Create and use Web Application Firewall v2 custom rules on Application Gateway

The Web Application Firewall (WAF) v2 on Azure Application Gateway provides protection for web applications. This protection is provided by the Open Web Application Security Project (OWASP) Core Rule Set (CRS). In some cases, you may need to create your own custom rules to meet your specific needs. For more information about WAF custom rules, see Custom web application firewall rules overview.

This article shows you some example custom rules that you can create and use with your v2 WAF. To learn how to deploy a WAF with a custom rule using Azure PowerShell, see Configure Web Application Firewall custom rules using Azure PowerShell.

Note

If your application gateway is not using the WAF tier, the option to upgrade the application gateway to the WAF tier appears in the right pane.

(Image: Enable WAF)

Example 1

You know there's a bot named evilbot that you want to block from crawling your website. In this case, you'll block on the User-Agent evilbot in the request headers.

Logic: p

$variable = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RequestHeaders `
   -Selector User-Agent

$condition = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable `
   -Operator Contains `
   -MatchValue "evilbot" `
   -Transform Lowercase `
   -NegationCondition $False

$rule = New-AzApplicationGatewayFirewallCustomRule `
   -Name blockEvilBot `
   -Priority 2 `
   -RuleType MatchRule `
   -MatchCondition $condition `
   -Action Block

And here is the corresponding JSON:

  {
    "customRules": [
      {
        "name": "blockEvilBot",
        "ruleType": "MatchRule",
        "priority": 2,
        "action": "Block",
        "matchConditions": [
          {
            "matchVariable": "RequestHeaders",
            "selector": "User-Agent",
            "operator": "Contains",
            "negateCondition": false,
            "transforms": [
              "Lowercase"
            ],
            "matchValues": [
              "evilbot"
            ]
          }
        ]
      }
    ]
  }

To see a WAF deployed using this custom rule, see Configure a Web Application Firewall custom rule using Azure PowerShell.

Example 1a

You can accomplish the same thing using a regular expression:

$variable = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RequestHeaders `
   -Selector User-Agent

$condition = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable `
   -Operator Regex `
   -MatchValue "evilbot" `
   -Transform Lowercase `
   -NegationCondition $False

$rule = New-AzApplicationGatewayFirewallCustomRule `
   -Name blockEvilBot `
   -Priority 2 `
   -RuleType MatchRule `
   -MatchCondition $condition `
   -Action Block

And the corresponding JSON:

  {
    "customRules": [
      {
        "name": "blockEvilBot",
        "ruleType": "MatchRule",
        "priority": 2,
        "action": "Block",
        "matchConditions": [
          {
            "matchVariable": "RequestHeaders",
            "selector": "User-Agent",
            "operator": "Regex",
            "negateCondition": false,
            "transforms": [
              "Lowercase"
            ],
            "matchValues": [
              "evilbot"
            ]
          }
        ]
      }
    ]
  }

Example 2

You want to block all requests from IP addresses in the range 198.168.5.0/24.

In this example, you'll block all traffic that comes from an IP address range. The name of the rule is myrule1 and the priority is set to 10.

Logic: p

$variable1 = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RemoteAddr

$condition1 = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable1 `
   -Operator IPMatch `
   -MatchValue "192.168.5.0/24" `
   -NegationCondition $False

$rule = New-AzApplicationGatewayFirewallCustomRule `
   -Name myrule1 `
   -Priority 10 `
   -RuleType MatchRule `
   -MatchCondition $condition1 `
   -Action Block

Here's the corresponding JSON:

  {
    "customRules": [
      {
        "name": "myrule1",
        "ruleType": "MatchRule",
        "priority": 10,
        "action": "Block",
        "matchConditions": [
          {
            "matchVariable": "RemoteAddr",
            "operator": "IPMatch",
            "matchValues": [
              "192.168.5.0/24"
            ]
          }
        ]
      }
    ]
  }

Corresponding CRS rule: SecRule REMOTE_ADDR "@ipMatch 192.168.5.0/24" "id:7001,deny"

Example 3

For this example, you want to block User-Agent evilbot, and traffic in the range 192.168.5.0/24. To accomplish this, you can create two separate match conditions, and put them both in the same rule. This ensures that if both evilbot in the User-Agent header and IP addresses from the range 192.168.5.0/24 are matched, then the request is blocked.

Logic: p and q

$variable1 = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RemoteAddr

$variable2 = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RequestHeaders `
   -Selector User-Agent

$condition1 = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable1 `
   -Operator IPMatch `
   -MatchValue "192.168.5.0/24" `
   -NegationCondition $False

$condition2 = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable2 `
   -Operator Contains `
   -MatchValue "evilbot" `
   -Transform Lowercase `
   -NegationCondition $False

$rule = New-AzApplicationGatewayFirewallCustomRule `
   -Name myrule `
   -Priority 10 `
   -RuleType MatchRule `
   -MatchCondition $condition1, $condition2 `
   -Action Block

Here's the corresponding JSON:

  {
    "customRules": [
      {
        "name": "myrule",
        "ruleType": "MatchRule",
        "priority": 10,
        "action": "Block",
        "matchConditions": [
          {
            "matchVariable": "RemoteAddr",
            "operator": "IPMatch",
            "negateCondition": false,
            "matchValues": [
              "192.168.5.0/24"
            ]
          },
          {
            "matchVariable": "RequestHeaders",
            "selector": "User-Agent",
            "operator": "Contains",
            "transforms": [
              "Lowercase"
            ],
            "matchValues": [
              "evilbot"
            ]
          }
        ]
      }
    ]
  }

Example 4

For this example, you want to block if the request is either outside of the IP address range 192.168.5.0/24, or the user agent string isn't chrome (meaning the user isn't using the Chrome browser). Since this logic uses or, the two conditions are in separate rules as seen in the following example. myrule1 and myrule2 both need to match to block the traffic.

Logic: not (p and q) = not p or not q.

$variable1 = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RemoteAddr

$variable2 = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RequestHeaders `
   -Selector User-Agent

$condition1 = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable1 `
   -Operator IPMatch `
   -MatchValue "192.168.5.0/24" `
   -NegationCondition $True

$condition2 = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable2 `
   -Operator Contains `
   -MatchValue "chrome" `
   -Transform Lowercase `
   -NegationCondition $True

$rule1 = New-AzApplicationGatewayFirewallCustomRule `
   -Name myrule1 `
   -Priority 10 `
   -RuleType MatchRule `
   -MatchCondition $condition1 `
   -Action Block

$rule2 = New-AzApplicationGatewayFirewallCustomRule `
   -Name myrule2 `
   -Priority 20 `
   -RuleType MatchRule `
   -MatchCondition $condition2 `
   -Action Block

And the corresponding JSON:

  {
    "customRules": [
      {
        "name": "myrule1",
        "ruleType": "MatchRule",
        "priority": 10,
        "action": "Block",
        "matchConditions": [
          {
            "matchVariable": "RemoteAddr",
            "operator": "IPMatch",
            "negateCondition": true,
            "matchValues": [
              "192.168.5.0/24"
            ]
          }
        ]
      },
      {
        "name": "myrule2",
        "ruleType": "MatchRule",
        "priority": 20,
        "action": "Block",
        "matchConditions": [
          {
            "matchVariable": "RequestHeaders",
            "selector": "User-Agent",
            "operator": "Contains",
            "negateCondition": true,
            "transforms": [
              "Lowercase"
            ],
            "matchValues": [
              "chrome"
            ]
          }
        ]
      }
    ]
  }

Example 5

You want to block custom SQLI. Since the logic used here is or, and all the values are in the RequestUri, all of the MatchValues can be in a comma-separated list.

Logic: p or q or r

$variable1 = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RequestUri

$condition1 = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable1 `
   -Operator Contains `
   -MatchValue "1=1", "drop tables", "'--" `
   -NegationCondition $False

$rule1 = New-AzApplicationGatewayFirewallCustomRule `
   -Name myrule4 `
   -Priority 10 `
   -RuleType MatchRule `
   -MatchCondition $condition1 `
   -Action Block

Corresponding JSON:

  {
    "customRules": [
      {
        "name": "myrule4",
        "ruleType": "MatchRule",
        "priority": 10,
        "action": "Block",
        "matchConditions": [
          {
            "matchVariable": "RequestUri",
            "operator": "Contains",
            "matchValues": [
              "1=1",
              "drop tables",
              "'--"
            ]
          }
        ]
      }
    ]
  }

Alternative Azure PowerShell:

$variable1 = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RequestUri

$condition1 = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable1 `
   -Operator Contains `
   -MatchValue "1=1" `
   -NegationCondition $False

$rule1 = New-AzApplicationGatewayFirewallCustomRule `
   -Name myrule1 `
   -Priority 10 `
   -RuleType MatchRule `
   -MatchCondition $condition1 `
   -Action Block

$variable2 = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RequestUri

$condition2 = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable2 `
   -Operator Contains `
   -MatchValue "drop tables" `
   -NegationCondition $False

$rule2 = New-AzApplicationGatewayFirewallCustomRule `
   -Name myrule2 `
   -Priority 20 `
   -RuleType MatchRule `
   -MatchCondition $condition2 `
   -Action Block

$variable3 = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RequestUri

$condition3 = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable3 `
   -Operator Contains `
   -MatchValue "'--" `
   -NegationCondition $False

$rule3 = New-AzApplicationGatewayFirewallCustomRule `
   -Name myrule3 `
   -Priority 30 `
   -RuleType MatchRule `
   -MatchCondition $condition3 `
   -Action Block

Corresponding JSON:

  {
    "customRules": [
      {
        "name": "myrule1",
        "ruleType": "MatchRule",
        "priority": 10,
        "action": "block",
        "matchConditions": [
          {
            "matchVariable": "RequestUri",
            "operator": "Contains",
            "matchValues": [
              "1=1"
            ]
          }
        ]
      },
      {
        "name": "myrule2",
        "ruleType": "MatchRule",
        "priority": 20,
        "action": "block",
        "matchConditions": [
          {
            "matchVariable": "RequestUri",
            "operator": "Contains",
            "transforms": [
              "Lowercase"
            ],
            "matchValues": [
              "drop tables"
            ]
          }
        ]
      },
      {
        "name": "myrule3",
        "ruleType": "MatchRule",
        "priority": 30,
        "action": "block",
        "matchConditions": [
          {
            "matchVariable": "RequestUri",
            "operator": "Contains",
            "matchValues": [
              "'--"
            ]
          }
        ]
      }
    ]
  }
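The three rule shapes used in Examples 3, 4 and 5 (two conditions in one rule for p and q, negated conditions in separate rules for not p or not q, and several matchValues in one condition for p or q or r) are easy to confuse when hand-editing the customRules JSON. The following added example, which is not part of this article or of the Azure SDK, is a small offline evaluator that applies rules in the page's JSON shape to constructed requests so the three shapes can be compared side by side. The request dictionary layout ("remote_addr", "headers", "uri"), the sample rule sets and the sample requests are all constructed for the example; it assumes rules are evaluated in ascending priority order and that evaluation stops at the first rule whose conditions all match, which is a simplification of the service's behaviour.

```python
"""Offline evaluator for Application Gateway WAF v2 custom-rule JSON.

Added example, not part of the Azure documentation or the Azure SDK. It
re-implements the matching logic of Examples 1 to 5 (Contains/Regex/IPMatch,
Lowercase transform, negation, AND inside a rule, OR across rules, OR across
matchValues). Assumption: rules run in ascending priority order and evaluation
stops at the first rule whose conditions all match.
"""
import ipaddress
import re

# Constructed rule sets in the page's customRules shape (hand-written, not exported from Azure).
RULES_AND = {"customRules": [{  # Example 3: two conditions in ONE rule -> p and q
    "name": "myrule", "ruleType": "MatchRule", "priority": 10, "action": "Block",
    "matchConditions": [
        {"matchVariable": "RemoteAddr", "operator": "IPMatch",
         "negateCondition": False, "matchValues": ["192.168.5.0/24"]},
        {"matchVariable": "RequestHeaders", "selector": "User-Agent", "operator": "Contains",
         "transforms": ["Lowercase"], "matchValues": ["evilbot"]},
    ]}]}

RULES_OR = {"customRules": [  # Example 4: negated conditions in SEPARATE rules -> not p or not q
    {"name": "myrule1", "ruleType": "MatchRule", "priority": 10, "action": "Block",
     "matchConditions": [{"matchVariable": "RemoteAddr", "operator": "IPMatch",
                          "negateCondition": True, "matchValues": ["192.168.5.0/24"]}]},
    {"name": "myrule2", "ruleType": "MatchRule", "priority": 20, "action": "Block",
     "matchConditions": [{"matchVariable": "RequestHeaders", "selector": "User-Agent",
                          "operator": "Contains", "negateCondition": True,
                          "transforms": ["Lowercase"], "matchValues": ["chrome"]}]},
]}

RULES_SQLI = {"customRules": [{  # Example 5: several matchValues in ONE condition -> p or q or r
    "name": "myrule4", "ruleType": "MatchRule", "priority": 10, "action": "Block",
    "matchConditions": [{"matchVariable": "RequestUri", "operator": "Contains",
                         "matchValues": ["1=1", "drop tables", "'--"]}]}]}


def variable_value(request, cond):
    """Pull the inspected value out of a request dict: {"remote_addr", "headers", "uri"}."""
    name = cond["matchVariable"]
    if name == "RemoteAddr":
        return request["remote_addr"]
    if name == "RequestHeaders":
        return request["headers"].get(cond["selector"], "")
    if name == "RequestUri":
        return request["uri"]
    raise ValueError(f"matchVariable not modelled here: {name}")


def apply_transforms(value, transforms):
    """Apply the rule's transforms before matching; Contains is case-sensitive without Lowercase."""
    for t in transforms:
        if t == "Lowercase":
            value = value.lower()
        elif t == "Trim":
            value = value.strip()
        else:
            raise ValueError(f"transform not modelled here: {t}")
    return value


def operator_matches(operator, value, match_values):
    """A condition matches when ANY of its matchValues matches (this is the OR of Example 5)."""
    if operator == "IPMatch":
        addr = ipaddress.ip_address(value)
        return any(addr in ipaddress.ip_network(m, strict=False) for m in match_values)
    if operator == "Contains":
        return any(m in value for m in match_values)
    if operator == "Equal":
        return value in match_values
    if operator == "Regex":
        return any(re.search(m, value) for m in match_values)
    raise ValueError(f"operator not modelled here: {operator}")  # e.g. a selector put in the operator field


def condition_matches(request, cond):
    """One matchCondition: transforms, then operator over matchValues, then negateCondition."""
    value = apply_transforms(variable_value(request, cond), cond.get("transforms", []))
    matched = operator_matches(cond["operator"], value, cond["matchValues"])
    return matched != cond.get("negateCondition", False)


def evaluate(rule_set, request):
    """Return (action, rule name) of the first rule whose conditions ALL match, else ("Allow", None)."""
    for rule in sorted(rule_set["customRules"], key=lambda r: r["priority"]):
        if all(condition_matches(request, c) for c in rule["matchConditions"]):
            return rule["action"], rule["name"]
    return "Allow", None


def make_request(ip, user_agent, uri="/"):
    """Build a constructed request in the shape the evaluator expects."""
    return {"remote_addr": ip, "headers": {"User-Agent": user_agent}, "uri": uri}


if __name__ == "__main__":
    for label, rules, req in [
        ("Ex3 in-range AND evilbot", RULES_AND, make_request("192.168.5.7", "EvilBot/1.0")),
        ("Ex3 in-range, Chrome    ", RULES_AND, make_request("192.168.5.7", "Mozilla/5.0 Chrome/120")),
        ("Ex4 outside range       ", RULES_OR, make_request("10.0.0.1", "Mozilla/5.0 Chrome/120")),
        ("Ex4 in-range, Chrome    ", RULES_OR, make_request("192.168.5.7", "Mozilla/5.0 Chrome/120")),
        ("Ex5 URI with 1=1        ", RULES_SQLI, make_request("10.0.0.1", "curl", "/search?q=1=1")),
    ]:
        print(label, "->", evaluate(rules, req))
```

Two points the runs make visible: in Example 3 a request from inside 192.168.5.0/24 with a Chrome user agent is not blocked, because both conditions of the single rule must hold, whereas in Example 4 the same request is the only one that passes, because either negated rule blocks on its own. The evaluator also raises ValueError for an operator value it does not know, so a condition that carries a header name such as User-Agent in the operator field instead of in selector is rejected rather than silently never matching.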

Next steps

After you create your custom rules, you can learn how to view your WAF logs. For more information, see Application Gateway diagnostics.