WafConfig
Advanced load balancer WafConfig object
Name | Description | Type | Notes |
---|---|---|---|
allowed_http_versions | Allowed http versions WAF allowed HTTP Versions. Enum options - ZERO_NINE, ONE_ZERO, ONE_ONE, TWO_ZERO. Maximum of 8 items allowed. |
array of ALBHTTPVersion | |
allowed_methods | Allowed methods WAF allowed HTTP methods. Enum options - HTTP_METHOD_GET, HTTP_METHOD_HEAD, HTTP_METHOD_PUT, HTTP_METHOD_DELETE, HTTP_METHOD_POST, HTTP_METHOD_OPTIONS, HTTP_METHOD_TRACE, HTTP_METHOD_CONNECT, HTTP_METHOD_PATCH, HTTP_METHOD_PROPFIND, HTTP_METHOD_PROPPATCH, HTTP_METHOD_MKCOL, HTTP_METHOD_COPY, HTTP_METHOD_MOVE, HTTP_METHOD_LOCK, HTTP_METHOD_UNLOCK. |
array of ALBHTTPMethod | |
allowed_request_content_types | Allowed request content types WAF allowed Content Types. Maximum of 64 items allowed. |
array of string | |
argument_separator | Argument separator Argument seperator. Default value when not specified in API or module is interpreted by ALB Controller as &. |
string | Default: "&" |
client_request_max_body_size | Client request max body size Maximum size for the client request body scanned by WAF. Allowed values are 1-32768. Unit is KB. Default value when not specified in API or module is interpreted by ALB Controller as 32. |
integer | Minimum: 1 Maximum: 32768 Default: "32" |
cookie_format_version | Cookie format version 0 For Netscape Cookies. 1 For version 1 cookies. Allowed values are 0-1. Default value when not specified in API or module is interpreted by ALB Controller as 0. |
integer | Minimum: 0 Maximum: 1 Default: "0" |
ignore_incomplete_request_body_error | Ignore incomplete request body error Ignore request body parsing errors due to partial scanning. Default value when not specified in API or module is interpreted by ALB Controller as true. |
boolean | Default: "True" |
max_execution_time | Max execution time The maximum period of time WAF processing is allowed to take for a single request. A value of 0 (zero) means no limit and should not be chosen in production deployments. It is only used for exceptional situations where crashes of se_dp processes are acceptable. The behavior of the system if this time is exceeded depends on two other configuration settings, the WAF policy mode and the WAF failure mode. In WAF policy mode 'Detection', the request is allowed and flagged for both failure mode 'Closed' and 'Open'. In enforcement node, 'Closed' means the request is rejected, 'Open' means the request is allowed and flagged. Irrespective of these settings, no subsequent WAF rules of this or other phases will be executed once the maximum execution time has been exceeded. Allowed values are 0-5000. Unit is MILLISECONDS. Default value when not specified in API or module is interpreted by ALB Controller as 50. |
integer | Minimum: 0 Maximum: 5000 Default: "50" |
regex_match_limit | Regex match limit Limit CPU utilization for each regular expression match when processing rules. Default value when not specified in API or module is interpreted by ALB Controller as 30000. |
integer | Default: "30000" |
regex_recursion_limit | Regex recursion limit Limit depth of recursion for each regular expression match when processing rules. Default value when not specified in API or module is interpreted by ALB Controller as 10000. |
integer | Default: "10000" |
request_body_default_action | Request body default action WAF default action for Request Body Phase. Default value when not specified in API or module is interpreted by ALB Controller as phase:2,deny,status:403,log,auditlog. |
string | Default: "phase:2,deny,status:403,log,auditlog" |
request_hdr_default_action | Request hdr default action WAF default action for Request Header Phase. Default value when not specified in API or module is interpreted by ALB Controller as phase:1,deny,status:403,log,auditlog. |
string | Default: "phase:1,deny,status:403,log,auditlog" |
response_body_default_action | Response body default action WAF default action for Response Body Phase. Default value when not specified in API or module is interpreted by ALB Controller as phase:4,deny,status:403,log,auditlog. |
string | Default: "phase:4,deny,status:403,log,auditlog" |
response_hdr_default_action | Response hdr default action WAF default action for Response Header Phase. Default value when not specified in API or module is interpreted by ALB Controller as phase:3,deny,status:403,log,auditlog. |
string | Default: "phase:3,deny,status:403,log,auditlog" |
restricted_extensions | Restricted extensions WAF Restricted File Extensions. Maximum of 256 items allowed. |
array of string | |
restricted_headers | Restricted headers WAF Restricted HTTP Headers. Maximum of 64 items allowed. |
array of string | |
server_response_max_body_size | Server response max body size Maximum size for response body scanned by WAF. Allowed values are 1-32768. Unit is KB. Default value when not specified in API or module is interpreted by ALB Controller as 128. |
integer | Minimum: 1 Maximum: 32768 Default: "128" |
static_extensions | Static extensions WAF Static File Extensions. GET and HEAD requests with no query args and one of these extensions are allowed and not checked by the ruleset. Maximum of 64 items allowed. |
array of string | |
status_code_for_rejected_requests | Status code for rejected requests HTTP status code used by WAF Positive Security Model when rejecting a request. Enum options - HTTP_RESPONSE_CODE_0, HTTP_RESPONSE_CODE_100, HTTP_RESPONSE_CODE_101, HTTP_RESPONSE_CODE_200, HTTP_RESPONSE_CODE_201, HTTP_RESPONSE_CODE_202, HTTP_RESPONSE_CODE_203, HTTP_RESPONSE_CODE_204, HTTP_RESPONSE_CODE_205, HTTP_RESPONSE_CODE_206, HTTP_RESPONSE_CODE_300, HTTP_RESPONSE_CODE_301, HTTP_RESPONSE_CODE_302, HTTP_RESPONSE_CODE_303, HTTP_RESPONSE_CODE_304, HTTP_RESPONSE_CODE_305, HTTP_RESPONSE_CODE_307, HTTP_RESPONSE_CODE_400, HTTP_RESPONSE_CODE_401, HTTP_RESPONSE_CODE_402... Default value when not specified in API or module is interpreted by ALB Controller as HTTP_RESPONSE_CODE_403. |
ALBHTTPResponseCodes | Default: "HTTP_RESPONSE_CODE_403" |
xml_xxe_protection | Xml xxe protection Block or flag XML requests referring to External Entities. Default value when not specified in API or module is interpreted by ALB Controller as true. |
boolean | Default: "True" |