Configure Web Application Firewall v2 on Application Gateway with a custom rule using Azure PowerShell
Custom rules let you create your own rules, which are evaluated for each request that passes through Web Application Firewall (WAF) v2. These rules hold a higher priority than the rest of the rules in the managed rule sets. A custom rule has an action (Allow or Block), a match condition, and an operator, which together allow full customization.
This article creates an Application Gateway WAF v2 that uses custom rules. The custom rule blocks traffic if the request header contains the User-Agent evilbot.
To see more custom rule examples, see Create and use custom web application firewall rules.
If you want to run the Azure PowerShell in this article as one continuous script that you can copy, paste, and run, see Azure Application Gateway PowerShell samples.
Prerequisites
Azure PowerShell module
If you choose to install and use Azure PowerShell locally, this script requires the Azure PowerShell module version 2.1.0 or later.
- To find the version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install the Azure PowerShell module.
- To create a connection with Azure, run Connect-AzAccount.
If you don't have an Azure subscription, create an Azure free account before you begin.
Example script
Set up variables
$rgname = "CustomRulesTest"
$location = "East US"
$appgwName = "WAFCustomRules"
Create a resource group
$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location
Create a VNet
$sub1 = New-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -AddressPrefix "10.0.0.0/24"
$sub2 = New-AzVirtualNetworkSubnetConfig -Name "backendSubnet" -AddressPrefix "10.0.1.0/24"
$vnet = New-AzVirtualNetwork -Name "Vnet1" -ResourceGroupName $rgname -Location $location `
-AddressPrefix "10.0.0.0/16" -Subnet @($sub1, $sub2)
Create a static public VIP
$publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name "AppGwIP" `
-location $location -AllocationMethod Static -Sku Standard
Create a backend pool and a frontend port
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -VirtualNetwork $vnet
$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "AppGwIpConfig" -Subnet $gwSubnet
$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "fipconfig" -PublicIPAddress $publicip
$pool = New-AzApplicationGatewayBackendAddressPool -Name "pool1" `
-BackendIPAddresses testbackend1.westus.cloudapp.azure.com, testbackend2.westus.cloudapp.azure.com
$fp01 = New-AzApplicationGatewayFrontendPort -Name "port1" -Port 80
Create a listener, HTTP settings, a routing rule, and autoscale configuration
$listener01 = New-AzApplicationGatewayHttpListener -Name "listener1" -Protocol Http `
-FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01
$poolSetting01 = New-AzApplicationGatewayBackendHttpSettings -Name "setting1" -Port 80 `
-Protocol Http -CookieBasedAffinity Disabled
$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType basic `
-BackendHttpSettings $poolSetting01 -HttpListener $listener01 -BackendAddressPool $pool -Priority 1000
$autoscaleConfig = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 3
$sku = New-AzApplicationGatewaySku -Name WAF_v2 -Tier WAF_v2
Create two custom rules and apply them to a WAF policy
# Create a User-Agent header custom rule
$variable = New-AzApplicationGatewayFirewallMatchVariable -VariableName RequestHeaders -Selector User-Agent
$condition = New-AzApplicationGatewayFirewallCondition -MatchVariable $variable -Operator Contains -MatchValue "evilbot" -Transform Lowercase -NegationCondition $False
$rule = New-AzApplicationGatewayFirewallCustomRule -Name blockEvilBot -Priority 2 -RuleType MatchRule -MatchCondition $condition -Action Block -State Enabled
# Create a geo-match custom rule
$var2 = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr
$condition2 = New-AzApplicationGatewayFirewallCondition -MatchVariable $var2 -Operator GeoMatch -MatchValue "US" -NegationCondition $False
$rule2 = New-AzApplicationGatewayFirewallCustomRule -Name allowUS -Priority 14 -RuleType MatchRule -MatchCondition $condition2 -Action Allow -State Enabled
# Create a firewall policy
$policySetting = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled
$wafPolicy = New-AzApplicationGatewayFirewallPolicy -Name wafpolicyNew -ResourceGroupName $rgname -Location $location -PolicySetting $policySetting -CustomRule $rule,$rule2
Create the application gateway
$appgw = New-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgname `
-Location $location -BackendAddressPools $pool `
-BackendHttpSettingsCollection $poolSetting01 `
-GatewayIpConfigurations $gipconfig -FrontendIpConfigurations $fipconfig01 `
-FrontendPorts $fp01 -HttpListeners $listener01 `
-RequestRoutingRules $rule01 -Sku $sku -AutoscaleConfiguration $autoscaleConfig `
-FirewallPolicy $wafPolicy
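The following verification is an added example and is not part of the original article. It reads the policy back to show the custom rules in evaluation order (blockEvilBot at priority 2 is evaluated before allowUS at priority 14), then sends one benign request and one with the blocked User-Agent to the gateway's public IP; it assumes the resources created above exist and that $rgname is still set.

```powershell
# Added example (not from the original article). Assumes the Az module is
# loaded and the resource group, policy and gateway above were created.

# 1. Read the policy back and list its custom rules in evaluation order.
$policy = Get-AzApplicationGatewayFirewallPolicy -Name "wafpolicyNew" -ResourceGroupName $rgname
$policy.CustomRules |
    Sort-Object Priority |
    Select-Object Name, Priority, Action, State,
        @{ n = 'Match'; e = { ($_.MatchConditions | ForEach-Object {
            "$($_.MatchVariables.VariableName)/$($_.MatchVariables.Selector) $($_.Operator) $($_.MatchValues -join ',')"
        }) -join '; ' } } |
    Format-Table -AutoSize

# 2. Send a request with a given User-Agent and report the HTTP status it receives.
#    A WAF in Prevention mode answers a blocked request with 403; a request that is
#    not blocked returns whatever the backend returns (for example 502 if the
#    sample backend hosts used above do not exist).
function Test-WafBlock {
    param([string]$Uri, [string]$UserAgent)
    try {
        $r = Invoke-WebRequest -Uri $Uri -UserAgent $UserAgent -UseBasicParsing -TimeoutSec 30
        $status = [int]$r.StatusCode
    } catch {
        # Windows PowerShell throws on 4xx/5xx; read the code from the response.
        $status = [int]$_.Exception.Response.StatusCode
    }
    [pscustomobject]@{ UserAgent = $UserAgent; Status = $status; Blocked = ($status -eq 403) }
}

$ip  = (Get-AzPublicIpAddress -Name "AppGwIP" -ResourceGroupName $rgname).IpAddress
$uri = "http://$ip/"

# Benign client: should not be blocked by the custom rules.
Test-WafBlock -Uri $uri -UserAgent "Mozilla/5.0 (compatible; health-check)"
# Mixed-case variant: the Lowercase transform still matches "evilbot", so Blocked = True.
Test-WafBlock -Uri $uri -UserAgent "EvilBot/1.0"
```

Because the block rule has the lower priority number, the evilbot request is blocked even for clients that the allowUS rule would otherwise allow.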
Update your WAF
After you create your WAF, you can update it using a procedure similar to the following code:
# Get the existing policy ($policyName is the policy's name, for example wafpolicyNew)
$policy = Get-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $rgname
# Add a custom rule object ($rule) created with New-AzApplicationGatewayFirewallCustomRule;
# its priority must not collide with a rule already in the policy
$policy.CustomRules.Add($rule)
# Write the modified policy back to Azure
Set-AzApplicationGatewayFirewallPolicy -InputObject $policy