Waf is the gateway's core implementation of the firewall function for network traffic.
Please refer to the deployment document and choose a way to start shenyu-admin. For example, start the Apache ShenYu management system through Local Deployment.
In shenyu-admin, go to BasicConfig --> plugin --> waf and set it to enable. If you don't want to use this function, please disable this plugin in shenyu-admin.
Add the configuration mode in plugin editing.

    {"model":"black"}

model can be 'black' or 'mixed'. The default mode is blacklist mode; if it is set to mixed, the plugin runs in mixed mode. Both modes are explained below.
Add the waf dependency in the pom.xml of the gateway.

    <!-- apache shenyu waf plugin start-->
    <dependency>
        <groupId>org.apache.shenyu</groupId>
        <artifactId>shenyu-spring-boot-starter-plugin-waf</artifactId>
        <version>${project.version}</version>
    </dependency>
    <!-- apache shenyu waf plugin end-->

For more instructions on selector and rule configuration, please refer to: Selector And Rule Config, here only some fields are introduced.
Waf plugin rule configuration page:
For requests that are denied access by Waf, the response header status code is: 403.
When model is set to black mode, only the matched traffic will execute the rejection policy, and the unmatched traffic will be skipped directly. The Handler field in the rule configuration is invalid and can be configured to be empty.
When model is set to mixed mode, all traffic will pass through the waf plugin. For different matching traffic, users can set whether to reject or pass.
The Handler field in the rule configuration must be configured:
permission: The handling logic for traffic that matches the rule. reject: deny access, allow: allow access.
statusCode: When access is denied, the value of the code field in the response body. It does not modify the status code of the response header.
e.g. with statusCode=10001, the rejected response body is:

    {"code":10001,"message":"You are forbidden to visit"}

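The following is an added example, not code from the ShenYu project: a small pre-deployment lint for a rule's Handler under each model, plus a check that a response is a Waf denial (header status 403, body code equal to the configured statusCode). The function names, the dict form of the Handler, and the requirement that a reject rule carries a numeric statusCode are assumptions made for illustration.

```python
import json

MODELS = {"black", "mixed"}
PERMISSIONS = {"reject", "allow"}


def lint_rule(plugin_config, handler):
    """Return a list of problems for one rule's Handler under the plugin config JSON."""
    model = json.loads(plugin_config).get("model", "black")  # blacklist is the default
    if model not in MODELS:
        return ["model must be 'black' or 'mixed', got %r" % (model,)]
    if model == "black":
        # Handler is invalid (unused) in black mode and may be left empty.
        return ["Handler has no effect in black mode"] if handler else []
    if not handler:
        return ["mixed mode: Handler must be configured"]
    problems = []
    permission = handler.get("permission")
    if permission not in PERMISSIONS:
        problems.append("permission must be 'reject' or 'allow', got %r" % (permission,))
    # Assumption: a reject rule should carry a numeric statusCode for the body.
    if permission == "reject" and not str(handler.get("statusCode", "")).isdigit():
        problems.append("reject rule needs a numeric statusCode for the body 'code' field")
    return problems


def is_waf_rejection(http_status, body_text, status_code):
    """True if a response matches a mixed-mode reject rule with this statusCode."""
    if http_status != 403:  # the header status is 403; statusCode never replaces it
        return False
    try:
        body = json.loads(body_text)
    except ValueError:
        return False
    return isinstance(body, dict) and body.get("code") == int(status_code)


if __name__ == "__main__":
    # Constructed sample values, following the page's statusCode=10001 case.
    sample_body = '{"code":10001,"message":"You are forbidden to visit"}'
    print(lint_rule('{"model":"mixed"}', {"permission": "reject", "statusCode": "10001"}))
    print(lint_rule('{"model":"mixed"}', {"permission": "deny"}))
    print(is_waf_rejection(403, sample_body, 10001))
    print(is_waf_rejection(10001, sample_body, 10001))
```

A monitoring or test client that expects the HTTP status to equal statusCode will miss every denial, which is the case the last call shows.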
Waf is also the pre-plugin of ShenYu, which is mainly used to intercept illegal requests or exception requests and give relevant rejection policies.
ip and host, and set reject strategy according to matched ip or host.
ip and host, please refer to: parsing-ip-and-host