diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001071109079.png b/doc/best-practice/source/_static/images/en-us_image_0000001071109079.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001071109079.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001072317940.png b/doc/best-practice/source/_static/images/en-us_image_0000001072317940.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001072317940.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001072396759.png b/doc/best-practice/source/_static/images/en-us_image_0000001072396759.png new file mode 100644 index 0000000..c48e417 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001072396759.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001072637202.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001072637202.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001072637202.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001072637504.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001072637504.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001072637504.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001072768952.png b/doc/best-practice/source/_static/images/en-us_image_0000001072768952.png new file mode 100644 index 0000000..49da9f8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001072768952.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001111161846.png b/doc/best-practice/source/_static/images/en-us_image_0000001111161846.png new file mode 100644 index 0000000..86aaed0 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001111161846.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001111161960.png b/doc/best-practice/source/_static/images/en-us_image_0000001111161960.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001111161960.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001111321856.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001111321856.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001111321856.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001132757446.png b/doc/best-practice/source/_static/images/en-us_image_0000001132757446.png new file mode 100644 index 0000000..6a16897 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001132757446.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001154964427.png b/doc/best-practice/source/_static/images/en-us_image_0000001154964427.png new file mode 100644 index 0000000..ddfea71 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001154964427.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001159784637.png b/doc/best-practice/source/_static/images/en-us_image_0000001159784637.png new file mode 100644 index 0000000..f92d289 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001159784637.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001171051129.png b/doc/best-practice/source/_static/images/en-us_image_0000001171051129.png new file mode 100644 index 0000000..59093aa Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001171051129.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001176153064.png b/doc/best-practice/source/_static/images/en-us_image_0000001176153064.png new file mode 100644 index 0000000..6e08b00 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001176153064.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001182529643.png b/doc/best-practice/source/_static/images/en-us_image_0000001182529643.png new file mode 100644 index 0000000..be77469 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001182529643.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001192108582.png b/doc/best-practice/source/_static/images/en-us_image_0000001192108582.png new file mode 100644 index 0000000..55ec0c0 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001192108582.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001192109594.png b/doc/best-practice/source/_static/images/en-us_image_0000001192109594.png new file mode 100644 index 0000000..8c2847f Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001192109594.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001192348152.png b/doc/best-practice/source/_static/images/en-us_image_0000001192348152.png new file mode 100644 index 0000000..ff474fe Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001192348152.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001192428132.png b/doc/best-practice/source/_static/images/en-us_image_0000001192428132.png new file mode 100644 index 0000000..571f2a4 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001192428132.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001192435242.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001192435242.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001192435242.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001193876233.png b/doc/best-practice/source/_static/images/en-us_image_0000001193876233.png new file mode 100644 index 0000000..2b7e9cc Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001193876233.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001206567877.png b/doc/best-practice/source/_static/images/en-us_image_0000001206567877.png new file mode 100644 index 0000000..92d43d5 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001206567877.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001206741713.png b/doc/best-practice/source/_static/images/en-us_image_0000001206741713.png new file mode 100644 index 0000000..146aba5 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001206741713.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001212182863.png b/doc/best-practice/source/_static/images/en-us_image_0000001212182863.png new file mode 100644 index 0000000..2170fbb Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001212182863.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001212341441.png b/doc/best-practice/source/_static/images/en-us_image_0000001212341441.png new file mode 100644 index 0000000..3c2ecd9 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001212341441.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001221411281.png b/doc/best-practice/source/_static/images/en-us_image_0000001221411281.png new file mode 100644 index 0000000..6e08b00 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001221411281.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001221468471.png b/doc/best-practice/source/_static/images/en-us_image_0000001221468471.png new file mode 100644 index 0000000..34e1a72 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001221468471.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001221668531.png b/doc/best-practice/source/_static/images/en-us_image_0000001221668531.png new file mode 100644 index 0000000..19b0e9b Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001221668531.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001229995391.png b/doc/best-practice/source/_static/images/en-us_image_0000001229995391.png new file mode 100644 index 0000000..82feae2 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001229995391.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001236748339.png b/doc/best-practice/source/_static/images/en-us_image_0000001236748339.png new file mode 100644 index 0000000..b674ec4 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001236748339.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001236914655.png b/doc/best-practice/source/_static/images/en-us_image_0000001236914655.png new file mode 100644 index 0000000..54f48b0 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001236914655.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001237195219.png b/doc/best-practice/source/_static/images/en-us_image_0000001237195219.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001237195219.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001237388053.png b/doc/best-practice/source/_static/images/en-us_image_0000001237388053.png new file mode 100644 index 0000000..c1a85bb Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001237388053.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001238311660.png b/doc/best-practice/source/_static/images/en-us_image_0000001238311660.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001238311660.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001238763806.png b/doc/best-practice/source/_static/images/en-us_image_0000001238763806.png new file mode 100644 index 0000000..6ee3d50 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001238763806.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001238764182.png b/doc/best-practice/source/_static/images/en-us_image_0000001238764182.png new file mode 100644 index 0000000..115d2a3 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001238764182.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001238834194.png b/doc/best-practice/source/_static/images/en-us_image_0000001238834194.png new file mode 100644 index 0000000..6e43f2e Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001238834194.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001242204650.png b/doc/best-practice/source/_static/images/en-us_image_0000001242204650.png new file mode 100644 index 0000000..c642910 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001242204650.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001256705644.png b/doc/best-practice/source/_static/images/en-us_image_0000001256705644.png new file mode 100644 index 0000000..6ecee2c Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001256705644.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001272174225.png b/doc/best-practice/source/_static/images/en-us_image_0000001272174225.png new file mode 100644 index 0000000..9ef3530 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001272174225.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001282711981.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001282711981.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001282711981.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001282874141.png b/doc/best-practice/source/_static/images/en-us_image_0000001282874141.png new file mode 100644 index 0000000..930cfd6 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001282874141.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001283050129.png b/doc/best-practice/source/_static/images/en-us_image_0000001283050129.png new file mode 100644 index 0000000..a8d256c Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001283050129.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001283085125.png b/doc/best-practice/source/_static/images/en-us_image_0000001283085125.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001283085125.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001283122541.png b/doc/best-practice/source/_static/images/en-us_image_0000001283122541.png new file mode 100644 index 0000000..036deb3 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001283122541.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001283205921.png b/doc/best-practice/source/_static/images/en-us_image_0000001283205921.png new file mode 100644 index 0000000..ba54a79 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001283205921.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001295016484.png b/doc/best-practice/source/_static/images/en-us_image_0000001295016484.png new file mode 100644 index 0000000..7690c1e Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001295016484.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001298073589.png b/doc/best-practice/source/_static/images/en-us_image_0000001298073589.png new file mode 100644 index 0000000..fb84e87 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001298073589.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001316517938.png b/doc/best-practice/source/_static/images/en-us_image_0000001316517938.png new file mode 100644 index 0000000..b4249a8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001316517938.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001323616946.png b/doc/best-practice/source/_static/images/en-us_image_0000001323616946.png new file mode 100644 index 0000000..8932f17 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001323616946.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001341710881.png b/doc/best-practice/source/_static/images/en-us_image_0000001341710881.png new file mode 100644 index 0000000..912095d Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001341710881.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001347102697.png b/doc/best-practice/source/_static/images/en-us_image_0000001347102697.png new file mode 100644 index 0000000..12443e7 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001347102697.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001367981573.png b/doc/best-practice/source/_static/images/en-us_image_0000001367981573.png new file mode 100644 index 0000000..d63d6ca Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001367981573.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001369344100.png b/doc/best-practice/source/_static/images/en-us_image_0000001369344100.png new file mode 100644 index 0000000..68c8d9d Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001369344100.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001369483086.png b/doc/best-practice/source/_static/images/en-us_image_0000001369483086.png new file mode 100644 index 0000000..5fd5999 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001369483086.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001369501992.png b/doc/best-practice/source/_static/images/en-us_image_0000001369501992.png new file mode 100644 index 0000000..dd682e6 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001369501992.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001369643058.png b/doc/best-practice/source/_static/images/en-us_image_0000001369643058.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001369643058.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001369661940.png b/doc/best-practice/source/_static/images/en-us_image_0000001369661940.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001369661940.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001369683888.png b/doc/best-practice/source/_static/images/en-us_image_0000001369683888.png new file mode 100644 index 0000000..cd48111 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001369683888.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001374386301.png b/doc/best-practice/source/_static/images/en-us_image_0000001374386301.png new file mode 100644 index 0000000..8932f17 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001374386301.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001402875172.png b/doc/best-practice/source/_static/images/en-us_image_0000001402875172.png new file mode 100644 index 0000000..e42a07d Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001402875172.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001420363093.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001420363093.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001420363093.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001420492921.png b/doc/best-practice/source/_static/images/en-us_image_0000001420492921.png new file mode 100644 index 0000000..74513cf Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001420492921.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001420502081.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001420502081.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001420502081.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001423609253.png b/doc/best-practice/source/_static/images/en-us_image_0000001423609253.png new file mode 100644 index 0000000..ac3bbac Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001423609253.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001426970901.png b/doc/best-practice/source/_static/images/en-us_image_0000001426970901.png new file mode 100644 index 0000000..2dc3d57 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001426970901.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001427224185.png b/doc/best-practice/source/_static/images/en-us_image_0000001427224185.png new file mode 100644 index 0000000..e3071eb Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001427224185.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001427345353.png b/doc/best-practice/source/_static/images/en-us_image_0000001427345353.png new file mode 100644 index 0000000..f638722 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001427345353.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001451278204.png b/doc/best-practice/source/_static/images/en-us_image_0000001451278204.png new file mode 100644 index 0000000..c763872 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001451278204.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001481001694.png b/doc/best-practice/source/_static/images/en-us_image_0000001481001694.png new file mode 100644 index 0000000..1136ef6 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001481001694.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001481908820.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001481908820.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001481908820.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001482517874.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001482517874.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001482517874.jpg differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001482677118.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001482677118.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001482677118.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001482853400.png b/doc/best-practice/source/_static/images/en-us_image_0000001482853400.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001482853400.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001483021752.png b/doc/best-practice/source/_static/images/en-us_image_0000001483021752.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001483021752.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001490530926.png b/doc/best-practice/source/_static/images/en-us_image_0000001490530926.png new file mode 100644 index 0000000..737e5a9 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001490530926.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001490687826.png b/doc/best-practice/source/_static/images/en-us_image_0000001490687826.png new file mode 100644 index 0000000..c321793 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001490687826.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001526543281.png b/doc/best-practice/source/_static/images/en-us_image_0000001526543281.png new file mode 100644 index 0000000..16ba469 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001526543281.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001529961950.png b/doc/best-practice/source/_static/images/en-us_image_0000001529961950.png new file mode 100644 index 0000000..df4449b Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001529961950.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001531762821.png b/doc/best-practice/source/_static/images/en-us_image_0000001531762821.png new file mode 100644 index 0000000..41a5044 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001531762821.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001532868301.png b/doc/best-practice/source/_static/images/en-us_image_0000001532868301.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001532868301.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001533036717.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001533036717.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001533036717.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001533037229.png b/doc/best-practice/source/_static/images/en-us_image_0000001533037229.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001533037229.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001533157169.png b/doc/best-practice/source/_static/images/en-us_image_0000001533157169.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001533157169.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001533173581.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001533173581.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001533173581.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001533182113.png b/doc/best-practice/source/_static/images/en-us_image_0000001533182113.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001533182113.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001533461761.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001533461761.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001533461761.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001533701661.jpg b/doc/best-practice/source/_static/images/en-us_image_0000001533701661.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001533701661.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001545291713.png b/doc/best-practice/source/_static/images/en-us_image_0000001545291713.png new file mode 100644 index 0000000..f9bbd75 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001545291713.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001545300385.png b/doc/best-practice/source/_static/images/en-us_image_0000001545300385.png new file mode 100644 index 0000000..7a3e240 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001545300385.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001550899193.png b/doc/best-practice/source/_static/images/en-us_image_0000001550899193.png new file mode 100644 index 0000000..f773b51 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001550899193.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001555783590.png b/doc/best-practice/source/_static/images/en-us_image_0000001555783590.png new file mode 100644 index 0000000..737e5a9 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001555783590.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001569566562.png b/doc/best-practice/source/_static/images/en-us_image_0000001569566562.png new file mode 100644 index 0000000..6c1da02 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001569566562.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001580602633.png b/doc/best-practice/source/_static/images/en-us_image_0000001580602633.png new file mode 100644 index 0000000..bc5cf79 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001580602633.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001580873597.png b/doc/best-practice/source/_static/images/en-us_image_0000001580873597.png new file mode 100644 index 0000000..f5712b8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001580873597.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0000001618384369.png b/doc/best-practice/source/_static/images/en-us_image_0000001618384369.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0000001618384369.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0111310053.jpg b/doc/best-practice/source/_static/images/en-us_image_0111310053.jpg new file mode 100644 index 0000000..cc595ad Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0111310053.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0198704387.jpg b/doc/best-practice/source/_static/images/en-us_image_0198704387.jpg new file mode 100644 index 0000000..4479e6e Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0198704387.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0210924450.jpg b/doc/best-practice/source/_static/images/en-us_image_0210924450.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0210924450.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0227042619.png b/doc/best-practice/source/_static/images/en-us_image_0227042619.png new file mode 100644 index 0000000..6aa85c0 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0227042619.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0227042630.png b/doc/best-practice/source/_static/images/en-us_image_0227042630.png new file mode 100644 index 0000000..a241d8f Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0227042630.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0227064467.png b/doc/best-practice/source/_static/images/en-us_image_0227064467.png new file mode 100644 index 0000000..2af5eb6 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0227064467.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0227974572.png b/doc/best-practice/source/_static/images/en-us_image_0227974572.png new file mode 100644 index 0000000..31ea361 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0227974572.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0234013368.png b/doc/best-practice/source/_static/images/en-us_image_0234013368.png new file mode 100644 index 0000000..19b0e9b Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0234013368.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0234015780.png b/doc/best-practice/source/_static/images/en-us_image_0234015780.png new file mode 100644 index 0000000..65ba08f Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0234015780.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0234038602.png b/doc/best-practice/source/_static/images/en-us_image_0234038602.png new file mode 100644 index 0000000..8932f17 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0234038602.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0234822736.png b/doc/best-practice/source/_static/images/en-us_image_0234822736.png new file mode 100644 index 0000000..0b8b041 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0234822736.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0235603964.jpg b/doc/best-practice/source/_static/images/en-us_image_0235603964.jpg new file mode 100644 index 0000000..4479e6e Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0235603964.jpg differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0235826013.png b/doc/best-practice/source/_static/images/en-us_image_0235826013.png new file mode 100644 index 0000000..de09967 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0235826013.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0239994530.png b/doc/best-practice/source/_static/images/en-us_image_0239994530.png new file mode 100644 index 0000000..d8c9f6d Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0239994530.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0242690001.jpg b/doc/best-practice/source/_static/images/en-us_image_0242690001.jpg new file mode 100644 index 0000000..821271f Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0242690001.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0242722489.png b/doc/best-practice/source/_static/images/en-us_image_0242722489.png new file mode 100644 index 0000000..499e955 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0242722489.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0242722510.png b/doc/best-practice/source/_static/images/en-us_image_0242722510.png new file mode 100644 index 0000000..6b12b6c Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0242722510.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0242811195.png b/doc/best-practice/source/_static/images/en-us_image_0242811195.png new file mode 100644 index 0000000..01d5f68 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0242811195.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0242812829.jpg b/doc/best-practice/source/_static/images/en-us_image_0242812829.jpg new file mode 100644 index 0000000..4479e6e Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0242812829.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0258282297.png b/doc/best-practice/source/_static/images/en-us_image_0258282297.png new file mode 100644 index 0000000..33d12ba Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0258282297.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0269288850.png b/doc/best-practice/source/_static/images/en-us_image_0269288850.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0269288850.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0293910230.png b/doc/best-practice/source/_static/images/en-us_image_0293910230.png new file mode 100644 index 0000000..acf7017 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0293910230.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0294809832.png b/doc/best-practice/source/_static/images/en-us_image_0294809832.png new file mode 100644 index 0000000..ddfea71 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0294809832.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0294818359.png b/doc/best-practice/source/_static/images/en-us_image_0294818359.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0294818359.png differ 
diff --git a/doc/best-practice/source/_static/images/en-us_image_0294824530.jpg b/doc/best-practice/source/_static/images/en-us_image_0294824530.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0294824530.jpg differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0294833640.png b/doc/best-practice/source/_static/images/en-us_image_0294833640.png new file mode 100644 index 0000000..4f2d645 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0294833640.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0294837666.png b/doc/best-practice/source/_static/images/en-us_image_0294837666.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0294837666.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0294846185.png b/doc/best-practice/source/_static/images/en-us_image_0294846185.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0294846185.png differ diff --git a/doc/best-practice/source/_static/images/en-us_image_0295742770.png b/doc/best-practice/source/_static/images/en-us_image_0295742770.png new file mode 100644 index 0000000..0dd04b0 Binary files /dev/null and b/doc/best-practice/source/_static/images/en-us_image_0295742770.png differ diff --git a/doc/best-practice/source/change_history.rst b/doc/best-practice/source/change_history.rst new file mode 100644 index 0000000..63e43de --- /dev/null +++ b/doc/best-practice/source/change_history.rst 
@@ -0,0 +1,203 @@ +:original_name: waf_06_0026.html + +.. _waf_06_0026: + +Change History +============== + ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Released On | Description | ++===================================+=======================================================================================================================================================================+ +| 2023-06-07 | This issue is the forty-second official release. | +| | | +| | Modified :ref:`Upgrading Dedicated WAF Instances `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2023-06-02 | This issue is the forty-first official release. | +| | | +| | Modified :ref:`Configuring an Access Control Policy on an ECS or ELB to Protect Origin Servers `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2023-03-03 | This issue is the fortieth official release. | +| | | +| | Modified the following content: | +| | | +| | - :ref:`Combining WAF and Layer-7 Load Balancers to Protect Services over Any Ports ` | +| | - :ref:`Combining WAF and HSS to Get Improved Web Tamper Protection ` | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-10-25 | This is the thirty-ninth official release. 
| +| | | +| | Modified the following topics: | +| | | +| | :ref:`Upgrading Dedicated WAF Instances ` | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-09-30 | This issue is the thirty-eighth official release. | +| | | +| | Added :ref:`Combining WAF and Layer-7 Load Balancers to Protect Services over Any Ports `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-08-11 | This issue is the thirty-seventh official release. | +| | | +| | Added the following content: | +| | | +| | - :ref:`Restricting Malicious Requests in Promotions by Using Cookies and HWWAFSESID ` | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-07-26 | This issue is the thirty-sixth official release. | +| | | +| | Modified :ref:`Combining WAF and HSS to Get Improved Web Tamper Protection `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-07-06 | This issue is the thirty-fifth official release. | +| | | +| | Released the function for counting requests to all WAF instances. 
Modified the following topics: | +| | | +| | - :ref:`Configuring CC Attack Protection ` | +| | - :ref:`Combining CDN and WAF to Get Improved Protection and Load Speed ` | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-07-04 | This issue is the thirty-fourth official release. | +| | | +| | Released the global protection whitelist function. Modified the following topics: | +| | | +| | - :ref:`Handling False Alarms to Get Improved Basic Web Protection ` | +| | - :ref:`Apache Dubbo Deserialization Vulnerability ` | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-05-23 | This issue is the thirty-third official release. | +| | | +| | - Added :ref:`Combining WAF and HSS to Get Improved Web Tamper Protection `. | +| | - Modified :ref:`Obtaining Real Client IP Addresses `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-05-05 | This issue is the thirty-second official release. | +| | | +| | Added constraints in :ref:`Obtaining Real Client IP Addresses `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-04-19 | This issue is the thirty-first official release. 
| +| | | +| | Added the following content: | +| | | +| | - :ref:`Using LTS to Analyze How WAF Blocks Spring Core RCE Vulnerability in Real Time ` | +| | - :ref:`Using LTS to Configure Block Alarms for WAF Rules ` | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-04-01 | This issue is the thirtieth official release. | +| | | +| | Added :ref:`Java Spring Framework Remote Code Execution Vulnerability `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-03-29 | This is the twenty-ninth official release. | +| | | +| | Added descriptions of some parameters in :ref:`Preparations `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-02-11 | This issue is the twenty-eighth official release. | +| | | +| | Added the method of obtaining the origin server IP address when Apache 2.4 or later is used in :ref:`Obtaining Real Client IP Addresses `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2021-12-22 | This issue is the twenty-seventh official release. | +| | | +| | - Added :ref:`Using LTS to Quickly Query and Analyze WAF Access Logs `. | +| | - Optimized descriptions in :ref:`Configuring the Minimum TLS Version and Cipher Suite to Better Secure Connections `. 
| ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2021-08-19 | This issue is the twenty-sixth official release. | +| | | +| | Updated some screenshots in :ref:`Combining CDN and WAF to Get Improved Protection and Load Speed `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2021-07-20 | This issue is the twenty-fifth official release. | +| | | +| | Modified the entry to the management console. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2021-06-15 | This issue is the twenty-fourth official release. | +| | | +| | Optimized descriptions in :ref:`Combining CDN and WAF to Get Improved Protection and Load Speed `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2020-04-02 | This issue is the twenty-third official release. | +| | | +| | Updated some screenshots. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2020-02-27 | This issue is the twenty-second official release. 
| +| | | +| | Updated screenshots and descriptions in :ref:`Handling False Alarms to Get Improved Basic Web Protection ` | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2020-02-14 | This issue is the twenty-first official release. | +| | | +| | Added section :ref:`Apache Dubbo Deserialization Vulnerability `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2020-01-03 | This issue is the twentieth official release. | +| | | +| | Modified the title in :ref:`Obtaining Real Client IP Addresses `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-12-19 | This issue is the nineteen official release. | +| | | +| | - Added the method for the IIS server to obtain the real IP address of a visitor in :ref:`Handling False Alarms to Get Improved Basic Web Protection `. | +| | - Optimized descriptions in :ref:`Combining CDN and WAF to Get Improved Protection and Load Speed `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-12-16 | This is the eighteenth official release. | +| | | +| | - Modified the domain name of Huawei Cloud international website. | +| | - Updated the operation entry figure. 
| ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-12-05 | This issue is the seventeenth official release. | +| | | +| | Optimized descriptions in :ref:`Obtaining Real Client IP Addresses `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-10-21 | This issue is the sixteenth official release. | +| | | +| | - Optimized descriptions in :ref:`Configuring the Minimum TLS Version and Cipher Suite to Better Secure Connections `. | +| | - Optimized the description in :ref:`CC Attack Defense ` | +| | - Optimized descriptions in :ref:`Handling False Alarms to Get Improved Basic Web Protection `. | +| | - Optimized descriptions in :ref:`Combining CDN and WAF to Get Improved Protection and Load Speed `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-09-06 | This issue is the fifteenth official release. | +| | | +| | Added section :ref:`DoS Vulnerability in the Open-Source Component Fastjson `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-09-04 | This issue is the fourteenth official release. | +| | | +| | Optimized descriptions in :ref:`Connecting a Domain Name to WAF for Websites with no Proxy Used `. 
| ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-08-30 | This issue is the thirteenth official release. | +| | | +| | Optimized descriptions in :ref:`Combining CDN and WAF to Get Improved Protection and Load Speed `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-08-27 | This issue is the twelfth official release. | +| | | +| | Optimized descriptions in :ref:`Configuring Anti-Crawler Rules to Prevent Crawler Attacks `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-08-01 | This issue is the eleventh official release. | +| | | +| | Added section :ref:`Combining CDN and WAF to Get Improved Protection and Load Speed `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-07-12 | This issue is the tenth official release. | +| | | +| | Added section :ref:`Remote Code Execution Vulnerability of Fastjson `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-06-21 | This issue is the ninth official release. | +| | | +| | Added section :ref:`Obtaining Real Client IP Addresses `. 
| ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-06-04 | This issue is the eighth official release. | +| | | +| | - Added section :ref:`Handling False Alarms to Get Improved Basic Web Protection `. | +| | - Added section :ref:`Domain Setup `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-05-16 | This issue is the seventh official release. | +| | | +| | - Added section :ref:`Configuring an Access Control Policy on an ECS or ELB to Protect Origin Servers `. | +| | - Added section :ref:`Configuring Basic Web Protection `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-05-05 | This issue is the sixth official release. | +| | | +| | Optimized descriptions in :ref:`Configuring the Minimum TLS Version and Cipher Suite to Better Secure Connections `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-04-28 | This issue is the fifth official release. | +| | | +| | Added :ref:`Configuring the Minimum TLS Version and Cipher Suite to Better Secure Connections `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2019-04-23 | This issue is the fourth official release. 
| +| | | +| | - Added section :ref:`Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability (CNVD-C-2019-48814) `. | +| | - Optimized the description in :ref:`CC Attack Defense ` | +| | - Optimized descriptions in :ref:`Configuring Anti-Crawler Rules to Prevent Crawler Attacks `. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-11-08 | This is the third official release. | +| | | +| | Optimized some descriptions. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-10-15 | This is the second official release. | +| | | +| | Updated screenshots and descriptions. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2018-05-11 | This is the first official release. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/doc/best-practice/source/combining_cdn_and_waf_to_get_improved_protection_and_load_speed.rst b/doc/best-practice/source/combining_cdn_and_waf_to_get_improved_protection_and_load_speed.rst new file mode 100644 index 0000000..fe437f9 --- /dev/null +++ b/doc/best-practice/source/combining_cdn_and_waf_to_get_improved_protection_and_load_speed.rst 
@@ -0,0 +1,170 @@ +:original_name: waf_06_0022.html + +.. _waf_06_0022: + +Combining CDN and WAF to Get Improved Protection and Load Speed +=============================================================== + +How the Combination Works +------------------------- + +- When a user accesses a website that uses Huawei Cloud CDN, the local DNS server will redirect all domain requests to CDN using CNAME records. `CDN `__ uses a group of predefined policies (such as the content type, geographical location, and network load status) to respond visitors with the nearest CDN IP address so that visitors can obtain requested website content as quickly as possible. + + Objects supported by CDN: domain names of web applications on Huawei Cloud, other cloud platforms, or on-premises data centers + +- Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF). + +The combination of CDN and WAF can protect websites on Huawei Cloud, other clouds, or on-premises and improve website response time. :ref:`Figure 1 ` shows the configuration diagram. + +.. _waf_06_0022__fig173931354614: + +.. figure:: /_static/images/en-us_image_0000001193876233.png + :alt: **Figure 1** WAF configuration when a proxy is used + + **Figure 1** WAF configuration when a proxy is used + +After you deploy CDN and WAF for your website, traffic is accelerated by CDN and then forwarded to WAF. WAF checks received traffic and forwards only the normal traffic to the origin server. The combination protects the website against attacks while improving the website response speed and availability. 
+ +Point your website domain name to CDN and then change the CDN back-to-source address to the WAF CNAME record. After that, you can also add a WAF subdomain name and TXT record on your DNS management platform in case others have connected the website domain name to WAF before you configure CDN. + +|image1| + +The configurations are as follows: + +- Cloud mode + + Point your website domain name to CDN and then change the CDN back-to-source address to the WAF CNAME record. After that, you can also add a WAF subdomain name and TXT record on your DNS management platform in case others have connected the website domain name to WAF before you configure CDN. + +- Dedicated mode + + Point your website domain name to CDN and change the CDN back-to-source IP address to the EIP bound to the load balancer configured for your dedicated WAF instance. + +Constraints +----------- + +If your website uses proxies such as anti-DDoS, Content Delivery Network (CDN), and cloud acceleration services, select **Per user** for **Rate Limit Mode** and enable **All WAF instances** for your CC attack protection rules. + +Prerequisites +------------- + +- `WAF has been purchased `__. +- You have `added the website domain name to WAF `__ and configured other details, including origin server IP address and port. +- You have `connected the website domain name to CDN `__. +- You have obtained the permissions from the DNS service provider to add domain names. +- (Optional) You have whitelisted WAF back-to-source IP addresses. If non-Huawei Cloud security software is used on the origin server, whitelist the WAF back-to-source IP addresses to prevent normal traffic from being blocked. For details, see :ref:`Configuring an Access Control Policy on an ECS or ELB to Protect Origin Servers `. + +Cloud WAF Configuration +----------------------- + +The following uses Huawei Cloud CDN as an example to describe how to configure domain name resolution. 
If you use Huawei Cloud CDN, perform the following steps directly. If you use non-Huawei Cloud CDN, configure domain name resolution on non-Huawei Cloud CDN based on the instructions in the following steps. + +#. Obtain settings of **CNAME**, **Subdomain Name**, and **TXT Record**. + + a. Log in to the management console. + + b. Click |image2| in the upper left corner of the management console and select a region or project. + + c. Click |image3| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**. + + d. In the **Protected Website** column, click the domain name you want to go to the **Basic Information** page. + + e. .. _waf_06_0022__li3855201411557: + + On the page for configuring basic domain information, click |image4| in the row where the CNAME is located to copy **CNAME**. In the row of **Access Status**, click **How to Access**. In the **Access Guide** dialog box, copy **Subdomain Name** and **TXT Record**. + + + .. figure:: /_static/images/en-us_image_0227974572.png + :alt: **Figure 2** Domain name access information + + **Figure 2** Domain name access information + +#. `Change the origin server domain name of the primary origin server of CDN to the CNAME of WAF. `__ +#. (Optional) Add a WAF subdomain name and TXT record at your DNS provider. + + .. note:: + + To prevent others from configuring your domain names on WAF in advance (this will cause interference on your domain name protection), this step is recommended. + + a. Access the DNS resolution page, as shown in :ref:`Figure 3 `. + + .. _waf_06_0022__fig165861648185013: + + .. figure:: /_static/images/en-us_image_0000001550899193.png + :alt: **Figure 3** DNS page + + **Figure 3** DNS page + + b. In the upper right corner of the page, click **Add Record Set**. The **Add Record Set** page is displayed. :ref:`Figure 4 ` shows an example. + + - **Name**: TXT record copied in :ref:`1.e `. + - **Type**: Select **TXT - Specify text records**. 
+ - **Alias**: Select **No**. + - **Line**: **Default** + - **TTL (s)**: The recommended value is **5 min**. A larger TTL value will make it slower for synchronization and update of DNS records. + - **Value**: Add quotation marks to the TXT record copied in :ref:`1.e ` and paste them in the text box, for example, **TXT record**. + - Keep other settings unchanged. + + .. _waf_06_0022__fig4588144810507: + + .. figure:: /_static/images/en-us_image_0239994530.png + :alt: **Figure 4** Adding a record set + + **Figure 4** Adding a record set + + c. Click **OK**. + +#. (Optional) Ping the IP address of your domain name to check whether the new DNS settings take effect. + + .. note:: + + It takes some time for the new DNS settings to take effect. If ping fails, wait for 5 minutes and ping again. + +Dedicated Mode WAF Configuration +-------------------------------- + +Perform the following steps to complete configurations on Huawei Cloud CDN: + +#. `Log in to the management console `__. + +#. Click |image5| in the upper left corner of the management console and select a region or project. + +#. Click |image6| in the upper left corner of the page, choose **Storage** > **CDN**. + +#. In the navigation pane on the left, choose **Domains**. + +#. In the domain list, click the domain name you want to modify or click **Settings** in the **Operation** column. + +#. Click the **Basic Settings** tab. In the **Origin Server Settings** area, click **Edit**. + +#. In the **Modify Origin Server** dialog box displayed, modify the IP address of the origin server. :ref:`Figure 5 ` shows an example. + + .. _waf_06_0022__fig862516339477: + + .. figure:: /_static/images/en-us_image_0000001111161846.png + :alt: **Figure 5** Modify Origin Server + + **Figure 5** Modify Origin Server + + .. important:: + + If you use a dedicated WAF instance, in the **Origin** text box, `enter the EIP you bind to the load balancer `__. + +#. Click **OK**. 
+ +Verification +------------ + +If **Access Status** is **Accessible**, the traffic destined for your website domain name or IP address is routed to WAF. + +.. important:: + + WAF automatically checks the access status of protected websites every hour. If WAF detects that a protected website has received 20 access requests within 5 minutes, it considers that the website has been successfully connected to WAF. + +If a domain name fails to be connected to WAF, its access status is **Inaccessible**. To fix this issue, see `Why Is the Access Status of a Domain Name or IP Address Inaccessible? `__ + +.. |image1| image:: /_static/images/en-us_image_0000001159784637.png +.. |image2| image:: /_static/images/en-us_image_0000001072637202.jpg +.. |image3| image:: /_static/images/en-us_image_0000001071109079.png +.. |image4| image:: /_static/images/en-us_image_0198704387.jpg +.. |image5| image:: /_static/images/en-us_image_0000001111321856.jpg +.. |image6| image:: /_static/images/en-us_image_0000001111161960.png diff --git a/doc/best-practice/source/combining_waf_and_hss_to_get_improved_web_tamper_protection.rst b/doc/best-practice/source/combining_waf_and_hss_to_get_improved_web_tamper_protection.rst new file mode 100644 index 0000000..72ef7ce --- /dev/null +++ b/doc/best-practice/source/combining_waf_and_hss_to_get_improved_web_tamper_protection.rst 
@@ -0,0 +1,175 @@ +:original_name: waf_06_0119.html + +.. _waf_06_0119: + +Combining WAF and HSS to Get Improved Web Tamper Protection +=========================================================== + +WAF examines HTTP/HTTPS requests. If an attacker attempts to tamper with web pages using attacks like SQL injection, WAF can identify and block the attacks in a timely manner, so they cannot sneak into or change anything in the OSs of your web servers. + +Even if attacks bypass the first layer of protection, HSS WTP provides multi-level defenses. HSS WTP protects files in the web file directories from any unauthorized access. Only your website administrator can update the website content through the privileged process. Apart from that, HSS WTP also backs up web file directories locally and remotely. Once a file is tampered with, it can be quickly restored with backups. For dynamic web pages such as applications on web servers, HSS WTP uses Runtime Application Self-Protection (RASP) to monitor application access. It can detect tampering on dynamic data such as databases and prevent attackers from using applications to tamper with web pages in real time. + +With HSS and WAF in place, you can stop worrying about web page tampering. + +What Web Tampering Is and Impacts of Web Tampering +-------------------------------------------------- + +Web tampering is a type of cyberattack that exploits vulnerabilities in web applications to tamper with web application content or to insert hidden links. Web tampering attacks are often used to spread malicious information, incite unrest, and steal money. + +Links to pornographic or otherwise illegal content may be inserted into normal web pages. Tampered web pages can permanently damage the brand image of your organization. + +Differences Between The Web Tamper Protection Functions of HSS and WAF +---------------------------------------------------------------------- + +.. 
table:: **Table 1** Differences between the web tamper protection functions of HSS and WAF + + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------+ + | Type | HSS | WAF | + +========================+==========================================================================================================================================================+=========================================================+ + | Static web pages | Locks files in driver and web file directories to prevent attackers from tampering with them. | Caches static web pages on servers. | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------+ + | Dynamic web pages | - Dynamic WTP | Not supported | + | | | | + | | Protects your data while Tomcat is running, detecting dynamic data tampering in databases. | | + | | | | + | | - Privileged process management | | + | | | | + | | Allows only privileged processes to modify web pages. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------+ + | Backup and restoration | - Proactive backup and restoration | Not supported | + | | | | + | | If WTP detects that a file in the protection directory is tampered with, it immediately uses the backup file on the local server to restore the file. 
| | + | | | | + | | - Remote backup and restoration | | + | | | | + | | If a file directory or backup directory on the local server becomes invalid, you can use the remote backup service to restore the tampered web page. | | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------+ + | Protection object | Web tamper prevention. This function is suitable for websites that have high protection requirements. | Websites that only require application-layer protection | + +------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------+ + +Configuring a Web Tamper Protection Rule in WAF +----------------------------------------------- + +.. note:: + + - This function is not supported in the starter edition. + - For more details, see `Configuring a Web Tamper Protection Rule `__. + +#. `Log in to the management console `__. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**. + +#. In the navigation pane on the left, choose **Website Settings**. + +#. (Old console) In the **Policy** column of the row containing the domain name, click **Configure Policy**. + +#. (New console) In the **Policy** column of the row containing the domain name, click the number to go to the **Policies** page. + + + .. figure:: /_static/images/en-us_image_0000001402875172.png + :alt: **Figure 1** Domain name list + + **Figure 1** Domain name list + +#. 
In the **Web Tamper Protection** configuration area, change **Status** if needed and click **Customize Rule** to go to the **Web Tamper Protection** page. + + + .. figure:: /_static/images/en-us_image_0234822736.png + :alt: **Figure 2** Web Tamper Protection configuration area + + **Figure 2** Web Tamper Protection configuration area + +#. In the upper left corner of the **Web Tamper Protection** page, click **Add Rule**. + +#. In the displayed dialog box, specify the parameters by referring to :ref:`Table 2 `. + + + .. figure:: /_static/images/en-us_image_0000001451278204.png + :alt: **Figure 3** Adding a web tamper protection rule + + **Figure 3** Adding a web tamper protection rule + + .. _waf_06_0119__en-us_topic_0110861313_table2046816299203: + + .. table:: **Table 2** Rule parameters + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=====================================================================================================================================================+=======================+ + | Domain Name | Domain name of the website to be protected | **www.example.com** | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Path | A part of the URL, not including the domain name | **/admin** | + | | | | + | | A URL is used to define the address of a web page. The basic URL format is as follows: | | + | | | | + | | Protocol name://Domain name or IP address[:Port]/[Path/.../File name]. | | + | | | | + | | For example, if the URL is **http://www.example.com/admin**, set **Path** to **/admin**. | | + | | | | + | | .. 
note:: | | + | | | | + | | - The path does not support regular expressions. | | + | | - The path cannot contain two or more consecutive slashes. For example, **///admin**. If you enter **///admin**, WAF converts **///** to **/**. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Rule Description | A brief description of the rule. This parameter is optional. | None | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **Confirm**. You can view the rule in the list of web tamper protection rules. + +Enabling HSS Web Tamper Protection +---------------------------------- + +#. `Log in to the management console `__. + +#. In the upper left corner of the page, select a region, click |image3|, and choose **Security & Compliance** > **Host Security Service (New)**. + + + .. figure:: /_static/images/en-us_image_0000001426970901.png + :alt: **Figure 4** Accessing HSS + + **Figure 4** Accessing HSS + +#. In the displayed dialog box, click **Try the new edition** to switch to the HSS (New) console. + + .. note:: + + - Currently, HSS is available in the following regions: CN South-Guangzhou, CN-Hong Kong, AP-Bangkok, and AP-Singapore. + - On the HSS (New) console, you can click **Back to Old Console** in the upper left corner to switch to the HSS (Old) console. + +#. In the navigation pane, choose **Prevention** > **Web Tamper Protection**. On the **Web Tamper Protection** page, click **Add Server**. + + + .. figure:: /_static/images/en-us_image_0000001427224185.png + :alt: **Figure 5** Adding a protected server + + **Figure 5** Adding a protected server + +#. 
On the **Add Server** page, select the target server, select quota from the drop-down list or retain the default value, and click **Add and Enable Protection**. + + + .. figure:: /_static/images/en-us_image_0000001427345353.png + :alt: **Figure 6** Selecting a server to enable protection + + **Figure 6** Selecting a server to enable protection + +#. View the server status on the **Web Tamper Protection** page. + + The premium edition will be enabled when you enable WTP. + + - Choose **Prevention** > **Web Tamper Protection**. If the **Protection Status** of the server is **Protected**, WTP has been enabled. + - Choose **Asset Management** > **Servers & Quota** and click the **Servers** tab. If the protection status of the target server is **Enabled** and the **Edition/Expiration Date** of it is **Premium (included with WTP)**, the premium edition provided by the WTP edition is enabled free of charge. + +.. important:: + + - Before disabling WTP, perform a comprehensive detection on the server, handle known risks, and record operation information to prevent O&M errors and attacks on the server. + - If WTP is disabled, web applications are more likely to be tampered with. Therefore, you need to delete important data on the server, stop important services on the server, and disconnect the server from the external network in a timely manner to avoid unnecessary losses caused by attacks on the server. + - After you or disable WTP, files in the protected directory are no longer protected. You are advised to process files in the protected directory before performing these operations. + - If you find some files missing after disabling WTP, search for them in the local or remote backup path. + + - The premium edition will be disabled when you disable WTP. + +.. |image1| image:: /_static/images/en-us_image_0000001481908820.jpg +.. |image2| image:: /_static/images/en-us_image_0000001532868301.png +.. |image3| image:: /_static/images/en-us_image_0000001256705644.png 
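Review bot: in "Configuring a Web Tamper Protection Rule in WAF", steps 5 "(Old console)" and 6 "(New console)" are alternatives for one action but are numbered as consecutive steps, so a reader following the list literally performs both; fold them into one step with two branches. In the closing important box, "After you or disable WTP, files in the protected directory are no longer protected" is missing a word (presumably "After you stop or disable WTP"), and the earlier bullet "you need to delete important data on the server, stop important services on the server, and disconnect the server from the external network" reads as an unconditional instruction; if it is advice for a server that will stay unprotected, say so. The note under "Try the new edition" lists CN South-Guangzhou, CN-Hong Kong, AP-Bangkok and AP-Singapore, which are Huawei Cloud regions and do not apply to the otcdocs deployment this patch configures in conf.py; drop or replace the list. Minor: the heading "Differences Between The Web Tamper Protection Functions of HSS and WAF" capitalises "The", and the intro claim "you can stop worrying about web page tampering" overstates what a request filter plus file locking and restore provide; "significantly reduce the risk of" is the defensible wording.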
diff --git a/doc/best-practice/source/combining_waf_and_layer-7_load_balancers_to_protect_services_over_any_ports.rst b/doc/best-practice/source/combining_waf_and_layer-7_load_balancers_to_protect_services_over_any_ports.rst new file mode 100644 index 0000000..6f39daa --- /dev/null +++ b/doc/best-practice/source/combining_waf_and_layer-7_load_balancers_to_protect_services_over_any_ports.rst 
@@ -0,0 +1,127 @@ +:original_name: waf_06_0038.html + +.. _waf_06_0038: + +Combining WAF and Layer-7 Load Balancers to Protect Services over Any Ports +=========================================================================== + +This topic walks you through how to combine dedicated WAF instances and layer-7 load balancers to protect your services over non-standard ports that cannot be protected with WAF alone. For ports supported by WAF, see `Ports Supported by WAF `__. + +Protection Scenarios +-------------------- + +The following procedure describes how WAF and ELB together protect **www.example.com:9876**. Port 9876 is a non-standard port WAF alone cannot protect. + +Prerequisites +------------- + +- You have purchased a load balancer. For details about load balancers, see `Differences Between Shared and Dedicated Load Balancers `__. + +- Related ports have been enabled in the security group to which the dedicated WAF instance belongs. + + You can configure your security group as follows: + + - Inbound rules + + Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, add a rule that allows **TCP** and port **80**. + + - Outbound rules + + Retain the default settings. All outgoing network traffic is allowed by default. + + For more details, see `Adding a Security Group Rule `__. + +Procedure +--------- + +#. `Buy a dedicated WAF instance `__. + +#. .. _waf_06_0038__li16390019199: + + Connect www.example.com to WAF by referring to `Adding a Website to WAF (Dedicated Mode) `__. Select any non-standard port as protected port, for example, port 86, set **Server Port** to **9876**, and set **Proxy Configured** to **Yes**. + +#. .. _waf_06_0038__li1814105574611: + + Add listeners and backend server groups to the load balancer. + + a. `Log in to the management console `__. + + b. 
Click |image1| in the upper left corner of the management console and select a region or project. + + c. Click |image2| in the upper left corner of the page and choose **Elastic Load Balance** under **Network** to go to the **Load Balancers** page. + + d. Click the name of the load balancer in the **Name** column to go to the **Basic Information** page. + + e. Click the **Listeners** tab and then click **Add Listener**. On the displayed page, configure the listener. In the **Frontend Port** text box, enter the port you want to protect. In this case, enter **9876**. + + + .. figure:: /_static/images/en-us_image_0000001369483086.png + :alt: **Figure 1** Configuring a listener + + **Figure 1** Configuring a listener + + f. Click **Next: Configure Request Routing Policy**. + + + .. figure:: /_static/images/en-us_image_0000001423609253.png + :alt: **Figure 2** Configuring a backend server group + + **Figure 2** Configuring a backend server group + + .. important:: + + - If you select **Weighted round robin** for **Load Balancing Algorithm**, disable **Sticky Session**. If you enable **Sticky Session**, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time. + - For details about ELB traffic distribution policies, see `Load Balancing Algorithms `__. + + g. Click **Next: Add Backend Server** and click **Next: Confirm**. + +#. Add the WAF instance to the load balancer. + + a. `Log in to the management console `__. + + b. Click |image3| in the upper left corner of the management console and select a region or project. + + c. Click |image4| in the upper left corner, select a region, and choose **Security & Compliance** > **Web Application Firewall** to go to the **Dashboard** page. + + d. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. 
figure:: /_static/images/en-us_image_0000001369501992.png + :alt: **Figure 3** Dedicated engine list + + **Figure 3** Dedicated engine list + + e. Locate the row containing the WAF instance. In the **Operation** column, click **More** > **Add to ELB**. + + f. In the **Add to ELB** dialog box, specify **ELB (Load Balancer)**, **ELB Listener**, and **Backend Server Group** based on :ref:`Step 3 `. + + + .. figure:: /_static/images/en-us_image_0000001369683888.png + :alt: **Figure 4** Add to ELB + + **Figure 4** Add to ELB + + g. Click **Confirm**. Then, configure service port for the WAF instance. In this example, configure **Backend Port** to **86**, which is the one we configured in :ref:`Step 2 `. + + + .. figure:: /_static/images/en-us_image_0000001369344100.png + :alt: **Figure 5** Configuring Backend Port + + **Figure 5** Configuring Backend Port + + h. Click **Confirm**. + +#. `Bind an EIP to a Load Balancer `__. + +#. `Whitelist the back-to-source IP addresses of your dedicated WAF instances `__. + +How the Combination Protects Traffic +------------------------------------ + +|image5| + +.. |image1| image:: /_static/images/en-us_image_0000001420363093.jpg +.. |image2| image:: /_static/images/en-us_image_0000001369643058.png +.. |image3| image:: /_static/images/en-us_image_0000001420502081.jpg +.. |image4| image:: /_static/images/en-us_image_0000001369661940.png +.. |image5| image:: /_static/images/en-us_image_0000001420492921.png diff --git a/doc/best-practice/source/conf.py b/doc/best-practice/source/conf.py index d6e726e..1b74bb8 100644 --- a/doc/best-practice/source/conf.py +++ b/doc/best-practice/source/conf.py 
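Review bot: the security-group example under Prerequisites ("if you want to allow access from port 80, add a rule that allows **TCP** and port **80**") does not match the worked example in the same file, where the dedicated WAF instance receives traffic from the load balancer on the protected port 86 (Step 2) and the ELB backend port is set to 86 (Step 4.g); the inbound rule the reader actually needs allows TCP 86, and its source should be limited to the load balancer's subnet or security group rather than any address, because in this design nothing but ELB should reach the WAF instance directly. "How the Combination Protects Traffic" consists solely of |image5| with no text; add one sentence describing the path (client to ELB listener 9876, ELB to the dedicated WAF backend port 86, WAF to the origin server on port 9876) so the flow survives without the image. In Step 2, "Select any non-standard port as protected port, for example, port 86" should say that this is the port the WAF instance listens on for traffic from ELB, so it is not confused with the public port 9876.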
@@ -30,17 +30,6 @@ otcdocs_repo_name = 'docs/web-application-firewall-dedicated' otcdocs_git_fqdn = 'gitea.eco.tsi-dev.otc-service.com' otcdocs_git_type = 'gitea' -# Those variables are needed for indexing into OpenSearch -otcdocs_doc_environment = 'internal' -otcdocs_doc_link = '/web-application-firewall-dedicated/best-practice/' -otcdocs_doc_title = 'Best Practice' -otcdocs_doc_type = 'best-practice' -otcdocs_service_category = 'security-services' -otcdocs_service_title = 'Dedicated Web Application Firewall' -otcdocs_service_type = 'wafd' -otcdocs_search_environment = 'hc_de' -otcdocs_search_url = "https://opensearch.eco.tsi-dev.otc-service.com/" - # If extensions (or modules to document with autodoc) are in another directory, # add these directories to sys.path here. If the directory is relative to the # documentation root, use os.path.abspath to make it absolute, like shown here. diff --git a/doc/best-practice/source/configuring_an_access_control_policy_on_an_ecs_or_elb_to_protect_origin_servers.rst b/doc/best-practice/source/configuring_an_access_control_policy_on_an_ecs_or_elb_to_protect_origin_servers.rst new file mode 100644 index 0000000..4d77e11 --- /dev/null +++ b/doc/best-practice/source/configuring_an_access_control_policy_on_an_ecs_or_elb_to_protect_origin_servers.rst 
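Review bot: the removal of the otcdocs_doc_* and otcdocs_search_* settings (otcdocs_doc_environment through otcdocs_search_url) is not explained anywhere in the patch, and the comment being deleted says they are "needed for indexing into OpenSearch"; unless the theme or a central configuration now supplies these values, this silently drops the best-practice guide from search indexing. State in the commit message where the values now come from, or keep them. If they are indeed obsolete, check the blank-line handling: the hunk removes the blank line at the end of the block, so if that was the only separator the "# If extensions (or modules to document with autodoc)" comment now sits directly under otcdocs_git_type = 'gitea'; keep one blank line between the two groups.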
@@ -0,0 +1,182 @@ +:original_name: waf_06_0013.html + +.. _waf_06_0013: + +Configuring an Access Control Policy on an ECS or ELB to Protect Origin Servers +=============================================================================== + +After you connect your website to Web Application Firewall (WAF), configure an access control policy on your origin server to allow only the WAF back-to-source IP addresses. This prevents hackers from obtaining your origin server IP addresses and then bypassing WAF to attack origin servers. + +This topic walks you through how to check whether origin servers have exposure risks and how to configure access control policies. This topic applies to scenarios where your origin servers are deploying on ECSs or backend servers of an ELB load balancer. + +.. note:: + + - WAF will forward incoming traffic destined for the origin servers no matter whether you configure access control rules on the origin servers. However, if you have no access control rules configured on origin servers, bad actors may bypass WAF and directly attack your origin servers once they obtain your origin server IP addresses. + - If you use an NAT gateway before an ECS for forwarding data, you also need to configure an inbound rule in the security group the ECS belongs to by referring to :ref:`Configuring an Inbound Rule for an ECS `. This rule allows only WAF IP addresses to access origin servers to keep them secure. + +Precautions +----------- + +- Before configuring an access control policy on an origin server, ensure that you have connected all domain names of websites hosted on Elastic Cloud Server (ECS) or having Elastic Load Balance (ELB) deployed to WAF. +- The following issued should be considered when you configure a security group: + + - If you enable the WAF bypassed mode for your website but do not disable security group and network ACL configurations, the origin server may become inaccessible from the Internet. 
+ - If new WAF back-to-source IP addresses are assigned to WAF after a security group is configured for your website, the website may respond 5xx errors frequently. + +.. _waf_06_0013__section153394462279: + +How Do I Check Whether the Origin Server IP Address Is Exposed? +--------------------------------------------------------------- + +In a non-Huawei Cloud environment, use a Telnet tool to establish a connection over the service port of the public IP address of your origin server (or enter the IP address of your web application in the browser). Then, check whether the connection is established. + +- Connection established + + The origin server has exposed to the public. Once a hacker obtains the public IP address of the origin server, the hacker can bypass WAF and directly attack the origin server. + +- Connection not established + + The origin server is hidden from the public and there is no exposure risk. + +For example, to check whether the origin server is exposed, check whether the origin server IP address that has been protected by WAF can be connected over port 443. If information similar to that shown in :ref:`Figure 1 ` is displayed, the connection is established and the origin server IP address is exposed. + +.. _waf_06_0013__fig563232951119: + +.. figure:: /_static/images/en-us_image_0294833640.png + :alt: **Figure 1** Testing + + **Figure 1** Testing + +Obtaining WAF Back-to-Source IP Addresses +----------------------------------------- + +A back-to-source IP address is a source IP address used by WAF to forward client requests to origin servers. To origin servers, all web requests come from WAF and all source IP addresses are WAF back-to-source IP addresses. The real client IP address is encapsulated into the HTTP X-Forwarded-For (XFF) header field. For more details, see `How Do I Whitelist the WAF Back-to-Source IP Address Ranges? `__ + +#. `Log in to the management console `__. + +#. 
Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**. + +#. In the navigation pane on the left, choose **Website Settings**. + +#. On the right of the website list, click the **WAF Back-to-Source IP Addresses** link. + + .. note:: + + WAF back-to-source IP addresses are periodically updated. Whitelist the new IP addresses in time to prevent those IP addresses from being blocked by origin servers. + + + .. figure:: /_static/images/en-us_image_0258282297.png + :alt: **Figure 2** WAF Back-to-Source IP Addresses + + **Figure 2** WAF Back-to-Source IP Addresses + +#. .. _waf_06_0013__li081419351620: + + In the displayed dialog box, click **Copy** to copy all the addresses. + + + .. figure:: /_static/images/en-us_image_0000001171051129.png + :alt: **Figure 3** WAF Back-to-Source IP Addresses dialog box + + **Figure 3** WAF Back-to-Source IP Addresses dialog box + +.. _waf_06_0013__section19785231124311: + +Configuring an Inbound Rule for an ECS +-------------------------------------- + +If your origin server is deployed on an ECS, perform the following steps to configure a security group rule to allow only the WAF back-to-source IP addresses to access the origin server. + +.. important:: + + Ensure that all WAF back-to-source IP addresses are whitelisted by an inbound rule of the security group configured for the ECS. Otherwise, website may become inaccessible. + +#. `Log in to the management console `__. + +#. Click |image3| in the upper left corner of the management console and select a region or project. + +#. Click |image4| in the upper left corner of the page and choose **Compute** > **Elastic Cloud Server**. + +#. Locate the row containing the ECS you want. In the **Name/ID** column, click the ECS name to go to the ECS details page. + +#. Click the **Security Groups** tab. 
Then, click **Change Security Group**. + +#. Click the security group ID and view the details. + +#. Click the **Inbound Rules** tab and click **Add Rule**. Then, specify parameters in the **Add Inbound Rule** dialog box. For details, see :ref:`Table 1 `. + + + .. figure:: /_static/images/en-us_image_0000001298073589.png + :alt: **Figure 4** Add Inbound Rule + + **Figure 4** Add Inbound Rule + + .. _waf_06_0013__table4746426132417: + + .. table:: **Table 1** Inbound rule parameters + + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+================================================================================================================================================================================+ + | Protocol & Port | Protocol and port for which the security group rule takes effect. If you select **TCP (Custom ports)**, enter the origin server port number in the text box below the TCP box. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Source | Add all WAF back-to-source IP addresses copied in :ref:`Step 6 ` one by one. | + | | | + | | .. note:: | + | | | + | | One IP address is configured in a rule. Click **Add Rule** to add more rules. A maximum of 10 rules can be added. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +#. Click **OK**. + + Then, the security group rules allow all inbound traffic from the WAF back-to-source IP addresses. 
+ + To check whether the security group rules take effect, refer to :ref:`How Do I Check Whether the Origin Server IP Address Is Exposed? ` If a connection cannot be established over the service port but the website is still accessible, the configuration takes effect. + +Enabling ELB Access Control +--------------------------- + +If your origin server is deployed on backend servers of an ELB load balancer, perform the following steps to configure an access control list to allow only the WAF back-to-source IP addresses to access the origin server. + +#. `Log in to the management console `__. + +#. Click |image5| in the upper left corner of the management console and select a region or project. + +#. Click |image6| in the upper left corner of the page and choose **Networking** > **Elastic Load Balance**. + +#. Locate the load balancer you want. In the **Listener** column, click the listener name to go to the details page. + +#. In the **Access Control** row of the target listener, click **Configure**. + + + .. figure:: /_static/images/en-us_image_0000001545291713.png + :alt: **Figure 5** Listener list + + **Figure 5** Listener list + +#. In the displayed dialog box, select **Whitelist** for **Access Control**. + + a. .. _waf_06_0013__li971616743419: + + Click **Create IP Address Group** and add the dedicated WAF instance IP addresses obtained in :ref:`Step 6 ` to the group being created. + + b. Select the IP address group created in :ref:`6.a ` from the **IP Address Group** drop-down list. + + + .. figure:: /_static/images/en-us_image_0000001545300385.png + :alt: **Figure 6** Configure Access Control + + **Figure 6** Configure Access Control + +#. Click **OK**. + + To check whether the security group rules take effect, refer to :ref:`How Do I Check Whether the Origin Server IP Address Is Exposed? ` If a connection cannot be established over the service port but the website is still accessible, the configuration takes effect. + +.. 
|image1| image:: /_static/images/en-us_image_0294824530.jpg +.. |image2| image:: /_static/images/en-us_image_0294818359.png +.. |image3| image:: /_static/images/en-us_image_0294824530.jpg +.. |image4| image:: /_static/images/en-us_image_0294837666.png +.. |image5| image:: /_static/images/en-us_image_0294824530.jpg +.. |image6| image:: /_static/images/en-us_image_0294846185.png diff --git a/doc/best-practice/source/configuring_anti-crawler_rules_to_prevent_crawler_attacks.rst b/doc/best-practice/source/configuring_anti-crawler_rules_to_prevent_crawler_attacks.rst new file mode 100644 index 0000000..814fae4 --- /dev/null +++ b/doc/best-practice/source/configuring_anti-crawler_rules_to_prevent_crawler_attacks.rst 
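Review bot: in "Configuring an Inbound Rule for an ECS", step 5 "Click the **Security Groups** tab. Then, click **Change Security Group**." sends the reader into the dialog for swapping the group attached to the ECS, while step 6 "Click the security group ID and view the details" is what actually leads to the rule list; drop the Change Security Group click. Table 1 states "One IP address is configured in a rule ... A maximum of 10 rules can be added", yet the addresses copied in Step 6 are referred to elsewhere on the page as "back-to-source IP address ranges"; say whether CIDR ranges are accepted in **Source**, because otherwise a list longer than ten entries cannot be whitelisted and the website breaks on the entries left out. In "Enabling ELB Access Control", the closing check "To check whether the security group rules take effect" is copied from the ECS section although this section configures a listener whitelist, and step 6.a calls the same addresses "dedicated WAF instance IP addresses" while Step 6 obtains "WAF back-to-source IP addresses"; use one term throughout. Wording: "The following issued should be considered" should be "issues"; "origin servers are deploying on ECSs" should be "deployed"; "The origin server has exposed to the public" should be "is exposed"; "In a non-Huawei Cloud environment" is another Huawei leftover and can simply read "From outside the cloud". Finally, the note "WAF back-to-source IP addresses are periodically updated" deserves a pointer to the Precautions bullet about frequent 5xx errors: a whitelist that is not refreshed after an update is exactly how that failure shows up, so recommend re-checking the rule set against the current list after each update.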
@@ -0,0 +1,202 @@ +:original_name: waf_06_0006.html + +.. _waf_06_0006: + +Configuring Anti-Crawler Rules to Prevent Crawler Attacks +========================================================= + +Web crawlers facilitate network information collection and query, but they also introduce the following negative impacts: + +- Web crawlers always consume too much server bandwidth and increase server load as they use specific policies to browser as much information of high value on a website as possible. +- Bad actors may use web crawlers to launch DoS attacks against websites. As a result, websites may fail to provide normal services due to resource exhaustion. +- Bad actors may use web crawlers to steal mission-critical data on your websites, which will damage your economic interests. + +WAF provides three anti-crawler policies, bot detection by identifying User-Agent, website anti-crawler by checking browser validity, and CC attack protection by limiting the access frequency, to comprehensively mitigate crawler attacks against your websites. + +Prerequisites +------------- + +The domain name has been connected to WAF. + +Enabling Robot Detection to Identify User-Agent +----------------------------------------------- + +If you enable robot detection, WAF can detect and block threats such as malicious crawlers, scanners, and web shells. + +#. `Log in to the management console `__. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**. + +#. In the navigation pane on the left, choose **Website Settings**. + +#. In the **Policy** column of the row containing the domain name, click the number to go to the **Policies** page. + +#. Ensure that **Basic Web Protection** is enabled (|image3|). + + + .. 
figure:: /_static/images/en-us_image_0234015780.png + :alt: **Figure 1** Basic Web Protection configuration area + + **Figure 1** Basic Web Protection configuration area + +#. Click **Advanced Settings**. On the **Protection Status** page, enable **General Check** and **Webshell Detection**. + +#. In the **Anti-Crawler** configuration area, enable anti-crawler using the toggle on the right. If you enable this function, click **Configure Bot Mitigation**. + + + .. figure:: /_static/images/en-us_image_0000001072396759.png + :alt: **Figure 2** Anti-Crawler configuration area + + **Figure 2** Anti-Crawler configuration area + +#. On the **Feature Library** page, enable protection functions based on your business needs. + + + .. figure:: /_static/images/en-us_image_0000001072768952.png + :alt: **Figure 3** Feature Library + + **Figure 3** Feature Library + +If WAF detects that a malicious crawler or scanner is crawling your website, WAF immediately blocks it and logs the event. You can view the crawler protection logs on the **Events** page. + +|image4| + +Enabling Anti-Crawler Protection to Verify Browser Validity +----------------------------------------------------------- + +If you enable anti-crawler protection, WAF dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification approaches. + +#. `Log in to the management console `__. + +#. Click |image5| in the upper left corner of the management console and select a region or project. + +#. Click |image6| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**. + +#. In the navigation pane on the left, choose **Website Settings**. + +#. In the **Policy** column of the row containing the domain name, click the number to go to the **Policies** page. + +#. In the **Anti-Crawler** configuration area, enable anti-crawler using the toggle on the right. 
If you enable this function, click **Configure Bot Mitigation**. + + + .. figure:: /_static/images/en-us_image_0000001072396759.png + :alt: **Figure 4** Anti-Crawler configuration area + + **Figure 4** Anti-Crawler configuration area + +#. Select the **JavaScript** tab and configure **Status** and **Protective Action**. + + **JavaScript** anti-crawler is disabled by default. To enable it, click |image7| and click **Confirm** in the displayed dialog box. + + .. important:: + + - Cookies must be enabled and JavaScript supported by any browser used to access a website protected by anti-crawler protection rules. + + - If your service is connected to CDN, exercise caution when using the JS anti-crawler function. + + CDN caching may impact JS anti-crawler performance and page accessibility. + +#. Configure a JavaScript-based anti-crawler rule by referring to :ref:`Table 1 `. + + Two protective actions are provided: **Protect all requests** and **Protect specified requests**. + + - To protect all requests except requests that hit a specified rule + + Set **Protection Mode** to **Protect all requests**. Then, click **Exclude Rule**, configure the request exclusion rule, and click **Confirm**. + + + .. figure:: /_static/images/en-us_image_0000001481001694.png + :alt: **Figure 5** Exclude Path + + **Figure 5** Exclude Path + + - To protect a specified request only + + Set **Protection Mode** to **Protect specified requests**, click **Add Rule**, configure the request rule, and click **Confirm**. + + + .. figure:: /_static/images/en-us_image_0000001531762821.png + :alt: **Figure 6** Add Rule + + **Figure 6** Add Rule + + .. _waf_06_0006__en-us_topic_0110861318_table158689225415: + + .. 
table:: **Table 1** Parameters of a JavaScript-based anti-crawler protection rule + + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------+ + | Parameter | Description | Example Value | + +=======================+===================================================================================================================================================================================================================================================================================================================================================================================================================================================+=================================+ + | Rule Name | Name of the rule | waf | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------+ + | Rule Description | A brief description of the rule. This parameter is optional. 
| ``-`` | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------+ + | Effective Date | Time the rule takes effect. | Immediate | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------+ + | Condition List | Parameters for configuring a condition are as follows: | **Path** **Include** **/admin** | + | | | | + | | - **Field**: Select the field you want to protect from the drop-down list. Currently, only **Path** and **User Agent** are included. | | + | | - **Subfield** | | + | | - **Logic**: Select a logical relationship from the drop-down list. | | + | | | | + | | .. note:: | | + | | | | + | | If you select **Include any value**, **Exclude any value**, **Equal to any value**, **Not equal to any value**, **Prefix is any value**, **Prefix is not any of them**, **Suffix is any value**, or **Suffix is not any of them**, a reference table must be selected for **Content**. For details about reference tables, see `Creating a Reference Table `__. | | + | | | | + | | - **Content**: Enter or select the content that matches the condition. 
| | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------+ + | Priority | Rule priority. If you have added multiple rules, rules are matched by priority. The smaller the value you set, the higher the priority. | 5 | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------+ + +If you enable anti-crawler, web visitors can only access web pages through a browser. + +|image8| + +Configuring CC Attack Protection to Limit Access Frequency +---------------------------------------------------------- + +A CC attack protection rule uses a specific IP address, cookie, or referer to limit the access to a specific path (URL), mitigating the impact of CC attacks on web services. + +#. `Log in to the management console `__. + +#. Click |image9| in the upper left corner of the management console and select a region or project. + +#. Click |image10| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**. + +#. In the navigation pane on the left, choose **Website Settings**. + +#. 
In the **Policy** column of the row containing the target domain name, click the number which shows how many protection types you have enabled. On the displayed page, ensure that CC attack protection is enabled (|image11|). + + + .. figure:: /_static/images/en-us_image_0234038602.png + :alt: **Figure 7** CC Attack Protection configuration area + + **Figure 7** CC Attack Protection configuration area + +#. In the upper left corner of the **CC Attack Protection** page, click **Add Rule**. The following uses IP address-based rate limiting and human-machine verification as examples to describe how to add an IP address-based rate limiting rule, as shown in :ref:`Figure 8 `. + + .. _waf_06_0006__fig2194154173819: + + .. figure:: /_static/images/en-us_image_0000001490687826.png + :alt: **Figure 8** Per IP address + + **Figure 8** Per IP address + + If the number of access requests exceeds the configured rate limit, the visitors are required to enter a verification code to continue the access. + + |image12| + +.. |image1| image:: /_static/images/en-us_image_0000001533036717.jpg +.. |image2| image:: /_static/images/en-us_image_0000001533157169.png +.. |image3| image:: /_static/images/en-us_image_0000001176153064.png +.. |image4| image:: /_static/images/en-us_image_0000001182529643.png +.. |image5| image:: /_static/images/en-us_image_0000001533461761.jpg +.. |image6| image:: /_static/images/en-us_image_0000001483021752.png +.. |image7| image:: /_static/images/en-us_image_0234013368.png +.. |image8| image:: /_static/images/en-us_image_0000001132757446.png +.. |image9| image:: /_static/images/en-us_image_0000001533701661.jpg +.. |image10| image:: /_static/images/en-us_image_0000001533182113.png +.. |image11| image:: /_static/images/en-us_image_0000001221411281.png +.. |image12| image:: /_static/images/en-us_image_0293910230.png 
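Review bot: the Condition List row of Table 1 in configuring_anti-crawler_rules_to_prevent_crawler_attacks.rst lists "- **Subfield**" with no description, unlike the Field, Logic and Content bullets; either describe when Subfield applies (which fields have one, what a blank value means) or drop the bullet. The closing sentence "If you enable anti-crawler, web visitors can only access web pages through a browser." should also tell readers that any non-browser clients they depend on (mobile apps, API integrations, monitoring probes) will fail the JavaScript check and must be carved out with **Exclude Rule** under **Protect all requests**, or by scoping **Protect specified requests** to browser-facing paths; as written, an operator enabling the rule site-wide would only find this out from the Events page. Two small text fixes: "use specific policies to browser as much information" in the first bullet should read "browse", and the hyperlink and :ref: targets as shown here (for example "`Log in to the management console `__" and ":ref:`Table 1 `") appear empty, so please confirm the targets are present in the committed file.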
diff --git a/doc/best-practice/source/configuring_basic_web_protection.rst b/doc/best-practice/source/configuring_basic_web_protection.rst new file mode 100644 index 0000000..e310624 --- /dev/null +++ b/doc/best-practice/source/configuring_basic_web_protection.rst 
@@ -0,0 +1,122 @@ +:original_name: waf_06_0014.html + +.. _waf_06_0014: + +Configuring Basic Web Protection +================================ + +This topic describes best practices in basic web protection. + +Application Scenarios +--------------------- + +Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF). + +Protection Policy +----------------- + +#. `Log in to the management console `__. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**. + +#. In the navigation pane on the left, choose **Website Settings**. + +#. In the **Policy** column of the row containing the domain name, click the number to go to the **Policies** page. + +#. In the **Basic Web Protection** configuration area, change its status if needed. + + + .. figure:: /_static/images/en-us_image_0234015780.png + :alt: **Figure 1** Basic Web Protection configuration area + + **Figure 1** Basic Web Protection configuration area + + By default, **Basic Web Protection** is enabled and its mode is **Log only**. + + - Protection status + + - |image3|: **Basic Web Protection** is enabled. + - |image4|: **Basic Web Protection** is disabled. + + - Protection mode: block or log only + + - **Block**: WAF blocks and logs the detected attacks. + - **Log only**: WAF only logs the detected attacks. + +#. Click **Advanced Settings** to go to the **Basic Web Protection** page. + + + .. 
figure:: /_static/images/en-us_image_0000001341710881.png + :alt: **Figure 2** Basic web protection + + **Figure 2** Basic web protection + + - **Protection Level**: high, medium, and low. The default level is **Low**. + + .. table:: **Table 1** Protection levels + + +-----------------------------------+-------------------------------------------------------------------------------------------------+ + | Protection Level | Description | + +===================================+=================================================================================================+ + | Low | WAF only blocks the requests with obvious attack signatures. | + | | | + | | If a large number of false alarms are reported, **Low** is recommended. | + +-----------------------------------+-------------------------------------------------------------------------------------------------+ + | Medium | The default level is **Medium**, which meets a majority of web protection requirements. | + +-----------------------------------+-------------------------------------------------------------------------------------------------+ + | High | WAF blocks the requests with no attack signature but have specific attack patterns. | + | | | + | | **High** is recommended if you want to block SQL injection, XSS, and command injection attacks. | + +-----------------------------------+-------------------------------------------------------------------------------------------------+ + + - Specify the protection type. + + By default, **General Check** is enabled in WAF. You can enable other protection types to meet your business needs. + +Usage Instructions +------------------ + +- If you are not familiar with your website's traffic pattern, select the **Log only** mode for one to two weeks and analyze the logs for those days. + + - If no record of blocking legitimate requests is found, switch to the **Block** mode. 
+ - If legitimate requests are blocked, adjust the protection level or configure global protection whitelist (formerly false alarm masking) rules to prevent legitimate requests from being blocked. + +- Note the following points in your operations: + + - Do not transfer the original SQL statement or JAVA SCRIPT code in a legitimate HTTP request. + - Do not use special keywords (such as UPDATE and SET) in a legitimate URL. For example, **https://www.example.com/abc/update/mod.php?set=1**. + - Use Object Storage Service (OBS) or other secure methods to upload files that exceed 50 MB rather than via a web browser. + +Protection Effect +----------------- + +To check whether basic web protection takes effect, enter a test domain name in the address bar of your browser and simulate an SQL injection attack. If WAF blocks the attack, the configuration works. You can view attack event logs on the **Dashboard** page. :ref:`Figure 4 ` shows an example. + + +.. figure:: /_static/images/en-us_image_0000001206567877.png + :alt: **Figure 3** Blocking SQL attacks + + **Figure 3** Blocking SQL attacks + +.. _waf_06_0014__fig19336114310613: + +.. figure:: /_static/images/en-us_image_0000001526543281.png + :alt: **Figure 4** Security Event Statistics + + **Figure 4** Security Event Statistics + +You can also view protection logs generated in yesterday, today, past 3 days, past 7 days, 30 days, or user-defined time range on the **Events** page. Click **Details** to view event details. :ref:`Figure 5 ` shows an example. + +.. _waf_06_0014__fig87764491241: + +.. figure:: /_static/images/en-us_image_0000001580873597.png + :alt: **Figure 5** Events + + **Figure 5** Events + +.. |image1| image:: /_static/images/en-us_image_0000001482677118.jpg +.. |image2| image:: /_static/images/en-us_image_0000001071109079.png +.. |image3| image:: /_static/images/en-us_image_0000001221468471.png +.. |image4| image:: /_static/images/en-us_image_0000001221668531.png 
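Review bot: Table 1 in configuring_basic_web_protection.rst contradicts the sentence just above it: the bullet says "The default level is **Low**." while the Medium row says "The default level is **Medium**, which meets a majority of web protection requirements." Pick one and correct the other, since readers rely on the default to judge whether the one-to-two-week **Log only** trial reflects the level they will run in **Block** mode. Also in Usage Instructions, "JAVA SCRIPT" should be "JavaScript", and in Protection Effect, "view protection logs generated in yesterday, today, past 3 days, past 7 days, 30 days, or user-defined time range" reads better as "generated yesterday, today, or in the past 3 days, 7 days, or 30 days, or in a user-defined time range".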
diff --git a/doc/best-practice/source/configuring_cc_attack_protection/cookie-based_cc_attack_protection.rst b/doc/best-practice/source/configuring_cc_attack_protection/cookie-based_cc_attack_protection.rst new file mode 100644 index 0000000..3198c81 --- /dev/null +++ b/doc/best-practice/source/configuring_cc_attack_protection/cookie-based_cc_attack_protection.rst 
@@ -0,0 +1,54 @@ +:original_name: waf_06_0004.html + +.. _waf_06_0004: + +Cookie-based CC Attack Protection +================================= + +In some cases, it may be difficult to obtain source IP addresses of visitors for a website. For example, websites use proxies that do not use the **X-Forwarded-For** HTTP header field. The cookie field should be configured to identify visitors and **All WAF instances** should be enabled for precise user-based rate limiting. + +Attack Cases +------------ + +Attackers may control several hosts and disguise as normal visitors to continuously send HTTP POST requests to website **www.example.com** through the same IP address or many different IP addresses. As a result, the website may respond slowly or even fails to respond to normal requests as the attackers exhausted website resources like connections and bandwidth. + +Protective Measures +------------------- + +#. Based on the access statistics, check whether a large number of requests are sent from a specific IP address. If yes, it is likely that the website is hit by CC attacks. + +#. Log in to the management console and route website traffic to WAF. For more details, see `Adding a Domain Name to WAF `__. + +#. In the **Policy** column of the row containing the target domain name, click the number which shows how many protection types you have enabled. On the displayed page, ensure that CC attack protection is enabled (|image1|). + + + .. figure:: /_static/images/en-us_image_0234038602.png + :alt: **Figure 1** CC Attack Protection configuration area + + **Figure 1** CC Attack Protection configuration area + +#. Add a CC attack protection rule. Set **Rate Limit Mode** to **Per user** and enter the user identifier, which is the variable in the cookie field. To identify visitors more effectively, use **sessionid** or **token**. + + .. note:: + + With a CC attack protection rule, you can configure **Protective Action** to **Block** and specify a block duration. 
Then, once an attack is blocked, the attacker will be blocked until the block duration expires. These settings are recommended if your applications have high security requirements. + + + .. figure:: /_static/images/en-us_image_0000001295016484.png + :alt: **Figure 2** Adding a CC attack protection rule + + **Figure 2** Adding a CC attack protection rule + + - **Rate Limit Mode**: Select **Source** and then **Per user** to distinguish a single web visitor based on cookies. + - **User Identifier**: To identify visitors more effectively, use **sessionid** or **token**. + - **Rate Limit**: Number of requests allowed from a web visitor in the rate limiting period. The visitor's access request is denied if the limit is reached. + - **All WAF instances**: Requests to on one or more WAF instances will be counted together according to the rate limit mode you select. By default, requests to each WAF instance are counted. If you enable this, WAF will count requests to all your WAF instances for triggering this rule. To enable user-based rate limiting, **Per user** or **Other** (**Referer** must be configured) instead of **Per IP address** must be selected for **Rate Limit Mode**. This is because IP address-based rate limiting cannot limit the access rate of a specific user. However, in user-based rate limiting, requests may be forwarded to one or more WAF instances. Therefore, **All WAF instances** must be enabled for triggering the rule precisely. + - **Protective Action**: Select **Block**. Then specify **Block Duration**. Once an attack is blocked, the attacker will be blocked until the block duration expires. These settings are recommended if your applications have high security requirements. + + - **Verification code**: A verification code is required if your website visitor's requests reaches **Rate Limit** you configured. WAF allows requests that trigger the rule as long as the website visitors complete the required verification. 
+ - **Block**: Requests are blocked if the number of requests exceeds the configured rate limit. + - **Log only**: Requests are logged only but not blocked if the number of requests exceeds the configured rate limit. + + - **Block Page**: Select **Default settings** or **Custom**. + +.. |image1| image:: /_static/images/en-us_image_0000001221411281.png diff --git a/doc/best-practice/source/configuring_cc_attack_protection/index.rst b/doc/best-practice/source/configuring_cc_attack_protection/index.rst new file mode 100644 index 0000000..7aeb08a --- /dev/null +++ b/doc/best-practice/source/configuring_cc_attack_protection/index.rst @@ -0,0 +1,23 @@ +:original_name: waf_06_0001.html + +.. _waf_06_0001: + +Configuring CC Attack Protection +================================ + +- :ref:`Overview ` + This section guides you through configuring IP address-based rate limiting and cookie-based protection rules against Challenge Collapsar (CC) attacks. +- :ref:`IP Address-based Rate Limiting ` + If no proxy is used between WAF and web visitors, limiting source IP addresses is an effective way to detect attacks. IP address-based rate limiting policies are recommended. +- :ref:`Cookie-based CC Attack Protection ` + In some cases, it may be difficult to obtain source IP addresses of visitors for a website. For example, websites use proxies that do not use the **X-Forwarded-For** HTTP header field. The cookie field should be configured to identify visitors and **All WAF instances** should be enabled for precise user-based rate limiting. +- :ref:`Restricting Malicious Requests in Promotions by Using Cookies and HWWAFSESID ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + overview + ip_address-based_rate_limiting + cookie-based_cc_attack_protection + restricting_malicious_requests_in_promotions_by_using_cookies_and_hwwafsesid 
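Review bot: the rule in cookie-based_cc_attack_protection.rst keys rate limiting on a client-supplied cookie (**sessionid** or **token**), but the text never says how requests that omit the cookie, or that present a different value each time, are counted; that is the first question an operator facing the described POST flood will ask. State the behaviour for cookie-less requests and recommend pairing this rule with the HWWAFSESID-based rule added in this same commit (or with the IP-based rule where **X-Forwarded-For** is reliable), so that a changing identifier does not leave the limit untriggered. The **All WAF instances** bullet makes the right point but buries it; leading with "enable this whenever **Rate Limit Mode** is **Per user** or **Other**, because one user's requests can land on several instances" would be clearer. Minor: "Requests to on one or more WAF instances" has a stray "on", and "disguise as normal visitors" should be "disguise themselves as normal visitors".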
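Review bot: in configuring_cc_attack_protection/index.rst the fourth entry, ":ref:`Restricting Malicious Requests in Promotions by Using Cookies and HWWAFSESID `", has no one-line summary under it while the other three entries each carry one; add the opening sentence from that page ("This document describes how WAF restricts malicious requests during promotions by using service cookies and HWWAFSESID.") so the index reads consistently.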
diff --git a/doc/best-practice/source/configuring_cc_attack_protection/ip_address-based_rate_limiting.rst b/doc/best-practice/source/configuring_cc_attack_protection/ip_address-based_rate_limiting.rst new file mode 100644 index 0000000..5fe6af3 --- /dev/null +++ b/doc/best-practice/source/configuring_cc_attack_protection/ip_address-based_rate_limiting.rst 
@@ -0,0 +1,60 @@ +:original_name: waf_06_0003.html + +.. _waf_06_0003: + +IP Address-based Rate Limiting +============================== + +If no proxy is used between WAF and web visitors, limiting source IP addresses is an effective way to detect attacks. IP address-based rate limiting policies are recommended. + +Attack Examples +--------------- + +Attackers can use several hosts to continuously send HTTP POST requests to website **www.example.com**. Those malicious requests will use up website resources, such as the website connections and bandwidth. As a result, the website fails to respond normal requests and its competitiveness decreases sharply. + +Protective Measures +------------------- + +#. Based on the access statistics, check whether a large number of requests are sent from a specific IP address. If yes, it is likely that the website is hit by CC attacks. + +#. Log in to the management console and route website traffic to WAF. For more details, see `Adding a Domain Name to WAF `__. + +#. In the **Policy** column of the row containing the target domain name, click the number which shows how many protection types you have enabled. On the displayed page, ensure that CC attack protection is enabled (|image1|). + + + .. figure:: /_static/images/en-us_image_0234038602.png + :alt: **Figure 1** CC Attack Protection configuration area + + **Figure 1** CC Attack Protection configuration area + +#. Then, add a CC attack protection rule. Specify a path, set **Rate Limit Mode** to **Per IP address**, **Rate Limit** based on service features, and **Protective Action** to **Verification code** to prevent blocking legitimate users. :ref:`Figure 2 ` shows the settings. + + .. _waf_06_0003__fig13919382403: + + .. figure:: /_static/images/en-us_image_0000001490687826.png + :alt: **Figure 2** Per IP address + + **Figure 2** Per IP address + + - **Rate Limit Mode**: Select **Source** and then **Per IP address** to distinguish a single web visitor based on IP addresses. 
+ - **Rate Limit**: Number of requests allowed from a website visitor in the rate limiting period. The visitor's access request is denied if the limit is reached. + - **Protective Action**: To prevent legitimate requests from being blocked, select **Verification code**. + + - **Verification code**: A verification code is required if your website visitor's requests reaches **Rate Limit** you configured. WAF allows requests that trigger the rule as long as the website visitors complete the required verification. + - **Block**: Requests are blocked if the number of requests exceeds the configured rate limit. + - **Log only**: Requests are logged only but not blocked if the number of requests exceeds the configured rate limit. + +If the number of access requests exceeds the configured rate limit, the visitors are required to enter a verification code to continue the access. + +|image2| + +Go to the **Events** page and view details about attack events. + + +.. figure:: /_static/images/en-us_image_0227064467.png + :alt: **Figure 3** Querying CC attack event logs + + **Figure 3** Querying CC attack event logs + +.. |image1| image:: /_static/images/en-us_image_0000001221411281.png +.. |image2| image:: /_static/images/en-us_image_0111310053.jpg diff --git a/doc/best-practice/source/configuring_cc_attack_protection/overview.rst b/doc/best-practice/source/configuring_cc_attack_protection/overview.rst new file mode 100644 index 0000000..5081f5d --- /dev/null +++ b/doc/best-practice/source/configuring_cc_attack_protection/overview.rst 
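Review bot: ip_address-based_rate_limiting.rst opens with "If no proxy is used between WAF and web visitors, limiting source IP addresses is an effective way to detect attacks." but never states the failure mode when a proxy or CDN is in the path: every visitor then arrives from the proxy's address, so a **Per IP address** rule with **Block** throttles all legitimate users together and with **Verification code** challenges all of them. Add a sentence sending readers in that situation to the cookie-based rule in this commit, and, since the attack example and the step list are otherwise identical to the cookie page, consider cross-linking the two rather than repeating the login and policy-page steps. Text fix: "fails to respond normal requests" should be "fails to respond to normal requests".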
@@ -0,0 +1,23 @@ +:original_name: waf_06_0002.html + +.. _waf_06_0002: + +Overview +======== + +This section guides you through configuring IP address-based rate limiting and cookie-based protection rules against Challenge Collapsar (CC) attacks. + +What Is WAF? +------------ + +Web Application Firewall (WAF) is used to defend against web attacks, such as cross-site scripting (XSS), SQL injection, web shells, and CC attacks. A CC attack is a type of denial of service (DoS) attack. In a CC attack, the attacker uses a proxy server to generate and send disguised requests to the target host. + +How Can We Know Whether a CC Attack Occurs? +------------------------------------------- + +If you find that the website processing speed decreases and network bandwidth usage is high, your website may suffer from CC attacks. In this case, check whether the number of access logs or network connections increases significantly. If yes, your website is suffering from CC attacks. Then you can configure the protection policies to block CC attacks, thereby ensuring website availability. + +.. note:: + + - WAF protects application-layer traffic against DoS attacks, such as HTTP GET attacks. + - WAF does not provide protection for layer 4 or lower traffic, such as ACK Flood and UDP flood attacks. It is recommended that Anti-DDoS and Advanced Anti-DDoS (AAD) be used to defend against such attacks. diff --git a/doc/best-practice/source/configuring_cc_attack_protection/restricting_malicious_requests_in_promotions_by_using_cookies_and_hwwafsesid.rst b/doc/best-practice/source/configuring_cc_attack_protection/restricting_malicious_requests_in_promotions_by_using_cookies_and_hwwafsesid.rst new file mode 100644 index 0000000..c37cf05 --- /dev/null +++ b/doc/best-practice/source/configuring_cc_attack_protection/restricting_malicious_requests_in_promotions_by_using_cookies_and_hwwafsesid.rst 
@@ -0,0 +1,84 @@ +:original_name: waf_06_0031.html + +.. _waf_06_0031: + +Restricting Malicious Requests in Promotions by Using Cookies and HWWAFSESID +============================================================================ + +This document describes how WAF restricts malicious requests during promotions by using service cookies and HWWAFSESID. + +Application Scenarios +--------------------- + +- **Scenario 1**: To steal extra bonus (such as goods in promotions or downloads), a malicious actor may use the same account to send requests to a website by changing IP addresses or terminals. + + Protective measures: :ref:`Using Cookies (or User IDs) to Configure a Path-based CC Attack Protection Rule ` + +- **Scenario 2**: To steal extra bonus (such as goods in promotions or downloads), a malicious actor may use multiple accounts to send requests to a website through the same PC by frequently changing its IP address. + + Protective measures: :ref:`Using HWWAFSESID to Configure a CC Attack Protection Rule ` + +.. _waf_06_0031__section540952217462: + +Using Cookies (or User IDs) to Configure a Path-based CC Attack Protection Rule +------------------------------------------------------------------------------- + +#. Log in to the management console and connect your website to WAF. + + - Cloud WAF: `Adding a Domain Name to WAF (Cloud Mode) `__ + - Dedicated WAF instances: `Adding a Website to WAF (Dedicated Mode) `__ + +#. In the **Policy** column of the row containing the domain name, click the number to go to the **Policies** page. + +#. In the **CC Attack Protection** configuration area, enable **CC Attack Protection** if needed and click **Customize Rule**. + + + .. figure:: /_static/images/en-us_image_0000001323616946.png + :alt: **Figure 1** CC Attack Protection configuration area + + **Figure 1** CC Attack Protection configuration area + +#. In the upper left corner of the **CC Attack Protection** page, click **Add Rule**. + +#. 
Configure a CC attack protection rule using a cookie or user ID to limit traffic to the path. :ref:`Figure 2 ` shows an example. + + .. _waf_06_0031__fig10264172114018: + + .. figure:: /_static/images/en-us_image_0000001490530926.png + :alt: **Figure 2** Configuring service cookies + + **Figure 2** Configuring service cookies + +#. Click **Confirm**. + +.. _waf_06_0031__section1711145514479: + +Using HWWAFSESID to Configure a CC Attack Protection Rule +--------------------------------------------------------- + +#. Log in to the management console and connect your website to WAF. + + - Cloud WAF: `Adding a Domain Name to WAF (Cloud Mode) `__ + - Dedicated WAF instances: `Adding a Website to WAF (Dedicated Mode) `__ + +#. In the **Policy** column of the row containing the domain name, click the number to go to the **Policies** page. + +#. In the **CC Attack Protection** configuration area, enable **CC Attack Protection** if needed and click **Customize Rule**. + + + .. figure:: /_static/images/en-us_image_0000001374386301.png + :alt: **Figure 3** CC Attack Protection configuration area + + **Figure 3** CC Attack Protection configuration area + +#. In the upper left corner of the **CC Attack Protection** page, click **Add Rule**. + +#. Configure a CC attack protection rule using HWWAFSESID to limit traffic to the path. + + + .. figure:: /_static/images/en-us_image_0000001555783590.png + :alt: **Figure 4** HWWAFSESID-based rate limiting + + **Figure 4** HWWAFSESID-based rate limiting + +#. Click **Confirm**. diff --git a/doc/best-practice/source/configuring_the_minimum_tls_version_and_cipher_suite_to_better_secure_connections.rst b/doc/best-practice/source/configuring_the_minimum_tls_version_and_cipher_suite_to_better_secure_connections.rst new file mode 100644 index 0000000..d703164 --- /dev/null +++ b/doc/best-practice/source/configuring_the_minimum_tls_version_and_cipher_suite_to_better_secure_connections.rst 
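Review bot: restricting_malicious_requests_in_promotions_by_using_cookies_and_hwwafsesid.rst uses HWWAFSESID throughout without defining it, so a reader cannot tell from the page why it covers Scenario 2 (one PC, many accounts, changing IP addresses) when a service cookie or user ID does not. Add a one-sentence definition in the introduction; my understanding is that it is the session identifier WAF itself assigns to the client rather than one the application issues per account, which is what makes it survive account and IP changes, but please confirm the wording with the product team. Also, the step "Configure a CC attack protection rule using HWWAFSESID to limit traffic to the path." names no parameters (path, rate limit, protective action) and, unlike the cookie section, does not reference its figure; a short parameter list mirroring the cookie page would make the two procedures parallel.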
@@ -0,0 +1,304 @@ +:original_name: waf_06_0012.html + +.. _waf_06_0012: + +Configuring the Minimum TLS Version and Cipher Suite to Better Secure Connections +================================================================================= + +HTTPS is a network protocol constructed based on Transport Layer Security (TLS) and HTTP for encrypted transmission and identity authentication. When you `add a domain name to WAF `__, set **Client Protocol** to **HTTPS**. Then, you can configure the minimum TLS version and cipher suite to harden website security. The details are as follows: + +- Minimum TLS version + + The minimum TLS version that can be used by a client to access the website. After you configure the minimum TLS version, only the requests over the connections secured with the minimum TLS version or the later version can access your website. This helps you meet security requirements for industrial websites. + + .. note:: + + - Up to now, four TLS versions (TLS v1.0, TLS v1.1, TLS v1.2 and TLS v1.3) have been released, among which TLS v1.0 and TLS v1.1 have been released for a long time. Some encryption algorithms (such as SHA1 and RC4) used by TLS v1.0 and TLS v1.1 are vulnerable to attacks. TLS v1.0 and TLS v1.1 cannot meet the geometric growth of data transmission encryption requirements, which might bring potential security risks. To secure the communication and meet the Payment Card Industry Data Security Standard (PCI DSS), PCI Security Standards Council (PCI SSC) stated that it no longer accepted TLS v1.0 as of June 30, 2018. Vendors of mainstream browsers, such as Mozilla Firefox, Apple Safari, Google Chrome, and Microsoft Edge, also declared that they would stop supporting TLS v1.0 and TLS v1.1 by 2020. + - You can query the TLS version supported by the website through other tools. + +- Cipher suites + + A cipher suite is a set of algorithms that help secure a network connection through TLS. 
A more secure cipher suite can better secure the confidentiality and data integrity of websites. + +Recommended Minimum TLS Versions for Different Scenarios +-------------------------------------------------------- + +The default minimum TLS version configured in WAF is **TLS v1.0**. To better secure your website, configure an appropriate TLS version. :ref:`Table 1 ` lists the recommended minimum TLS versions for different scenarios. + +.. _waf_06_0012__table19196118195712: + +.. table:: **Table 1** Recommended minimum TLS versions + + +------------------------------------------------------------------------------------------------------------------+-----------------------------------+--------------------------------------------------------------------------------------------+ + | Scenario | Minimum TLS Version (Recommended) | Protection Effect | + +==================================================================================================================+===================================+============================================================================================+ + | Websites with high security requirements but no requirements for compatibility with other TLS versions | TLS v1.3 | WAF automatically blocks website access requests that use TLS v1.0, TLS v1.1, or TLS v1.2. | + +------------------------------------------------------------------------------------------------------------------+-----------------------------------+--------------------------------------------------------------------------------------------+ + | Websites that handle critical business data, such as sites used in banking, finance, securities, and e-commerce. | TLS v1.2 | WAF automatically blocks website access requests that use TLS v1.0 or TLS v1.1. 
| + +------------------------------------------------------------------------------------------------------------------+-----------------------------------+--------------------------------------------------------------------------------------------+ + | Websites with basic security requirements, for example, small- and medium-sized enterprise websites. | TLS v1.1 | WAF automatically blocks website access requests that use TLS v1.0. | + +------------------------------------------------------------------------------------------------------------------+-----------------------------------+--------------------------------------------------------------------------------------------+ + | Client applications with no special security requirements | TLS v1.0 | Requests using any TLS protocols can access the website. | + +------------------------------------------------------------------------------------------------------------------+-----------------------------------+--------------------------------------------------------------------------------------------+ + +Recommended Cipher Suites +------------------------- + +The default cipher suite in WAF is **Cipher suite 1**. Cipher suite 1 offers a good mix of browser compatibility and security. For details about each cipher suite, see :ref:`Table 2 `. + +.. _waf_06_0012__table687919215563: + +.. 
table:: **Table 2** Description of cipher suites + + +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher Suite Name | Supported cryptographic algorithms | Description | + +=======================+====================================+===================================================================================================================================================================+ + | Default cipher suite | - ECDHE-RSA-AES256-SHA384 | - Compatibility: Good. | + | | - AES256-SHA256 | | + | | - HIGH | A wide range of browsers are supported. | + | | - !MD5 | | + | | - !aNULL | - Security: Average | + | | - !eNULL | | + | | - !NULL | | + | | - !DH | | + | | - !EDH | | + | | - !AESGCM | | + +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 1 | - ECDHE-ECDSA-AES256-GCM-SHA384 | Recommended configuration. | + | | - HIGH | | + | | - !MEDIUM | - Compatibility: Good. | + | | - !LOW | | + | | - !aNULL | A wide range of browsers are supported. | + | | - !eNULL | | + | | - !DES | - Security: Good | + | | - !MD5 | | + | | - !PSK | | + | | - !kRSA | | + | | - !SRP | | + | | - !3DES | | + | | - !DSS | | + | | - !EXP | | + | | - !CAMELLIA | | + | | - @STRENGTH | | + +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 2 | - EECDH+AESGCM | - Compatibility: Average. 
| + | | - EDH+AESGCM | | + | | | Strict compliance with forward secrecy requirements of PCI DSS and excellent protection, but browsers of earlier versions may be unable to access the website. | + | | | | + | | | - Security: Excellent | + +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 3 | - ECDHE-RSA-AES128-GCM-SHA256 | - Compatibility: Average. | + | | - ECDHE-RSA-AES256-GCM-SHA384 | | + | | - ECDHE-RSA-AES256-SHA384 | Earlier versions of browsers may be unable to access the website. | + | | - HIGH | | + | | - !MD5 | - Security: Excellent. | + | | - !aNULL | | + | | - !eNULL | Multiple algorithms, such as ECDHE, DHE-GCM, and RSA-AES-GCM, are supported. | + | | - !NULL | | + | | - !DH | | + | | - !EDH | | + +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 4 | - ECDHE-RSA-AES256-GCM-SHA384 | - Compatibility: Good. | + | | - ECDHE-RSA-AES128-GCM-SHA256 | | + | | - ECDHE-RSA-AES256-SHA384 | A wide range of browsers are supported. | + | | - AES256-SHA256 | | + | | - HIGH | - Security: Average. | + | | - !MD5 | | + | | - !aNULL | The GCM algorithm is supported. | + | | - !eNULL | | + | | - !NULL | | + | | - !EDH | | + +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +The cipher suites provided by WAF are compatible with the latest browsers and clients, but are incompatible with some browsers of earlier versions. 
Compatible browsers or clients of a certain cipher suite may vary depending on the TLS version configured. Using TLS v1.0 as an example, :ref:`Table 3 ` describes the browser and client compatibility. + +.. important:: + + It is recommended that compatibility tests should be carried out on the service environment to ensure service stability. + +.. _waf_06_0012__table17250179131020: + +.. table:: **Table 3** Incompatible browsers and clients for cipher suites under TLS v1.0 + + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Browser/Client | Default Cipher Suite | Cipher Suite 1 | Cipher Suite 2 | Cipher Suite 3 | Cipher Suite 4 | + +=============================================+======================+================+================+================+================+ + | Google Chrome 63 /macOS High Sierra 10.13.2 | Not compatible | Compatible | Compatible | Compatible | Not compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Google Chrome 49/ Windows XP SP3 | Not compatible | Not compatible | Not compatible | Not compatible | Not compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Internet Explorer 6 | Not compatible | Not compatible | Not compatible | Not compatible | Not compatible | + | | | | | | | + | /Windows XP | | | | | | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Internet Explorer 8 | Not compatible | Not compatible | Not compatible | Not compatible | Not compatible | + | | | | | | | + | /Windows XP | | | | | | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | 
Safari 6/iOS 6.0.1 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Safari 7/iOS 7.1 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Safari 7/OS X 10.9 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Safari 8/iOS 8.4 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Safari 8/OS X 10.10 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Internet Explorer | Compatible | Compatible | Not compatible | Compatible | Compatible | + | | | | | | | + | 7/Windows Vista | | | | | | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Internet Explorer 8, 9, or 10 | Compatible | Compatible | Not compatible | Compatible | Compatible | + | | | | | | | + | /Windows 7 | | | | | | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Internet Explorer 10 | Compatible | Compatible | Not compatible | Compatible | Compatible | + | | | | | | | + | /Windows Phone 8.0 | | | | | | + 
+---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Java 7u25 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | OpenSSL 0.9.8y | Not compatible | Not compatible | Not compatible | Not compatible | Not compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Safari 5.1.9/OS X 10.6.8 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Safari 6.0.4/OS X 10.8.4 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + +Configuring the Minimum TLS Version and Cipher Suite +---------------------------------------------------- + +The following describes how to configure TLS v1.2 and cipher suite 1 as the minimum TLS version and how to verify that the configuration takes effect. + +#. `Log in to the management console `__. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**. + +#. In the navigation pane on the left, choose **Website Settings**. + +#. In the **Protected Website** column, click the domain name of the website to go to the basic information page. + +#. Click |image3| in the **TLS Configuration** row. + + + .. 
figure:: /_static/images/en-us_image_0000001529961950.png + :alt: **Figure 1** TLS configuration modification + + **Figure 1** TLS configuration modification + + .. note:: + + WAF allows you to enable PCI DSS and PCI 3-Domain Secure (3DS) compliance certification checks with just a few clicks. After they are enabled, WAF will configure the minimum TLS version in accordance with the PCI DSS and PCI 3DS compliance certification requirements. + + - If you enable the PCI DSS certification check: + + - The minimum TLS version and cypher suite are automatically set to **TLS v1.2** and **EECDH+AESGCM:EDH+AESGCM**, respectively, and cannot be changed. + - To change the minimum TLS version and cipher suite, disable the check. + + - If you enable the PCI 3DS certification check: + + - The minimum TLS version is automatically set to **TLS v1.2** and cannot be changed. + - The check cannot be disabled. + +#. In the displayed **TLS Configuration** dialog box, select **TLS v1.2** as the minimum TLS version and **Cipher suite 1**. :ref:`Figure 2 ` + + .. _waf_06_0012__fig2289104051016: + + .. figure:: /_static/images/en-us_image_0000001580602633.png + :alt: **Figure 2** TLS Configuration + + **Figure 2** TLS Configuration + +#. Click **OK**. + +Verification +------------ + +If the **Minimum TLS Version** is set to **TLS v1.2**, verify that the website can be accessed over connections secured by TLS v1.2 or later but cannot be accessed over connections secured by TLS v1.1 or earlier. + +You can run commands on the local PC to check whether the TLS is configured successfully. Before the verification, ensure that `OpenSSL `__ has been installed on your local PC. + +#. Copy the CNAME record of the protected domain name and use the CNAME record to obtain WAF back-to-source IP addresses. + + a. `Log in to the management console `__. + + b. Click |image4| in the upper left corner of the management console and select a region or project. + + c. 
Click |image5| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**. + + d. In the navigation pane on the left, choose **Website Settings**. + + e. In the **Protected Website** column, click the domain name of the website to go to the basic information page. + + f. In the **CNAME** row, click |image6| to copy the CNAME record. + + + .. figure:: /_static/images/en-us_image_0242811195.png + :alt: **Figure 3** Copying the CNAME record + + **Figure 3** Copying the CNAME record + +#. Obtain the WAF back-to-source IP addresses. + + - Cloud mode + + In the command line interface (CLI) of the Windows OS, run the following command to obtain WAF back-to-source IP addresses: + + **ping** *CNAME record* + + The command output displays WAF back-to-source IP addresses. :ref:`Figure 4 ` shows an example. + + .. _waf_06_0012__fig3609445192: + + .. figure:: /_static/images/en-us_image_0000001212341441.png + :alt: **Figure 4** ping cname + + **Figure 4** ping cname + + - Dedicated mode + + a. In the navigation pane on the left, choose **Instances Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + b. In the **Subnet IP Address** column, obtain the subnet IP addresses of all dedicated WAF instances. Those subnet IP addresses are back-to-source IP addresses of dedicated WAF instances. + + + .. figure:: /_static/images/en-us_image_0000001212182863.png + :alt: **Figure 5** Subnet IP Address of a dedicated WAF instance + + **Figure 5** Subnet IP Address of a dedicated WAF instance + +#. Run the following command to verify that the protected website can be accessed using TLS v1.2. + + **openssl** **s_client** **-connect** *WAF back-to-source IP address* **-servername** "*Domain name of the protected website*" **-tls1_2** + + If the certificate information similar to the one shown in :ref:`Figure 6 ` is displayed, the website can be accessed using TLS v1.2. + + .. _waf_06_0012__fig12701330111811: + + .. 
figure:: /_static/images/en-us_image_0242722489.png + :alt: **Figure 6** Verifying TLS v1.2 + + **Figure 6** Verifying TLS v1.2 + +#. Run the following command to verify that the protected website cannot be accessed using TLS v1.1. + + **openssl** **s_client** **-connect** *WAF back-to-source IP address* **-servername** "*Protected domain name*" **-tls1_1** + + If no certificate information is displayed, as shown in :ref:`Figure 7 `, WAF has blocked the access that used TLS v1.1. + + .. _waf_06_0012__fig19423257172014: + + .. figure:: /_static/images/en-us_image_0242722510.png + :alt: **Figure 7** Verifying TLS v1.1 + + **Figure 7** Verifying TLS v1.1 + +.. |image1| image:: /_static/images/en-us_image_0000001072637202.jpg +.. |image2| image:: /_static/images/en-us_image_0000001071109079.png +.. |image3| image:: /_static/images/en-us_image_0242690001.jpg +.. |image4| image:: /_static/images/en-us_image_0000001072637504.jpg +.. |image5| image:: /_static/images/en-us_image_0000001072317940.png +.. |image6| image:: /_static/images/en-us_image_0242812829.jpg diff --git a/doc/best-practice/source/connecting_a_domain_to_waf/connecting_a_domain_name_to_waf_for_websites_with_no_proxy_used.rst b/doc/best-practice/source/connecting_a_domain_to_waf/connecting_a_domain_name_to_waf_for_websites_with_no_proxy_used.rst new file mode 100644 index 0000000..4911ffe --- /dev/null +++ b/doc/best-practice/source/connecting_a_domain_to_waf/connecting_a_domain_name_to_waf_for_websites_with_no_proxy_used.rst 
@@ -0,0 +1,123 @@ +:original_name: waf_06_0018.html + +.. _waf_06_0018: + +Connecting a Domain Name to WAF for Websites with no Proxy Used +=============================================================== + +If your website is not added to WAF, DNS resolves your domain name to the IP address of the origin server. If your website is added to WAF, DNS resolves your domain name to the CNAME of WAF. In this way, the traffic passes through WAF. WAF inspects every traffic coming from the client and filters out malicious traffic. This section describes how to change DNS settings for WAF to take effect. + +Schematic Diagram +----------------- + + +.. figure:: /_static/images/en-us_image_0000001154964427.png + :alt: **Figure 1** No proxy used + + **Figure 1** No proxy used + +Prerequisites +------------- + +- Website domain names are available. +- `WAF has been purchased `__. +- The website information (such as the IP address and port number of the origin server) `has been added to WAF `__. +- The account to update the DNS configuration is available. +- (Optional) You have whitelisted WAF back-to-source IP addresses. If other security software is used on the origin server, whitelist the WAF back-to-source IP addresses to prevent normal traffic from being blocked. For details, see :ref:`Configuring an Access Control Policy on an ECS or ELB to Protect Origin Servers `. +- (Optional) You have tested WAF before changing DNS settings. This can prevent service interruption due to incorrect configurations. For details, see `Testing WAF `__. + +Scenario +-------- + +- If the **Type** of the domain name host record added on DNS is **CNAME - Map one domain to another**, complete the configuration based on the instructions in :ref:`CNAME Access `. + +For details, see `Record Set Types and Configuration Rules `__. + +.. 
_waf_06_0018__section14456184764810: + +CNAME Access +------------ + +If the **Type** of the domain name host record added on DNS is **CNAME - Map one domain to another**, add the domain name to WAF by following the steps below. + +The methods to change DNS records on different DNS platforms are similar. The following example is based on our Domain Name Service (DNS). + +#. Obtain the CNAME record. + + - If you are adding a domain name, perform the following operations to obtain the CNAME record of the domain name after configuring the basic information about the domain name: + + Click |image1| to obtain the CNAME record of the protected domain name. + + + .. figure:: /_static/images/en-us_image_0000001367981573.png + :alt: **Figure 2** Connecting a domain name to WAF + + **Figure 2** Connecting a domain name to WAF + + - If you have added a domain name, perform the following steps to obtain the CNAME record of the domain name: + + a. Click |image2| in the upper left corner of the management console and select a region or project. + + b. Click |image3| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**. + + c. In the navigation pane, choose **Website Settings**. + + d. In the row of the desired domain name, click the domain name you want to test. + + + .. figure:: /_static/images/en-us_image_0000001242204650.png + :alt: **Figure 3** Basic Information + + **Figure 3** Basic Information + + e. In the **CNAME** row, click |image4| to copy the CNAME record. + +#. Change the DNS settings. + + a. Access the DNS resolution page, as shown in :ref:`Figure 4 `. + + .. _waf_06_0018__waf_06_0022_fig165861648185013: + + .. figure:: /_static/images/en-us_image_0000001550899193.png + :alt: **Figure 4** DNS page + + **Figure 4** DNS page + + b. In the **Operation** column of the target domain name, click **Modify**. The **Modify Record Set** page is displayed. + + c. In the displayed **Modify Record Set** dialog box, change the record. 
+ + - **Name**: Domain name configured in WAF + - **Type**: Select **CNAME - Map one domain to another**. + - **Line**: **Default** + - **TTL (s)**: The recommended value is **5 min**. A larger TTL value will make it slower for synchronization and update of DNS records. + - **Value**: Change it to the copied CNAME value from WAF. + - Keep other settings unchanged. + + .. note:: + + About modifying the resolution record: + + - The CNAME record must be unique for the same host record. The existing CNAME record must be changed to the WAF CNAME record. + - Record sets of different types in the same zone may conflict with each other. For example, for the same host record, the CNAME record conflicts with another record, such as the A record, MX record, or TXT record. If the record type cannot be changed, you can delete the conflicting records and add a CNAME record. Deleting other records and adding a CNAME record should be completed in as short time as possible. If no CNAME record is added after the A record is deleted, domain resolution may fail. + + For details about the restrictions on domain name resolution types, see `Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set? `__ + + + .. figure:: /_static/images/en-us_image_0235826013.png + :alt: **Figure 5** Modifying a record set + + **Figure 5** Modifying a record set + + d. Click **OK**. + +#. (Optional) Ping the IP address of your domain name to check whether the new DNS settings take effect. + + .. note:: + + It takes some time for the new DNS settings to take effect. If ping fails, wait for 5 minutes and ping again. + +.. |image1| image:: /_static/images/en-us_image_0000001316517938.png +.. |image2| image:: /_static/images/en-us_image_0210924450.jpg +.. |image3| image:: /_static/images/en-us_image_0269288850.png +.. |image4| image:: /_static/images/en-us_image_0235603964.jpg 
diff --git a/doc/best-practice/source/connecting_a_domain_to_waf/index.rst b/doc/best-practice/source/connecting_a_domain_to_waf/index.rst new file mode 100644 index 0000000..83cea55 --- /dev/null +++ b/doc/best-practice/source/connecting_a_domain_to_waf/index.rst @@ -0,0 +1,17 @@ +:original_name: waf_06_0016.html + +.. _waf_06_0016: + +Connecting a Domain to WAF +========================== + +- :ref:`Preparations ` + To enable WAF protection, you need to add domain names of your web services to WAF and route website traffic to WAF. Before you start, get familiar with what you want to protect with WAF. +- :ref:`Connecting a Domain Name to WAF for Websites with no Proxy Used ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + preparations + connecting_a_domain_name_to_waf_for_websites_with_no_proxy_used diff --git a/doc/best-practice/source/connecting_a_domain_to_waf/preparations.rst b/doc/best-practice/source/connecting_a_domain_to_waf/preparations.rst new file mode 100644 index 0000000..b9ab39c --- /dev/null +++ b/doc/best-practice/source/connecting_a_domain_to_waf/preparations.rst 
@@ -0,0 +1,87 @@ +:original_name: waf_06_0017.html + +.. _waf_06_0017: + +Preparations +============ + +To enable WAF protection, you need to add domain names of your web services to WAF and route website traffic to WAF. Before you start, get familiar with what you want to protect with WAF. + +Website Service Review +---------------------- + +Sort out all website services you want to protect with WAF. This helps you learn about status quo and specific data for making right decisions in configuring protection policies. + +.. table:: **Table 1** Website services + + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Item | Description | + +=============================================================================================================+=================================================================================================================================================================================================================================+ + | **Website and Service Information** | | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Daily peak traffic of website/web application services, including the bandwidth (in Mbit/s) and QPS | Use it as the basis for selecting the service bandwidth and QPS specifications. | + | | | + | | .. 
note:: | + | | | + | | If your website traffic peak exceeds the maximum QPS specifications you are using, WAF will stop checking the traffic and directly forward it to the origin server. There is no protection for your website or applications. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Major user group (for example, major area that the requests originate from) | Determine the attack source and then set geolocation access control rules to block users from these areas. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether the service is a C/S architecture | If yes, check whether there is an app client, Windows client, Linux client, code callback, or any other client. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Location where the origin server is deployed | Decide which region to buy. 
| + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Operating system (Linux or Windows) and web service middleware (Apache, Nginx, or IIS) of the origin server | Check whether access control is enabled for the origin server. If yes, whitelist WAF back-to-source IP addresses. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Domain protocol | Check whether WAF supports the communication protocol used by your site. | + | | | + | | .. note:: | + | | | + | | WAF can protect your website only when **Client Protocol** and **Server Protocol** are configured based on the real situation of your website. | + | | | + | | - **Client Protocol**: the protocol used by a client (for example, a browser) to access your website. You can select **HTTP** or **HTTPS**. | + | | - **Server Protocol**: the protocol used by WAF to forward requests from the client (such as a browser) to the origin server. You can select **HTTP** or **HTTPS**. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Service port | Check whether your service ports are within the port range supported by WAF. 
| + | | | + | | - Standard ports | + | | | + | | - Port 80: default port when the client protocol is set to HTTP | + | | - Port 443: default port when the client protocol is set to HTTPS | + | | | + | | - Non-standard ports | + | | | + | | Ports other than ports 80 and 443 | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether TLSv1.0 or weak encryption suite is supported | Check whether WAF supports the encryption suite used by your site. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether advanced anti-DDoS, CDN, or other proxy services are deployed in front of WAF. | Check whether a proxy is used and whether domain name is resolved to a correct address. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether the client supports Server Name Indication (for HTTPS services) | If your domain name supports HTTPS, the client and server must support Server Name Indication (SNI). 
| + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Service interaction | Understand the service interaction process and service processing logic to facilitate subsequent configuration of protection policies. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Active users | Determine the severity of an attack event to take a low-risk measure to respond it. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | **Services and Attacks** | | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Service types and features (such as games, cards, websites, or apps) | Help analyze the attack signatures. 
| + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Inbound traffic range and connection status of a single user or a single IP address | Help determine whether a rate limiting policy can be configured per IP address. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | User group attribute | For example, individual users, Internet cafe users, or proxy users | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether your website experienced large-volumetric attacks, the attack type, and maximum peak traffic | Determine whether a DDoS protection service is required and determine the DDoS protection specifications based on the peak attack traffic. 
| + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether your website experienced CC attacks and the maximum peak QPS in a CC attack | Configure the protection policies based on attack signatures. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether the pressure test has been performed | Evaluate the request processing performance of the origin server to determine whether service anomaly occurs due to attacks. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Prerequisites +------------- + +- The domain information (such as the IP address and port number of the origin server) has been added to WAF. +- An administrator account is available for you to change DNS records for WAF to take effect. +- The pressure test has been performed. +- The IP addresses of trusted clients have been whitelisted if your website has trusted clients (such as certain monitoring systems, APIs invoked by internal IP addresses or IP address ranges, and program clients). diff --git a/doc/best-practice/source/docutils.conf b/doc/best-practice/source/docutils.conf new file mode 100644 index 0000000..7cbe4c1 
--- /dev/null +++ b/doc/best-practice/source/docutils.conf @@ -0,0 +1,2 @@ +[html writers] +table-style: table, caption-top \ No newline at end of file diff --git a/doc/best-practice/source/handling_false_alarms_to_get_improved_basic_web_protection.rst b/doc/best-practice/source/handling_false_alarms_to_get_improved_basic_web_protection.rst new file mode 100644 index 0000000..5b3f3fd --- /dev/null +++ b/doc/best-practice/source/handling_false_alarms_to_get_improved_basic_web_protection.rst 
@@ -0,0 +1,140 @@ +:original_name: waf_06_0015.html + +.. _waf_06_0015: + +Handling False Alarms to Get Improved Basic Web Protection +========================================================== + +After you connect your website to Web Application Firewall (WAF) and enable basic web protection, WAF detects and blocks requests that match the rules you configured. If a normal request matches a basic web protection rule and is blocked by WAF, you can handle the event as false alarm. In this way, WAF will no longer block the same type of request. + +Prerequisites +------------- + +You can view false alarm events on the **Events** page. + +Constraints +----------- + +An event can only be handled as a false alarm once. + +Application scenarios +--------------------- + +Sometimes normal service requests may be blocked by WAF. For example, suppose you deploy a web application on an ECS and then add the public domain name associated with that application to WAF. If you enable basic web protection for that application, WAF may block the access requests that match the basic web protection rules. As a result, the website cannot be accessed through its domain name. However, the website can still be accessed through the IP address. In this case, you can handle the false alarms to allow normal access requests to the application. + +Impact on the System +-------------------- + +- The event will not be displayed on the **Events** page and you will not receive any alarm notifications about the event. +- If an event is handled as a false alarm, the rule hit will be added to the global protection whitelist (formerly false alarm masking) rule list. You can go to the **Policies** page and then switch to the **Global Protection Whitelist (Formerly False Alarm Masking)** page to manage the rule, including querying, disabling, deleting, and modifying the rule. + +Procedure +--------- + +#. `Log in to the management console `__. + +#. 
Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**. + +#. In the navigation pane on the left, choose **Events**. + +#. In the event list, search for false alarms by protected website, event type, source IP address, and URL. + + + .. figure:: /_static/images/en-us_image_0000001580873597.png + :alt: **Figure 1** Events + + **Figure 1** Events + +#. In the **Operation** column of an event you consider as a false alarm, click **Details**. On the displayed page, confirm that the event is a false alarm. + + + .. figure:: /_static/images/en-us_image_0295742770.png + :alt: **Figure 2** Event Details + + **Figure 2** Event Details + +#. In the row containing the event, click **Handle False Alarm** in the **Operation** column. + +#. In the displayed dialog box, add a false alarm handling policy. + + + .. figure:: /_static/images/en-us_image_0000001347102697.png + :alt: **Figure 3** Add Global Protection Whitelist Rule + + **Figure 3** Add Global Protection Whitelist Rule + +Verification +------------ + +A false alarm will be deleted within about a minute after the handling configuration is done. It will no longer be displayed in the event list. You can clear the cache, refresh the browser, and access the page again to verify whether the false alarm was successfully handled. If the requested page responds normally, the configuration takes effect. + +Basic Web Protection Check Items +-------------------------------- + +WAF basic web protection defends against common Open Web Application Security Project (OWASP) security threats. WAF uses built-in semantic analysis and regular expression engines for basic web protection to detect and block threats such as malicious scanners, IP addresses, and web shells. You can enable all protection rules in basic web protection or only the ones you want. 
For details, see :ref:`Table 1 `. + +.. _waf_06_0015__table1054818371898: + +.. table:: **Table 1** Protection types + + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Type | Description | + +===================================+===============================================================================================================================================================================================================================================================================================+ + | General Check | Defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. SQL injection attacks are mainly detected based on semantics. | + | | | + | | .. note:: | + | | | + | | If you enable **General Check**, WAF checks your websites based on the built-in rules. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Webshell Detection | Protects against web shells from upload interface. | + | | | + | | .. note:: | + | | | + | | If you enable **Webshell Detection**, WAF detects web page Trojan horses inserted through the upload interface. 
| + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Deep Inspection | Identifies and blocks evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques. | + | | | + | | .. note:: | + | | | + | | If you enable **Deep Inspection**, WAF detects and defends against evasion attacks in depth. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Header Inspection | This function is disabled by default. When it is disabled, General Check will check some of the header fields, such as User-Agent, Content-type, Accept-Language, and Cookie. | + | | | + | | .. note:: | + | | | + | | If you enable this function, WAF checks all header fields in the requests. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Shiro Decryption Check | This function is disabled by default. After this function is enabled, WAF uses AES and Base64 to decrypt the rememberMe field in cookies and checks whether this field is attacked. There are hundreds of known leaked keys included and checked for. | + | | | + | | .. 
note:: | + | | | + | | If your website uses Shiro 1.2.4 or earlier, or your website uses Shiro 1.2.5 or later but AES is not configured, it is strongly recommended that you enable Shiro decryption detection to prevent attackers from using leaked keys to construct attacks. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Basic Web Protection Levels +--------------------------- + +WAF provides three basic web protection levels, **Low**, **Medium**, and **High**. The default level is **Medium**. The lower the protection level, the higher the false negative rate and the lower the false positive rate. For details, see :ref:`Table 2 `. + +.. _waf_06_0015__table4686152913388: + +.. table:: **Table 2** Protection levels + + +-----------------------------------+-------------------------------------------------------------------------------------------------+ + | Protection Level | Description | + +===================================+=================================================================================================+ + | Low | WAF only blocks the requests with obvious attack signatures. | + | | | + | | If a large number of false alarms are reported, **Low** is recommended. | + +-----------------------------------+-------------------------------------------------------------------------------------------------+ + | Medium | The default level is **Medium**, which meets a majority of web protection requirements. | + +-----------------------------------+-------------------------------------------------------------------------------------------------+ + | High | WAF blocks the requests with no attack signature but have specific attack patterns. 
| + | | | + | | **High** is recommended if you want to block SQL injection, XSS, and command injection attacks. | + +-----------------------------------+-------------------------------------------------------------------------------------------------+ + +.. |image1| image:: /_static/images/en-us_image_0000001482517874.jpg +.. |image2| image:: /_static/images/en-us_image_0000001533037229.png diff --git a/doc/best-practice/source/index.rst b/doc/best-practice/source/index.rst index 0d12113..af929a7 100644 --- a/doc/best-practice/source/index.rst +++ b/doc/best-practice/source/index.rst 
@@ -1,3 +1,25 @@ -================================================================== -Welcome to the documentation of web-application-firewall-dedicated -================================================================== +================================================== +Dedicated Web Application Firewall - Best Practice +================================================== + +.. toctree:: + :maxdepth: 1 + + mitigating_web_security_vulnerabilities/index + configuring_the_minimum_tls_version_and_cipher_suite_to_better_secure_connections + configuring_cc_attack_protection/index + configuring_anti-crawler_rules_to_prevent_crawler_attacks + configuring_an_access_control_policy_on_an_ecs_or_elb_to_protect_origin_servers + configuring_basic_web_protection + handling_false_alarms_to_get_improved_basic_web_protection + verifying_a_global_protection_whitelist_formerly_false_alarm_masking_rule_by_simulating_requests_with_postman + connecting_a_domain_to_waf/index + upgrading_dedicated_waf_instances + obtaining_real_client_ip_addresses + using_lts_to_quickly_query_and_analyze_waf_access_logs + using_lts_to_analyze_how_waf_blocks_spring_core_rce_vulnerability_in_real_time + using_lts_to_configure_block_alarms_for_waf_rules + combining_waf_and_layer-7_load_balancers_to_protect_services_over_any_ports + combining_cdn_and_waf_to_get_improved_protection_and_load_speed + combining_waf_and_hss_to_get_improved_web_tamper_protection + change_history diff --git a/doc/best-practice/source/mitigating_web_security_vulnerabilities/apache_dubbo_deserialization_vulnerability.rst b/doc/best-practice/source/mitigating_web_security_vulnerabilities/apache_dubbo_deserialization_vulnerability.rst new file mode 100644 index 0000000..8b44b6e --- /dev/null +++ b/doc/best-practice/source/mitigating_web_security_vulnerabilities/apache_dubbo_deserialization_vulnerability.rst 
@@ -0,0 +1,29 @@ +:original_name: waf_06_0024.html + +.. _waf_06_0024: + +Apache Dubbo Deserialization Vulnerability +========================================== + +On February 10, 2020, Apache Dubbo officially released the CVE-2019-17564 vulnerability notice, and the vulnerability severity is medium. Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. Now, Huawei Cloud WAF provides protection against this vulnerability. + +Affected Versions +----------------- + +This vulnerability affects Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.\ *x*. versions. + +Mitigation Version +------------------ + +`Apache Dubbo 2.7.5 `__ + +Solutions +--------- + +Upgrade Apache Dubbo to version 2.7.5. + +If a quick upgrade is not possible or you want to defend against more vulnerabilities, use Huawei Cloud WAF. The procedure is as follows: + +#. `Buy WAF `__. +#. Add the website domain name to WAF and connect it to WAF. For details, see `Adding a Domain Name `__. +#. In the **Basic Web Protection** configuration area, set **Mode** to **Block**. For details, see `Configuring Basic Web Protection Rules `__. diff --git a/doc/best-practice/source/mitigating_web_security_vulnerabilities/dos_vulnerability_in_the_open-source_component_fastjson.rst b/doc/best-practice/source/mitigating_web_security_vulnerabilities/dos_vulnerability_in_the_open-source_component_fastjson.rst new file mode 100644 index 0000000..10cb398 --- /dev/null +++ b/doc/best-practice/source/mitigating_web_security_vulnerabilities/dos_vulnerability_in_the_open-source_component_fastjson.rst 
@@ -0,0 +1,32 @@ +:original_name: waf_06_0023.html + +.. _waf_06_0023: + +DoS Vulnerability in the Open-Source Component Fastjson +======================================================= + +On September 3, 2019, the Huawei Cloud security team detected a DoS vulnerability in multiple versions of the widely used open-source component Fastjson. An attacker can exploit this vulnerability to construct malicious requests and send them to the server that uses Fastjson. As a result, the memory and CPU of the server are used up, and the server breaks down, causing service breakdown. Huawei Cloud WAF provides protection against this vulnerability. + +Affected Versions +----------------- + +Versions earlier than Fastjson 1.2.60 + +Mitigation Version +------------------ + +Fastjson 1.2.60 + +Official Solution +----------------- + +Upgrade the open-source component Fastjson to 1.2.60. + +Mitigation +---------- + +WAF can detect and defend against this vulnerability. The procedure is as follows: + +#. `Buy WAF `__. +#. Add the website domain name to WAF and connect it to WAF. For details, see `Adding a Domain Name `__. +#. In the **Basic Web Protection** configuration area, set **Mode** to **Block**. For details, see `Enabling Basic Web Protection `__. diff --git a/doc/best-practice/source/mitigating_web_security_vulnerabilities/index.rst b/doc/best-practice/source/mitigating_web_security_vulnerabilities/index.rst new file mode 100644 index 0000000..f67a889 --- /dev/null +++ b/doc/best-practice/source/mitigating_web_security_vulnerabilities/index.rst 
@@ -0,0 +1,22 @@ +:original_name: waf_06_0009.html + +.. _waf_06_0009: + +Mitigating Web Security Vulnerabilities +======================================= + +- :ref:`Java Spring Framework Remote Code Execution Vulnerability ` +- :ref:`Apache Dubbo Deserialization Vulnerability ` +- :ref:`DoS Vulnerability in the Open-Source Component Fastjson ` +- :ref:`Remote Code Execution Vulnerability of Fastjson ` +- :ref:`Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability (CNVD-C-2019-48814) ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + java_spring_framework_remote_code_execution_vulnerability + apache_dubbo_deserialization_vulnerability + dos_vulnerability_in_the_open-source_component_fastjson + remote_code_execution_vulnerability_of_fastjson + oracle_weblogic_wls9-async_deserialization_remote_command_execution_vulnerability_cnvd-c-2019-48814 diff --git a/doc/best-practice/source/mitigating_web_security_vulnerabilities/java_spring_framework_remote_code_execution_vulnerability.rst b/doc/best-practice/source/mitigating_web_security_vulnerabilities/java_spring_framework_remote_code_execution_vulnerability.rst new file mode 100644 index 0000000..5628468 --- /dev/null +++ b/doc/best-practice/source/mitigating_web_security_vulnerabilities/java_spring_framework_remote_code_execution_vulnerability.rst 
@@ -0,0 +1,43 @@ +:original_name: waf_06_0035.html + +.. _waf_06_0035: + +Java Spring Framework Remote Code Execution Vulnerability +========================================================= + +Spring Framework is a lightweight open-source application framework for developing enterprise Java applications. A remote code execution (RCE) vulnerability was disclosed in the Spring framework and classified as critical. This vulnerability can be exploited to attack Java applications running on JDK 9 or later versions. + +Vulnerability Name +------------------ + +Zero-Day RCE Vulnerability in the Spring Framework + +Affected Versions +----------------- + +- JDK 9 or later +- Applications developed using the Spring Framework or derived framework + +Mitigation +---------- + +#. `Buy WAF `__. + +#. Add the website domain name to WAF and connect it to WAF. For details, see `Adding a Domain Name to WAF `__. + +#. In the **Basic Web Protection** configuration area, set **Mode** to **Block**. For details, see `Configuring Basic Web Protection Rules `__. + + + .. figure:: /_static/images/en-us_image_0000001272174225.png + :alt: **Figure 1** Basic Web Protection + + **Figure 1** Basic Web Protection + + .. important:: + + There are two types of malicious payload in this vulnerability. Whether to enable **Header Inspection** depends on the type of payloads in your services. + + - Type 1: Malicious payloads are included in submitted parameters. In this situation, **Header Inspection** can be disabled. + - Type 2: Malicious payloads are included in a custom header field. In this situation, **Header Inspection** must be enabled to block attacks. + + Type 2 malicious payloads depend on Type 1 malicious payloads so whether to enable **Header Inspection** is determined by your service requirements. 
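Review bot: java_spring_framework_remote_code_execution_vulnerability.rst gives no vulnerability identifier and no Spring Framework version range: "Vulnerability Name" lists only "Zero-Day RCE Vulnerability in the Spring Framework", and "Affected Versions" names JDK 9 or later plus any application built on Spring or a derived framework, which is too broad for a reader to decide whether they are affected. Add a Vulnerability ID section as the WebLogic page in this same change has, and the affected and fixed Spring versions. The last sentence of the important block, "Type 2 malicious payloads depend on Type 1 malicious payloads so whether to enable Header Inspection is determined by your service requirements", contradicts the Type 2 bullet that says Header Inspection "must be enabled"; rewrite it to state plainly when Header Inspection is required.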
diff --git a/doc/best-practice/source/mitigating_web_security_vulnerabilities/oracle_weblogic_wls9-async_deserialization_remote_command_execution_vulnerability_cnvd-c-2019-48814.rst b/doc/best-practice/source/mitigating_web_security_vulnerabilities/oracle_weblogic_wls9-async_deserialization_remote_command_execution_vulnerability_cnvd-c-2019-48814.rst new file mode 100644 index 0000000..fe1d20f --- /dev/null +++ b/doc/best-practice/source/mitigating_web_security_vulnerabilities/oracle_weblogic_wls9-async_deserialization_remote_command_execution_vulnerability_cnvd-c-2019-48814.rst 
@@ -0,0 +1,53 @@ +:original_name: waf_06_0008.html + +.. _waf_06_0008: + +Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability (CNVD-C-2019-48814) +===================================================================================================== + +On April 17, 2019, Huawei Cloud Emergency Response Center found that China's National Vulnerability Database (CNVD) released a security notice on Oracle WebLogic wls9-async component. It revealed that the Oracle WebLogic wls9-async component had a deserialization vulnerability. Unauthorized remote attackers can use this vulnerability to implement remote code execution and gain server permissions. + +Vulnerability ID +---------------- + +CNVD-C-2019-48814 + +Vulnerability Name +------------------ + +Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability + +Vulnerability Description +------------------------- + +The WebLogic wls9-async component has a defect. The website built on the WebLogic Server has security risks. Attackers can construct HTTP requests to obtain the permission of the target server and execute arbitrary code remotely without authorization. + +Affected Products +----------------- + +- Oracle WebLogic Server 10.X +- Oracle WebLogic Server 12.1.3 + +Official Solution +----------------- + +The patch for fixing this vulnerability has not been released. + +Mitigation +---------- + +Configure precise protection rules to restrict access from the URLs whose prefixes are **/_async/** or **/wls-wsat/** by referring to :ref:`Figure 1 ` and :ref:`Figure 2 ` and block remote code execution requests initiated by exploiting this vulnerability. For details, see `Configuring a Precise Protection Rule `__. + +.. _waf_06_0008__fig19459101814218: + +.. figure:: /_static/images/en-us_image_0227042619.png + :alt: **Figure 1** async configuration + + **Figure 1** async configuration + +.. _waf_06_0008__fig1293635719110: + +.. 
figure:: /_static/images/en-us_image_0227042630.png + :alt: **Figure 2** wls-wsat configuration + + **Figure 2** wls-wsat configuration diff --git a/doc/best-practice/source/mitigating_web_security_vulnerabilities/remote_code_execution_vulnerability_of_fastjson.rst b/doc/best-practice/source/mitigating_web_security_vulnerabilities/remote_code_execution_vulnerability_of_fastjson.rst new file mode 100644 index 0000000..5b8383b --- /dev/null +++ b/doc/best-practice/source/mitigating_web_security_vulnerabilities/remote_code_execution_vulnerability_of_fastjson.rst @@ -0,0 +1,32 @@ +:original_name: waf_06_0021.html + +.. _waf_06_0021: + +Remote Code Execution Vulnerability of Fastjson +=============================================== + +On July 12, 2019, the Huawei Cloud Emergency Response Center detected that the open-source component Fastjson had a remote code execution vulnerability. This vulnerability is an extension of the deserialization vulnerability of Fastjson 1.2.24 detected in 2017 and can be directly used to obtain server permissions, causing serious damage. + +Affected Versions +----------------- + +Versions earlier than Fastjson 1.2.51 + +Mitigation Version +------------------ + +Fastjson 1.2.51 or later + +Official Solution +----------------- + +Upgrade Fastjson to 1.2.51 or the latest 1.2.58 version. + +Mitigation +---------- + +The built-in protection rules of Huawei Cloud WAF can defend against this vulnerability. The procedure is as follows: + +#. `Buy WAF `__. +#. Add the website domain name to WAF and connect it to WAF. For details, see `Adding a Domain Name `__. +#. In the **Basic Web Protection** configuration area, set **Mode** to **Block**. For details, see `Enabling Basic Web Protection `__. diff --git a/doc/best-practice/source/obtaining_real_client_ip_addresses.rst b/doc/best-practice/source/obtaining_real_client_ip_addresses.rst new file mode 100644 index 0000000..5ed9490 --- /dev/null 
+++ b/doc/best-practice/source/obtaining_real_client_ip_addresses.rst 
@@ -0,0 +1,319 @@ +:original_name: waf_06_0020.html + +.. _waf_06_0020: + +Obtaining Real Client IP Addresses +================================== + +A client IP address refers to an IP address of a visitor (or the device a visitor uses to initiate the request). Sometimes, a web application needs to require the client IP address. For example, a voting system needs to obtain the client IP addresses to ensure that each client casts only once. + +After your website is connected to WAF, WAF works as a reverse proxy between the client and the server. The real IP address of the server is hidden, and only the IP addresses of WAF are visible to web visitors. In this case, you can directly obtain the real IP address of the client through WAF or configure the website server to obtain the real IP address of the client. + +The following describes how to obtain the client IP address from WAF and how to configure different types of web application servers, including Tomcat, Apache, Nginx, IIS 6, and IIS 7, to obtain the client IP address. + +Background +---------- + +Generally, a browser request does not directly reach the web server. Proxy servers, such as CDN, WAF, and advanced anti-DDoS, may be deployed between the browser and the origin server. Using WAF as an example, see :ref:`Figure 1 `. + +.. _waf_06_0020__fig1624119317528: + +.. figure:: /_static/images/en-us_image_0294809832.png + :alt: **Figure 1** WAF deployment diagram + + **Figure 1** WAF deployment diagram + +.. note:: + + - DNS resolves your domain name to the origin server IP address before your website is connected to WAF. Therefore, web visitors can directly access the server. + - After your website is connected to WAF, DNS resolves your domain name to the CNAME record of WAF. In this way, the traffic passes through WAF. WAF then filters out illegitimate traffic and only routes legitimate traffic back to the origin server. 
+ +In this case, the access request may be forwarded by multiple layers of security or acceleration proxies before reaching the origin server. So, how does the server obtain the real IP address of the client that initiates the request? + +When forwarding HTTP requests to the downstream server, the transparent proxy server adds an **X-Forwarded-For** field to the HTTP header to identify the client IP address in the format of **X-Forwarded-For: client IP address, proxy 1-IP address, proxy 2-IP address, proxy 3-IP address, ........->...**. + +Then, you can obtain the client IP address from the **X-Forwarded-For** field, the first IP address in which is the client IP address. + +Constraints +----------- + +- Ensure that **Proxy Configured** is configured correctly when you add the website to the WAF instance, or WAF cannot obtain the real IP address of your website visitors. + + To ensure that WAF obtains real client IP addresses and takes protective actions configured in protection policies, if your website has layer-7 proxy server such as CDN and cloud acceleration products deployed in front of WAF, select **Yes** for **Proxy Configured**. In other cases, select **No** for **Proxy Configured**. + +- In normal cases, the first IP address in the **X-Forwarded-For** field is the real IP address of the client. If the length of an IPv6 address exceeds the length limit of the **X-Forwarded-For** field, the IP address cannot be read. In NAT64, the load balancer uses IPv4 listeners, which cannot read IPv6 addresses. + +Obtaining the Client IP Address from WAF +---------------------------------------- + +After a website is connected to WAF, WAF is deployed between the client and server as a reverse proxy to protect the website. You can use either of the following methods to obtain the client IP address: + +- Using the **X-Forwarded-For** field to obtain the client IP address + + The client IP address is placed in the **X-Forwarded-For** HTTP header field. 
The format is as follows: + + :: + + X-Forwarded-For: Client IP address,Proxy 1-IP address,Proxy 2-IP address,... + + .. note:: + + The first IP address included in the **X-Forwarded-For** field is the client IP address. + + The methods to obtain the **X-Forwarded-For** field by invoking the SDK interface in different programming languages are as follows: + + - **ASP** + + .. code-block:: text + + Request.ServerVariables("HTTP_X_FORWARDED_FOR") + + - **ASP.NET(C#)** + + .. code-block:: text + + Request.ServerVariables["HTTP_X_FORWARDED_FOR"] + + - **PHP** + + .. code-block:: text + + $_SERVER["HTTP_X_FORWARDED_FOR"] + + - **JSP** + + .. code-block:: text + + request.getHeader("HTTP_X_FORWARDED_FOR") + +- Using the **X-Real-IP** field to obtain the client IP address (modifications caused by reverse proxies is considered) + + The methods to obtain the **X-Real-IP** field by invoking the SDK interface in different programming languages are as follows: + + - **ASP** + + .. code-block:: text + + Request.ServerVariables("HTTP_X_REAL_IP") + + - **ASP.NET(C#)** + + .. code-block:: text + + Request.ServerVariables["HTTP_X_REAL_IP"] + + - **PHP** + + .. code-block:: text + + $_SERVER["HTTP_X_REAL_IP"] + + - **JSP** + + .. code-block:: text + + request.getHeader("HTTP_X_REAL_IP") + +How Does Tomcat Obtain the Client IP Address from Access Logs? +-------------------------------------------------------------- + +If Tomcat is deployed on your origin server, you can enable the X-Forwarded-For function of Tomcat to obtain the client IP address. + +#. Open the **server.xml** file in the **tomcat/conf/** directory. Partial information about the AccessLogValue logging function is as follows: + + .. code-block:: + + + + +#. Add **%{X-Forwarded-For}i** to **pattern**. Part of the modified **server.xml** file is as follows: + + .. code-block:: + + + + + +#. View the **localhost_access_log** file to obtain the client IP address from the **X-Forwarded-For** field. 
+ +How Does Apache Obtain the Client IP Address from Access Logs? +-------------------------------------------------------------- + +If Apache HTTP Server 2.4 or later is deployed on your origin server, you can use the **mod_remoteip.so** file under **remoteip_module** in the Apache installation package to obtain the real client IP address. + +- CentOS 7.6 + + #. Add the following content to the **httpd.conf** file: + + .. code-block:: + + LoadModule remoteip_module modules/mod_remoteip.so ##Load the mod_remoteip.so module. + RemoteIPHeader X-Forwarded-For ## Set RemoteIPHeader. + RemoteIPInternalProxy WAF IP address range##Set the WAF back-to-source IP address range. + + For more details, see `How Do I Whitelist the WAF Back-to-Source IP Address Ranges? `__ + + .. note:: + + - File **/etc/httpd/conf.modules.d/00-base.conf:46** has been added to the **mod_remoteip.so** module. + - Use spaces to separate multiple back-to-source IP address ranges. + + #. Replace **%h** with **%a** in the log format file. + + .. code-block:: + + LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%a %l %u %t \"%r\" %>s %b" common + + #. Restart the Apache service to make the configuration take effect. + +- Ubuntu 20.04.2 + + #. Add the following content to the **apache2.conf** file: + + .. code-block:: + + ln -s ../mods-available/remoteip.load /etc/apache2/mods-enabled/remoteip.load ##Load the mod_remoteip.so module. + RemoteIPHeader X-Forwarded-For ## Set RemoteIPHeader. + RemoteIPInternalProxy WAF IP address range##Set the WAF back-to-source IP address range. + + For more details, see `How Do I Whitelist the WAF Back-to-Source IP Address Ranges? `__ + + .. note:: + + - You can also add the following content to load the **mod_remoteip.so** module: + + **LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so** + + - Use spaces to separate multiple back-to-source IP address ranges. + + #. 
Replace **%h** with **%a** in the log format file. + + .. code-block:: + + LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%a %l %u %t \"%r\" %>s %b" common + + #. Restart the Apache service to make the configuration take effect. + +If Apache 2.2 or earlier is deployed on your origin server, to obtain the real client IP address, you can run commands to install third-party module **mod_rpaf** of Apache and modify the **http.conf** file + +#. Run the following commands to install third-party module **mod_rpaf** for Apache: + + .. code-block:: + + wget https://github.com/gnif/mod_rpaf/archive/v0.6.0.tar.gz + tar xvfz mod_rpaf-0.6.tar.gz + cd mod_rpaf-0.6 + /usr/local/apache/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c + +#. Open the **httpd.conf** configuration file and modify the file content as follows: + + .. code-block:: + + LoadModule rpaf_module modules/mod_rpaf-2.0.so ##Load module mod_rpaf. + + RPAFenable On + RPAFsethostname On + RPAFproxy_ips 127.0.0.1 + RPAFheader X-Forwarded-For + + +#. Define the log format. + + .. code-block:: + + LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common + +#. Enable customized logs. + + .. code-block:: + + CustomLog"[Apache server directory]/logs/$access.log"common + +#. Restart the Apache server for the configuration to take effect. + + .. code-block:: + + /[Apache server directory]/httpd/bin/apachectl restart + +#. View the **access.log** file to obtain the client IP address from the **X-Forwarded-For** field. + +How Does Nginx Obtain the Client IP Address from Access Logs? +------------------------------------------------------------- + +If an Nginx reverse proxy is deployed on your origin server, you can configure location information on the Nginx reverse proxy so that the backend web server can use similar functions to obtain the client IP address + +#. 
Configure the following information in the corresponding location of the Nginx reverse proxy to obtain the information about the client IP address: + + :: + + Location ^ / { + proxy_pass ....; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + +#. The backend web server obtains the real IP address of your website visitors by defining the Nginx log parameter **$http_x_forwarded_for**. + + **Example** + + .. code-block:: + + log_format main ' "<$http_Cdn_Src_IP>" "{$http_x_real_ip}" "[$http_x_forwarded_for]" "$remote_addr" ' '$http_user_agent - $remote_user [$time_local] "$request" ' ' $status $body_bytes_sent "$http_referer" '; + +How Does IIS 6 Obtain the Client IP Address from Access Logs? +------------------------------------------------------------- + +If you have deployed an IIS 6 server on your origin server, you can install the **F5XForwardedFor.dll** plug-in and obtain the client IP address from the access logs recorded by the IIS 6 server. + +#. Download the `F5XForwardedFor `__ module. +#. Copy the **F5XForwardedFor.dll** file in the **x86\\Release** or **x64\\Release** directory to a specified directory (for example, **C:\\ISAPIFilters**) based on the operating system version of your server. Ensure that the IIS process has the read permission for the directory. +#. Open the IIS manager, right-click the website that is currently open, and choose **Attribute** from the shortcut menu. The **Attribute** page is displayed. +#. On the **Attribute** page, switch to **ISAPI filter** and click **Add**. In the dialog box that is displayed, configure the following information: + + - **Filter Name**: Set this parameter to **F5XForwardedFor**. + - **Executable file**: Set this parameter to the full path of **F5XForwardedFor.dll**, for example, **C:\\ISAPIFilters\\F5XForwardedFor.dll**. + +#. Click **OK** to restart the IIS 6 server. +#. 
View the access logs recorded by the IIS 6 server (the default log path is **C:\\WINDOWS\\system32\\LogFiles\\**, and the IIS log file name extension is **.log**). You can obtain client IP address from the **X-Forwarded-For** field. + +How Does IIS 7 Obtain the Client IP Address from Access Logs? +------------------------------------------------------------- + +If you have deployed an IIS 7 server on your origin server, you can install the **F5XForwardedFor.dll** module and obtain the client IP address from the access logs recorded by the IIS 7 server. + +#. Download the `F5XForwardedFor `__ module. +#. Copy the **F5XFFHttpModule.dll** and **F5XFFHttpModule.ini** files in the **x86\\Release** or **x64\\Release** directory to a specified directory (for example, **C:\\x_forwarded_for\\x86** or **C:\\x_forwarded_for\\x64**) based on the operating system version of your server. Ensure that the IIS process has the read permission for the directory. +#. On the server home page, double-click **Modules** to go to the **Modules** page. +#. Click **Configure Native Module**. In the dialog box displayed, click **Register**. +#. In the displayed dialog box, register the downloaded DLL file according to the operating system, and then click **OK**. + + - x86 operating system: registration module **x_forwarded_for_x86** + + - **Name**: **x_forwarded_for_x86** + - **Path**: **C:\\x_forwarded_for\\x86\\F5XFFHttpModule.dll** + + - x64: Register the module **x_forwarded_for_x64**. + + - **Name**: **x_forwarded_for_x64** + - **Path**: **C:\\x_forwarded_for\\x64\\F5XFFHttpModule.dll** + +#. After the registration is complete, select the newly registered module (**x_forwarded_for_x86** or **x_forwarded_for_x64**) and click **OK**. +#. In **ISAPI and CGI restriction**, add the registered DLL files by operating system and change **Restriction** to **Permitting**. 
+ + - x86 operating system: + + - **ISAPI or CGI path**: **C:\\x_forwarded_for\\x86\\F5XFFHttpModule.dll** + - **Description**: **x86** + + - x64 operating system: + + - **ISAPI or CGI path**: **C:\\x_forwarded_for\\x64\\F5XFFHttpModule.dll** + - **Description**: **x64** + +#. Restart the IIS 7 server and wait for the configuration to take effect. +#. View the access logs recorded by the IIS 7 server (the default log path is **C:\\WINDOWS\\system32\\LogFiles\\**, and the IIS log file name extension is **.log**). You can obtain the client IP address from the **X-Forwarded-For** field. diff --git a/doc/best-practice/source/upgrading_dedicated_waf_instances.rst b/doc/best-practice/source/upgrading_dedicated_waf_instances.rst new file mode 100644 index 0000000..29f77e9 --- /dev/null +++ b/doc/best-practice/source/upgrading_dedicated_waf_instances.rst 
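Review bot: The guidance in "Obtaining the Client IP Address from WAF" (the note "The first IP address included in the X-Forwarded-For field is the client IP address" and the ASP/ASP.NET/PHP/JSP snippets that read HTTP_X_FORWARDED_FOR directly) should state that the leftmost value is supplied by the client and can be forged; it is only trustworthy when the origin accepts traffic solely from the WAF back-to-source ranges (the whitelisting FAQ this page already links) and the server discards hops it does not trust, which is exactly what the Apache 2.4 `RemoteIPInternalProxy` configuration in this hunk does and the Tomcat, mod_rpaf, Nginx and IIS steps do not. Suggest adding that caveat next to the note and cross-referencing the whitelisting FAQ there. Command-level defects in the same hunk: the mod_rpaf steps download `v0.6.0.tar.gz` but then run `tar xvfz mod_rpaf-0.6.tar.gz` and `cd mod_rpaf-0.6`, so the archive and directory names do not match what wget saves; `CustomLog"[Apache server directory]/logs/$access.log"common` lacks the spaces between the directive and its two arguments; the Ubuntu step places a shell command (`ln -s ../mods-available/remoteip.load ...`) inside apache2.conf, where only directives are valid (the `LoadModule` line given in the note below it, or running `a2enmod remoteip`, is what belongs there); the Nginx snippet uses `Location ^ / {`, which is not valid nginx syntax (`location / {`); both Tomcat `.. code-block::` bodies are empty, so the before/after server.xml snippets are missing; and the sentence "File /etc/httpd/conf.modules.d/00-base.conf:46 has been added to the mod_remoteip.so module" reads backwards (the module is loaded from that file).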
@@ -0,0 +1,144 @@ +:original_name: waf_06_0027.html + +.. _waf_06_0027: + +Upgrading Dedicated WAF Instances +================================= + +You can upgrade your dedicated WAF instances on the WAF console to obtain the latest protection performance. To ensure business availability during the upgrade, upgrade your dedicated WAF instances by following the procedure below. + +.. important:: + + If your workloads have high reliability requirements, at least two dedicated WAF instances should be deployed in dual-active or multi-active architecture. A single dedicated WAF instance may cause single points of failure (SPOFs) once the ECS hosting it becomes faulty. + +Prerequisites +------------- + +You have connected the website to a dedicated WAF instance. + +Upgrading a Single Dedicated WAF Instance +----------------------------------------- + +If you have deployed only one dedicated WAF instance for your workloads, perform the following operations: + +#. `Buy a dedicated WAF instance `__. + + - The new dedicated WAF instance is of the latest version. So its **Upgrade** button is grayed out. + - The VPC, subnet, security group, and other settings of the new instance must be the same as those of the original one. In this way, the new instance automatically synchronizes all WAF protection configurations of the original instance. + +#. Run the curl command on any ECS in the VPC the original dedicated WAF instance locates to check whether the workloads are normal. + + - HTTP workloads + + **curl http://**\ *IP-address-of-the-dedicated-WAF-instance* **:**\ *Service-port* **-H "host:**\ *Service-domain-name*\ **" -H "User-Agent: Test"** + + - HTTPS workloads + + **curl https://**\ *IP-address-of-the-dedicated-WAF-instance* **:**\ *Service-port* **-H "host:**\ *Service-domain-name*\ **" -H "User-Agent: Test"** + + Check whether the service is normal. If the service is normal, go to :ref:`Step 3 `. 
If the service is abnormal, fix the issue by referring to `Why Is the Access Status of a Domain Name Inaccessible? `__ and `How Do I Troubleshoot 404/502/504 Errors? `__. After the fault is rectified, go to :ref:`Step 3 `. + + .. note:: + + To run a curl command, your ECS must meet the following requirements: + + - The network communication is normal. + - A curl command line tool has been installed. If you are using a Windows ECS, manually install a `curl `__ command line tool on it. If you are a using a non-Windows ECS, no such action is required as the curl tool is installed automatically along with the operating system. + +#. .. _waf_06_0027__li8786445165813: + + Add the new dedicated WAF instance to the backend server group of the ELB load balancer you are using. + + The following uses a shared load balancer to show how to add an instance to a backend server group. + + a. Click |image1| in the upper left corner, select a region, and choose **Security & Compliance** > **Web Application Firewall** to go to the **Dashboard** page. + b. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + c. Locate the row containing the WAF instance. In the **Operation** column, click **More** > **Add to ELB**. + d. In the **Add to ELB** dialog box, specify **ELB (Load Balancer)**, **ELB Listener**, and **Backend Server Group** you configure for the original dedicated instance. + e. Click **Confirm**. Then, configure service port for the WAF instance. In this example, configure **Backend Port** to the one we configured for the original dedicated instance. + +#. On the ELB console, set the weight of the original dedicated instance to **0**. For details, see `Changing Backend Server Weights `__. + + Requests are not forwarded to a backend server if its weight is set to 0. + +#. Delete the original dedicated WAF instance during off-peak hours. 
+ + View the monitored metrics on Cloud Eye for the dedicated WAF instance, if there are less than five new connections, the traffic to the instance has decreased. For details, see `Viewing Metrics of a Dedicated WAF Instance `__. + + a. Go to the **Dedicated Engine** page. :ref:`Figure 1 ` shows an example. + + .. _waf_06_0027__waf_06_0027_en-us_topic_0257940801_fig7658182717546: + + .. figure:: /_static/images/en-us_image_0000001206741713.png + :alt: **Figure 1** Accessing the dedicated engine page + + **Figure 1** Accessing the dedicated engine page + + b. In the row of the target instance, click **Delete** in the **Operation** column. + + c. Click **OK**. + + Resources on deleted instance are released and cannot be restored. + +Upgrading Multiple Dedicated WAF Instances +------------------------------------------ + +If you have deployed multiple dedicated WAF instances for your workloads, perform the following steps to upgrade them: + +#. .. _waf_06_0027__li19413161002313: + + On the ELB console, obtain the weight of a dedicated instance and then change the weight to **0**. For details, see `Changing Backend Server Weights `__. + + Requests are not forwarded to a backend server if its weight is set to 0. + +#. Upgrade the dedicated WAF instance during off-peak hours. + + View the monitored metrics on Cloud Eye for the dedicated WAF instance, if there are less than five new connections, the traffic to the instance has decreased. For details, see `Viewing Metrics of a Dedicated WAF Instance `__. + + a. Go to the **Dedicated Engine** page. :ref:`Figure 2 ` shows an example. + + .. _waf_06_0027__en-us_topic_0257940801_fig7658182717546: + + .. figure:: /_static/images/en-us_image_0000001206741713.png + :alt: **Figure 2** Accessing the dedicated engine page + + **Figure 2** Accessing the dedicated engine page + + b. In the row containing the desired instance, click **Upgrade** in the **Operation** column. + + c. Confirm the upgrade conditions and click **OK**. 
+ + It takes about 5 minutes for the upgrade to complete. + + + .. figure:: /_static/images/en-us_image_0000001569566562.png + :alt: **Figure 3** Upgrading the Edition of a Dedicated WAF Instance + + **Figure 3** Upgrading the Edition of a Dedicated WAF Instance + +#. Run the curl command on any ECS in the VPC the dedicated WAF instance locates to check whether the workloads are normal. + + - HTTP workloads + + **curl http://**\ *IP-address-of-the-dedicated-WAF-instance* **:**\ *Service-port* **-H "host:**\ *Service-domain-name*\ **" -H "User-Agent: Test"** + + - HTTPS workloads + + **curl https://**\ *IP-address-of-the-dedicated-WAF-instance* **:**\ *Service-port* **-H "host:**\ *Service-domain-name*\ **" -H "User-Agent: Test"** + + Check whether the service is normal. If the service is normal, go to :ref:`Step 4 `. If the service is abnormal, fix the issue by referring to `Why Is the Access Status of a Domain Name Inaccessible? `__ and `How Do I Troubleshoot 404/502/504 Errors? `__. After the fault is rectified, go to :ref:`Step 4 `. + + .. note:: + + To run a curl command, your ECS must meet the following requirements: + + - The network communication is normal. + - A curl command line tool has been installed. If you are using a Windows ECS, manually install a `curl `__ command line tool on it. If you are a using a non-Windows ECS, no such action is required as the curl tool is installed automatically along with the operating system. + +#. .. _waf_06_0027__li201167421444: + + On the ELB console, change the weight of the dedicated instance from **0** to the one you obtain in :ref:`Step 1 `. For details, see `Configuring Weights for Backend Servers `__. + +#. Upgrade other dedicated WAF instances one by one by referring to :ref:`Step 1 ` to :ref:`Step 4 `. + +.. |image1| image:: /_static/images/en-us_image_0000001618384369.png 
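Review bot: The HTTPS check in step 2 of "Upgrading a Single Dedicated WAF Instance" and step 3 of the multi-instance procedure, `curl https://IP-address-of-the-dedicated-WAF-instance:Service-port -H "host:Service-domain-name"`, will fail certificate hostname verification because the URL names an IP while the certificate is issued for the service domain, and readers are likely to work around it with `-k`, which disables verification entirely. Suggest `curl https://Service-domain-name:Service-port --resolve Service-domain-name:Service-port:IP-address-of-the-dedicated-WAF-instance` instead, and say what "the service is normal" means (for example, the HTTP status code expected from the origin). Also, in the single-instance flow, step 3 adds the new instance to the ELB backend server group and step 4 immediately sets the original instance's weight to 0; the doc should tell the reader to confirm the new instance passes the ELB health check between those two steps, otherwise all traffic is shifted to an instance that may not yet be serving.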
diff --git a/doc/best-practice/source/using_lts_to_analyze_how_waf_blocks_spring_core_rce_vulnerability_in_real_time.rst b/doc/best-practice/source/using_lts_to_analyze_how_waf_blocks_spring_core_rce_vulnerability_in_real_time.rst new file mode 100644 index 0000000..e5d8ec8 --- /dev/null +++ b/doc/best-practice/source/using_lts_to_analyze_how_waf_blocks_spring_core_rce_vulnerability_in_real_time.rst 
@@ -0,0 +1,80 @@ +:original_name: waf_06_0037.html + +.. _waf_06_0037: + +Using LTS to Analyze How WAF Blocks Spring Core RCE Vulnerability in Real Time +============================================================================== + +After you authorize WAF to access Log Tank Service (LTS), you can use the attack logs recorded by `LTS `__ for quick and efficient real-time analysis, device O&M management, and analysis of service trends. + +This topic walks you through on how to enable the LTS quick analysis for WAF attack logs and use the Spring rule ID to quickly query and analyze the logs of the blocked Spring Core RCE vulnerabilities. + +Prerequisites +------------- + +- You have connected the website you want to protect to WAF. +- You have `enabled LTS for WAF logging `__. +- You have obtained the Spring rule ID. + +Procedure +--------- + +#. `Log in to the management console `__. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner of the page and choose **Management & Governance** > **Log Tank Service**. + + + .. figure:: /_static/images/en-us_image_0000001283050129.png + :alt: **Figure 1** Log management page + + **Figure 1** Log management page + +#. In the log group list, expand the WAF log group and choose log stream **attack**. + +#. In the navigation pane on the left, choose **Log Configuration**. Then, click the **Log Structuring** tab. + + + .. figure:: /_static/images/en-us_image_0000001238763806.png + :alt: **Figure 2** Log Structuring + + **Figure 2** Log Structuring + +#. Select **JSON** for log structuring. Then, click **Select from existing events** and select a log in the dialog box displayed on the right. + +#. Click **Intelligent Extraction** to find the fields you want to analyze quickly. Enable these fields in the **Quick Analysis** column. After this, you can collect and analyze periodic logs. + + + .. 
figure:: /_static/images/en-us_image_0000001238764182.png + :alt: **Figure 3** Log extraction field + + **Figure 3** Log extraction field + +#. Find the **category** field, click |image3| in the **Alias** column, change the field name, and click |image4| to save the settings. + + .. note:: + + There is already a built-in **category** field in the system so you need to change the alias name of the **category** field, or your settings cannot be saved. + +#. In the lower right corner of the list, click **Save**. LTS quickly analyzes and collects statistics on logs in the specified period. + +#. In the navigation pane on the left, choose **Visualization**. Enter the following command and click **Query** to view the logs of the blocked Spring core RCE vulnerability. + + **select rule, hit_data where rule IN('XX','XX','XX','XX',)** + + .. note:: + + - *XX* indicates the rule ID of the Spring core RCE vulnerability. Obtain the rule ID before you query. + - The **Visualization** module is available only to whitelisted users in **CN North-Beijing 4**. + + + .. figure:: /_static/images/en-us_image_0000001283122541.png + :alt: **Figure 4** Visualization query + + **Figure 4** Visualization query + +.. |image1| image:: /_static/images/en-us_image_0000001282711981.jpg +.. |image2| image:: /_static/images/en-us_image_0000001238311660.png +.. |image3| image:: /_static/images/en-us_image_0000001238834194.png +.. |image4| image:: /_static/images/en-us_image_0000001282874141.png diff --git a/doc/best-practice/source/using_lts_to_configure_block_alarms_for_waf_rules.rst b/doc/best-practice/source/using_lts_to_configure_block_alarms_for_waf_rules.rst new file mode 100644 index 0000000..b9f6924 --- /dev/null +++ b/doc/best-practice/source/using_lts_to_configure_block_alarms_for_waf_rules.rst 
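Review bot: The query in the last step of the procedure, `select rule, hit_data where rule IN('XX','XX','XX','XX',)`, has a trailing comma before the closing parenthesis, which is a syntax error; it should read `select rule, hit_data where rule IN('XX','XX','XX','XX')`. The Prerequisites say "You have obtained the Spring rule ID" and the note says "Obtain the rule ID before you query", but nothing says where the rule IDs are published; add a reference. Finally, the title promises logs of blocked requests but the statement has no filter on the action; the sibling page in this patch filters with `action = 'block'`, and the same condition should be added here so that logged-only hits are not counted as blocks.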
@@ -0,0 +1,140 @@ +:original_name: waf_06_0036.html + +.. _waf_06_0036: + +Using LTS to Configure Block Alarms for WAF Rules +================================================= + +After you authorize WAF to access Log Tank Service (LTS), you can use the attack logs recorded by `LTS `__ for quick and efficient real-time analysis, device O&M management, and analysis of service trends. + +This topic walks you through how to enable LTS quick analysis for WAF attack logs and configure alarm rules to analyze WAF attack logs and generate alarms. In this way, you can gain insight into the protection status of your workloads in WAF in real time and make informed decisions. + +Prerequisites +------------- + +- You have connected the website you want to protect to WAF. +- You have enabled WAF attack log stream in LTS. +- You have enabled Simple Message Notification (SMN). + +Quickly Analyzing Rule Block Logs +--------------------------------- + +#. `Log in to the management console `__. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner of the page and choose **Management & Governance** > **Log Tank Service**. + + + .. figure:: /_static/images/en-us_image_0000001283050129.png + :alt: **Figure 1** Log management page + + **Figure 1** Log management page + +#. In the log group list, expand the WAF log group and choose log stream **attack**. + +#. In the navigation pane on the left, choose **Log Configuration**. Then, click the **Log Structuring** tab. + + + .. figure:: /_static/images/en-us_image_0000001238763806.png + :alt: **Figure 2** Log Structuring + + **Figure 2** Log Structuring + +#. Select **JSON** for log structuring. Then, click **Select from existing events** and select a log in the dialog box displayed on the right. + +#. Click **Intelligent Extraction** to find the fields you want to analyze quickly. Enable these fields in the **Quick Analysis** column. 
After this, you can collect and analyze periodic logs. + + + .. figure:: /_static/images/en-us_image_0000001238764182.png + :alt: **Figure 3** Log extraction field + + **Figure 3** Log extraction field + +#. Find the **category** field, click |image3| in the **Alias** column, change the field name, and click |image4| to save the settings. + + .. note:: + + There is already a built-in **category** field in the system so you need to change the alias name of the **category** field, or your settings cannot be saved. + +#. In the lower right corner of the list, click **Save**. LTS quickly analyzes and collects statistics on logs in the specified period. + +#. .. _waf_06_0036__li135241834114910: + + In the navigation pane, choose **Visualization**. On the right pane, select a log query time range, enter an SQL statement in the search box, and click **Query**. + + You can group logs by rule and URI. Enter the following SQL statement in the search box to query logs of a specified rule: + + **select rule, rui, count(*) as cnt where action = 'block' group by rule, uri order by cnt desc** + + .. note:: + + The **Visualization** module is available only to whitelisted users in **CN North-Beijing 4**. + +Creating an Alarm Rule +---------------------- + +#. Click |image5| in the upper left corner of the page and choose **Management & Governance** > **Log Tank Service**. + +#. In the navigation pane on the left, choose **Alarms** > **Alarm Rules**. + +#. Click **Create**. In the dialog box displayed on the right, specify related parameters. :ref:`Table 1 ` describes the parameters. :ref:`Figure 4 ` shows an example. + + .. _waf_06_0036__fig114371136347: + + .. figure:: /_static/images/en-us_image_0000001283205921.png + :alt: **Figure 4** Create Alarm Rule + + **Figure 4** Create Alarm Rule + + .. _waf_06_0036__table2236113351: + + .. 
table:: **Table 1** Parameter description + + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +========================+==================================================================================================================================================================================================================================================================================================================================================+=======================+ + | Rule Name | Name of the custom rule | WAF alarms | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Statistics | Select **By SQL**. | By SQL | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Charts | Click **Configure from Scratch**. | None | + | | | | + | | - Specify **Log Group Name** and **Log Stream Name**. 
| | + | | - **Query Time Range**: Time range for log statistics | | + | | - **Query Statement**: Enter the SQL statement configured in :ref:`Step 10 `, for example, **select rule,uri,count(*) as cnt where action='block' group by rule,uri order by cnt desc**. | | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Query Frequency | Frequency which triggers alarms Generally, a fixed custom interval of 5 minutes is selected. | Custom interval | + | | | | + | | | 5 | + | | | | + | | | minutes | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Conditional Expression | Alarm threshold | cnt>5 | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Alarm Severity | Select an alarm severity based on the blocking emergency of the rule. The options are **critical**, **major**, **minor**, and **info**. 
| Major | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Send Notification | Select **Yes**. | Yes | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | SMN Topic | Select a topic from the drop-down list or create a topic. | None | + | | | | + | | If there are no topics, click **View Topic** and perform the following steps to create a topic: | | + | | | | + | | a. Create a topic. For details, see `Creating a Topic `__. | | + | | b. Add one or more subscriptions to the topic. You will need to provide a phone number, email address, function, platform application endpoint, DMS endpoint, or HTTP/HTTPS endpoint for receiving alarm notifications. For details, see `Adding a Subscription `__. | | + | | c. Confirm the subscription. After the subscription is added, confirm the subscription. | | + | | | | + | | For details about topics and subscriptions, see the *Simple Message Notification User Guide*. 
| | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Time Zone/Language | You can modify the language and time zone for receiving messages. | None | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Message Templates | Select an existing template from the drop-down list box or click **Create Message Template** and create a template. | sql_template | + +------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Confirm all parameters and click **OK**. The alarm rule is configured. When the alarm rule is triggered, you will receive an alarm email or SMS message. + +.. |image1| image:: /_static/images/en-us_image_0000001282711981.jpg +.. |image2| image:: /_static/images/en-us_image_0000001238311660.png +.. |image3| image:: /_static/images/en-us_image_0000001238834194.png +.. |image4| image:: /_static/images/en-us_image_0000001282874141.png +.. |image5| image:: /_static/images/en-us_image_0000001283085125.png 
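Review bot: The SQL statement in step 10 of "Quickly Analyzing Rule Block Logs", `select rule, rui, count(*) as cnt where action = 'block' group by rule, uri order by cnt desc`, selects `rui` but groups by `uri`, so the query fails or returns the wrong column, and it disagrees with the form given later in Table 1 (`select rule,uri,count(*) as cnt where action='block' group by rule,uri order by cnt desc`); fix the typo to `uri`. In Table 1 the Query Frequency description runs two sentences together ("Frequency which triggers alarms Generally, ...") and needs a period, and the example threshold `cnt>5` with a 5-minute frequency should be presented as a starting value to tune against the site's normal blocked volume, otherwise a busy site will alarm on every run.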
diff --git a/doc/best-practice/source/using_lts_to_quickly_query_and_analyze_waf_access_logs.rst b/doc/best-practice/source/using_lts_to_quickly_query_and_analyze_waf_access_logs.rst new file mode 100644 index 0000000..9b70144 --- /dev/null +++ b/doc/best-practice/source/using_lts_to_quickly_query_and_analyze_waf_access_logs.rst 
@@ -0,0 +1,90 @@ +:original_name: waf_06_0028.html + +.. _waf_06_0028: + +Using LTS to Quickly Query and Analyze WAF Access Logs +====================================================== + +After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by `LTS `__ for quick and efficient real-time analysis, device O&M management, and analysis of service trends. + +This practice uses the access log stream **lts-waf-access** of log group **lts-waf** as an example to describe how to use LTS to quickly query and analyze logs. + +Prerequisites +------------- + +- You have connected the website you want to protect to WAF. +- You have `enabled LTS for WAF logging `__. + +Procedure +--------- + +#. `Log in to the management console `__. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner of the page and choose **Management & Governance** > **Log Tank Service**. + +#. In the **Log Group Name/ID** column, click the name of the target log group (for example, **lts-waf**) to go the log stream page. + +#. In the **Log Stream Name/ID** column, click the name of log stream used for WAF access logs (for example, **lts-waf-access**), as shown in :ref:`Figure 1 `. Then, select the **Raw Logs** tab. + + .. _waf_06_0028__fig118409019616: + + .. figure:: /_static/images/en-us_image_0000001192428132.png + :alt: **Figure 1** Accessing the log stream page + + **Figure 1** Accessing the log stream page + +#. In the navigation pane on the left, choose **Log Configuration**. Then, go to the **Log Content** tab. + +#. Select **JSON** as the log structure, as shown in :ref:`Figure 2 `. + + .. _waf_06_0028__fig15640523147: + + .. figure:: /_static/images/en-us_image_0000001236748339.png + :alt: **Figure 2** JSON + + **Figure 2** JSON + + .. 
note:: + + If log content has been configured for the log stream, click |image3| in the upper right corner of the parameter configuration area to reconfigure log content. + +#. In the **Step 1 Select a sample log event.** area, click **Select from existing log event**. In the displayed **Select Log Event** dialog box, select a log and click **OK**. + + + .. figure:: /_static/images/en-us_image_0000001192108582.png + :alt: **Figure 3** Select Log Event + + **Figure 3** Select Log Event + +#. In the **Step 2 Extract fields** area, click **Intelligent Extraction** and enable (|image4|) quick analysis for the log field you want to analyze (for example, **remote_ip**) as shown in :ref:`Figure 4 `. + + **remote_IP**: IP address of a client from which the request originates. + + .. _waf_06_0028__fig70238181820: + + .. figure:: /_static/images/en-us_image_0000001192348152.png + :alt: **Figure 4** Selecting log fields for quick analysis + + **Figure 4** Selecting log fields for quick analysis + +#. Click **Save**. Then, LTS will start a quick analysis and do statistics for logs collected in a certain period. :ref:`Figure 5 ` shows an example. + + .. _waf_06_0028__fig1955422842214: + + .. figure:: /_static/images/en-us_image_0000001192109594.png + :alt: **Figure 5** Quickly analysis of access logs + + **Figure 5** Quickly analysis of access logs + +#. In the navigation pane, choose **Visualization**. On the right pane, select a log query time range, enter an SQL statement in the search box, and click **Query** to query the specified log. + + You can enter either of the following SQL statements in the search box to query logs of a specified IP address: + + **select \* where remote_ip = 'xx.xx.xx.xx'** or **select \* where remote_ip like 'xx.xx.xx%'** + +.. |image1| image:: /_static/images/en-us_image_0000001192435242.jpg +.. |image2| image:: /_static/images/en-us_image_0000001237195219.png +.. |image3| image:: /_static/images/en-us_image_0000001237388053.png +.. 
|image4| image:: /_static/images/en-us_image_0000001236914655.png diff --git a/doc/best-practice/source/verifying_a_global_protection_whitelist_formerly_false_alarm_masking_rule_by_simulating_requests_with_postman.rst b/doc/best-practice/source/verifying_a_global_protection_whitelist_formerly_false_alarm_masking_rule_by_simulating_requests_with_postman.rst new file mode 100644 index 0000000..db86a07 --- /dev/null +++ b/doc/best-practice/source/verifying_a_global_protection_whitelist_formerly_false_alarm_masking_rule_by_simulating_requests_with_postman.rst 
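Review bot: in using_lts_to_quickly_query_and_analyze_waf_access_logs.rst the second example query, **select \* where remote_ip like 'xx.xx.xx%'**, over-matches because the pattern is a string prefix on the dotted address, not a network prefix: a pattern such as 10.0.1% also returns 10.0.10.x through 10.0.19.x and 10.0.100.x through 10.0.199.x. For a /24 the pattern must end with the dot, i.e. **like 'xx.xx.xx.%'**, and the text should say so, since an analyst pivoting on a client subnet will otherwise pull in unrelated sources. The same hunk spells the field both **remote_ip** (step 9 and the SQL) and **remote_IP** (the definition line under step 9); use the spelling of the field as extracted so the query actually matches the indexed field. Minor wording in the same file: "to go the log stream page" should be "to go to the log stream page", and the Figure 5 caption "Quickly analysis of access logs" should be "Quick analysis of access logs".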
@@ -0,0 +1,95 @@ +:original_name: waf_06_0029.html + +.. _waf_06_0029: + +Verifying a Global Protection Whitelist (Formerly False Alarm Masking) Rule by Simulating Requests with Postman +=============================================================================================================== + +After your website is connected to WAF, you can use an API test tool to send HTTP/HTTPS requests to the website and verify that WAF protection rules take effect. This topic uses Postman as an example to describe how to verify a global protection whitelist (formerly false alarm masking) rule. + +Example +------- + +Assume that your workloads are deployed in the **/product** directory, and parameter ID contains scripts or rich text submitted by your customers. To ensure service running and improve WAF protection accuracy, you plan to mask false alarms generated for content submitted by the customers. + +Prerequisites +------------- + +- You have connected the website you want to protect to WAF. +- **Basic Web Protection** has been enabled and its **Mode** is **Block**. **General Check** has been enabled. + +Procedure +--------- + +#. `Download `__ and install Postman. + +#. On Postman, set the request path to **/product** and parameter ID to a common test script and send the request. The access request to the protected website is blocked. + +#. .. _waf_06_0029__li1752418191200: + + Handle the false alarm. + + a. `Log in to the management console `__. + + b. Click |image1| in the upper left corner of the management console and select a region or project. + + c. Click |image2| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**. + + d. In the navigation pane on the left, choose **Events**. + + e. On the **Events** page, WAF **010000** rule for **XSS Attack** is hit. + + f. In the row containing the event, click **Handle False Alarm** in the **Operation** column. + + g. 
In the **Handle False Alarm** dialog box, add a global protection whitelist (formerly false alarm masking) rule as shown in :ref:`Figure 1 `. + + .. _waf_06_0029__fig20814122652012: + + .. figure:: /_static/images/en-us_image_0000001347102697.png + :alt: **Figure 1** Add Global Protection Whitelist Rule + + **Figure 1** Add Global Protection Whitelist Rule + + h. Click **OK**. + + It takes about 5 minutes for a protection rule to take effect. + +#. On Postman, set the request path to **/product** and parameter ID to a common test script and send the request again. The access request to the protected website is blocked again. + +#. Handle the false alarms that hit the **110053 XSS attack** rule by referring to :ref:`Step 3 `. + + + .. figure:: /_static/images/en-us_image_0000001347102697.png + :alt: **Figure 2** Add Global Protection Whitelist Rule + + **Figure 2** Add Global Protection Whitelist Rule + +#. On Postman, set the request path to **/product** and parameter ID to a common test script and send the request third time. The access request to the protected website is still blocked. + +#. Handle the false alarm that hits the **110060** rule for **XSS attack** by referring to :ref:`Step 3 `. + + + .. figure:: /_static/images/en-us_image_0000001347102697.png + :alt: **Figure 3** Add Global Protection Whitelist Rule + + **Figure 3** Add Global Protection Whitelist Rule + +#. On Postman, set the request path to **/product** and the parameter ID to a common test script and send the request forth time. In this case, the access request to the protected website is not blocked. All global protection whitelist rules have taken effect. + + |image3| + + Go to the **Event** page, no new XSS attack event is displayed. + +#. Simulate an attack on Postman to verify that the configured global protection whitelist (formerly false alarm masking) rules do not stop WAF from blocking XSS attacks against other parameters. + + a. 
On Postman, set the request path to **/product** and parameter **item** to a common test script and send the request. The access request to the protected website is blocked. + b. On the **Events** page, view the XSS attack against parameter **item**. + +#. Simulate an attack on Postman to verify that the configured global protection whitelist (formerly false alarm masking) rules do not stop WAF from blocking XSS attacks against other paths. + + a. On Postman, set the request path to **/order** and parameter ID to a common test script and send the request. The access request to the protected website is blocked. + b. On the **Events** page, view the event generated for blocked XSS attack against **/order** (**URL**) and parameter ID. + +.. |image1| image:: /_static/images/en-us_image_0000001533173581.jpg +.. |image2| image:: /_static/images/en-us_image_0000001482853400.png +.. |image3| image:: /_static/images/en-us_image_0000001229995391.png
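Review bot: Figures 1, 2 and 3 in verifying_a_global_protection_whitelist_formerly_false_alarm_masking_rule_by_simulating_requests_with_postman.rst all reference the same image (en-us_image_0000001347102697.png) although each is meant to show a different whitelist rule (010000, 110053, 110060); either add the two missing screenshots or keep a single figure and refer back to it from steps 5 and 7. The procedure also never states the scoping that makes the practice safe: each whitelist rule should be limited to path **/product** and parameter **ID** and to the single rule ID reported in the event, not to all rules or all URLs, because a whitelist scoped wider than that disables XSS detection for other inputs. The last two verification steps (parameter **item**, path **/order**) are exactly the check that this scoping held, so say explicitly that if either of those requests is not blocked the whitelist was over-scoped and must be corrected before moving on. Wording: step 3e "WAF **010000** rule for **XSS Attack** is hit" reads better as "the event shows that rule 010000 (XSS attack) was hit", and please confirm the 010000 ID, since the later rules use the 1100xx form; "send the request third time" and "forth time" should be "a third time" and "a fourth time"; "Go to the **Event** page" should be the **Events** page used elsewhere in the file.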