How do I allow requests from an oversized request body to pass through WAF?


Hello. On the EC2 instance there is an image processing API. I associated a WAF with the ALB, then configured the following rule in the WAF:

import * as wafv2 from 'aws-cdk-lib/aws-wafv2'; // CDK v2 import (assumed); `this` below is the enclosing Stack

const awsManagedRulesCommonRuleSet: wafv2.CfnWebACL.RuleProperty = {
  name: `AWS-AWSManagedRulesCommonRuleSet`,
  priority: 0,
  overrideAction: { none: {} }, // keep the managed group's own rule actions
  visibilityConfig: {
    metricName: `MetricForAMRCRS`,
    sampledRequestsEnabled: true,
    cloudWatchMetricsEnabled: true,
  },
  statement: {
    managedRuleGroupStatement: {
      vendorName: 'AWS',
      name: 'AWSManagedRulesCommonRuleSet',
      // rules listed here are switched from Block to Count inside the managed group
      excludedRules: [
        {
          name: 'SizeRestrictions_BODY',
        },
        {
          name: 'NoUserAgent_HEADER',
        },
      ],
    },
  },
};
new wafv2.CfnWebACL(this, 'ServerWebACLs', {
  name: 'ServerALB-WebACLs',
  scope: 'REGIONAL',
  defaultAction: { allow: {} },
  visibilityConfig: {
    metricName: 'ServerALB-WebACLs',
    sampledRequestsEnabled: true,
    cloudWatchMetricsEnabled: true,
  },
  rules: [
    awsManagedRulesCommonRuleSet,
    // and some other rules, such as IPRule, SqlRule...
  ],
});

The request body of the API contains image data; when I call that API through CloudFront, I keep getting a 403 error. If I use an API that doesn't contain image data, it can be called successfully. Why is that? Have I not configured it correctly?

2 Answers

Hi,

It could be useful to configure AWS WAF for sending web ACL traffic logs to CloudWatch and identify the rules that the request matched.

EXPERT
answered 2 months ago
  • Thanks for your reply. From the traffic overview of the WAF, the blocked request shows that the attack type is GenericLFI, but the API just adds an image file to form-data.

  • Now that you know the cause, it should be easier to find the solution.

    For example, the following StackOverflow response suggests checking the image metadata; it may help you.
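Following the first answer's advice, this is an added example (not from the original post, nor AWS's own code) of reading the web ACL log records once they reach CloudWatch and listing which rule inside the managed group actually terminated each blocked request, next to the rules the web ACL already excludes. The field names follow the AWS WAF log format; the two records are constructed samples, and the URIs are invented.

```typescript
// Only the fields of an AWS WAF log record that the triage below reads.
interface WafLogRecord {
  action: string;             // ALLOW | BLOCK | COUNT
  terminatingRuleId: string;  // name of the web ACL rule, e.g. the managed group's rule name
  ruleGroupList?: {
    ruleGroupId: string;      // e.g. "AWS#AWSManagedRulesCommonRuleSet"
    terminatingRule?: { ruleId: string; action: string } | null;
    excludedRules?: { ruleId: string; exclusionType: string }[] | null;
  }[];
  httpRequest: { httpMethod: string; uri: string };
}

interface BlockSummary {
  uri: string;
  webAclRule: string;   // web ACL rule that terminated the request
  groupRule: string;    // rule inside the managed group that actually fired
  excluded: string[];   // rules already excluded (counted, not blocked) for this group
}

// For every BLOCK record, report which rule inside the rule group fired.
function summarizeBlocks(logLines: string[]): BlockSummary[] {
  const out: BlockSummary[] = [];
  for (const line of logLines) {
    const rec = JSON.parse(line) as WafLogRecord;
    if (rec.action !== 'BLOCK') continue;
    for (const group of rec.ruleGroupList ?? []) {
      if (!group.terminatingRule) continue;  // this group did not terminate the request
      out.push({
        uri: rec.httpRequest.uri,
        webAclRule: rec.terminatingRuleId,
        groupRule: `${group.ruleGroupId}/${group.terminatingRule.ruleId}`,
        excluded: (group.excludedRules ?? []).map((r) => r.ruleId),
      });
    }
  }
  return out;
}

// Constructed sample records (not real traffic): a blocked image upload and an allowed health check.
const SAMPLE_LOG_LINES: string[] = [
  JSON.stringify({ action: 'BLOCK', terminatingRuleId: 'AWS-AWSManagedRulesCommonRuleSet',
    ruleGroupList: [{ ruleGroupId: 'AWS#AWSManagedRulesCommonRuleSet',
      terminatingRule: { ruleId: 'GenericLFI_BODY', action: 'BLOCK' },
      excludedRules: [{ ruleId: 'SizeRestrictions_BODY', exclusionType: 'EXCLUDED_AS_COUNT' }] }],
    httpRequest: { httpMethod: 'POST', uri: '/api/image/process' } }),
  JSON.stringify({ action: 'ALLOW', terminatingRuleId: 'Default_Action', ruleGroupList: [],
    httpRequest: { httpMethod: 'GET', uri: '/api/health' } }),
];

summarizeBlocks(SAMPLE_LOG_LINES).forEach((b) => console.log(`${b.uri}: ${b.groupRule} (excluded: ${b.excluded.join(', ') || 'none'})`));
```

The output makes the mismatch visible: the excluded SizeRestrictions_BODY only counts, while a different rule in the same group is the one returning the 403.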


You've included awsManagedRulesCommonRuleSet; looking at the documentation, it includes a rule that is defined as follows:

SizeRestrictions_BODY
Inspects for request bodies that are over 8 KB (8,192 bytes).
Rule action: Block

So perhaps don't use that rule set?

AWS
EXPERT
answered 2 months ago
  • Thanks for your reply, but I'm excluding the rule in my code, not including it.
