After you add your web services to Web Application Firewall (WAF), you can configure protection rules for the custom response module to customize the style and content of block pages that are returned to clients when their requests are blocked by WAF. You can specify a custom status code, response header, and response body. By default, the custom response module is disabled. This topic describes how to create a protection template and protection rules for the custom response module.
Background information
If you do not configure protection rules for the custom response module, a default block page is returned to clients when requests are blocked.
You can configure protection rules for the custom response module to customize the content of block pages, including the Status Code, Response Headers, and Response.
Prerequisites
A subscription WAF 3.0 instance that runs the Enterprise or Ultimate edition or a pay-as-you-go WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.
Template types
The custom response module supports the following types of protection templates:
Protection template | Description | Apply to |
Default protection template | WAF does not provide an initial default protection template. You must manually create one. | When you create a default protection template, the template is automatically applied to protected objects or groups that are not associated with custom protection templates. The template is also automatically applied to newly added protected objects. You can manually adjust the settings. |
Custom protection template | You must manually create custom protection templates. | You need to specify Apply To. The template takes effect only on the protected objects and object groups that are associated with the template. |
Create a protection template of the custom response module
The custom response module does not provide an initial default protection template. Before you can enable a protection rule of the custom response module, you must create a protection template.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the Core Web Protection page, scroll down to the Custom Response section and click Create Template.
In the Create Template - Custom Response panel, configure the parameters and click OK.
Parameter
Description
Template Name
Specify a name for the template.
The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Save As Default Template
The default protection template does not require you to specify protected objects. The template is automatically applied to all protected objects and object groups that are not associated with custom protection templates. This includes newly added protected objects and object groups, and those removed from custom protection templates. You can also manually remove them from the default template. You can set only one default template for a protection module, and you can set a default template only when you create a template.
Rule Configuration
Configure rule settings. A protection template of the custom response module contains only one protection rule.
Status Code
Specify the HTTP status code that is returned by WAF to the client when WAF blocks a request. Valid values: 200 to 600. Default value: 405.
Custom Header
Specify the header field in the response that is returned by WAF to the client when WAF blocks a request. Each header field consists of Header Name and Header Value. You can add up to five header fields.
Response Body
Specify the source code of the block page. Make sure that the following requirements are met:
The response body is in the HTML or JSON format.
The response body can contain up to 4,000 characters.
ImportantIf you want to retain request IDs on the block page to query blocked requests in Simple Log Service, reference the
{::trace_id::}string in an appropriate location.You can configure the Custom Header parameter to add the
content-typeheader field to specify the format of the response body.
Apply To
Select items to which you want to apply the template on the Protected Objects and Protected Object Groups tabs. For more information, see Configure protected objects and protected object groups.
A protected object or object group can be associated with only one custom response protection template. If you set a default protection template, all protected objects and object groups that are not associated with custom protection templates are automatically selected. If you do not set a default template, no protected objects or object groups are automatically selected. You can manually modify the selection of protected objects and object groups.
By default, a newly created protection template is enabled. You can perform the following operations on the template in the template list:
View the numbers of protected objects and protected object groups that are associated with the template in the Protected Object/Group column.
Turn on or turn off the switch in the Status column to enable or disable the template.
Click Create Rule in the Actions column to create a protection rule for the template.
Click Edit, Delete, or Copy in the Actions column to manage the template.
Click the
icon to the left of the template name to view the protection rules in the template.
After the protection template takes effect, the default block page for the Protected Objects to which the protection template is applied is replaced by the custom block page that you specify in the Rule Configuration section. If you want WAF to return the default block page to clients, disable or delete the protection template.
References
For more information about the protection objects, protection modules, and protection process of WAF 3.0, see Protection configuration overview.
For more information about how to create a protection template by calling an API operation, see CreateDefenseTemplate.
For more information about how to create a protection rule by calling an API operation, see CreateDefenseRule.