Layer 7 Custom Rules

Custom rules for Layer 7 services can be defined in the "Filtering" page for the Layer 7 (HTTP/HTTPS) port.

Introduction

A rule is made up of multiple expressions; all expressions must match for the target action to be applied. A target action is either a whitelist (ACCEPT) or a blacklist (DROP), with or without a rate limit. Rate limits consist of both a global (per rule) component and a client (e.g. per IP) component. Whitelisted search agents and other whitelisted clients may not be affected by user custom rules. An ACCEPT target (rate limit) runs early in the mitigation process, while a DROP runs later.

Match Expressions:

Name                     Type      Example                                   Notes
HttpVersion              String    HttpVersion() == "1.0"
HttpHost                 String    HttpHost() != "google.com"
HttpHeader.Exists        Boolean   HttpHeader.Exists("connection")           Header name lower case, underscore not dash
RequestMethod            String    RequestMethod() == "POST"
RequestUri[#]            Number    RequestUri[#]() == 3
RequestUri.Full          String    RequestUri.Full() == "/test"
RequestUri.Regex         Boolean   RequestUri.Regex("^/bad/[0-9]+")
RequestQueryString       Boolean   RequestQueryString("key","value")
RequestQueryString[#]    Number    RequestQueryString[#]() == 3
UserAgent.Full           String    UserAgent.Full() == "bad actor"
UserAgent.Regex          Boolean   UserAgent.Regex("bots?")
Client.Ip                String    Client.Ip() == "1.1.1.1"
Client.ASN               Number    Client.ASN() == 123
Client.Country           String    Client.Country() == "AU"

Targets

  • Drop (All): Drop all traffic matching the rule
  • Drop Rate (Blacklist): Drops all traffic if the traffic from a client exceeds the user-configured rate, or if the total hits on the rule exceed the separate rule rate
  • Accept Rate (Whitelist): Accepts all traffic (bypassing all reasonable mitigation) as long as the traffic stays below the configured rate for the client and below the separate rate for the rule itself.

Examples

Example 1: Whitelist all Authenticated traffic from a specific API client to the API

Match: HttpHeader.Exists("authorization") && UserAgent.Regex("^ApiClient/v[0-9]+$") && RequestUri.Regex("^/api/")

Target Type: Accept Rate (Whitelist)

Client (IP) Limit (per second): 10/s

Global Limit (per second): 100/s (10 clients simultaneously maxing the limit)

Window: 1 minute

Example 2: Drop all traffic carrying a given HTTP header

Match: HttpHeader.Exists("authorization")

Target Type: Drop (All)

Example 3: Limit traffic to API

Match: RequestUri.Regex("^/api/")

Target Type: Drop Rate (Blacklist)

Client (IP) Limit (per second): 1/s

Global Limit (per second): 100/s (global limit)

Window: 1 minute

Not Enough?

Not able to achieve a legitimate goal? An expression not meeting your needs? Then please do contact support. Please be sure to fully describe your use case and any ideas you have in resolving it.