oci_waas_policy – Manage a WaasPolicy resource in Oracle Cloud Infrastructure¶
New in version 2.5.
Synopsis¶
- This module allows the user to create, update and delete a WaasPolicy resource in Oracle Cloud Infrastructure
- For state=present, creates a new Web Application Acceleration and Security (WAAS) policy in the specified compartment. A WAAS policy must be established before creating Web Application Firewall (WAF) rules. To use WAF rules, your web application’s origin servers must defined in the WaasPolicy schema.
- A domain name must be specified when creating a WAAS policy. The domain name should be different from the origins specified in your WaasPolicy. Once domain name is entered and stored, it is unchangeable.
- Use the record data returned in the cname field of the WaasPolicy object to create a CNAME record in your DNS configuration that will direct your domain’s traffic through the WAF.
- For the purposes of access control, you must provide the OCID of the compartment where you want the service to reside. For information about access control and compartments, see Overview of the IAM Service.
- You must specify a display name and domain for the WAAS policy. The display name does not have to be unique and can be changed. The domain name should be different from every origin specified in WaasPolicy.
- All Oracle Cloud Infrastructure resources, including WAAS policies, receive a unique, Oracle-assigned ID called an Oracle Cloud Identifier (OCID). When a resource is created, you can find its OCID in the response. You can also retrieve a resource’s OCID by using a list API operation for that resource type, or by viewing the resource in the Console. Fore more information, see Resource Identifiers.
- Note: After sending the POST request, the new object’s state will temporarily be CREATING. Ensure that the resource’s state has changed to ACTIVE before use.
- This resource has the following action operations in the oci_waas_policy_actions module: accept_recommendations.
Requirements¶
The below requirements are needed on the host that executes this module.
- python >= 2.7
- Python SDK for Oracle Cloud Infrastructure https://oracle-cloud-infrastructure-python-sdk.readthedocs.io
Parameters¶
| Parameter | Choices/Defaults | Comments | |||
|---|---|---|---|---|---|
|
additional_domains
list
|
An array of additional domains for the specified web application.
|
||||
|
api_user
string
|
The OCID of the user, on whose behalf, OCI APIs are invoked. If not set, then the value of the OCI_USER_OCID environment variable, if any, is used. This option is required if the user is not specified through a configuration file (See
config_file_location). To get the user's OCID, please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm. |
||||
|
api_user_fingerprint
string
|
Fingerprint for the key pair being used. If not set, then the value of the OCI_USER_FINGERPRINT environment variable, if any, is used. This option is required if the key fingerprint is not specified through a configuration file (See
config_file_location). To get the key pair's fingerprint value please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm. |
||||
|
api_user_key_file
string
|
Full path and filename of the private key (in PEM format). If not set, then the value of the OCI_USER_KEY_FILE variable, if any, is used. This option is required if the private key is not specified through a configuration file (See
config_file_location). If the key is encrypted with a pass-phrase, the api_user_key_pass_phrase option must also be provided. |
||||
|
api_user_key_pass_phrase
string
|
Passphrase used by the key referenced in
api_user_key_file, if it is encrypted. If not set, then the value of the OCI_USER_KEY_PASS_PHRASE variable, if any, is used. This option is required if the key passphrase is not specified through a configuration file (See config_file_location). |
||||
|
auth_type
string
|
|
The type of authentication to use for making API requests. By default
auth_type="api_key" based authentication is performed and the API key (see api_user_key_file) in your config file will be used. If this 'auth_type' module option is not specified, the value of the OCI_ANSIBLE_AUTH_TYPE, if any, is used. Use auth_type="instance_principal" to use instance principal based authentication when running ansible playbooks within an OCI compute instance. |
|||
|
compartment_id
-
|
The OCID of the compartment in which to create the WAAS policy.
Required for create using state=present.
|
||||
|
config_file_location
string
|
Path to configuration file. If not set then the value of the OCI_CONFIG_FILE environment variable, if any, is used. Otherwise, defaults to ~/.oci/config.
|
||||
|
config_profile_name
string
|
The profile to load from the config file referenced by
config_file_location. If not set, then the value of the OCI_CONFIG_PROFILE environment variable, if any, is used. Otherwise, defaults to the "DEFAULT" profile in config_file_location. |
||||
|
defined_tags
dictionary
|
A key-value pair with a defined schema that restricts the values of tags. These predefined keys are scoped to namespaces.
|
||||
|
display_name
-
|
A user-friendly name for the WAAS policy. The name is can be changed and does not need to be unique.
aliases: name |
||||
|
domain
-
|
The web application domain that the WAAS policy protects.
Required for create using state=present.
|
||||
|
force_create
boolean
|
|
Whether to attempt non-idempotent creation of a resource. By default, create resource is an idempotent operation, and doesn't create the resource if it already exists. Setting this option to true, forcefully creates a copy of the resource, even if it already exists.This option is mutually exclusive with key_by.
|
|||
|
freeform_tags
dictionary
|
A simple key-value pair without any defined schema.
|
||||
|
key_by
list
|
The list of comma-separated attributes of this resource which should be used to uniquely identify an instance of the resource. By default, all the attributes of a resource except freeform_tags are used to uniquely identify a resource.
|
||||
|
origins
dictionary
|
A map of host to origin for the web application. The key should be a customer friendly name for the host, ex. primary, secondary, etc.
|
||||
|
custom_headers
list
|
A list of HTTP headers to forward to your origin.
|
||||
|
name
-
/ required
|
The name of the header.
|
||||
|
value
-
/ required
|
The value of the header.
|
||||
|
http_port
integer
|
The HTTP port on the origin that the web application listens on. If unspecified, defaults to `80`.
|
||||
|
https_port
integer
|
The HTTPS port on the origin that the web application listens on. If unspecified, defaults to `443`.
|
||||
|
uri
-
/ required
|
The URI of the origin. Does not support paths. Port numbers should be specified in the `httpPort` and `httpsPort` fields.
|
||||
|
policy_config
dictionary
|
|||||
|
certificate_id
-
|
The OCID of the SSL certificate to use if HTTPS is supported.
|
||||
|
is_https_enabled
boolean
|
|
Enable or disable HTTPS support. If true, a `certificateId` is required. If unspecified, defaults to `false`.
|
|||
|
is_https_forced
boolean
|
|
Force HTTP to HTTPS redirection. If unspecified, defaults to `false`.
|
|||
|
region
string
|
The Oracle Cloud Infrastructure region to use for all OCI API requests. If not set, then the value of the OCI_REGION variable, if any, is used. This option is required if the region is not specified through a configuration file (See
config_file_location). Please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/regions.htm for more information on OCI regions. |
||||
|
state
-
|
|
The state of the WaasPolicy.
Use state=present to create or update a WaasPolicy.
Use state=absent to delete a WaasPolicy.
|
|||
|
tenancy
string
|
OCID of your tenancy. If not set, then the value of the OCI_TENANCY variable, if any, is used. This option is required if the tenancy OCID is not specified through a configuration file (See
config_file_location). To get the tenancy OCID, please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm |
||||
|
waas_policy_id
-
|
The OCID of the WAAS policy.
Required for update using state=present, state=absent.
aliases: id |
||||
|
waf_config
dictionary
|
|||||
|
access_rules
list
|
The access rules applied to the Web Application Firewall. Used for defining custom access policies with the combination of `ALLOW`, `DETECT`, and `BLOCK` rules, based on different criteria.
|
||||
|
action
-
/ required
|
|
The action to take when the access criteria are met for a rule. If unspecified, defaults to `ALLOW`.
|
|||
|
block_action
-
|
|
The method used to block requests if `action` is set to `BLOCK` and the access criteria are met. If unspecified, defaults to `SET_RESPONSE_CODE`.
|
|||
|
block_error_page_code
-
|
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access rules'.
|
||||
|
block_error_page_description
-
|
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access blocked by website owner. Please contact support.'
|
||||
|
block_error_page_message
-
|
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access to the website is blocked.'
|
||||
|
block_response_code
integer
|
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the access criteria are met. If unspecified, defaults to `403`.
|
||||
|
criteria
list
/ required
|
The list of access rule criteria.
|
||||
|
condition
-
/ required
|
|
The criteria the access rule uses to determine if action should be taken on a request.
- **URL_IS:** Matches if the concatenation of request URL path and query is identical to the contents of the `value` field. - **URL_IS_NOT:** Matches if the concatenation of request URL path and query is not identical to the contents of the `value` field. - **URL_STARTS_WITH:** Matches if the concatenation of request URL path and query starts with the contents of the `value` field. - **URL_PART_ENDS_WITH:** Matches if the concatenation of request URL path and query ends with the contents of the `value` field. - **URL_PART_CONTAINS:** Matches if the concatenation of request URL path and query contains the contents of the `value` field. - **URL_REGEX:** Matches if the request is described by the regular expression in the `value` field. - **IP_IS:** Matches if the request originates from an IP address in the `value` field. - **IP_IS_NOT:** Matches if the request does not originate from an IP address in the `value` field. - **HTTP_HEADER_CONTAINS:** Matches if the request includes an HTTP header field whose name and value correspond to data specified in the `value` field with a separating colon. **Example:** `host:test.example.com` where `host` is the name of the field and `test.example.com` is the value of the host field. Comparison is independently applied to every header field whose name is a case insensitive match, and the value is required to be case-sensitive identical. - **COUNTRY_IS:** Matches if the request originates from a country in the `value` field. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website. - **COUNTRY_IS_NOT:** Matches if the request does not originate from a country in the `value` field. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website. - **USER_AGENT_IS:** Matches if the requesting user agent is identical to the contents of the `value` field. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0` - **USER_AGENT_IS_NOT:** Matches if the requesting user agent is not identical to the contents of the `value` field. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0`
|
|||
|
value
-
/ required
|
The criteria value.
|
||||
|
name
-
/ required
|
The unique name of the access rule.
|
||||
|
address_rate_limiting
dictionary
|
The IP address rate limiting settings used to limit the number of requests from an address.
|
||||
|
allowed_rate_per_address
integer
|
The number of allowed requests per second from one IP address. If unspecified, defaults to `1`.
|
||||
|
block_response_code
integer
|
The response status code returned when a request is blocked. If unspecified, defaults to `503`.
|
||||
|
is_enabled
boolean
/ required
|
|
Enables or disables the address rate limiting Web Application Firewall feature.
|
|||
|
max_delayed_count_per_address
integer
|
The maximum number of requests allowed to be queued before subsequent requests are dropped. If unspecified, defaults to `10`.
|
||||
|
captchas
list
|
A list of CAPTCHA challenge settings. These are used to challenge requests with a CAPTCHA to block bots.
|
||||
|
failure_message
-
/ required
|
The text to show when incorrect CAPTCHA text is entered. If unspecified, defaults to `The CAPTCHA was incorrect. Try again.`
|
||||
|
footer_text
-
|
The text to show in the footer when showing a CAPTCHA challenge. If unspecified, defaults to 'Enter the letters and numbers as they are shown in the image above.'
|
||||
|
header_text
-
|
The text to show in the header when showing a CAPTCHA challenge. If unspecified, defaults to 'We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.'
|
||||
|
session_expiration_in_seconds
integer
/ required
|
The amount of time before the CAPTCHA expires, in seconds. If unspecified, defaults to `300`.
|
||||
|
submit_label
-
/ required
|
The text to show on the label of the CAPTCHA challenge submit button. If unspecified, defaults to `Yes, I am human`.
|
||||
|
title
-
/ required
|
The title used when displaying a CAPTCHA challenge. If unspecified, defaults to `Are you human?`
|
||||
|
url
-
/ required
|
The unique URL path at which to show the CAPTCHA challenge.
|
||||
|
device_fingerprint_challenge
dictionary
|
The device fingerprint challenge settings. Used to detect unique devices based on the device fingerprint information collected in order to block bots.
|
||||
|
action
-
|
|
The action to take on requests from detected bots. If unspecified, defaults to `DETECT`.
|
|||
|
action_expiration_in_seconds
integer
|
The number of seconds between challenges for the same IP address. If unspecified, defaults to `60`.
|
||||
|
challenge_settings
dictionary
|
|||||
|
block_action
-
|
|
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.
|
|||
|
block_error_page_code
-
|
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.
|
||||
|
block_error_page_description
-
|
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
|
||||
|
block_error_page_message
-
|
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.
|
||||
|
block_response_code
integer
|
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.
|
||||
|
captcha_footer
-
|
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, default to `Enter the letters and numbers as they are shown in image above`.
|
||||
|
captcha_header
-
|
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`
|
||||
|
captcha_submit_label
-
|
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.
|
||||
|
captcha_title
-
|
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`
|
||||
|
failure_threshold
integer
|
The number of failed requests allowed before taking action. If unspecified, defaults to `10`.
|
||||
|
failure_threshold_expiration_in_seconds
integer
|
The number of seconds before the failure threshold resets. If unspecified, defaults to `60`.
|
||||
|
is_enabled
boolean
/ required
|
|
Enables or disables the device fingerprint challenge Web Application Firewall feature.
|
|||
|
max_address_count
integer
|
The maximum number of IP addresses permitted with the same device fingerprint. If unspecified, defaults to `20`.
|
||||
|
max_address_count_expiration_in_seconds
integer
|
The number of seconds before the maximum addresses count resets. If unspecified, defaults to `60`.
|
||||
|
good_bots
list
|
A list of bots allowed to access the web application.
|
||||
|
description
-
|
The description of the bot.
|
||||
|
is_enabled
boolean
/ required
|
|
Enables or disables the bot.
|
|||
|
key
-
/ required
|
The unique key for the bot.
|
||||
|
name
-
|
The bot name.
|
||||
|
human_interaction_challenge
dictionary
|
The human interaction challenge settings. Used to look for natural human interactions such as mouse movements, time on site, and page scrolling to identify bots.
|
||||
|
action
-
|
|
The action to take against requests from detected bots. If unspecified, defaults to `DETECT`.
|
|||
|
action_expiration_in_seconds
integer
|
The number of seconds between challenges for the same IP address. If unspecified, defaults to `60`.
|
||||
|
challenge_settings
dictionary
|
|||||
|
block_action
-
|
|
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.
|
|||
|
block_error_page_code
-
|
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.
|
||||
|
block_error_page_description
-
|
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
|
||||
|
block_error_page_message
-
|
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.
|
||||
|
block_response_code
integer
|
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.
|
||||
|
captcha_footer
-
|
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, default to `Enter the letters and numbers as they are shown in image above`.
|
||||
|
captcha_header
-
|
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`
|
||||
|
captcha_submit_label
-
|
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.
|
||||
|
captcha_title
-
|
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`
|
||||
|
failure_threshold
integer
|
The number of failed requests before taking action. If unspecified, defaults to `10`.
|
||||
|
failure_threshold_expiration_in_seconds
integer
|
The number of seconds before the failure threshold resets. If unspecified, defaults to `60`.
|
||||
|
interaction_threshold
integer
|
The number of interactions required to pass the challenge. If unspecified, defaults to `3`.
|
||||
|
is_enabled
boolean
/ required
|
|
Enables or disables the human interaction challenge Web Application Firewall feature.
|
|||
|
recording_period_in_seconds
integer
|
The number of seconds to record the interactions from the user. If unspecified, defaults to `15`.
|
||||
|
set_http_header
dictionary
|
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the `action` is set to `DETECT`.
|
||||
|
name
-
/ required
|
The name of the header.
|
||||
|
value
-
/ required
|
The value of the header.
|
||||
|
js_challenge
dictionary
|
The JavaScript challenge settings. Used to challenge requests with a JavaScript challenge and take the action if a browser has no JavaScript support in order to block bots.
|
||||
|
action
-
|
|
The action to take against requests from detected bots. If unspecified, defaults to `DETECT`.
|
|||
|
action_expiration_in_seconds
integer
|
The number of seconds between challenges from the same IP address. If unspecified, defaults to `60`.
|
||||
|
challenge_settings
dictionary
|
|||||
|
block_action
-
|
|
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.
|
|||
|
block_error_page_code
-
|
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.
|
||||
|
block_error_page_description
-
|
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
|
||||
|
block_error_page_message
-
|
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.
|
||||
|
block_response_code
integer
|
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.
|
||||
|
captcha_footer
-
|
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, default to `Enter the letters and numbers as they are shown in image above`.
|
||||
|
captcha_header
-
|
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`
|
||||
|
captcha_submit_label
-
|
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.
|
||||
|
captcha_title
-
|
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`
|
||||
|
failure_threshold
integer
|
The number of failed requests before taking action. If unspecified, defaults to `10`.
|
||||
|
is_enabled
boolean
/ required
|
|
Enables or disables the JavaScript challenge Web Application Firewall feature.
|
|||
|
set_http_header
dictionary
|
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the `action` is set to `DETECT`.
|
||||
|
name
-
/ required
|
The name of the header.
|
||||
|
value
-
/ required
|
The value of the header.
|
||||
|
origin
-
|
The key in the map of origins referencing the origin used for the Web Application Firewall. The origin must already be included in `Origins`. Required when creating the `WafConfig` resource, but not on update.
|
||||
|
protection_rules
list
|
A list of the protection rules and their details.
|
||||
|
action
-
|
|
The action to take when the traffic is detected as malicious. If unspecified, defaults to `OFF`.
|
|||
|
description
-
|
The description of the protection rule.
|
||||
|
exclusions
list
|
|||||
|
exclusions
list
|
|||||
|
target
-
|
|
The target of the exclusion.
|
|||
|
key
-
|
The unique key of the protection rule.
|
||||
|
labels
list
|
The list of labels for the protection rule.
**Note:** Protection rules with a `ResponseBody` label will have no effect unless `isResponseInspected` is true.
|
||||
|
mod_security_rule_ids
list
|
The list of the ModSecurity rule IDs that apply to this protection rule. For more information about ModSecurity's open source WAF rules, see Mod Security's documentation.
|
||||
|
name
-
|
The name of the protection rule.
|
||||
|
protection_settings
dictionary
|
The settings to apply to protection rules.
|
||||
|
allowed_http_methods
list
|
|
The list of allowed HTTP methods. If unspecified, default to `[OPTIONS, GET, HEAD, POST]`.
|
|||
|
block_action
-
|
|
If `action` is set to `BLOCK`, this specifies how the traffic is blocked when detected as malicious by a protection rule. If unspecified, defaults to `SET_RESPONSE_CODE`.
|
|||
|
block_error_page_code
-
|
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `403`.
|
||||
|
block_error_page_description
-
|
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
|
||||
|
block_error_page_message
-
|
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to 'Access to the website is blocked.'
|
||||
|
block_response_code
integer
|
The response code returned when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `403`.
|
||||
|
is_response_inspected
boolean
|
|
Inspects the response body of origin responses. Can be used to detect leakage of sensitive data. If unspecified, defaults to `false`.
**Note:** Only origin responses with a Content-Type matching a value in `mediaTypes` will be inspected.
|
|||
|
max_argument_count
integer
|
The maximum number of arguments allowed to be passed to your application before an action is taken. If unspecified, defaults to `255`.
|
||||
|
max_name_length_per_argument
integer
|
The maximum length allowed for each argument name, in characters. If unspecified, defaults to `400`.
|
||||
|
max_response_size_in_ki_b
integer
|
The maximum response size to be fully inspected, in binary kilobytes (KiB). Anything over this limit will be partially inspected. If unspecified, defaults to `1024`.
|
||||
|
max_total_name_length_of_arguments
integer
|
The maximum length allowed for the sum of all argument names, in characters. If unspecified, defaults to `64000`.
|
||||
|
media_types
list
|
The list of media types to allow for inspection, if `isResponseInspected` is enabled. Only responses with MIME types in this list will be inspected. If unspecified, defaults to `[`text/html`, `text/plain`, `text/xml`]`.
Supported MIME types include:
- text/html - text/plain - text/asp - text/css - text/x-script - application/json - text/webviewhtml - text/x-java-source - application/x-javascript - application/javascript - application/ecmascript - text/javascript - text/ecmascript - text/x-script.perl - text/x-script.phyton - application/plain - application/xml - text/xml
|
||||
|
recommendations_period_in_days
integer
|
The length of time to analyze traffic traffic, in days. After the analysis period, `WafRecommendations` will be populated. If unspecified, defaults to `10`.
Use `GET /waasPolicies/{waasPolicyId}/wafRecommendations` to view WAF recommendations.
|
||||
|
threat_feeds
list
|
A list of threat intelligence feeds and the actions to apply to known malicious traffic based on internet intelligence.
|
||||
|
action
-
|
|
The action to take when traffic is flagged as malicious by data from the threat intelligence feed. If unspecified, defaults to `OFF`.
|
|||
|
description
-
|
The description of the threat intelligence feed.
|
||||
|
key
-
|
The unique key of the threat intelligence feed.
|
||||
|
name
-
|
The name of the threat intelligence feed.
|
||||
|
whitelists
list
|
A list of IP addresses that bypass the Web Application Firewall.
|
||||
|
addresses
list
/ required
|
A set of IP addresses or CIDR notations to include in the whitelist.
|
||||
|
name
-
/ required
|
The unique name of the whitelist.
|
||||
|
wait
boolean
|
|
Whether to wait for create or delete operation to complete.
|
|||
|
wait_timeout
integer
|
Default: 1200
|
Time, in seconds, to wait when wait=yes.
|
|||
|
wait_until
string
|
The lifecycle state to wait for the resource to transition into when wait=yes. By default, when wait=yes, we wait for the resource to get into ACTIVE/ATTACHED/AVAILABLE/PROVISIONED/ RUNNING applicable lifecycle state during create operation & to get into DELETED/DETACHED/ TERMINATED lifecycle state during delete operation.
|
||||
Notes¶
Note
- For OCI python sdk configuration, please refer to https://oracle-cloud-infrastructure-python-sdk.readthedocs.io/en/latest/configuration.html
Examples¶
- name: Create waas_policy
oci_waas_policy:
compartment_id: ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx
domain: domain_example
- name: Update waas_policy
oci_waas_policy:
display_name: display_name_example
origins:
uri: uri_example
waas_policy_id: ocid1.waaspolicy.oc1..xxxxxxEXAMPLExxxxxx
- name: Delete waas_policy
oci_waas_policy:
waas_policy_id: ocid1.waaspolicy.oc1..xxxxxxEXAMPLExxxxxx
state: absent
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description | ||||
|---|---|---|---|---|---|---|
|
waas_policy
complex
|
on success |
Details of the WaasPolicy resource acted upon by the current operation
Sample:
{'lifecycle_state': 'CREATING', 'domain': 'domain_example', 'display_name': 'display_name_example', 'compartment_id': 'ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx', 'origins': {'http_port': 56, 'custom_headers': [{'name': 'name_example', 'value': 'value_example'}], 'uri': 'uri_example', 'https_port': 56}, 'waf_config': {'origin': 'origin_example', 'protection_rules': [{'mod_security_rule_ids': [], 'name': 'name_example', 'key': 'key_example', 'action': 'OFF', 'labels': [], 'exclusions': [{'target': 'REQUEST_COOKIES', 'exclusions': []}], 'description': 'description_example'}], 'address_rate_limiting': {'is_enabled': True, 'allowed_rate_per_address': 56, 'block_response_code': 56, 'max_delayed_count_per_address': 56}, 'js_challenge': {'is_enabled': True, 'set_http_header': {'name': 'name_example', 'value': 'value_example'}, 'failure_threshold': 56, 'action': 'DETECT', 'action_expiration_in_seconds': 56, 'challenge_settings': {'block_error_page_message': 'block_error_page_message_example', 'captcha_footer': 'captcha_footer_example', 'block_error_page_code': 'block_error_page_code_example', 'block_action': 'SET_RESPONSE_CODE', 'captcha_title': 'captcha_title_example', 'captcha_header': 'captcha_header_example', 'block_response_code': 56, 'block_error_page_description': 'block_error_page_description_example', 'captcha_submit_label': 'captcha_submit_label_example'}}, 'device_fingerprint_challenge': {'is_enabled': True, 'failure_threshold_expiration_in_seconds': 56, 'action_expiration_in_seconds': 56, 'max_address_count_expiration_in_seconds': 56, 'failure_threshold': 56, 'action': 'DETECT', 'max_address_count': 56, 'challenge_settings': {'block_error_page_message': 'block_error_page_message_example', 'captcha_footer': 'captcha_footer_example', 'block_error_page_code': 'block_error_page_code_example', 'block_action': 'SET_RESPONSE_CODE', 'captcha_title': 'captcha_title_example', 'captcha_header': 'captcha_header_example', 'block_response_code': 56, 'block_error_page_description': 'block_error_page_description_example', 'captcha_submit_label': 'captcha_submit_label_example'}}, 'whitelists': [{'name': 'name_example', 'addresses': []}], 'human_interaction_challenge': {'is_enabled': True, 'set_http_header': {'name': 'name_example', 'value': 'value_example'}, 'recording_period_in_seconds': 56, 'failure_threshold_expiration_in_seconds': 56, 'action_expiration_in_seconds': 56, 'failure_threshold': 56, 'action': 'DETECT', 'interaction_threshold': 56, 'challenge_settings': {'block_error_page_message': 'block_error_page_message_example', 'captcha_footer': 'captcha_footer_example', 'block_error_page_code': 'block_error_page_code_example', 'block_action': 'SET_RESPONSE_CODE', 'captcha_title': 'captcha_title_example', 'captcha_header': 'captcha_header_example', 'block_response_code': 56, 'block_error_page_description': 'block_error_page_description_example', 'captcha_submit_label': 'captcha_submit_label_example'}}, 'good_bots': [{'is_enabled': True, 'name': 'name_example', 'key': 'key_example', 'description': 'description_example'}], 'access_rules': [{'block_error_page_message': 'block_error_page_message_example', 'name': 'name_example', 'block_error_page_code': 'block_error_page_code_example', 'block_action': 'SET_RESPONSE_CODE', 'criteria': [{'condition': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0', 'value': 'value_example'}], 'action': 'ALLOW', 'block_response_code': 56, 'block_error_page_description': 'block_error_page_description_example'}], 'protection_settings': {'media_types': [], 'block_error_page_message': 'block_error_page_message_example', 'max_total_name_length_of_arguments': 56, 'recommendations_period_in_days': 56, 'block_error_page_code': 'block_error_page_code_example', 'max_response_size_in_ki_b': 56, 'block_action': 'SHOW_ERROR_PAGE', 'max_argument_count': 56, 'max_name_length_per_argument': 56, 'is_response_inspected': True, 'block_response_code': 56, 'allowed_http_methods': [], 'block_error_page_description': 'block_error_page_description_example'}, 'captchas': [{'submit_label': 'submit_label_example', 'header_text': 'header_text_example', 'title': 'title_example', 'url': 'url_example', 'session_expiration_in_seconds': 56, 'footer_text': 'footer_text_example', 'failure_message': 'failure_message_example'}], 'threat_feeds': [{'action': 'OFF', 'name': 'name_example', 'key': 'key_example', 'description': 'description_example'}]}, 'defined_tags': {'Operations': {'CostCenter': 'US'}}, 'freeform_tags': {'Department': 'Finance'}, 'time_created': '2018-11-16T21:10:29Z', 'policy_config': {'certificate_id': 'ocid1.certificate.oc1..xxxxxxEXAMPLExxxxxx', 'is_https_enabled': True, 'is_https_forced': True}, 'cname': 'cname_example', 'additional_domains': [], 'id': 'ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx'}
|
||||
|
additional_domains
list
|
on success |
An array of additional domains for this web application.
|
||||
|
cname
string
|
on success |
The CNAME record to add to your DNS configuration to route traffic for the domain, and all additional domains, through the WAF.
Sample:
cname_example
|
||||
|
compartment_id
string
|
on success |
The OCID of the WAAS policy's compartment.
Sample:
ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx
|
||||
|
defined_tags
dictionary
|
on success |
A key-value pair with a defined schema that restricts the values of tags. These predefined keys are scoped to namespaces.
Sample:
{'Operations': {'CostCenter': 'US'}}
|
||||
|
display_name
string
|
on success |
The user-friendly name of the WAAS policy. The name can be changed and does not need to be unique.
Sample:
display_name_example
|
||||
|
domain
string
|
on success |
The web application domain that the WAAS policy protects.
Sample:
domain_example
|
||||
|
freeform_tags
dictionary
|
on success |
A simple key-value pair without any defined schema.
Sample:
{'Department': 'Finance'}
|
||||
|
id
string
|
on success |
The OCID of the WAAS policy.
Sample:
ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx
|
||||
|
lifecycle_state
string
|
on success |
The current lifecycle state of the WAAS policy.
Sample:
CREATING
|
||||
|
origins
complex
|
on success |
A map of host to origin for the web application. The key should be a customer friendly name for the host, ex. primary, secondary, etc.
|
||||
|
custom_headers
complex
|
on success |
A list of HTTP headers to forward to your origin.
|
||||
|
name
string
|
on success |
The name of the header.
Sample:
name_example
|
||||
|
value
string
|
on success |
The value of the header.
Sample:
value_example
|
||||
|
http_port
integer
|
on success |
The HTTP port on the origin that the web application listens on. If unspecified, defaults to `80`.
Sample:
56
|
||||
|
https_port
integer
|
on success |
The HTTPS port on the origin that the web application listens on. If unspecified, defaults to `443`.
Sample:
56
|
||||
|
uri
string
|
on success |
The URI of the origin. Does not support paths. Port numbers should be specified in the `httpPort` and `httpsPort` fields.
Sample:
uri_example
|
||||
|
policy_config
complex
|
on success |
|
||||
|
certificate_id
string
|
on success |
The OCID of the SSL certificate to use if HTTPS is supported.
Sample:
ocid1.certificate.oc1..xxxxxxEXAMPLExxxxxx
|
||||
|
is_https_enabled
boolean
|
on success |
Enable or disable HTTPS support. If true, a `certificateId` is required. If unspecified, defaults to `false`.
Sample:
True
|
||||
|
is_https_forced
boolean
|
on success |
Force HTTP to HTTPS redirection. If unspecified, defaults to `false`.
Sample:
True
|
||||
|
time_created
string
|
on success |
The date and time the policy was created, expressed in RFC 3339 timestamp format.
Sample:
2018-11-16 21:10:29
|
||||
|
waf_config
complex
|
on success |
|
||||
|
access_rules
complex
|
on success |
The access rules applied to the Web Application Firewall. Used for defining custom access policies with the combination of `ALLOW`, `DETECT`, and `BLOCK` rules, based on different criteria.
|
||||
|
action
string
|
on success |
The action to take when the access criteria are met for a rule. If unspecified, defaults to `ALLOW`.
Sample:
ALLOW
|
||||
|
block_action
string
|
on success |
The method used to block requests if `action` is set to `BLOCK` and the access criteria are met. If unspecified, defaults to `SET_RESPONSE_CODE`.
Sample:
SET_RESPONSE_CODE
|
||||
|
block_error_page_code
string
|
on success |
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access rules'.
Sample:
block_error_page_code_example
|
||||
|
block_error_page_description
string
|
on success |
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access blocked by website owner. Please contact support.'
Sample:
block_error_page_description_example
|
||||
|
block_error_page_message
string
|
on success |
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access to the website is blocked.'
Sample:
block_error_page_message_example
|
||||
|
block_response_code
integer
|
on success |
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the access criteria are met. If unspecified, defaults to `403`.
Sample:
56
|
||||
|
criteria
complex
|
on success |
The list of access rule criteria.
|
||||
|
condition
string
|
on success |
The criteria the access rule uses to determine if action should be taken on a request.
- **URL_IS:** Matches if the concatenation of request URL path and query is identical to the contents of the `value` field. - **URL_IS_NOT:** Matches if the concatenation of request URL path and query is not identical to the contents of the `value` field. - **URL_STARTS_WITH:** Matches if the concatenation of request URL path and query starts with the contents of the `value` field. - **URL_PART_ENDS_WITH:** Matches if the concatenation of request URL path and query ends with the contents of the `value` field. - **URL_PART_CONTAINS:** Matches if the concatenation of request URL path and query contains the contents of the `value` field. - **URL_REGEX:** Matches if the request is described by the regular expression in the `value` field. - **IP_IS:** Matches if the request originates from an IP address in the `value` field. - **IP_IS_NOT:** Matches if the request does not originate from an IP address in the `value` field. - **HTTP_HEADER_CONTAINS:** Matches if the request includes an HTTP header field whose name and value correspond to data specified in the `value` field with a separating colon. **Example:** `host:test.example.com` where `host` is the name of the field and `test.example.com` is the value of the host field. Comparison is independently applied to every header field whose name is a case insensitive match, and the value is required to be case-sensitive identical. - **COUNTRY_IS:** Matches if the request originates from a country in the `value` field. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website. - **COUNTRY_IS_NOT:** Matches if the request does not originate from a country in the `value` field. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website. - **USER_AGENT_IS:** Matches if the requesting user agent is identical to the contents of the `value` field. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0` - **USER_AGENT_IS_NOT:** Matches if the requesting user agent is not identical to the contents of the `value` field. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0`
Sample:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
|
||||
|
value
string
|
on success |
The criteria value.
Sample:
value_example
|
||||
|
name
string
|
on success |
The unique name of the access rule.
Sample:
name_example
|
||||
|
address_rate_limiting
complex
|
on success |
The IP address rate limiting settings used to limit the number of requests from an address.
|
||||
|
allowed_rate_per_address
integer
|
on success |
The number of allowed requests per second from one IP address. If unspecified, defaults to `1`.
Sample:
56
|
||||
|
block_response_code
integer
|
on success |
The response status code returned when a request is blocked. If unspecified, defaults to `503`.
Sample:
56
|
||||
|
is_enabled
boolean
|
on success |
Enables or disables the address rate limiting Web Application Firewall feature.
Sample:
True
|
||||
|
max_delayed_count_per_address
integer
|
on success |
The maximum number of requests allowed to be queued before subsequent requests are dropped. If unspecified, defaults to `10`.
Sample:
56
|
||||
|
captchas
complex
|
on success |
A list of CAPTCHA challenge settings. These are used to challenge requests with a CAPTCHA to block bots.
|
||||
|
failure_message
string
|
on success |
The text to show when incorrect CAPTCHA text is entered. If unspecified, defaults to `The CAPTCHA was incorrect. Try again.`
Sample:
failure_message_example
|
||||
|
footer_text
string
|
on success |
The text to show in the footer when showing a CAPTCHA challenge. If unspecified, defaults to 'Enter the letters and numbers as they are shown in the image above.'
Sample:
footer_text_example
|
||||
|
header_text
string
|
on success |
The text to show in the header when showing a CAPTCHA challenge. If unspecified, defaults to 'We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.'
Sample:
header_text_example
|
||||
|
session_expiration_in_seconds
integer
|
on success |
The amount of time before the CAPTCHA expires, in seconds. If unspecified, defaults to `300`.
Sample:
56
|
||||
|
submit_label
string
|
on success |
The text to show on the label of the CAPTCHA challenge submit button. If unspecified, defaults to `Yes, I am human`.
Sample:
submit_label_example
|
||||
|
title
string
|
on success |
The title used when displaying a CAPTCHA challenge. If unspecified, defaults to `Are you human?`
Sample:
title_example
|
||||
|
url
string
|
on success |
The unique URL path at which to show the CAPTCHA challenge.
Sample:
url_example
|
||||
|
device_fingerprint_challenge
complex
|
on success |
The device fingerprint challenge settings. Used to detect unique devices based on the device fingerprint information collected in order to block bots.
|
||||
|
action
string
|
on success |
The action to take on requests from detected bots. If unspecified, defaults to `DETECT`.
Sample:
DETECT
|
||||
|
action_expiration_in_seconds
integer
|
on success |
The number of seconds between challenges for the same IP address. If unspecified, defaults to `60`.
Sample:
56
|
||||
|
challenge_settings
complex
|
on success |
|
||||
|
block_action
string
|
on success |
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.
Sample:
SET_RESPONSE_CODE
|
||||
|
block_error_page_code
string
|
on success |
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.
Sample:
block_error_page_code_example
|
||||
|
block_error_page_description
string
|
on success |
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
Sample:
block_error_page_description_example
|
||||
|
block_error_page_message
string
|
on success |
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.
Sample:
block_error_page_message_example
|
||||
|
block_response_code
integer
|
on success |
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.
Sample:
56
|
||||
|
captcha_footer
string
|
on success |
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, default to `Enter the letters and numbers as they are shown in image above`.
Sample:
captcha_footer_example
|
||||
|
captcha_header
string
|
on success |
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`
Sample:
captcha_header_example
|
||||
|
captcha_submit_label
string
|
on success |
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.
Sample:
captcha_submit_label_example
|
||||
|
captcha_title
string
|
on success |
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`
Sample:
captcha_title_example
|
||||
|
failure_threshold
integer
|
on success |
The number of failed requests allowed before taking action. If unspecified, defaults to `10`.
Sample:
56
|
||||
|
failure_threshold_expiration_in_seconds
integer
|
on success |
The number of seconds before the failure threshold resets. If unspecified, defaults to `60`.
Sample:
56
|
||||
|
is_enabled
boolean
|
on success |
Enables or disables the device fingerprint challenge Web Application Firewall feature.
Sample:
True
|
||||
|
max_address_count
integer
|
on success |
The maximum number of IP addresses permitted with the same device fingerprint. If unspecified, defaults to `20`.
Sample:
56
|
||||
|
max_address_count_expiration_in_seconds
integer
|
on success |
The number of seconds before the maximum addresses count resets. If unspecified, defaults to `60`.
Sample:
56
|
||||
|
good_bots
complex
|
on success |
A list of bots allowed to access the web application.
|
||||
|
description
string
|
on success |
The description of the bot.
Sample:
description_example
|
||||
|
is_enabled
boolean
|
on success |
Enables or disables the bot.
Sample:
True
|
||||
|
key
string
|
on success |
The unique key for the bot.
Sample:
key_example
|
||||
|
name
string
|
on success |
The bot name.
Sample:
name_example
|
||||
|
human_interaction_challenge
complex
|
on success |
The human interaction challenge settings. Used to look for natural human interactions such as mouse movements, time on site, and page scrolling to identify bots.
|
||||
|
action
string
|
on success |
The action to take against requests from detected bots. If unspecified, defaults to `DETECT`.
Sample:
DETECT
|
||||
|
action_expiration_in_seconds
integer
|
on success |
The number of seconds between challenges for the same IP address. If unspecified, defaults to `60`.
Sample:
56
|
||||
|
challenge_settings
complex
|
on success |
|
||||
|
block_action
string
|
on success |
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.
Sample:
SET_RESPONSE_CODE
|
||||
|
block_error_page_code
string
|
on success |
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.
Sample:
block_error_page_code_example
|
||||
|
block_error_page_description
string
|
on success |
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
Sample:
block_error_page_description_example
|
||||
|
block_error_page_message
string
|
on success |
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.
Sample:
block_error_page_message_example
|
||||
|
block_response_code
integer
|
on success |
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.
Sample:
56
|
||||
|
captcha_footer
string
|
on success |
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, default to `Enter the letters and numbers as they are shown in image above`.
Sample:
captcha_footer_example
|
||||
|
captcha_header
string
|
on success |
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`
Sample:
captcha_header_example
|
||||
|
captcha_submit_label
string
|
on success |
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.
Sample:
captcha_submit_label_example
|
||||
|
captcha_title
string
|
on success |
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`
Sample:
captcha_title_example
|
||||
|
failure_threshold
integer
|
on success |
The number of failed requests before taking action. If unspecified, defaults to `10`.
Sample:
56
|
||||
|
failure_threshold_expiration_in_seconds
integer
|
on success |
The number of seconds before the failure threshold resets. If unspecified, defaults to `60`.
Sample:
56
|
||||
|
interaction_threshold
integer
|
on success |
The number of interactions required to pass the challenge. If unspecified, defaults to `3`.
Sample:
56
|
||||
|
is_enabled
boolean
|
on success |
Enables or disables the human interaction challenge Web Application Firewall feature.
Sample:
True
|
||||
|
recording_period_in_seconds
integer
|
on success |
The number of seconds to record the interactions from the user. If unspecified, defaults to `15`.
Sample:
56
|
||||
|
set_http_header
complex
|
on success |
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the `action` is set to `DETECT`.
|
||||
|
name
string
|
on success |
The name of the header.
Sample:
name_example
|
||||
|
value
string
|
on success |
The value of the header.
Sample:
value_example
|
||||
|
js_challenge
complex
|
on success |
The JavaScript challenge settings. Used to challenge requests with a JavaScript challenge and take the action if a browser has no JavaScript support in order to block bots.
|
||||
|
action
string
|
on success |
The action to take against requests from detected bots. If unspecified, defaults to `DETECT`.
Sample:
DETECT
|
||||
|
action_expiration_in_seconds
integer
|
on success |
The number of seconds between challenges from the same IP address. If unspecified, defaults to `60`.
Sample:
56
|
||||
|
challenge_settings
complex
|
on success |
|
||||
|
block_action
string
|
on success |
The method used to block requests that fail the challenge, if `action` is set to `BLOCK`. If unspecified, defaults to `SHOW_ERROR_PAGE`.
Sample:
SET_RESPONSE_CODE
|
||||
|
block_error_page_code
string
|
on success |
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE` and the request is blocked. If unspecified, defaults to `403`.
Sample:
block_error_page_code_example
|
||||
|
block_error_page_description
string
|
on success |
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
Sample:
block_error_page_description_example
|
||||
|
block_error_page_message
string
|
on success |
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `Access to the website is blocked`.
Sample:
block_error_page_message_example
|
||||
|
block_response_code
integer
|
on success |
The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE` or `SHOW_ERROR_PAGE`, and the request is blocked. If unspecified, defaults to `403`.
Sample:
56
|
||||
|
captcha_footer
string
|
on success |
The text to show in the footer when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, default to `Enter the letters and numbers as they are shown in image above`.
Sample:
captcha_footer_example
|
||||
|
captcha_header
string
|
on success |
The text to show in the header when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below.`
Sample:
captcha_header_example
|
||||
|
captcha_submit_label
string
|
on success |
The text to show on the label of the CAPTCHA challenge submit button when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Yes, I am human`.
Sample:
captcha_submit_label_example
|
||||
|
captcha_title
string
|
on success |
The title used when showing a CAPTCHA challenge when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_CAPTCHA`, and the request is blocked. If unspecified, defaults to `Are you human?`
Sample:
captcha_title_example
|
||||
|
failure_threshold
integer
|
on success |
The number of failed requests before taking action. If unspecified, defaults to `10`.
Sample:
56
|
||||
|
is_enabled
boolean
|
on success |
Enables or disables the JavaScript challenge Web Application Firewall feature.
Sample:
True
|
||||
|
set_http_header
complex
|
on success |
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the `action` is set to `DETECT`.
|
||||
|
name
string
|
on success |
The name of the header.
Sample:
name_example
|
||||
|
value
string
|
on success |
The value of the header.
Sample:
value_example
|
||||
|
origin
string
|
on success |
The key in the map of origins referencing the origin used for the Web Application Firewall. The origin must already be included in `Origins`. Required when creating the `WafConfig` resource, but not on update.
Sample:
origin_example
|
||||
|
protection_rules
complex
|
on success |
A list of the protection rules and their details.
|
||||
|
action
string
|
on success |
The action to take when the traffic is detected as malicious. If unspecified, defaults to `OFF`.
|
||||
|
description
string
|
on success |
The description of the protection rule.
Sample:
description_example
|
||||
|
exclusions
complex
|
on success |
|
||||
|
exclusions
list
|
on success |
|
||||
|
target
string
|
on success |
The target of the exclusion.
Sample:
REQUEST_COOKIES
|
||||
|
key
string
|
on success |
The unique key of the protection rule.
Sample:
key_example
|
||||
|
labels
list
|
on success |
The list of labels for the protection rule.
**Note:** Protection rules with a `ResponseBody` label will have no effect unless `isResponseInspected` is true.
|
||||
|
mod_security_rule_ids
list
|
on success |
The list of the ModSecurity rule IDs that apply to this protection rule. For more information about ModSecurity's open source WAF rules, see Mod Security's documentation.
|
||||
|
name
string
|
on success |
The name of the protection rule.
Sample:
name_example
|
||||
|
protection_settings
complex
|
on success |
The settings to apply to protection rules.
|
||||
|
allowed_http_methods
list
|
on success |
The list of allowed HTTP methods. If unspecified, default to `[OPTIONS, GET, HEAD, POST]`.
|
||||
|
block_action
string
|
on success |
If `action` is set to `BLOCK`, this specifies how the traffic is blocked when detected as malicious by a protection rule. If unspecified, defaults to `SET_RESPONSE_CODE`.
Sample:
SHOW_ERROR_PAGE
|
||||
|
block_error_page_code
string
|
on success |
The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `403`.
Sample:
block_error_page_code_example
|
||||
|
block_error_page_description
string
|
on success |
The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `Access blocked by website owner. Please contact support.`
Sample:
block_error_page_description_example
|
||||
|
block_error_page_message
string
|
on success |
The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to 'Access to the website is blocked.'
Sample:
block_error_page_message_example
|
||||
|
block_response_code
integer
|
on success |
The response code returned when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `403`.
Sample:
56
|
||||
|
is_response_inspected
boolean
|
on success |
Inspects the response body of origin responses. Can be used to detect leakage of sensitive data. If unspecified, defaults to `false`.
**Note:** Only origin responses with a Content-Type matching a value in `mediaTypes` will be inspected.
Sample:
True
|
||||
|
max_argument_count
integer
|
on success |
The maximum number of arguments allowed to be passed to your application before an action is taken. If unspecified, defaults to `255`.
Sample:
56
|
||||
|
max_name_length_per_argument
integer
|
on success |
The maximum length allowed for each argument name, in characters. If unspecified, defaults to `400`.
Sample:
56
|
||||
|
max_response_size_in_ki_b
integer
|
on success |
The maximum response size to be fully inspected, in binary kilobytes (KiB). Anything over this limit will be partially inspected. If unspecified, defaults to `1024`.
Sample:
56
|
||||
|
max_total_name_length_of_arguments
integer
|
on success |
The maximum length allowed for the sum of all argument names, in characters. If unspecified, defaults to `64000`.
Sample:
56
|
||||
|
media_types
list
|
on success |
The list of media types to allow for inspection, if `isResponseInspected` is enabled. Only responses with MIME types in this list will be inspected. If unspecified, defaults to `[`text/html`, `text/plain`, `text/xml`]`.
Supported MIME types include:
- text/html - text/plain - text/asp - text/css - text/x-script - application/json - text/webviewhtml - text/x-java-source - application/x-javascript - application/javascript - application/ecmascript - text/javascript - text/ecmascript - text/x-script.perl - text/x-script.phyton - application/plain - application/xml - text/xml
|
||||
|
recommendations_period_in_days
integer
|
on success |
The length of time to analyze traffic traffic, in days. After the analysis period, `WafRecommendations` will be populated. If unspecified, defaults to `10`.
Use `GET /waasPolicies/{waasPolicyId}/wafRecommendations` to view WAF recommendations.
Sample:
56
|
||||
|
threat_feeds
complex
|
on success |
A list of threat intelligence feeds and the actions to apply to known malicious traffic based on internet intelligence.
|
||||
|
action
string
|
on success |
The action to take when traffic is flagged as malicious by data from the threat intelligence feed. If unspecified, defaults to `OFF`.
|
||||
|
description
string
|
on success |
The description of the threat intelligence feed.
Sample:
description_example
|
||||
|
key
string
|
on success |
The unique key of the threat intelligence feed.
Sample:
key_example
|
||||
|
name
string
|
on success |
The name of the threat intelligence feed.
Sample:
name_example
|
||||
|
whitelists
complex
|
on success |
A list of IP addresses that bypass the Web Application Firewall.
|
||||
|
addresses
list
|
on success |
A set of IP addresses or CIDR notations to include in the whitelist.
|
||||
|
name
string
|
on success |
The unique name of the whitelist.
Sample:
name_example
|
||||
Status¶
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors¶
- Manoj Meda (@manojmeda)
- Mike Ross (@mross22)
- Nabeel Al-Saber (@nalsaber)
Hint
If you notice any issues in this documentation you can edit this document to improve it.