通过 Azure PowerShell 在应用程序网关上使用自定义规则配置 Web 应用程序防火墙 v2
使用自定义规则,可为通过 Web 应用程序防火墙 (WAF) v2 传递的每个请求创建自己的规则。 这些规则的优先级高于托管规则集中的其余规则。 自定义规则具有一个操作(允许或阻止)、一个匹配条件和一个运算符以允许完全自定义。
本文创建使用自定义规则的应用程序网关 WAF v2。 如果请求标头包含用户代理 evilbot,该自定义规则会阻止流量。
要查看更多自定义规则示例,请参阅创建和使用自定义 Web 应用程序防火墙规则
如果要按照本文使用一个可复制、粘贴和运行的连续脚本来运行 Azure PowerShell,请参阅 Azure 应用程序网关 PowerShell 示例。
先决条件
Azure PowerShell 模块
如果选择在本地安装并使用 Azure PowerShell,则此脚本需要安装 Azure PowerShell 模块 2.1.0 或更高版本。
- 若要查找版本,请运行
Get-Module -ListAvailable Az
。 如果需要进行升级,请参阅 Install Azure PowerShell module(安装 Azure PowerShell 模块)。 - 若要创建与 Azure 的连接,请运行
Connect-AzAccount -Environment AzureChinaCloud
。
如果没有 Azure 订阅,可在开始前创建一个试用帐户。
示例脚本
设置变量
$rgname = "CustomRulesTest"
$location = "China North 2"
$appgwName = "WAFCustomRules"
创建资源组
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location
创建 VNet
$sub1 = New-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -AddressPrefix "10.0.0.0/24"
$sub2 = New-AzVirtualNetworkSubnetConfig -Name "backendSubnet" -AddressPrefix "10.0.1.0/24"
$vnet = New-AzvirtualNetwork -Name "Vnet1" -ResourceGroupName $rgname -Location $location `
-AddressPrefix "10.0.0.0/16" -Subnet @($sub1, $sub2)
创建静态公共 VIP
$publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name "AppGwIP" `
-location $location -AllocationMethod Static -Sku Standard
创建池和前端端口
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -VirtualNetwork $vnet
$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "AppGwIpConfig" -Subnet $gwSubnet
$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "fipconfig" -PublicIPAddress $publicip
$pool = New-AzApplicationGatewayBackendAddressPool -Name "pool1" `
-BackendIPAddresses testbackend1.chinanorth2.chinacloudapp.cn, testbackend2.chinanorth2.chinacloudapp.cn
$fp01 = New-AzApplicationGatewayFrontendPort -Name "port1" -Port 80
创建侦听器、HTTP 设置、规则和自动缩放
$listener01 = New-AzApplicationGatewayHttpListener -Name "listener1" -Protocol Http `
-FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01
$poolSetting01 = New-AzApplicationGatewayBackendHttpSettings -Name "setting1" -Port 80 `
-Protocol Http -CookieBasedAffinity Disabled
$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType basic `
-BackendHttpSettings $poolSetting01 -HttpListener $listener01 -BackendAddressPool $pool -Priority 1000
$autoscaleConfig = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 3
$sku = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2
创建两个自定义规则并将其应用于 WAF 策略
# Create a User-Agent header custom rule
$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector User-Agent
$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Contains -MatchValue "evilbot" -Transform Lowercase -NegationCondition $False
$rule = New-AzApplicationGatewayFirewallCustomRule -Name blockEvilBot -Priority 2 -RuleType MatchRule -MatchCondition $condition -Action Block -State Enabled
# Create a geo-match custom rule
$var2 = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr
$condition2 = New-AzApplicationGatewayFirewallCondition -MatchVariable $var2 -Operator GeoMatch -MatchValue "US" -NegationCondition $False
$rule2 = New-AzApplicationGatewayFirewallCustomRule -Name allowUS -Priority 14 -RuleType MatchRule -MatchCondition $condition2 -Action Allow -State Enabled
# Create a firewall policy
$policySetting = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled
$wafPolicy = New-AzApplicationGatewayFirewallPolicy -Name wafpolicyNew -ResourceGroup $rgname -Location $location -PolicySetting $PolicySetting -CustomRule $rule,$rule2
创建应用程序网关
$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgname `
-Location $location -BackendAddressPools $pool `
-BackendHttpSettingsCollection $poolSetting01 `
-GatewayIpConfigurations $gipconfig -FrontendIpConfigurations $fipconfig01 `
-FrontendPorts $fp01 -HttpListeners $listener01 `
-RequestRoutingRules $rule01 -Sku $sku -AutoscaleConfiguration $autoscaleConfig `
-FirewallPolicy $wafPolicy
更新 WAF
创建 WAF 后,可以使用类似于以下代码的程序对其进行更新:
# Get the existing policy
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $RGname
# Add an existing rule named $rule
$policy.CustomRules.Add($rule)
# Update the policy
Set-AzApplicationGatewayFirewallPolicy -InputObject $policy