HTTP access control policies protect websites from unauthorized and malicious access by controlling which HTTP requests the protected resources respond to. NSFOCUS WAF inspects requests and takes action when a request matches any of the policies you specify. Multiple policies can be applied to a single website; they are evaluated in top-down order. Once a packet matches a policy, the packet is acted upon and no further comparisons take place.
On the HTTP Access Control page, you can create, edit, delete, and duplicate HTTP access control policies.
To create an HTTP access control policy, do as follows:
Choose Security Management > Policy Management > HTTP Access Control, and click Create. In the Create HTTP Access Control dialog box, configure parameters as required.
Parameters for creating an HTTP access control policy:
Describes the new HTTP access control policy.
Alert or Not
Specifies whether to generate alert logs.
Action
Specifies the action WAF takes on a matched request. The action can be any of the following:
- Pass: WAF forwards the packet directly to the server without any further security checks.
- Accept: WAF ends the check against the current policy but still checks the request against other policies.
- Block: WAF ends the current check and tears down the current TCP connection. After selecting this action, you need to further configure Source IP Blocking.
- Redirect: WAF displays a 302 redirect page and tears down the current TCP connection.
- Disguise: WAF responds to the client with a custom HTTP response code and response file contents, and tears down the current TCP connection.
Source IP Blocking
Specifies whether to block the source IP address of a packet that matches this new policy. This parameter needs to be set only when Action is set to Block.
- Unblock: WAF does not block the source IP address.
- Permanently block: WAF permanently blocks the source IP address.
- Block as customized: WAF blocks the source IP address in the customized period. You can customize the period in seconds, minutes, or hours.
Specifies the redirection URL. This parameter needs to be set only when Action is set to Redirection.
Specifies an HTTP response code. This parameter is mandatory if you select Disguise for Action.
This parameter is mandatory if you select Disguise for Action. You can upload a response file or select an existing response file.
An HTTP access control policy contains the host name, URI-Path, HTTP method, client IP address, and other conditions. If multiple conditions in a policy are selected, the policy is applied to packets that match all of these conditions. If no conditions are selected, the policy is applied to packets that match any condition in the policy.
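The following added example (not NSFOCUS code and not the WAF's own logic) models the top-down evaluation and the Pass/Accept/Block semantics described above, so a policy list can be reviewed for rules that an earlier Pass makes unreachable. The policy names, condition keys, match semantics, and sample requests are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Actions that stop evaluation; Accept only ends the check against the current policy.
TERMINAL = {"Pass", "Block", "Redirect", "Disguise"}

@dataclass
class Policy:
    name: str
    action: str
    conditions: dict = field(default_factory=dict)

    def matches(self, req):
        # Every selected condition must hold. Assumed semantics: prefix match
        # on uri_path, exact match elsewhere. The no-condition case is not modelled.
        for key, want in self.conditions.items():
            got = req.get(key, "")
            if not (got.startswith(want) if key == "uri_path" else got == want):
                return False
        return True

def evaluate(policies, req):
    """Walk the list top-down; return (matched (name, action) pairs, final action)."""
    trace = []
    for p in policies:
        if p.matches(req):
            trace.append((p.name, p.action))
            if p.action in TERMINAL:
                return trace, p.action
    return trace, None  # no terminal match; the page does not describe this case

def never_reached(policies, requests):
    """Policies that matched none of the sample requests once order is applied."""
    hit = {name for r in requests for name, _ in evaluate(policies, r)[0]}
    return [p.name for p in policies if p.name not in hit]

# Constructed policy list and requests (documentation address ranges).
POLICIES = [
    Policy("log-admin", "Accept", {"uri_path": "/admin"}),
    Policy("pass-office", "Pass", {"client_ip": "203.0.113.10"}),
    Policy("block-admin-post", "Block", {"uri_path": "/admin", "method": "POST"}),
]
OFFICE_POST = {"uri_path": "/admin/users", "method": "POST", "client_ip": "203.0.113.10"}
OTHER_POST = {"uri_path": "/admin/users", "method": "POST", "client_ip": "198.51.100.7"}

if __name__ == "__main__":
    for req in (OFFICE_POST, OTHER_POST):
        print(req["client_ip"], evaluate(POLICIES, req))
    print(never_reached(POLICIES, [OFFICE_POST]))
```

For the office address, the Pass policy ends evaluation before the Block policy is compared, and per the action description the request then reaches the server without further security checks, so broad Pass conditions placed high in the list deserve the closest review.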