Configuring Web Application Firewall
In the portal, environments using the v1 load balancer can also configure a web application firewall. This is done on the firewall page in the load balancer modal.
To get there:
- Select Environments from the main, left-hand navigation.
- Select the environment from the first column.
- Scroll down to the services tile, and click on the manage tab of the load balancer.
- Select the Firewall page.
The controller must be set to Enable Custom Config for the firewall config to be applied.
After enabling the Firewall Configuration, the user sees an example Rule entry.
Firewall Rule Fields
Each Rule is comprised of 4 fields:
Field | Description |
---|---|
description | A text description of the rule, providing context or notes about what the rule is intended to do. |
skip | A boolean value indicating whether the rule should be skipped (true) or processed (false). |
type | Specifies the action of the rule. Typical values might include "deny" or "allow". |
conditions | An array of conditions that must be met for the rule to apply. Each condition contains: type, the type of match to perform (e.g., "ip-match"); operator, the comparison operator to use (e.g., "=="); and value, the value to compare against (e.g., an IP address). For IP addresses, both single addresses and CIDR ranges are supported. |
Supported Types
The currently supported types are:
Type | Description |
---|---|
ip-match | Filters traffic based on specific IP addresses or ranges using CIDR. |
url-match | Matches requests based on the URL path, excluding the domain name. |
method-match | Evaluates HTTP requests by their method, such as GET, POST, etc. |
Supported Operators
The currently supported operators are:
- ==
- !=
Example Firewall Configs
An example use case might be using url-match and ip-match together to constrain traffic to a resource from any non-VPN IP while simultaneously defining a DENY rule for all IPs. Approved IPs requesting the resource would be able to connect, while all other traffic would be blocked.
Or a more general example showing deny rules for individual IPs.
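To make the rule semantics above concrete, the following is an added example (not the load balancer's own code and not a config from the original page) that evaluates rule sets built from the four fields described: `description`, `skip`, `type` and `conditions`, with the `ip-match`, `url-match` and `method-match` types and the `==` / `!=` operators. It assumes, because the page does not say, that rules are evaluated top to bottom, that the first rule whose conditions all hold decides the request, that a request matching no rule is allowed, and that `url-match` compares the path exactly. The request shape (`ip`, `url`, `method`) and the IP addresses are constructed sample values from the documentation ranges; the two rule sets mirror the VPN allow-plus-deny-all use case and the per-IP deny list described above.

```python
"""Evaluate firewall rules of the shape described on this page.

Added example, not the load balancer's implementation. Assumptions not
stated on the page: rules are checked top to bottom, the first rule whose
conditions all hold decides the request, a request matching no rule is
allowed, and url-match compares the request path exactly.
"""
import ipaddress
from urllib.parse import urlsplit


def _condition_holds(cond, request):
    """Return True if a single condition holds for the request dict."""
    ctype, op, value = cond["type"], cond["operator"], cond["value"]
    if ctype == "ip-match":
        # Both single addresses and CIDR ranges are accepted as the value.
        network = ipaddress.ip_network(value, strict=False)
        matched = ipaddress.ip_address(request["ip"]) in network
    elif ctype == "url-match":
        # Only the path is compared; scheme and domain are ignored.
        matched = urlsplit(request["url"]).path == value
    elif ctype == "method-match":
        matched = request["method"].upper() == value.upper()
    else:
        raise ValueError(f"unsupported condition type: {ctype}")
    if op == "==":
        return matched
    if op == "!=":
        return not matched
    raise ValueError(f"unsupported operator: {op}")


def evaluate(rules, request):
    """Return "allow" or "deny" for a request (dict with ip, url, method).

    First matching, non-skipped rule wins; default is allow (assumption).
    """
    for rule in rules:
        if rule.get("skip", False):
            continue  # skip: true means the rule is not processed
        if all(_condition_holds(c, request) for c in rule["conditions"]):
            return rule["type"]
    return "allow"


# Use case 1: only the VPN range may reach /admin; everything else is denied.
# 10.8.0.0/24 is a constructed sample VPN range.
VPN_RULES = [
    {
        "description": "Allow the VPN range to reach the admin path",
        "skip": False,
        "type": "allow",
        "conditions": [
            {"type": "ip-match", "operator": "==", "value": "10.8.0.0/24"},
            {"type": "url-match", "operator": "==", "value": "/admin"},
        ],
    },
    {
        "description": "Deny all other traffic",
        "skip": False,
        "type": "deny",
        "conditions": [
            {"type": "ip-match", "operator": "==", "value": "0.0.0.0/0"},
        ],
    },
]

# Use case 2: deny rules for individual IPs, one of them currently skipped,
# plus a method restriction on one path. Addresses are documentation ranges.
BLOCKLIST_RULES = [
    {
        "description": "Block a single address",
        "skip": False,
        "type": "deny",
        "conditions": [
            {"type": "ip-match", "operator": "==", "value": "203.0.113.7"},
        ],
    },
    {
        "description": "Block a range (temporarily disabled via skip)",
        "skip": True,
        "type": "deny",
        "conditions": [
            {"type": "ip-match", "operator": "==", "value": "198.51.100.0/24"},
        ],
    },
    {
        "description": "Only GET is accepted on /status",
        "skip": False,
        "type": "deny",
        "conditions": [
            {"type": "url-match", "operator": "==", "value": "/status"},
            {"type": "method-match", "operator": "!=", "value": "GET"},
        ],
    },
]


if __name__ == "__main__":
    req = {"ip": "10.8.0.15", "url": "https://app.example.com/admin", "method": "GET"}
    print(evaluate(VPN_RULES, req))  # allow
    req["ip"] = "203.0.113.7"
    print(evaluate(VPN_RULES, req))  # deny
```

A useful check when authoring a rule set under these semantics is the third VPN case below: a VPN client requesting a path other than `/admin` fails the first rule's `url-match` condition and falls through to the deny-all rule, which is the intended behaviour for the use case but easy to overlook when the allow rule carries more than one condition.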