Rule Building
Rules are the core of rescaled WAF. Without rules, the WAF would just pass all requests through to your upstream server, without performing any inspections or actions.
A rule must always contain the following elements in order to be valid:
- Unique Name
- Action
- Matching Criteria
The matching criteria can either be a CEL expression or one of the direct field matchers that are described below.
Optionally, a rule can contain additional configuration overrides that alter how actions are executed, e.g. to change the difficulty of a challenge, to add a header to a denying response or to deliver a completely different response body.
Direct Field Matchers
Instead of using CEL expressions, you can also use direct field matchers for an easier configuration approach. We recommend using direct field matchers whenever possible and only falling back to CEL expressions when necessary, which reduces complexity and the room for mistakes.
| Direct Field Matcher | Description | Example |
|---|---|---|
| `all` | Matches all requests, no matter what. Useful for baseline rules, e.g. for a starting weight. | `all: {}` |
| `path` | Accepts a string with the exact request path to match against. | `path: "/foo/bar"` |
| `path_regex` | Accepts a string with a regular expression to match against the request path. | `path_regex: "^/foo/.*"` |
| `user_agent` | Accepts a string with the exact user agent to match against. | `user_agent: "Googlebot-Image/1.0"` |
| `user_agent_regex` | Accepts a string with a regular expression to match against the user agent. | `user_agent_regex: "(?i)google"` |
| `ip_list` | Accepts either a string or an array with one or more IP lists to match against. | `ip_list: ["rfc1918", "googlebots"]` |
| `geoip` | Accepts either a string or an array of country codes to match against (requires GeoIP feature). | `geoip: ["DE", "US"]` |
| `networks` | Accepts either an integer or an array of ASNs to match against (requires ASN feature). | `networks: [12345, 67890]` |
Rule Processing
Rules are always processed in the order they are defined. This is important to understand when building a custom ruleset for your application.
Causing a terminal action as early as possible will help with overall performance as it significantly reduces processing time, because the WAF can skip all remaining rules immediately.
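To make the two points above concrete (how each direct field matcher evaluates, and how in-order processing stops at the first terminal action), here is a small reference evaluator. It is an added example, not rescaled's code: the rule dict shape (`name`, `action`, one matcher key), the set of terminal actions, the non-terminal `weight` action, the default-allow fall-through and the contents of the `rfc1918` list are all assumptions made for the demo.

```python
import ipaddress
import re

# Constructed sample list; the real named lists such as "rfc1918" are maintained by rescaled.
IP_LISTS = {"rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}
# Assumption: allow/deny/challenge end processing, a "weight" action does not.
TERMINAL = {"allow", "deny", "challenge"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def matches(key, value, req):
    """Evaluate one direct field matcher against a request dict."""
    if key == "all":
        return True
    if key == "path":
        return req["path"] == value
    if key == "path_regex":
        return re.search(value, req["path"]) is not None
    if key == "user_agent":  # a missing header compares as ""
        return req.get("user_agent", "") == value
    if key == "user_agent_regex":
        return re.search(value, req.get("user_agent", "")) is not None
    if key == "ip_list":
        ip = ipaddress.ip_address(req["ip"])
        return any(ip in ipaddress.ip_network(net) for name in _as_list(value) for net in IP_LISTS[name])
    if key == "geoip":
        return req.get("country") in _as_list(value)
    if key == "networks":
        return req.get("asn") in _as_list(value)
    raise ValueError(f"unknown direct field matcher: {key}")

def evaluate(rules, req):
    """Process rules in definition order; the first terminal action wins. Returns (action, matched rule names)."""
    fired = []
    for rule in rules:
        key, value = next((k, v) for k, v in rule.items() if k not in ("name", "action"))
        if matches(key, value, req):
            fired.append(rule["name"])
            if rule["action"] in TERMINAL:
                return rule["action"], fired  # remaining rules are skipped
    return "allow", fired  # assumption: nothing terminal matched -> pass to upstream

# Constructed ruleset using the three required elements: unique name, action, matching criteria.
RULES = [
    {"name": "baseline-weight", "action": "weight", "all": {}},
    {"name": "serve-well-known", "action": "allow", "path_regex": r"^/\.well-known/"},
    {"name": "block-no-user-agent", "action": "deny", "user_agent": ""},
    {"name": "trust-internal", "action": "allow", "ip_list": "rfc1918"},
    {"name": "challenge-us", "action": "challenge", "geoip": ["US"]},
]
```

Note that the `.well-known` allow rule sits before the empty-User-Agent deny rule, so an ACME client without a User-Agent header still gets through, which is exactly the ordering concern the section describes.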
General Purpose Ruleset (GPR)
rescaled offers a general purpose ruleset (GPR) that consists of rules applicable to practically any website or application. The rules make sure that standard behaviour is maintained and that commonly used features are kept usable.
For example, the included rules ensure that:
- Favicons and `robots.txt` are always served and not blocked
- Malicious browsers without any `User-Agent` header are immediately blocked
- `sitemap.xml` is always served and not blocked to prevent negative impact on SEO
- Files under `/.well-known/*` are always served and not blocked to e.g. allow ACME http-01 challenges to pass
The GPR is available for all customers and is managed by rescaled. Customers can individually adjust sub-rules of the GPR or disable it entirely in order to build their own rulesets from scratch. However, we strongly recommend using the GPR as a starting point for your own ruleset.