Match conditions define the request attributes that WAF inspects when evaluating whitelist rules, custom rules, and bot management rules. When a request meets the match conditions of a rule, WAF applies the action specified in that rule — Allow, Block, or Challenge.
How match conditions work
Each match condition consists of three parts: a Match Field, a Logical Operator, and Match Content.

Example 1: Match Field = URI, Logical Operator = Contains, Match Content = /login.php — matches any request whose path contains /login.php.
Example 2: Match Field = IP, Logical Operator = Is, Match Content = 192.XX.XX.1 — matches requests from the client IP address 192.XX.XX.1.
WAF decodes request content that uses URL encoding, HTML encoding, or Unicode encoding before matching it against the specified match content.
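The following added example (not WAF's own code) models a single match condition so that rule authors can check locally which requests a rule such as Example 1 will catch once decoding is applied. The function names, the decoding order, and the single decoding pass are assumptions; the page does not specify how WAF performs decoding internally.

```python
import html
import re
from urllib.parse import unquote

# Assumption: one pass per encoding, in this order. The page does not state
# the order or depth WAF uses, so treat this as a model for rule testing only.
def decode(value):
    value = unquote(value)                        # URL encoding: %2E -> .
    value = html.unescape(value)                  # HTML encoding: &#46; -> .
    return re.sub(r"(?:%|\\)u([0-9a-fA-F]{4})",   # Unicode escapes: %u002e, \u002e
                  lambda m: chr(int(m.group(1), 16)), value)

# Operator names come from the page's table; the implementations are ours.
OPERATORS = {
    "Equals": lambda field, content: field == content,
    "Contains": lambda field, content: content in field,
    "Prefix Match": lambda field, content: field.startswith(content),
    "Suffix Match": lambda field, content: field.endswith(content),
    "Regular Expression Match":
        lambda field, content: re.search(content, field, re.I) is not None,
}

def condition_matches(request, match_field, operator, match_content):
    """Evaluate one (Match Field, Logical Operator, Match Content) triple."""
    raw = request.get(match_field)
    if raw is None:
        return False
    # Decode first, then compare case-insensitively, as the page describes.
    field = decode(raw).lower()
    if operator != "Regular Expression Match":
        match_content = match_content.lower()
    return OPERATORS[operator](field, match_content)

# Constructed sample requests (not real traffic).
SAMPLES = [
    {"URI": "/login.php?user=a"},
    {"URI": "/LOGIN%2Ephp"},
    {"URI": "/login&#46;php"},
    {"URI": "/login%u002ephp"},
    {"URI": "/index.html"},
]

def run_samples():
    return [condition_matches(r, "URI", "Contains", "/login.php") for r in SAMPLES]

if __name__ == "__main__":
    for req, hit in zip(SAMPLES, run_samples()):
        print(f"{req['URI']!r:28} -> {'match' if hit else 'no match'}")
```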
Supported match fields
For pay-as-you-go WAF instances, match rules are categorized as advanced or basic, each with different billing rates. For details, see Billing.
Subscription-based WAF instances of the Enterprise edition or higher support advanced rules (such as regular expression matching) at no extra charge. For details about supported rules by edition, see Version guide.
Custom rule module rules that use Regular Expression Match or Regular Expression Mismatch operators are advanced rules and billed accordingly.
The match content for the following match fields is case-insensitive.
| Match field | Description | Supported logical operators |
|---|---|---|
| URI | The Uniform Resource Identifier (URI) of a request — the path of the requested resource. In most cases, URI = URI Path + Query String. The path must start with / and must not include a domain name. For example: /login.php. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| IP | The source IP address of the client that initiates the request. Supported formats: IPv4 (for example, 1.XX.XX.1), IPv6 (for example, 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff), and CIDR blocks (for example, 1.XX.XX.1/16). A single protection rule supports a maximum of 100 IP addresses or CIDR blocks across all IP match conditions combined. Separate multiple IP addresses or CIDR blocks with a comma (,). | Belongs To, Does Not Belong To |
| Referer | The source URL of the request — the page from which the request originates. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| User-Agent | Information about the client browser, including the browser identifier, rendering engine, and version. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Query String | The query string in the request URL — the part following the question mark (?). | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Cookie | The cookie data in the request. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist<br>Length Equal To, Length Greater Than, Length Less Than<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Content-Type | The MIME type of the HTTP request body, as specified in the Content-Type request header. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Length Equal To, Length Greater Than, Length Less Than<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Content-Length | The size of the request body in bytes. Valid values: 0 to 2,147,483,648. | Equals, Value Greater Than, Value Less Than |
| X-Forwarded-For | The originating IP address of the client when the request is forwarded through an HTTP proxy or Server Load Balancer (SLB) instance. Only requests forwarded by a proxy or SLB contain this header. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain<br>Does Not Exist<br>Length Equal To, Length Greater Than, Length Less Than |
| Body | The content of the request body. Rules using this field are advanced rules. | Is<br>Contains<br>Does Not Exist<br>Prefix Match, Suffix Match<br>Matches regular expression |
| Http-Method | The HTTP request method: GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, TRACE, or PATCH. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value |
| Header | An HTTP request header. Supports custom header fields. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist<br>Length Equal To, Length Greater Than, Length Less Than<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| URI Path | The path component of the request URI. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Query String Parameter | A parameter name in the query string. For example, in www.aliyundoc.com/request_path?param1=a&param2=b, param1 and param2 are parameter names. Parameter names are case-sensitive. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match |
| Server-Port | The server port number. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value |
| File Extension | The file extension in the request path, such as .png or .php. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Filename | The filename at the end of the request path. For example, in /abc/index.php, index.php is the filename. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Host | The domain name in the request. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Cookie Name | The name of a cookie key. For example, in the cookie acw_tc:111, acw_tc is the cookie name. Cookie names are case-sensitive. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Matches regular expression *(advanced)* |
| Body Parameter | A parameter name in the request body. For example, in a=1&b=2, a and b are parameter names. Parameter names are case-sensitive, and the match content must be longer than four characters. Rules using this field are advanced rules. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Matches regular expression *(advanced)* |
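
For the IP field described in the table above, this added example (not WAF's own code) validates match content before it is entered into a rule: it parses the comma-separated list, enforces the 100-entry limit across all IP conditions of one rule, and tests Belongs To membership. The function names are hypothetical, the addresses are constructed from documentation ranges, and treating a CIDR block written with host bits set as its containing network is an assumption.

```python
import ipaddress

MAX_ENTRIES = 100  # limit stated on the page, per protection rule

def parse_ip_content(match_content):
    """Parse comma-separated IPv4/IPv6 addresses and CIDR blocks."""
    entries = [e.strip() for e in match_content.split(",") if e.strip()]
    # strict=False accepts blocks written with host bits set (the style of the
    # page's own /16 example); a bare address becomes a /32 or /128 network.
    # Assumption: such a block is interpreted as its containing network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def validate_rule(ip_conditions):
    """ip_conditions: one match-content string per IP condition in a rule.

    Returns the parsed networks; raises ValueError on a malformed entry or
    when the combined entry count exceeds the limit.
    """
    nets = [n for content in ip_conditions for n in parse_ip_content(content)]
    if len(nets) > MAX_ENTRIES:
        raise ValueError(f"{len(nets)} entries exceed the {MAX_ENTRIES}-entry limit")
    return nets

def belongs_to(client_ip, networks):
    """Belongs To: True if the client address falls inside any listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in networks)

def demo():
    # Constructed rule with two IP conditions (documentation address ranges).
    nets = validate_rule(["192.0.2.1/24, 198.51.100.7", "2001:db8::/32"])
    return {
        "normalized": [str(n) for n in nets],
        "192.0.2.200": belongs_to("192.0.2.200", nets),
        "198.51.100.8": belongs_to("198.51.100.8", nets),
        "2001:db8::1": belongs_to("2001:db8::1", nets),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```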
What's next
To allow specific requests to bypass WAF inspection, see Configure whitelist rules to allow specific requests.
To build custom access control or rate-limiting rules, see Configure custom rules to defend against specific requests.