Match fields provide multidimensional configuration options.
Field categories
ESA supports three types of match fields:
Standard fields: indicate information about standard protocols such as HTTP, IP, and TLS carried in client requests or responses. Standard fields include the hostname, request header, and response header.
Extended fields: indicate the calculated values obtained by ESA after performing specific operations on client requests or responses. Extended fields are generally related to threat intelligence of HTTP requests.
Original fields: indicate the original property values of client requests retained by ESA. Original fields are generally used to retain the original property values when client requests are transferred among multiple ESA function modules.
Example: (http.host eq "example-1.com")
Standard fields
Standard fields include common fields in HTTP requests and in IP information.
http.cookie
The Cookie header carried in an HTTP request.
Field name: Cookie
Type:
String
Case-sensitive.
Empty string allowed in the match value.
Example:
"sessionid=330688;userid=abc123"
http.host
The hostname used in an HTTP request.
Field name: Hostname
Type:
String
Case-insensitive.
Empty string not allowed in the match value.
Example:
"www.example.com"
http.referer
The Referer header carried in an HTTP request.
Field name: Referer
Type:
String
Case-insensitive.
Empty string allowed in the match value.
Example:
"http://www.example.com/index"
http.request.body.form
The request body in form format carried in an HTTP request when the value of the Content-Type header is application/x-www-form-urlencoded, represented as a Map (associative array).
Field name: Body Query String
Type:
Map<Array<String>>
Example:
{"username":["admin"]}
http.request.body.mime
The Multipurpose Internet Mail Extensions (MIME) type detected in the body of an HTTP request. The most common MIME types for common types of resources such as videos, audios, images, applications, and text are supported.
Field name: MIME Type
Type:
String
Example:
"application/json"
http.request.cookies
The Cookie header carried in an HTTP request, represented as a map (associative array).
Field name: Cookie Value
Type:
String
Case-sensitive.
Empty string allowed in the match value.
Example:
{"sessionid":["330668"]}
http.request.full_uri
The complete Uniform Resource Identifier (URI) of an HTTP request, including the protocol, hostname, path, and query string.
Field name: Full URI
Type:
String
Case-sensitive.
Empty string not allowed in the match value.
Example:
"https://www.example.com/image/cat.jpg?width=400&height=300&format=webp"
http.request.headers
The headers included in an HTTP request, represented as a map (associative array). All letters in the keys (header names) of the associative array must be lowercase.
Field name: Header
Type:
Object
Case-sensitive.
Empty string allowed in the match value.
Example:
{"content-type":["application/json"]}
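The map-typed request fields described so far, modelled locally as an added example (not ESA's own code). The sample request is constructed from this page's example values; the handling of repeated headers and the cookie splitting are assumptions of the model.

```python
# Added example: local model of ESA's map-typed request fields (not ESA code).
from urllib.parse import parse_qs

# Constructed sample request; values reuse the examples on this page.
RAW_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: sessionid=330688;userid=abc123\r\n"
    "X-Forwarded-For: 192.168.0.1, 10.10.0.1\r\n"
    "\r\n"
    "username=admin"
)


def request_fields(raw):
    """Map one raw HTTP/1.x request onto the match fields it would populate."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, _target, version = request_line.split(" ")

    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        # Keys are lowercase per the page; repeated headers share one array (assumed).
        headers.setdefault(name.strip().lower(), []).append(value.strip())

    cookie = "; ".join(headers.get("cookie", []))
    cookies = {}
    for pair in filter(None, (p.strip() for p in cookie.split(";"))):
        key, _, value = pair.partition("=")
        cookies.setdefault(key, []).append(value)

    fields = {
        "http.request.method": method,
        "http.request.version": version,
        "http.request.headers": headers,
        "http.cookie": cookie,
        "http.request.cookies": cookies,
        "http.x_forwarded_for": ", ".join(headers.get("x-forwarded-for", [])),
        "http.request.body.raw": body,
    }
    # body.form is populated only for application/x-www-form-urlencoded bodies.
    content_type = headers.get("content-type", [""])[0].split(";")[0].strip().lower()
    if content_type == "application/x-www-form-urlencoded":
        fields["http.request.body.form"] = parse_qs(body, keep_blank_values=True)
    return fields
```

A rule that looks up `http.request.headers` with a mixed-case key such as `Content-Type` finds nothing in this model, because every key is stored in lowercase.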
http.request.method
The request method used in an HTTP request.
Field name: Request Method
Type:
String
Example:
"GET"
http.request.timestamp.sec
The UNIX timestamp (in seconds) when the ESA point of presence (POP) receives an HTTP request.
Field name: Request Timestamp
Type:
Integer
UNIX time: (1735019278)
Example:
1735019278
http.request.uri
The URI of an HTTP request, including the path and query string.
Field name: URI
Type:
String
Case-sensitive.
Empty string not allowed in the match value.
Example:
"/image/cat.jpg?width=400&height=300&format=webp"
http.request.uri.args
The query string in the URI of an HTTP request, represented as a map (associative array).
Field name: URI Query String Parameter
Type:
Map<Array<String>>
Case-sensitive.
Empty string allowed in the match value.
Example:
{"format":["webp"]}
Note: You can specify a null value only when you select one of the following match operators:
equal to
not equal to
contains
matches regex
http.request.uri.path
The URI path in an HTTP request.
Field name: URI Path
Type:
String
Case-sensitive.
Empty string not allowed in the match value.
Example:
"/image/cat.jpg"
http.request.uri.path.extension
The file name extension in the URI path in an HTTP request.
Field name: File Name Extension
Type:
String
Case-sensitive.
Empty string not allowed in the match value.
Example:
URI path | Field value |
/cat | "" |
/cat.jpg | "jpg" |
/.jpg | "" |
/.cat.jpg | "jpg" |
/cat.jpg.tar | "tar" |
/cat. | "" |
/cat.JPG | "JPG" |
http.request.uri.path.file_name
The file name in the URI path in an HTTP request.
Field name: File Name
Type:
String
Case-sensitive.
Empty string not allowed in the match value.
Example:
URI path | Field value |
/cat | "cat" |
/cat.jpg | "cat" |
/.jpg | "" |
/.cat.jpg | ".cat" |
/cat.jpg.tar | "cat.jpg" |
/cat. | "cat" |
/CAT.jpg | "CAT" |
http.request.uri.path.full_file_name
The full file name in the URI path in an HTTP request.
Field name: Full File Name
Type:
String
Case-sensitive.
Empty string not allowed in the match value.
Example:
"cat.jpg"
http.request.uri.query
The URI query string in an HTTP request.
Field name: URI Query String
Type:
String
Case-sensitive.
Empty string not allowed in the match value.
Example:
"width=400&height=300&format=webp"
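The URI-derived fields above (full URI, URI, path, file name, extension, query string and query arguments), computed from one request URL as an added example that is not ESA's own code. The splitting rules are inferred from the tables on this page; treating the full file name as the last path segment and percent-decoding the query arguments are assumptions.

```python
# Added example: local model of ESA's URI-derived match fields, inferred from
# the examples and tables on this page (not ESA's implementation).
from urllib.parse import parse_qs, urlsplit


def split_file_name(path):
    """Return (file_name, extension) for a URI path, following the tables."""
    segment = path.rsplit("/", 1)[-1]          # last path segment
    dot = segment.rfind(".")
    if dot == -1:                              # "/cat"  -> ("cat", "")
        return segment, ""
    if dot == 0:                               # "/.jpg" -> ("", "")
        return "", ""
    return segment[:dot], segment[dot + 1:]    # "/cat." -> ("cat", "")


def uri_fields(full_uri):
    """Derive the URI match fields from one http.request.full_uri value."""
    parts = urlsplit(full_uri)
    file_name, extension = split_file_name(parts.path)
    return {
        "http.host": parts.hostname,
        "http.request.uri": parts.path + ("?" + parts.query if parts.query else ""),
        "http.request.uri.path": parts.path,
        # Assumption: the full file name is the last path segment.
        "http.request.uri.path.full_file_name": parts.path.rsplit("/", 1)[-1],
        "http.request.uri.path.file_name": file_name,
        "http.request.uri.path.extension": extension,
        "http.request.uri.query": parts.query,
        # Map<Array<String>>: one list per key. Percent-decoding and keeping
        # blank values are assumptions of this model, not documented behaviour.
        "http.request.uri.args": parse_qs(parts.query, keep_blank_values=True),
    }


def extension_matches(path, wanted, fold_case=False):
    """Compare the extension as a case-sensitive field would, or case-folded."""
    ext = split_file_name(path)[1]
    return ext.lower() == wanted.lower() if fold_case else ext == wanted


if __name__ == "__main__":
    url = "https://www.example.com/image/cat.jpg?width=400&height=300&format=webp"
    for name, value in uri_fields(url).items():
        print(f"{name:40} {value!r}")
    # "/cat.JPG" yields "JPG", so an equality test against "jpg" does not match it.
    print(extension_matches("/cat.JPG", "jpg"), extension_matches("/cat.JPG", "jpg", True))
```

Because the extension and file name fields are case-sensitive, a rule keyed on a lowercase extension should be paired with a case-insensitive comparison or a regex if uppercase variants must match too.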
http.request.version
The HTTP version in an HTTP request.
Field name: HTTP Version
Type:
String
Example:
"HTTP/1.0"
"HTTP/1.1"
"HTTP/2.0"
"HTTP/3.0"
http.user_agent
The User-Agent header carried in an HTTP request.
Field name: User Agent
Type:
String
Case-sensitive.
Empty string allowed in the match value.
Example:
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
http.x_forwarded_for
The X-Forwarded-For header carried in an HTTP request.
Field name: X-Forwarded-For
Type:
String
Case-sensitive.
Empty string allowed in the match value.
Example:
"192.168.0.1, 10.10.0.1"
ip.geoip.asnum
The autonomous system number (ASN) of the CIDR block to which the source IP address belongs. For more information, see What is an ASN?
Field name: ASN
Type:
Number
Example:
37963
ip.geoip.continent
The continent where the request source IP address is located.
Field name: Continent
Type:
String
Example:
AS
Continent name | Continent code |
Africa | AF |
Antarctica | AN |
Asia | AS |
Europe | EU |
North America | NA |
Oceania | OC |
South America | SA |
ip.geoip.country
The country or region where the request source IP address is located. For more information, see Introduction of the ISO 3166 standard.
Field name: Country or Region
Type:
String
Case-insensitive.
Empty string not allowed in the match value.
Example:
"CN"
ip.src
The request source IP address.
Field name: Client IP
Type:
IP address
Case-insensitive.
Empty string not allowed in the match value.
Example:
192.0.2.1
ip.src.isp
The Internet service provider (ISP) of the request source IP address.
Field name: ISP
Type:
String
Example:
"100017"
ISP name | ISP code |
China Telecom | 100017 |
China Mobile | 100025 |
China Unicom | 100026 |
China Netcom | 100016 |
China Tietong | 100020 |
Great Wall Broadband | 100061 |
China Education and Research Network (CERNET) | 100027 |
China Broadcasting Network | 1000139 |
Beijing Gehua CATV Network | 100080 |
Dr.Peng Group | 1000143 |
Alibaba | 100098 |
Alibaba Cloud | 1000323 |
Tencent | 1000401 |
Baidu | 100099 |
ChinaNetCenter | 100093 |
ip.src.version
The IP version of the request source IP address.
Field name: IP Version
Type:
String
Example:
"IPv4"
"IPv6"
ip.src.subdivision_1_iso_code
The ISO code of the first-level subdivision area in the geographic location of the request source IP address. For more information, see Introduction of the ISO 3166 standard.
Field name: Province
Type:
String
Case-sensitive.
Example:
"CN-ZJ"
ip.src.region_code
The region code of the load balancer in the geographic location of the request source IP address.
Field name: Load Balancer Region
Type:
String
Case-sensitive.
Example:
"EAS"
Region name | Region code |
Eastern Europe | EEU |
Western Europe | WEU |
North America | NAM |
South America | SAM |
Middle East | ME |
North Africa | NAF |
South Africa | SAF |
Oceania | OC |
East Asia | EAS |
Southeast Asia | SEAS |
South Asia | SAS |
Chinese Mainland | CNM |
ssl
Indicates whether to use the SSL or TLS protocol.
Field name: SSL/HTTPS
Type:
Boolean
Example:
true
Extended fields
Dynamic fields are custom fields provided by ESA in special scenarios.
ali.static_resource
Indicates whether the request is a static request.
Field name: Static Request
Type:
Boolean
Example:
true
ali.tls_hash
The hash value corresponding to the TLS information carried in a request.
Field name: TLS Fingerprint
Type:
String
Example:
ABC123HASH
ali.tls_client_auth.cert_verified
The client certificate has been verified.
Field name: Client Certificate Verified
Type:
Boolean
Example:
true
ali.js_detection.passed
JavaScript verification has been passed.
Field name: JavaScript Verified
Type:
Boolean
Example:
true
Original fields
Original fields ensure that the original property values of client requests are persisted when they are transferred among multiple ESA function modules, preventing loss of source data characteristics due to internal logic processing.
http.request.body.raw
The original body content of an HTTP request.
Field name: HTTP Request Body
Type:
String
Example:
"ABC123"