Policy
The Policy page is part of the Alert Logic Managed Web Application Firewall (WAF) section in the web-based management interface. To learn about all of the features in the WAF section, see WAF.
This page contains information for the following features found under the Policy section on the WAF page:
To go to the documentation for the previous section of Alert Logic Managed Web Application Firewall (WAF), see WAF. To go to the documentation for the next subsection in the WAF section, see Protocol Restrictions.
To access the Policy page in the WAF management interface:
- On the left panel, under Services, click Websites.
- On the Websites page, click the website you want to manage.
- Under WAF, click Policy.
If you want to see all the settings on the Policy page, on the upper-right corner, change the Display preset to Advance.
To save configuration changes or edits you make to any features and options, you must click Save on the lower-right of the section or page where you are making changes. Then click apply changes on the upper-left corner of the page, and click OK. Your changes are not stored unless you save them this way.
The Policy page defines a list of allowed requests and parameters for a given web system. WAF filters access according to the allowed requests and parameters.
The policy is defined by a collection of proxy global policies and application-specific policies. This combination makes it possible to specify short yet fine-grained access control policies, both global and per web application.
Global policy
Global policies are general rules which specify criteria that allow requests on a proxy global basis. Rules are specified by extension and by specifying a grammar (using regular expressions) for valid URLs and parameters.
Global patterns include Static content policies, Global URL policies, and Global parameters policies.
Web applications
In access policy terms, a web application is defined as a URL path which takes one or more parameters as input.
The web application policy list consists of one or more URL paths, each with a specific policy: a web application policy entry.
A web application policy entry is identified by its URL path. The valid input for one or more of the URL's parameters is defined using either a list of allowed values, a grammar (a regular expression), or a class, which is a predefined regular expression.
Web application policy entries always take precedence over global rules. It is possible though to use a combination of global and specific rules, even for a single application.
Incoming requests are validated in the following order:
- Static content policy: If the extension and path of the requested filename match the policy defined in the static content policy and the request has no parameters, the request is allowed.
- Global URL path policy: If the request has no parameters and one of the global URL policy patterns matches, it is allowed. If the URI matches one of the Denied paths policy rules, the request is denied.
- Web applications policy: If the request (including any parameters) matches an entry in the detailed web application policy, it is allowed.
- Web applications policy + global parameters policy: If a request matches an entry in the web applications policy but one or more parameters are offending, those parameters are checked against the global parameters policy. If there is a combined match, the request is allowed.
- Global URL policy + global parameters policy: If a requested URL with parameters matches a global URL policy pattern and all supplied parameters match global parameter patterns, the request is allowed.
- No match: The request is denied.
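The evaluation order above, modelled in Python as an added example (this is not Alert Logic's code, and the policy shapes it uses, such as regex lists, a path-to-parameter map, and name/value pattern pairs for global parameters, are assumptions for illustration rather than the product's configuration format). Every pattern is matched against the whole path or value, mirroring the implicit anchoring WAF applies.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Added example: a model of the documented validation order. Policy field
# shapes are assumptions for illustration, not the product's configuration format.


def full(pattern: str, text: str) -> bool:
    """Anchored match, mirroring the implicit ^...$ WAF puts around every expression."""
    return re.fullmatch(pattern, text) is not None


@dataclass
class Policy:
    static_extensions: set   # extensions treated as static content
    static_paths: list       # patterns for static content paths
    global_urls: list        # global URL path patterns
    denied_paths: list       # Denied paths patterns
    web_apps: dict           # URL path -> {parameter name: value pattern}
    global_params: list      # (parameter name pattern, value pattern) pairs


def matches_global_param(policy: Policy, name: str, value: str) -> bool:
    """A parameter matches the global parameters policy when name and value both match one pair."""
    return any(full(np, name) and full(vp, value) for np, vp in policy.global_params)


def evaluate(policy: Policy, uri: str) -> tuple:
    """Return (decision, rule) for a request URI, following the documented order."""
    parts = urlsplit(uri)
    path = parts.path
    params = parse_qsl(parts.query, keep_blank_values=True)
    filename = path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    # 1. Static content policy: extension and path match, request has no parameters.
    if not params and ext in policy.static_extensions and any(full(p, path) for p in policy.static_paths):
        return "allow", "static content policy"

    # 2. Global URL path policy for parameterless requests, then Denied paths.
    if not params and any(full(p, path) for p in policy.global_urls):
        return "allow", "global URL policy"
    if any(full(p, path) for p in policy.denied_paths):
        return "deny", "denied paths"

    # 3. Web applications policy; 4. offending parameters fall back to global parameters.
    entry = policy.web_apps.get(path)
    if entry is not None:
        offending = [(n, v) for n, v in params if n not in entry or not full(entry[n], v)]
        if not offending:
            return "allow", "web application policy"
        if all(matches_global_param(policy, n, v) for n, v in offending):
            return "allow", "web application policy + global parameters policy"

    # 5. Global URL policy + global parameters policy.
    if params and any(full(p, path) for p in policy.global_urls) \
            and all(matches_global_param(policy, n, v) for n, v in params):
        return "allow", "global URL policy + global parameters policy"

    # 6. No match.
    return "deny", "no match"


# Constructed sample policy (values invented for this example).
SAMPLE_POLICY = Policy(
    static_extensions={"css", "js", "png"},
    static_paths=[r"/static/.*"],
    global_urls=[r"/about", r"/help/.*"],
    denied_paths=[r"/admin/.*"],
    web_apps={
        "/login": {"user": r"\w{1,32}", "lang": r"(?:en|da)"},
        "/search": {"q": r"[\w ]{1,64}"},
    },
    global_params=[(r"utm_\w+", r"[\w\-]{1,64}"), (r"page", r"\d{1,4}")],
)

if __name__ == "__main__":
    for uri in ("/static/app.css", "/static/app.css?v=1", "/about", "/admin/users",
                "/login?user=alice&lang=en", "/login?user=alice&lang=fr",
                "/login?user=alice&lang=en&utm_source=news", "/help/faq?page=2"):
        print(f"{uri:45} -> {evaluate(SAMPLE_POLICY, uri)}")
```

Note how a static file requested with a query string (`/static/app.css?v=1`) falls out of the static content rule and ends at "no match": the static rule only applies to parameterless requests, so cache-busting parameters need a global URL or web application entry.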
Regular Expressions guide
WAF has full support for standard PCRE (Perl Compatible Regular Expressions). Click the drop-down to follow a brief regular expression guide. For a more thorough explanation of the subject some links and books are recommended at the end of the section.
A regular expression is a formula for matching strings that follow some pattern.
Regular expressions are made up of normal characters and special characters. Normal characters include upper and lower case letters and digits. The characters with special meanings are described in detail below.
In the simplest case, a regular expression looks like a standard text string. For example, the regular expression "john" contains no special characters. It will match "john" and "john doe" but it will not match "John".
In an input validation context we always want the expression to match the whole string. The expression above would then be written as ^john$, where the characters ^ and $ mean start of string and end of string. Now john will only match "john" but not "john doe". To match "john doe" as well as "john smith" etc. we employ a few more simple special characters. In its simplest form "john lastname" could be expressed as "^john.*$", meaning: a string starting with the characters "john" followed by zero or more (the "*") occurrences of any character (the "."). For those familiar with the simple wild-card character "*" in (among others) DOS and Unix, ".*" equals "*", that is: anything.
Specifying anything is not very useful in an input validation context. With regular expressions much more fine-grained input validation masks can be defined with the rich set of metacharacters, character classes, repetition quantifiers, etc.
A brief explanation with some examples follows below.
| Character | Meaning |
| --- | --- |
| ^ | Beginning of string (implied in WAF) |
| $ | End of string (implied in WAF) |
| . | Any character except newline |
| * | Match 0 or more times |
| + | Match 1 or more times |
| ? | Match 0 or 1 times; or: shortest match quantifier (i.e. *?) |
| \| | Alternative (like logical OR) |
| () | Grouping |
| [] | Set of characters (a list of characters) |
| {} | Repetition modifier |
| \ | Quote or special |
Metacharacters in regular expressions
To present a metacharacter as a data character standing for itself, precede it with \ (e.g. \. matches the full stop character "." only).
In WAF all regular expressions are forced to match the entire string (URL path or parameter value) by automatically prefixing an expression with "^" and suffixing it with "$".
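The anchoring described in the two paragraphs above, shown in Python as an added example (not code from the page or the product). It assumes the literal behaviour the text states, a "^" prefixed and a "$" suffixed to the expression; whether the product groups the expression before anchoring is not stated, so the example also shows why an alternation such as en|da should be written inside a group. The sample patterns and values are constructed for this example and use notations from the tables that follow.

```python
import re

# Added example: models the implicit anchoring WAF applies to every expression
# as the page describes it ("^" + expression + "$"). Assumption: literal
# concatenation with no grouping; grouping alternations yourself is safe either way.


def waf_anchor(expr: str) -> str:
    """Return the expression as WAF evaluates it: forced to match the whole string."""
    return "^" + expr + "$"


def validates(expr: str, value: str) -> bool:
    """True when the value is accepted under literal ^...$ anchoring."""
    return re.search(waf_anchor(expr), value) is not None


def validates_grouped(expr: str, value: str) -> bool:
    """Same check with the expression grouped before anchoring, which is what
    re.fullmatch does and what a non-capturing group (?:...) achieves."""
    return re.fullmatch(expr, value) is not None


# Constructed sample values: pattern -> {value: expected acceptance}.
SAMPLES = {
    "john":           {"john": True, "john doe": False, "John": False},
    "john.*":         {"john": True, "john doe": True, "John": False},
    r"\d{4}":         {"2024": True, "20245": False, "abcd": False},
    r"[\w\-]{1,16}":  {"alice-01": True, "alice 01": False, "": False},
    r"[^/]+":         {"index.html": True, "../etc": False},
}


def check_samples() -> dict:
    """Evaluate every sample under WAF-style anchoring; returns {pattern: all expectations met}."""
    return {
        pattern: all(validates(pattern, v) == expected for v, expected in cases.items())
        for pattern, cases in SAMPLES.items()
    }


def alternation_pitfall() -> dict:
    """Show why an ungrouped alternation must be grouped before anchoring:
    '^en|da$' reads as (^en) OR (da$), so it accepts 'english' and 'panda'."""
    ungrouped, grouped = "en|da", "(?:en|da)"
    return {
        "ungrouped accepts english": validates(ungrouped, "english"),
        "ungrouped accepts panda": validates(ungrouped, "panda"),
        "grouped accepts english": validates(grouped, "english"),
        "grouped accepts en": validates(grouped, "en"),
        "fullmatch accepts english": validates_grouped(ungrouped, "english"),
    }


if __name__ == "__main__":
    for pattern, ok in check_samples().items():
        print(f"{pattern!r:18} {'ok' if ok else 'MISMATCH'}")
    for label, result in alternation_pitfall().items():
        print(f"{label:28} {result}")
```

The practical rule for policy authors: write a list of allowed values as (?:value1|value2) rather than value1|value2, so the implied anchors apply to the whole alternation and an over-permissive match cannot slip through.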
| Expression | Meaning |
| --- | --- |
| a* | Zero or more a's |
| a+ | One or more a's |
| a? | Zero or one a's (i.e., optional a) |
| a{m} | Exactly m a's |
| a{m,} | At least m a's |
| a{m,n} | At least m but at most n a's |
| repetition? | Same as repetition but the shortest match is taken |
Repetition in regular expressions
Read "a's" as "occurrences of strings, each of which matches the pattern a".
Read repetition as any of the repetition expressions listed above it.
Shortest match means that the shortest string matching the pattern is taken. The default is "greedy matching", which finds the longest match.
| Notation | Meaning |
| --- | --- |
| \t | tab |
| \n | newline |
| \r | return (CR) |
| \xhh | character with hex code hh |
| \b | "word" boundary (zero-width assertion) |
| \B | not a "word" boundary |
| \w | matches any single international character classified as a "word" character (alphanumeric or _). Examples: A, z, 1, 9, Æ, â |
| \W | matches any non-"word" character |
| \s | matches any whitespace character (space, tab, newline) |
| \S | matches any non-whitespace character |
| \d | matches any digit character, equivalent to [0-9] |
| \D | matches any non-digit character |
| \pN | matches any Unicode character classified as numeric |
Notations with \ in WAF regular expressions
A character set is denoted by [...]. Different meanings apply inside a character set ("character class") so that, instead of the normal rules given here, the following apply:
| Set | Meaning |
| --- | --- |
| [characters] | matches any of the characters in the list (c,h,a,r,a,c,t,e,r,s) |
| [x-y] | matches any of the characters from x to y (inclusive) in the ASCII code |
| [\-] | matches the hyphen character - |
| [\n] | matches the newline; other single character denotations with \ apply normally, too |
| [^something] | Negation. Matches any character except those that [something] denotes; that is, immediately after the leading [ the circumflex ^ means "not" applied to all of the rest |
Character sets in regular expressions