Updating a CC Attack Protection Rule

Function

This API is used to update a CC attack protection rule.

Calling Method

For details, see Calling APIs.

URI

PUT /v1/{project_id}/waf/policy/{policy_id}/cc/{rule_id}

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID. To obtain it, go to Huawei Cloud management console and hover the cursor over your username. On the displayed window, choose My Credentials. Then, in the Projects area, view Project ID of the corresponding project.
policy_id	Yes	String	ID of a protection policy. You can specify a protection policy ID to query the rules used in the protection policy. You can obtain the policy ID by calling the ListPolicy API.
rule_id	Yes	String	"ID of the cc rule. It can be obtained by calling the ListCcRules API."

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	You can obtain the ID by calling the ListEnterpriseProject API of EPS.

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API (value of X-Subject-Token in the response header).
Content-Type	Yes	String	Content type.

**Table 4** Request body parameters
Parameter	Mandatory	Type	Description
name	No	String	Rule name.
mode	Yes	Integer	Mode. 0: Standard. 1: Advanced.
url	No	String	Path to be protected in the CC attack protection rule. This parameter is mandatory when the CC attack protection rule is in standard mode (i.e. the value of mode is 0).
conditions	Yes	Array of CcCondition objects	Condition list. This parameter is returned when mode is set to 1.
action	Yes	action object	Action to take if the number of requests reaches the upper limit.
tag_type	Yes	String	Protection mode. ip: IP-based rate limiting. Website visitors are identified by IP address. cookie: User-based rate limiting. Website visitors are identified by the cookie key value. other: Website visitors are identified by the Referer field (user-defined request source).
tag_index	No	String	User identifier. This parameter is mandatory when the rate limit mode is set to user (cookie or header). cookie: Set the cookie field name. You need to configure an attribute variable name in the cookie that can uniquely identify a web visitor based on your website requirements. This field does not support regular expressions. Only complete matches are supported. For example, if a website uses the name field in the cookie to uniquely identify a website visitor, select name. header: Set the user-defined HTTP header you want to protect. You need to configure the HTTP header that can identify web visitors based on your website requirements.
tag_condition	No	tag_condition object	User tag. This parameter is mandatory when the rate limit mode is set to other. -other: A website visitor is identified by the Referer field (user-defined request source).
limit_num	Yes	Integer	Rate limit frequency based on the number of requests. The value ranges from 1 to 2,147,483,647.
limit_period	Yes	Integer	Rate limit period, in seconds. The value ranges from 1 to 3,600.
unlock_num	No	Integer	Allowable frequency based on the number of requests. The value ranges from 0 to 2,147,483,647. This parameter is required only when the protection action type is dynamic_block.
lock_time	No	Integer	Block duration, in seconds. The value ranges from 0 to 65,535. Access requests are blocked during the configured block duration, and an error page is displayed.
domain_aggregation	No	Boolean	Whether to enable domain name aggregation statistics
region_aggregation	No	Boolean	Whether to enable global counting.
description	No	String	Rule description.

**Table 5** CcCondition
Parameter	Mandatory	Type	Description
category	Yes	String	Field type.
logic_operation	Yes	String	Logic for matching the condition. If the category is url, the optional operations are contain, not_contain, equal, not_equal, prefix, not_prefix, suffix, not_suffix, contain_any, not_contain_all, equal_any, not_equal_all, equal_any, not_equal_all, prefix_any, not_prefix_all, suffix_any, not_suffix_all, len_greater, len_less, len_equal and len_not_equal If the category is ip, the optional operations are: equal, not_equal, , equal_any and not_equal_all If the category is params, cookie and header, the optional operations are: contain, not_contain, equal, not_equal, prefix, not_prefix, suffix, not_suffix, contain_any, not_contain_all, equal_any, not_equal_all, equal_any, not_equal_all, prefix_any, not_prefix_all, suffix_any, not_suffix_all, len_greater, len_less, len_equal, len_not_equal, num_greater, num_less, num_equal, num_not_equal, exist and not_exist
contents	No	Array of strings	Content of the conditions. This parameter is mandatory when the suffix of logic_operation is not any or all.
value_list_id	No	String	Reference table ID. It can be obtained by calling the API Querying the Reference Table List. This parameter is mandatory when the suffix of logic_operation is any or all. The reference table type must be the same as the category type.
index	No	String	Subfield. When Field Type is set to params, cookie, or header, set this parameter based on the site requirements and this parameter is mandatory.

**Table 6** action
Parameter	Mandatory	Type	Description
category	Yes	String	Action type: captcha: Verification code. WAF requires visitors to enter a correct verification code to continue their access to requested page on your website. block: WAF blocks the requests. When tag_type is set to other, the value can only be block. log: WAF logs the event only. dynamic_block: In the previous rate limit period, if the request frequency exceeds the value of Rate Limit Frequency, the request is blocked. In the next rate limit period, if the request frequency exceeds the value of Permit Frequency, the request is still blocked. Note: The dynamic_block protection action can be set only when the advanced protection mode is enabled for the CC protection rule.
detail	No	detail object	Block page information. When protection action category is set to block or dynamic_block, you need to set the returned block page. If you want to use the default block page, this parameter can be excluded. If you want to use a custom block page, set this parameter.

**Table 7** detail
Parameter	Mandatory	Type	Description
response	No	response object	Block Page.

**Table 8** response
Parameter	Mandatory	Type	Description
content_type	No	String	Content type. The value can only be application/json, text/html, or text/xml.
content	No	String	Block page information.

**Table 9** tag_condition
Parameter	Mandatory	Type	Description
category	No	String	User identifier. The value is fixed at referer.
contents	No	Array of strings	Content of the user identifier field.

Response Parameters

Status code: 200

**Table 10** Response body parameters
Parameter	Type	Description
name	String	Rule name.
id	String	Rule ID.
policyid	String	Policy ID.
url	String	When the value of mode is 0, this parameter has a return value. URL to which the rule applies, excluding a domain name. Prefix match: A path ending with * indicates that the path is used as a prefix. For example, to protect /admin/test.php or /adminabc, you can set Path to /admin*. Exact match: The path you enter must exactly match the path you want to protect. If the path you want to protect is /admin, set url to /admin.
prefix	Boolean	Whether a prefix is used for the path. If the protected URL ends with an asterisk (*), a path prefix is used.
mode	Integer	Mode. 0: Standard. 1: Advanced.
conditions	Array of CcCondition objects	Condition list. This parameter is returned when mode is set to 1.
action	action object	Action to take if the number of requests reaches the upper limit.
tag_type	String	Protection mode. ip: IP-based rate limiting. Website visitors are identified by IP address. cookie: User-based rate limiting. Website visitors are identified by the cookie key value. other: Website visitors are identified by the Referer field (user-defined request source).
tag_index	String	User identifier. This parameter is mandatory when the rate limit mode is set to user (cookie or header). cookie: Set the cookie field name. You need to configure an attribute variable name in the cookie that can uniquely identify a web visitor based on your website requirements. This field does not support regular expressions. Only complete matches are supported. For example, if a website uses the name field in the cookie to uniquely identify a website visitor, select name. header: Set the user-defined HTTP header you want to protect. You need to configure the HTTP header that can identify web visitors based on your website requirements.
tag_condition	tag_condition object	User tag. This parameter is mandatory when the rate limit mode is set to other. -other: A website visitor is identified by the Referer field (user-defined request source).
limit_num	Integer	Rate limit frequency based on the number of requests. The value ranges from 1 to 2,147,483,647.
limit_period	Integer	Rate limit period, in seconds. The value ranges from 1 to 3,600.
unlock_num	Integer	Allowable frequency based on the number of requests. The value ranges from 0 to 2,147,483,647. This parameter is required only when the protection action type is dynamic_block.
lock_time	Integer	Block duration, in seconds. The value ranges from 0 to 65,535. Access requests are blocked during the configured block duration, and an error page is displayed.
domain_aggregation	Boolean	Whether to enable domain name aggregation statistics
region_aggregation	Boolean	Whether to enable global counting.
description	String	Rule description.
total_num	Integer	This parameter is reserved and can be ignored currently.
unaggregation	Boolean	This parameter is reserved and can be ignored currently.
aging_time	Integer	Rule aging time. This parameter is reserved and can be ignored currently.
producer	Integer	Rule creation object. This parameter is reserved and can be ignored currently.

**Table 11** CcCondition
Parameter	Type	Description
category	String	Field type.
logic_operation	String	Logic for matching the condition. If the category is url, the optional operations are contain, not_contain, equal, not_equal, prefix, not_prefix, suffix, not_suffix, contain_any, not_contain_all, equal_any, not_equal_all, equal_any, not_equal_all, prefix_any, not_prefix_all, suffix_any, not_suffix_all, len_greater, len_less, len_equal and len_not_equal If the category is ip, the optional operations are: equal, not_equal, , equal_any and not_equal_all If the category is params, cookie and header, the optional operations are: contain, not_contain, equal, not_equal, prefix, not_prefix, suffix, not_suffix, contain_any, not_contain_all, equal_any, not_equal_all, equal_any, not_equal_all, prefix_any, not_prefix_all, suffix_any, not_suffix_all, len_greater, len_less, len_equal, len_not_equal, num_greater, num_less, num_equal, num_not_equal, exist and not_exist
contents	Array of strings	Content of the conditions. This parameter is mandatory when the suffix of logic_operation is not any or all.
value_list_id	String	Reference table ID. It can be obtained by calling the API Querying the Reference Table List. This parameter is mandatory when the suffix of logic_operation is any or all. The reference table type must be the same as the category type.
index	String	Subfield. When Field Type is set to params, cookie, or header, set this parameter based on the site requirements and this parameter is mandatory.

**Table 12** action
Parameter	Type	Description
category	String	Action type: captcha: Verification code. WAF requires visitors to enter a correct verification code to continue their access to requested page on your website. block: WAF blocks the requests. When tag_type is set to other, the value can only be block. log: WAF logs the event only. dynamic_block: In the previous rate limit period, if the request frequency exceeds the value of Rate Limit Frequency, the request is blocked. In the next rate limit period, if the request frequency exceeds the value of Permit Frequency, the request is still blocked. Note: The dynamic_block protection action can be set only when the advanced protection mode is enabled for the CC protection rule.
detail	detail object	Block page information. When protection action category is set to block or dynamic_block, you need to set the returned block page. If you want to use the default block page, this parameter can be excluded. If you want to use a custom block page, set this parameter.

**Table 13** detail
Parameter	Type	Description
response	response object	Returned page

**Table 14** response
Parameter	Type	Description
content_type	String	Content type. The value can only be application/json, text/html, or text/xml.
content	String	Content

**Table 15** tag_condition
Parameter	Type	Description
category	String	User identifier. The value is fixed at referer.
contents	Array of strings	Content of the user identifier field.

Status code: 400

**Table 16** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs.
details	Array of IAM5ErrorDetails objects	The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs.

**Table 17** IAM5ErrorDetails
Parameter	Type	Description
error_code	String	Error codes of the downstream service.
error_msg	String	Error messages of the downstream service.

Status code: 401

**Table 18** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs.
details	Array of IAM5ErrorDetails objects	The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs.

**Table 19** IAM5ErrorDetails
Parameter	Type	Description
error_code	String	Error codes of the downstream service.
error_msg	String	Error messages of the downstream service.

Status code: 500

**Table 20** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs.
details	Array of IAM5ErrorDetails objects	The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs.

**Table 21** IAM5ErrorDetails
Parameter	Type	Description
error_code	String	Error codes of the downstream service.
error_msg	String	Error messages of the downstream service.

Example Requests

The following example shows how to change the rate limit settings of a CC protection rule. The project ID is specified by project_id and protection policy ID is specified by policy_id. The rule name is test55, the rate limit mode is IP-based rate limit, rate limit frequency is 10, the rate limit duration is 60s, and the protective action is verification code. The protection mode of the CC rule is advanced. The field type of the rate limit condition is the URL that contains /url. There is no subfield. Requests are counted only for the current WAF instance.

PUT https://{Endpoint}/v1/{project_id}/waf/policy/{policy_id}/cc/{rule_id}?

{
  "description" : "",
  "tag_type" : "ip",
  "limit_num" : 10,
  "limit_period" : 60,
  "action" : {
    "category" : "captcha"
  },
  "mode" : 1,
  "name" : "test55",
  "domain_aggregation" : false,
  "conditions" : [ {
    "category" : "url",
    "logic_operation" : "contain",
    "contents" : [ "/url" ],
    "index" : null
  } ],
  "region_aggregation" : false
}

Example Responses

Status code: 200

Request succeeded.

{
  "id" : "f88c5eabff9b4ff9ba6e7dd8e38128ba",
  "policyid" : "d471eef691684f1c8d7784532fd8f4bd",
  "name" : "test55",
  "description" : "",
  "mode" : 1,
  "conditions" : [ {
    "category" : "url",
    "contents" : [ "/url" ],
    "logic_operation" : "contain"
  } ],
  "action" : {
    "category" : "captcha"
  },
  "producer" : 1,
  "unaggregation" : false,
  "total_num" : 0,
  "limit_num" : 10,
  "limit_period" : 60,
  "lock_time" : 0,
  "tag_type" : "ip",
  "aging_time" : 0,
  "region_aggregation" : false,
  "domain_aggregation" : false
}

SDK Sample Code

The SDK sample code is as follows.

      
       
         
         
           package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.waf.v1.region.WafRegion;
import com.huaweicloud.sdk.waf.v1.*;
import com.huaweicloud.sdk.waf.v1.model.*;

import java.util.List;
import java.util.ArrayList;

public class UpdateCcRuleSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        WafClient client = WafClient.newBuilder()
                .withCredential(auth)
                .withRegion(WafRegion.valueOf("<YOUR REGION>"))
                .build();
        UpdateCcRuleRequest request = new UpdateCcRuleRequest();
        request.withPolicyId("{policy_id}");
        request.withRuleId("{rule_id}");
        UpdateCcRuleRequestBody body = new UpdateCcRuleRequestBody();
        CreateCcRuleRequestBodyAction actionbody = new CreateCcRuleRequestBodyAction();
        actionbody.withCategory(CreateCcRuleRequestBodyAction.CategoryEnum.fromValue("captcha"));
        List<String> listConditionsContents = new ArrayList<>();
        listConditionsContents.add("/url");
        List<CcCondition> listbodyConditions = new ArrayList<>();
        listbodyConditions.add(
            new CcCondition()
                .withCategory(CcCondition.CategoryEnum.fromValue("url"))
                .withLogicOperation("contain")
                .withContents(listConditionsContents)
        );
        body.withDescription("");
        body.withRegionAggregation(false);
        body.withDomainAggregation(false);
        body.withLimitPeriod(60);
        body.withLimitNum(10);
        body.withTagType(UpdateCcRuleRequestBody.TagTypeEnum.fromValue("ip"));
        body.withAction(actionbody);
        body.withConditions(listbodyConditions);
        body.withMode(1);
        body.withName("test55");
        request.withBody(body);
        try {
            UpdateCcRuleResponse response = client.updateCcRule(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

          

        

      
     

      
       
         
         
           # coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkwaf.v1.region.waf_region import WafRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkwaf.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = WafClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(WafRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = UpdateCcRuleRequest()
        request.policy_id = "{policy_id}"
        request.rule_id = "{rule_id}"
        actionbody = CreateCcRuleRequestBodyAction(
            category="captcha"
        )
        listContentsConditions = [
            "/url"
        ]
        listConditionsbody = [
            CcCondition(
                category="url",
                logic_operation="contain",
                contents=listContentsConditions
            )
        ]
        request.body = UpdateCcRuleRequestBody(
            description="",
            region_aggregation=False,
            domain_aggregation=False,
            limit_period=60,
            limit_num=10,
            tag_type="ip",
            action=actionbody,
            conditions=listConditionsbody,
            mode=1,
            name="test55"
        )
        response = client.update_cc_rule(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

          

        

      
     

      
       
         
         
           package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    waf "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := waf.NewWafClient(
        waf.WafClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.UpdateCcRuleRequest{}
	request.PolicyId = "{policy_id}"
	request.RuleId = "{rule_id}"
	actionbody := &model.CreateCcRuleRequestBodyAction{
		Category: model.GetCreateCcRuleRequestBodyActionCategoryEnum().CAPTCHA,
	}
	var listContentsConditions = []string{
        "/url",
    }
	var listConditionsbody = []model.CcCondition{
        {
            Category: model.GetCcConditionCategoryEnum().URL,
            LogicOperation: "contain",
            Contents: &listContentsConditions,
        },
    }
	descriptionUpdateCcRuleRequestBody:= ""
	regionAggregationUpdateCcRuleRequestBody:= false
	domainAggregationUpdateCcRuleRequestBody:= false
	nameUpdateCcRuleRequestBody:= "test55"
	request.Body = &model.UpdateCcRuleRequestBody{
		Description: &descriptionUpdateCcRuleRequestBody,
		RegionAggregation: &regionAggregationUpdateCcRuleRequestBody,
		DomainAggregation: &domainAggregationUpdateCcRuleRequestBody,
		LimitPeriod: int32(60),
		LimitNum: int32(10),
		TagType: model.GetUpdateCcRuleRequestBodyTagTypeEnum().IP,
		Action: actionbody,
		Conditions: listConditionsbody,
		Mode: int32(1),
		Name: &nameUpdateCcRuleRequestBody,
	}
	response, err := client.UpdateCcRule(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

          

        

      
     