Overview: Custom rules for web application firewall v2

Azure Application Gateway web application firewall (WAF) v2 comes with a pre-configured, platform-managed rule set that offers protection from many different types of attacks. These attacks include cross-site scripting, SQL injection, and others. If you're a WAF admin, you might want to write your own rules to augment the core rule set rules. Your rules can either block or allow requested traffic based on matching criteria.

With custom rules, you can create your own rules, which are evaluated for each request that passes through WAF. These rules hold a higher priority than the rest of the rules in the managed rule sets. The custom rules contain a rule name, a rule priority, and an array of matching conditions. If these conditions are met, an action is taken to allow or block.

For example, you can create a rule to block all requests from an IP address in the range 192.168.5.4/24. In this rule, the operator is IPMatch, matchValues is the IP address range (192.168.5.4/24), and the action is to block the traffic. You also set the rule's name and priority.

Custom rules support using compounding logic to make more advanced rules that address your security needs. For example, "(Condition 1 and Condition 2) or Condition 3" means that if Condition 1 and Condition 2 are met, or if Condition 3 is met, WAF should take the action that's specified in the custom rule.

Different matching conditions within the same rule are always compounded by using and. For example, a rule that uses and might specify to block traffic from a certain IP address, and only if a certain browser is being used.

If you want to use or for two different conditions, the two conditions must be in different rules. For example, the rule that uses or might specify to block traffic from a certain IP address or block traffic if a certain browser is being used.

Note

The maximum number of WAF custom rules is 100. For more information about Application Gateway limits, see Azure subscription and service limits, quotas, and constraints.

Regular expressions are also supported in custom rules, just as they are in the core rule sets. For examples of these rules, see "Example 3" and "Example 5" in Create and use custom web application firewall rules.

Allowing or blocking traffic

Allowing or blocking traffic is simple with custom rules. For example, you can block all traffic that comes from a range of IP addresses. You can make another rule to allow traffic if the request comes from a certain browser.

To allow something, ensure that the -Action parameter is set to Allow. To block something, ensure that the -Action parameter is set to Block, as shown in the following code:

# Match condition used by both rules below: the User-Agent request header
# contains "evilbot", compared after the Lowercase transform is applied.
$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector User-Agent
$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Contains -MatchValue "evilbot" -Transform Lowercase -NegationCondition $False

# -Action Allow: a matching request skips all remaining custom and managed rules.
$AllowRule = New-AzApplicationGatewayFirewallCustomRule `
   -Name example1 `
   -Priority 2 `
   -RuleType MatchRule `
   -MatchCondition $condition `
   -Action Allow

# -Action Block: a matching request is stopped and evaluation ends.
# Priorities must be unique within one policy, so use a different -Priority
# value if both rules are added to the same WAF policy.
$BlockRule = New-AzApplicationGatewayFirewallCustomRule `
   -Name example2 `
   -Priority 2 `
   -RuleType MatchRule `
   -MatchCondition $condition `
   -Action Block

The preceding $BlockRule maps to the following custom rule in Azure Resource Manager:

"customRules": [
      {
        "name": "blockEvilBot",
        "priority": 2,
        "ruleType": "MatchRule",
        "action": "Block",
        "matchConditions": [
          {
            "matchVariables": [
              {
                "variableName": "RequestHeaders",
                "selector": "User-Agent"
              }
            ],
            "operator": "Contains",
            "negationConditon": false,
            "matchValues": [
              "evilbot"
            ],
            "transforms": [
              "Lowercase"
            ]
          }
        ]
      }
    ], 

This custom rule contains a name, a priority, an action, and an array of matching conditions that must be met for the action to take place. For descriptions of the custom-rule fields, see the following sections. For examples of custom rules, see Create and use custom web application firewall rules.

Custom-rule fields

Name (optional)

This is the name of the rule. The name appears in the logs.

Priority (required)

  • The priority determines the order in which the rules are evaluated. The lower the value, the earlier the evaluation of the rule. The allowable range is from 1 to 100.
  • The priority must be unique among all custom rules. A rule with a priority of 40 is evaluated before a rule with a priority of 80.

Rule type (required)

Currently, the rule type must be MatchRule.

Match variable (required)

The match variable must be one of the following:

  • RemoteAddr: The IP address or hostname of the remote computer connection.
  • RequestMethod: The HTTP request method (GET, POST, PUT, DELETE, and so on).
  • QueryString: The variable in the URI.
  • PostArgs: The arguments that are sent in the POST body. Custom rules that use this match variable are applied only if the Content-Type header is set to "application/x-www-form-urlencoded" and "multipart/form-data".
  • RequestUri: The URI of the request.
  • RequestHeaders: The headers of the request.
  • RequestBody: The variable that contains the entire request body as a whole. Custom rules that use this match variable are applied only if the Content-Type header is set to "application/x-www-form-urlencoded".
  • RequestCookies: The cookies of the request.

Selector (optional)

The selector describes the field of the matchVariable collection. For example, if the matchVariable is "RequestHeaders", the selector could be on the User-Agent header.

Operator (required)

The operator must be one of the following:

  • IPMatch: This operator is used only when the match variable is RemoteAddr.
  • Equals: The input is the same as the MatchValue.
  • Contains
  • LessThan
  • GreaterThan
  • LessThanOrEqual
  • GreaterThanOrEqual
  • BeginsWith
  • EndsWith
  • Regex

Negate condition (optional)

Negates the current condition.

Transform (optional)

A list of strings with the names of transformations to complete before the match is attempted. The transforms include:

  • Lowercase
  • Trim
  • UrlDecode
  • UrlEncode
  • RemoveNulls
  • HtmlEntityDecode

Match values (required)

The matchValues field is a list of values to match against, which can be thought of as being or'ed. For example, the values could be IP addresses or other strings. The value format depends on the previous operator.

Action (required)

The action field offers the following options:

  • Allow: Authorizes the transaction and skips all subsequent rules. This means that the specified request is added to the Allow list and, after it is matched, the request stops further evaluation and is sent to the back-end pool. Requests that are on the Allow list aren't evaluated against further custom rules or managed rules.

  • Block: Blocks the transaction based on SecDefaultAction (detection/prevention mode). Like the Allow action, after the request is evaluated and added to the block list, the evaluation is stopped and the request is blocked. Subsequent requests that meet the same conditions aren't evaluated. They're only blocked.

  • Log: Lets the rule write to the log, and lets the rest of the rules run for evaluation. Subsequent custom rules are evaluated in order of priority, followed by the managed rules.
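As an added illustration (not code from this page or from Azure), the following Python models the evaluation semantics described above for a request passing through the custom rules: ascending priority, and-ed conditions within one rule, or'ed matchValues, transforms, negation, and the Allow/Block/Log behaviours. The rule set and requests are constructed, only a subset of the operators and transforms is modelled, and the ARM property spelling negationConditon is kept as it appears on the page.

```python
import ipaddress, urllib.parse

# Transforms named on this page, applied to a value before the operator runs (constructed model).
TRANSFORMS = {"Lowercase": str.lower, "Trim": str.strip, "UrlDecode": urllib.parse.unquote_plus}

def operator_hit(op, value, match_values):
    # matchValues are or'ed: any single entry satisfies the condition.
    if op == "IPMatch":
        ip = ipaddress.ip_address(value)
        return any(ip in ipaddress.ip_network(m, strict=False) for m in match_values)
    if op == "Contains":
        return any(m in value for m in match_values)
    if op == "BeginsWith":
        return any(value.startswith(m) for m in match_values)
    raise ValueError("operator not modelled here: " + op)

def condition_holds(cond, request):
    # request: constructed dict keyed by match variable; collection variables such as RequestHeaders hold a dict the selector indexes.
    hit = False
    for var in cond["matchVariables"]:
        value = request.get(var["variableName"], "")
        if isinstance(value, dict):
            value = value.get(var.get("selector"), "")
        for t in cond.get("transforms", []):
            value = TRANSFORMS[t](value)
        hit = hit or operator_hit(cond["operator"], value, cond["matchValues"])
    return hit != cond.get("negationConditon", False)  # ARM spelling, as on the page

def evaluate(custom_rules, request):
    # Rules run by ascending priority; conditions in one rule are and-ed. Allow/Block stop evaluation,
    # Log records the rule and continues. Returns (action, fired rule names); "ManagedRules" = fall through.
    fired = []
    for rule in sorted(custom_rules, key=lambda r: r["priority"]):
        if all(condition_holds(c, request) for c in rule["matchConditions"]):
            fired.append(rule["name"])
            if rule["action"] != "Log":
                return rule["action"], fired
    return "ManagedRules", fired

def cond(variable, operator, values, selector=None, transforms=(), negate=False):
    return {"matchVariables": [{"variableName": variable, "selector": selector}], "operator": operator,
            "negationConditon": negate, "matchValues": list(values), "transforms": list(transforms)}

RULES = [  # constructed policy: a Log rule, the page's blockEvilBot rule, and an IP-range block
    {"name": "logAdminPaths", "priority": 1, "action": "Log",
     "matchConditions": [cond("RequestUri", "BeginsWith", ["/admin"])]},
    {"name": "blockEvilBot", "priority": 2, "action": "Block", "matchConditions":
     [cond("RequestHeaders", "Contains", ["evilbot"], "User-Agent", ["Lowercase"])]},
    {"name": "blockIpRange", "priority": 3, "action": "Block",
     "matchConditions": [cond("RemoteAddr", "IPMatch", ["192.168.5.4/24"])]},
]
```

A request from 192.168.5.200 for /admin/users is first logged by the priority-1 rule and then blocked by the priority-3 rule, which shows why a Log rule never ends evaluation while Block does.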

Next steps

Now that you've learned about custom rules, you can create your own custom rules.