您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

Azure Front Door 上的 Azure Web 应用程序防火墙Azure Web Application Firewall on Azure Front Door

Azure Front Door 上的 Azure Web 应用程序防火墙 (WAF) 为 Web 应用程序提供集中保护。Azure Web Application Firewall (WAF) on Azure Front Door provides centralized protection for your web applications. WAF 可以防范 Web 服务遭到常见的恶意利用和出现漏洞。WAF defends your web services against common exploits and vulnerabilities. 它使服务对用户高度可用,并帮助满足合规性要求。It keeps your service highly available for your users and helps you meet compliance requirements.

Front Door 上的 WAF 是一个全球性的集中式解决方案。WAF on Front Door is a global and centralized solution. 它部署在全球各地的 Azure 网络边缘位置。It's deployed on Azure network edge locations around the globe. 启用了 WAF 的 Web 应用程序会检查 Front Door 在网络边缘传送的每个传入请求。WAF enabled web applications inspect every incoming request delivered by Front Door at the network edge.

在恶意攻击进入虚拟网络之前,WAF 会阻止这些攻击靠近攻击源。WAF prevents malicious attacks close to the attack sources, before they enter your virtual network. 你可以获得大规模的全局保护,且不会降低性能。You get global protection at scale without sacrificing performance. WAF 策略可轻松链接到订阅中的任何 Front Door 配置文件。A WAF policy easily links to any Front Door profile in your subscription. 在几分钟内就能部署新的规则,因此可以快速响应不断变化的威胁模式。New rules can be deployed within minutes, so you can respond quickly to changing threat patterns.

Azure Web 应用程序防火墙

WAF 策略和规则WAF policy and rules

可以配置一个 WAF 策略,然后将该策略与一个或多个 Front Door 前端关联,以提供保护。You can configure a WAF policy and associate that policy to one or more Front Door front-ends for protection. WAF 策略包含两种类型的安全规则:A WAF policy consists of two types of security rules:

  • 客户创作的自定义规则。custom rules that are authored by the customer.

  • 托管规则集,即由 Azure 托管的预配置规则设置的集合。managed rule sets that are a collection of Azure-managed pre-configured set of rules.

如果两者均存在,则先处理自定义规则,然后处理托管规则集中的规则。When both are present, custom rules are processed before processing the rules in a managed rule set. 规则由匹配条件、优先级和操作组成。A rule is made of a match condition, a priority, and an action. 支持的操作类型包括:允许、阻止、记录和重定向。Action types supported are: ALLOW, BLOCK, LOG, and REDIRECT. 可以组合托管规则和自定义规则以创建满足特定应用程序保护要求的完全自定义策略。You can create a fully customized policy that meets your specific application protection requirements by combining managed and custom rules.

策略中的规则按优先顺序进行处理。Rules within a policy are processed in a priority order. “优先级”是唯一的整数,定义规则的处理顺序。Priority is a unique integer that defines the order of rules to process. 整数值越小表示优先级越高,这些规则的评估顺序先于整数值较大的规则。Smaller integer value denotes a higher priority and those rules are evaluated before rules with a higher integer value. 匹配规则后,规则中定义的相应操作将应用于请求。Once a rule is matched, the corresponding action that was defined in the rule is applied to the request. 处理此类匹配后,不再进一步处理优先级较低的规则。Once such a match is processed, rules with lower priorities aren't processed further.

Front Door 交付的 Web 应用程序一次只能与一个 WAF 策略关联。A web application delivered by Front Door can have only one WAF policy associated with it at a time. 但可以使用 Front Door 配置,且无需将其与任何 WAF 策略关联。However, you can have a Front Door configuration without any WAF policies associated with it. 如果 WAF 策略存在,它将复制到所有边缘位置,以确保全球的安全策略保持一致。If a WAF policy is present, it's replicated to all of our edge locations to ensure consistent security policies across the world.

WAF 模式WAF modes

WAF 策略可配置为在以下两种模式下运行:WAF policy can be configured to run in the following two modes:

  • 检测模式: 在检测模式下运行时,WAF 除进行监视并将请求及其匹配的 WAF 规则记录到 WAF 日志中以外,不会执行任何其他操作。Detection mode: When run in detection mode, WAF doesn't take any other actions other than monitors and logs the request and its matched WAF rule to WAF logs. 可为 Front Door 启用日志诊断。You can turn on logging diagnostics for Front Door. 如果使用门户,请转到“诊断”部分。When you use the portal, go to the Diagnostics section.

  • 阻止模式: 在阻止模式下,如果请求与规则匹配,WAF 将执行指定的操作。Prevention mode: In prevention mode, WAF takes the specified action if a request matches a rule. 如果找到匹配项,则不会评估优先级更低的规则。If a match is found, no further rules with lower priority are evaluated. 任何匹配的请求也会记录在 WAF 日志中。Any matched requests are also logged in the WAF logs.

WAF 操作WAF actions

如果请求匹配规则的条件,WAF 客户可以选择运行其中某个操作:WAF customers can choose to run from one of the actions when a request matches a rule’s conditions:

  • 允许: 请求通过 WAF 传递并转发到后端。Allow: Request passes through the WAF and is forwarded to back-end. 没有其他优先级较低的规则可以阻止此请求。No further lower priority rules can block this request.
  • 阻止: 请求受阻,WAF 将响应发送到客户端,且不会将请求转发到后端。Block: The request is blocked and WAF sends a response to the client without forwarding the request to the back-end.
  • 记录: 请求记录在 WAF 日志中,且 WAF 继续评估优先级较低的规则。Log: Request is logged in the WAF logs and WAF continues evaluating lower priority rules.
  • 重定向: WAF 将请求重定向到指定的 URI。Redirect: WAF redirects the request to the specified URI. 指定的 URI 是策略级别设置。The URI specified is a policy level setting. 配置后,与“重定向”操作匹配的所有请求都将发送到该 URI。Once configured, all requests that match the Redirect action will be sent to that URI.

WAF 规则WAF rules

WAF 策略可以由安全规则(由客户创作的自定义规则)和托管规则集(由 Azure 托管的预配置规则集)这两种类型组成。A WAF policy can consist of two types of security rules - custom rules, authored by the customer and managed rulesets, Azure-managed pre-configured set of rules.

自定义创作规则Custom authored rules

可按如下方式配置自定义规则 WAF:You can configure custom rules WAF as follows:

  • IP 允许列表和阻止列表: 可以基于客户端 IP 地址列表或 IP 地址范围来控制对 Web 应用程序的访问。IP allow list and block list: You can control access to your web applications based on a list of client IP addresses or IP address ranges. 支持 IPv4 和 IPv6 地址类型。Both IPv4 and IPv6 address types are supported. 可将此列表配置为阻止或允许源 IP 与列表中的 IP 匹配的请求。This list can be configured to either block or allow those requests where the source IP matches an IP in the list.

  • 基于地理位置的访问控制: 可以基于与客户端 IP 地址相关联的国家/地区代码来控制对 Web 应用程序的访问。Geographic based access control: You can control access to your web applications based on the country code that's associated with a client’s IP address.

  • 基于 HTTP 参数的访问控制: 可使规则基于 HTTP/HTTPS 请求参数中的字符串匹配项。HTTP parameters-based access control: You can base rules on string matches in HTTP/HTTPS request parameters. 例如,查询字符串、POST 参数、请求 URI、请求标头和请求正文。For example, query strings, POST args, Request URI, Request Header, and Request Body.

  • 基于请求方法的访问控制: 使规则基于请求的 HTTP 请求方法。Request method-based access control: You based rules on the HTTP request method of the request. 例如 GET、PUT 或 HEAD。For example, GET, PUT, or HEAD.

  • 大小约束: 可使规则基于请求的特定部分(例如查询字符串、URI 或请求正文)的长度。Size constraint: You can base rules on the lengths of specific parts of a request such as query string, Uri, or request body.

  • 速率限制规则: 速率控制规则用于限制任何客户端 IP 发出的异常高的流量。Rate limiting rules: A rate control rule is to limit abnormal high traffic from any client IP. 对于客户端 IP 在一分钟内允许的 Web 请求数,可以配置一个阈值。You may configure a threshold on the number of web requests allowed from a client IP during a one-minute duration. 此规则与基于 IP 列表的允许/阻止自定义规则不同,后者允许或阻止客户端 IP 的所有请求。This rule is distinct from an IP list-based allow/block custom rule that either allows all or blocks all request from a client IP. 速率限制可以与其他匹配条件(例如用于粒度速率控制的 HTTP(S) 参数匹配)结合使用。Rate limits can be combined with additional match conditions such as HTTP(S) parameter matches for granular rate control.

Azure 托管的规则集Azure-managed rule sets

Azure 托管的规则集可轻松针对一组常见的安全威胁来部署保护。Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. 由于此类规则集由 Azure 托管,因此这些规则会根据需要进行更新以预防新的攻击签名。Since such rulesets are managed by Azure, the rules are updated as needed to protect against new attack signatures. Azure 托管的默认规则集包含针对以下威胁类别的规则:Azure-managed Default Rule Set includes rules against the following threat categories:

  • 跨站点脚本Cross-site scripting
  • Java 攻击Java attacks
  • 本地文件包含Local file inclusion
  • PHP 注入攻击PHP injection attacks
  • 远程命令执行Remote command execution
  • 远程文件包含Remote file inclusion
  • 会话固定Session fixation
  • SQL 注入保护SQL injection protection
  • 协议攻击者Protocol attackers

将新的攻击签名添加到规则集时,默认规则集的版本号将递增。The version number of the Default Rule Set increments when new attack signatures are added to the rule set. 默认规则集在 WAF 策略的检测模式下默认启用。Default Rule Set is enabled by default in Detection mode in your WAF policies. 可以禁用或启用默认规则集内的各个规则以满足应用程序要求。You can disable or enable individual rules within the Default Rule Set to meet your application requirements. 还可以根据规则设置特定操作(允许/阻止/重定向/记录)。You can also set specific actions (ALLOW/BLOCK/REDIRECT/LOG) per rule.

有时你可能需要忽略 WAF 评估中的某些请求属性。Sometimes you may need to omit certain request attributes from a WAF evaluation. 一个常见的例子是用于身份验证的 Active Directory 插入令牌。A common example is Active Directory-inserted tokens that are used for authentication. 可以为托管规则、规则组或整个规则集配置排除列表。You may configure an exclusion list for a managed rule, rule group, or for the entire rule set.

默认操作为“阻止”。The Default action is to BLOCK. 此外,如果想要绕过默认规则集中的任何预配置规则,可以在同一 WAF 策略中配置自定义规则。Additionally, custom rules can be configured in the same WAF policy if you wish to bypass any of the pre-configured rules in the Default Rule Set.

在评估默认规则集中的规则之前,自定义规则始终适用。Custom rules are always applied before rules in the Default Rule Set are evaluated. 如果请求与某个自定义规则相匹配,将应用相应的规则操作。If a request matches a custom rule, the corresponding rule action is applied. 请求将被阻止,或通过后端传递。The request is either blocked or passed through to the back-end. 不会处理任何其他自定义规则或默认规则集中的规则。No other custom rules or the rules in the Default Rule Set are processed. 还可以从 WAF 策略中删除默认规则集。You can also remove the Default Rule Set from your WAF policies.

机器人防护规则集(预览版)Bot protection rule set (preview)

可以启用托管机器人防护规则集,以便针对来自已知机器人类别的请求执行自定义操作。You can enable a managed bot protection rule set to take custom actions on requests from known bot categories.

支持三种机器人类别:“不良”、“良好”和“未知”。There are three bot categories supported: Bad, Good, and Unknown. 机器人签名由 WAF 平台管理和动态更新。Bot signatures are managed and dynamically updated by the WAF platform.

不良的机器人包括来自恶意 IP 地址的机器人,以及伪造了其身份的机器人。Bad bots include bots from malicious IP addresses and bots that have falsified their identities. 恶意 IP 地址源自于 Microsoft 威胁情报源,每小时更新一次。Malicious IP addresses are sourced from the Microsoft Threat Intelligence feed and updated every hour. Intelligent Security Graph 为 Microsoft 威胁智能助力,它已得到 Azure 安全中心等多项服务的运用。Intelligent Security Graph powers Microsoft Threat Intelligence and is used by multiple services including Azure Security Center.

善意机器人包括经过验证的搜索引擎。Good Bots include validated search engines. “未知”类别包括将自身标识为机器人的其他机器人组。Unknown categories include additional bot groups that have identified themselves as bots. 例如市场分析器、源提取器和数据收集代理。For example, market analyzer, feed fetchers and data collection agents.

未知的机器人是通过已发布的用户代理分类的,未经过附加的验证。Unknown bots are classified via published user agents without additional validation. 可为不同类型的机器人设置自定义的阻止、允许、记录或重定向操作。You can set custom actions to block, allow, log, or redirect for different types of bots.

机器人防护规则集

重要

机器人防护规则集当前为公共预览版,并提供预览版服务级别协议。The Bot protection rule set is currently in public preview and is provided with a preview service level agreement. 某些功能可能不受支持或者受限。Certain features may not be supported or may have constrained capabilities. 有关详细信息,请参阅 Microsoft Azure 预览版补充使用条款See the Supplemental Terms of Use for Microsoft Azure Previews for details.

如果启用了机器人防护,则与机器人规则匹配的传入请求将记录在 FrontdoorWebApplicationFirewallLog 日志中。If bot protection is enabled, incoming requests that match bot rules are logged at the FrontdoorWebApplicationFirewallLog log. 可从存储帐户、事件中心或日志分析访问 WAF 日志。You may access WAF logs from a storage account, event hub, or log analytics.

配置Configuration

可以使用 Azure 门户、REST API、Azure 资源管理器模板和 Azure PowerShell 来配置和部署所有 WAF 规则类型。You can configure and deploy all WAF rule types using the Azure portal, REST APIs, Azure Resource Manager templates, and Azure PowerShell.

监视Monitoring

在 Front Door 监视 WAF 与 Azure Monitor 集成,以便跟踪警报并轻松监视流量趋势。Monitoring for WAF at Front Door is integrated with Azure Monitor to track alerts and easily monitor traffic trends.

后续步骤Next steps