...
访问 Web 前端,打开浏览器开发者模式。可以看到,页面在初始化后自动与 WAF 后台进行交互,获取了jsapi.js 并进行静默计算得到 token。在发起 query 请求后,会自动在 cookie header 中带上 aws-waf-token。WAF 后台的 Bot control Rule 进行 token 校验成功后,流量被发送到 ALB。Echo-Server 会把发送的请求原样返回,可以看到请求中包含了 token 信息。
请求头和报文
| Code Block | ||
|---|---|---|
| ||
POST
http://api001.bosicloud.one/waf/query
状态
200
版本HTTP/1.1
传输485 字节(大小 98 字节)
Referrer 策略strict-origin-when-cross-origin
DNS 解析系统
POST /waf/query HTTP/1.1
Host: api001.bosicloud.one
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://web001.bosicloud.one/
Origin: http://web001.bosicloud.one
Connection: keep-alive
Priority: u=4
Content-Length: 0 |
响应头和报文
| Code Block |
|---|
HTTP/1.1 200
Date: Thu, 13 Jun 2024 04:38:54 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://web001.bosicloud.one
Access-Control-Expose-Headers: X-Sms-Portal-Identity-Token
Access-Control-Allow-Credentials: true
{"msg":"success","code":0,"data":{"waf-query":"ok.","database":"ok.","redis":"ok.","status":"ok"}} |
2、增加根据 Token 判断阻断的 WAF Rule
...