Configuring a Precise Protection Rule to Block Requests with Empty Fields
You can combine common HTTP fields, such as IP, Path, Referer, User Agent, and Params, in a protection rule so that WAF allows, blocks, or only logs the requests that match the combined conditions. JavaScript challenge verification is also supported: WAF returns a piece of JavaScript code to the client, which a normal browser executes automatically. If the client executes the JavaScript code properly, WAF allows all requests from the client for a period of time (30 minutes by default), and no verification is required during this period. If the client fails to execute the code, WAF blocks the requests.
This topic walks you through configuring WAF to block requests with a null field.
Process
| Procedure | Description |
|---|---|
| Preparations | Sign up for a HUAWEI ID, enable Huawei Cloud services, top up your account, and assign WAF permissions to the account. |
| Step 1: Buy WAF | Purchase WAF and select the region and WAF mode. |
| Step 2: Add a Website to WAF | Add the website you want to protect to WAF for traffic inspection and forwarding. |
| Step 4: Configure a Precise Protection Rule | Configure the Referer field in the rule to block requests with null fields. |
Preparations
- Before purchasing WAF, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.
  If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.
- Make sure that your account has sufficient balance, or payment for your WAF orders may fail.
- Make sure your account has WAF permissions assigned. For details, see Creating a User Group and Granting Permissions.

Table 1 System policies supported by WAF

| Role/Policy Name | Description | Category | Dependencies |
|---|---|---|---|
| WAF Administrator | Administrator permissions for WAF | System-defined role | Dependent on the Tenant Guest and Server Administrator roles. Tenant Guest: A global role, which must be assigned in the global project. Server Administrator: A project-level role, which must be assigned in the same project. |
| WAF FullAccess | All permissions for WAF | System-defined policy | None. |
| WAF ReadOnlyAccess | Read-only permissions for WAF. | System-defined policy | |

Step 1: Buy WAF
WAF provides three access modes: CNAME and ELB access modes for cloud WAF, and dedicated access mode for dedicated WAF. For their differences, see Edition Differences.
This topic covers purchasing cloud WAF, adding a website to cloud WAF in CNAME access mode, and configuring and enabling CC attack protection rules. For details, see Buying a Dedicated WAF Instance.
- Log in to the Huawei Cloud management console.
- On the management console page, choose .
- In the upper right corner of the page, click Buy WAF. On the purchase page displayed, select a WAF mode.
  - Region: Select the region nearest to the services WAF will protect.
  - Edition: The Standard edition or higher is recommended.
  - Expansion Package and Required Duration: Select them based on site requirements.
- Confirm the product details and click Buy Now in the lower right corner of the page.
- Check the order details and read the WAF Disclaimer. Then, select the box and click Pay Now.
- On the payment page, select a payment method and pay for your order.
Step 2: Add a Website to WAF
| Required Information | Parameter | Description | Example Value |
|---|---|---|---|
| Whether a proxy is used for the domain name | Proxy Configured | | No proxy |
| Configuration parameters | Domain Name | The domain name is used by visitors to access your website. A domain name consists of letters separated by dots (.). It is a human-readable address that maps to the machine-readable IP address of your server. | www.example.com |
| | Protected Port | The service port corresponding to the domain name of the website you want to protect. | 80 |
| | Client Protocol | Protocol used by a client (for example, a browser) to access the website. WAF supports HTTP and HTTPS. | HTTP |
| | Server Protocol | Protocol used by WAF to forward requests from the client (such as a browser). The options are HTTP and HTTPS. | HTTP |
| | Server address | Public IP address or domain name of the origin server for a client (such as a browser) to access. Generally, a public IP address maps to the A record of the domain name configured on the DNS, and a domain name to the CNAME record. | XXX.XXX.1.1 |
| (Optional) Certificate | Certificate Name | If you set Client Protocol to HTTPS, you are required to configure a certificate on WAF and associate the certificate with the domain name. NOTICE: Only .pem certificates can be used in WAF. If the certificate is not in PEM format, convert it into PEM format by referring to How Do I Convert a Certificate into PEM Format? | - |

For details, see Connecting a Website to WAF (Cloud Mode - CNAME Access).
Step 4: Configure a Precise Protection Rule
- In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- Click the Precise Protection configuration box to enable precise protection.
  - : enabled.
  - : disabled.
- Above the precise protection rule list, click Add Rule and configure a rule as shown in Figure 1.
- Click Confirm.
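
What a "Referer is empty" rule matches can be checked offline before the rule is enabled. The following is an added example, not Huawei Cloud code: the `Condition` and `Rule` classes, the operator names `is_empty` and `prefix`, the all-conditions-must-match semantics, and the `/admin` sample path are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    field: str         # "path" or a header name such as "referer"
    logic: str         # "is_empty" or "prefix" (hypothetical operator names)
    content: str = ""

@dataclass(frozen=True)
class Rule:
    conditions: tuple  # assumed semantics: every condition must match
    action: str        # "block", "allow" or "log"

def field_value(request, field):
    if field == "path":
        return request["path"]
    # Header names are case-insensitive, so normalise before the lookup.
    headers = {k.lower(): v for k, v in request["headers"].items()}
    return headers.get(field)  # None when the header is absent

def matches(cond, request):
    value = field_value(request, cond.field)
    if cond.logic == "is_empty":
        # Absent, zero-length and whitespace-only values all count as empty.
        return value is None or value.strip() == ""
    if cond.logic == "prefix":
        return value is not None and value.startswith(cond.content)
    raise ValueError(f"unknown logic: {cond.logic}")

def evaluate(rules, request, default="allow"):  # first matching rule wins
    for rule in rules:
        if all(matches(c, request) for c in rule.conditions):
            return rule.action
    return default

# Constructed sample: block empty-Referer requests under /admin only.
RULES = [Rule((Condition("path", "prefix", "/admin"),
               Condition("referer", "is_empty")), "block")]
SAMPLES = [
    {"path": "/admin/login", "headers": {}},                 # header absent
    {"path": "/admin/login", "headers": {"Referer": "  "}},  # whitespace only
    {"path": "/admin/login", "headers": {"referer": "https://www.example.com/"}},
    {"path": "/index.html", "headers": {}},                  # path not covered
]

def run_samples():
    return [evaluate(RULES, r) for r in SAMPLES]
if __name__ == "__main__":
    print(run_samples())
```

Direct navigation and pages served with `Referrer-Policy: no-referrer` also send no Referer, so an unscoped empty-Referer block rule can catch legitimate visitors. Scoping the condition to a path, as in the sample, or starting with the log-only action shows what a block would affect.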
Related Information
For details, see Configure Precise Protection Rules to Enable Custom Protection.