
Web Application Firewall:Match conditions

Last Updated:Aug 09, 2024

When you configure a whitelist rule, a custom rule, or a bot management rule, you must configure match conditions for the rule to specify the characteristics of the requests that you want Web Application Firewall (WAF) to detect. This topic describes the fields that you can use in the match conditions.

Introduction to match conditions

You can use match conditions to specify the characteristics of the requests that you want Web Application Firewall (WAF) to detect. You can configure match conditions when you configure a whitelist rule, a custom rule, or a bot management rule. If a request matches the conditions that you specify in a protection rule, WAF performs the action that is specified in the rule on the request, such as allowing the request, blocking it, or performing JavaScript validation.

A match condition consists of a match field, a logical operator, and match content. Configuration examples:

  • Example 1: If you set Match Field to URI, Logical Operator to Contains, and Match Content to /login.php, the rule is matched when a Uniform Resource Identifier (URI) contains /login.php.

  • Example 2: If you set Match Field to IP, Logical Operator to Belongs To, and Match Content to 192.XX.XX.1, the rule is matched when the source IP address of a request is 192.XX.XX.1.

Important

If the content of a request is encoded by using URL, HTML, or Unicode encoding, WAF decodes the content before it processes the request.
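The following added example (not Alibaba Cloud's code) shows how the three-part condition, the decode-before-match behaviour, and several of the match fields and logical operators from the table below fit together. It assumes that all conditions in a rule must match (AND semantics) and that multi-value match content is comma-separated, as the IP field describes; the request is constructed.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample request; keys mirror what a WAF would see on the wire.
REQUEST = {
    "ip": "192.0.2.10",
    "uri": "/admin/%6cogin.php?user=bob&next=%2Fhome",   # URL-encoded on purpose
    "headers": {"User-Agent": "Mozilla/5.0", "Cookie": "acw_tc=111; session=abc"},
}

def extract_fields(req):
    """Derive the match fields named in this topic; the URI is decoded before matching."""
    uri = unquote(req["uri"])
    parts = urlsplit(uri)
    path, query = parts.path, parts.query
    filename = path.rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    cookie_header = req["headers"].get("Cookie", "")
    return {
        "IP": req["ip"], "URI": uri, "URI Path": path, "Query String": query,
        "Query String Parameter": [kv.split("=", 1)[0] for kv in query.split("&") if kv],
        "Filename": filename, "File Extension": ext,
        "User-Agent": req["headers"].get("User-Agent", ""),
        "Cookie Name": [c.split("=", 1)[0].strip() for c in cookie_header.split(";") if c.strip()],
    }

def _in_any_network(ip, content):
    nets = (ipaddress.ip_network(n.strip(), strict=False) for n in content.split(","))
    return any(ipaddress.ip_address(ip) in net for net in nets)

# Logical operators from the table; multi-value match content is assumed comma-separated.
OPERATORS = {
    "Equals": lambda v, c: v == c,
    "Equals One of Multiple Values": lambda v, c: v in [x.strip() for x in c.split(",")],
    "Contains": lambda v, c: c in v,
    "Prefix Match": lambda v, c: v.startswith(c),
    "Length Greater Than": lambda v, c: len(v) > int(c),
    "Regular Expression Match": lambda v, c: re.search(c, v) is not None,
    "Belongs To": _in_any_network,
}

def condition_matches(fields, field, operator, content):
    value = fields[field]
    candidates = value if isinstance(value, list) else [value]   # name lists: any entry may match
    return any(OPERATORS[operator](v, content) for v in candidates)

def rule_matches(req, conditions):
    """A rule matches only if every (field, operator, content) condition matches (assumed AND)."""
    fields = extract_fields(req)
    return all(condition_matches(fields, *cond) for cond in conditions)
```

Because the URI is decoded first, the condition from Example 1 matches even though the request encodes part of /login.php.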

Supported match fields

The following table describes the match fields that are supported in match conditions.

Note
  • If you use a pay-as-you-go WAF instance, you can configure advanced rules and basic rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

  • If you use a subscription WAF Enterprise Edition or Ultimate Edition instance, you can configure advanced rules such as regular expression match rules and you are not charged additional fees for advanced rules. For information about the rules that you can configure for different editions, see Editions.

Field | Description | Supported logical operators

URI

The URI of the request. The URI indicates the requested resource. In most cases, a URI consists of a path and a query string.

The match content must start with a forward slash (/) and cannot contain a domain name. Example: /login.php.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use these regular expression operators are considered advanced rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

IP

The source IP address of the request.

The IP address that you specify must meet the following requirements:

  • You can enter IPv4 addresses, such as 1.XX.XX.1, and IPv6 addresses, such as 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff.

  • You can enter CIDR blocks, such as 1.XX.XX.1/16.

  • Press the Enter key each time you enter an IP address.

  • You can enter up to 100 IP addresses.

  • Belongs To and Does Not Belong To

Note

You can enter up to 100 IP addresses or CIDR blocks for a single protection rule. For example, if a protection rule has two match conditions whose match field is IP, you can enter up to 100 IP addresses or CIDR blocks in the match content of the conditions. Separate multiple IP addresses or CIDR blocks with commas (,).

Referer

The URL of the source page from which the request is forwarded.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use these regular expression operators are considered advanced rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

User-Agent

The browser information of the client that sends the request. The information includes the browser, the rendering engine, and the version.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use these regular expression operators are considered advanced rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

Query String

The query string in the request. The query string is the part that follows the question mark (?) in the URL.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use these regular expression operators are considered advanced rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

Cookie

The cookie information in the request.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use these regular expression operators are considered advanced rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

Content-Type

The HTTP content type that is specified for the response. The HTTP content type is known as the Multipurpose Internet Mail Extensions (MIME) type.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Length Equal To, Length Greater Than, and Length Less Than

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use these regular expression operators are considered advanced rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

Content-Length

The number of bytes that are included in the response. Valid values: 0 to 2147483648.

  • Equals, Value Greater Than, and Value Less Than

X-Forwarded-For

The originating IP address. The HTTP X-Forwarded-For (XFF) header is used to identify the originating IP address of the request that is forwarded by an HTTP proxy or a Server Load Balancer (SLB) instance. The XFF header is included only in requests that are forwarded by an HTTP proxy or an SLB instance.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

Body

The content of the request.

Important

A custom rule that uses this match field is considered an advanced rule. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

  • Equals and Does Not Equal

  • Contains and Does Not Contain

  • Does Not Exist

  • Prefix Match and Suffix Match

  • Regular Expression Match

Http-Method

The request method. Valid values: GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, TRACE, and PATCH.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

Header

The request header. Custom header fields are supported.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use these regular expression operators are considered advanced rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

URI Path

The URI path of the request.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use these regular expression operators are considered advanced rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

Query String Parameter

The names of the request parameters. The request parameters are the part that follows the question mark (?) in the URL of the request. For example, in www.aliyundoc.com/request_path?param1=a&param2=b, param1 and param2 are request parameters.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

Server-Port

The port of the server.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

File Extension

The file name extension of the requested file. Examples: .png and .php.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use these regular expression operators are considered advanced rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

Filename

The file name at the end of the URI path. For example, index.php in /abc/index.php is the file name.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use these regular expression operators are considered advanced rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

Host

The requested domain name.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Custom rules that use these regular expression operators are considered advanced rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

Cookie Name

The key of the cookie. For example, acw_tc in acw_tc:111 is the key of the cookie.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match

    Important

    Custom rules that use this regular expression operator are considered advanced rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

Body Parameter

The names of the parameters in the request body. For example, if the request body contains a=1&b=2, a and b are parameter names.

Important

A custom rule that uses this match field is considered an advanced rule. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match

    Important

    Custom rules that use this regular expression operator are considered advanced rules. The billing rules of advanced rules are different from the billing rules of basic rules. For more information, see Billable items.