Layer 7 Custom Rules
Custom rules for Layer 7 services can be defined in the "Filtering" page for the Layer 7 (HTTP/HTTPS) port.
A rule is made up of multiple expressions; all expressions must match for the target action to be applied. A target action is either a whitelist operation (ACCEPT) or a blacklist operation (DROP), with or without a rate limit. Rate limits consist of both a global (per rule) component and a client (e.g. per IP) component. Whitelisted search agents and other whitelisted clients may not be affected by user custom rules. An ACCEPT target (rate limit) runs early in the mitigation process, while a DROP runs later.
The language supports expressions separated by && and ||, giving precedence to &&. Comparison operators such as ==, !=, >, >= and < are available. Language constants true and false are also available.
| Function | Type | Example | Notes |
|---|---|---|---|
| HttpVersion | String | HttpVersion() == "1.0" | |
| HttpHost | String | HttpHost() != "google.com" | |
| HttpHeader.Get | String | HttpHeader.Get("content_type") | Header name lower case, underscore not dash |
| HttpHeader.Exists | Boolean | HttpHeader.Exists("connection") | Header name lower case, underscore not dash |
| RequestLength | Numeric | RequestLength() > 3 | |
| RequestMethod | String | RequestMethod() == "POST" | |
| RequestUri[#] | Number | RequestUri[#]() == 3 | |
| RequestUri.Full | String | RequestUri.Full() == "/test" | |
| RequestQueryString | Boolean | RequestQueryString("key","value") | Matches if the key equals the value |
| RequestQueryString | Boolean | RequestQueryString("key") | Matches if the key exists |
| RequestQueryString[#] | Number | RequestQueryString[#]() == 3 | |
| UserAgent.Full | String | UserAgent.Full() == "bad actor" | |
| Client.Ip | String | Client.Ip() == "22.214.171.124" | |
| Client.ASN | Number | Client.ASN() == 123 | |
| Client.Country | String | Client.Country() == "AU" | |
| Connection.SuspectVPN | Boolean | Connection.SuspectVPN() | Detects certain Layer 4 VPN clients |
| Connection.MSS | Numeric | Connection.MSS() | Layer 4 TCP MSS |
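To make the matching semantics concrete (every expression of a rule must match, `||` only combines terms inside one expression), here is a small Python model of the table's functions bound to a parsed request. This is an added example, not the provider's rule engine. Dots in the page's function names become underscores here (HttpHeader.Get becomes HttpHeader_Get, RequestUri[#] becomes RequestUri_Count); treating RequestUri[#] as the number of path segments, RequestLength as the byte length of the whole request and RequestUri.Full as the path without its query string are this example's assumptions. The two sample requests are constructed, not captured traffic.

```python
# Added example, not the provider's rule engine: a Python model of the
# expression functions in the table so a rule can be exercised offline.
# Assumptions: RequestUri[#] = number of path segments, RequestLength = byte
# length of the whole request, RequestUri.Full = path without query string.
import re
from urllib.parse import parse_qs, urlsplit


def parse_request(raw: bytes, client_ip: str) -> dict:
    """Parse a raw HTTP/1.x request into the values the rule functions read."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, proto = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Table convention: header names lower case, underscore instead of dash
        headers[name.strip().lower().replace("-", "_")] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "version": proto.split("/", 1)[1],
        "host": headers.get("host", ""),
        "headers": headers,
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "body": body,
        "length": len(raw),
        "client_ip": client_ip,
    }


class Functions:
    """The table's functions bound to one parsed request."""

    def __init__(self, req: dict):
        self.r = req

    def HttpVersion(self): return self.r["version"]
    def HttpHost(self): return self.r["host"]
    def HttpHeader_Get(self, name): return self.r["headers"].get(name, "")
    def HttpHeader_Exists(self, name): return name in self.r["headers"]
    def RequestLength(self): return self.r["length"]
    def RequestMethod(self): return self.r["method"]
    def RequestUri_Full(self): return self.r["path"]
    def RequestUri_Regex(self, pattern): return re.search(pattern, self.r["path"]) is not None
    def RequestUri_Count(self): return len([s for s in self.r["path"].split("/") if s])
    def RequestQueryString_Count(self): return len(self.r["query"])
    def UserAgent_Full(self): return self.r["headers"].get("user_agent", "")
    def UserAgent_Regex(self, pattern): return re.search(pattern, self.UserAgent_Full()) is not None
    def Client_Ip(self): return self.r["client_ip"]

    def RequestQueryString(self, key, value=None):
        """One argument: does the key exist; two arguments: does it equal the value."""
        values = self.r["query"].get(key)
        if values is None:
            return False
        return True if value is None else value in values


def evaluate_rule(expressions, req: dict) -> bool:
    """A rule matches only when every expression matches (the page's AND
    semantics); `||` inside one expression is plain Python `or`."""
    f = Functions(req)
    return all(expr(f) for expr in expressions)


# The Anti Spam pre-filter rule from the page, written as one expression
ANTI_SPAM_PREFILTER = [
    lambda f: f.RequestMethod() != "POST"
    or f.RequestLength() >= 8388608
    or f.HttpHeader_Get("content_type") != "application/x-www-form-urlencoded",
]

# Example 1 from the page: three expressions that must all match
API_WHITELIST = [
    lambda f: f.HttpHeader_Exists("authorization"),
    lambda f: f.UserAgent_Regex(r"^ApiClient/v[0-9]+$"),
    lambda f: f.RequestUri_Regex(r"^/api/"),
]

# Constructed sample requests (not captured traffic)
FORM_POST = (b"POST /post/new HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 9\r\n\r\ntitle=hi!")
API_GET = (b"GET /api/items?limit=5 HTTP/1.1\r\nHost: example.test\r\n"
           b"Authorization: Bearer constructed-token\r\n"
           b"User-Agent: ApiClient/v2\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("form post", FORM_POST), ("api get", API_GET)):
        req = parse_request(raw, "203.0.113.5")
        print(name, "| pre-filter matches:", evaluate_rule(ANTI_SPAM_PREFILTER, req),
              "| api whitelist matches:", evaluate_rule(API_WHITELIST, req))
```

Running it shows the form post passing the pre-filter (none of its OR terms hold, so the Hard Drop rule does not fire) and the API request matching all three whitelist expressions; swap the User-Agent for anything not matching `^ApiClient/v[0-9]+$` and the whitelist stops matching, which is the behaviour a rule of AND-ed expressions should have.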
Targets control what happens when a rule is matched. The available targets are described below.
Performs user verification as per the port's mitigation settings (Automated or CAPTCHA).
Drop All: Hard Disconnect
Rejects the request and disconnects the user's connection.
Drop Rate (Blacklist)
Drops all traffic from a client once the traffic from that client exceeds the user-configured rate, or once the total hits on the rule exceed the separate global rate.
Accept Rate (Whitelist)
Accepts all traffic (bypassing all reasonable mitigation) as long as the traffic from the client is below the configured client rate and the total hits on the rule are below the separate global rate.
Anti Spam Target Alpha
This target is available to enable our customers to target specific spammers and spam runs without software modification. This target injects a CAPTCHA page after the submission of the form, but before transmission of form data to the backend server.
Limitations:
- Limited to POST requests
- Limited to requests of less than 8MB in size
- Limited to requests of type application/x-www-form-urlencoded; this means no file uploads or multipart submissions.
RequestMethod() == "POST" && RequestUri.Regex("^/post/new") -> Anti Spam
It is recommended that filtering be performed either on your backend or as additional custom rules to remove requests that do not meet these conditions, for example:
RequestMethod() != "POST" || RequestLength() >= 8388608 || HttpHeader.Get("content_type") != "application/x-www-form-urlencoded" -> Hard Drop
Example 1: Whitelist all authenticated traffic from a specific API client to the API
HttpHeader.Exists("authorization") && UserAgent.Regex("^ApiClient/v[0-9]+$") && RequestUri.Regex("^/api/")
Target Type: Accept Rate (Whitelist)
Client (IP) Limit (per second): 10/s
Global Limit (per second): 100/s (10 clients simultaneously maxing the client limit)
Window: 1 minute
Example 2: Drop all traffic with HTTP header
Target Type: Drop (All)
Example 3: Limit traffic to API
Target Type: Drop Rate (Blacklist)
Client (IP) Limit (per second): 1/s
Global Limit (per second): 100/s (global limit)
Window: 1 minute
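The Accept Rate and Drop Rate targets described above, and the limit settings of Examples 1 and 3, can be modelled with a sliding window that tracks hits per client and hits per rule. The following is an added example and not the provider's implementation; it assumes that a limit of N/s with a window of W seconds allows at most N*W hits in any trailing W-second span (per client for the client limit, per rule for the global limit), and the names RateTarget, decide, simulate and the decision strings ACCEPT, DROP and CONTINUE are this example's own.

```python
# Added example, not the provider's implementation: a sliding-window model of
# the Accept Rate (Whitelist) and Drop Rate (Blacklist) targets with their
# client and global components. Assumption: N/s over a window of W seconds
# allows at most N*W hits in any trailing W-second span.
from collections import defaultdict, deque


class RateTarget:
    def __init__(self, kind: str, client_per_sec: float,
                 global_per_sec: float, window_sec: float):
        if kind not in ("accept", "drop"):
            raise ValueError("kind must be 'accept' (whitelist) or 'drop' (blacklist)")
        self.kind = kind
        self.window = window_sec
        self.client_max = client_per_sec * window_sec   # per client (e.g. per IP)
        self.global_max = global_per_sec * window_sec   # per rule, all clients
        self.client_hits = defaultdict(deque)           # ip -> timestamps in window
        self.global_hits = deque()                      # every hit on this rule

    def _count(self, hits: deque, now: float) -> int:
        """Record a hit at `now`, expire hits older than the window, return the count."""
        hits.append(now)
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        return len(hits)

    def decide(self, client_ip: str, now: float) -> str:
        c = self._count(self.client_hits[client_ip], now)
        g = self._count(self.global_hits, now)
        within = c <= self.client_max and g <= self.global_max
        if self.kind == "accept":
            # Whitelist: bypass mitigation only while both rates hold,
            # otherwise fall through to the normal mitigation process
            return "ACCEPT" if within else "CONTINUE"
        # Blacklist: pass while both rates hold, drop once either is exceeded
        return "CONTINUE" if within else "DROP"


def simulate(target: RateTarget, events) -> list:
    """events: iterable of (timestamp_seconds, client_ip) in time order."""
    return [target.decide(ip, t) for t, ip in events]


def example3_single_client(hits: int) -> list:
    """Example 3: Drop Rate, 1/s per client, 100/s global, 1 minute window.
    Constructed burst: one client sending `hits` requests 0.5 s apart."""
    target = RateTarget("drop", 1, 100, 60)
    return simulate(target, ((i * 0.5, "203.0.113.7") for i in range(hits)))


def example1_single_client(hits: int) -> list:
    """Example 1: Accept Rate, 10/s per client, 100/s global, 1 minute window.
    Constructed burst: one client sending `hits` requests 0.05 s apart."""
    target = RateTarget("accept", 10, 100, 60)
    return simulate(target, ((i * 0.05, "203.0.113.7") for i in range(hits)))


if __name__ == "__main__":
    d = example3_single_client(61)
    print("example 3: first DROP at hit", d.index("DROP") + 1)
    a = example1_single_client(601)
    print("example 1: whitelist bypass ends at hit", a.index("CONTINUE") + 1)
```

Two properties worth checking against this model: with Example 3's settings a single client is passed for 60 hits inside the minute and dropped from the 61st, and with Example 1's settings the whitelist bypass stops at the 601st hit from one client, while a handful of clients that together exceed the global limit lose the bypass even though none of them exceeds its own client limit.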
Not able to achieve a legitimate goal? An expression not meeting your needs? Then please do contact support. Please be sure to fully describe your use case and any ideas you have in resolving it.