Using the AWS WAF-enabled Application Load Balancer with AWS Global Accelerator, I want to block requests to my application if the request method is POST or if the user-agent header value matches curl/7.79.
Short description
You can use AWS WAF with an Application Load Balancer behind Global Accelerator to block requests based on Layer 7 attributes such as the HTTP method and request headers. In this architecture, you associate an AWS WAF web access control list (web ACL) with the Application Load Balancer, and the load balancer is an endpoint of the Global Accelerator.
Note: AWS Global Accelerator itself doesn't support AWS WAF.
The web ACL associated with the load balancer evaluates each incoming request against its rules, and the load balancer forwards only the requests that the rules allow to its targets.
Resolution
Web ACL rules give you fine-grained control over the HTTP(S) requests that reach your protected resources. Use a rule to configure a string or regex match against one or more request attributes, such as the Uniform Resource Identifier (URI), query string, HTTP method, or a request header.
Prerequisites
Create a rule-based web ACL
Use the following 3-step process to create a rule-based web ACL. For more information, see Creating a web ACL.
Create a web ACL
- Open the AWS WAF console.
- Choose Create web ACL.
- Name the web ACL, and select the Region of the Application Load Balancer.
- Associate the Application Load Balancer with the web ACL.
- Choose Next.
Add a custom rule to the web ACL
Continue to configure as follows:
- Choose Add rules, then choose Add my own rules and rule groups from the dropdown.
- Under Rule builder, add a rule.
- Name the rule (for example, deny_User-Agent_with_POST).
- Under Type, select Regular rule.
Configure the match criteria for the rule
Complete the remaining steps:
- Select Matches at least one of the statements (OR).
- Under Statement 1, complete as follows:
  Inspect: Single header
  Header field name: User-Agent
  Match type: Exactly matches string
  String to match: curl/7.79.0
- Under Statement 2, complete as follows:
  Inspect: HTTP method
  Match type: Exactly matches string
  String to match: POST
- Under Action, choose Block.
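The console steps above produce a single rule with two byte-match statements joined by OR. As an added example (not code from the original page, and not AWS WAF itself), the following Python builds that rule in the AWS WAFv2 rule JSON shape, which is what the console's rule JSON editor accepts, and pairs it with a small local model of how the OR rule evaluates requests. The evaluator's semantics (exact, case-sensitive comparison with the NONE text transformation, case-insensitive header names, whitespace around the header value stripped) are an assumption made to mirror what the tests on this page show; the sample requests are constructed, not captured traffic.

```python
"""Added example: the two-statement OR rule from this page as AWS WAFv2 rule
JSON, plus a simplified local model of how it evaluates requests.

The evaluate() function is an assumed model of byte-match semantics written
for illustration only; it is not AWS WAF and does not call any AWS API."""

import json

BLOCKED_USER_AGENT = "curl/7.79.0"
BLOCKED_METHOD = "POST"


def rule_json(name: str = "deny_User-Agent_with_POST") -> dict:
    """Build the rule as a dict in AWS WAFv2 rule JSON shape (the shape the
    console's rule JSON editor takes). SearchString is plain text here; the
    wafv2 API itself takes it as bytes."""

    def byte_match(field: dict, search: str) -> dict:
        return {
            "ByteMatchStatement": {
                "FieldToMatch": field,
                "PositionalConstraint": "EXACTLY",
                "SearchString": search,
                # NONE: compare the raw bytes, so the match is case-sensitive.
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }
        }

    return {
        "Name": name,
        "Priority": 0,
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
        "Statement": {
            "OrStatement": {
                "Statements": [
                    # Statement 1: single header User-Agent exactly matches.
                    byte_match({"SingleHeader": {"Name": "user-agent"}}, BLOCKED_USER_AGENT),
                    # Statement 2: HTTP method exactly matches.
                    byte_match({"Method": {}}, BLOCKED_METHOD),
                ]
            }
        },
    }


def _header(headers: dict, name: str) -> str:
    # Assumption: header names compare case-insensitively, and whitespace
    # around the value is stripped, which is why the page's first test,
    # sent as "User-Agent:curl/7.79.0" with no space after the colon, matches.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def evaluate(method: str, headers: dict) -> str:
    """Local model of the OR rule: "BLOCK" if either statement matches."""
    ua_matches = _header(headers, "User-Agent") == BLOCKED_USER_AGENT
    method_matches = method == BLOCKED_METHOD
    return "BLOCK" if (ua_matches or method_matches) else "ALLOW"


# Constructed sample requests: the page's two tests plus two cases the page
# does not run, to show where the exact-match rule stops matching.
SAMPLE_REQUESTS = [
    ("GET", {"User-Agent": "curl/7.79.0"}),   # page test 1: statement 1 hits
    ("POST", {"User-Agent": "curl/7.79.1"}),  # page test 2: statement 2 hits
    ("GET", {"User-Agent": "curl/7.79.1"}),   # patch version bumped: nothing matches
    ("GET", {"user-agent": "Curl/7.79.0"}),   # value case changed: NONE is case-sensitive
]


def evaluate_all(requests=SAMPLE_REQUESTS) -> list:
    return [evaluate(method, headers) for method, headers in requests]


if __name__ == "__main__":
    print(json.dumps(rule_json(), indent=2))
    for (method, headers), verdict in zip(SAMPLE_REQUESTS, evaluate_all()):
        print(f"{verdict:5} {method:4} {headers}")
```

The third and fourth sample requests are the point: an exact match on a client-supplied header only catches the one string you wrote down, so a different patch version or a change of case sails through statement 1. Only the HTTP method statement holds regardless of what the client claims about itself.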
Test the results with user-agent header value
Send a GET request to the Global Accelerator URL with the User-Agent header set to curl/7.79.0. The GET method does not match statement 2, so any block here comes from the User-Agent statement alone.
curl http://<your Global Accelerator URL> -v -H "User-Agent:curl/7.79.0"
> GET / HTTP/1.1
> Host: <your Global Accelerator DNS>
> User-Agent:curl/7.79.0
< HTTP/1.1 403 Forbidden
< Server: awselb/2.0
<
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
</body>
</html>
Note: Replace <your Global Accelerator URL> with your Global Accelerator URL. Replace <your Global Accelerator DNS> with your DNS.
Notice that AWS WAF blocked the request on the User-Agent statement and the Application Load Balancer responded with a 403 Forbidden message.
Test the results with POST request
Send a POST request to the Global Accelerator URL. This run uses curl 7.79.1, whose default User-Agent header is curl/7.79.1 and therefore does not match statement 1, so any block here comes from the HTTP method statement alone. The --user option only makes the POST realistic; the rule does not inspect the Authorization header, and over a plain http:// listener those credentials travel in clear text.
curl -X POST http://<your Global Accelerator URL> --user "test-user:test-password" -v
> POST / HTTP/1.1
> Host: <your Global Accelerator DNS>
> Authorization: Basic dGVzdC11c2VyOnRlc3QtcGFzc3dvcmQ=
> User-Agent: curl/7.79.1
>
< HTTP/1.1 403 Forbidden
< Server: awselb/2.0
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
</body>
</html>
Notice that AWS WAF blocked the request on the HTTP method statement and the Application Load Balancer responded with a 403 Forbidden message. This second test also shows the limit of the header match: a client that sends any User-Agent value other than curl/7.79.0 passes statement 1, so treat the User-Agent match as a nuisance filter rather than an access control.