How do I configure a custom rule to allow a specific host name in AWS WAF?

3 minute read
0

I want to create a custom rule that allows only requests with a specific host name to access my AWS WAF application.

Resolution

To limit access to your application, create custom rules based on headers, such as host name. The rules must either allow traffic for a specific host name, or block traffic that isn't for a specific host name.

Allow traffic for a specific host name

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose AWS WAF, and then choose Web ACLs.
  3. For Region, select the AWS Region where you created your web access control list (web ACL).
    Note: If your web ACL is set up for Amazon CloudFront, then select Global.
  4. Select your web ACL.
  5. Choose Rules, and then choose Add Rules.
  6. Choose Add my own rules and rule groups.
  7. Add the following values to set up your rule:
    For Rule type , choose Rule Builder.
    For Name, enter a name for the rule.
    For Type, choose Regular rule.
    For If a Request, choose Matches the statement.
    For Inspect, choose Single header.
    For Header field name, choose Host.
    For Match type, choose Exactly matches String.
    For String to match, choose the host name.
    (Optional) Choose a text transformation, or choose None.
    For Action, choose Allow.
  8. Choose Add Rule.
  9. For Set Rule Priority, select your rule and then update its priority. For more information, see Processing order of rules and rule groups in a web ACL.
  10. Choose Save.

Block traffic that isn't for a specific host name

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose AWS WAF, and then choose Web ACLs.
  3. For Region, select the Region where you created your web ACL.
    Note: If your web ACL is set up for CloudFront, then select Global.
  4. Select your web ACL.
  5. Choose Rules, then choose Add Rules.
  6. Choose Add my own rules and rule groups.
  7. Add the following values to set up your rule:
    For Rule type, choose Rule Builder.
    For Name enter a name for the rule.
    For Type, choose Regular rule.
    For If a Request, choose Doesn't match the statement (NOT).
    For Inspect, choose Single header.
    For Header field name, choose Host.
    For Match type, choose Exactly matches String.
    For String to match, choose your host name to block everything except the host name.
    (Optional) Choose a text transformation, or choose None.
    For Action, chooses Block.
  8. Choose Add Rule.
  9. For Set Rule Priority, select your rule and then update its priority. For more information, see Processing order of rules and rule groups in a web ACL.
  10. Choose Save.

It's a best practice to use logical rule statements to combine string match statements with other statement types, such as IP set match and geographic match.

Related information

Logging AWS WAF web ACL traffic

How AWS WAF labeling works

AWS OFFICIAL
AWS OFFICIALUpdated 2 months ago