The waf plug-in is a rules protection engine based on ModSecurity. You can use the waf plug-in to block suspicious requests based on the configured rules. The waf plug-in supports OWASP ModSecurity Core Rule Set (CRS) to provide basic protection features for websites. This topic describes how to configure the waf plug-in.
The waf plug-in is based on the open source ModSecurity rules. The default rule set is static: it cannot identify the latest security risks, and it is not updated in real time. To obtain more powerful security protection capabilities, you must enable WAF protection for MSE instances. For more information, see Add an MSE instance to WAF.
Plug-in type
Security protection plug-in.
Fields
| Name | Data type | Required | Default value | Description |
|---|---|---|---|---|
| useCRS | bool | No | false | Specifies whether to enable OWASP CRS. For more information, see coreruleset. |
| secRules | array of string | No | - | The custom protection rules configured for the waf plug-in. For more information about the syntax, see ModSecurity documentation. |
Configuration examples
Use the default rule
Enable the default rule to block suspicious requests.
useCRS: true

Enable the default rule to detect but not block suspicious requests.

useCRS: true
secRules:
- "SecRuleEngine DetectionOnly"

Use custom protection rules

useCRS: true
secRules:
- "SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\""
- "SecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\""

The following requests are blocked based on the preceding rule configuration.

curl http://example.com/admin
curl http://example.com -d "maliciouspayload"

Enable protection rules for a specific route or domain name

useCRS: true
secRules:
- "SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\""
- "SecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\""

Apply the following plug-in configurations to the route-1 route:

secRules:
- "SecAction \"id:102,phase:1,deny\""

Apply the following plug-in configurations to the *.example.com and test.com domain names:

secRules:
- "SecAction \"id:102,phase:1,pass\""

The route-1 route is the route specified when the gateway route is created. If a client request matches the route, the rules that are configured for the route take effect.

The *.example.com and test.com domain names are used to match domain names in requests. If a client request matches one of the domain names, the rules that are configured for the matched domain name take effect.

Rules that you configure take effect in sequence. If the first rule is matched, subsequent rules are ignored.
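As an added example (not the plug-in's or ModSecurity's own code), the following Python models how the custom rules in this topic and the SecRuleEngine DetectionOnly setting are evaluated: the t:lowercase transform, @streq versus @rx, phase order, and the difference between blocking and detect-only mode. The rule ids, variables and operators come from the configuration above; the request dictionaries are constructed.

```python
"""Simplified model of the rule semantics used in this topic. Added example,
not ModSecurity or the plug-in's code: it implements only @streq, @rx,
t:lowercase, phase ordering and the SecRuleEngine DetectionOnly switch."""
import re

# Constructed from the page's secRules: (id, phase, variable, operator,
# argument, apply t:lowercase?)
RULES = [
    (101, 1, "REQUEST_URI", "streq", "/admin", True),
    (102, 2, "REQUEST_BODY", "rx", "maliciouspayload", True),
]


def rule_matches(rule, request):
    _, _, var, op, arg, lowercase = rule
    value = request.get(var, "")
    if lowercase:
        value = value.lower()  # t:lowercase runs before the operator
    if op == "streq":
        return value == arg  # exact match: /admin/users does NOT match
    if op == "rx":
        return re.search(arg, value) is not None
    raise ValueError(f"unsupported operator {op}")


def evaluate(request, rules=RULES, engine="On"):
    """Return (action, matched_rule_ids).

    Phase 1 (request line/headers) is evaluated before phase 2 (request
    body). With SecRuleEngine On, the first matching deny rule ends
    evaluation; with DetectionOnly every match is recorded but the
    request is still passed.
    """
    matched = []
    for rule in sorted(rules, key=lambda r: r[1]):  # phase order
        if rule_matches(rule, request):
            matched.append(rule[0])
            if engine == "On":
                return "deny", matched
    return "pass", matched


if __name__ == "__main__":
    # Constructed requests mirroring the two curl commands in this topic.
    print(evaluate({"REQUEST_URI": "/admin"}))          # ('deny', [101])
    print(evaluate({"REQUEST_URI": "/ADMIN"}))          # ('deny', [101])
    print(evaluate({"REQUEST_URI": "/", "REQUEST_BODY": "maliciouspayload"},
                   engine="DetectionOnly"))             # ('pass', [102])
    print(evaluate({"REQUEST_URI": "/admin/users"}))    # ('pass', [])
```

The last case shows why @streq alone leaves sub-paths such as /admin/users uncovered; a @beginsWith or @rx operator would be needed to match the whole prefix.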