Versions Compared

Old Version 5

changes.mady.by.user 于海宝

Saved on

compared with

New Version 6

changes.mady.by.user 于海宝

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

3、WEB集成-Captcha Integration

...

第1步:创建WebACL和添加BotControl托管规则

如果请求中不包含 token 或者 token 无效,这条托管规则会触发 Captcha rule action,从而触发 Client SDK 在后台静默完成 Captcha 计算任务得到 token。

...

Code Block
themeRDark
{
  "Name": "Block-Requests-With-Missing-Or-Rejected-Token-Label",
  "Priority": 1,
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "OrStatement": {
            "Statements": [
              {
                "LabelMatchStatement": {
                  "Scope": "LABEL",
                  "Key": "awswaf:managed:token:absent"
                }
              },
              {
                "LabelMatchStatement": {
                  "Scope": "LABEL",
                  "Key": "awswaf:managed:token:rejected"
                }
              }
            ]
          }
        },
        {
          "NotStatement": {
            "Statement": {
              "ByteMatchStatement": {
                "SearchString": "POST",
                "FieldToMatch": {
                  "Method": {}
                },
                "TextTransformations": [
                  {
                    "Priority": 0,
                    "Type": "NONE"
                  }
                ],
                "PositionalConstraint": "EXACTLY"
              }
            }
          }
        }
      ]
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "Block-Requests-With-Missing-Or-Rejected-Token-Label"
  }
}

...



第2步:查看和复制JavaScript Integration URL地址

从 WAF 的控制台中进入Application integration,选择Captcha integration 选项,这里会显示已经开启 AWSManagedRulesBotControlRuleSet 规则的 ACL。

把ACL所对应的JavaScript Integration URL添加到前端代码的<head></head>之间。

...



第3步,集成和部署前端代码

WAF client API 向后端发起了Post的waf/query请求,后端使用 AWS EC2做为测试服务器部署了waf/query服务,实现返回http response,并通过 ALB 提供对外访问,ALB 被刚才配置的 WEB ACL 所保护。

...

Code Block
themeRDark
    server {
        listen       80;
        #listen       [::]:80;
        #server_name  _;
        root         /usr/share/nginx/html;
        index index.html index.htm

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }


效果如下:

...


第4步:配置AWF、ALB和TokenDomain

1、在WAF ACL关联ALB


2、配置Token Domain列表

...

WAF 后台的 Bot control Rule 进行 token 校验成功后,流量被发送到 ALB。

Echo-Server 会把发送的请求原样返回,可以看到请求中包含了 EC2后台服务器,会把发送的请求原样返回,可以看到请求中包含了 token 信息。


效果如下:


请求头和报文

Code Block
themeRDark
POST
	http://api001.bosicloud.one/waf/query
状态
200
版本HTTP/1.1
传输485 字节(大小 98 字节)
Referrer 策略strict-origin-when-cross-origin
DNS 解析系统


POST /waf/query HTTP/1.1
Host: api001.bosicloud.one
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://web001.bosicloud.one/
Origin: http://web001.bosicloud.one
Connection: keep-alive
Priority: u=4
Content-Length: 0

...

通过 Chrome 浏览器开发者模式可以看到,由于请求不带 token,请求被 WAF 所拒绝。

效果如下: