How do I use AWS WAF with AWS Global Accelerator to block Layer 7 HTTP method and headers from accessing my application?


Using an AWS WAF-enabled Application Load Balancer with AWS Global Accelerator, I want to block requests to my application if the request method is POST or if the User-Agent header value is curl/7.79.0.

Short description

You can use AWS WAF on an Application Load Balancer behind Global Accelerator to block requests based on Layer 7 attributes such as the HTTP method and request headers. In this architecture, AWS WAF evaluates the web access control list (web ACL) rules on the Application Load Balancer, and the load balancer is an endpoint of the accelerator.
Note: AWS Global Accelerator itself doesn't support AWS WAF.

The web ACL associated with the load balancer evaluates each incoming request, and the load balancer forwards only the requests that the web ACL allows to its targets.

Resolution

A web ACL rule provides fine-grained control over the HTTP(S) requests that reach your protected resources. Use a rule to configure a string or regex match against one or more request components, such as the Uniform Resource Identifier (URI) path, query string, HTTP method, or a named header.

Prerequisites

  • Make sure you have the following traffic flow configuration for Global Accelerator, Application Load Balancer, and AWS WAF:
    User --> Global Accelerator --> Application Load Balancer with AWS WAF --> EC2 instance
    Note: In this setup, the user reaches the application through the accelerator's DNS name. The accelerator routes the traffic to the Application Load Balancer, where the associated web ACL inspects each request's HTTP method and User-Agent header and either blocks or allows it.

Create a rule-based web ACL

Use the following 3-step process to create a rule-based web ACL. For more information, see Creating a web ACL.

Create a web ACL

  1. Open the AWS WAF console to create a web ACL.
  2. Choose Create web ACL.
  3. Name the web ACL, and select the Region of the Application Load Balancer.
  4. Associate the Application Load Balancer with the web ACL.
  5. Choose Next.

Add a custom rule to the web ACL

Continue to configure as follows:

  1. Choose Add rules, and then select Add my own rules and rule groups from the dropdown.
  2. Under Rule builder, add a rule.
  3. Name the rule (for example, deny_User-Agent_with_POST).
  4. Under Type, select Regular rule.

Configure the match criteria for the rule

Complete the remaining steps:

  1. Select If a request matches at least one of the statements (OR).

  2. Under statement1 complete as follows:
    Inspect: single header
    Header field name: User-Agent
    Match type: Exactly matches string
    String to match: curl/7.79.0

    Under statement2 complete as follows:
    Inspect: HTTP method
    Match type: Exactly matches string
    String to match: POST

  3. For Action, choose Block.

Note: The User-Agent value is supplied by the client, so this statement filters a self-reported identity rather than enforcing a security boundary; any client can send a different value (for example, curl -A). Also, Exactly matches string compares bytes case-sensitively, so Curl/7.79.0 would not match unless you add a text transformation such as Lowercase.
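The same rule expressed in code, as an added example that is not part of the AWS article: the dictionary below is the AWS WAFv2 rule structure that boto3's wafv2 client accepts in create_web_acl(Rules=[...]) (the OR of a single-header ByteMatchStatement and a method ByteMatchStatement, with a Block action). The short evaluator after it is a local simulation of the documented OrStatement/ByteMatchStatement semantics so the rule can be exercised offline against constructed requests; it is not AWS WAF's engine. The host name example.invalid, the request dictionaries, and the MetricName are assumptions made for the example.

```python
# Added example (not code from the AWS article): the console rule
# "deny_User-Agent_with_POST" as the AWS WAFv2 rule structure that boto3's
# wafv2 client takes in create_web_acl(Rules=[...]), plus a small local
# simulation of the documented OrStatement/ByteMatchStatement semantics.
# The simulation is an illustration of how the rule is evaluated, not AWS WAF.
import base64
import json

RULE = {
    "Name": "deny_User-Agent_with_POST",
    "Priority": 0,
    "Statement": {"OrStatement": {"Statements": [  # block if at least one matches
        {"ByteMatchStatement": {  # statement1: User-Agent exactly matches curl/7.79.0
            "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
            "PositionalConstraint": "EXACTLY",
            "SearchString": b"curl/7.79.0",  # blob field: bytes for boto3
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
        {"ByteMatchStatement": {  # statement2: HTTP method exactly matches POST
            "FieldToMatch": {"Method": {}},
            "PositionalConstraint": "EXACTLY",
            "SearchString": b"POST",
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
    ]}},
    "Action": {"Block": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                         "MetricName": "deny_User-Agent_with_POST"},  # assumed metric name
}


def to_cli_json(rule: dict) -> str:
    """JSON for `aws wafv2 create-web-acl --rules file://rules.json`: the AWS CLI v2
    expects blob fields such as SearchString base64-encoded in JSON input by default."""
    return json.dumps([rule], indent=2,
                      default=lambda v: base64.b64encode(v).decode())


_CONSTRAINTS = {"EXACTLY": lambda v, n: v == n, "STARTS_WITH": str.startswith,
                "ENDS_WITH": str.endswith, "CONTAINS": lambda v, n: n in v}


def _field_value(field: dict, request: dict):
    """Inspected component; header names compare case-insensitively, as in AWS WAF."""
    if "Method" in field:
        return request["method"]
    if "SingleHeader" in field:
        wanted = field["SingleHeader"]["Name"].lower()
        return next((v for k, v in request["headers"].items() if k.lower() == wanted), None)
    raise NotImplementedError(f"field not simulated: {field}")


def _byte_match(stmt: dict, request: dict) -> bool:
    value = _field_value(stmt["FieldToMatch"], request)
    if value is None:
        return False  # an absent header never matches
    for t in sorted(stmt["TextTransformations"], key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        elif t["Type"] != "NONE":
            raise NotImplementedError(f"transformation not simulated: {t['Type']}")
    # Byte comparison is case-sensitive unless a LOWERCASE transformation ran.
    return _CONSTRAINTS[stmt["PositionalConstraint"]](value, stmt["SearchString"].decode())


def matches(statement: dict, request: dict) -> bool:
    """Recursive evaluation of the rule's logical statement tree."""
    if "OrStatement" in statement:
        return any(matches(s, request) for s in statement["OrStatement"]["Statements"])
    if "AndStatement" in statement:
        return all(matches(s, request) for s in statement["AndStatement"]["Statements"])
    if "NotStatement" in statement:
        return not matches(statement["NotStatement"]["Statement"], request)
    if "ByteMatchStatement" in statement:
        return _byte_match(statement["ByteMatchStatement"], request)
    raise NotImplementedError(f"statement not simulated: {list(statement)}")


def decide(rule: dict, request: dict, default_action: str = "ALLOW") -> str:
    """BLOCK when the rule matches, otherwise the web ACL's default action."""
    return next(iter(rule["Action"])).upper() if matches(rule["Statement"], request) else default_action


# Constructed requests mirroring the article's two curl tests, plus two the rule lets through.
SAMPLE_REQUESTS = {
    "get_curl_7.79.0": {"method": "GET", "headers": {"Host": "example.invalid", "User-Agent": "curl/7.79.0"}},
    "post_curl_7.79.1": {"method": "POST", "headers": {"Host": "example.invalid", "User-Agent": "curl/7.79.1",
                                                       "Authorization": "Basic dGVzdC11c2VyOnRlc3QtcGFzc3dvcmQ="}},
    "get_curl_7.79.1": {"method": "GET", "headers": {"Host": "example.invalid", "User-Agent": "curl/7.79.1"}},
    # Exact match is case-sensitive without a LOWERCASE text transformation.
    "get_Curl_7.79.0": {"method": "GET", "headers": {"Host": "example.invalid", "User-Agent": "Curl/7.79.0"}},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:18s} -> {decide(RULE, req)}")
    print(to_cli_json(RULE))
```

Running the block prints BLOCK for the GET with curl/7.79.0 and for the POST, and ALLOW for the other two, which is the behaviour the console rule produces. To deploy the rule instead of simulating it, pass RULE to boto3's wafv2 create_web_acl with Scope="REGIONAL" and the Region of the load balancer, then associate the web ACL with the load balancer's ARN (associate_web_acl, or aws wafv2 associate-web-acl on the CLI), which is step 4 of the console procedure.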

Test the results with user-agent header value

Access the application using the Global Accelerator's URL and user-agent header value curl/7.79.0, with the GET request method.

curl http://<your Global Accelerator URL> -v -H "User-Agent:curl/7.79.0"
> GET / HTTP/1.1
> Host: <your Global Accelerator DNS>
> User-Agent:curl/7.79.0

< HTTP/1.1 403 Forbidden  
< Server: awselb/2.0
<
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
</body>
</html>

Note: Replace <your Global Accelerator URL> and <your Global Accelerator DNS> with the DNS name of your accelerator.

Notice that AWS WAF blocked the request and the Application Load Balancer responded with a 403 Forbidden message.

Test the results with POST request

Access the application using the Global Accelerator's URL with the POST request method. This request carries curl's default user-agent value, curl/7.79.1, which the first statement doesn't match, so the block comes from the HTTP method statement alone.

curl -X POST http://<your Global Accelerator URL> --user "test-user:test-password" -v
> POST / HTTP/1.1
> Host: <your Global Accelerator DNS>
> Authorization: Basic dGVzdC11c2VyOnRlc3QtcGFzc3dvcmQ=
> User-Agent: curl/7.79.1
>
< HTTP/1.1 403 Forbidden
< Server: awselb/2.0
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
</body>
</html>

Note: Replace <your Global Accelerator URL> and <your Global Accelerator DNS> with the DNS name of your accelerator.

Notice that AWS WAF blocked the request and the Application Load Balancer responded with a 403 Forbidden message.

AWS OFFICIAL. Updated a year ago.