VergeCloud Firewall Settings
The VergeCloud Firewall allows you to control HTTP requests to your website or application, providing flexible configuration options to secure your online resources.
Introduction
The VergeCloud Firewall helps users define custom rules to monitor and control incoming and outgoing HTTP requests, ensuring website and application security. These settings allow granular control of traffic based on parameters like IP address, country, HTTP method, and more.
Glossary
- IP Address: A unique identifier assigned to each device connected to the internet.
- HTTP Method: The request method that indicates the desired action to be performed on a resource, such as GET or POST.
- Referer Header: An HTTP request header that indicates the address of the previous web page that linked to the current request.
- User Agent: A string that identifies the operating system and browser of the requester.
- JA3 Fingerprint: An SSL/TLS client fingerprint used to identify tools or bots based on handshake patterns.
- AS Number (ASN): An identifier for the ISP or network from which the request originates.
Field/Option Descriptions
The following are configurable fields in the VergeCloud Firewall:
- Source IP Address: Specifies the IP address or range of the requester.
- Country: Identifies the country of origin of the request.
- URI Path: The requested URI path.
- Hostname: The requested Hostname (domain or subdomain) in the request header.
- HTTP Version: Filters requests based on the HTTP protocol version used (e.g., HTTP/1.1, HTTP/2).
- URI Query String: Matches requests containing specific query parameters or keywords in the query string.
- Request Method: The HTTP method used for the request (GET, POST, PUT, DELETE, etc.).
- Referer: The HTTP referer header in the request.
- User Agent: The client’s browser or application identifier.
- Cookie: Validates the presence or value of specific cookies.
- AS Number (ASN): Filters based on Autonomous System Numbers.
- JA3 Fingerprint: Identifies SSL/TLS client fingerprints to detect bots or tools.
- Request Headers (Raw): Matches requests based on custom or raw HTTP headers for advanced filtering.
Firewall Behavior Options
VergeCloud offers several response actions based on defined conditions:
- Allow: Permits requests matching conditions.
- Deny: Blocks matched requests and responds with a 403 error.
- Cookie Challenge: Requires the client to validate cookies.
- JS Challenge: Uses JavaScript validation to block bots.
- CAPTCHA Challenge: Requires users to pass a CAPTCHA test.
- Bypass Security Modules: Ignores selected security modules under specific conditions.
To configure the firewall, follow these steps in the VergeCloud Dashboard:
- Navigate to Firewall Settings: Go to the CDN section and access Firewall Settings.
- Set Default Rule: Choose whether the action for unmatched requests is Allow or Deny.
- Create New Rule: Click New Rule and define conditions and actions.
- Define Parameters and Actions: Select fields, operators, values, and actions like Allow, Block, or Challenge.
Testing and Validation
To test and validate firewall rules, you can use the following methods:
- curl Testing: Use curl to send crafted requests matching firewall rules and check responses.
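- Ping and Traceroute: Use ping or traceroute to test IP blocking rules. These tools do not send HTTP requests, so also confirm the rule with an HTTP request from the blocked address.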
- Browser Dev Tools: Check cookie or header-based rules using developer tools.
Common Usage
Common use cases of VergeCloud Firewall include:
- IP Blocking: Restrict access from specific IPs or ranges.
Fields: Source IP Address
Operator: Equals or In Range
Sample Value: 203.0.113.0/24
Action: Block
- Geo-Blocking: Block access from high-risk regions.
Fields: Country
Operator: Equals
Sample Value: RU, CN
Action: CAPTCHA Challenge or Block
- Login Path Protection: Secure admin areas using JS or CAPTCHA challenges.
Fields: URI Path, Request Method
Operator: Equals
Sample Value: /admin, /login
Action: JS Challenge or CAPTCHA Challenge
- Anti-Scraping: Block bots using JA3 fingerprint and User-Agent checks.
Fields: User-Agent, JA3 Fingerprint
Operator: Contains, Equals
Sample Value: curl, Python, suspicious JA3 hashes
Action: JS Challenge or Block
- API Abuse Prevention: Require valid cookies and referers for API access.
Fields: URI Path, Cookie, Referer
Operator: Equals, Contains
Sample Value: /api/v1/orders, SessionID=12345, referer must be your domain
Action: Block if cookie or referer invalid
- Form Submission Protection: Enforce POST method and referer checks for forms.
Fields: URI Path, Request Method, Referer
Operator: Equals
Sample Value: /form/submit, Method must be POST, referer must be your domain
Action: Block if not POST or referer is invalid
- AS Number Blocking: Block requests from known data center ASNs, ensuring only home ISP ranges access your services.
Fields: AS Number
Operator: Equals
Sample Value: AS12345, AS67890
Action: Block or CAPTCHA Challenge
- Cookie-Based API Protection: For APIs like /api/v1/orders, block requests missing valid session cookies or having an invalid User-Agent.
Fields: URI Path, Cookie, User-Agent
Operator: Equals, Contains
Sample Value: /api/v1/orders, SessionID=abc123, Known browser User-Agent
Action: Block if session cookie or User-Agent does not match expected values
- Hostname Filtering for Multi-Domain Setup: Apply specific rules only for certain hostnames in a multi-domain environment.
Fields: Hostname
Operator: Equals
Sample Value: shop.example.com
Action: JS Challenge or Block
- HTTP Version Enforcement: Block outdated HTTP versions to enforce best practices and security.
Fields: HTTP Version
Operator: Equals
Sample Value: HTTP/1.0
Action: Block
- Query String Filtering for Sensitive Parameters: Block requests with suspicious or dangerous query strings.
Fields: URI Query String
Operator: Contains
Sample Value: ?debug=true, ?admin=1
Action: Block
- Hotlink Protection Using Referer Header: Prevent content hotlinking by validating the referer header.
Fields: Referer
Operator: Does Not Contain
Sample Value: example.com
Action: Block
- Advanced Bot Blocking Using Raw Headers: Identify and block suspicious bots or scrapers by matching abnormal raw headers (e.g., missing User-Agent or unusual Accept headers).
Fields: Request Headers (Raw)
Operator: Does Not Contain or Contains
Sample Value: User-Agent header missing, Accept: */* only
Action: Block or JS Challenge
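An added example (not VergeCloud code) that models three of the use cases above locally, so a rule set can be dry-run against constructed requests before it is saved in the dashboard. The operator semantics, the first-match evaluation order and the default action of Allow are assumptions of this model, not documented VergeCloud behaviour.

```python
import ipaddress

def in_range(actual, want):
    try:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(want)
    except ValueError:
        return False  # unparsable input (e.g. a missing address) never matches

# Operator names come from the page; the semantics are this model's assumptions.
OPERATORS = {
    "Equals": lambda actual, want: actual == want,
    "Contains": lambda actual, want: want in actual,
    "Does Not Contain": lambda actual, want: want not in actual,
    "In Range": in_range,
}

# Three of the page's use cases as (name, action, [(field, operator, value)]).
RULES = [
    ("ip-block", "Block", [("Source IP Address", "In Range", "203.0.113.0/24")]),
    ("query-filter", "Block", [("URI Query String", "Contains", "?debug=true")]),
    ("hotlink", "Block", [("Referer", "Does Not Contain", "example.com")]),
]

def evaluate(rules, request, default="Allow"):
    """Return (action, rule name) of the first fully matching rule, else the default."""
    for name, action, conditions in rules:
        if all(OPERATORS[op](request.get(field, ""), want)
               for field, op, want in conditions):
            return action, name
    return default, "default"

def req(ip, referer="", query=""):
    return {"Source IP Address": ip, "Referer": referer, "URI Query String": query}

# Constructed sample requests (documentation addresses and reserved hostnames only).
SAMPLES = {
    "blocked range": req("203.0.113.7", "https://example.com/"),
    "own page": req("198.51.100.10", "https://example.com/gallery"),
    "no referer": req("198.51.100.10"),
    "lookalike host": req("198.51.100.10", "https://example.com.cdn.test/"),
    "debug flag": req("198.51.100.10", "https://example.com/", "?debug=true"),
}

def dry_run(rules=RULES, samples=SAMPLES):
    return {label: evaluate(rules, r) for label, r in samples.items()}

if __name__ == "__main__":
    for label, result in dry_run().items():
        print(f"{label:15} -> {result}")
```

In the output, the "no referer" row shows that Does Not Contain also blocks requests that carry no Referer at all, and the "lookalike host" row shows that a substring value accepts any Referer that merely contains example.com.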