Fields in match conditions - Website Protection Settings| Alibaba Cloud Documentation Center

You must add match conditions when you configure custom rules for whitelists and custom protection policies for Web Application Firewall (WAF). This topic describes the fields that you can use in the match conditions and their descriptions.

Match conditions and actions

You can configure custom rules for whitelists and custom protection policies in the WAF console. A custom rule consists of match conditions and actions. When you configure a custom rule, you must specify the match fields, logical operators, and match content to add match conditions. You also need to select an action to perform on requests that match the conditions you specify.

Match Condition
Each match condition consists of a match field, logical operator, and match content. The match content does not support regular expressions. You can add up to five match conditions to a custom rule. The logical relation among the conditions is AND. The custom rule takes effect only if all the match conditions are met.
Action
When you configure a custom rule for whitelists, you specify a module in the Modules Bypassing Check parameter. Requests are not checked by the module that you selected. If you configure a custom rule for custom protection policies, the action that you selected is performed on the requests that meet match conditions. For more information, see the following topics:

Supported match fields

The following table describes the match fields that are supported in match conditions.


Match field	Edition	Logical operator	Description
IP	Pro edition or higher	Belongs To and Does Not Belong To	The source IP address of the request. You can enter IP addresses or CIDR blocks. Example: 47.100.XX.XX/24. Note You can enter up to 50 IP addresses or CIDR blocks. Separate them with commas (,).
URL	Pro edition or higher	Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value Length Equal To, Length Greater Than, Length Less Than Prefix Match and Suffix Match Regular Expression Match and Regular Expression Mismatch	The URL of the request.
Referer	Pro edition or higher	Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value Exists, Does Not Exist, and Empty Length Equal To, Length Greater Than, Length Less Than Prefix Match and Suffix Match	The URL of the source page from which the request is redirected.
User-Agent	Pro edition or higher	Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value Exists, Does Not Exist, and Empty Length Equal To, Length Greater Than, Length Less Than Prefix Match and Suffix Match	The browser information about the client that initiates the request. The information includes the browser, rendering engine, and version.
Params	Pro edition or higher	Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value Exists, Does Not Exist, and Empty Length Equal To, Length Greater Than, Length Less Than Prefix Match and Suffix Match	The parameter part in the request URL. The parameter part follows the question mark (?) in the URL. Example: In `www.example.com/index.html?action=login`, `action=login` is the parameter part.
Query-Arg	Pro edition or higher	Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value Exists, Does Not Exist, and Empty Length Equal To, Length Greater Than, Length Less Than Prefix Match and Suffix Match	The query string in the request URL. The query string is the part that follows the question mark (?) in the URL. Example: In `www.example.com/request_path?arg1=a&arg2=b`, arg1 or arg2 is the query string. Note If multiple query strings are included in the request and the Matching field parameter is set to Query-Arg, the Logical operator parameter is set to Includes, and the Matching content parameter is set to arg, requests that contain arg1 or arg2 are matched. If you want to filter requests based on precise match conditions, we recommend that you set the Matching field parameter to Query-Arg, the Logical operator parameter to Includes, and the Matching content parameter to arg1 or arg2.
URLPath	Pro edition or higher	Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value Length Equal To, Length Greater Than, Length Less Than Prefix Match and Suffix Match Regular Expression Match and Regular Expression Mismatch	The URL path of the request.
Cookie	Business edition or higher	Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value Exists, Does Not Exist, and Empty Length Equal To, Length Greater Than, Length Less Than	The cookie information in the request.
Content-Type	Business edition or higher	Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value Length Equal To, Length Greater Than, Length Less Than	The HTTP content type that is specified for the response. The HTTP content type is known as the Multipurpose Internet Mail Extensions (MIME) type.
Content-Length	Business edition or higher	Value Less Than, Value Equals, and Value More Than	The number of bytes that is allowed in the response.
X-Forwarded-For	Business edition or higher	Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value Length Equal To, Length Greater Than, Length Less Than	The originating IP address. The HTTP X-Forwarded-For (XFF) header is used to identify the originating IP address of the request that is forwarded by an HTTP proxy or a Server Load Balancer (SLB) instance. The XFF header is included only in the request that is forwarded by an HTTP proxy or an SLB instance.
Post-Body	Business edition or higher	Equals and Does Not Equal Contains and Does Not Contain Exists, Does Not Exist, and Empty Does Not Exist Prefix Match and Suffix Match	The content of the request.
Server-Port	Business edition or higher	Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value	The port number of the origin server. Example: In `www.example.com:9999`, the port number is 9999.
Http-Method	Business edition or higher	Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value	The request method. Valid values: GET, POST, DELETE, PUT, and OPTIONS.
Header	Business edition or higher	Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value Exists, Does Not Exist, and Empty Length Equal To, Length Greater Than, Length Less Than	The header of the request, which is used to create a custom HTTP header.