How do I allow requests with an oversized request body to pass through WAF?

0

Hello, on an EC2 instance there is an image processing API. I associated a WAF with the ALB and then configured the following rule in the WAF:

import * as wafv2 from 'aws-cdk-lib/aws-wafv2';

// Runs inside a Stack/Construct constructor (hence `this`).
// Rules listed under excludedRules are still evaluated, but in count mode instead of block.
const awsManagedRulesCommonRuleSet: wafv2.CfnWebACL.RuleProperty = {
  name: `AWS-AWSManagedRulesCommonRuleSet`,
  priority: 0,
  overrideAction: { none: {} },
  visibilityConfig: {
    metricName: `MetricForAMRCRS`,
    sampledRequestsEnabled: true,
    cloudWatchMetricsEnabled: true,
  },
  statement: {
    managedRuleGroupStatement: {
      vendorName: 'AWS',
      name: 'AWSManagedRulesCommonRuleSet',
      excludedRules: [
        {
          name: 'SizeRestrictions_BODY',
        },
        {
          name: 'NoUserAgent_HEADER',
        },
      ],
    },
  },
};
new wafv2.CfnWebACL(this, 'ServerWebACLs', {
  name: 'ServerALB-WebACLs',
  scope: 'REGIONAL',
  defaultAction: { allow: {} },
  visibilityConfig: {
    metricName: 'ServerALB-WebACLs',
    sampledRequestsEnabled: true,
    cloudWatchMetricsEnabled: true,
  },
  rules: [
    awsManagedRulesCommonRuleSet,
    // and some other rules, such as IPRule, SqlRule...
  ],
});

The request body of the API contains image data; when I call that API through CloudFront, I keep getting a 403 error. If I use an API that doesn't contain image data, it can be called successfully. Why is that? Have I not configured it correctly?

2 Answers
1

Hi,

It could be useful to configure AWS WAF to send web ACL traffic logs to CloudWatch Logs and identify the rules that the request matched.

EXPERT
answered 20 days ago
EXPERT
reviewed 20 days ago
  • Thanks for your reply. From the traffic overview of the WAF, the blocked request shows that the attack type is GenericLFI, but the API just adds an image file to form-data.

  • Now that you know the cause, it should be easier to find the solution.

    For example, the following StackOverflow response suggests checking the image metadata; it may help you.

1

You've included the awsManagedRulesCommonRuleSet - looking at the documentation it includes a rule that is defined as follows:

SizeRestrictions_BODY: Inspects for request bodies that are over 8 KB (8,192 bytes). Rule action: Block

So perhaps don't use that rule set?

AWS
EXPERT
answered 20 days ago
EXPERT
reviewed 20 days ago
  • Thanks for your reply, but I exclude the rule in my code; I don't include it.
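The two answers fit together: the first says to log the web ACL traffic and read off the rule that matched, the second points at one rule inside the managed group. The comment above reports the attack type as GenericLFI, and in AWSManagedRulesCommonRuleSet a body match of that family is the GenericLFI_BODY rule, not SizeRestrictions_BODY, so excluding the size rule cannot help. The following is an added example, not code from the question or either answer: it parses a WAF log record of the documented shape, finds the rule inside the managed rule group that terminated the request, and turns that into the `ruleActionOverrides` entry that the CDK `CfnWebACL` managed rule group statement takes (the current form of the legacy `excludedRules`). The log record is constructed for the example, and the interfaces are minimal structural stand-ins so the file runs without `aws-cdk-lib` installed; the assumption that GenericLFI_BODY is the blocker is baked into the sample only.

```typescript
// Added example: WAF log triage -> ruleActionOverrides for the CDK rule.
// Field names follow the AWS WAF log format; the record below is constructed.

interface WafRuleMatch {
  ruleId: string;   // rule name inside the rule group, e.g. "GenericLFI_BODY"
  action: string;   // "BLOCK" | "COUNT" | ...
}

interface WafRuleGroupEntry {
  ruleGroupId: string;                   // e.g. "AWS#AWSManagedRulesCommonRuleSet"
  terminatingRule: WafRuleMatch | null;  // set when a rule in this group ended evaluation
  nonTerminatingMatchingRules: WafRuleMatch[];
  excludedRules: { ruleId: string; exclusionType: string }[] | null;
}

interface WafLogRecord {
  action: string;               // final web ACL action: "ALLOW" | "BLOCK" | ...
  terminatingRuleId: string;    // web ACL rule name, or "Default_Action"
  terminatingRuleType: string;  // "MANAGED_RULE_GROUP" | "REGULAR" | "RATE_BASED" | ...
  ruleGroupList: WafRuleGroupEntry[];
  labels: { name: string }[];
  httpRequest: { uri: string; httpMethod: string };
}

export interface BlockFinding {
  webAclRule: string;   // rule in the web ACL, e.g. "AWS-AWSManagedRulesCommonRuleSet"
  ruleGroupId: string;  // managed rule group; empty for a plain web ACL rule
  ruleId: string;       // rule inside the group that blocked, e.g. "GenericLFI_BODY"
  uri: string;
}

// Which rule blocked the request, or null if the request was not blocked.
export function findBlockingRule(rec: WafLogRecord): BlockFinding | null {
  if (rec.action !== 'BLOCK') return null;
  const uri = rec.httpRequest.uri;
  if (rec.terminatingRuleType !== 'MANAGED_RULE_GROUP') {
    // A plain web ACL rule (or the default action) blocked; there is no inner rule.
    return { webAclRule: rec.terminatingRuleId, ruleGroupId: '', ruleId: rec.terminatingRuleId, uri };
  }
  for (const group of rec.ruleGroupList) {
    const t = group.terminatingRule;
    if (t && t.action === 'BLOCK') {
      return { webAclRule: rec.terminatingRuleId, ruleGroupId: group.ruleGroupId, ruleId: t.ruleId, uri };
    }
  }
  return null;
}

// Shape of one entry in CfnWebACL.ManagedRuleGroupStatementProperty.ruleActionOverrides.
export interface RuleActionOverride {
  name: string;
  actionToUse: { count: {} } | { allow: {} } | { block: {} };
}

// Distinct blocking rules of one AWS managed group, each switched to count.
export function countOverridesFor(findings: BlockFinding[], groupName: string): RuleActionOverride[] {
  const names: string[] = [];
  for (const f of findings) {
    if (f.ruleGroupId === `AWS#${groupName}` && names.indexOf(f.ruleId) < 0) names.push(f.ruleId);
  }
  return names.sort().map((name) => ({ name, actionToUse: { count: {} } }));
}

// The statement to drop into the CDK rule from the question, in place of excludedRules.
export function commonRuleSetStatement(overrides: RuleActionOverride[]) {
  return {
    managedRuleGroupStatement: {
      vendorName: 'AWS',
      name: 'AWSManagedRulesCommonRuleSet',
      ruleActionOverrides: overrides,
    },
  };
}

// Constructed sample: a multipart image upload blocked by GenericLFI_BODY, with
// SizeRestrictions_BODY already running in count mode because it was excluded.
export const sampleBlockedUpload: WafLogRecord = {
  action: 'BLOCK',
  terminatingRuleId: 'AWS-AWSManagedRulesCommonRuleSet',
  terminatingRuleType: 'MANAGED_RULE_GROUP',
  ruleGroupList: [{
    ruleGroupId: 'AWS#AWSManagedRulesCommonRuleSet',
    terminatingRule: { ruleId: 'GenericLFI_BODY', action: 'BLOCK' },
    nonTerminatingMatchingRules: [],
    excludedRules: [{ ruleId: 'SizeRestrictions_BODY', exclusionType: 'EXCLUDED_AS_COUNT' }],
  }],
  labels: [{ name: 'awswaf:managed:aws:core-rule-set:GenericLFI_Body' }],
  httpRequest: { uri: '/api/images', httpMethod: 'POST' },
};

// Constructed sample of a request the web ACL let through.
export const sampleAllowed: WafLogRecord = {
  action: 'ALLOW', terminatingRuleId: 'Default_Action', terminatingRuleType: 'REGULAR',
  ruleGroupList: [], labels: [], httpRequest: { uri: '/api/health', httpMethod: 'GET' },
};

export const finding = findBlockingRule(sampleBlockedUpload);
export const overrides = countOverridesFor(finding ? [finding] : [], 'AWSManagedRulesCommonRuleSet');
console.log(JSON.stringify(commonRuleSetStatement(overrides), null, 2));
```

Two caveats before copying the output into the web ACL. A count override on GenericLFI_BODY switches that check off for every request the web ACL sees, not only the upload endpoint; if the API has other POST bodies worth protecting, the narrower fix is to keep the rule group as it is and add a scope-down statement that keeps it off the upload path, or to give the upload path its own rule. And the CloudWatch Logs destination for WAF logging must be a log group whose name begins with `aws-waf-logs-`, otherwise the logging configuration is rejected.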
