Using rules within Yottaa’s Web Application Firewall you have the ability to secure your site by filtering out undesired traffic. There are 4 different kinds of rules. They are applied in the following order: Whitelist, Block, Throttle, & Redirect.
Example Scenario: A visitor matches both a whitelist and a block list rule then they will be permitted access to the site, however they will still be subject to any throttle or redirect rules.
Whitelist rules tell the firewall to explicitly let in specific types of traffic, such as users with certain cookies or from certain IP addresses.
Block rules will stop specified kinds of traffic from accessing your site. It will return HTTP 403 (Forbidden) to whatever request comes to your site. These requests will not make it to your origin server.
Throttle rules are utilized when you want to protect your site from excessive site requests. You can control the amount of requests by time interval for a number of conditions (URL, user agent, client IP, etc..). When a throttle limit has been met the user will receive HTTP 429 (Too Many Requests).
Redirect rules enable you to direct a desired user(s) to another location within your domain instead of the page they requested.
Across all rules you can set values by 5 different methods:
- HTTP request header
- Request URL
- Client User Agent
- Client IP
Note: One rule can use multiple methods.
HTTP Request header
This is what the HTTP Request header rule interface looks like:
As you can see, you select the header type for the incoming header. This could include a Cookie, or Accept-Language, or any sort of header. If you are using a Cookie, put "Cookie" in the top box and then the second box should have CookieName=CookieValue. You can use Equals, Contains, or Matches Regular Expression, or the counter to any of those three. Note that this only checks HTTP Request headers, not HTTP Response headers.
The request URL has a similar look to the HTTP Request header, with fewer boxes:
This is useful if a certain page on your site is being requested too often. It can also be used in concert with one of the other rules. If you don't want users from a certain country or countries to see certain pages on your site, you'd use this rule with the Country rule.
Client user agent
Here is the Client User Agent rule interface:
You can use this to throttle traffic from certain bots, assuming the bot uses the same user agent string each time. You could also use this to whitelist the site for iphone users, or block people using certain versions of Internet Explorer. There are tens of thousands of unique User Agent strings out there, so a "contains" or Regular Expressions rule is recommended instead of "equals".
The Client IP rule is a powerful tool that lets you direct traffic. You can either include or exclude the list of IPs:
Once you've selected "in" (apply to all IPs in the list) or "not in" (apply to all IPs not on the list), you can click the "Click to add/remove ips and cidrs." You will get this screen:
There are a few options on this tool that make it particularly robust. As you can see, you can use both individual IP addresses or CIDR blocks in the list.
What's a CIDR block?
CIDR is short for "Classless Inter-Domain Routing." It allows you to specify a range of IP addresses instead of individually listing them. In IPv4, they look like a normal IP address, with a slash added onto the end. The IP address is where the range starts, and the slash tells you how far the range goes. The higher the number after the slash, the smaller the range. For example, a.b.c.d/32 would just be the IP address a.b.c.d. Here are some examples of common CIDR block slash values:
- b.c.d/31: Covers the IP listed and the next one (e.g. 127.0.0.1 and 127.0.0.2)
- b.c.d/30: Covers the IP listed and the next 3 (e.g. 127.0.0.1 to 127.0.0.4)
- b.c.d/29: Covers the IP listed and the next 7 (e.g. 127.0.0.1 to 127.0.0.8)
- b.c.d/28-25 proceed in the same way, covering a range of 16, 32, 64, and 128 IP Addresses.
- b.c.0/24: Covers all IP Addresses that start a.b.c. (e.g. 127.0.0.0 to 127.0.0.255)
- b.0.0/16: Covers all IP addresses that start a.b. (It's unlikely that you'll need to use this)
- 0.0.0/8: Covers all IP addresses that start a. (It's very unlikely that you'll need to use this)
A CIDR block is a group of IP addresses. If there is a particular group of IP addresses that you would like to block, whitelist, or throttle, this is the way to do it.
You can import a comma-separated list of IP addresses and CIDRs, such as one you might export from your previous firewall. Importing a list overwrites the current listing, so if you have some in there already, either add it to the list you're about to import or create a new rule. You can also export the list you have created in Yottaa as a .csv file.
We recommend whitelisting the Yottaa IP addresses in whatever firewall you are using, as described in this FAQ: What IP Addresses is Yottaa using to gather content from my origin server?.
Creating a rule by country allows the same "in"/"not in" selection as the IP address rule:
Once you have selected whether to exclude or explicitly include the list of countries, you can click on the "Click to add/remove countries" to get this window:
To select countries, click on a country on the left and click the ">" arrow to move it over to the right. If you'd like to move the whole list, click the ">>" to add it to the selected countries list, or "<<" to clear the list.