How do I configure a custom rule to allow a specific host name in AWS WAF?


I want to create a custom rule that allows only requests with a specific host name to reach the application that AWS WAF protects.

Resolution

To limit access to your application, create custom rules based on request headers, such as the Host header. The rule must either allow traffic for a specific host name, or block traffic that isn't for that host name.

Allow traffic for a specific host name

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose AWS WAF, and then choose Web ACLs.
  3. For Region, select the AWS Region where you created your web access control list (web ACL).
    Note: If your web ACL is set up for Amazon CloudFront, then select Global.
  4. Select your web ACL.
  5. Choose Rules, and then choose Add Rules.
  6. Choose Add my own rules and rule groups.
  7. Add the following values to set up your rule:
    For Rule type, choose Rule Builder.
    For Name, enter a name for the rule.
    For Type, choose Regular rule.
    For If a Request, choose Matches the statement.
    For Inspect, choose Single header.
    For Header field name, choose Host.
    For Match type, choose Exactly matches String.
    For String to match, enter the host name.
    (Optional) Choose a text transformation, or choose None.
    For Action, choose Allow.
  8. Choose Add Rule.
  9. For Set Rule Priority, select your rule and then update its priority. For more information, see Processing order of rules and rule groups in a web ACL.
  10. Choose Save.

Block traffic that isn't for a specific host name

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose AWS WAF, and then choose Web ACLs.
  3. For Region, select the Region where you created your web ACL.
    Note: If your web ACL is set up for CloudFront, then select Global.
  4. Select your web ACL.
  5. Choose Rules, then choose Add Rules.
  6. Choose Add my own rules and rule groups.
  7. Add the following values to set up your rule:
    For Rule type, choose Rule Builder.
    For Name, enter a name for the rule.
    For Type, choose Regular rule.
    For If a Request, choose Doesn't match the statement (NOT).
    For Inspect, choose Single header.
    For Header field name, choose Host.
    For Match type, choose Exactly matches String.
    For String to match, enter your host name. Combined with the NOT condition, the rule blocks every request except those for that host name.
    (Optional) Choose a text transformation, or choose None.
    For Action, choose Block.
  8. Choose Add Rule.
  9. For Set Rule Priority, select your rule and then update its priority. For more information, see Processing order of rules and rule groups in a web ACL.
  10. Choose Save.

It's a best practice to use logical rule statements to combine string match statements with other statement types, such as IP set match and geographic match.
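The following is an added example, not code from this article or from AWS. It builds the rule JSON that the two console procedures above produce (a ByteMatchStatement on the Host header with Exactly matches String, and the same statement wrapped in a NotStatement), plus an AndStatement that combines the host match with an IP set match as the previous paragraph recommends. A small local evaluator then runs sample requests through each web ACL so you can see the two designs agree, and where an exact host match is stricter than people expect: the value comparison is byte-for-byte (so a mixed-case Host header only matches after a LOWERCASE text transformation) and a Host header carrying a port suffix does not exactly match the bare host name. The evaluator is an approximation of AWS WAF semantics written for illustration, the IP set ARN is a placeholder, and the requests and IP ranges are constructed; IPSetReferenceStatement is modelled on the source IP only.

```python
"""Simplified local evaluator for a subset of AWS WAFv2 rule JSON (added example, not AWS code)."""
import ipaddress

# Constructed stand-in for an IP set: placeholder ARN -> CIDR list (not a real ARN).
IP_SETS = {"arn:aws:wafv2:PLACEHOLDER:ipset/office": ["203.0.113.0/24"]}


def byte_match_rule(name, host, action, transformation="NONE"):
    """Rule JSON for 'Inspect: Single header, Header: Host, Match type: Exactly matches String'."""
    return {
        "Name": name,
        "Statement": {
            "ByteMatchStatement": {
                "SearchString": host,
                "FieldToMatch": {"SingleHeader": {"Name": "host"}},
                "TextTransformations": [{"Priority": 0, "Type": transformation}],
                "PositionalConstraint": "EXACTLY",
            }
        },
        "Action": {action: {}},
    }


def negate(rule):
    """Wrap the rule's statement in a NotStatement ('Doesn't match the statement (NOT)')."""
    rule = dict(rule)
    rule["Statement"] = {"NotStatement": {"Statement": rule["Statement"]}}
    return rule


def combined_rule(name, host, ip_set_arn, action):
    """AndStatement: the host must match AND the source IP must be in the IP set."""
    return {
        "Name": name,
        "Statement": {"AndStatement": {"Statements": [
            byte_match_rule(name, host, action)["Statement"],
            {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        ]}},
        "Action": {action: {}},
    }


def _transform(value, transformations):
    """Apply text transformations in Priority order; only the types used here are modelled."""
    for t in sorted(transformations, key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        elif t["Type"] == "COMPRESS_WHITE_SPACE":
            value = " ".join(value.split())
        # NONE: value is compared as received
    return value


def matches(statement, request):
    """True if the request matches the statement (subset of WAFv2 statement types)."""
    if "ByteMatchStatement" in statement:
        s = statement["ByteMatchStatement"]
        # Header names are looked up case-insensitively; header values compare byte-for-byte.
        headers = {k.lower(): v for k, v in request["headers"].items()}
        value = headers.get(s["FieldToMatch"]["SingleHeader"]["Name"].lower())
        if value is None:
            return False
        value = _transform(value, s["TextTransformations"])
        if s["PositionalConstraint"] == "EXACTLY":
            return value == s["SearchString"]
        raise NotImplementedError(s["PositionalConstraint"])
    if "NotStatement" in statement:
        return not matches(statement["NotStatement"]["Statement"], request)
    if "AndStatement" in statement:
        return all(matches(s, request) for s in statement["AndStatement"]["Statements"])
    if "IPSetReferenceStatement" in statement:
        ip = ipaddress.ip_address(request["source_ip"])
        cidrs = IP_SETS[statement["IPSetReferenceStatement"]["ARN"]]
        return any(ip in ipaddress.ip_network(c) for c in cidrs)
    raise NotImplementedError(list(statement))


def evaluate(rules, default_action, request):
    """First matching rule in priority order decides; otherwise the web ACL default action."""
    for rule in rules:
        if matches(rule["Statement"], request):
            return next(iter(rule["Action"]))
    return default_action


def req(host, source_ip="198.51.100.7"):
    """Constructed sample request: only the Host header and source IP matter here."""
    return {"headers": {"Host": host}, "source_ip": source_ip}


# Procedure 1: Allow rule for the host name, web ACL default action Block.
allow_acl = ([byte_match_rule("AllowHost", "app.example.com", "Allow")], "Block")
# Procedure 2: Block rule wrapped in NOT, web ACL default action Allow.
block_acl = ([negate(byte_match_rule("BlockOtherHosts", "app.example.com", "Block"))], "Allow")
# Recommended combination: host match AND source IP in the IP set, default Block.
combined_acl = ([combined_rule("AllowHostFromOffice", "app.example.com",
                               "arn:aws:wafv2:PLACEHOLDER:ipset/office", "Allow")], "Block")

if __name__ == "__main__":
    for host in ("app.example.com", "evil.example.net", "App.Example.com", "app.example.com:8443"):
        print(f"{host:22} allow-design={evaluate(*allow_acl, req(host))} "
              f"not-block-design={evaluate(*block_acl, req(host))}")
```

Both designs reach the same decision for every sample host, which is the point of pairing an Allow rule with a Block default (or a NOT-Block rule with an Allow default). The mixed-case and port-suffix cases show why the optional text transformation step matters and why a stricter exact match is usually what you want for a host allow list: anything that is not the configured name falls through to Block.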

Related information

Logging AWS WAF web ACL traffic

How AWS WAF labeling works

AWS OFFICIAL
Updated a month ago