
Configuring Web Application Firewall rules in Ambassador Edge Stack

When writing your own firewall rules, it's important to consider a few ways that Ambassador Edge Stack's WebApplicationFirewalls work.

  • Requests are either denied or allowed, and redirects and dropped requests aren't supported.
  • If a firewall rule is configured with the deny action but without a specified status, the response status code defaults to 403.
  • State isn't retained across the various phases of request processing. Therefore, we recommend using early blocking mode instead of anomaly scoring mode and avoiding firewall rules that depend on state or rely on information generated by rules in a different phase. For more information about WAF phases, see Execution flow in the OWASP Coraza documentation.

Ambassador Labs Firewall Ruleset

Ambassador Labs publishes and maintains a set of firewall rules that are ready to use. The latest version of the Ambassador Labs Web Application Firewall ruleset can be downloaded with these commands:

Each file must be imported into Ambassador Edge Stack's Web Application Firewall in the following order:

  1. aes-waf.conf
  2. crs-setup.conf
  3. waf-rules.conf

The Ambassador Labs ruleset focuses largely on incoming requests. By default it does not inspect response bodies from upstream services, which keeps request round-trip latency to a minimum.

If you want responses inspected, create your own custom ruleset or add further rules, loaded after the Ambassador Labs ruleset, that validate responses from upstream services.

If you are adding rules to process response bodies after the Ambassador Labs ruleset, then you will need to set SecResponseBodyAccess On in your rules to enable access to the response body.

If you'd like to customize the Ambassador Labs default ruleset, you can load your own files before or after waf-rules.conf. Keep in mind that the WebApplicationFirewall resource loads firewall configurations via a list of rules sources, and sources lower in the list can overwrite rules and settings from sources higher in the list. See files REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example for more information.
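As an added example (not part of the Ambassador Labs ruleset), the following custom rules file could be listed as a rules source after waf-rules.conf to turn on response-body inspection and deny upstream responses that leak a stack trace. The file name, the rule id 100001 and the pattern are constructed for illustration; pick an id that does not collide with the rules already loaded.

```apache
# custom-response-rules.conf (constructed example; load after waf-rules.conf)

# Response-body rules only fire when access is enabled; the Ambassador Labs
# ruleset leaves it off, so a file loaded later must switch it on explicitly.
SecResponseBodyAccess On

# Restrict buffering to the types worth inspecting and cap the size so a
# large download does not hold the whole body in memory. ProcessPartial
# inspects the first 512 KiB and lets the rest through instead of erroring.
SecResponseBodyMimeType text/plain text/html application/json
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Phase 4 runs on the response body. The rule is self-contained in that
# phase: it sets no transaction variables and reads none set by earlier
# phases, because state does not carry across phases in this WAF.
# "deny" with an explicit status overrides the default 403 so the client
# sees a server error rather than an access-denied page for a backend fault.
SecRule RESPONSE_BODY "@rx (?i)(java\.lang\.\w+Exception|Traceback \(most recent call last\))" \
    "id:100001,\
    phase:4,\
    deny,\
    status:500,\
    log,\
    msg:'Upstream response contained a stack trace and was blocked'"
```

Because sources lower in the list override earlier ones, placing this file after waf-rules.conf guarantees its SecResponseBodyAccess setting takes effect rather than being reset by the Ambassador Labs files.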

Web Application Firewall Rules Release Notes

Version v1-20230825

Initial version of Ambassador Edge Stack's Web Application Firewall rules.

Files: