Configure Web Application Firewall v2 on Application Gateway with a custom rule using Azure PowerShell

Custom rules allow you to create your own rules that are evaluated for each request that passes through the Web Application Firewall (WAF) v2. These rules hold a higher priority than the rest of the rules in the managed rule sets. A custom rule has an action (allow or block), a match condition, and an operator, allowing full customization.

This article creates an Application Gateway WAF v2 that uses a custom rule. The custom rule blocks traffic if the request header contains the User-Agent evilbot.

To see more custom rule examples, see Create and use custom web application firewall rules.

Prerequisites

Azure PowerShell module

If you choose to install and use Azure PowerShell locally, this script requires the Azure PowerShell module version 2.1.0 or later.

  1. To find the version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install Azure PowerShell module.
  2. To create a connection with Azure, run Connect-AzAccount -Environment AzureChinaCloud.

If you don't have an Azure subscription, create a trial account before you begin.

Example script

Set up variables

$rgname = "CustomRulesTest"

$location = "China North 2"

$appgwName = "WAFCustomRules"

Create a resource group

$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location

Create a VNet

$sub1 = New-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -AddressPrefix "10.0.0.0/24"

$sub2 = New-AzVirtualNetworkSubnetConfig -Name "backendSubnet" -AddressPrefix "10.0.1.0/24"

$vnet = New-AzVirtualNetwork -Name "Vnet1" -ResourceGroupName $rgname -Location $location `
  -AddressPrefix "10.0.0.0/16" -Subnet @($sub1, $sub2)

Create a static public VIP

$publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -Name "AppGwIP" `
  -Location $location -AllocationMethod Static -Sku Standard

Create a backend pool and frontend port

$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -VirtualNetwork $vnet

$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "AppGwIpConfig" -Subnet $gwSubnet

$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "fipconfig" -PublicIPAddress $publicip

$pool = New-AzApplicationGatewayBackendAddressPool -Name "pool1" `
  -BackendIPAddresses testbackend1.chinanorth2.chinacloudapp.cn, testbackend2.chinanorth2.chinacloudapp.cn

$fp01 = New-AzApplicationGatewayFrontendPort -Name "port1" -Port 80

Create a listener, HTTP setting, routing rule, and autoscale configuration

$listener01 = New-AzApplicationGatewayHttpListener -Name "listener1" -Protocol Http `
  -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01

$poolSetting01 = New-AzApplicationGatewayBackendHttpSettings -Name "setting1" -Port 80 `
  -Protocol Http -CookieBasedAffinity Disabled

$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType basic `
  -BackendHttpSettings $poolSetting01 -HttpListener $listener01 -BackendAddressPool $pool

$autoscaleConfig = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 3

$sku = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2

Create two custom rules and apply them to a WAF policy

# Create WAF config
$wafConfig = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode "Prevention" -RuleSetType "OWASP" -RuleSetVersion "3.0"
# Create a User-Agent header custom rule 
$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector User-Agent
$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Contains -MatchValue "evilbot" -Transform Lowercase -NegationCondition $False  
$rule = New-AzApplicationGatewayFirewallCustomRule -Name blockEvilBot -Priority 2 -RuleType MatchRule -MatchCondition $condition -Action Block
 
# Create a geo-match custom rule
$var2 = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestUri
$condition2 = New-AzApplicationGatewayFirewallCondition -MatchVariable $var2 -Operator GeoMatch -MatchValue "US"  -NegationCondition $False
$rule2 = New-AzApplicationGatewayFirewallCustomRule -Name allowUS -Priority 14 -RuleType MatchRule -MatchCondition $condition2 -Action Allow

# Create a firewall policy
$wafPolicy = New-AzApplicationGatewayFirewallPolicy -Name wafpolicyNew -ResourceGroupName $rgname -Location $location -CustomRule $rule,$rule2

Create the Application Gateway

$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgname `
  -Location $location -BackendAddressPools $pool `
  -BackendHttpSettingsCollection  $poolSetting01 `
  -GatewayIpConfigurations $gipconfig -FrontendIpConfigurations $fipconfig01 `
  -FrontendPorts $fp01 -HttpListeners $listener01 `
  -RequestRoutingRules $rule01 -Sku $sku -AutoscaleConfiguration $autoscaleConfig `
  -WebApplicationFirewallConfig $wafConfig `
  -FirewallPolicy $wafPolicy

Update your WAF

After you create your WAF, you can update its policy using a procedure similar to the following code:

# Name of the policy to update (the policy created above is used here)
$policyName = "wafpolicyNew"
# Get the existing policy
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $rgname
# Add a custom rule object (such as $rule created above) to the policy's rule collection
$policy.CustomRules.Add($rule)
# Write the modified policy back to Azure
Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
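As an added example that is not part of the original article, the following script extends the update procedure with a rule that combines two match conditions (a User-Agent match and a negated IPMatch on the client address, which are ANDed within one MatchRule) and checks that the chosen priority is not already used in the policy before saving. The policy and resource group names are those created above; the trusted address range and the User-Agent string are constructed values.

```powershell
# Added example (not from the original article): add a two-condition custom rule to an
# existing WAF policy and verify the priority is free before writing the policy back.
$policyName  = "wafpolicyNew"          # policy created earlier in this article
$rgname      = "CustomRulesTest"       # resource group created earlier in this article
$trustedCidr = "203.0.113.0/24"        # constructed example range (RFC 5737); replace with your own

$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $rgname

# Condition 1: User-Agent contains "badcrawler" (the Lowercase transform makes the match case-insensitive)
$uaVar  = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector User-Agent
$uaCond = New-AzApplicationGatewayFirewallCondition -MatchVariable $uaVar -Operator Contains `
  -MatchValue "badcrawler" -Transform Lowercase -NegationCondition $false

# Condition 2: client address is NOT inside the trusted range (IPMatch with negation)
$ipVar  = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr
$ipCond = New-AzApplicationGatewayFirewallCondition -MatchVariable $ipVar -Operator IPMatch `
  -MatchValue $trustedCidr -NegationCondition $true

# All conditions of a MatchRule must hold for the action to apply, so this blocks the
# offending User-Agent only when the request does not originate from the trusted range.
$priority = 20
$newRule = New-AzApplicationGatewayFirewallCustomRule -Name blockBadCrawlerUntrusted -Priority $priority `
  -RuleType MatchRule -MatchCondition $uaCond, $ipCond -Action Block

# Custom rule priorities must be unique within a policy; refuse to add a duplicate
if ($policy.CustomRules | Where-Object { $_.Priority -eq $priority }) {
  throw "A custom rule with priority $priority already exists in policy $policyName"
}

$policy.CustomRules.Add($newRule)
Set-AzApplicationGatewayFirewallPolicy -InputObject $policy

# List the resulting rules in evaluation order to confirm what the WAF will enforce
(Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $rgname).CustomRules |
  Sort-Object Priority | Format-Table Name, Priority, Action, RuleType
```

Lower priority numbers are evaluated first, so the final listing shows the order in which the custom rules, including the blockEvilBot and allowUS rules created above, are applied.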

Next steps

Learn more about Web Application Firewall on Application Gateway.