I. Introduction
Shopping rebate www.cpa5.cnIn the previous article, we used Azure Front Door to provide traffic load balancing for back-end VM deployment. Because it is a demonstration example, there is no actual back-end example code, only a static page of "Index.html", so today we will directly place the log file in the root directory of our project, as shown in the following figure
And we can directly access the files in the root directory of the project through Azure Front Door frontend host
In this case, a lot of problems arise. For example, our project program does not handle the resources of the root directory, so it may cause anyone else to connect to the server through the Azure Front Door frontend host plus the name of the root directory resource file. Follow the files in the directory, this is very dangerous. At the same time, we must prevent such attacks in our actual project code, such as "SQL injection" and "cross-site scripting attacks". At this time, we need to learn to use Web Application Firewall to provide centralized protection from common attacks and vulnerabilities.
-------------------- I am the dividing line --------------------
1. Azure Front Door (1) provides traffic forwarding for Azure App Service developed based on .net core
2. Azure Front Door (two) load balance the back-end VM
3. Azure Front Door (3) Enable Web Application Firewall (WAF) to protect Web applications and reject malicious attacks
Second, the text
1. Create Azure Web Application Firewall (WAF)
Click "Create a resource" on Azure Portal, and enter "Web Application Firewall (WAF)" in the search box to search
Click "Create"
Add/select parameters
Policy For selection: "Global WAF (Front Door)"
Front door SKU : “Front Door”
Resource group:“Web_Test_FD_RG”
Policy name:“cnbateblogwebwaf”
Click "Next: Policy settings >" to configure policy settings
Mode (mode) selection: "Prevention (protection, prevention)"
After the verification is completed, click "Create" to create
2. Configure "Web Application Firewall" blocking rules
First, we need to add the associated Front host host, select "Setting = "Assocations", click "+ Add frontend host" to add the associated host
Select the Azure Front Door "cnbateblogweb" created in the previous article, select the host "cnbateblogweb-azurefd-net" of Azure Front Door, and click "Add" to add
Click "Save" to save
Next, we need to configure custom WAF rules, select "Settings = "Custom rules", click "+ Add custom rule"
Enter relevant parameters
Customer rule name:“ProtectTXTRule”
Priority: "100"
Priority: Assign a unique number to the rule to specify the order of processing rules relative to other custom rules. Rules with lower values are evaluated before rules with higher values. The best practice is to assign numbers in increments of 100.
Next, we configure the matching conditions of the custom rule. When the requested Azure Front Door URL ends with ".txt", redirect the traffic to "https://www.baidu.com" and click "Add"
After adding, click "Save" to save the current custom strategy
3. Test the blocking power of Web Application Firewall
Visit under normal circumstances
What if we add log files to the link requesting Azure Front Door Frontend Host? https://cnbateblogweb.azurefd.net/202103261640.txt
Ok, our goal has been achieved!
Three, the end
Ok, today’s sharing is mainly to demonstrate that Web Application Firewall (WAF) does not require us to modify any code, as of configuring protection operations such as redirecting traffic and denying traffic. In the next article, we will continue to explain Web Application Firewall (WAF) , Share those knowledge points in detail. The content shared in this article also has a lot of my own understanding, some of which are not in place, I also hope to forgive me and point out the shortcomings.
Reference materials: Azure Front Door, Azure Web Application Firewall
Author: Allen
Copyright: For reprinting, please indicate the author and source in an obvious place of the article. If errors are found, criticisms and corrections are welcome.