When WAF blocks a request, it returns a default block page to the client. The custom response module lets you replace that page with your own content — including a custom HTTP status code, response headers, and response body in HTML or JSON. This topic describes how to create a protection template and configure the block page content.
By default, the custom response module is disabled.
Default block page
Without a custom response rule in place, WAF returns the following default block page:
Once you configure a protection rule, WAF replaces the default page with your custom Status Code, Response Headers, and Response Body for all protected objects the template is applied to.
Prerequisites
Before you begin, ensure that you have:
A subscription Web Application Firewall (WAF) 3.0 instance running the Enterprise or Ultimate edition, or a pay-as-you-go WAF 3.0 instance. For subscription instances, see Purchase a subscription WAF 3.0 instance. For pay-as-you-go instances, see Purchase a pay-as-you-go WAF 3.0 instance
Web services added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups
Template types
The custom response module uses two types of protection templates:
| Template type | Who creates it | Applies to |
|---|---|---|
| Default protection template | You create it manually. WAF does not provide one initially. | Automatically applied to all protected objects and object groups not associated with a custom protection template, including newly added ones. Manually adjustable. |
| Custom protection template | You create it manually. | Only the protected objects and object groups you specify in Apply To. |
Key constraints:
Each protection module supports only one default protection template.
The default template can only be set at template creation time and cannot be changed later.
Each protected object or object group can be associated with only one custom response protection template.
Create a protection template
The custom response module does not include an initial default template. Create one before enabling any protection rule.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of your WAF instance. Select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Configuration > Core Web Protection.
On the Core Web Protection page, scroll to the Custom Response section and click Create Template.
In the Create Template - Custom Response panel, configure the following parameters and click OK.
Parameter Description Template Name Enter a name for the template. The name must be 1–255 characters and can contain letters, digits, periods ( .), underscores (_), and hyphens (-).Save As Default Template Select this option to make the template the default. The default template is automatically applied to all protected objects and object groups that are not associated with a custom protection template, including newly added ones. You can set only one default template per protection module, and the setting cannot be changed after creation. Rule Configuration Configure the block page content. Each custom response template contains exactly one protection rule. See Rule configuration parameters. Apply To Select the protected objects and object groups on the Protected Objects and Protected Object Groups tabs. If you set a default template, all unassociated objects are selected automatically. If you do not set a default template, no objects are selected automatically. For more information, see Configure protected objects and protected object groups.
Rule configuration parameters
| Parameter | Description |
|---|---|
| Status Code | The HTTP status code WAF returns to the client when a request is blocked. Valid values: 200–600. Default value: 405. |
| Custom Header | Response header fields returned to the client when a request is blocked. Each field has a Header Name and Header Value. Add up to five fields. To specify the format of the response body, add a Content-Type header field (for example, text/html for an HTML body or application/json for a JSON body). |
| Response Body | The source code of the block page. The content must be in HTML or JSON format, and the maximum length is 4,000 characters. To include the request ID on the block page so you can look up blocked requests in Simple Log Service, add {::trace_id::} at the appropriate location in the response body. |
After a protection template takes effect, it replaces the default block page for all protected objects it applies to. To revert to the default block page, disable or delete the protection template.
Newly created templates are enabled by default. After creation, the template appears in the template list where you can:
View the number of protected objects and object groups associated with the template in the Protected Object/Group column.
Toggle the switch in the Status column to enable or disable the template.
Click Create Rule in the Actions column to add a protection rule to the template.
Click Edit, Delete, or Copy in the Actions column to manage the template.
Click the
icon to the left of the template name to view its protection rules.
Next steps
For an overview of WAF 3.0 protection objects, modules, and the protection process, see Protection configuration overview.
To create a protection template using the API, see CreateDefenseTemplate.
To create a protection rule using the API, see CreateDefenseRule.