After you add web services to Web Application Firewall (WAF), you can configure custom rules to defend against specific requests. Custom rules include access control rules and throttling rules. This topic describes how to create a custom rule template and add rules to the template.

Background information

Custom rules are classified into the following types:

  • Access control rules: You use common request characteristics, such as the client IP address and the request URL, to specify match conditions. If a request meets all of the specified match conditions, WAF performs the specified action on the request. For example, you can block requests that are sent to a specified URL, or challenge requests that carry a specified User-Agent string with JavaScript validation or slider CAPTCHA.
    Related setting: Create the rule with Rate Limiting turned off. For more information, see the Rate Limiting parameter in Step 2: Add a custom rule to the custom rule template.

  • Throttling rules: You specify request rate detection conditions in addition to the match conditions. If the request rate of a statistical object exceeds the upper limit, WAF performs the specified action on the requests that are sent from that statistical object. For example, if an IP address or a session matches the rule many times in a short period of time, rate limiting lets you block the requests from that IP address or session for a specified period of time.
    Related setting: Create the rule with Rate Limiting turned on. For more information, see the Rate Limiting parameter in Step 2: Add a custom rule to the custom rule template.

Prerequisites

Step 1: Create a custom rule template

WAF does not provide a default custom rule template. Before you can enable a custom rule, you must create a custom rule template.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance that you want to manage belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.
  3. In the Custom Rule section in the lower part of the Protection Rules page, click Create Template.
    Note If no custom rule templates exist, click Configure Now in the Custom Rule card in the upper part of the Protection Rules page.
  4. In the Create Template - Custom Rule panel, configure the parameters and click OK. The parameters are described below.

    Template Name
      Enter a name for the template. The name must be 1 to 255 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Save as Default Template
      Specify whether to set this template as the default template for the protection module. You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter: the default template is applied to all protected objects and protected object groups to which no custom rule template is explicitly applied.

    Rule Configuration
      Click Create Rule to create a custom rule for the template. You can also create custom rules after the template is created. For more information, see Step 2: Add a custom rule to the custom rule template.

    Apply To
      Select the protected objects and protected object groups to which you want to apply the template. Only one template of a protection module can be applied to a protected object or a protected object group. For information about how to add protected objects and protected object groups, see Protected objects and protected object groups.

    By default, the new rule template is enabled. You can perform the following operations in the rule template list:
    • View the number of protected objects or protected object groups that are associated with the rule template.
    • Turn on or turn off Status to enable or disable the rule template.
    • Click Edit or Delete in the Actions column to modify or delete the rule template.
    • Click the show icon on the left side of a rule template to view the rules in the template.

Step 2: Add a custom rule to the custom rule template

The custom rule template takes effect only after it contains at least one custom rule. If you already created custom rules when you created the template, skip this step.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance that you want to manage belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.
  3. In the Custom Rule section, find the custom rule template to which you want to add a custom rule and click Create Rule in the Actions column.
  4. In the Create Rule dialog box, configure the parameters and click OK. The parameters are described below.

    Rule Name
      Enter a name for the rule. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Match Condition
      Specify the request characteristics that the rule matches on.

      Click Add Condition to add a match condition. You can add up to five match conditions to a rule. If you add multiple match conditions, the rule matches a request only if all of the conditions are met (logical AND).

      Each match condition consists of Match Field, Logical Operator, and Match Content. Sample configurations:
      • Example 1: Match Field is URI, Logical Operator is Contains, and Match Content is /login.php. A request whose path contains /login.php matches the condition.
      • Example 2: Match Field is IP, Logical Operator is Belongs To, and Match Content is 192.XX.XX.1. A request that is sent from the client whose IP address is 192.XX.XX.1 matches the condition.

      For more information, see Match conditions.
    Rate Limiting
      Specify whether to enable rate limiting. If rate limiting is enabled and the requests from a statistical object match the rule more often than the configured threshold allows, WAF performs the specified action on the requests from that object for a specified period of time.

      If you enable rate limiting, configure the following parameters.
      • Request rate detection conditions

        If the number of times that a statistical object (Statistical Object) matches the rule within one statistical period (Statistical Interval (Seconds)) exceeds the upper limit (Threshold), the object is added to a blacklist.

        • Statistical Object
          Select the object whose request rate you want to measure. Valid values:
          • IP Address: counts the requests that are sent from a specific IP address.
          • Session: counts the requests that are transmitted over a specific session.
          • Custom Header: counts the requests that contain a specified header.
          • Custom Parameter: counts the requests that contain a specified parameter.
          • Custom Cookie: counts the requests that contain a specified cookie.
        • Statistical Interval (Seconds)
          Specify the length of the statistical period, in seconds.
        • Threshold (Times)
          Specify the maximum number of times that the statistical object can match the match conditions within one statistical period.

      • Status code detection conditions

        If the number of responses that carry a specified status code exceeds the upper limit (Quantity), or the percentage of responses that carry the status code among all responses exceeds the upper limit (Percentage (%)), the statistical object is added to a blacklist.

        • Status Code
          Specify whether to check response status codes in addition to the request rate detection conditions. If you select Status Code, you must specify a status code, and a statistical object is added to the blacklist only if it meets both the request rate detection conditions and the status code detection conditions.
        • Quantity
          Specify the maximum number of responses that can carry the specified status code within one statistical period.
          Note Select either Quantity or Percentage (%), not both.
        • Percentage (%)
          Specify the maximum percentage of responses that can carry the specified status code, out of all responses within one statistical period.
          Note Select either Quantity or Percentage (%), not both.

      • Adding a statistical object to a blacklist

        When a statistical object meets the detection conditions, it is added to a blacklist and stays there for the Timeout Period. While the object is blacklisted, WAF performs the configured Action on the requests from that object that fall within the Apply To scope.

        • Apply To
          Specify the requests on which WAF performs the action. Valid values:
          • Current Match Condition: WAF performs the action only on the requests from the blacklisted object that meet the match conditions.
          • Protected Object: WAF performs the action on all requests that the blacklisted object sends to the protected object.
        • Timeout Period
          Specify how long the object stays in the blacklist and WAF keeps performing the action, in seconds. Valid values: 60 to 86400.

      Important The throttling feature limits the request rate of a statistical object per protected object. For example, if you add an Application Load Balancer (ALB) instance as a protected object and configure a throttling rule for it, and the ALB instance forwards requests for multiple domain names, the request rate is counted across all of those domain names together. To limit the request rate for only one of the domain names, use one of the following methods:
      • Method 1: Add the domain name itself as a protected object of WAF, and then configure a throttling rule for that domain name. For more information, see Manually add protected objects.
      • Method 2: Configure the throttling rule for the ALB instance and add a match condition on the Host request header, so that only requests for that domain name are counted and acted on.
    Protection Rule Type
      This parameter is set automatically based on whether you turn on Rate Limiting:
      • If Rate Limiting is turned on, Protection Rule Type is Throttling.
      • If Rate Limiting is turned off, Protection Rule Type is Access Control.

    Action
      Specify the action that WAF performs on requests that match the rule. Valid values:
      • JavaScript Validation: WAF returns JavaScript code to the client, which a browser executes automatically. If the client passes the verification, WAF allows the requests from that client for a specified time range (30 minutes by default). If the client fails the verification, WAF blocks its requests. Clients that do not execute JavaScript, such as scripts and API clients, cannot pass this verification, so do not use this action for endpoints that are not called from a browser.
      • Block: WAF blocks the requests that match the rule and returns a block page to the client.
        Note By default, WAF returns a preconfigured block page. You can use the custom response feature to configure a custom block page. For more information, see Configure custom response rules to configure custom block pages.
      • Monitor: WAF logs the requests that match the rule without blocking them. You can query the logs to evaluate the rule, for example to check whether it would block legitimate requests, before you change the action to Block.
        Important You can query logs only if the Log Service for WAF feature is enabled. For more information, see Enable Log Service for WAF.
      • Common Slider CAPTCHA: WAF returns a slider CAPTCHA verification page to the client. If the client passes the verification, WAF allows the requests from that client for a specified time range (30 minutes by default). If the client fails the verification, WAF blocks its requests.
      • Strict Slider CAPTCHA: WAF returns a slider CAPTCHA verification page to the client. Unlike Common Slider CAPTCHA, no time range is granted after a successful verification: a client must pass strict slider CAPTCHA verification to send a request, and WAF blocks the request if the client fails.
    By default, the new rule is enabled. You can perform the following operations in the rule list:
    • Turn on or turn off Status to enable or disable the rule.
    • Click Edit or Delete in the Actions column to modify or delete the rule.
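The following Python script is an added example, not code from Alibaba Cloud or the WAF console: it simulates offline how the Match Condition and Rate Limiting parameters described in this step combine, so you can reason about a rule before you deploy it. The request record layout (ts, Host, URI, IP, status), the sliding-window counting, the example.com domain names, the CIDR ranges and the sample traffic are all constructed assumptions. The conditions implement Method 2 from the Important note above: a Host condition scopes an ALB-level throttling rule to one domain name, and the run shows why Apply To = Protected Object would also hit the other domain on the same ALB.

```python
"""Offline simulation of the Match Condition and Rate Limiting semantics in Step 2.
Added example (not Alibaba Cloud's code); record layout, sliding window and traffic are constructed."""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Condition:                 # Match Field, Logical Operator, Match Content
    match_field: str             # "URI", "IP", "Host", ...
    operator: str                # "Contains", "Equals" or "Belongs To"
    content: str                 # for "Belongs To": comma-separated IPs or CIDRs

def condition_matches(cond: Condition, rec: dict) -> bool:
    value = rec[cond.match_field]
    if cond.operator == "Contains":
        return cond.content in value
    if cond.operator == "Equals":
        return value == cond.content
    if cond.operator == "Belongs To":
        return any(ip_address(value) in ip_network(n.strip(), strict=False)
                   for n in cond.content.split(","))
    raise ValueError(f"unsupported operator: {cond.operator}")

def rule_matches(conditions: list[Condition], rec: dict) -> bool:
    # All conditions must hold (logical AND); the console allows up to five.
    return all(condition_matches(c, rec) for c in conditions)

@dataclass
class ThrottlingRule:
    conditions: list[Condition]
    statistical_object: str = "IP"        # record field whose values are counted
    interval: int = 10                    # Statistical Interval (Seconds)
    threshold: int = 5                    # Threshold (Times)
    status_code: int | None = None        # optional Status Code condition
    quantity: int | None = None           # Quantity ...
    percentage: float | None = None       # ... or Percentage (%), never both
    timeout: int = 60                     # Timeout Period (Seconds), 60 to 86400
    apply_to: str = "Current Match Condition"   # or "Protected Object"
    action: str = "Block"                 # or "Monitor" (log only, never blocks)
    _hits: dict = field(default_factory=lambda: defaultdict(deque))
    _blacklist: dict = field(default_factory=dict)   # object -> expiry timestamp

    def __post_init__(self):
        if not 60 <= self.timeout <= 86400:
            raise ValueError("Timeout Period must be 60 to 86400 seconds")
        if self.quantity is not None and self.percentage is not None:
            raise ValueError("select Quantity or Percentage (%), not both")

    def _limit_exceeded(self, hits) -> bool:
        if len(hits) <= self.threshold:
            return False
        if self.status_code is None:
            return True
        # Status Code selected: the status-code condition must ALSO be met.
        n = sum(1 for _, status in hits if status == self.status_code)
        return (n > self.quantity if self.quantity is not None
                else 100.0 * n / len(hits) > self.percentage)

    def process(self, rec: dict) -> str:
        """Return 'block', 'monitor' or 'pass' for one request record."""
        key, now = rec[self.statistical_object], rec["ts"]
        matched = rule_matches(self.conditions, rec)
        if matched:
            hits = self._hits[key]
            hits.append((now, rec["status"]))
            while hits and hits[0][0] <= now - self.interval:
                hits.popleft()            # forget hits outside the window
            if key not in self._blacklist and self._limit_exceeded(hits):
                self._blacklist[key] = now + self.timeout
        expiry = self._blacklist.get(key)
        if expiry is None or now >= expiry:
            self._blacklist.pop(key, None)   # Timeout Period elapsed
            return "pass"
        if self.apply_to == "Current Match Condition" and not matched:
            return "pass"                 # other requests from the object untouched
        return "block" if self.action == "Block" else "monitor"

# Method 2 from the Important note: a Host condition scopes an ALB-level rule to one domain.
METHOD2_CONDITIONS = [
    Condition("Host", "Equals", "shop.example.com"),
    Condition("URI", "Contains", "/login.php"),
    Condition("IP", "Belongs To", "203.0.113.0/24, 198.51.100.0/24"),   # assumed Match Content
]

# Constructed traffic for an ALB that fronts shop.example.com and api.example.com.
SAMPLE_LOG = [
    {"ts": t, "Host": "shop.example.com", "URI": "/login.php", "IP": "203.0.113.7", "status": 401}
    for t in range(6)                     # 6 failed logins within 6 seconds
] + [
    {"ts": 12, "Host": "api.example.com", "URI": "/login.php", "IP": "203.0.113.7", "status": 200},
    {"ts": 13, "Host": "shop.example.com", "URI": "/cart", "IP": "203.0.113.7", "status": 200},
    {"ts": 14, "Host": "shop.example.com", "URI": "/login.php", "IP": "198.51.100.9", "status": 200},
]

if __name__ == "__main__":
    rule = ThrottlingRule(list(METHOD2_CONDITIONS), status_code=401, percentage=50)
    print([rule.process(r) for r in SAMPLE_LOG])   # 5 x pass, block, 3 x pass
```

With Threshold 5, the sixth matching request within the window trips the rule, and because Status Code 401 with Percentage (%) 50 is also met the IP is blacklisted; the later request to api.example.com on the same ALB, and the request to /cart, still pass because Apply To is Current Match Condition. Switching Apply To to Protected Object makes both of those requests subject to the action, which is the situation the Important note warns about; switching Action to Monitor records them instead of blocking, which is the safe way to trial a rule before you enable Block.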

What to do next

On the Custom Rule tab of the Security Reports page, you can view the protection details of the custom rule module. For more information, see IP address blacklist, custom rule, scan protection, HTTP flood protection, and region blacklist modules.

References

  • Protection configuration overview: describes the protected objects, protection modules, and protection procedures of WAF 3.0.
  • Match conditions: describes the match conditions and match fields that you must specify when you create a custom rule.
  • CreateDefenseTemplate: creates a protection rule template.
  • CreateDefenseRule: creates a protection rule. When you call this operation to create a custom rule, you must set the DefenseScene parameter to custom_acl.