Protocol Restrictions
The Alert Logic Managed Web Application Firewall (WAF) Protocol Restrictions page includes the following sections. Click on the link to go to the corresponding section to learn more:
To go to the documentation for the previous section of Alert Logic Managed Web Application Firewall (WAF), see Policy. To go to the documentation for the next subsection in the WAF section, see Website Global Policy.
To access the Protocol restrictions section in the WAF management interface:
- On the left panel, under Services, click Websites.
- On the Websites page, click the website you want to manage.
- Under WAF, click Policy, and then scroll down to the Protocol restrictions section.
If you want to see all the settings on the Policy page, on the upper-right corner, change the Display preset to Advance.
To save configuration changes or edits you make to any features and options, you must click Save on the lower-right of the section or page where you are making changes. Click apply changes on the upper-left corner of the page, and then click OK. Your changes will not be stored if you do not properly save your changes.
Restrict which HTTP protocol versions are allowed.
Corresponding violation: HTTP Protocol version

| Setting | Control | Description | Default |
| --- | --- | --- | --- |
| HTTP 1.0 | Check box | Allow / disallow HTTP 1.0 requests. | |
| HTTP 1.1 | Check box | Allow / disallow HTTP 1.1 requests. | |
| HTTP 2.0 | Check box | Allow / disallow HTTP 2.0 requests. | |
Restrict which HTTP methods are allowed.
Corresponding violation: Method illegal

| Setting | Control | Description | Default |
| --- | --- | --- | --- |
| HEAD | Check box | Allow / disallow HTTP method HEAD. | |
| GET | Check box | Allow / disallow HTTP method GET. | |
| POST | Check box | Allow / disallow HTTP method POST. | |
| OPTIONS | Check box | Allow / disallow HTTP method OPTIONS. | |
| PUT | Check box | Allow / disallow HTTP method PUT. | |
| DELETE | Check box | Allow / disallow HTTP method DELETE. | |
| MKCOL | Check box | Allow / disallow HTTP method MKCOL. | |
| COPY | Check box | Allow / disallow HTTP method COPY. | |
| MOVE | Check box | Allow / disallow HTTP method MOVE. | |
| PROPFIND | Check box | Allow / disallow HTTP method PROPFIND. | |
| PROPPATCH | Check box | Allow / disallow HTTP method PROPPATCH. | |
| LOCK | Check box | Allow / disallow HTTP method LOCK. | |
| UNLOCK | Check box | Allow / disallow HTTP method UNLOCK. | |
| PATCH | Check box | Allow / disallow HTTP method PATCH. | |
Web services
WAF supports inspection of XML and JSON based web services requests, including SOAP and XML RPC.
XML based requests are learned like other queries, and positive and negative policies, or combinations of the two, can be enforced on them.
Corresponding violation: Content type not enabled
| Setting | Control | Description | Default |
| --- | --- | --- | --- |
| Enable XML web services support | Check box | Enable / disable support for XML web services. If enabled, WAF parses requests with Content-Type = text/xml and treats the XML as a query. | |
| Enable XML DTD validation | Check box | Enable / disable XML DTD validation. | |
| Enable JSON web services support | Check box | Enable / disable support for JSON web services. If enabled, WAF parses requests with Content-Type = application/json, text/x-json or text/json and treats the JSON request payload as a query. | |
| Parse text/plain content type requests | Check box | Enable / disable support for POST requests with Content-Type text/plain. If enabled, WAF accepts requests with the text/plain Content-Type and parses the request payload. The parser is configurable; see the notes below this table. | |

As there is no standard for how a text/plain payload is composed, the parser is configurable. The default configuration parses the payload as a carriage return / newline separated list of parameter name / value pairs in the form name=value. This is the format used by the Direct Web request (or DWR) Java library. To change the way the payload is parsed, click the button. This displays the regular expression that extracts the name / value pairs. If you want to change it, you may want to contact Alert Logic support for help, although it is not complicated if you are comfortable with regular expressions.

The name and value are captured by the two parenthesized groups. The first group captures the parameter name; the last group, ([^\n\r]*), captures the value and is optional because of the asterisk (*) after the bracketed character class. When changing the regular expression, at least one pair of parentheses must match something. The simplest allowed regular expression is (.+), which matches the entire payload. When composing regular expressions, note that the expression is run with the /gsi options: the expression is iterated over until there are no more matches (/g); the payload is treated as one string, including \r and \n (/s), which redefines the "anything" meta character (.) to also match \r and \n; and matching is case insensitive (/i).
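The following Python script is an added illustration of how a configurable text/plain extractor behaves under the /gsi options described above; it is not Alert Logic's code, and the page does not show the WAF's actual default expression, so the DWR-style pattern below is a constructed stand-in that reproduces the documented behaviour (one name=value pair per CR/LF-separated line, optional value, at least one capture group required). The sample payload is also constructed.

```python
import re
from typing import List, Tuple

# Constructed stand-in for the WAF's default extractor (the page does not show
# the real one): a name, '=', and an optional value up to the next CR or LF.
# The last group is [^\r\n]* with a '*', so an empty value still yields a pair.
DWR_STYLE_PAIR = r"([^=\r\n]+)=([^\r\n]*)"

# The page says the expression runs with /gsi. finditer() gives /g (repeat until
# no more matches); re.S makes '.' also match \r and \n (/s); re.I is /i.
# Case-insensitivity only affects literal characters in the pattern; the
# captured names keep whatever case the client sent.
GSI_FLAGS = re.S | re.I


def validate_extractor(pattern: str) -> "re.Pattern[str]":
    """Mirror the documented constraint: at least one capture group is required."""
    compiled = re.compile(pattern, GSI_FLAGS)
    if compiled.groups < 1:
        raise ValueError("extractor regex must contain at least one capture group")
    return compiled


def extract_pairs(payload: str, pattern: str = DWR_STYLE_PAIR) -> List[Tuple[str, str]]:
    """Iterate the extractor over the whole payload and return (name, value) pairs.

    With a two-group pattern the first group is the name and the last the value.
    With a single-group pattern such as (.+) the whole match becomes the "name"
    and the value is empty, which is exactly what the WAF would see as one query
    parameter covering the entire payload.
    """
    regex = validate_extractor(pattern)
    pairs: List[Tuple[str, str]] = []
    for match in regex.finditer(payload):
        groups = match.groups()
        name = groups[0]
        value = groups[-1] if len(groups) > 1 else ""
        pairs.append((name, value))
    return pairs


# Constructed sample: the general shape of a DWR client call sent as text/plain.
# Note the mixed \r\n and \n separators; the extractor does not care which is used.
SAMPLE_PAYLOAD = (
    "callCount=1\r\n"
    "c0-scriptName=UserService\r\n"
    "c0-methodName=lookup\n"
    "c0-param0=string:alice\r\n"
    "batchId=0"
)

if __name__ == "__main__":
    for name, value in extract_pairs(SAMPLE_PAYLOAD):
        print(f"{name!r} -> {value!r}")
    # The simplest allowed expression, (.+), collapses everything into one pair.
    print(extract_pairs(SAMPLE_PAYLOAD, r"(.+)"))
```

Running it shows five parameters extracted from the DWR-style payload, and a single parameter spanning the whole payload when the extractor is reduced to (.+): because of /s, the dot crosses the line breaks, so that pattern is a catch-all rather than a per-line rule.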
HTTP Tunneling and bypass
WAF allows other protocols to be encapsulated in the HTTP protocol, so-called HTTP tunneling.
Corresponding violation: Content type not enabled
| Setting | Control | Description | Default |
| --- | --- | --- | --- |
| Bypass ActiveSync WBXML (binary XML) and message/rfc822 | Check box | Enable / disable bypassing of the WBXML (binary XML) and message/rfc822 content types. When enabled, binary XML and the message/rfc822 content type are bypassed. This is necessary for ActiveSync synchronization with mobile devices and for Outlook Web Access to work. | |
| Bypass unknown or missing PUT Content-Type requests | Check box | Enable / disable bypassing of PUT requests with an unknown or missing Content-Type. | |
| Websockets | Check box | Enable / disable websockets. | |
| Bypass custom content types | Check box | Enable / disable bypassing of custom content types. | |
| Content types | Input field | Enter the content types you want to bypass. | |
Headers, restrict length and number
Restrict length and number for HTTP request headers.
If a header fails this check, the entire request is blocked and handled accordingly.
| Setting | Control | Description | Corresponding violation |
| --- | --- | --- | --- |
| Header name maximum length | Input field | Maximum length for each inbound HTTP header name. | |
| Header value maximum length | Input field | Maximum length for each inbound HTTP header value. | |
| Maximum number of headers | Input field | Maximum number of HTTP headers in the request. | |
Cookies, restrict length and number
Restrict type, length and number for HTTP request cookies.
If a cookie fails this check, the entire request is blocked and handled accordingly.
| Setting | Control | Description | Corresponding violation | Default |
| --- | --- | --- | --- | --- |
| Accept Version0 | Check box | Allow / disallow version 0 cookies. Version 0 is the most widely used on the internet today. | | |
| Accept Version1 | Check box | Allow / disallow version 1 cookies. | | |
| Cookie name maximum length | Input field | Maximum length for each cookie name. | | |
| Cookie value maximum length | Input field | Maximum length for each cookie value. | | |
| Maximum number of cookies | Input field | Maximum number of cookies in the request. | | |
Request, restrict length and number
Restrict length and number for the HTTP request as a whole.
If the request fails this check, the entire request is blocked and handled accordingly.
| Setting | Control | Description | Corresponding violation |
| --- | --- | --- | --- |
| Request line maximum length | Input field | Maximum allowed length of the request line. When the request is displayed in the browser address bar, the request line is everything following the protocol://domain.name.tld part of the request. In http://domain.name.tld/path/to/resource?query=1&string=1 the request line is /path/to/resource?query=1&string=1. | |
| Request path maximum length | Input field | Maximum allowed length of the path part of the request line. In http://domain.name.tld/path/to/resource?query=1&string=1 the path part is /path/to/resource. | |
| Query string maximum length | Input field | Maximum allowed length of the query part of the request line. In http://domain.name.tld/path/to/resource?query=1&string=1 the query part is query=1&string=1. | |
| POST form payload limit | Input field | Maximum allowed POST content length. If a POST request's length fails the check, the entire request is blocked and handled accordingly. | |
Request parameters, restrict size and number
| Setting | Control | Description | Corresponding violation |
| --- | --- | --- | --- |
| GET Parameter name maximum length | Input field | Maximum length for each GET parameter name. | |
| GET Parameter value maximum length | Input field | Maximum length for each GET parameter value. | |
| GET Parameter combined length | Input field | Maximum length for each GET parameter name + value pair. | |
| GET Maximum number of parameters | Input field | Maximum number of GET parameters in the request. | |
| POST Parameter name maximum length | Input field | Maximum length for each POST parameter name. | |
| POST Parameter value maximum length | Input field | Maximum length for each POST parameter value. | |
| POST Parameter combined length | Input field | Maximum length for each POST parameter name + value pair. | |
| POST Maximum number of parameters | Input field | Maximum number of POST parameters in the request. | |
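The headers, cookies, request and request-parameter sections above all describe the same kind of control: a length or count limit that, when exceeded, blocks the whole request. The Python script below is an added example, not Alert Logic's code, that applies those checks to a request the way the page defines them (request line = everything after protocol://host, path = the part before "?", query = the part after "?"). The limits in the Limits class are constructed for illustration, since the page does not state the WAF's defaults, and "combined length" is assumed to count name and value characters only.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


# Constructed limits for illustration only; the page does not show the WAF's
# defaults, so these are not Alert Logic's values.
@dataclass(frozen=True)
class Limits:
    header_name_max: int = 64
    header_value_max: int = 1024
    headers_max: int = 50
    cookie_name_max: int = 64
    cookie_value_max: int = 512
    cookies_max: int = 30
    request_line_max: int = 2048
    path_max: int = 1024
    query_max: int = 1024
    get_name_max: int = 64
    get_value_max: int = 256
    get_combined_max: int = 300
    get_params_max: int = 20


def split_request_line(url: str) -> Tuple[str, str, str]:
    """Split a URL as the page defines the limits: the request line is everything
    after scheme://host, the path is the part before '?', the query the part after."""
    parts = urlsplit(url)
    request_line = parts.path + ("?" + parts.query if parts.query else "")
    return request_line, parts.path, parts.query


def parse_pairs(text: str, sep: str) -> List[Tuple[str, str]]:
    """Split 'name=value<sep>name=value' into raw (undecoded) pairs so that the
    lengths checked below are the lengths as sent on the wire."""
    pairs = []
    for chunk in text.split(sep):
        chunk = chunk.strip()
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((name, value))
    return pairs


def check_request(url: str, headers: Dict[str, str], limits: Limits = Limits()) -> List[str]:
    """Return the restrictions a request would violate (an empty list means it passes).
    Each entry is the setting name from the page, plus the offending name where relevant."""
    violations: List[str] = []

    # Headers, restrict length and number
    if len(headers) > limits.headers_max:
        violations.append("Maximum number of headers")
    for name, value in headers.items():
        if len(name) > limits.header_name_max:
            violations.append(f"Header name maximum length: {name}")
        if len(value) > limits.header_value_max:
            violations.append(f"Header value maximum length: {name}")

    # Cookies, restrict length and number (the Cookie header is ';'-separated)
    cookies = parse_pairs(headers.get("Cookie", ""), ";")
    if len(cookies) > limits.cookies_max:
        violations.append("Maximum number of cookies")
    for name, value in cookies:
        if len(name) > limits.cookie_name_max:
            violations.append(f"Cookie name maximum length: {name}")
        if len(value) > limits.cookie_value_max:
            violations.append(f"Cookie value maximum length: {name}")

    # Request, restrict length and number
    request_line, path, query = split_request_line(url)
    if len(request_line) > limits.request_line_max:
        violations.append("Request line maximum length")
    if len(path) > limits.path_max:
        violations.append("Request path maximum length")
    if len(query) > limits.query_max:
        violations.append("Query string maximum length")

    # Request parameters, restrict size and number (GET side; POST form
    # parameters would get the same treatment on the form body)
    params = parse_pairs(query, "&")
    if len(params) > limits.get_params_max:
        violations.append("GET Maximum number of parameters")
    for name, value in params:
        if len(name) > limits.get_name_max:
            violations.append(f"GET Parameter name maximum length: {name}")
        if len(value) > limits.get_value_max:
            violations.append(f"GET Parameter value maximum length: {name}")
        # Assumption: "combined length" counts the name and value characters only.
        if len(name) + len(value) > limits.get_combined_max:
            violations.append(f"GET Parameter combined length: {name}")
    return violations


if __name__ == "__main__":
    # Constructed sample request using the page's own example URL.
    sample_headers = {"Host": "domain.name.tld", "Cookie": "sid=abc123; lang=en"}
    print(check_request("http://domain.name.tld/path/to/resource?query=1&string=1", sample_headers))
```

The page's example URL passes cleanly under these limits; a single 300-character parameter value trips both the per-value and the combined-length checks while staying under the query-string limit, which is why the individual, combined and whole-query limits are separate settings. A real WAF applies these checks before any payload parsing, so the cost of an oversized request is bounded by the limit rather than by what the parser would have done with it.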
File uploads, restrict size and number
| Setting | Control | Description | Corresponding violation |
| --- | --- | --- | --- |
| Maximum number of files | Input field | Maximum number of files allowed in an upload request. | |
| Individual file size | Input field | Maximum allowed size for each individual file in an upload request. | |
| POST upload payload limit | Input field | Maximum allowed size for the entire upload request, i.e. the total size of all files in the upload request. | |
File name validation
| Setting | Control | Description | Default |
| --- | --- | --- | --- |
| Allowed patterns/chars | Check box, Input field | Enable / disable the allowed patterns/chars check. Enter a regex for the allowed patterns/chars in the input field. | |
| Disallowed extensions - standard | Check box, Input field | Enable / disable the standard disallowed extensions check. Enter a regex for the disallowed standard extensions in the input field. | |
| Disallowed extensions - custom | Check box, Input field | Enable / disable the custom disallowed extensions check. Enter a regex for the disallowed custom extensions in the input field. | |