Web Application Firewall request size limits and exclusion lists

The Azure Application Gateway Web Application Firewall (WAF) provides protection for web applications. This article describes the WAF request size limit and exclusion list configuration. These settings are located in the WAF policy associated with your Application Gateway. To learn more about WAF policies, see Azure Web Application Firewall on Azure Application Gateway.

WAF exclusion lists

WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication or password fields. Such attributes are prone to contain special characters that may trigger a false positive from the WAF rules. Once an attribute is added to the WAF exclusion list, it isn't considered by any configured and active WAF rule. Exclusion lists are global in scope.

The following attributes can be added to exclusion lists by name. The values of the chosen field aren't evaluated against WAF rules, but their names still are (see Example 1 below, where the value of the User-Agent header is excluded from WAF evaluation). The exclusion lists remove inspection of the field's value only.

  • Request Headers

  • Request Cookies

  • Request attribute names (args) can be added as an exclusion element, such as:

    • Form field name
    • JSON entity
    • URL query string args

You can specify an exact request header, body, cookie, or query string attribute match. Or, you can optionally specify partial matches. Exclusion rules are global in scope, and apply to all pages and all rules.

The following are the supported match criteria operators:

  • Equals: This operator is used for an exact match. As an example, to select a header named bearerToken, use the Equals operator with the selector set to bearerToken.
  • Starts with: This operator matches all fields that start with the specified selector value.
  • Ends with: This operator matches all request fields that end with the specified selector value.
  • Contains: This operator matches all request fields that contain the specified selector value.
  • Equals any: This operator matches all request fields. * will be the selector value.

In all cases matching is case insensitive, and regular expressions aren't allowed as selectors.

Note

For more information and troubleshooting help, see WAF troubleshooting.

Examples

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

The following examples demonstrate the use of exclusions.

Example 1

In this example, you want to exclude the user-agent header. The user-agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor, or software version of the requesting software user agent. For more information, see User-Agent.

There can be any number of reasons to disable evaluating this header. There could be a string that the WAF sees and assumes is malicious, for example the classic SQL injection pattern "x=x" appearing in the string. In some cases, this can be legitimate traffic, so you might need to exclude this header from WAF evaluation.

The following Azure PowerShell cmdlet excludes the user-agent header from evaluation:

$exclusion1 = New-AzApplicationGatewayFirewallExclusionConfig `
   -MatchVariable "RequestHeaderNames" `
   -SelectorMatchOperator "Equals" `
   -Selector "User-Agent"

Example 2

This example excludes the value in the user parameter that is passed in the request via the URL. For example, say it's common in your environment for the user field to contain a string that the WAF views as malicious content, so it blocks it. You can exclude the user parameter in this case so that the WAF doesn't evaluate anything in the field.

The following Azure PowerShell cmdlet excludes the user parameter from evaluation:

$exclusion2 = New-AzApplicationGatewayFirewallExclusionConfig `
   -MatchVariable "RequestArgNames" `
   -SelectorMatchOperator "StartsWith" `
   -Selector "user"

So if the URL http://www.contoso.com/?user%281%29=fdafdasfda is passed to the WAF, it won't evaluate the string fdafdasfda, but it will still evaluate the parameter name user%281%29.

WAF request size limits

Web Application Firewall allows you to configure request size limits within lower and upper bounds. The following two size limit configurations are available:

  • The maximum request body size field is specified in kilobytes and controls the overall request size limit, excluding any file uploads. This field can range from a 1 KB minimum to a 128 KB maximum. The default value for request body size is 128 KB.

  • The file upload limit field is specified in MB and governs the maximum allowed file upload size. This field can have a minimum value of 1 MB and the following maximums:

    • 100 MB for v1 Medium WAF gateways
    • 500 MB for v1 Large WAF gateways
    • 750 MB for v2 WAF gateways

The default value for the file upload limit is 100 MB.

WAF also offers a configurable knob to turn request body inspection on or off. By default, request body inspection is enabled. If request body inspection is turned off, the WAF doesn't evaluate the contents of the HTTP message body. In such cases, the WAF continues to enforce WAF rules on headers, cookies, and the URI. If request body inspection is turned off, then the maximum request body size field isn't applicable and can't be set. Turning off request body inspection allows messages larger than 128 KB to be sent to the WAF, but the message body isn't inspected for vulnerabilities.
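The following script, added here as an example and not part of the original article, ties the exclusion examples above and the size limit settings of this section together: it applies both exclusions, keeps request body inspection enabled with explicit body and upload limits, and reads the result back from the gateway to confirm what was applied. It assumes an existing WAF-enabled Application Gateway and resource group (the names myAppGateway and myResourceGroup are hypothetical) and a signed-in Az session.

```powershell
# Added example (not from the original article). Hypothetical names below.
$rgName = "myResourceGroup"
$gwName = "myAppGateway"

# Exclusions from Examples 1 and 2: skip the User-Agent header value and the
# value of any argument whose name starts with "user". Names are still inspected.
$exclusion1 = New-AzApplicationGatewayFirewallExclusionConfig `
   -MatchVariable "RequestHeaderNames" `
   -SelectorMatchOperator "Equals" `
   -Selector "User-Agent"

$exclusion2 = New-AzApplicationGatewayFirewallExclusionConfig `
   -MatchVariable "RequestArgNames" `
   -SelectorMatchOperator "StartsWith" `
   -Selector "user"

# Fetch the gateway object; all changes are staged on it and committed at the end.
$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rgName

# Keep body inspection on (the default) and state the limits explicitly:
# 128 KB inspected body, 100 MB file uploads. Setting -RequestBodyCheck $false
# would admit larger requests but leave their bodies uninspected.
$gw = Set-AzApplicationGatewayWebApplicationFirewallConfiguration `
   -ApplicationGateway $gw `
   -Enabled $true `
   -FirewallMode "Prevention" `
   -RuleSetType "OWASP" `
   -RuleSetVersion "3.0" `
   -Exclusion $exclusion1, $exclusion2 `
   -RequestBodyCheck $true `
   -MaxRequestBodySizeInKb 128 `
   -FileUploadLimitInMb 100

# Commit the staged configuration to Azure.
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Read back the applied settings instead of assuming the update succeeded.
$waf = $gw.WebApplicationFirewallConfiguration
$waf.Exclusions | Format-Table MatchVariable, SelectorMatchOperator, Selector
"RequestBodyCheck={0}  MaxRequestBodySizeInKb={1}  FileUploadLimitInMb={2}" -f `
   $waf.RequestBodyCheck, $waf.MaxRequestBodySizeInKb, $waf.FileUploadLimitInMb
```

The read-back at the end is the check worth keeping in any change script: an exclusion that is too broad (for example Equals any with selector *) shows up immediately in the table, and a RequestBodyCheck of False tells you the body limits no longer apply.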

Next steps

After you configure your WAF settings, you can learn how to view your WAF logs. For more information, see Application Gateway diagnostics.