Rules Engine for Edge Firewall
The Rules Engine for Edge Firewall is a feature designed to implement security logics for your applications. The Rules Engine settings tab can be found inside a created Edge Firewall configuration. An Edge Firewall Rules Engine configuration is called an Edge Firewall Rule Set.
The Rules Engine is programmable, you define what are the conditions (Criteria) and commands (Behaviors). If the Criteria are met, the Behaviors will be executed.
You can use the Rules Engine for Edge Firewall to configure all operational aspects of your application’s firewalls. Here are some implementations examples you can use it for:
- Block a request.
- Ignore a request.
- Limit the access rate.
- Apply Web Application Firewall (WAF) policy.
- Run an Edge Function for Edge Firewall with your own security code.
- Monitor traffic to identify threats.
An Edge Firewall Rule Set can have as many rules as needed. These rules are also interchangeable, as you can share the same rule for all other Edge Firewall configurations.
go to Edge Firewall referenceHow Rules Engine for Edge Firewall works
Section titled How Rules Engine for Edge Firewall worksEach request from your users to your application is processed first by Edge Firewall. You can define a set of security rules in Edge Firewall.
The rules are composed by Criteria, which represent the conditions for executing the rules, and by Behaviors, which represent the actions that need to be executed.
The processing of the rules is sequential and you can use them as a powerful set of variables and comparison operators. If the conditions are met, the Behaviors of each rule are executed until all the rules are processed.
Rule Set details
Section titled Rule Set detailsAn Edge Firewall Rule Set is composable by:
- Identification name, visible from the Rule Set list.
- Description, visible from the Rule Set list.
- Criteria.
- Behaviors.
- Active switch, to enable/disable without deleting it.
Criteria
Section titled CriteriaCriteria determines the set of conditions that need to be met for the execution of Behaviors. The availability of criteria depends on the enabled modules of your Edge Firewall.
go to Edge Firewall modules referenceCriteria variables
Section titled Criteria variablesThese are all the Criteria variables you can set:
| Criteria | Description | Requirements |
|---|---|---|
| Header Accept | Header that tells you what types of media the customer accepts for the response. | Web Application Firewall |
| Header Accept-Encoding | Header that tells you what types of content encoding, usually compression algorithms, that the client accepts for the response. | Web Application Firewall |
| Header Accept-Language | Header that informs the expected language. | Web Application Firewall |
| Header Cookie | Header containing the cookies sent by the client in the request to the server. | Web Application Firewall |
| Header Origin | Header that informs the origin of a cross-site access request or a preflight request. The source is a URI indicating the name of the server, with no path information. | Web Application Firewall |
| Header Referer | Header indicating the address of the document, or element in a document, from which the request’s URI was obtained. | Web Application Firewall |
| Header User Agent | Header with a characteristic string that allows servers to identify the application, operating system, vendor, and/or version of the device. | Web Application Firewall |
| Request Args | All arguments sent by the user in the request string (query string). | Web Application Firewall |
| Network | The IP address of the client making the HTTP request, which can be used for any network comparison (CIDR, ASN or Country). | Network Layer Protection |
| Hostname | In order of precedence: the hostname of the request line, or the value of the Host header field of the request, or the name of the server serving the request. | - |
| Request Method | The request’s HTTP method. For example: GET, POST, PUT, etc. | - |
| Request URI | This relates to the ${uri} variable from Rules Engine for Edge Applications. The normalized (urldecoded) URI of the request. The value of ${uri} can change during the processing of a request, for example, when an internal redirect occurs or when index files are used. It doesn’t carry the Query String parameters as ${request_uri} do. | - |
| Scheme | The scheme of the request: HHTP or HTTPS. | - |
| Client Certificate Validation | Server process to authenticate client digital certificate. | - |
| SSL Verification Status | Server result to client certificate validation. It can be Success, when the client certificate validation passed; Certificate Verification Error, when the client certificate wasn’t valid; and Missing Client Certificate, when the client certificate wasn’t sent in the request. | - |
Comparison Operators
Section titled Comparison OperatorsThe condition for the execution of a rule must be the comparison of a variable with an argument. The comparison operators are:
| Operator | Description | Argument |
|---|---|---|
| is equal | The value of the variable is equal to the argument, compared character by character. | string |
| is not equal | The value of the variable isn’t exactly the same as the argument. | string |
| starts with | The value of the variable starts with the argument. | string |
| does not start with | The value of the variable doesn’t start with the argument. | string |
| matches | The value of the variable matches the regular expression or list entered as an argument. | regular expression or list |
| does not match | The value of the variable doesn’t match the regular expression entered as an argument. | regular expression or list |
| exists | The variable has a defined value. For example, Request Args exists if an argument is sent in the request’s query string. | - |
| does not exist | The variable doesn’t have a defined value. For example, Request Args doesn’t exist if an argument is sent in the request’s query string. | - |
Logic Operators
Section titled Logic OperatorsMultiple conditions can be defined using the logical operators and and or.
If explicit precedence is required, you can add multiple criteria groups under the and logic.
Behaviors
Section titled BehaviorsIn Behavior, you add the action commands you want to perform if the rule’s criteria are met.
These are all the available behaviors:
| Behavior | Description | Requirements |
|---|---|---|
| Deny (403 Forbidden) | It closes the request with HTTP 403 Forbidden response. | - |
| Drop (Close Without Response) | It closes the request without responding to the customer. | - |
| Set Rate Limit | It defines an access rate limit that, if exceeded, will result in an HTTP 429 Too Many Requests response. To configure the Rate Limit, you must inform:Type is the field to select the type of request for the Rate Limit, choosing Req/s (request per second) or Req/Min (request per minute). Average Rate Limit, which is the limit rate itself by second. Client IP address, if you want the access rate to be counted by the client’s IP address or Global, if you want total access rate counted. Maximum burst size, which indicates the maximum burst size of HTTP requests sent simultaneously, which will be queued and dispatched gradually, respecting the limit rate.The configured value will be the Rate Limit for each Azion Edge Node, implemented using the Leaky Bucket algorithm. It’s recommended to use Maximum burst size at a maximum of 10 times of the value configured in Average Rate Limit, which would result in penalizing the last request for a burst with up to a 10 second delay. | - |
| Set WAF Rule Set | It associates the WAF Rule Set to be used in the request. WAF policies must be previously configured in the Edge Libraries > WAF Rules. | Web Application Firewall |
| Run a Function | It runs a function specified as a parameter. The function must have been previously instantiated and parameterized in the Functions tab in order to be used. | Edge Functions |
| Set Custom Response | It allows a customized response when the request matches the criteria. You can customize the Status Code by changing it from 200 to 499, Content Type header, and Content Body of your request with a maximum of 500 characters. | - |
Contributors
