Help Center> Web Application Firewall> Getting Started> Configuring a Precise Protection Rule to Block Requests with Empty Fields

Updated on 2024-06-05 GMT+08:00

View PDF

Configuring a Precise Protection Rule to Block Requests with Empty Fields

You can combine common HTTP fields, such as IP, Path, Referer, User Agent, and Params in a protection rule to let WAF allow, block, or only log the requests that match the combined conditions. In addition, JavaScript challenge verification is supported. WAF returns a piece of JavaScript code that can be automatically executed by a normal browser to the client. If the client properly executes JavaScript code, WAF allows all requests from the client within a period of time (30 minutes by default). During this period, no verification is required. If the client fails to execute the code, WAF blocks the requests.

This topic walks you through how WAF blocks a request with null field.

Process

Procedure	Description
Preparations	Sign up for a HUAWEI ID, enable Huawei Cloud services, top up your account, and assign WAF permissions to the account.
Step 1: Buy WAF	Purchase WAF and select the region and WAF mode.
Step 2: Add a Website to WAF	Add the website you want to protect to WAF for traffic inspection and forwarding.
Step 4: Configure a Precise Protection Rule	Configure the Referer field in the rule to block requests with null fields.

Preparations

Before purchasing WAF, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.
If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.
Make sure that your account has sufficient balance, or you may fail to pay to your WAF orders.

Make sure your account has WAF permissions assigned. For details, see Creating a User Group and Granting Permissions.

**Table 1** System policies supported by WAF
Role/Policy Name	Description	Category	Dependencies
WAF Administrator	Administrator permissions for WAF	System-defined role	Dependent on the Tenant Guest and Server Administrator roles. Tenant Guest: A global role, which must be assigned in the global project. Server Administrator: A project-level role, which must be assigned in the same project.
WAF FullAccess	All permissions for WAF	System-defined policy	None.
WAF ReadOnlyAccess	Read-only permissions for WAF.	System-defined policy	None.

Step 1: Buy WAF

WAF provides three access modes, CNAME and ELB access modes for cloud WAF and dedicated access mode for dedicated WAF. For their differences, see Edition Differences.

This topic will start from how to purchase cloud WAF to how to add a website to a cloud WAF in CNAME access mode, and configure and enable CC attack protection rules. For details, see Buying a Dedicated WAF Instance.

Log in to Huawei Cloud management console.
On the management console page, choose Security & Compliance > Web Application Firewall.
In the upper right corner of the page, click Buy WAF. On the purchase page displayed, select a WAF mode.
- Region: Select the region nearest to your services WAF will protect.
- Edition: The Standard or higher is recommended.
- Expansion Package and Required Duration: Select them based on site requirements.
Confirm the product details and click Buy Now in the lower right corner of the page.
Check the order details and read the WAF Disclaimer. Then, select the box and click Pay Now.
On the payment page, select a payment method and pay for your order.

Step 2: Add a Website to WAF

Before adding a website to WAF, you need to collect some details of the website.

**Table 2** Domain name information required
Required Information	Parameter	Description	Example Value
Whether a proxy is used for the domain name	Proxy Configured	Layer-7 proxy: Web proxy products for layer-7 request forwarding are used, products such as anti-DDoS, CDN, and other cloud acceleration services. Layer-4 proxy: Web proxy products for layer-4 forwarding are used, products such as anti-DDoS. No proxy: No proxy products are deployed in front of WAF.	No proxy
Configuration parameters	Domain Name	The domain name is used by visitors to access your website. A domain name consists of letters separated by dots (.). It is a human readable address that maps to the machine readable IP address of your server.	www.example.com
	Protected Port	The service port corresponding to the domain name of the website you want to protect. Standard ports 80: default port when the client protocol is HTTP 443: default port when the client protocol is HTTPS Non-standard ports Ports other than ports 80 and 443	80
	Client Protocol	Protocol used by a client (for example, a browser) to access the website. WAF supports HTTP and HTTPS.	HTTP
	Server Protocol	Protocol used by WAF to forward requests from the client (such as a browser). The options are HTTP and HTTPS.	HTTP
	Server address	Public IP address or domain name of the origin server for a client (such as a browser) to access. Generally, a public IP address maps to the A record of the domain name configured on the DNS, and a domain name to the CNAME record.	XXX.XXX.1.1
(Optional) Certificate	Certificate Name	If you set Client Protocol to HTTPS, you are required to configure a certificate on WAF and associate the certificate with the domain name. NOTICE: Only .pem certificates can be used in WAF. If the certificate is not in PEM format, convert it into pem format by referring to How Do I Convert a Certificate into PEM Format?	-

For details, see Connecting a Website to WAF (Cloud Mode - CNAME Access).

Step 4: Configure a Precise Protection Rule

In the navigation pane on the left, choose Policies.
Click the name of the target policy to go to the protection configuration page.
Click the Precise Protection configuration box to enable the precise protection.
- : enabled.
- : disabled.
Above the precise protection rule list, click Add Rule and configure a rule as shown in Figure 1.

Figure 1 Blocking requests with a null referer field.
Click Confirm.

Related Information

For details, see Configure Precise Protection Rules to Enable Custom Protection.

Previous topic: Configuring CC Attack Protection Rules to Defend Against CC Attacks

Next topic: Getting Started with Common Practices

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot