Configuring Web Application Firewall
In the portal, environments using the v1 load balancer can also configure a web application firewall. This is done on the Firewall page of the load balancer modal.
To get there:
- Select Environments from the main, left-hand navigation.
- Select the environment from the first column.
- Scroll down to the Services tile and click the Manage tab of the load balancer.
- Select the Firewall page.
The load balancer's controller must be set to Enable Custom Config; without it, the firewall configuration is not applied.
After enabling Firewall Configuration, the user sees an example rule entry.
Firewall Rule Fields
Each rule consists of 4 fields:
| Field | Description |
|---|---|
| description | A text description of the rule, providing context or notes about what the rule is intended to do. |
| skip | A boolean indicating whether the rule is skipped (true) or processed (false). |
| type | The action the rule takes, e.g. "deny" or "allow". |
| conditions | An array of conditions that must be met for the rule to apply. Each condition contains a type (the kind of match to perform, e.g. "ip-match"), an operator (the comparison to use, e.g. "=="), and a value (the value to compare against, e.g. an IP address). For IP addresses, both single addresses and CIDR ranges are supported. |
Supported Types
The currently supported types are:
| Type | Description |
|---|---|
| ip-match | Filters traffic by a specific IP address or by a range expressed in CIDR notation. |
| url-match | Matches requests by the URL path, excluding the domain name. |
| method-match | Evaluates HTTP requests by their method, such as GET, POST, etc. |
Supported Operators
The currently supported operators are:
| Operator | Description |
|---|---|
| == | The condition matches when the request value equals the rule value. |
| != | The condition matches when the request value does not equal the rule value. |
Example Firewall Configs
An example use case is combining url-match and ip-match in one rule to restrict a resource to VPN addresses, while a second rule denies all IPs. Approved IPs requesting the resource can connect, while all other traffic is blocked. Note that the catch-all deny lists both 0.0.0.0/0 and ::/0; omitting either one would leave that address family unfiltered. Because the allow rule relies on being evaluated ahead of the deny rule, test the applied config from both an approved and an unapproved address before relying on it.
```
[
  {
    description: "Only allow VPN traffic",
    skip: false,
    type: "allow",
    conditions: [
      {
        type: "url-match",
        operator: "==",
        value: "/resource-path",
      },
      {
        type: "ip-match",
        operator: "==",
        value: "10.10.24.0/24",
      },
    ],
  },
  {
    description: "Deny all other traffic",
    skip: false,
    type: "deny",
    conditions: [
      {
        type: "ip-match",
        operator: "==",
        value: "0.0.0.0/0",
      },
      {
        type: "ip-match",
        operator: "==",
        value: "::/0",
      },
    ],
  },
];
```
Or, a more general example showing deny rules for individual IPs:
```
[
  {
    description: "This is a rule",
    skip: false,
    type: "deny",
    conditions: [
      {
        type: "ip-match",
        operator: "==",
        value: "50.234.222.10",
      },
      {
        type: "ip-match",
        operator: "==",
        value: "2600:6b4a:223f:93cf:84a1:4afd:9221:8988",
      },
    ],
  },
];
```
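The following is an added example, not code from the portal or its documentation. It validates a rule set in the field format documented above (field names, the three condition types, the two operators, IP or CIDR values) and then dry-runs the "Only allow VPN traffic" config from the first example against sample requests. The field names and values are the page's; everything about evaluation is an assumption made so that the page's examples behave as described, and must be checked against the real load balancer: rules are evaluated in order and the first non-skipped matching rule decides, a rule matches only when every condition type it lists matches, several conditions of the same type in one rule are alternatives (which is what lets one deny rule cover both 0.0.0.0/0 and ::/0), url-match compares the path exactly, and unmatched traffic falls through to a default. The request dict shape and the function names are likewise this example's own.

```python
"""Validate and dry-run firewall rules in the format documented on this page.

Added example, not portal code. The evaluation semantics below (first match
wins, all condition types in a rule must match, same-type conditions are
alternatives, exact path comparison) are ASSUMPTIONS; verify them against
the real load balancer before relying on a dry-run result.
"""
import ipaddress

RULE_TYPES = {"allow", "deny"}
CONDITION_TYPES = {"ip-match", "url-match", "method-match"}
OPERATORS = {"==", "!="}
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "TRACE", "CONNECT"}

# The "Only allow VPN traffic" config from this page, written as Python dicts.
VPN_ONLY_RULES = [
    {
        "description": "Only allow VPN traffic",
        "skip": False,
        "type": "allow",
        "conditions": [
            {"type": "url-match", "operator": "==", "value": "/resource-path"},
            {"type": "ip-match", "operator": "==", "value": "10.10.24.0/24"},
        ],
    },
    {
        "description": "Deny all other traffic",
        "skip": False,
        "type": "deny",
        "conditions": [
            {"type": "ip-match", "operator": "==", "value": "0.0.0.0/0"},
            {"type": "ip-match", "operator": "==", "value": "::/0"},
        ],
    },
]


def validate_rules(rules):
    """Return a list of problems; an empty list means the config is well formed."""
    problems = []
    for i, rule in enumerate(rules):
        missing = {"description", "skip", "type", "conditions"} - set(rule)
        if missing:
            problems.append(f"rule {i}: missing fields {sorted(missing)}")
            continue
        if not isinstance(rule["skip"], bool):
            problems.append(f"rule {i}: skip must be true or false")
        if rule["type"] not in RULE_TYPES:
            problems.append(f"rule {i}: unknown rule type {rule['type']!r}")
        if not rule["conditions"]:
            problems.append(f"rule {i}: has no conditions")
        for j, cond in enumerate(rule["conditions"]):
            where = f"rule {i} condition {j}"
            ctype, op, value = cond.get("type"), cond.get("operator"), cond.get("value")
            if ctype not in CONDITION_TYPES:
                problems.append(f"{where}: unknown condition type {ctype!r}")
                continue
            if op not in OPERATORS:
                problems.append(f"{where}: unknown operator {op!r}")
            if ctype == "ip-match":
                try:
                    ipaddress.ip_network(value, strict=False)  # accepts "1.2.3.4" and "10.0.0.0/8"
                except ValueError:
                    problems.append(f"{where}: {value!r} is not an IP address or CIDR range")
            elif ctype == "url-match":
                # url-match takes only the path, never a scheme or host name.
                if not isinstance(value, str) or not value.startswith("/") or "://" in value:
                    problems.append(f"{where}: url-match value must be a path, not {value!r}")
            elif value not in HTTP_METHODS:
                problems.append(f"{where}: {value!r} is not an HTTP method")
    return problems


def _condition_matches(cond, request):
    ctype, value = cond["type"], cond["value"]
    if ctype == "ip-match":
        net = ipaddress.ip_network(value, strict=False)
        addr = ipaddress.ip_address(request["ip"])
        hit = addr.version == net.version and addr in net  # v4 rule never matches v6 client
    elif ctype == "url-match":
        hit = request["path"] == value  # assumption: exact path comparison
    else:
        hit = request["method"].upper() == value.upper()
    return hit if cond["operator"] == "==" else not hit


def _rule_matches(rule, request):
    # Assumption: every condition type listed must match; within one type any
    # single condition is enough, so an IPv4 and an IPv6 range can share a rule.
    by_type = {}
    for cond in rule["conditions"]:
        by_type.setdefault(cond["type"], []).append(cond)
    return all(any(_condition_matches(c, request) for c in group) for group in by_type.values())


def evaluate(rules, request, default="allow"):
    """Return "allow" or "deny" for request = {"ip": ..., "path": ..., "method": ...}."""
    for rule in rules:
        if rule["skip"]:
            continue
        if _rule_matches(rule, request):
            return rule["type"]  # assumption: first matching rule decides
    return default  # assumption: unmatched traffic falls through to this


if __name__ == "__main__":
    print("problems:", validate_rules(VPN_ONLY_RULES))
    for ip, path in [("10.10.24.5", "/resource-path"), ("203.0.113.7", "/resource-path"), ("10.10.24.5", "/admin")]:
        print(ip, path, "->", evaluate(VPN_ONLY_RULES, {"ip": ip, "path": path, "method": "GET"}))
```

Running the dry-run with the two rules swapped shows why ordering matters: the catch-all deny then matches every request, including the VPN ones. The grouping of same-type conditions is the assumption most likely to differ from the real implementation, particularly with the != operator, so treat the dry-run as a check on rule shape and ordering rather than as proof of what the load balancer will do.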