Match fields provide multidimensional configuration options.
Field categories
ESA supports three types of match fields:
Standard fields: indicate information about standard protocols such as HTTP, IP, and TLS carried in client requests or responses. Standard fields include the hostname, request header, and response header.
Extended fields: indicate the calculated values obtained by ESA after performing specific operations on client requests or responses. Extended fields are generally related to threat intelligence of HTTP requests.
Original fields: indicate the original property values of client requests retained by ESA. Original fields are generally used to retain the original property values when client requests are transferred among multiple ESA function modules.
Example: (http.host eq "example-1.com")
Standard fields
Standard fields include common fields in HTTP requests and in IP information.
http.cookie
The Cookie header carried in an HTTP request.
Field name: Cookie
Type: String
Case-sensitive.
Empty string allowed in the match value.
Example:
"sessionid=330688;userid=abc123"
http.host
The hostname used in an HTTP request.
Field name: Hostname
Type: String
Case-insensitive.
Empty string not allowed in the match value.
Example:
"www.example.com"
http.referer
The Referer header carried in an HTTP request.
Field name: Referer
Type: String
Case-insensitive.
Empty string allowed in the match value.
Example:
"http://www.example.com/index"
http.request.body.form
The request body in form format carried in an HTTP request when the value of the Content-Type header is application/x-www-form-urlencoded, represented as a Map (associative array).
Field name: BodyQuery String
Type: Map<Array<String>>
Example:
{"username":["admin"]}
http.request.body.mime
The Multipurpose Internet Mail Extensions (MIME) type detected in the body of an HTTP request. The most common MIME types for common types of resources such as videos, audios, images, applications, and text are supported.
Field name: MIME Type
Type: String
Example:
"application/json"
http.request.cookies
The Cookie header carried in an HTTP request, represented as a map (associative array).
Field name: Cookie Value
Type: String
Case-sensitive.
Empty string allowed in the match value.
Example:
{"sessionid":["330668"]}
http.request.full_uri
The complete Uniform Resource Identifier (URI) of an HTTP request, including the protocol, hostname, path, and query string.
Field name: Full URI
Type: String
Case-sensitive.
Empty string not allowed in the match value.
Example:
"https://www.example.com/image/cat.jpg?width=400&height=300&format=webp"
http.request.headers
The headers included in an HTTP request, represented as a map (associative array). All letters in the keys (header names) of the associative array must be lowercase.
Field name: Header
Type: Object
Case-sensitive.
Empty string allowed in the match value.
Example:
{"content-type":["application/json"]}
http.request.method
The request method used in an HTTP request.
Field name: Request Method
Type: String
Example:
"GET"
http.request.timestamp.sec
The UNIX timestamp (in seconds) when the ESA point of presence (POP) receives an HTTP request.
Field name: Request Timestamp
Type: Integer
UNIX time: (1735019278)
Example:
1735019278
http.request.uri
The URI of an HTTP request, including the path and query string.
Field name: URI
Type: String
Case-sensitive.
Empty string not allowed in the match value.
Example:
"/image/cat.jpg?width=400&height=300&format=webp"
http.request.uri.args
The query string in the URI of an HTTP request, represented as a map (associative array).
Field name: URI Query String Parameter
Type: Map<Array<String>>
Case-sensitive.
Empty string allowed in the match value.
Example:
{"format":["webp"]}
Note: You can specify a null value only when you select one of the following match operators:
equal to
not equal to
contains
matches regex
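How the URI-derived fields on this page relate to one another, as an added example (not ESA's own code). It models the field descriptions with Python's standard library; the split rule in `split_file_name` is an assumption inferred from the file name and extension tables in the entries further down, and the handling of repeated query parameters is `urllib`'s behaviour, not a documented ESA guarantee.

```python
from urllib.parse import urlsplit, parse_qs

# Sample value taken from the http.request.full_uri entry on this page.
SAMPLE = "https://www.example.com/image/cat.jpg?width=400&height=300&format=webp"

def split_file_name(path):
    """Return (full_file_name, file_name, extension) for a URI path.

    Assumed rule, inferred from the page's tables: split the last path
    segment at its final dot; a segment whose only dot is the leading one
    ("/.jpg") yields an empty file name and an empty extension.
    """
    segment = path.rsplit("/", 1)[-1]
    dot = segment.rfind(".")
    if dot == -1:
        return segment, segment, ""
    if dot == 0:
        return segment, "", ""
    return segment, segment[:dot], segment[dot + 1:]

def uri_fields(full_uri):
    """Derive the URI-related match fields from one full URI."""
    parts = urlsplit(full_uri)
    full_name, name, ext = split_file_name(parts.path)
    return {
        "http.host": parts.hostname,
        "http.request.uri": parts.path + ("?" + parts.query if parts.query else ""),
        "http.request.uri.path": parts.path,
        "http.request.uri.query": parts.query,
        # Map<Array<String>>: a repeated parameter yields several values.
        "http.request.uri.args": parse_qs(parts.query, keep_blank_values=True),
        "http.request.uri.path.full_file_name": full_name,
        "http.request.uri.path.file_name": name,
        "http.request.uri.path.extension": ext,
    }

def extension_in(full_uri, values):
    """Case-sensitive 'extension is one of values' test, as documented."""
    return uri_fields(full_uri)["http.request.uri.path.extension"] in values

if __name__ == "__main__":
    for field, value in uri_fields(SAMPLE).items():
        print(f"{field:40} {value!r}")
    # "/cat.JPG" has extension "JPG", so a rule listing only "jpg" skips it.
    print(extension_in("https://www.example.com/cat.JPG", {"jpg"}))
```

Because the extension field is case-sensitive and only reflects the text after the final dot, a rule meant to cover an extension should list every case variant it needs to match.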
http.request.uri.path
The URI path in an HTTP request.
Field name: URI Path
Type: String
Case-sensitive.
Empty string not allowed in the match value.
Example:
"/image/cat.jpg"
http.request.uri.path.extension
The file name extension in the URI path in an HTTP request.
Field name: File Name Extension
Type: String
Case-sensitive.
Empty string not allowed in the match value.
Example:
URI path | Field value |
/cat | "" |
/cat.jpg | "jpg" |
/.jpg | "" |
/.cat.jpg | "jpg" |
/cat.jpg.tar | "tar" |
/cat. | "" |
/cat.JPG | "JPG" |
http.request.uri.path.file_name
The file name in the URI path in an HTTP request.
Field name: File Name
Type: String
Case-sensitive.
Empty string not allowed in the match value.
Example:
URI path | Field value |
/cat | "cat" |
/cat.jpg | "cat" |
/.jpg | "" |
/.cat.jpg | ".cat" |
/cat.jpg.tar | "cat.jpg" |
/cat. | "cat" |
/CAT.jpg | "CAT" |
http.request.uri.path.full_file_name
The full file name in the URI path in an HTTP request.
Field name: Full File Name
Type: String
Case-sensitive.
Empty string not allowed in the match value.
Example:
"cat.jpg"
http.request.uri.query
The URI query string in an HTTP request.
Field name: URI Query String
Type: String
Case-sensitive.
Empty string not allowed in the match value.
Example:
"width=400&height=300&format=webp"
http.request.version
The HTTP version in an HTTP request.
Field name: HTTP Version
Type: String
Example:
"HTTP/1.0", "HTTP/1.1", "HTTP/2.0", "HTTP/3.0"
http.user_agent
The User-Agent header carried in an HTTP request.
Field name: User Agent
Type: String
Case-sensitive.
Empty string allowed in the match value.
Example:
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.X.X Safari/537.36"
http.x_forwarded_for
The X-Forwarded-For header carried in an HTTP request.
Field name: X-Forwarded-For
Type: String
Case-sensitive.
Empty string allowed in the match value.
Example:
"192.168.0.1, 10.10.0.1"
ip.geoip.asnum
The autonomous system number (ASN) of the CIDR block to which the source IP address belongs. For more information, see What is an ASN?
Field name: ASN
Type: Number
Example:
37963
ip.geoip.continent
The continent where the request source IP address is located.
Field name: Continent
Type: String
Example:
AS
Continent name | Continent code |
Africa | AF |
Antarctica | AN |
Asia | AS |
Europe | EU |
North America | NA |
Oceania | OC |
South America | SA |
ip.geoip.country
The country or region where the request source IP address is located. For more information, see Introduction of the ISO 3166 standard.
Field name: Country or Region
Type: String
Case-insensitive.
Empty string not allowed in the match value.
Example:
"CN"
ip.src
The request source IP address.
Field name: Client IP
Type: IP address
Case-insensitive.
Empty string not allowed in the match value.
Example:
192.0.2.1
ip.src.isp
The Internet service provider (ISP) of the request source IP address.
Field name: ISP
Type: String
Example:
"100017"
ISP name | ISP code |
China Telecom | 100017 |
China Mobile | 100025 |
China Unicom | 100026 |
China Netcom | 100016 |
China Tietong | 100020 |
Great Wall Broadband | 100061 |
China Education and Research Network (CERNET) | 100027 |
China Broadcasting Network | 1000139 |
Beijing Gehua CATV Network | 100080 |
Dr.Peng Group | 1000143 |
Alibaba | 100098 |
Alibaba Cloud | 1000323 |
Tencent | 1000401 |
Baidu | 100099 |
ChinaNetCenter | 100093 |
ip.src.version
The IP version of the request source IP address.
Field name: IP Version
Type: String
Example:
"IPv4", "IPv6"
ip.src.subdivision_1_iso_code
The ISO code of the first-level subdivision area in the geographic location of the request source IP address. For more information, see Introduction of the ISO 3166 standard.
Field name: Province
Type: String
Case-sensitive.
Example:
"CN-ZJ"
ip.src.region_code
The region code of the load balancer in the geographic location of the request source IP address.
Field name: Load Balancer Region
Type: String
Case-sensitive.
Example:
"EAS"
Region name | Region code |
Eastern Europe | EEU |
Western Europe | WEU |
North America | NAM |
South America | SAM |
Middle East | ME |
North Africa | NAF |
South Africa | SAF |
Oceania | OC |
East Asia | EAS |
Southeast Asia | SEAS |
South Asia | SAS |
Chinese Mainland | CNM |
ssl
Indicates whether the request uses the SSL or TLS protocol.
Field name: SSL/HTTPS
Type: Boolean
Example:
true
Extended fields
Dynamic fields are custom fields provided by ESA in special scenarios.
ali.ja3_hash
The JA3 fingerprint is generated by collecting specific fields from the Client Hello message during the TLS handshake. These fields are the TLS version, accepted cipher suites, extension list, elliptic curves, and elliptic curve point formats. An MD5 hash is then computed over these fields.
Field name: JA3 Fingerprint
Type: String
Example:
d0bfcdbbf2c6aeb4e0fbcf8234fd6cb6
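The derivation described above, as an added example (not ESA's own code). The string layout (decimal values, "-" between values, "," between the five fields, GREASE values dropped) follows the publicly documented JA3 method rather than anything stated on this page, and the Client Hello values are constructed for illustration.

```python
import hashlib

# GREASE placeholder values (RFC 8701): 0x0A0A, 0x1A1A, ... 0xFAFA.
# Clients insert them at random, so JA3 leaves them out of the fingerprint.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the pre-hash JA3 string from Client Hello values (integers)."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([
        str(version),
        join(ciphers),
        join(extensions),
        join(curves),
        join(point_formats),
    ])

def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """MD5 of the JA3 string: the 32-character value a rule compares against."""
    text = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(text.encode("ascii")).hexdigest()

# Constructed Client Hello (not captured traffic): TLS 1.2 record version 771,
# with one GREASE value in the cipher, extension and curve lists.
CLIENT_HELLO = dict(
    version=771,
    ciphers=[0x0A0A, 4865, 4866, 4867, 49195],
    extensions=[0x1A1A, 0, 23, 65281, 10, 11],
    curves=[0x2A2A, 29, 23, 24],
    point_formats=[0],
)

if __name__ == "__main__":
    print(ja3_string(**CLIENT_HELLO))
    print(ja3_hash(**CLIENT_HELLO))
```

The fingerprint depends on the order of the offered values, so two clients offering the same cipher suites in a different order produce different hashes.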
ali.ja4
The JA4 fingerprint is an evolved version of the JA3 fingerprint technology. It contains more handshake procedure information and uses different processing methods for existing information to improve the uniqueness and accuracy of the fingerprint.
Field name: JA4 Fingerprint
Type: String
Example:
d0bfcdbbf2c6aeb4e0fbcf8234fd6cb6
ali.js_detection.passed
Indicates whether the request has passed JavaScript verification.
Field name: JavaScript Verified
Type: Boolean
Example:
true
ali.static_resource
Indicates whether the request is a static request.
Field name: Static Request
Type: Boolean
Example:
true
ali.tls_client_auth.cert_verified
Indicates whether the client certificate has been verified.
Field name: Client Certificate Verified
Type: Boolean
Example:
true
ali.tls_hash
The hash value corresponding to the TLS information carried in a request.
Field name: TLS Fingerprint
Type: String
Example:
ABC123HASH
Original fields
Original fields ensure that the original property values of client requests are persisted when they are transferred among multiple ESA function modules, preventing loss of source data characteristics due to internal logic processing.
http.request.body.raw
The original body content of an HTTP request.
Field name: HTTP Request Body
Type: String
Example:
"ABC123"