WAF rule to allow certain http headers

0

Hi,

We are using WAF Web ACL rules that are receiving all requests to our Load Balancer and filtering them (ALLOW or BLOCK). However there are some application requests which we are 100% sure that coming from safe source. We have filtered them out by uri headers. We would like to set a rule or configure current rules so that requests with such header will not go through WAF rules and directly reach our ALB. We have some questions regarding that:

  1. Can we do it per rule in Web ACLs?
  2. Or we have to create new rule for that? Our concern is that if we create new rule to wh*telist these requests, they will still go through other rules which we don't want.
  3. May this help to decrease WAF costs?

Thank you

Ali

UPDATE: Guys, thank you all for responses. After two calls with support, I can sum up with the following: As if you have WAF Web ACL, mostly it doesn't matter how many Web ACL rules you requests are passing. WAF charges us per Web ACL and per number of requests, adding one more rule to whitelist certain requests to bypass other rules will not decrease our costs. On the opposite, it will add 1$ more as custom rule costs 1% per rule.

3 Answers
1
Accepted Answer

No, you cannot choose which requests arriving at your ALB get sent to WAF for processing. Either all requests are evaluated by WAF or none of them are.

Which of the rules included in your web ACL's rule groups get processed for any individual request won't affect your costs one way or another, when you are using only the standard Allow/Block/Count actions for your rules. A "web ACL capacity unit", WCU for short, is calculated as a fixed value for your entire web ACL when you create or modify it. The WCU rating is based on the total complexity of all the rules/groups in the web ACL, and it is independent of the actual number of rules evaluated for an individual request.

In other words, even if you added an override rule at the top of your rule base and many requests hit it, avoiding the other rules from getting evaluated, your costs would still be based on the fixed WCU rating of your web ACL, representing the theoretical maximum amount of work that could have been done by WAF.

Only the extra features for the "Captcha" and "Challenge" actions have a cost dependent on the actual amount of work that WAF ends up doing. Those costs you can control by controlling the hits to rules with those actions. In your case, I assume you aren't using them, so your costs are fixed, regardless of how you order the rules internally within the web ACL.

What you can accomplish with the override rule is avoiding the request getting blocked or potentially slowed down by lower priority rules. You do this simply by ordering the rule groups in your web ACL such that the override rule group is evaluated before the other groups.

EXPERT
Leo K
answered 6 days ago
1

Hello,

please try this solution it will be helpful for you.

To allow certain HTTP headers to bypass AWS WAF rules and directly reach your Application Load Balancer (ALB), you can create a specific rule in your Web ACL. First, create a custom rule that allows requests with the trusted HTTP header (e.g., X-Trusted-Source with a value of true). In the AWS WAF console, define this rule with a string match condition on the desired header and set the action to ALLOW. Then, add this rule to your Web ACL and position it at the top of the rule list to ensure it is evaluated first. This setup allows trusted requests to bypass other WAF rules, reducing the overall processing load and potentially decreasing WAF costs.

please look at AWS Document you will get information.

https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-action.html

https://aws.amazon.com/blogs/security/customize-requests-and-responses-with-aws-waf

answered 6 days ago
1

Hi Ali_Valizada,

Please go through the below steps and documentation link i hope it will be helpful to resolve your issue.

Create a Rule to White-list Safe Requests:

  • In the AWS WAF console, go to your Web ACL.
  • Create a new rule that matches the specific header values identifying your safe requests.
  • Set the action to ALLOW for this rule.

Set Rule Priority:

  • In the Web ACL configuration, ensure the whitelist rule has the highest priority (lowest numerical value) so it is evaluated first.
  • This will ensure that if a request matches this rule, it is allowed, and no further rules are evaluated for that request.

Example Rule Configuration:

Condition: Check for the specific header and its value that identifies the safe source. Action: ALLOW.

{
  "Name": "WhitelistSafeSources",
  "Priority": 1,
  "Statement": {
    "ByteMatchStatement": {
      "SearchString": "safe-header-value",
      "FieldToMatch": {
        "SingleHeader": {
          "Name": "X-Safe-Header"
        }
      },
      "TextTransformations": [
        {
          "Priority": 0,
          "Type": "NONE"
        }
      ],
      "PositionalConstraint": "EXACTLY"
    }
  },
  "Action": {
    "Allow": {}
  }
}

Ensure No Other Rules Affect These Requests:

  • By placing the white-list rule at the highest priority, any matching requests will be allowed and will not proceed to other rules.
  • This effectively ensures the requests bypass all other WAF rules and go directly to your ALB.

Cost Considerations:

WAF Cost Optimization:

  • Allowing safe requests to bypass WAF rules can help reduce the number of WAF requests processed, potentially lowering your costs.
  • Since AWS WAF charges based on the number of web requests processed and the number of rules evaluated per request, having fewer requests evaluated by fewer rules can lead to cost savings.

https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-action.html

https://aws.amazon.com/blogs/security/customize-requests-and-responses-with-aws-waf/

answered 6 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions