Custom Policy

Last updated: 2020-02-25 14:46:50


Feature Overview

The custom policy controls access by public network users by matching a combination of features of HTTP messages, such as the request path, GET parameters, POST parameters, Referer, and User-Agent. Tencent Cloud users can respond flexibly to various attacks on the Internet with custom policies, combining rules to block them.

Each custom policy can set up to five conditions for feature control.
The relationship between multiple conditions in each custom policy is "AND", that is, the policy does not take effect unless all the conditions are matched.
For each custom policy, you can configure one of two actions to take when it is matched: block or allow.

Sample Case

Case 1: Prohibiting specific IP addresses from accessing a designated site

When the webmaster needs to prohibit a specific IP address from accessing a designated site, the policy can be configured as follows:

  1. Log in to the Web Application Firewall console. In the left sidebar, click "Web Application Firewall" -> "Protection Settings". In the domain name list, select the site domain name to be protected. In the operation bar on the right, click "Protection configuration" to enter the protection settings page, and select "Custom Policy" -> "add rules".
  2. Click Add Rules, enter the name of the rule (001), select a field (such as source IP) in Matched Field, select "match" in Logic Operator, and enter the source IP (192.168.1.1) to be prohibited from accessing in Matched Content. Then select an Action (e.g. block).

    Custom policies of the WAF allow you to use masks to control access requests from source IPs within a range. You can enter a specific IP address range (e.g. 10.10.10.10/24) in Matched Content.
  3. Click OK to save the rule; the rule takes effect immediately. All HTTP access requests from the specified source IPs will be blocked.

Case 2: Prohibiting public network users from accessing specific Web resources

When the webmaster does not want public network users to access specific Web resources (such as the management backend /admin.html), configure the policy as follows: select "request path" for the matched field, select "equal to" for the logic operator, and enter /admin.html as the matched content. Select "block" as the action, and click "add" after the configuration is completed.

Case 3: Prohibiting an external site from hot-linking certain resources

When the webmaster needs to block an external site (such as www.test.com) from hot-linking resources, the custom policy can be used to match the Referer feature of the hotlink request and block it. Configure the policy as follows: select "Referer" for the matched field, select "include" for the logic operator, and enter www.test.com as the matched content. Select "block" as the action, and click "add" after the configuration is completed.

For details, refer to Configuring Route Tables .
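
The three sample cases above can be checked against sample requests before the rules are saved. The following is an added example, not Tencent Cloud code or the WAF's API: a local Python model of the rule semantics described on this page (up to five conditions, "AND" between them, one action per policy). The tuple layout, the rule names other than 001, the first-match ordering and the exact-string and substring behaviour of "equal to" and "include" are assumptions of the model.

```python
import ipaddress

MAX_CONDITIONS = 5  # page: each custom policy can set up to five conditions

def condition_matches(cond, request):
    """cond is (matched field, logic operator, matched content)."""
    field, operator, content = cond
    value = request.get(field, "")
    if field == "source IP" and operator == "match":
        # strict=False accepts a mask with host bits set, e.g. 10.10.10.10/24
        network = ipaddress.ip_network(content, strict=False)
        return ipaddress.ip_address(value) in network
    if operator == "equal to":
        return value == content      # modelled as exact string comparison
    if operator == "include":
        return content in value      # modelled as substring search
    raise ValueError(f"unsupported condition: {field!r} {operator!r}")

def evaluate(policies, request):
    """Return (name, action) of the first policy whose conditions all match, else None."""
    # First match in list order is an assumption of this model.
    for name, conditions, action in policies:
        if not 1 <= len(conditions) <= MAX_CONDITIONS:
            raise ValueError(f"policy {name}: needs 1 to {MAX_CONDITIONS} conditions")
        if all(condition_matches(c, request) for c in conditions):  # "AND"
            return name, action
    return None

# Cases 1-3 from the page; rule names other than 001 are constructed.
POLICIES = [
    ("001", [("source IP", "match", "192.168.1.1")], "block"),
    ("001-range", [("source IP", "match", "10.10.10.10/24")], "block"),
    ("002", [("request path", "equal to", "/admin.html")], "block"),
    ("003", [("Referer", "include", "www.test.com")], "block"),
]

# Constructed sample requests.
SAMPLES = [
    {"source IP": "192.168.1.1", "request path": "/", "Referer": ""},
    {"source IP": "10.10.10.200", "request path": "/", "Referer": ""},
    {"source IP": "203.0.113.7", "request path": "/admin.html", "Referer": ""},
    {"source IP": "203.0.113.7", "request path": "/logo.png",
     "Referer": "http://www.test.com/page"},
    {"source IP": "203.0.113.7", "request path": "/index.html", "Referer": ""},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["source IP"], req["request path"], "->", evaluate(POLICIES, req))
```

In this model the mask 10.10.10.10/24 covers every address from 10.10.10.0 to 10.10.10.255, so the second sample request is blocked even though its address differs from the one typed into the rule.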