英文:
Azure WAF with Application Gateway and Custom Domains
问题
我已设置一个带有WAF的Application Gateway V2和一些Web应用程序。
我还为Web应用程序设置了自定义域,网关的监听器将重定向到与网关监听的域相关联的Web应用程序。
假设我想要阻止外部访问不同Web应用程序的特定URL(在这种情况下包含admin或anotheradmin)。
www.webapp1.com/admin
www.webapp2.com/anotheradmin
因此,我可以配置WAF:“如果请求URI包含admin/anotheradmin,则拒绝”。
设置此规则将对WAF后面的每个Web应用程序全局生效。
是否有一种方法可以为特定的Web应用程序或域设置规则?
我想要实现以下操作:
“如果请求URI包含admin,则阻止www.webapp1.com的流量” 或
“如果请求URI包含anotheradmin,则阻止www.webapp2.com的流量”。
谢谢
英文:
I have set up an Application Gateway V2 with a WAF and some Web Apps.
I also have set up custom domains for the Web Apps and the listeners of the Gateway are redirecting to the Web App which belongs to the domain the Gateway is listening at.
Let's assume I want to block access from external for specific URLs of the different Web Apps (in this case containing f.e. admin or anotheradmin).
www.webapp1.com/admin
www.webapp2.com/anotheradmin
So I can configure the WAF "deny if requesturi contains admin/anotheradmin".
Setting up this rule will be global for every Web App behind the WAF.
Is there a way to set up a rule for a specific Web App or domain?
I would like to do this:
"block traffic for www.webapp1.com if requesturi contains admin" or
"block traffic for www.webapp2.com if requesturi contains anotheradmin"
Thank you
答案1
得分: 1
是的,可以在单个应用程序上实现此目标,而不是在全局级别配置WAF规则。为每个域创建单独的监听器,并将监听器关联到包含Web应用程序的适当后端池,以定义WAF规则。
使用WAF创建了Application Gateway V2:
在Application Gateway WAF策略中添加自定义规则如下:
即使您有全局策略,如果根据配置创建特定于监听器或路径的策略,您可以创建WAF策略并拒绝流量。通常,每个站点的策略优先于全局策略,全局策略为最低优先级。
在自定义规则中,如果要阻止来自外部站点的访问,可以阻止来自一系列IP地址的流量。
在匹配类型中选择IP地址匹配变量为remoteaddr,保持操作为'Not',如果操作不包含您的范围,将被拒绝。只有虚拟网络范围可以被允许,其他所有内容都将被拒绝。
确保在Waf策略中包括必要的规则,并将策略分配给Web应用程序的监听器。
参考资料:
Azure Web Application Firewall (WAF) v2 custom rules on Application Gateway | Microsoft Learn
To restrict a domain from public access in Azure - Microsoft
英文:
Yes, instead of configuring WAF rules at the global level this can be achieved on individual Application. Create a separate listener for each domain and associate the listener to the appropriate backend pool containing the web app in order to define a WAF rule.
Created Application gateway V2 with WAF:
In Application gateway WAF policy add custom rule like below:
> Even you have global policy if you create listener specific or path specific depending upon configuration you can create waf policy and deny traffic. Usually per-site policy will be preferred than global policy, global policy as least preference.
In custom rule if you to block this access from external site you can block traffic coming from a range of IP addresses
In match type select Ip address match variable as remoteaddr keep operation as 'Not' if the operation does not contain your range, it will be denied. Only the virtual network range can be permitted everything else will be rejected.
Make sure in Waf policy to include the necessary rules and assign the policy to the listeners for the web apps.
References:
Azure Web Application Firewall (WAF) v2 custom rules on Application Gateway | Microsoft Learn
To restrict a domain from public access in Azure - Microsoft
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论