
Web Application Firewall:Configure website tamper-proofing rules to prevent web page tampering

Last Updated:Jan 31, 2024

After you add web services to Web Application Firewall (WAF), you can configure website tamper-proofing rules to lock the web pages that you want to protect, such as web pages that contain sensitive information. When a locked page receives a request, a cached version of the page is returned to prevent web page tampering. This topic describes how to create a website tamper-proofing rule template and add rules to the template.

Limits

You cannot enable this feature for protected objects that are added to WAF in hybrid cloud mode, or for Microservices Engine (MSE) instances and custom domain names bound to web applications in Function Compute that are added to WAF in cloud native mode.

Prerequisites

Step 1: Create a website tamper-proofing rule template

WAF does not provide a default website tamper-proofing rule template. Before you enable a website tamper-proofing rule, you must create a website tamper-proofing rule template.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.

  3. In the lower part of the Protection Rules page, click Create Template in the Website Tamper-proofing section.

    Note

    If no website tamper-proofing rule templates exist, click Configure Now in the Website Tamper-proofing card in the upper part of the Protection Rules page.

  4. In the Create Template - Website Tamper-proofing panel, configure the parameters and click OK. The following table describes the parameters.

    • Template Name: Specify a name for the template. The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    • Rule Configuration: Click Create Rule to create a website tamper-proofing rule for the template. You can also create a website tamper-proofing rule for the template after you create the template. For more information, see Step 2: Create a website tamper-proofing rule for the template.

    • Apply To: Select the protected objects and protected object groups to which you want to apply the template. You can apply only one template of a protection module to a protected object or a protected object group. For information about how to add protected objects and protected object groups, see Protected objects and protected object groups.

    By default, a new rule template is enabled. You can perform the following operations in the rule template list:

    • View the number of protected objects and protected object groups that are associated with the template.

    • Turn on or turn off the switch in the Status column to enable or disable the template.

    • Click Edit or Delete in the Actions column to modify or delete the template.

    • Click the expand icon to the left of a template name to view the rules in the template.

Step 2: Create a website tamper-proofing rule for the template

The website tamper-proofing rule template takes effect only after you create website tamper-proofing rules for the template. If you created website tamper-proofing rules when you created the template, skip this step.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.

  3. In the Website Tamper-proofing section, find the website tamper-proofing rule template for which you want to create a rule and click Create Rule in the Actions column.

  4. In the Create Rule dialog box, configure the parameters and click OK. The following table describes the parameters.

    • Rule Name: Specify a name for the rule. The name of the rule can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    • Address of Cached Page: Specify the cache type and the path of the cached page.

      • The cache type can be http or https.

      • The path of the cached page must meet the following requirements:

        • The default path of the cached page is www.waftest.cn/index.html. You can change the path.

        • The path cannot contain wildcard characters such as /* or parameters such as xxx=yyy in /abc?xxx=yyy.

          Important

          Requests whose URLs include parameters cannot be matched by website tamper-proofing rules. WAF forwards such requests to the origin server. For example, if the path of the cached page in a website tamper-proofing rule is /abc and the request URL is /abc?xxx=yyy, the request is not matched by the website tamper-proofing rule.

        • The website tamper-proofing module protects text data, HTML pages, and images in the specified path. The size of a protected file cannot exceed 1 MB.

          Important

          You can specify only a URL. You cannot specify a directory.

    • Specify User-Agent to Access: Specify the User-Agent strings of browsers that can be used to access the web pages that you added to WAF.

      • If you do not select Specify User-Agent to Access, browsers that use any User-Agent strings can be used to access the web pages that you added to WAF.

      • If you select Specify User-Agent to Access, you must specify the User-Agent strings.

        You can open the browser and press Fn and F12 to open the developer tools. On the Network tab, click the request. In the Request Headers section, find the User-Agent field to obtain the User-Agent strings of the browser.

    By default, a new rule is enabled. You can perform the following operations in the rule list:

    • Turn on or turn off the switch in the Status column to enable or disable the rule.

    • Click Edit or Delete in the Actions column to modify or delete the rule.
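As an added example (not WAF's own code), the following Python models the rule-matching behaviour documented above: a rule address is rejected if it carries wildcards or parameters, a request is served from the cached copy only when scheme, host and path match exactly and the URL has no query string, and the cached file is capped at 1 MB. It assumes that a path ending in / counts as a directory and that a request whose User-Agent is not on the allow list is forwarded to the origin; neither detail is stated on this page.

```python
"""Model of the documented matching semantics of a WAF website
tamper-proofing rule. Added example, not WAF's code: it encodes only
the behaviour described on this page plus the two labelled assumptions."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MAX_CACHED_BYTES = 1024 * 1024  # documented 1 MB limit per protected file


@dataclass
class TamperProofRule:
    scheme: str             # cache type: "http" or "https"
    host: str
    path: str               # a single URL path, not a directory or wildcard
    cached_body: bytes      # constructed snapshot of the locked page
    user_agents: list = field(default_factory=list)  # empty = any UA allowed

    def validate(self):
        """Reject addresses the console would not accept."""
        if self.scheme not in ("http", "https"):
            raise ValueError("cache type must be http or https")
        if "*" in self.path or "?" in self.path:
            raise ValueError("path cannot contain wildcards or parameters")
        if self.path.endswith("/"):  # assumption: trailing slash = directory
            raise ValueError("specify a URL, not a directory")
        if len(self.cached_body) > MAX_CACHED_BYTES:
            raise ValueError("protected file cannot exceed 1 MB")
        return True


def handle_request(rule, url, user_agent):
    """Return ("cached", body) when the rule matches, else ("origin", None).

    Requests whose URL carries parameters are never matched; WAF forwards
    them to the origin server."""
    parts = urlsplit(url)
    if parts.query:
        return ("origin", None)
    if (parts.scheme, parts.netloc, parts.path) != (rule.scheme, rule.host, rule.path):
        return ("origin", None)
    # Assumption: a User-Agent outside the allow list is passed to the origin.
    if rule.user_agents and user_agent not in rule.user_agents:
        return ("origin", None)
    return ("cached", rule.cached_body)
```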

More operations

If you want to enable website tamper-proofing for a specific directory on a server, you can enable the web tamper proofing feature of Security Center. For information about the operations, see Use the web tamper proofing feature.

The following table describes the differences between the website tamper-proofing module of WAF and the web tamper proofing feature of Security Center:

Implementation

• WAF: The website tamper-proofing module of WAF allows you to lock web pages that you want to protect, such as web pages that contain sensitive information. When a locked web page is requested, a cached version of the page is returned to help prevent web page tampering.

• Security Center: The web tamper proofing feature of Security Center restores tampered files or directories based on backup files to prevent important website information from being tampered with.

Apply to

• WAF: The URL of the website.

• Security Center: The server directory.

References