In the process of using WAF, when we need to detect elements like hostname, URL path, HTTP request methods, and IP blacklists, we can utilize the HTTP Access Control function to meet these requirements. This article provides a detailed guide on using WAF’s HTTP Access Control feature and highlights relevant considerations.
1. HTTP Access Control Configuration Steps
Method 1: Create a new policy in Security Management > Policy Management > HTTP Access Control and reference it in Security Management > Website Protection > Website Group > Web Security Protection.
Method 2: Go to Security Management > Website Protection > Website Group > Web Security Protection > HTTP Access Control and create a new policy.
2. Pattern Matching
Before configuring the HTTP access control policy, it’s important to understand the following matching methods:
| Pattern Match Type | Description |
| Include | Matches if the content contains the pattern. Wildcards and escape characters are supported. |
| Equal to | Matches only if the content exactly equals the pattern. Wildcards are not supported, but escape characters are. |
| Directory Matching | Matches if each level of the URI-Path directories corresponds exactly to each level of directories in the pattern, separated by slashes. Example: If the pattern is /admin/*.jpg, it matches a URI-Path like /admin/123.jpg, but not /1/admin/123.jpg, because the directories don’t fully align. |
| RegExp Matching | Indicates the regular expression to be matched. The feature string must conform to the regular expression syntax. |
| Unequal to, Excluded, RegExp Non Matching Directory Not Matching | The corresponding inverse operation of the above content. |
3. HTTP Access Control Configuration Items
Below are descriptions of each configuration item, they have an “AND” relationship.
3.1. Hostname:
The hostname refers to the part of the HTTP request’s host field that includes both the domain name and the port number, which we typically see in the “host” field. The WAF follows a “what you see is what you get” principle, so when specifying a hostname pattern, the WAF will not automatically remove the default port. For example, if you configure the hostname to match “www.nsfocus.com:80,” it will only match requests where the hostname exactly matches “www.nsfocus.com:80.” Even if the request occurs on TCP port 80, if the hostname is “www.nsfocus.com” without the port, it will not match.
Example: If you require that only domain names are used to access services (for instance, “www.nsfocus.com”), and IP access is not allowed, you can configure it as follows: block requests when the domain name does not equal “www.nsfocus.com.”
3.2 URI-Path:
The URI-Path is the part of the HTTP request’s URI that excludes parameter information. Below are examples and explanations for implementing path matching.
Example 1: When a customer wants to block access to a specific URL path (e.g., /admin/index.php), directory matching can be used.
Example 2: If the customer wants to block all requests after the /admin/ path, RegExp matching can be applied.
Example 3: When a customer only allows access to specific directories (e.g., /admin/1/, /admin/2/, and /admin/3/):
Case 1: If no further security policies are needed to check, create three individual rules allowing each directory (the image below shows the configuration for /admin/1/; similar steps are needed for /admin/2/ and /admin/3/). Then, create a rule to block *. WAF will follow a top-down matching approach, forwarding allowed directories to the server, while unmatched requests are blocked.
Case 2: If further security policies are needed to check, combine HTTP access control policies with exception rules. Use HTTP access control RegExp to block all URL paths, adding exception policies to pass the specific directories. This approach is suggested to be thoroughly tested before use.
3.3 HTTP Method
The HTTP method refers to the type of HTTP request (e.g., GET, POST, or HEAD). WAF provides operations for both inclusion and exclusion matching, supporting up to 17 request methods in the latest version, which can be configured as needed.
3.4 Client IP
The client IP refers to the IP address initiating the HTTP request. If “Use Real Client IP in Policy” is enabled under proxy configuration, it allows blocking based on the IP identified in the XFF header. When client IPs are correctly recognized in security or access logs, an IP or IP segment can be added to the blacklist via HTTP access control policies.
Example 1: To block three network segments and two individual IPs, enter the corresponding segments and IPs in the dialog box and choose the appropriate action.
Note: A single policy can support up to 16 IP groups.
Example 2: When blocking 300 IPs, use the blacklist to simplify the setup, as a single policy only supports 16 IP groups. The steps are as follows:
- Navigate to Security Management > Website Protection ->Upload File Management -> IP Access Control.
- In the IP Access Control Blacklist page, import IPs (using the sample txt format provided on the web).
- In the HTTP access control policy under client IP, select the pre-existing IP blacklist file to implement access control for multiple IPs.
