fake_crawlerThe type of the rule. Set the value to intelligence_fake_crawler.
statusStringYesonSpecifies whether to enable the rule. Valid values: on and off.
configIntelligenceFakeCrawlerNoLeft emptyThe configuration of the rule. Leave the parameter empty.
actionStringYesdenyThe action to perform when the rule is matched. Set the value to deny.

Configuration example of fake spider blocking:

[
  {
    "type": "intelligence_fake_crawler",
    "status": "on",
    "config":{},
    "action": "deny"
  }
]

Rule classification 14: bot characteristic detection

ParameterTypeRequiredExampleDescription
typeStringYesapp_sdkThe type of the rule. Set the value to app_sdk.
statusStringYesonSpecifies whether to enable the rule. Set the value to on.
configAppSdkYes{"featureAbnormal":["simulator","proxy","root","debugged","hook","virtual","antiReplay","signInvalid"],"customSignStatus":"on","customSign":{"key":"header","value":"ua"}}The configuration of the rule. For more information, see Fields in the config parameter of bot characteristic detection.
actionStringYesmonitorThe action to perform when the rule is matched. Valid values: deny and monitor.

Fields in the config parameter of bot characteristic detection

ParameterTypeRequiredExampleDescription
featureAbnormal[]StringYessimulatorsignInvalid: The app signature is invalid.antiReplay: The signature expired.simulator: Uses a simulator.proxy: Uses a proxy.root: Root device.debugged: The debugging mode.hook: The app is hooked.virtual: Multiboxing.
customSignStatusStringNoonSpecifies whether to enable the custom signature field. Valid values: on and off.
customSignCustomSignNo{"key":"header","value":"ua"}The custom signature field. Format:(Required) key: the name of the field. Valid values: header, arg, and cookie.(Required) value: the value of the field.

Configuration example of bot characteristic detection:

[
  {
    "type": "app_sdk",
    "status": "on",
    "config": {"featureAbnormal":["simulator","proxy","root","debugged","hook","virtual","antiReplay","signInvalid"],"customSignStatus":"on","customSign":{"key":"header","value":"ua"}},
    "action": "monitor"
  }
]

Rule classification 15: advanced protection (secondary packaging detection)

ParameterTypeRequiredExampleDescription
typeStringYesapp_packageThe type of the rule. Set the value to app_package.
statusStringYesonSpecifies whether to enable the rule. Set the value to on.
configAppPackageNo{"packageSigns":[{"name":"aaaaa","sign":"bbbb"},{"name":"cccc","sign":"dddd"}]}The configuration of the rule. For more information, see Fields in the packageSigns parameter.
actionStringYesmonitorThe action to perform when the rule is matched. Valid values: deny and monitor.

Fields in the packageSigns parameter

ParameterTypeRequiredExampleDescription
nameStringYesaaaaaThe valid package name.
signStringNobbbbThe signature of the package.

Configuration examples of advanced protection (secondary packaging detection):

[
  {
    "type": "app_package",
    "status": "on",
    "config": {"packageSigns":[{"name":"aaaaa","sign":"bbbb"},{"name":"cccc","sign":"dddd"}]},
    "action": "deny"
  }
]

Configuration example of bot management and web page/browser protection

[
    {
        "type": "target_type",
        "status": "on",
        "config":
        {
            "target": "web"
        },
        "action": ""
    },
    {
        "type": "web_sdk",
        "status": "on",
        "config":
        {
            "mode": "automatic",
            "crossDomain": "example.com"
        },
        "action": ""
    },
    {
        "type": "traffic_feature",
        "status": "on",
        "config":
        {
            "conditions":
            [
                {
                    "key": "Header",
                    "subKey": "User-Agent",
                    "opValue": "contain",
                    "values": "Chrome"
                },
                {
                    "key": "IP",
                    "subKey": "",
                    "opValue": "ip-contain",
                    "values": "192.168.0.1/24"
                }
            ]
        },
        "action": ""
    },
    {
        "type": "intelligence_crawler",
        "status": "on",
        "config":
        {
            "name": "intelligence_crawler_baidu"
        },
        "action": "bypass"
    },
    {
        "type": "intelligence_crawler",
        "status": "on",
        "config":
        {
            "name": "intelligence_crawler_google"
        },
        "action": "bypass"
    },
    {
        "type": "js",
        "status": "on",
        "config":
        {},
        "action": "js"
    },
    {
        "type": "sigchl",
        "status": "on",
        "config":
        {
            "sigchl":
            [
                "sig",
                "replay",
                "driver"
            ]
        },
        "action": "sigchl"
    },
    {
        "type": "algorithm",
        "status": "on",
        "config":
        {},
        "action": "captcha"
    },
    {
        "type": "custom_cc_ip",
        "status": "on",
        "config":
        {
            "interval": 20,
            "target": "IP",
            "threshold": 50,
            "ttl": 2800
        },
        "action": "monitor"
    },
    {
        "type": "custom_cc_ip",
        "status": "on",
        "config":
        {
            "interval": 10,
            "target": "IP",
            "threshold": 30,
            "ttl": 1800
        },
        "action": "monitor"
    },
    {
        "type": "custom_cc",
        "status": "on",
        "config":
        {
            "interval": 10,
            "target": "Query String Parameter",
            "subKey": "arg",
            "threshold": 30,
            "ttl": 1800
        },
        "action": "deny"
    },
    {
        "type": "custom_cc",
        "status": "on",
        "config":
        {
            "interval": 10,
            "target": "Query String Parameter",
            "subKey": "arg",
            "threshold": 30,
            "ttl": 1800
        },
        "action": "captcha"
    },
    {
        "type": "intelligence",
        "status": "on",
        "config":
        {},
        "action": "captcha"
    },
    {
        "type": "intelligence_idc",
        "status": "on",
        "config":
        {
            "name": "intelligence_idc_alibaba"
        },
        "action": "captcha"
    },
    {
        "type": "intelligence_idc",
        "status": "on",
        "config":
        {
            "name": "intelligence_idc_tencent"
        },
        "action": "captcha"
    },
    {
        "type": "intelligence_fake_crawler",
        "status": "on",
        "config":
        {},
        "action": "deny"
    }
]

Configuration example of bot management and app protection

[
    {
        "type": "target_type",
        "status": "on",
        "config":
        {
            "target": "app"
        },
        "action": ""
    },
    {
        "type": "traffic_feature",
        "status": "on",
        "config":
        {
            "conditions":
            [
                {
                    "key": "Header",
                    "subKey": "User-Agent",
                    "opValue": "contain",
                    "values": "Chrome"
                },
                {
                    "key": "IP",
                    "subKey": "",
                    "opValue": "ip-contain",
                    "values": "192.168.0.1/24"
                }
            ]
        },
        "action": ""
    },
    {
        "type": "custom_cc_ip",
        "status": "on",
        "config":
        {
            "interval": 20,
            "target": "IP",
            "threshold": 50,
            "ttl": 2800
        },
        "action": "monitor"
    },
    {
        "type": "custom_cc_ip",
        "status": "on",
        "config":
        {
            "interval": 10,
            "target": "IP",
            "threshold": 30,
            "ttl": 1800
        },
        "action": "monitor"
    },
    {
        "type": "custom_cc_dev",
        "status": "on",
        "config":
        {
            "interval": 20,
            "target": "Header",
            "subKey": "aliwaf_wxbb_umid",
            "threshold": 50,
            "ttl": 2800
        },
        "action": "monitor"
    },
    {
        "type": "custom_cc_dev",
        "status": "on",
        "config":
        {
            "interval": 20,
            "target": "Header",
            "subKey": "aliwaf_wxbb_umid",
            "threshold": 50,
            "ttl": 2800
        },
        "action": "deny"
    },
    {
        "type": "custom_cc",
        "status": "on",
        "config":
        {
            "interval": 10,
            "target": "Query String Parameter",
            "subKey": "arg",
            "threshold": 30,
            "ttl": 1800
        },
        "action": "monitor"
    },
    {
        "type": "custom_cc",
        "status": "on",
        "config":
        {
            "interval": 10,
            "target": "Query String Parameter",
            "subKey": "arg",
            "threshold": 30,
            "ttl": 1800
        },
        "action": "deny"
    },
    {
        "type": "app_sdk",
        "status": "on",
        "config":
        {
            "featureAbnormal":
            [
                "simulator",
                "proxy",
                "root",
                "debugged",
                "hook",
                "virtual",
                "antiReplay",
                "signInvalid"
            ],
            "customSignStatus": "on",
            "customSign":
            {
                "key": "header",
                "value": "ua"
            }
        },
        "action": "monitor"
    },
    {
        "type": "app_package",
        "status": "on",
        "config":
        {
            "packageSigns":
            [
                {
                    "name": "aaaaa",
                    "sign": "bbbb"
                },
                {
                    "name": "cccc",
                    "sign": "dddd"
                }
            ]
        },
        "action": "deny"
    }
]

Scenario 7: scan protection (anti_scan)

Rule template

The following table describes the rule parameters. For more information about parameter values, see the following tables.

ParameterTypeRequiredDescription
typeStringYesThe type of the rule. For more information, see the rule classification.
statusStringNoThe status of the rule. Valid values: on and off.
configTypeNoThe configuration of the rule. For more information, see the rule classification.
actionStringNoThe action to perform when the rule is matched. For more information, see the rule classification.

Rule type 1: high-frequency scanning blocking

ParameterTypeRequiredExampleDescription
typeStringYeshigh_frequencyThe type of the rule. Set the value to high_frequency.
statusStringYesonSpecifies whether to enable the rule. Valid values: on and off. Default value: on.
configHighFrequencyNo{"target":"IP","interval":20,"wafBlockThreshold":20,"ttl":1800,"distinctWafRuleThreshold":2}The configuration of the rule. For more information, see the following structure string.
actionStringNodenyThe action to perform when the rule is matched. Valid values: deny and monitor.
  • Fields in the HighFrequency parameter
ParameterTypeRequiredExampleDescription
targetStringYesIPThe statistical field for rate limiting. Valid values: IP, Session, Header, Query String Parameter, and Cookie Name.
subKeyStringNoyoursubKeyThe subfield of a statistical field. This parameter is valid if you set target to Header, Query String Parameter, or Cookie Name. For example, if you set target to Header, the value of subKey is the key of the header.
intervalIntegerYes20The statistical interval. Valid values: 5 to 1800. Unit: seconds.
wafBlockThresholdIntegerYes20The number of times that basic protection rules can be triggered. Valid values: 3 to 50000.
ttlIntegerYes1800The blocking duration. Valid values: 60 to 86400. Unit: seconds.
distinctWafRuleThresholdIntegerYes2The threshold of triggered rules. Valid values: 1 to 50.
[
  {
    "type":"high_frequency",
    "status":"on",
    "config":{"target":"IP","interval":20,"wafBlockThreshold":20,"ttl":1800,"distinctWafRuleThreshold":2},
    "action":"deny"
  }
]

Rule type 2: directory traversal blocking

ParameterTypeRequiredExampleDescription
typeStringYesdirectory_traversalThe type of the rule. Set the value to directory_traversal.
statusStringYesonSpecifies whether to enable the rule. Valid values: on and off. Default value: on.
configDirectoryTraversalNo{"target":"IP","interval":10,"threshold":50,"status":{"code":"404","ratio":70,"count":50},"ttl":1800}The configuration of the rule. For more information, see the following structure string.
actionStringNodenyThe action to perform when the rule is matched. Valid values: deny and monitor.
  • Fields in the DirectoryTraversal parameter
ParameterTypeRequiredExampleDescription
targetStringYesIPThe statistical field for rate limiting. Valid values: IP, Session, Header, Query String Parameter, and Cookie Name.
subKeyStringNoyoursubKeyThe subfield of a statistical field. This parameter is valid if you set target to Header, Query String Parameter, or Cookie Name. For example, if you set target to Header, the value of subKey is the key of the header.
intervalIntegerYes10The statistical interval. Valid values: 5 to 1800. Unit: seconds.
thresholdIntegerYes50The number of times that the protected object is requested. Valid values: 2 to 50000.
statusRateLimitStatusYes{"code":"404","ratio":70,"count":50}The response code.
ttlIntegerYes1800The blocking duration. Valid values: 60 to 86400. Unit: seconds.
  • Fields in the RateLimitStatus parameter
ParameterTypeRequiredExampleDescription
codeStringYesExampleThe HTTP status code. Set the value to 404.
ratioIntegerYesExampleThe percentage of HTTP 404 status codes. Valid values: 1 to 100.
countIntegerYesExampleThe number of non-existent directories. Valid values: 2 to 50000.
[
  {
    "type":"directory_traversal",
    "status":"on",
    "config":{"target":"IP","interval":10,"threshold":50,"status":{"code":"404","ratio":70,"count":50},"ttl":1800},
    "action":"deny"
  }
]

Rule type 3: scanner blocking

ParameterTypeRequiredExampleDescription
typeStringYesscan_toolsThe type of the rule. Set the value to scan_tools.
statusStringYesonSpecifies whether to enable the rule. Valid values: on and off. Default value: on.
configScanToolsNoNo default valueThe configuration of the rule. Leave this parameter empty.
actionStringNodenyThe action to perform when the rule is matched. Valid values: deny and monitor.
[
  {
    "type":"scan_tools",
    "status":"on",
    "config":{},
    "action":"deny"
  }
]

Final parameter combination

[
    {
    "type":"high_frequency",
    "status":"on",
    "config":{"target":"IP","interval":20,"wafBlockThreshold":20,"ttl":1800,"distinctWafRuleThreshold":2},
    "action":"deny"
  },
  {
    "type":"directory_traversal",
    "status":"on",
    "config":{"target":"IP","interval":10,"threshold":50,"status":{"code":"404","ratio":70,"count":50},"ttl":1800},
    "action":"deny"
  },
  {
    "type":"scan_tools",
    "status":"on",
    "config":{},
    "action":"deny"
  }
]

Response parameters

ParameterTypeDescriptionExample
object
RequestIdstring

The ID of the request.

CB1A380B-09F0-41BB-280B-72F8FD6DA2FE
RuleIdsarray

The IDs of created rules.

string
100001,200002

Examples

Sample success responses

JSONformat

{
  "RequestId": "CB1A380B-09F0-41BB-280B-72F8FD6DA2FE",
  "RuleIds": {
    "RuleId": [
      "100001,200002"
    ]
  }
}

Error codes

HTTP status codeError codeError messageDescription
400InvalidParameterThe specified parameter is invalid.A parameter is set to an invalid value.
400Policy.NotExistThe specified policy does not exist.The specified protection policy does not exist.
400RuleConfigs.MalformedThe specified RuleConfigs format is invalid.The RuleConfigs parameter is in an invalid format.
400RuleName.AlreadyExistsRule name already exists in specified policy.The specified rule name is already used by another rule.
400Rule.QuantityOverflowRules are overflowed quantity in specified policy.The number of rules in the specified policy has already reached the upper limit.
403%s.NotSupportThe specified resource type %s is not supported.The specified resource type is not supported. To use this type of resource, contact us.
403%s.OverQuotaThe quantity of %s exceeds the quota.The number of resources exceeds the quota. If you want to apply for more resources, contact us.
500InternalErrorAn internal error occurred; please try again later.An internal error occurred. Try again later. If the error persists, submit a ticket.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2023-08-29The Error code has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    delete Error Codes: 400
    delete Error Codes: 500
    Added Error Codes: 403