Barracuda WAF-as-a-Service

URL Access and Redirects

URL access and redirect rules enable you to customize access to your web application based on the URL requested. For example, you can configure a rule to control access to certain portions of your application, based on a business requirement – without changing the configuration on the application itself.

You can configure a rule for a URL match or a Hostname/IP match. If a match is found, the request is processed according to the configured action.

Steps to Add a URL Rule

To add a URL rule for an application, do the following:

  1. In the WAF-as-a-Service web interface, click Applications in the left panel.

  2. On the Applications page, click on the application to which you want to add the URL rule.

  3. On the application page, click URL Access and Redirects in the left panel.

  4. On the URL Access and Redirects page, click Add URL Rule.

  5. In the Create Rule window:

    1. Name - Enter a name for the URL rule.

    2. Enable Rule - Set to ON to enable the rule.

    3. Host Match - Enter the matching criterion for the host field in the Request Header. This is either a specific host match or a wildcard host match with a single " * " anywhere in the URL. Specify * to match any host for the web application hosted on the service. If the application hosts multiple applications under different domains and you wish to add the rule only for a particular domain, enter the relevant host name, such as www.example.com or *.example.com.

    4. URL Match - Enter the matching criterion for the URL field in the Request Header. The URL should start with a "/" and can have only one " * " anywhere in the URL. Use / if you want the rule to cover all URLs in your domain.
      Example:
      /*
      /index.html
      /public/index.html

    5. Extended Match - Enter an expression that consists of a combination of HTTP headers and/or query string parameters. Use '*' to not apply the Extended Match condition.
      This expression is used to match against special attributes in the HTTP headers or query string parameters in the requests. For more information on how to write an extended match expression, refer to the Extended Match and Condition Expression section in the Extended Match Profile article.

      Note: This feature is available only for applications deployed in custom containers. If the extended match expression is stored in your key management system (AWS or HashiCorp Vault), click the key icon and specify the secret path for the extended match expression.

      Note: Extended Match now includes support for IP ranges and CIDR notation. Example: (Client-IP neq 10.0.0.0/24)

    6. Priority - Enter a number to indicate the order in which the extended match rule must be evaluated in the requests.

    7. Action - Select the action to be taken on the request matching this URL rule.

      1. Bypass security: Allow the request without enforcing security checks.

      2. Deny the request: Explicitly deny the request without further processing.

      3. Temporary Redirect/Permanent Redirect: This option informs the browser and search engines about the resource:

        1. Temporary Redirect (Status 302) - Indicates the resource is temporarily located elsewhere. Browsers should continue requesting the original URL.

        2. Permanent Redirect (Status 301) - Indicates the resource has permanently moved. Browsers and search engines should update their records and stop requesting the original URL.

      4. Take no action: This option still enables you to see the rule match in the logs, even though no other action is taken. This can be helpful during policy development, for example, to check that you configured the URL correctly, without any typos, without having to switch the whole service to passive mode.

  6. Click Add.

Note that your rules can include a maximum of one wildcard (*) character. 

Redirect Details

A redirect URL can be either a:

  • fully-qualified URL (http://www.example.com/index.html)

  • full path (like /index.html)

Optionally, append %s to the end of the redirect URL to redirect to the specified domain while keeping the path of the original request, as shown in this example.

Setup
  • Service: http://www.example.com/index.html

  • Match: /*

  • Redirect URL: http://www.redirectexample.com%s

How it Works
  • Incoming Request: http://www.example.com/a.html

  • Redirects to: http://www.redirectexample.com/a.html
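
The matching and redirect behaviour described on this page, as an added Python example (not Barracuda's code): it checks patterns against the one-wildcard and leading "/" limits, picks the matching rule, expands %s, and lists Bypass security rules that cover every host and every URL. The rule dictionaries, the function names, the sample rules, the lowest-number-first priority order and the reading of * as "any run of characters" are assumptions.

```python
import re

def validate(pattern, is_url):
    """Problems that break the page's stated limits for a match pattern."""
    problems = []
    if pattern.count("*") > 1:
        problems.append("more than one '*' wildcard")
    if is_url and not pattern.startswith("/"):
        problems.append("URL Match must start with '/'")
    return problems

def matches(pattern, value):
    if pattern == "/":  # the page says "/" covers all URLs
        pattern = "/*"
    # Assumption: '*' stands for any run of characters; the rest is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def redirect_target(redirect_url, request_path):
    # A trailing %s carries over the path of the incoming request.
    if redirect_url.endswith("%s"):
        return redirect_url[:-2] + request_path
    return redirect_url

def evaluate(rules, host, path):
    """(name, action, redirect location) of the first enabled matching rule."""
    # Assumption: a lower Priority number is evaluated first.
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["enabled"] and matches(r["host"], host.lower()) and matches(r["url"], path):
            target = redirect_target(r["redirect"], path) if "redirect" in r else None
            return r["name"], r["action"], target
    return None

def broad_bypass(rules):
    """Enabled 'Bypass security' rules that cover every host and every URL."""
    return [r["name"] for r in rules if r["enabled"] and r["action"] == "Bypass security"
            and r["host"] == "*" and r["url"] in ("/", "/*")]

# Constructed sample rules; "old-site" uses the redirect URL from "Redirect Details".
RULES = [
    {"name": "admin-deny", "enabled": True, "host": "www.example.com",
     "url": "/admin/*", "priority": 10, "action": "Deny the request"},
    {"name": "old-site", "enabled": True, "host": "*", "url": "/*", "priority": 20,
     "action": "Permanent Redirect", "redirect": "http://www.redirectexample.com%s"},
    {"name": "static-bypass", "enabled": True, "host": "*", "url": "/*",
     "priority": 30, "action": "Bypass security"},
]

if __name__ == "__main__":
    print(evaluate(RULES, "www.example.com", "/a.html"))
    print(broad_bypass(RULES))
```

Running broad_bypass over an exported rule list is a quick review step: a Bypass security rule with Host Match * and URL Match /* turns off security checks for every request it reaches.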