Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reflect latest recommend CDN rules #465

Merged
merged 1 commit into from
Aug 14, 2024
Merged

Reflect latest recommend CDN rules #465

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
111 changes: 68 additions & 43 deletions config/cdn.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,49 +1,74 @@
kind: "CDN"
version: "1"
metadata:
envTypes: ["dev"]
envTypes: ["dev", "stage", "prod"]
data:
trafficFilters:
rules:
# Block access to a given path
# - name: block-path
# when:
# allOf:
# - reqProperty: tier
# matches: "author|publish"
# - reqProperty: path
# equals: '/block/me'
# action: block
# Block access to OFAC countries
- name: block-ofac-countries
when:
allOf:
- reqProperty: tier
matches: "author|publish"
- reqProperty: clientCountry
in:
- SY
- BY
- MM
- KP
- IQ
- CD
- SD
- IR
- LR
- ZW
- CU
- CI
action: block
# Block client for 5m when it exceeds 100 req/sec on a time window of 1sec
- name: limit-requests-per-client-ip
when:
reqProperty: tier
matches: "author|publish"
rateLimit:
limit: 100
window: 1
penalty: 300
groupBy:
- reqProperty: clientIp
action: block
# Block client for 5m when it exceeds an average of 100 req/sec to origin on a time window of 10sec
- name: limit-origin-requests-client-ip
when:
reqProperty: tier
equals: 'publish'
rateLimit:
limit: 100
window: 10
count: fetches
penalty: 300
groupBy:
- reqProperty: clientIp
action: log
# Block client for 5m when it exceeds an average of 500 req/sec on a time window of 10sec
- name: limit-requests-client-ip
when:
reqProperty: tier
equals: 'publish'
rateLimit:
limit: 500
window: 10
count: all
penalty: 300
groupBy:
- reqProperty: clientIp
action: log
# Block requests coming from OFAC countries
- name: block-ofac-countries
when:
allOf:
- { reqProperty: tier, in: ["author", "publish"] }
- reqProperty: clientCountry
in:
- SY
- BY
- MM
- KP
- IQ
- CD
- SD
- IR
- LR
- ZW
- CU
- CI
action: log
# Enable recommended WAF protections (only works if WAF is licensed enabled for your environment)
- name: block-waf-flags-globally
when:
reqProperty: tier
in: ["author", "publish"]
action:
type: log
wafFlags:
- TRAVERSAL
- CMDEXE-NO-BIN
- XSS
- LOG4J-JNDI
- BACKDOOR
- USERAGENT
- SQLI
- SANS
- TORNODE
- NOUA
- SCANNER
- PRIVATEFILE
- NULLBYTE
Loading