![](/img/trans.png)
[英]How to extract region information from aws s3 virtual path uri using regex using java?
[英]When using Terraform with AWS, how can I set a rate limit on a specific URI path (or regex of a URI path) on an ALB
我正在尝试使用附加到 Cloudfront 上的 ALB 的 WAFv2 规则对忘记密码更改 URL 的限制请求进行评级。
我认为我需要做的是..
创建两个资源 aws_wafv2_web_acl.afv2_rate_limit 和另一个名为 aws_wafv2_regex_pattern_set.wafv2_password_url
费率示例: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl
正则表达式示例: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_regex_pattern_set
将这些组合成一个规则组,称之为 aws_wafv2_rule_group.wafv2_rule_group_pw_rate_group
组示例: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_rule
我已经创建了速率限制和正则表达式,但我无法创建规则组。 我把这个规则放在参考速率限制
rule {
name = "rate_limit"
priority = 1
action {
block {}
}
statement {
and_statement {
statement {
rule_group_reference_statement { # !!FIXME!! doesn't work
arn = aws_wafv2_web_acl.wafv2_rate_limit.arn
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "password_url"
sampled_requests_enabled = false
}
}
我在 rule_group_reference_statement 行收到错误:
Blocks of type "rule_group_reference_statement" are not expected here.
我可以将规则组附加到 ALB。
当然,第一个问题是这是否是go的正确方式呢?!
感谢您的任何想法。
不能嵌套 rule_group_reference_statement,例如在 and_statement、not_statement 或 or_statement 中使用。 它只能作为规则中的顶级语句引用。
在职的!
resource "aws_wafv2_web_acl" "wafv2_alb_pw5pm_acl" {
name = "wafv2_alb_pw5pm-acl"
description = "prevent brute forcing password setting or changing"
scope = "REGIONAL" # if using this, no need to set provider
default_action {
allow {} # pass traffic until the rules trigger a block
}
rule {
name = "rate_limit_pw5pm"
priority = 1
action {
block {}
}
statement {
rate_based_statement {
#limit = 300 # 5 per sec = 300 per min
limit = 100 # smallest value for testing
aggregate_key_type = "IP"
scope_down_statement {
regex_pattern_set_reference_statement {
arn = aws_wafv2_regex_pattern_set.wafv2_password_uri.arn
text_transformation {
priority = 1
type = "NONE"
}
field_to_match {
uri_path {}
}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "wafv2_alb_pw5pm_acl_rule_vis"
sampled_requests_enabled = false
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "wafv2_alb_pw5pm_acl_vis"
sampled_requests_enabled = false
}
tags = {
managedby = "terraform"
}
}
resource "aws_wafv2_web_acl_association" "web_acl_association_my_lb" {
resource_arn = aws_lb.xxxxxx.arn
web_acl_arn = aws_wafv2_web_acl.wafv2_alb_pw5pm_acl.arn
}
是的你可以。 基本上你需要声明一个aws_wafv2_regex_pattern_set
,在这个例子中我使用 URI "/api/*" 但它也可以是一个固定的。
resource "aws_wafv2_regex_pattern_set" "regex_pattern_api" {
name = "regex-path-api"
scope = "REGIONAL"
regular_expression {
regex_string = "/api/.+"
}
}
这是一个关于如何在 waf 声明中使用它的示例:
resource "aws_wafv2_web_acl" "waf" {
name = "waf"
scope = "REGIONAL"
default_action {
allow {}
}
rule {
name = "RateLimit"
priority = 1
action {
block {}
}
statement {
rate_based_statement {
aggregate_key_type = "IP"
limit = 100
scope_down_statement {
regex_pattern_set_reference_statement {
arn = aws_wafv2_regex_pattern_set.regex_pattern_api.arn
field_to_match {
uri_path {}
}
text_transformation {
priority = 1
type = "NONE"
}
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "RateLimit"
sampled_requests_enabled = true
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "waf"
sampled_requests_enabled = false
}
}
这个很酷的部分是它是一个速率限制,使用scope_down_statement
缩小基于客户端 IP 的过滤器
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.