# Web Application Firewall (WAF) Rules

The Web Application Firewall (WAF) provides protection against common web vulnerabilities and attacks. WAF rules use Wirefilter expressions to define the conditions under which a request is blocked or logged.
## Configuration Structure

```yaml
waf:
  - name: test
    action: block
    rule: (ip.src.country eq "FR" and http.request.headers[*].user_agent contains "curl")
    enabled: true
```
## Configuration Options

### Name

- Type: String
- Required: Yes
- Description: Unique identifier for the WAF rule
- Example:

```yaml
name: "test"
```

### Action

- Type: String
- Required: Yes
- Options: `block`, `log`
- Description: Action to take when the rule matches
  - `block`: Block the request
  - `log`: Log the request but allow it to proceed
- Example:

```yaml
action: "block"
```

### Rule

- Type: String
- Required: Yes
- Description: Wirefilter expression defining the rule conditions
- Example:

```yaml
rule: (ip.src.country eq "FR" and http.request.headers[*].user_agent contains "curl")
```

### Enabled

- Type: Boolean
- Default: `true`
- Description: Whether the rule is active
- Example:

```yaml
enabled: true
```
## Supported fields

| Field | Description |
|---|---|
| `http.request.method` | The HTTP method of the request (GET, POST, PUT, DELETE, etc.) |
| `http.request.headers` | All HTTP headers in the request |
| `http.request.body` | The raw body content of the request |
| `http.request.uri.query` | The query string parameters of the request |
| `http.request.uri.full` | The complete URI including protocol, host, path, and query |
| `http.request.uri.scheme` | The protocol scheme (http, https) |
| `http.request.uri.host` | The hostname from the request |
| `http.request.uri.port` | The port number from the request |
| `http.request.uri.path` | The path portion of the URI |
| `ip.src` | The source IP address of the request |
| `ip.src.country` | The country of origin based on the source IP |
| `ip.src.city` | The city of origin based on the source IP |
These fields can be combined in Wirefilter expressions to create complex rules. For example:

```yaml
# Block requests from specific countries
rule: (ip.src.country eq "RU" or ip.src.country eq "CN")

# Block specific HTTP methods
rule: (http.request.method eq "PUT" or http.request.method eq "DELETE")

# Block requests with specific paths
rule: (http.request.uri.path contains "/wp-admin")
```
## Wirefilter Expressions

Wirefilter is a powerful expression language for defining WAF rules. Here are some common patterns:

### IP-based Rules

### Header-based Rules

### Path-based Rules

### Combined Rules

## Best Practices
- Start with logging rules before blocking
- Use specific and targeted rules
- Test rules in a staging environment
- Monitor rule effectiveness
- Keep rules organized and documented
## Example Configurations

### Basic Security Rules

```yaml
waf:
  - name: "block-bad-bots"
    action: block
    rule: (http.request.headers["user-agent"] contains "bad-bot")
    enabled: true
  - name: "log-admin-access"
    action: log
    rule: (http.request.uri.path contains "/admin")
    enabled: true
```
### Advanced Security Rules

```yaml
waf:
  - name: "block-sql-injection"
    action: block
    rule: (http.request.uri.query contains "SELECT" or http.request.uri.query contains "UNION")
    enabled: true
  - name: "block-xss"
    action: block
    rule: (http.request.uri.query contains "<script" or http.request.uri.query contains "javascript:")
    enabled: true
```
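The rules above are plain, case-sensitive string matches: `contains "SELECT"` does not match `select`, and whether the query string is URL-decoded before matching depends on the engine, which this page does not state. The evaluator below is an added example, not the project's own engine or the `wirefilter` crate. It implements only the subset of Wirefilter this page uses (`eq`, `contains`, `and`, `or`, parentheses, with `and` binding tighter than `or`) over the fields in the Supported fields table, so a rule set can be dry-run against constructed requests before `action: block` is enabled, as the Best Practices section recommends. The header-name normalisation, the `make_request` helper and the "any matching block rule blocks" semantics are assumptions of this example.

```python
"""Dry-run evaluator for the Wirefilter subset used in this page's WAF rules.

Added example only: it is not the WAF's engine and not the wirefilter crate.
"""
import re

# One token per match: whitespace, "(", ")", a quoted string, or a word such as
# eq, contains, http.request.uri.path, http.request.headers["user-agent"] or
# http.request.headers[*].user_agent.
_TOKEN = re.compile(r'\s+|(\()|(\))|"([^"]*)"|([A-Za-z_][\w.]*(?:\[[^\]]*\][\w.]*)*)')
_HEADER = re.compile(r'http\.request\.headers(?:\["([^"]+)"\]|\[\*\]\.(\w+))')


def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise SyntaxError(f"bad token at offset {pos}: {expr[pos:pos + 10]!r}")
        pos = m.end()
        if m.group(1) or m.group(2):
            tokens.append((m.group(0), m.group(0)))
        elif m.group(3) is not None:
            tokens.append(("str", m.group(3)))
        elif m.group(4):
            tokens.append(("word", m.group(4)))
    return tokens


class _Parser:
    """or_expr := and_expr ('or' and_expr)*; and_expr := atom ('and' atom)*;
    atom := '(' or_expr ')' | field op "value"."""

    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind):
        tok = self.peek()
        if tok[0] != kind:
            raise SyntaxError(f"expected {kind}, got {tok[1]!r}")
        self.i += 1
        return tok[1]

    def parse(self):
        node = self.or_expr()
        if self.peek()[0] is not None:
            raise SyntaxError(f"unexpected trailing token {self.peek()[1]!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("word", "or"):
            self.i += 1
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.atom()
        while self.peek() == ("word", "and"):
            self.i += 1
            node = ("and", node, self.atom())
        return node

    def atom(self):
        if self.peek()[0] == "(":
            self.i += 1
            node = self.or_expr()
            self.take(")")
            return node
        field, op = self.take("word"), self.take("word")
        if op not in ("eq", "contains"):
            raise SyntaxError(f"unsupported operator {op!r}")
        return (op, field, self.take("str"))


def parse(expr):
    return _Parser(expr).parse()


def lookup(request, field):
    """Resolve a field to a string. Header names are normalised to lowercase with
    '-' so both spellings on the page resolve alike (an assumption of this toy)."""
    m = _HEADER.fullmatch(field)
    if m:
        name = (m.group(1) or m.group(2)).lower().replace("_", "-")
        return request["http.request.headers"].get(name, "")
    if not isinstance(request.get(field), str):
        raise KeyError(f"unsupported field {field!r}")
    return request[field]


def evaluate(node, request):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], request) or evaluate(node[2], request)
    if kind == "and":
        return evaluate(node[1], request) and evaluate(node[2], request)
    _, field, value = node
    actual = lookup(request, field)
    # Both operators are exact byte comparisons: "select" does not match "SELECT".
    return actual == value if kind == "eq" else value in actual


def apply_rules(rules, request):
    """Return (decision, names of matching enabled rules). Assumed semantics:
    any matching `block` rule blocks; a matching `log` rule only records the match."""
    decision, matched = "allow", []
    for rule in rules:
        if rule.get("enabled", True) and evaluate(parse(rule["rule"]), request):
            matched.append(rule["name"])
            if rule["action"] == "block":
                decision = "block"
    return decision, matched


def make_request(path="/", query="", method="GET", country="US", user_agent="Mozilla/5.0"):
    """Constructed request; keys mirror the names in the Supported fields table."""
    return {"http.request.method": method, "http.request.uri.path": path,
            "http.request.uri.query": query, "ip.src.country": country,
            "http.request.headers": {"user-agent": user_agent}}


# Copied from this page's example configurations.
RULES = [
    {"name": "block-bad-bots", "action": "block", "enabled": True,
     "rule": '(http.request.headers["user-agent"] contains "bad-bot")'},
    {"name": "log-admin-access", "action": "log", "enabled": True,
     "rule": '(http.request.uri.path contains "/admin")'},
    {"name": "block-sql-injection", "action": "block", "enabled": True,
     "rule": '(http.request.uri.query contains "SELECT" or http.request.uri.query contains "UNION")'},
]
```

Running `apply_rules(RULES, make_request(query="id=1 union select 1"))` returns `("allow", [])` while the uppercase form returns `("block", ["block-sql-injection"])`, which is the case-sensitivity gap a staging dry run should surface before the rule goes live.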
## Common Use Cases

- Bot Protection: Block known bad bots
- SQL Injection: Prevent SQL injection attacks
- XSS Protection: Block cross-site scripting attempts
- Path Protection: Restrict access to sensitive paths
- Country-based Rules: Block traffic from specific countries