How do I allow requests from an oversized request body to pass through WAF?

0

Hello. On the EC2 instance there is an image processing API, and I associated a WAF with the ALB, then configured the following rule in the WAF:

import * as wafv2 from 'aws-cdk-lib/aws-wafv2'; // CDK v2 import (used below as wafv2)

// Managed rule group with two of its rules excluded; an excluded rule is switched
// to Count mode, so it no longer blocks on its own.
const awsManagedRulesCommonRuleSet: wafv2.CfnWebACL.RuleProperty = {
  name: `AWS-AWSManagedRulesCommonRuleSet`,
  priority: 0,
  overrideAction: { none: {} },
  visibilityConfig: {
    metricName: `MetricForAMRCRS`,
    sampledRequestsEnabled: true,
    cloudWatchMetricsEnabled: true,
  },
  statement: {
    managedRuleGroupStatement: {
      vendorName: 'AWS',
      name: 'AWSManagedRulesCommonRuleSet',
      excludedRules: [
        {
          name: 'SizeRestrictions_BODY',
        },
        {
          name: 'NoUserAgent_HEADER',
        },
      ],
    },
  },
};

// Regional web ACL (for the ALB); `this` is the enclosing Stack/Construct.
new wafv2.CfnWebACL(this, 'ServerWebACLs', {
  name: 'ServerALB-WebACLs',
  scope: 'REGIONAL',
  defaultAction: { allow: {} },
  visibilityConfig: {
    metricName: 'ServerALB-WebACLs',
    sampledRequestsEnabled: true,
    cloudWatchMetricsEnabled: true,
  },
  rules: [
    awsManagedRulesCommonRuleSet,
    // and some other rules, such as IPRule, SqlRule...
  ],
});

The request body of the API contains image data. When I call that API through CloudFront, I keep getting a 403 error. If I use an API that doesn't contain image data, it can be called successfully. Why is that? Have I not configured it correctly?

2 Answers
1

Hi,

It could be useful to configure AWS WAF to send web ACL traffic logs to CloudWatch and identify the rules that the request matched.

EXPERT
answered a month ago
EXPERT
verified a month ago
  • Thanks for your reply. From the traffic overview of the WAF, the blocked request shows that the attack type is GenericLFI, but the API just adds an image file to form-data.

  • Now that you know the cause, it should be easier to find the solution.

    For example, the following StackOverflow response suggests checking the image metadata; it may help you.
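As an added example (not code from the question or either answer), here is a small TypeScript helper that reads AWS WAF web ACL log records and reports, for each BLOCKed request, which rule inside which managed rule group terminated it. That is the name you would add to excludedRules (Count mode) after confirming it is a false positive. Field names follow the AWS WAF log record format; the sample log lines are constructed, not real traffic.

```typescript
// Minimal view of the AWS WAF log fields this helper needs.
interface RuleGroupEntry {
  ruleGroupId: string;
  terminatingRule: { ruleId: string; action: string } | null;
  excludedRules?: { exclusionType: string; ruleId: string }[] | null;
}

interface WafLogRecord {
  action: string;
  terminatingRuleId: string;
  terminatingRuleType: string;
  ruleGroupList: RuleGroupEntry[];
  httpRequest: { httpMethod: string; uri: string };
}

export interface BlockSummary {
  method: string;
  uri: string;
  ruleGroup: string;
  ruleId: string;
}

// One summary per blocked request; ALLOW and COUNT records are skipped.
export function summarizeBlocks(lines: string[]): BlockSummary[] {
  const out: BlockSummary[] = [];
  for (const line of lines) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line) as WafLogRecord;
    if (rec.action !== 'BLOCK') continue;
    // For a managed rule group, the top-level terminatingRuleId is only the group's
    // name in the web ACL; the rule that actually fired is inside ruleGroupList.
    for (const g of rec.ruleGroupList ?? []) {
      if (g.terminatingRule && g.terminatingRule.action === 'BLOCK') {
        out.push({ method: rec.httpRequest.httpMethod, uri: rec.httpRequest.uri,
                   ruleGroup: g.ruleGroupId, ruleId: g.terminatingRule.ruleId });
      }
    }
  }
  return out;
}

// Constructed sample records: one block by GenericLFI_BODY in the Common Rule Set
// (SizeRestrictions_BODY already excluded as Count), and one allowed request.
export const SAMPLE_LOG_LINES: string[] = [
  JSON.stringify({ action: 'BLOCK', terminatingRuleId: 'AWS-AWSManagedRulesCommonRuleSet',
    terminatingRuleType: 'MANAGED_RULE_GROUP',
    ruleGroupList: [{ ruleGroupId: 'AWS#AWSManagedRulesCommonRuleSet',
      terminatingRule: { ruleId: 'GenericLFI_BODY', action: 'BLOCK' },
      excludedRules: [{ exclusionType: 'EXCLUDED_AS_COUNT', ruleId: 'SizeRestrictions_BODY' }] }],
    httpRequest: { httpMethod: 'POST', uri: '/api/images' } }),
  JSON.stringify({ action: 'ALLOW', terminatingRuleId: 'Default_Action', terminatingRuleType: 'REGULAR',
    ruleGroupList: [], httpRequest: { httpMethod: 'GET', uri: '/api/health' } }),
];
```

Run it over the lines of a log file exported from CloudWatch Logs (one JSON record per line) to get the same summary for real traffic.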

1

You've included the awsManagedRulesCommonRuleSet - looking at the documentation, it includes a rule that is defined as follows:

SizeRestrictions_BODY: Inspects for request bodies that are over 8 KB (8,192 bytes). Rule action: Block

So perhaps don't use that rule set?

AWS
EXPERT
answered a month ago
EXPERT
verified a month ago
  • Thanks for your reply, but I'm excluding the rule in my code, not including it.
