
FUM-3033 remove hostname whitelisting
DCamma committed Feb 22, 2024
1 parent 1a4eb6d commit 3c18239
Showing 5 changed files with 10 additions and 81 deletions.
7 changes: 3 additions & 4 deletions README.md
@@ -12,10 +12,9 @@ It's designed to propose the following rules:
|----------|----------|------|
|0 | whitelisted_ips_v4| Automatically donwload and whitelist bots IPV4s (see variables) and whitelist any list of IPV4 ranges|
|1 | whitelisted_ips_v6| Automatically donwload and whitelist bots IPV6s (see variables) and whitelist any list of IPV6 ranges|
|2 | whitelisted_hostnames| Whitelisted host headers. Example: ['partner-xxxxx.yyyyy.domain.ch']|
|3 | rate_limit_everything_apart_from_CH| This rule is meant to be a failsafe switch in case of attack. Change "count" to "block" in the console if you are under attack and want to rate limit to a low number of requests every country except Switzerland |
|4 | count_requests_from_ch| |
|5-9 | | Free priority range for additional rules |
|2 | rate_limit_everything_apart_from_CH| This rule is meant to be a failsafe switch in case of attack. Change "count" to "block" in the console if you are under attack and want to rate limit to a low number of requests every country except Switzerland |
|3 | count_requests_from_ch| |
|4-9 | | Free priority range for additional rules |
|10-19 | AWS Managed rule groups | Each group could containt multiple labels, please refer to the [doc](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html)|
|20-29 | AWS managed rule labels| For a list of labels is possibile to define an action: block, captcha or challenge. In all cases is possible to define a rate limit or directly apply the action |
|30-49 | country_rates| Geografical rules|
1 change: 0 additions & 1 deletion examples/complete/main.tf
@@ -34,7 +34,6 @@ module "waf" {
k6_ip_ranges_url = "https://ip-ranges.amazonaws.com/ip-ranges.json"
whitelisted_ips_v4 = ["1.1.1.1/16", "255.255.255.255/32"]
whitelisted_ips_v6 = []
whitelisted_hostnames = ["partner-xxxxx.yyyyy.domain.ch"]
aws_managed_rule_groups = [
{
name = "AWSManagedRulesAnonymousIpList" # Full list of labels from this group: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html
5 changes: 2 additions & 3 deletions terraform-docs.md
@@ -66,17 +66,16 @@ No modules.
| enable\_logging | Enable waf logs. | `bool` | `false` | no |
| enable\_oracle\_crawler\_whitelist | Whitelist the Oracle Data Cloud Crawler IPs. (https://www.oracle.com/corporate/acquisitions/grapeshot/crawler.html) | `bool` | `true` | no |
| enable\_parsely\_crawlers\_whitelist | Whitelist the Parse.ly crawler IPs. (https://www.parse.ly/help/integration/crawler) | `bool` | `false` | no |
| everybody\_else\_limit | The blocking limit for all country\_codes which are not covered by country\_rates - not applied if it set to 0 | `number` | `0` | no |
| everybody\_else\_limit | The limit for all country\_codes which are not covered by country\_rates - not applied if it set to 0 | `number` | `0` | no |
| google\_bots\_url | The url where to get the Google bots IPs list. In case of problems the default url can be overridden. | `string` | `"https://developers.google.com/search/apis/ipranges/googlebot.json"` | no |
| k6\_ip\_ranges\_url | The url where to get the K6 load generators IPs list. In case of problems the default url can be overridden. | `string` | `"https://ip-ranges.amazonaws.com/ip-ranges.json"` | no |
| limit\_search\_requests\_by\_countries | Limit requests on the path /search that comes from the specified list of country\_codes. Rule not deployed if list of countries is empty. | ```object({ limit = optional(number, 100) country_codes = set(string) })``` | ```{ "country_codes": [], "limit": 100 }``` | no |
| logs\_bucket\_name | Override the default bucket name for waf logs. Default name: `aws-waf-logs-<lower(var.waf_scope)>-<data.aws_caller_identity.current.account_id>` | `string` | `null` | no |
| logs\_bucket\_name\_override | Override the default bucket name for waf logs. Default name: `aws-waf-logs-<lower(var.waf_scope)>-<data.aws_caller_identity.current.account_id>` | `string` | `null` | no |
| oracle\_data\_cloud\_crawlers\_url | The url whre to get the Oracle Data Cloud Crawler IPs list. In case of problems the default url can be overridden. | `string` | `"https://www.oracle.com/corporate/acquisitions/grapeshot/crawler.html"` | no |
| parsely\_crawlers\_url | The url where to get the Parse.ly crawler IPs list. In case of problems the default url can be overridden. | `string` | `"https://www.parse.ly/static/data/crawler-ips.json"` | no |
| waf\_logs\_retention | Retention time (in days) of waf logs | `number` | `7` | no |
| waf\_name | The name for WAF | `string` | `"cloudfront-waf"` | no |
| waf\_scope | The scope of the deployed waf. Available options [CLOUDFRONT,REGIONAL] | `string` | `"CLOUDFRONT"` | no |
| whitelisted\_hostnames | Whitelisted host headers. Example: ['partner-xxxxx.yyyyy.domain.ch'] | `list(string)` | `[]` | no |
| whitelisted\_ips\_v4 | List of enterprise IP ranges to be whitelisted. Set to empty list to disable the whitelisting | `list(string)` | `[]` | no |
| whitelisted\_ips\_v6 | The IPv6 to allow | `list(string)` | `[]` | no |

6 changes: 0 additions & 6 deletions variables.tf
@@ -97,12 +97,6 @@ variable "whitelisted_ips_v6" {
}
}

variable "whitelisted_hostnames" {
default = []
description = "Whitelisted host headers. Example: ['partner-xxxxx.yyyyy.domain.ch']"
type = list(string)
}

variable "aws_managed_rule_groups" {
description = "AWS Managed Rule Groups counting and labeling requests. The labels applied by these groups can be specified in aws_managed_rule_lables to rate limit requests. Available groups are described here https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html. Not applicable for var.waf_scope = REGIONAL"
type = list(object({
72 changes: 5 additions & 67 deletions waf.tf
@@ -1,10 +1,9 @@
## Priorities:
# 0: whitelisted_ips_v4
# 1: whitelisted_ips_v6
# 2: whitelisted_hostnames
# 3: Rate_limit_everything_apart_from_CH
# 4: count_requests_from_ch
# 5-9: free
# 2: Rate_limit_everything_apart_from_CH
# 3: count_requests_from_ch
# 4-9: free
# 10-19: AWS Managed rule groups (these are the one that only counts and labels requests
# 20-29: AWS managed rule labels rate limit
# 30-49: country_rates
@@ -143,73 +142,12 @@ resource "aws_wafv2_web_acl" "waf" {
}
}

dynamic "rule" {
for_each = length(var.whitelisted_hostnames) > 0 ? [1] : []
content {
name = "whitelisted_hostnames"
priority = 2
action {
allow {}
}
dynamic "statement" {
# or_statement needs 2 arguments so handle the case when only one article is in the rule
for_each = length(var.whitelisted_hostnames) > 1 ? [1] : [] # if more than one element use or_statement
content {
or_statement {
dynamic "statement" {
for_each = var.whitelisted_hostnames
content {
byte_match_statement {
positional_constraint = "EXACTLY"
search_string = statement.value
field_to_match {
single_header {
name = "host"
}
}
text_transformation {
priority = 0
type = "NONE"
}
}
}
}
}
}
}
dynamic "statement" {
# or_statement needs 2 arguments so handle the case when only one article is in the rule
for_each = length(var.whitelisted_hostnames) == 1 ? var.whitelisted_hostnames : [] # if just one element skip or_statement
content {
byte_match_statement {
positional_constraint = "EXACTLY"
search_string = statement.value
field_to_match {
single_header {
name = "host"
}
}
text_transformation {
priority = 0
type = "NONE"
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "whitelisted_hostnames"
sampled_requests_enabled = true
}
}
}

# This rule is meant to be a failsafe switch in case of attack
# Change "count" to "block" in the console if you are under attack and want to
# rate limit to a low number of requests every country except Switzerland
rule {
name = "rate_limit_everything_apart_from_CH"
priority = 3
priority = 2
action {
count {}
}
@@ -246,7 +184,7 @@ resource "aws_wafv2_web_acl" "waf" {
for_each = var.count_requests_from_ch ? [1] : []
content {
name = "Switzerland"
priority = 4
priority = 3
action {
count {}
}
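Review bot: Deleting the `allow {}` rule that matched the Host header changes the effective policy for traffic that previously matched `var.whitelisted_hostnames` — those requests now fall through to `rate_limit_everything_apart_from_CH` (now `priority = 2`) and the managed rule groups — and dropping the input variable is a breaking interface change for callers that still pass `whitelisted_hostnames`, as `examples/complete/main.tf` did before this commit. Neither the README nor a changelog records the migration; a short README line such as `Breaking: whitelisted_hostnames was removed; Host-header allow-listing is no longer supported` would save users an "unsupported argument" error on upgrade, and the module version should be bumped accordingly. The renumbered priorities here (`priority = 2`, `priority = 3`) are consistent with the header comment in the first hunk. The enclosing `resource "aws_wafv2_web_acl" "waf"` block starts and ends outside the hunks.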
