Configuring Web Application Firewall

In the portal, environments using the v1 load balancer can also configure a web application firewall. This is done on the firewall page in the load balancer modal.

To get there:

  1. Select Environments from the main, left-hand navigation.
  2. Select the environment from the first column.
  3. Scroll down to the services tile, and click on the manage tab of the load balancer.
  4. Select the Firewall page.

The controller must be set to Enable Custom Config before any firewall configuration is applied; without it, rules entered on the Firewall page have no effect.

After enabling the firewall configuration, an example rule entry is shown as a starting point.

Firewall Rule Fields

Each rule consists of four fields:

Field         Description
description   A free-text description of the rule, providing context or notes about what the rule is intended to do.
skip          A boolean: true means the rule is skipped, false means it is processed.
type          The action the rule takes when it matches. The examples on this page use "allow" and "deny".
conditions    An array of conditions that must be met for the rule to apply. Each condition contains:
              - type: the kind of match to perform (e.g., "ip-match").
              - operator: the comparison operator (e.g., "==").
              - value: the value to compare against (e.g., an IP address). For ip-match, both single addresses and CIDR ranges are supported, in IPv4 or IPv6 form.

Supported Types

The currently supported types are:

Type           Description
ip-match       Filters traffic by client IP: a single address or a CIDR range.
url-match      Matches requests by URL path only; the scheme and domain name are not part of the comparison.
method-match   Matches requests by HTTP method, such as GET or POST.

Supported Operators

The currently supported operators are:

  • ==
  • !=

Example Firewall Configs

A typical use case combines url-match and ip-match to restrict a resource to VPN clients. The first rule allows requests whose path is the resource and whose source IP is in the VPN range; the second rule denies everything else by matching all IPv4 (0.0.0.0/0) and all IPv6 (::/0) addresses. Approved IPs requesting the resource can connect, while all other traffic, including VPN traffic to other paths, is blocked. Rules are written as an ordered array with the allow rule first. Because the deny rule lists an IPv4 and an IPv6 condition that a single request cannot both satisfy, confirm in a non-production environment how the load balancer combines multiple conditions within one rule and in which order it evaluates rules before relying on this pattern for access control.

[
	{
		description: "Only allow VPN traffic",
		skip: false,
		type: "allow",
		conditions: [
			{
				type: "url-match",
				operator: "==",
				value: "/resource-path",
			},
			{
				type: "ip-match",
				operator: "==",
				value: "10.10.24.0/24",
			},
		],
	},
	{
		description: "Deny all other traffic",
		skip: false,
		type: "deny",
		conditions: [
			{
				type: "ip-match",
				operator: "==",
				value: "0.0.0.0/0",
			},
			{
				type: "ip-match",
				operator: "==",
				value: "::/0",
			},
		],
	},
];

A simpler example denies individual client addresses, one IPv4 and one IPv6:

[
	{
		description: "Deny two specific client addresses",
		skip: false,
		type: "deny",
		conditions: [
			{
				type: "ip-match",
				operator: "==",
				value: "50.234.222.10",
			},
			{
				type: "ip-match",
				operator: "==",
				value: "2600:6b4a:223f:93cf:84a1:4afd:9221:8988",
			},
		],
	},
];
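Before pasting a rule list into the Firewall page it is worth checking it against the field, type and operator tables above, since a misspelt condition type or an invalid CIDR is easy to miss in a long array. The following Python validator is an added example written for this page; it is not code from the portal or its load balancer. It checks only the schema documented here and says nothing about how the load balancer evaluates rules (the page does not state how multiple conditions combine or in which order rules are processed). The set of HTTP method names and the expectation that a url-match value begins with "/" are assumptions, and the second rule list is a constructed input with deliberate mistakes.

```python
"""Validate firewall rule lists against the rule schema documented on this page."""
import ipaddress

RULE_FIELDS = {"description", "skip", "type", "conditions"}
CONDITION_FIELDS = {"type", "operator", "value"}
RULE_TYPES = {"allow", "deny"}                       # the two actions the page uses
CONDITION_TYPES = {"ip-match", "url-match", "method-match"}
OPERATORS = {"==", "!="}
# Assumption: the page only says "GET, POST, etc."; this is the RFC 9110 method set.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE", "CONNECT"}


def _check_value(ctype, value):
    """Return an error string for a condition value, or None if it is acceptable."""
    if not isinstance(value, str) or not value:
        return "value must be a non-empty string"
    if ctype == "ip-match":
        try:
            ipaddress.ip_network(value, strict=False)   # accepts single addresses and CIDRs
        except ValueError:
            return f"{value!r} is not a valid IP address or CIDR"
    elif ctype == "url-match":
        # Assumption: url-match compares the path only, so a scheme or host is a mistake.
        if not value.startswith("/") or "://" in value:
            return f"{value!r} should be a path starting with '/', without scheme or domain"
    elif ctype == "method-match":
        if value not in HTTP_METHODS:
            return f"{value!r} is not a recognised HTTP method (use upper case)"
    return None


def validate_rules(rules):
    """Return a list of human-readable problems; an empty list means the config passed."""
    problems = []
    if not isinstance(rules, list):
        return ["top level must be a list of rules"]
    for i, rule in enumerate(rules):
        where = f"rule[{i}]"
        if not isinstance(rule, dict):
            problems.append(f"{where}: must be an object")
            continue
        missing = RULE_FIELDS - rule.keys()
        extra = rule.keys() - RULE_FIELDS
        if missing:
            problems.append(f"{where}: missing field(s) {sorted(missing)}")
        if extra:
            problems.append(f"{where}: unknown field(s) {sorted(extra)}")
        if not isinstance(rule.get("skip"), bool):
            problems.append(f"{where}: skip must be true or false")
        if rule.get("type") not in RULE_TYPES:
            problems.append(f"{where}: type must be one of {sorted(RULE_TYPES)}")
        conds = rule.get("conditions")
        if not isinstance(conds, list) or not conds:
            problems.append(f"{where}: conditions must be a non-empty array")
            continue
        for j, cond in enumerate(conds):
            cwhere = f"{where}.conditions[{j}]"
            if not isinstance(cond, dict) or set(cond) != CONDITION_FIELDS:
                problems.append(f"{cwhere}: must have exactly the fields {sorted(CONDITION_FIELDS)}")
                continue
            if cond["type"] not in CONDITION_TYPES:
                problems.append(f"{cwhere}: unsupported type {cond['type']!r}")
                continue
            if cond["operator"] not in OPERATORS:
                problems.append(f"{cwhere}: unsupported operator {cond['operator']!r}")
            err = _check_value(cond["type"], cond["value"])
            if err:
                problems.append(f"{cwhere}: {err}")
    return problems


# The "Only allow VPN traffic" config from this page, as Python dicts.
VPN_ONLY = [
    {"description": "Only allow VPN traffic", "skip": False, "type": "allow",
     "conditions": [{"type": "url-match", "operator": "==", "value": "/resource-path"},
                    {"type": "ip-match", "operator": "==", "value": "10.10.24.0/24"}]},
    {"description": "Deny all other traffic", "skip": False, "type": "deny",
     "conditions": [{"type": "ip-match", "operator": "==", "value": "0.0.0.0/0"},
                    {"type": "ip-match", "operator": "==", "value": "::/0"}]},
]

# Constructed input with common mistakes: string instead of boolean, unknown action,
# misspelt condition type, unsupported operator, bad prefix length, lower-case method,
# and a full URL where only a path belongs.
BROKEN = [
    {"description": "typos", "skip": "false", "type": "block",
     "conditions": [{"type": "ip_match", "operator": "==", "value": "10.10.24.0/24"},
                    {"type": "ip-match", "operator": "=", "value": "10.10.24.0/33"},
                    {"type": "method-match", "operator": "==", "value": "post"},
                    {"type": "url-match", "operator": "==", "value": "https://example.com/x"}]},
]

if __name__ == "__main__":
    print("page example:", validate_rules(VPN_ONLY) or "OK")
    for p in validate_rules(BROKEN):
        print("broken:", p)
```

The page's examples are written in JavaScript object-literal style (unquoted keys, trailing commas); if you keep them in a file, parse that file with a JavaScript-aware tool before handing the resulting list to validate_rules, or keep the rules as JSON and load them with json.load.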