Application WAF Whitelist

Directory Structure

|-- waf_whitelist/
  |-- waf_whitelist.yaml
  |-- ...

The YAML files can contain one or more application WAF whitelist configurations.

Configuration Description

Each WAF whitelist configuration is an object containing the following parameters:

Parameter Name   Data Type   Required   Description
conditions       array       Yes        List of conditions to trigger the whitelist
rules            array       Yes        List of WAF rules to ignore

conditions Configuration

Refer to Page Rules - Conditions

rules Configuration

Parameter Name   Data Type   Required   Description
rule_set_name    string      Yes        Name of the WAF rule set
rule_names       array       No         List of specific rule names to ignore

Configuration Example

- conditions:
  - var: uri
    op: eq
    val: /hello
  rules:
  - rule_set_name: scanner_detection
    rule_names:
    - '913100'
    - '913110'
  - rule_set_name: protocol_enforcement

This configuration defines one WAF whitelist containing two rule entries, using rule set names and rule names to specify which rules to ignore.

The values '913100' and '913110' are ModSecurity rule IDs, which OpenResty Edge uses as rule names; they must be quoted so that YAML loads them as strings rather than integers. When using custom rule sets, you can specify your own rule names.

Usage Example

Update configuration to OpenResty Edge:

edge-config -u https://192.168.1.1 -s -t 2051e780-1897-4ea0-92b4-2c2f0169aa94 -l waf_whitelist -i /root/oredge-configs -d test.com

Export configuration from OpenResty Edge:

edge-config -u https://192.168.1.1 -s -t 2051e780-1897-4ea0-92b4-2c2f0169aa94 -E -l waf_whitelist -d test.com

Cleanup WAF whitelist from OpenResty Edge:

edge-config -u https://192.168.1.1 -s -t 2051e780-1897-4ea0-92b4-2c2f0169aa94 -c -l waf_whitelist -d test.com

The above examples all use -l waf_whitelist to specify that the command-line tool will operate only on configurations related to the WAF whitelist.

Notes

  1. Each whitelist rule must include both conditions and rules sections.

  2. Each condition in conditions must include var, op, and val (or vals) fields.

  3. Each rule in rules must include rule_set_name; rule_names is optional.

  4. If using rule_set_name, ensure the name exists in the global WAF rule sets.

  5. If rule_names is specified, only listed rules will be ignored; otherwise, the entire rule set will be ignored.

  6. When importing configurations, the tool will first delete all existing WAF whitelists and then add new whitelist rules.

  7. Whitelist rules are processed in reverse order of their appearance in the configuration file, i.e., the last defined rule will be processed first.

  8. The tool will convert rule set IDs to the corresponding rule set names for better readability when exporting configurations.

  9. The tool will print a warning message during export if the application doesn't exist.

  10. WAF whitelists can help reduce false positives, but overuse may compromise security, so configure with caution.

  11. The tool automatically converts rule set names to the corresponding IDs when processing configurations.
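Because an import first deletes every existing whitelist (note 6), it is worth checking a waf_whitelist.yaml against the constraints in notes 1 to 5 before running edge-config. The following validator is an added example, not part of the edge-config tool; it operates on the data structure yaml.safe_load would return, the known rule set names and the sample entries are constructed, and the scope summary follows the reverse processing order of note 7.

```python
# Added example (not part of edge-config): check loaded waf_whitelist.yaml
# entries against the documented constraints and summarise what they disable.
# KNOWN_RULE_SETS stands in for the global WAF rule sets (constructed here).
KNOWN_RULE_SETS = {"scanner_detection", "protocol_enforcement"}
COND_KEYS = ("var", "op")

def validate_whitelist(entries, known_rule_sets=KNOWN_RULE_SETS):
    """Return a list of error strings; an empty list means the config is valid."""
    errors = []
    if not isinstance(entries, list):
        return ["top level must be a list of whitelist configurations"]
    for i, wl in enumerate(entries):
        where = f"whitelist[{i}]"
        if not isinstance(wl, dict) or "conditions" not in wl or "rules" not in wl:
            errors.append(f"{where}: must include both 'conditions' and 'rules'")
            continue
        for j, cond in enumerate(wl["conditions"] or []):
            missing = [k for k in COND_KEYS if k not in cond]
            if missing or not ("val" in cond or "vals" in cond):
                errors.append(f"{where}.conditions[{j}]: needs var, op and val (or vals)")
        for j, rule in enumerate(wl["rules"] or []):
            rs = rule.get("rule_set_name")
            if not rs:
                errors.append(f"{where}.rules[{j}]: rule_set_name is required")
            elif rs not in known_rule_sets:
                errors.append(f"{where}.rules[{j}]: unknown rule set '{rs}'")
            # rule_names is optional, but each entry must be a string: an
            # unquoted ModSecurity ID such as 913100 loads from YAML as an int
            for name in rule.get("rule_names") or []:
                if not isinstance(name, str):
                    errors.append(f"{where}.rules[{j}]: rule name {name!r} must be a quoted string")
    return errors

def ignored_scope(entries):
    """List (rule_set_name, rule_names) per rule entry in processing order
    (last defined first); rule_names None means the whole set is ignored."""
    scope = []
    for wl in reversed(entries):
        for rule in wl.get("rules") or []:
            names = rule.get("rule_names")
            scope.append((rule["rule_set_name"], tuple(names) if names else None))
    return scope

# Constructed samples: VALID mirrors the page's example after YAML loading,
# BAD has a condition without val, an unquoted ID and a missing rule_set_name.
VALID = [{"conditions": [{"var": "uri", "op": "eq", "val": "/hello"}],
          "rules": [{"rule_set_name": "scanner_detection", "rule_names": ["913100", "913110"]},
                    {"rule_set_name": "protocol_enforcement"}]}]
BAD = [{"conditions": [{"var": "uri", "op": "eq"}],
        "rules": [{"rule_set_name": "scanner_detection", "rule_names": [913100, "913110"]},
                  {"rule_names": ["1"]}]},
       {"conditions": []}]
```

Entries whose scope shows None disable an entire rule set, which is the overuse note 10 warns about, so those deserve a second look before import.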