Custom rules for Web Application Firewall v2 on Azure Application Gateway

The Azure Application Gateway Web Application Firewall (WAF) v2 comes with a pre-configured, platform-managed ruleset that offers protection from many different types of attacks. These attacks include cross-site scripting, SQL injection, and others. If you're a WAF admin, you may want to write your own rules to augment the core rule set (CRS) rules. Your rules can either block or allow requested traffic based on matching criteria.

Custom rules allow you to create your own rules that are evaluated for each request that passes through the WAF. These rules hold a higher priority than the rest of the rules in the managed rule sets. A custom rule contains a rule name, a rule priority, and an array of matching conditions. If these conditions are met, an action is taken (to allow or block).

For example, you can block all requests from an IP address in the range 192.168.5.4/24. In this rule, the operator is IPMatch, the matchValues is the IP address range (192.168.5.4/24), and the action is to block the traffic. You also set the rule's name and priority.

Custom rules support compounding logic to make more advanced rules that address your security needs. For example: (Condition 1 and Condition 2) or Condition 3. This means that if Condition 1 and Condition 2 are both met, or if Condition 3 is met, the WAF should take the action specified in the custom rule.

Different matching conditions within the same rule are always compounded using and. For example, block traffic from a specific IP address only when the client is also using a certain browser.

If you want to combine two different conditions with or, the two conditions must be in different rules. For example, block traffic from a specific IP address, or block traffic if the client is using a specific browser.

Note

The maximum number of WAF custom rules is 100. For more information about Application Gateway limits, see Azure subscription and service limits, quotas, and constraints.

Regular expressions are also supported in custom rules, just like in the CRS rulesets. For examples, see Examples 3 and 5 in Create and use custom web application firewall rules.

Allowing vs. blocking

Allowing and blocking traffic is simple with custom rules. For example, you can block all traffic coming from a range of IP addresses. You can make another rule to allow traffic if the request comes from a specific browser.

To allow something, ensure that the -Action parameter is set to Allow. To block something, ensure that the -Action parameter is set to Block.

# Shared match condition for both example rules: the User-Agent header contains
# "evilbot" after the Lowercase transform (the same condition as the ARM rule below).
$variable = New-AzApplicationGatewayFirewallMatchVariable `
   -VariableName RequestHeaders `
   -Selector User-Agent
$condition = New-AzApplicationGatewayFirewallCondition `
   -MatchVariable $variable `
   -Operator Contains `
   -MatchValue "evilbot" `
   -Transform Lowercase `
   -NegationCondition $False

$AllowRule = New-AzApplicationGatewayFirewallCustomRule `
   -Name example1 `
   -Priority 2 `
   -RuleType MatchRule `
   -MatchCondition $condition `
   -Action Allow

# Priorities must be unique within one policy: change one before adding both rules to the same WAF policy.
$BlockRule = New-AzApplicationGatewayFirewallCustomRule `
   -Name example2 `
   -Priority 2 `
   -RuleType MatchRule `
   -MatchCondition $condition `
   -Action Block

The previous $BlockRule maps to the following custom rule in Azure Resource Manager:

"customRules": [
      {
        "name": "blockEvilBot",
        "priority": 2,
        "ruleType": "MatchRule",
        "action": "Block",
        "matchConditions": [
          {
            "matchVariables": [
              {
                "variableName": "RequestHeaders",
                "selector": "User-Agent"
              }
            ],
            "operator": "Contains",
            "negationConditon": false,
            "matchValues": [
              "evilbot"
            ],
            "transforms": [
              "Lowercase"
            ]
          }
        ]
      }
    ], 

This custom rule contains a name, a priority, an action, and the array of matching conditions that must all be met for the action to take place. For further explanation of these fields, see the following field descriptions. For example custom rules, see Create and use custom web application firewall rules.

Fields for custom rules

Name [optional]

The name of the rule. It appears in the logs.

Priority [required]

  • Determines the rule evaluation order. The lower the value, the earlier the rule is evaluated. The allowable range is from 1-100.
  • Must be unique across all custom rules. A rule with priority 40 is evaluated before a rule with priority 80.

Rule type [required]

Currently, must be MatchRule.

Match variable [required]

Must be one of the following variables:

  • RemoteAddr - IP address/hostname of the remote computer connection
  • RequestMethod - HTTP request method (GET, POST, PUT, DELETE, and so on)
  • QueryString - Variable in the URI
  • PostArgs - Arguments sent in the POST body. Custom rules using this match variable are only applied if the 'Content-Type' header is set to either 'application/x-www-form-urlencoded' or 'multipart/form-data'.
  • RequestUri - URI of the request
  • RequestHeaders - Headers of the request
  • RequestBody - The entire request body as a whole. Custom rules using this match variable are only applied if the 'Content-Type' header is set to 'application/x-www-form-urlencoded'.
  • RequestCookies - Cookies of the request

Selector [optional]

Describes the field of the matchVariable collection. For example, if the matchVariable is RequestHeaders, the selector could be the User-Agent header.

Operator [required]

Must be one of the following operators:

  • IPMatch - only used when the match variable is RemoteAddr
  • Equal - input is the same as the MatchValue
  • Contains
  • LessThan
  • GreaterThan
  • LessThanOrEqual
  • GreaterThanOrEqual
  • BeginsWith
  • EndsWith
  • Regex
  • Geomatch (preview)

Negate condition [optional]

Negates the current condition.

Transform [optional]

A list of strings with the names of transformations to apply before the match is attempted. These can be the following transformations:

  • Lowercase
  • Trim
  • UrlDecode
  • UrlEncode
  • RemoveNulls
  • HtmlEntityDecode

Match values [required]

List of values to match against, which can be thought of as being OR'ed. For example, it could be IP addresses or other strings. The value format depends on the operator chosen above.

Action [required]

  • Allow - Authorizes the transaction, skipping all other rules. The specified request is added to the allow list and, once matched, the request stops further evaluation and is sent to the backend pool. A request on the allow list isn't evaluated against any further custom rules or managed rules.
  • Block - Blocks the transaction based on SecDefaultAction (detection/prevention mode). Just like the Allow action, once the request is evaluated and added to the block list, evaluation stops and the request is blocked. Any later request that meets the same conditions isn't evaluated further and is simply blocked.
  • Log - Lets the rule write to the log, but lets the rest of the rules run for evaluation. The other custom rules are evaluated in order of priority, followed by the managed rules.
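As an added example (not code from this page or from Azure), the evaluation semantics described in this section and in the compounding-logic paragraphs earlier, modelled in Python over rules written in the ARM customRules shape: the cond helper, the evaluate function, and the sample policy are constructed here to show priority ordering, AND within a rule, OR across rules, and how Allow, Block and Log differ.

```python
import ipaddress

def cond(variable, operator, values, selector=None, transforms=(), negate=False):
    """One matchCondition in the ARM shape shown above (schema spelling "negationConditon" kept)."""
    var = {"variableName": variable, **({"selector": selector} if selector else {})}
    return {"matchVariables": [var], "operator": operator, "negationConditon": negate,
            "matchValues": list(values), "transforms": list(transforms)}

# Constructed sample policy. Rule 10 ANDs two conditions and Allow short-circuits;
# rule 20 only logs; rules 30 and 40 are the two halves of an OR (separate rules).
CUSTOM_RULES = [
    {"name": "allowInternalHealth", "priority": 10, "action": "Allow", "matchConditions": [
        cond("RemoteAddr", "IPMatch", ["10.0.0.0/8"]), cond("RequestUri", "BeginsWith", ["/health"])]},
    {"name": "logAdmin", "priority": 20, "action": "Log", "matchConditions": [
        cond("RequestUri", "BeginsWith", ["/admin"])]},
    {"name": "blockEvilBot", "priority": 30, "action": "Block", "matchConditions": [
        cond("RequestHeaders", "Contains", ["evilbot"], selector="User-Agent", transforms=["Lowercase"])]},
    {"name": "blockRange", "priority": 40, "action": "Block", "matchConditions": [
        cond("RemoteAddr", "IPMatch", ["192.168.5.4/24"])]},
]

OPS = {"IPMatch": lambda v, m: ipaddress.ip_address(v) in ipaddress.ip_network(m, strict=False),
       "Equal": str.__eq__, "Contains": lambda v, m: m in v,
       "BeginsWith": str.startswith, "EndsWith": str.endswith}
TRANSFORMS = {"Lowercase": str.lower, "Trim": str.strip, "RemoveNulls": lambda s: s.replace("\0", "")}

def condition_matches(c, request):
    """matchValues are ORed; transforms run first; negationConditon flips the outcome."""
    hit = False
    for var in c["matchVariables"]:
        name, sel = var["variableName"], var.get("selector")
        value = request.get(name, {}).get(sel, "") if sel else request.get(name, "")
        for t in c["transforms"]:
            value = TRANSFORMS[t](value)
        hit = hit or any(OPS[c["operator"]](value, m) for m in c["matchValues"])
    return hit != c["negationConditon"]

def evaluate(rules, request):
    """Walk rules by ascending priority; a rule fires only if ALL its conditions match.
    Allow/Block stop evaluation; Log records the hit and continues; with no terminal
    hit the request goes on to the managed (CRS) rules."""
    logged = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if all(condition_matches(c, request) for c in rule["matchConditions"]):
            if rule["action"] == "Log":
                logged.append(rule["name"])
                continue
            return rule["action"], rule["name"], logged
    return "ManagedRules", None, logged
```

A request dict keyed by match-variable name (RemoteAddr, RequestUri, RequestHeaders, ...) stands in for the real HTTP request; evaluate returns the terminal action, the rule that produced it, and the Log rules that fired on the way.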

Geomatch custom rules (preview)

Custom rules let you create tailored rules to suit the exact needs of your applications and security policies. You can restrict access to your web applications by country/region.

Next steps

After you learn about custom rules, create your own custom rules.