
Microservices Engine: request-block

Last Updated: Aug 28, 2024

The request-block plug-in is used to block HTTP requests based on characteristics such as URLs and request headers. The request-block plug-in can be used to protect some website resources from external exposure. This topic describes how to configure the request-block plug-in.

Plug-in type

Security protection plug-in.

Fields

| Name | Data type | Required | Default value | Description |
| --- | --- | --- | --- | --- |
| block_urls | array of string | No (You must configure block_urls, block_headers, or block_bodys.) | - | The URLs that are used to match the requests to be blocked. |
| block_headers | array of string | No (You must configure block_urls, block_headers, or block_bodys.) | - | The headers that are used to match the requests to be blocked. |
| block_bodys | array of string | No (You must configure block_urls, block_headers, or block_bodys.) | - | The bodies that are used to match the requests to be blocked. |
| blocked_code | number | No | 403 | The HTTP status code that is returned if a request is blocked. |
| blocked_message | string | No | - | The HTTP response body that is returned if a request is blocked. |
| case_sensitive | bool | No | true | Specifies whether the conditions that are used to match requests are case-sensitive. By default, the conditions are case-sensitive. |

Configuration examples

Block requests based on URLs

block_urls:
- swagger.html
- foo=bar
case_sensitive: false

The following requests are blocked based on the preceding configuration:

curl 'http://example.com?foo=Bar'
curl http://example.com/Swagger.html

Block requests based on request headers

block_headers:
- example-key
- example-value

The following requests are blocked based on the preceding configuration:

curl http://example.com -H 'example-key: 123'
curl http://example.com -H 'my-header: example-value'

Block requests based on request bodies

block_bodys:
- "hello world"
case_sensitive: false

The following requests are blocked based on the preceding configuration:

curl http://example.com -d 'Hello World'
curl http://example.com -d 'hello world'

Block requests for specific routes or domain names

Apply the following plug-in configurations to the route-a and route-b routes:

  block_bodys: 
  - "hello world"

Apply the following plug-in configurations to the *.example.com and test.com domain names:

  block_urls: 
  - "swagger.html"
  block_bodys:
  - "hello world"

Note

  • The route-a and route-b routes are those specified when the gateway routes are created. If a client request matches one of the routes, the rules that are configured for the matched route take effect.

  • The *.example.com and test.com domain names are used to match domain names in requests. If a client request matches one of the domain names, the rules that are configured for the matched domain name take effect.

  • Rules that you configure take effect in sequence. If the first rule is matched, subsequent rules are ignored.

Limit on the request body size

If block_bodys is configured, body matching is applied only to requests whose body is smaller than 32 MB. If the body of a request is larger than 32 MB and the request does not match any rule specified by block_urls or block_headers, the request is not blocked.

If block_bodys is configured and the request body exceeds the value of DownstreamConnectionBufferLimits that is configured for the gateway, the error message 413 Payload Too Large is returned. You can increase the value of DownstreamConnectionBufferLimits on the parameter configuration page. If you increase the value of DownstreamConnectionBufferLimits, the gateway memory usage significantly increases. Exercise caution when you perform this operation.
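
The following is an added example, not code from the plug-in or from this documentation: a small local model of the matching rules described above, useful for checking which requests a planned configuration would block, including the case where a body of 32 MB or more is not body-matched. It assumes that rules match as substrings (inferred from the configuration examples on this page) and that 32 MB means 32 * 1024 * 1024 bytes; BlockConfig, evaluate and BODY_MATCH_LIMIT are hypothetical names.

```python
# Added illustration: a local model of request-block matching, not the plug-in's code.
# Assumptions: rules match as substrings (inferred from the page's examples),
# and "32 MB" means 32 * 1024 * 1024 bytes.
from dataclasses import dataclass, field

BODY_MATCH_LIMIT = 32 * 1024 * 1024  # assumed byte value of the documented 32 MB limit


@dataclass
class BlockConfig:
    block_urls: list = field(default_factory=list)
    block_headers: list = field(default_factory=list)
    block_bodys: list = field(default_factory=list)
    blocked_code: int = 403      # documented default
    case_sensitive: bool = True  # documented default


def _hit(rules, haystacks, case_sensitive):
    """Return the first rule found as a substring of any haystack, else None."""
    for rule in rules:
        for text in haystacks:
            if case_sensitive and rule in text:
                return rule
            if not case_sensitive and rule.lower() in text.lower():
                return rule
    return None


def evaluate(cfg, url, headers=None, body=b""):
    """Return (status, reason); status is None when the request is let through."""
    headers = headers or {}
    rule = _hit(cfg.block_urls, [url], cfg.case_sensitive)
    if rule is not None:
        return cfg.blocked_code, f"block_urls: {rule}"
    # Header rules are checked against both names and values, as in the page's examples.
    rule = _hit(cfg.block_headers, list(headers) + list(headers.values()), cfg.case_sensitive)
    if rule is not None:
        return cfg.blocked_code, f"block_headers: {rule}"
    if cfg.block_bodys:
        if len(body) >= BODY_MATCH_LIMIT:
            # Documented behaviour: only bodies smaller than 32 MB are body-matched.
            return None, "body too large for block_bodys matching"
        rule = _hit(cfg.block_bodys, [body.decode("utf-8", "replace")], cfg.case_sensitive)
        if rule is not None:
            return cfg.blocked_code, f"block_bodys: {rule}"
    return None, "no rule matched"
```

Running a planned configuration through evaluate with representative requests shows which rule fires first and which requests pass because only the body rules would have matched.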