...
添加 AWSManagedRulesBotControlRuleSet 托管规则到 ACL 中,并把 Rule 级别设置为 Target,可以实现客户端请求的 token 验证。如果请求中不包含 token 或者 token 无效,这条托管规则会触发 Captcha rule action,从而触发 Client SDK 在后台静默完成 Captcha 计算任务得到 token。
选择 Bot Control inspection level 为 Targeted
Rule action 选择 Challenge
Targeted
Bot Control Rules 选择 CAPTCHA
添加:Token Domain List
webacl-alb-api-001默认规则:AWS-AWSManagedRulesBotControlRuleSet规则如下
| Code Block | ||
|---|---|---|
| ||
{
"Name": "AWS-AWSManagedRulesBotControlRuleSet",
"Priority": 0,
"Statement": {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesBotControlRuleSet",
"ScopeDownStatement": {
"AndStatement": {
"Statements": [
{
"ByteMatchStatement": {
"SearchString": "/waf/query",
"FieldToMatch": {
"UriPath": {}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "LOWERCASE"
}
],
"PositionalConstraint": "EXACTLY"
}
},
{
"NotStatement": {
"Statement": {
"ByteMatchStatement": {
"SearchString": "POST",
"FieldToMatch": {
"Method": {}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
],
"PositionalConstraint": "EXACTLY"
}
}
}
}
]
}
},
"ManagedRuleGroupConfigs": [
{
"AWSManagedRulesBotControlRuleSet": {
"InspectionLevel": "TARGETED",
"EnableMachineLearning": true
}
}
],
"RuleActionOverrides": [
{
"Name": "SignalNonBrowserUserAgent",
"ActionToUse": {
"Captcha": {}
}
},
{
"Name": "TGT_VolumetricIpTokenAbsent",
"ActionToUse": {
"Captcha": {}
}
}
]
}
},
"OverrideAction": {
"None": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AWS-AWSManagedRulesBotControlRuleSet"
}
} |
Webacl-alb-api-001自定义规则:
| Code Block | ||
|---|---|---|
| ||
{
"Name": "Block-Requests-With-Missing-Or-Rejected-Token-Label",
"Priority": 1,
"Statement": {
"AndStatement": {
"Statements": [
{
"OrStatement": {
"Statements": [
{
"LabelMatchStatement": {
"Scope": "LABEL",
"Key": "awswaf:managed:token:absent"
}
},
{
"LabelMatchStatement": {
"Scope": "LABEL",
"Key": "awswaf:managed:token:rejected"
}
}
]
}
},
{
"NotStatement": {
"Statement": {
"ByteMatchStatement": {
"SearchString": "POST",
"FieldToMatch": {
"Method": {}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
],
"PositionalConstraint": "EXACTLY"
}
}
}
}
]
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "Block-Requests-With-Missing-Or-Rejected-Token-Label"
}
} |
4.2、步骤二:下载WAF CLIENT SDK
从 WAF 的控制台中进入Application integration,选择Captcha integration 选项,这里会显示已经开启 AWSManagedRulesBotControlRuleSet 规则的 ACL。
需要把 ACL 所对应的 JavaScript Integration URL 复制到 Web 应用的前端代码的<head></head>之间。
...