How to Configure WAF on VergeCloud for Enhanced Website Security

Setting Up WAF on VergeCloud: Secure Your Website from Malicious Traffic

Introduction

VergeCloud’s Web Application Firewall (WAF) uses Regex rules and the Anomaly Scoring method to block malicious requests. To recognize threats, this method assigns a value to every rule and calculates a total score for each request. If this score meets or exceeds the defined WAF threshold, the request is blocked. This document outlines the settings and configuration of VergeCloud's WAF.

Firewalls, particularly Web Application Firewalls, are essential for protecting web applications from a variety of cyber threats. They act as a shield between web applications and potential attackers by monitoring, filtering, and blocking harmful traffic. Key applications of firewalls include:

  • Threat Detection and Prevention: WAFs can detect and prevent threats such as Cross-Site Scripting (XSS) and SQL Injection, which exploit vulnerabilities in web applications. By analyzing incoming requests and applying specific rules, WAFs block malicious attempts while allowing legitimate traffic to pass.
  • Traffic Monitoring: Firewalls continuously monitor traffic patterns and behaviors, helping identify unusual activities that may indicate an attack. This capability allows organizations to respond quickly to emerging threats.
  • Compliance Requirements: Many industries are subject to regulations that require strong security measures. A WAF helps organizations comply with standards such as PCI DSS by safeguarding sensitive data during online transactions.
  • Application Layer Security: WAFs focus on the application layer, where most web attacks occur, providing a specialized defense that traditional firewalls may not address effectively.

In addition to XSS attacks, WAFs safeguard against other vulnerabilities, such as SQL Injection, which targets the database layer of web applications. By filtering requests and blocking those that exhibit harmful characteristics, VergeCloud's WAF helps maintain the integrity and security of web applications, ensuring that legitimate users can interact safely while preventing unauthorized access or data breaches.

Real Usage Scenarios

Consider a scenario where an e-commerce website is experiencing a surge in malicious traffic targeting its payment page. By configuring VergeCloud's WAF, the website can automatically block these harmful requests while allowing legitimate users to complete their purchases seamlessly.

Glossary

  • WAF: Web Application Firewall, a security tool that monitors and filters incoming traffic to protect web applications from attacks.
  • Regex: A sequence of characters that forms a search pattern, used for string matching within texts.
  • Anomaly Scoring: A method for identifying threats based on the assessment of incoming requests against established thresholds.
  • False Positive: A non-malicious request that is incorrectly identified as a threat by the WAF.

Settings and Configuration of VergeCloud’s WAF

To change WAF settings, navigate to your VergeCloud user panel in the CDN section and click on WAF.

General Settings

In the WAF general settings, you can set the WAF to one of the modes offered in the Web Application Firewall section:

Turning WAF Off

To disable the WAF on your website:

curl --location --request PATCH 'https://napi.vergecloud.ir/cdn/4.0/domains/example.com/waf' \
--header 'authority: napi.vergecloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: API KEY 1 2 3 4' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
--data-raw '{"mode":"off"}'

Detection Mode

When set to Detection mode, the WAF logs requests but does not block any:

curl --location --request PATCH 'https://napi.vergecloud.ir/cdn/4.0/domains/example.com/waf' \
--header 'authority: napi.vergecloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: API KEY 1 2 3 4' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
--data-raw '{"mode":"detect"}'

Activating WAF

To protect your website against suspicious requests:

curl --location --request PATCH 'https://napi.vergecloud.ir/cdn/4.0/domains/example.com/waf' \
--header 'authority: napi.vergecloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: API KEY 1 2 3 4' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
--data-raw '{"mode":"protect"}'

Configuring WAF

Before activating the WAF, configure it to recognize possible threats and let it run for an initial observation period. This helps you distinguish real threats from legitimate traffic.

After monitoring, access the WAF Attacks Analysis to review logs and identify any False Positives. This information allows you to deactivate unnecessary rules based on specific IDs from the logs.

Disabling Specific Rules

To disable a specific rule via the API:

curl --location --request PATCH 'https://napi.vergecloud.ir/cdn/4.0/domains/example.com/waf/packages/default?revelio' \
--header 'authority: napi.vergecloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: API KEY 1 2 3 4' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
--data-raw '{"disabled_rules":["21001","21003","21006","21009","40026","99001","21002"]}'
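
The anomaly-scoring model from the Introduction and the detect, review, disable workflow described above, as an added Python example (not VergeCloud's code). The rule IDs, patterns, scores, threshold, sample requests and function names are all constructed for illustration; only the `disabled_rules` body shape comes from the API call above.

```python
import json
import re

# Constructed demo rules (id, pattern, score): illustrative only,
# not VergeCloud's rule set. The threshold value is also an assumption.
RULES = [
    ("70001", re.compile(r"<script\b", re.I), 5),
    ("70002", re.compile(r"\bunion\b.+\bselect\b", re.I), 5),
    ("70003", re.compile(r"--"), 3),   # SQL comment marker, also common in prose
    ("70004", re.compile(r"'"), 2),    # single quote, also common in prose
]
THRESHOLD = 5

def evaluate(request, mode="protect", disabled_rules=(), threshold=THRESHOLD):
    """Score one request; return (action, total_score, matched_rule_ids)."""
    if mode == "off":
        return ("pass", 0, [])
    hits = [(rid, score) for rid, rx, score in RULES
            if rid not in disabled_rules and rx.search(request)]
    total = sum(score for _, score in hits)
    ids = [rid for rid, _ in hits]
    if total < threshold:
        return ("pass", total, ids)
    # Detection mode only logs; protect mode blocks at or above the threshold.
    return ("block" if mode == "protect" else "log", total, ids)

def false_positive_rules(known_good_requests):
    """Rule IDs that pushed known-good traffic over the threshold in detect mode."""
    noisy = set()
    for req in known_good_requests:
        action, _, ids = evaluate(req, mode="detect")
        if action == "log":
            noisy.update(ids)
    return sorted(noisy)

def still_blocked(known_bad_requests, disabled_rules):
    """Regression check: every known-bad sample must still be blocked after tuning."""
    return all(evaluate(r, "protect", disabled_rules)[0] == "block"
               for r in known_bad_requests)

def disabled_rules_body(rule_ids):
    """JSON body in the shape the disabled_rules PATCH call above sends."""
    return json.dumps({"disabled_rules": list(rule_ids)})

# Constructed sample traffic.
KNOWN_GOOD = ["POST /comments body=It's great -- thanks", "GET /index.html"]
KNOWN_BAD = ["GET /item?id=1' union select name from users--",
             "GET /search?q=<script>alert(1)</script>"]

if __name__ == "__main__":
    noisy = false_positive_rules(KNOWN_GOOD)
    print(evaluate(KNOWN_GOOD[0], "detect"))
    print(disabled_rules_body(noisy), still_blocked(KNOWN_BAD, noisy))
```

Neither low-score rule blocks on its own; together they reach the threshold on an ordinary comment, which is the kind of false positive the observation period is meant to surface. Run the regression check before sending the `disabled_rules` change, since a disabled rule also stops contributing to the score of real attacks.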

Packages

Utilizing security packages allows you to apply predefined WAF settings based on your requirements. Currently, VergeCloud offers a default WAF package along with two additional standard packages: CRS and Comodo.

VergeCloud’s WAF Package

This package contains VergeCloud’s default WAF rules, designed to prevent various types of attacks:

  • Malicious Code Execution (XSS)
  • SQL Injection Attacks
  • Unusual Requests
  • Malicious Bots
  • Atypical HTTP Requests
  • General Attacks

CRS Package

This package includes general rules for identifying attacks and can be utilized in conjunction with VergeCloud’s CRM feature:

  • SQL Injection (SQLi)
  • Cross Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • PHP Code Injection
  • Java Code Injection
  • HTTPoxy
  • Shellshock
  • Unix/Windows Shell Injection
  • Session Fixation
  • Scripting/Scanner/Bot Detection
  • Metadata/Error Leakages

Comodo Package

This package can be activated alongside other packages within the VergeCloud user panel and includes advanced filtering and intrusion protection rules.

Custom Rules

In VergeCloud’s Web Firewall, you can enable or disable WAF protection for specific paths or IP ranges. To do this, navigate to the WAF section in the CDN panel and click on "Add New Rule".

Creating Custom Rules

To create a custom rule:

curl --location --request POST 'https://napi.vergecloud.ir/cdn/4.0/domains/example.com/waf/rules' \
--header 'authority: napi.vergecloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: API KEY 1 2 3 4' \
--header 'content-type: application/json' \
--data-raw '{"id":null,"url_pattern":"example.com/**","sources":["192.168.1.1/32"],"description":"Test For Docs","action":"protect"}'

WAF Attacks Analysis

Review and analyze identified attacks in the VergeCloud WAF Attacks Analytics. Here, you can view detailed attack logs to adjust your rules according to your website's expected behavior.

Attack Log Details

Each attack log contains the following information:

  • Attacker’s IP
  • Request Method