Why does a custom response via a rule action override on AWS WAF managed rules not work?
It is clearly documented here:
This does not work; I still see the default AWS WAF 403 response instead of my custom plain-text error:
```yaml
Resources:
  Waf:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {} # Allow for requests that don't match any rules
      CustomResponseBodies:
        SecurityViolationError:
          ContentType: TEXT_PLAIN
          Content: Request blocked due to security concerns as it was detected as malicious.
      Rules:
        - Priority: 0
          Name: BlockSqlInjection
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
              Version: Version_2.0
              RuleActionOverrides:
                - Name: SQLi_QUERYARGUMENTS
                  ActionToUse:
                    Block:
                      CustomResponse:
                        ResponseCode: 403
                        CustomResponseBodyKey: SecurityViolationError
                - Name: SQLi_BODY
                  ActionToUse:
                    Block:
                      CustomResponse:
                        ResponseCode: 403
                        CustomResponseBodyKey: SecurityViolationError
                - Name: SQLi_COOKIE
                  ActionToUse:
                    Block:
                      CustomResponse:
                        ResponseCode: 403
                        CustomResponseBodyKey: SecurityViolationError
                - Name: SQLiExtendedPatterns_QUERYARGUMENTS
                  ActionToUse:
                    Block:
                      CustomResponse:
                        ResponseCode: 403
                        CustomResponseBodyKey: SecurityViolationError
                - Name: SQLiExtendedPatterns_BODY
                  ActionToUse:
                    Block:
                      CustomResponse:
                        ResponseCode: 403
                        CustomResponseBodyKey: SecurityViolationError
```
I do know that custom responses for managed rules work when combined with label matching:
This works, and I can see my custom plain-text error:
```yaml
Resources:
  Waf:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {} # Allow for requests that don't match any rules
      CustomResponseBodies:
        SecurityViolationError:
          ContentType: TEXT_PLAIN
          Content: Request blocked due to security concerns as it was detected as malicious.
      Rules:
        - Priority: 0
          Name: LabelSqlInjection
          OverrideAction:
            Count: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
              Version: Version_2.0
        - Priority: 1
          Name: BlockSecurityViolationError
          Statement:
            LabelMatchStatement:
              Scope: NAMESPACE
              Key: "awswaf:managed:aws:sql-database:"
          Action:
            Block:
              CustomResponse:
                ResponseCode: 403
                CustomResponseBodyKey: SecurityViolationError
```
But this requires an additional rule, which introduces extra cost.
Am I missing something? Can a custom response be achieved through a managed rule group action override?
Is something missing from the AWS documentation?
You cannot change the custom response of a managed rule. All you can change is the action type. If you dig into the CloudFormation documentation for managed rules, you will find that `RuleActionOverrides` only lets you change `ActionToUse`. There is no `CustomResponse` field like the one in your template.
As you mentioned, the only way to achieve a custom response at present is to set up a custom rule on the labels.
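To catch both pitfalls from this thread before a deploy, here is an added example (not code from the question, the answer, or AWS) that audits a WebACL's `Properties` for three things: a `CustomResponseBodyKey` that references no declared body, a `CustomResponse` placed inside `RuleActionOverrides` (which, per the answer above, is not applied), and a managed rule group overridden to `Count` with no later `Block` rule acting on its labels, which silently leaves its detections unenforced. The two templates embedded below are constructed stand-ins mirroring the question's two definitions, expressed as Python dicts (the structure a YAML loader would produce) so the check runs offline without extra dependencies. The label-namespace check is a simplification: it only confirms that a later `Block` rule with a `LabelMatchStatement` exists, not that its key matches the group's namespace.

```python
"""Audit an AWS::WAFv2::WebACL Properties dict for custom-response pitfalls (added example)."""
from typing import Any, Dict, Iterator, List, Tuple


def _walk(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], Any]]:
    """Yield (path, value) for every node of a nested dict/list structure."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (str(index),))


def audit_web_acl(props: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one WebACL's Properties; empty list means clean."""
    findings: List[str] = []
    bodies = set(props.get("CustomResponseBodies", {}))
    rules = props.get("Rules", [])

    for path, node in _walk(rules):
        if not isinstance(node, dict):
            continue
        where = "/".join(path)
        # 1. Every CustomResponseBodyKey must point at a declared body.
        key = node.get("CustomResponseBodyKey")
        if key is not None and key not in bodies:
            findings.append(f"{where}: CustomResponseBodyKey {key!r} is not declared in CustomResponseBodies")
        # 2. A CustomResponse under RuleActionOverrides only looks like it works (see answer).
        if "RuleActionOverrides" in path and "CustomResponse" in node:
            findings.append(f"{where}: CustomResponse inside RuleActionOverrides is not applied; "
                            "block on the rule group's labels with a separate rule instead")

    # 3. A Count-overridden managed group needs a later Block rule on its labels,
    #    otherwise the group only observes and never stops anything.
    label_block_rules = [
        r for r in rules
        if "LabelMatchStatement" in r.get("Statement", {}) and "Block" in r.get("Action", {})
    ]
    for rule in rules:
        if "ManagedRuleGroupStatement" not in rule.get("Statement", {}):
            continue
        if "Count" not in rule.get("OverrideAction", {}):
            continue
        enforced = any(lr.get("Priority", 0) > rule.get("Priority", 0) for lr in label_block_rules)
        if not enforced:
            findings.append(f"{rule.get('Name')}: managed group overridden to Count but no later "
                            "Block rule matches its labels; its detections are never enforced")
    return findings


# ---- constructed sample templates (mirror the question's two definitions) ----
BODIES = {"SecurityViolationError": {
    "ContentType": "TEXT_PLAIN",
    "Content": "Request blocked due to security concerns as it was detected as malicious."}}
MANAGED_SQLI = {"VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet", "Version": "Version_2.0"}
BLOCK_WITH_BODY = {"Block": {"CustomResponse": {"ResponseCode": 403,
                                                "CustomResponseBodyKey": "SecurityViolationError"}}}


def _override(name: str) -> Dict[str, Any]:
    """One RuleActionOverrides entry carrying a CustomResponse, as in the first template."""
    return {"Name": name, "ActionToUse": BLOCK_WITH_BODY}


# First template: overrides that carry a CustomResponse (the part that does not work).
OVERRIDE_TEMPLATE: Dict[str, Any] = {
    "Scope": "CLOUDFRONT", "DefaultAction": {"Allow": {}}, "CustomResponseBodies": BODIES,
    "Rules": [{
        "Priority": 0, "Name": "BlockSqlInjection", "OverrideAction": {"None": {}},
        "Statement": {"ManagedRuleGroupStatement": {
            **MANAGED_SQLI,
            "RuleActionOverrides": [_override(n) for n in (
                "SQLi_QUERYARGUMENTS", "SQLi_BODY", "SQLi_COOKIE",
                "SQLiExtendedPatterns_QUERYARGUMENTS", "SQLiExtendedPatterns_BODY")]}}}]}

# Second template: Count the managed group, then Block on its labels (the part that works).
LABEL_TEMPLATE: Dict[str, Any] = {
    "Scope": "CLOUDFRONT", "DefaultAction": {"Allow": {}}, "CustomResponseBodies": BODIES,
    "Rules": [
        {"Priority": 0, "Name": "LabelSqlInjection", "OverrideAction": {"Count": {}},
         "Statement": {"ManagedRuleGroupStatement": dict(MANAGED_SQLI)}},
        {"Priority": 1, "Name": "BlockSecurityViolationError",
         "Statement": {"LabelMatchStatement": {"Scope": "NAMESPACE",
                                               "Key": "awswaf:managed:aws:sql-database:"}},
         "Action": BLOCK_WITH_BODY}]}


if __name__ == "__main__":
    for label, template in (("override template", OVERRIDE_TEMPLATE), ("label template", LABEL_TEMPLATE)):
        print(f"== {label} ==")
        for finding in audit_web_acl(template) or ["no findings"]:
            print(" -", finding)
```

Run against the first template it reports one finding per override entry; against the second it reports nothing. Dropping the label-match rule from the second template (a common slip when copying the `Count` override without its companion) produces the "never enforced" finding, which is the case worth a pre-deploy gate.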