When writing your own firewall rules it's important to first take note of a few ways that Ambassador Edge Stack's
- Requests are either denied or allowed, redirects and dropped requests are not supported
- If you have a rule in your firewall configuration that specifies the
denyaction and you do not specify a
status, then we will default to using status code
- State is not preserved across the different phases of proceeing a request. For this reason it is advised to use early blocking mode rather than anamoly scoring mode and to avoid creating any firewall rules that require state or information created by rules in a different phase. For more information about waf phases refer to the Coraza Seclang Execution Flow docs.
Ambassador Labs publishes and maintains a set of firewall rules that are ready to use. The latest version of the Ambassador Labs Web Application Firewall ruleset can be downloaded with these commands:
Each file must be imported into Ambassador Edge Stack's Web Application Firewall in the following order:
The Ambassador Labs ruleset largely focuses on incoming requests and by default it does not perform processing on response bodies from upstream services to minimize the request round-trip latency.
If processing of responses is desired, then you can create your own custom rule set or add additional rules to be loaded after the Ambassador Labs ruleset to add custom validation of responses from upstream services.
If you are adding rules to process response bodies after the Ambassador Labs ruleset, then you will need to set
SecResponseBodyAccess On in your rules to enable access to the response body.
If you'd like to customize the Ambassador Labs default ruleset, you can load your own files before or after waf-rules.conf. Keep in mind that the
WebApplicationFirewall resource loads firewall configurations via a list of rules sources, and sources lower in the list can overwrite rules and settings from sources higher in the list. See files REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example for more information.
Initial version of Ambassador Edge Stack's Web Application Firewall rules.