Git Interface

QuantWAF

Learn how to use the QuantCDN WAF module.

Deploy

Submit a support request by clicking the Support link in the left sidebar to have the Quant WAF module deployed.

Manage

WAF configuration

The WAF is managed via the config.json file found within the provided quantwaf directory of your CloudFlow project codebase.

A sample unconfigured config.json file:

config.json
{
    "notify_slack": "",
    "allow_ip": [],
    "block_ip": [],
    "block_ua": [],
    "block_referer": [],
    "allow_rules": [],
    "block_country": [],
    "paranoia_level": 1,
    "mode": "report",
    "log_level": "standard",
    "httpbl": {
        "httpbl_enabled": false,
        "httpbl_key": "",
        "block_suspicious": false,
        "block_harvester": true,
        "block_spam": true,
        "block_search_engine": false
    }
}

notify_slack may optionally be provided if you wish to be alerted when WAF blocks are triggered. This should be in the format: https://hooks.slack.com/services/X/Y/Z. Only one alert is sent per URL per 60 seconds.
allow_ip and block_ip should optionally be provided to always block or allow certain IP addresses or ranges. These support both IPv4 and IPv6 CIDR notation. These should be strings (e.g wrap in double quotes)
block_ua may be used to block user agents. These are case insensitive and support the wildcard (*) character.
block_referer may be used to block specific bad referers
allow_rules may be used to bypass certain WAF rules. The rule ID is displayed in both the Dashboard WAF logs as well as in Slack notifications. Note: These need to be strings not integers (e.g wrap in double quotes).
block_country is an array of ISO 3166 2 character country codes.
paranoia_level should be an integer between 1 and 4 (recommend 1).
mode should be either "disabled", "report", or "block". Report mode will still capture WAF hits in the WAF logs, slack, and return in the response headers. Disabled will not route requests through the WAF.
log_level should either be "standard", "verbose" or "none". Recommend "standard" (provided log shipping is enabled).

httpbl (Project Honeypot) configuration

httpbl_enabled should be set to true to activate
httpbl_key should be an access key provided from the httpbl access screen
block_* should be set to either a boolean value or "report"

Blocklists

You may define user-agents, IPs or referers to block in bulk.

These can be provided in the quantwaf/blocklists/user-agent.list, quantwaf/blocklists/ip.list and quantwaf/blocklists/referer.list files. Managed dictionaries of common bad bots, user-agents and referers are available, contact support if you require assistance.

To enable these blocklists ensure the following is present in your configuration:

  ...
  "block_lists": {
    "user_agent": true,
    "referer": true,
    "ip": true
  }

Custom rules

Additional ModSecurity compatible rules can be added to the quantwaf/custom-rules folder. All .conf files will be included.

Custom rules should use ids between 1-99999, however the 10000-11000 range is reserved.

It is recommended that custom rules are tested in a non-production environment as invalid rules can cause the WAF to fail.

Rate limiting

You may control access via rate limiting. This can be applied to either IP addresses or on incoming request headers.

Rate limiting allows you to specify how many requests a second a particular user (or group of users) can perform before being blocked and put in a cooldown period.

You may set the rate limit control to either report or block mode adding "mode": "report" or "mode": "block" accordingly.

Optionally provide a Slack webhook to receive notifications when thresholds are exceeded. Only one notification is sent per 60 second period to prevent a notification flood.

You may customize the error page displayed when rate limits are exceeded, see the "Custom 429 block pages" section for further detail.

Example configuration:

  "thresholds": [
    {
      "type": "ip",
      "rps": "5",
      "cooldown": "30",
      "notify_slack": ""
    },
    {
      "type": "header",
      "value": "Quant-Customer",
      "rps": "1",
      "cooldown": "5",
      "notify_slack": ""
    }
  ]

WAF Rule overrides

WAF rules may be overridden based on domain and/or URL matches. This allows for flexible configuration to alter the WAF configuration depending on the incoming domain/URL.

Add a rules block to the config.json file as per the example below:

config.json
  ...
  "rules": [
    {
      "domain": "*",
      "routes": [
        "/example",
        "/api*"
      ],
      "cookies": [
        {"name": "cookie", "value": "*"},
        {"name": "cookie2", "value": "*"},
        {"name": "*", "value": "strict"},
        {"name": "part*", "value": "strict"},
        {"name": "part2*", "value": "part*"}
      ],
      "block_ip": [],
      "allow_rules": [
        "900123"
      ],
      "block_country": [
        "RU",
        "NZ"
      ],
      "paranoia_level": 4,
      "mode": "report"
    }
  ]

Both domain and routes must be provided, even if the match is for all (e.g *).
Optionally provide cookies to allow cookies to filter the match
Cookies must be a list matching {"name": "name_value", "value": "value_value"}
Cookies may use * as a wildcard match when being evaluated
Values not provided (e.g allow_ip in the example above) will inherit the global configuration.
Empty values (e.g block_ip) will reset the global configuration.
Provided values (e.g allow_rules) will override the global configuration.
Domain may either be * for any host, or a specific individual domain.
Routes may be an array of URLs, all should start with a /. The wildcard character (*) is supported.
Routes should be url decoded if containing special characters (e.g spaces)
Many rules may be provided, only the first match will fire. Ensure rules are provided in priority order.
Mode may be disabled, report, or block.

Custom 403 block pages

The WAF block page can be customized in the quantwaf/403.html file.

You may optionally include tokens for presentation as per the example 403.html file provided:

{{ waf_rule_id }}: The WAF rule ID triggered.
{{ timestamp }}: The timestamp of the WAF rule that was triggered.

Custom 429 block pages

The rate limit block page can be customized in the quantwaf/429.html file.

You may optionally include tokens for presentation as per the example 403.html file provided:

{{ waf_rule_id }}: The WAF rule ID triggered.
{{ timestamp }}: The timestamp of the WAF rule that was triggered.

View WAF logs

Provided a QuantCDN integration has been configured you can view WAF logs directly via the QuantCDN Dashboard.

If no QuantCDN integration is configured you may use the CloudFlow log forwarding service to export logs to a platform of your choice.

Deploy​

Manage​

WAF configuration​

httpbl (Project Honeypot) configuration​

Blocklists​

Custom rules​

Rate limiting​

WAF Rule overrides​

Custom 403 block pages​

Custom 429 block pages​

View WAF logs​