Custom rules for Web Application Firewall v2 on Azure Application Gateway

The Azure Application Gateway Web Application Firewall (WAF) v2 comes with a pre-configured, platform-managed ruleset that offers protection from many different types of attacks. These attacks include cross-site scripting, SQL injection, and others. If you're a WAF admin, you may want to write your own rules to augment the core rule set (CRS) rules. Your rules can either block or allow requested traffic based on matching criteria.

Custom rules allow you to create your own rules that are evaluated for each request that passes through the WAF. These rules hold a higher priority than the rest of the rules in the managed rule sets. A custom rule contains a rule name, a rule priority, and an array of matching conditions. If these conditions are met, an action is taken (allow or block).

For example, you can block all requests from an IP address in the range 192.168.5.4/24. In this rule, the operator is IPMatch, the matchValues is the IP address range (192.168.5.4/24), and the action is to block the traffic. You also set the rule's name and priority.

Custom rules support compounding logic to make more advanced rules that address your security needs. For example, (Condition 1 and Condition 2) or Condition 3. This example means that if Condition 1 and Condition 2 are met, or if Condition 3 is met, the WAF should take the action specified in the custom rule.

Different matching conditions within the same rule are always compounded using and. For example, block traffic from a specific IP address, and only if the client is using a certain browser.

If you want to or two different conditions, the two conditions must be in different rules. For example, block traffic from a specific IP address, or block traffic if the client is using a specific browser.

Note

The maximum number of WAF custom rules is 100. For more information about Application Gateway limits, see Azure subscription and service limits, quotas, and constraints.

Regular expressions are also supported in custom rules, just like in the CRS rulesets. For examples of these, see Examples 3 and 5 in Create and use custom web application firewall rules.

Allowing vs. blocking

Allowing and blocking traffic is simple with custom rules. For example, you can block all traffic coming from a range of IP addresses. You can make another rule to allow traffic if the request comes from a specific browser.

To allow something, ensure that the -Action parameter is set to Allow. To block something, ensure that the -Action parameter is set to Block.

# Match condition shared by both example rules: the User-Agent request header
# contains "evilbot" after the Lowercase transform (so the match is case-insensitive)
$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector User-Agent
$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Contains -MatchValue "evilbot" -Transform Lowercase -NegationCondition $False

# Allow rule: a matching request skips all remaining custom and managed rules
$AllowRule = New-AzApplicationGatewayFirewallCustomRule `
   -Name example1 `
   -Priority 2 `
   -RuleType MatchRule `
   -MatchCondition $condition `
   -Action Allow

# Block rule: a matching request is blocked and evaluation stops.
# Priorities must be unique within one policy, so as written only one of these
# two rules can be added to the same policy.
$BlockRule = New-AzApplicationGatewayFirewallCustomRule `
   -Name example2 `
   -Priority 2 `
   -RuleType MatchRule `
   -MatchCondition $condition `
   -Action Block

The previous $BlockRule maps to the following custom rule in Azure Resource Manager (the property name negationConditon is spelled that way in the ARM schema):

"customRules": [
  {
    "name": "blockEvilBot",
    "priority": 2,
    "ruleType": "MatchRule",
    "action": "Block",
    "matchConditions": [
      {
        "matchVariables": [
          {
            "variableName": "RequestHeaders",
            "selector": "User-Agent"
          }
        ],
        "operator": "Contains",
        "negationConditon": false,
        "matchValues": [
          "evilbot"
        ],
        "transforms": [
          "Lowercase"
        ]
      }
    ]
  }
],

This custom rule contains a name, a priority, an action, and the array of matching conditions that must be met for the action to take place. For further explanation of these fields, see the following field descriptions. For example custom rules, see Create and use custom web application firewall rules.

Fields for custom rules

Name [optional]

This is the name of the rule. This name appears in the logs.

Priority [required]

  • Determines the rule evaluation order. The lower the value, the earlier the rule is evaluated. The allowable range is from 1 to 100.
  • Must be unique across all custom rules. A rule with priority 40 is evaluated before a rule with priority 80.

Rule type [required]

Currently, must be MatchRule.

Match variable [required]

Must be one of the following variables:

  • RemoteAddr - IP address/hostname of the remote computer connection
  • RequestMethod - HTTP request method (GET, POST, PUT, DELETE, and so on)
  • QueryString - Variable in the URI
  • PostArgs - Arguments sent in the POST body. Custom rules using this match variable are only applied if the 'Content-Type' header is set to 'application/x-www-form-urlencoded' or 'multipart/form-data'.
  • RequestUri - URI of the request
  • RequestHeaders - Headers of the request
  • RequestBody - The entire request body as a whole. Custom rules using this match variable are only applied if the 'Content-Type' header is set to 'application/x-www-form-urlencoded'.
  • RequestCookies - Cookies of the request

Selector [optional]

Describes the field of the matchVariable collection. For example, if the matchVariable is RequestHeaders, the selector could be the User-Agent header.

Operator [required]

Must be one of the following operators:

  • IPMatch - only used when Match Variable is RemoteAddr
  • Equals - input is the same as the MatchValue
  • Contains
  • LessThan
  • GreaterThan
  • LessThanOrEqual
  • GreaterThanOrEqual
  • BeginsWith
  • EndsWith
  • Regex
  • Geomatch (preview)

Negate condition [optional]

Negates the current condition.

Transform [optional]

A list of strings with the names of transformations to apply before the match is attempted. These can be the following transformations:

  • Lowercase
  • Trim
  • UrlDecode
  • UrlEncode
  • RemoveNulls
  • HtmlEntityDecode

Match values [required]

List of values to match against, which can be thought of as being OR'ed. For example, it could be IP addresses or other strings. The value format depends on the chosen operator.

Action [required]

  • Allow - Authorizes the transaction, skipping all subsequent rules. This means that the specified request is added to the allow list and, once matched, the request stops further evaluation and is sent to the backend pool. Requests on the allow list aren't evaluated against any further custom rules or managed rules.
  • Block - Blocks the transaction based on SecDefaultAction (detection/prevention mode). Just like the Allow action, once the request is evaluated and added to the block list, evaluation is stopped and the request is blocked. Any later request that meets the same conditions will not be evaluated further and will just be blocked.
  • Log - Lets the rule write to the log, but lets the rest of the rules run for evaluation. Subsequent custom rules are evaluated in order of priority, followed by the managed rules.
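The evaluation semantics described on this page (priority order, conditions AND-ed within a rule, OR-ed matchValues, transforms and negation, Allow/Block stopping evaluation while Log continues) as an added, constructed Python model. It is not Azure's code; the sample policy, operator subset and request shapes are assumptions made for illustration.

```python
import ipaddress
import re
import urllib.parse

# Constructed evaluator for the customRules semantics described on this page (not Azure's
# code): priority order, conditions AND-ed, matchValues OR-ed, Allow/Block stop, Log continues.
TRANSFORMS = {"Lowercase": str.lower, "Trim": str.strip,
              "UrlDecode": urllib.parse.unquote,
              "RemoveNulls": lambda s: s.replace("\x00", "")}
OPERATORS = {
    "IPMatch": lambda v, m: ipaddress.ip_address(v) in ipaddress.ip_network(m, strict=False),
    "Contains": lambda v, m: m in v, "Equals": lambda v, m: v == m,
    "BeginsWith": str.startswith, "EndsWith": str.endswith,
    "Regex": lambda v, m: re.search(m, v) is not None,
}

def condition_matches(cond, request):
    op = OPERATORS[cond["operator"]]
    hit = False
    for var in cond["matchVariables"]:
        value = request[var["variableName"]]
        if "selector" in var:            # pick one field of a collection, e.g. one header
            value = value.get(var["selector"], "")
        for name in cond.get("transforms", []):
            value = TRANSFORMS[name](value)
        hit = hit or any(op(value, m) for m in cond["matchValues"])   # OR over matchValues
    return hit != cond.get("negationConditon", False)               # negate if requested

def evaluate(custom_rules, request):
    """Return (final action, names of rules that matched) for one request."""
    matched = []
    for rule in sorted(custom_rules, key=lambda r: r["priority"]):
        if all(condition_matches(c, request) for c in rule["matchConditions"]):  # AND
            matched.append(rule["name"])
            if rule["action"] in ("Allow", "Block"):   # terminal; Log keeps going
                return rule["action"], matched
    return "ManagedRules", matched   # nothing terminal hit: managed rule set runs next

# Constructed sample policy: log /admin requests, then block a source range only
# when the client also sends an "evilbot" User-Agent (two AND-ed conditions).
SAMPLE_RULES = [
    {"name": "logAdmin", "priority": 1, "action": "Log", "matchConditions": [
        {"matchVariables": [{"variableName": "RequestUri"}], "operator": "BeginsWith",
         "negationConditon": False, "matchValues": ["/admin"]}]},
    {"name": "blockEvilBot", "priority": 2, "action": "Block", "matchConditions": [
        {"matchVariables": [{"variableName": "RemoteAddr"}], "operator": "IPMatch",
         "negationConditon": False, "matchValues": ["192.168.5.4/24"]},
        {"matchVariables": [{"variableName": "RequestHeaders", "selector": "User-Agent"}],
         "operator": "Contains", "negationConditon": False, "matchValues": ["evilbot"],
         "transforms": ["Lowercase"]}]},
]
```

Because the page's or-between-rules point is modelled by separate rules, a request from the blocked range with a benign User-Agent falls through to the managed rules rather than being blocked.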

Geomatch custom rules (preview)

Custom rules allow for the creation of tailored rules to suit the exact needs of your applications and your security policies. You are now able to restrict access to your web applications by country/region; this capability is available in public preview. As with all custom rules, this logic can be compounded with other rules to suit the needs of your application.

If you are using the Geomatch operator, the selectors can be any of the following two-letter country codes.

Country code  Country name
AD  Andorra
AE  United Arab Emirates
AF  Afghanistan
AG  Antigua and Barbuda
AL  Albania
AM  Armenia
AO  Angola
AR  Argentina
AS  American Samoa
AT  Austria
AU  Australia
AZ  Azerbaijan
BA  Bosnia and Herzegovina
BB  Barbados
BD  Bangladesh
BE  Belgium
BF  Burkina Faso
BG  Bulgaria
BH  Bahrain
BI  Burundi
BJ  Benin
BL  Saint Barthélemy
BN  Brunei Darussalam
BO  Bolivia
BR  Brazil
BS  Bahamas
BT  Bhutan
BW  Botswana
BY  Belarus
BZ  Belize
CA  Canada
CD  Democratic Republic of the Congo
CF  Central African Republic
CH  Switzerland
CI  Cote d'Ivoire
CL  Chile
CM  Cameroon
CN  China
CO  Colombia
CR  Costa Rica
CU  Cuba
CV  Cabo Verde
CY  Cyprus
CZ  Czech Republic
DE  Germany
DK  Denmark
DO  Dominican Republic
DZ  Algeria
EC  Ecuador
EE  Estonia
EG  Egypt
ES  Spain
ET  Ethiopia
FI  Finland
FJ  Fiji
FM  Micronesia, Federated States of
FR  France
GB  United Kingdom
GE  Georgia
GF  French Guiana
GH  Ghana
GN  Guinea
GP  Guadeloupe
GR  Greece
GT  Guatemala
GY  Guyana
HK  Hong Kong SAR
HN  Honduras
HR  Croatia
HT  Haiti
HU  Hungary
ID  Indonesia
IE  Ireland
IL  Israel
IN  India
IQ  Iraq
IR  Iran, Islamic Republic of
IS  Iceland
IT  Italy
JM  Jamaica
JO  Jordan
JP  Japan
KE  Kenya
KG  Kyrgyzstan
KH  Cambodia
KI  Kiribati
KN  Saint Kitts and Nevis
KP  Korea, Democratic People's Republic of
KR  Korea, Republic of
KW  Kuwait
KY  Cayman Islands
KZ  Kazakhstan
LA  Lao People's Democratic Republic
LB  Lebanon
LI  Liechtenstein
LK  Sri Lanka
LR  Liberia
LS  Lesotho
LT  Lithuania
LU  Luxembourg
LV  Latvia
LY  Libya
MA  Morocco
MD  Moldova, Republic of
MG  Madagascar
MK  North Macedonia
ML  Mali
MM  Myanmar
MN  Mongolia
MO  Macao SAR
MQ  Martinique
MR  Mauritania
MT  Malta
MV  Maldives
MW  Malawi
MX  Mexico
MY  Malaysia
MZ  Mozambique
NA  Namibia
NE  Niger
NG  Nigeria
NI  Nicaragua
NL  Netherlands
NO  Norway
NP  Nepal
NR  Nauru
NZ  New Zealand
OM  Oman
PA  Panama
PE  Peru
PH  Philippines
PK  Pakistan
PL  Poland
PR  Puerto Rico
PT  Portugal
PW  Palau
PY  Paraguay
QA  Qatar
RE  Reunion
RO  Romania
RS  Serbia
RU  Russian Federation
RW  Rwanda
SA  Saudi Arabia
SD  Sudan
SE  Sweden
SG  Singapore
SI  Slovenia
SK  Slovakia
SN  Senegal
SO  Somalia
SR  Suriname
SS  South Sudan
SV  El Salvador
SY  Syrian Arab Republic
SZ  Swaziland
TC  Turks and Caicos Islands
TG  Togo
TH  Thailand
TN  Tunisia
TR  Turkey
TT  Trinidad and Tobago
TW  Taiwan
TZ  Tanzania, United Republic of
UA  Ukraine
UG  Uganda
US  United States
UY  Uruguay
UZ  Uzbekistan
VC  Saint Vincent and the Grenadines
VE  Venezuela
VG  Virgin Islands, British
VI  Virgin Islands, U.S.
VN  Vietnam
ZA  South Africa
ZM  Zambia
ZW  Zimbabwe

Next steps

After you learn about custom rules, create your own custom rules.