Configuration


Last updated 1 year ago


This advanced WAF implementation protects your websites more effectively.

To activate the WAF, you just need to set our TCDN-WAF-Enabled header to "true" in your VCL configuration.

For example, if you wanted to activate the WAF on your domain mi-dominio.es, you would simply deploy a VCL configuration similar to the following from the dashboard:

# Advanced WAF
sub vcl_recv {
    if (req.http.host == "www.mi-dominio.es") {
        set req.http.TCDN-WAF-Enabled = "true";
    }
}

Conditional deactivation

If you want to deactivate the WAF under certain conditions, you can simply unset the previously assigned header.

For example, if you want to activate the WAF for your domain mi-dominio.es but exclude URLs that start with /path/sin/waf/, you can deploy a VCL configuration similar to the following from the control dashboard:

# Advanced WAF
sub vcl_recv {
    if (req.http.host == "www.mi-dominio.es") {
        set req.http.TCDN-WAF-Enabled = "true";
        if (req.url ~ "^/path/sin/waf/") {
            unset req.http.TCDN-WAF-Enabled;
        }
    }
}

However, unsetting the header is far from the best option.

Instead, the WAF provides the header TCDN-WAF-Set-SecRuleEngine, which allows us to adjust the behavior of the rule engine. This header accepts three values:

  • #On: This is the default behavior where the WAF takes necessary actions to block requests considered dangerous.

  • #Off: Temporarily deactivates the WAF.

  • #DetectionOnly: In this case, the WAF identifies requests it considers dangerous but still lets them pass through. This mode is useful for preliminary testing to detect potential false positives, so that any necessary exceptions can be added afterwards.

Applied to the previous example, the engine is switched off only for the excluded path:

# Advanced WAF
sub vcl_recv {
    if (req.http.host == "www.mi-dominio.es") {
        set req.http.TCDN-WAF-Enabled = "true";
        if (req.url ~ "^/path/sin/waf/") {
            set req.http.TCDN-WAF-Set-SecRuleEngine = "#Off";
        }
    }
}

Including exceptions

If you notice that the WAF is treating certain requests as dangerous even though they are perfectly valid (false positives), you can include exceptions for such cases using the TCDN-WAF-Allow-Rule-Exceptions header.

Continuing with the previous example, if you observe that requests to URLs under /path/completamente/seguro/ are being blocked by the WAF because they match the rules ruleID_1, ruleID_2, ruleID_3, ..., ruleID_n, you can specify that those matches should be treated as exceptions. To do so, deploy a VCL configuration similar to the following from the dashboard:

# Advanced WAF
sub vcl_recv {
    if (req.http.host == "www.mi-dominio.es") {
        set req.http.TCDN-WAF-Enabled = "true";
        if (req.url ~ "^/path/sin/waf/") {
            set req.http.TCDN-WAF-Set-SecRuleEngine = "#Off";
        }
        if (req.url ~ "^/path/completamente/seguro/") {
            set req.http.TCDN-WAF-Allow-Rule-Exceptions = "ruleID_1 ruleID_2 ruleID_3 ... ruleID_n";
        }
    }
}
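As an added example (not from the Transparent Edge documentation), the following VCL combines the three headers described on this page into a staged rollout: the whole site runs in #DetectionOnly while rules are still being tuned, two paths whose traffic has already been reviewed enforce blocking with #On, and a single known false positive is handled with a narrowly scoped TCDN-WAF-Allow-Rule-Exceptions entry. The host, the paths and the rule IDs are placeholders chosen for illustration.

```vcl
# Added example, not from the Transparent Edge docs: a staged WAF rollout.
# The host, paths and rule IDs below are placeholders for illustration.
sub vcl_recv {
    if (req.http.host == "www.mi-dominio.es") {
        # Start from a known state so the WAF controls below depend only on this VCL.
        unset req.http.TCDN-WAF-Set-SecRuleEngine;
        unset req.http.TCDN-WAF-Allow-Rule-Exceptions;

        # Step 1: the WAF is enabled for the whole site ...
        set req.http.TCDN-WAF-Enabled = "true";
        # ... but runs in DetectionOnly while rules are being tuned: matches are
        # recorded, requests still reach the origin, and no visitor is blocked.
        set req.http.TCDN-WAF-Set-SecRuleEngine = "#DetectionOnly";

        # Step 2: paths whose traffic has already been reviewed enforce blocking.
        if (req.url ~ "^/(login|checkout)/") {
            set req.http.TCDN-WAF-Set-SecRuleEngine = "#On";
        }

        # Step 3: a known false positive. The CMS editor under /admin/editor/
        # legitimately submits rich HTML that matches two rules (placeholder IDs).
        # Exempt only those rules, only on that path; everything else still blocks.
        if (req.url ~ "^/admin/editor/") {
            set req.http.TCDN-WAF-Set-SecRuleEngine = "#On";
            set req.http.TCDN-WAF-Allow-Rule-Exceptions = "ruleID_1 ruleID_2";
        }

        # Deliberately no "#Off" branch: switching the engine off disables all
        # inspection for that path, whereas an exception ignores only the listed rules.
    }
}
```

The design choice worth copying is the scoping: an exception is tied to one path and to the specific rule IDs that were observed in DetectionOnly, so the rest of the rule set keeps protecting that path, and the blanket "#Off" from the earlier example is never needed.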

These are just small examples of very specific use cases. If you have any questions regarding how to integrate this functionality into your own domain, please don't hesitate to contact us at help+cdn@transparentedge.eu.