In March 2021, AWS introduced support for customized responses and request header insertion with AWS WAF . This website post will demonstrate ways to use these new functions to customize your AWS WAF treatment for improve the user encounter and security position of your applications.

HTTP response codes are regular responses sent by way of a server in reaction to litigant request. When AWS WAF blocks a ask for, the default response program code sent back to your client is HTTP 403 (Forbidden). The HTTP 403 response code is of a default error web page built by the net server engine. This site is generic rather than user-friendly typically. With the Custom Reaction feature, AWS WAF today allows you to change the status program code from HTTP 403 to HTTP 2xx, 3xx, 4xx, and 5xx, also to return a customized body when the demand is usually blocked by AWS WAF. The customized responses special to AWS WAF furthermore permit you to differentiate blocked requests generated by AWS WAF or your server.

When inspected HTTP requests are allowed simply by AWS WAF, the request is passed to the associated reference. Now you be capable of insert custom HTTP ask for headers for every rule within your web access manage list (web ACL) established to allow or count, and you will create additional logic together with your program by tagging these requests with the headers.

We are outlining three different make use of cases showing how these AWS may be used by you WAF features.

Make use of case 1: Custom reaction code

In this illustration, you will utilize the custom reaction code function to redirect a viewer demand to a new webpage. You utilize HTTP 3xx reaction codes to redirect the incoming ask for, and utilize the HTTP header Place to specify the web site URL for redirection. Determine 1 shows a synopsis of the workflow.

Number 1 illustrates the next steps:

1. AWS WAF includes a rate-based rule to permit 100 requests every five minutes.
2. A user sends several breaches and requests AWS WAF rate-based guidelines threshold.
3. AWS WAF blocks any more requests from an individual.
4. The AWS WAF custom response code feature modifies the response code from HTTP 403 to HTTP 302 – Short-term Redirect with a Area header specifying the redirected URL.

Configure the AWS WAF internet principle and ACL for customized response code

To generate a credit card applicatoin Load Balancer and associate it to AWS WAF

1. Adhere to the steps in order to configure lots balancer and the listener to generate an internet-dealing with load balancer in the N.Virginia AWS Area.
2. Following the load balancer is established, open the particular AWS WAF system.
3. In the routing pane, choose Internet ACLs, and choose &lt then;strong>Create internet ACL in US east (N.Virginia) Area.
4. For Title, enter the real name that you would like to use to recognize this web ACL.
5. For Reference type, pick the Program Load Balancer that you produced in Step one 1 and select Include.
6. Choose Next.
7. Choose Include rules and choose Include my very own rule and rules organizations.
8. For Title, enter the real name you want to use to recognize this rule.
9. For Guideline type, select Price-centered rule.
10. For Price restrict, enter 100.
11. Under Activities, keep carefully the default actions of Prevent and enable Custom made response.
12. Enter the reaction code as 302.
13. Under Reaction headers, put in a new customized header with Essential as Place and Worth as instance.com
14. Choose Include guideline.
15. Continue steadily to select Next to attain the summary web page, and then select Create new internet ACL.

Following the web ACL is established, the web ought to be seen by you ACL configuration as shown in Figure 2.

Today, the set up is complete. A internet is had by you ACL with a rate-based principle configured to redirect blocked requests to another URL. To verify that the set up is working needlessly to say, it is possible to enable and analyze the AWS WAF logs for a check user that’s sending a lot more than 100 requests in an interval of five minutes.

In Amount 3, you can view the custom response program code of 302 being delivered to the test user instance.

In the illustration in Figure 3, we tested our configuration with a user send a lot more than 100 requests from the PC to trigger a block. To verify the Area header, we analyzed the system traffic utilizing the developer equipment of the browser. As you can plainly see in Figure 4, the custom is roofed by the response header Place with the configured redirect URL.

Make use of case 2: Custom mistake page

In this instance, the AWS will undoubtedly be utilized by you WAF custom mistake page to path the request to a new error page, compared to the default web server error pages rather. As possible plainly see in Physique 5, the workflow is comparable to use situation 1.

Number 5 shows the next steps:

1. AWS WAF includes a rate-based rule to permit 100 requests every five minutes.
2. The user sends several requests and breaches AWS WAF rate-based guidelines threshold.
3. AWS WAF blocks any more requests from an individual.
4. AWS WAF custom made response code function modifies the response program code to HTTP 307 – Temporary Redirect and responds with a custom made error web page with the information Many Requests&lt too;/em>.

To configure the AWS WAF internet guideline and ACL for custom made error page

1. In the AWS WAF system, in the routing pane, select Internet ACLs, and choose the internet ACL that you developed in use situation 1.
2. Select Guidelines tab and choose Put rules and choose Include my very own rules and rule teams.
3. For Title, enter the title that you would like to use to recognize this principle.
4. For Principle type, select Rate-centered rule.
5. For Price restriction, enter 100.
6. Under Activities, keep carefully the default activity of Block and enable Custom made reaction.
7. For the reaction code, enter 307.
8. For Select how you wish to specify the reaction body, choose Develop a custom response entire body.
9. The pop-up box shall open up. Enter a true title for the Response entire body object title.
10. For Content material type, it is possible to select JSON, HTML, or Basic Textual content. In this example, we go for Plain Textual content.
11. For Reaction entire body, enter any sample textual content. In this illustration, we enter It is a sample custom error page. Choose &lt then;strong>Save.
12. Choose Increase Guideline.
13. For Place guideline priority, move your brand-new rule to the very best so that this principle is processed initial.

Shape 6 shows a listing of the price based-rule designed for use situation 2.

Today, the set up is complete. A internet is had by you ACL with a rate-based guideline configured to redirect blocked requests to various URL. To verify the set up is working needlessly to say, you can evaluate the AWS WAF logs for a check user that’s sending a lot more than 100 requests in an interval of five minutes. Figure 7 displays the custom response program code of 307 getting delivered to our example test consumer instance.

Once you access the strain balancer URL from your own browser, the custom ought to be seen by you error page much like Figure 8.

Use situation 3: Header insertion for ask for tagging

This example demonstrates the AWS WAF header insertion capacity to route the request predicated on geolocation. You shall utilize the header country-verify to notify the application form Load Balancer to path the request to another target group, utilizing the Application Load Balancer superior routing function.

Physique 9 shows the next steps:

1. Consumer sends demand to the application form Load Balancer that’s attached with AWS WAF.
2. AWS WAF applies a geographic place rule which allows requests from unexpected nations in &lt conditionally;strong>Count setting.
3. AWS WAF adds a customized HTTP ask for header to tag this demand.
4. A CREDIT CARD APPLICATOIN Load Balancer listener principle is configured to path requests predicated on this header.
5. Demand tagged by AWS WAF with the customized header is routed to another target team.

To include a geographical location guideline for ask for header insertion

1. In the AWS WAF system, in the routing pane, select Internet ACLs, and choose the internet ACL that you made in use situation 1.
2. On the Guidelines tab, choose Include rules and choose Include my very own rules and rule groupings.
3. For Title, enter the title you want to use to recognize this principle.
4. For Principle type, select Normal guideline.
5. For In case a request, choose doesn’t match the declaration (NOT).
6. For Inspect, choose Hails from a national country within.
7. In this instance, normal traffic hails from United States; therefore under Nation codes, choose USA – All of us.
8. For Ip to use to look for the national nation of origin, Choose Supply IP Deal with.
9. For Activity, select Count. This can allow requests to end up being logged and tagged while digesting other guidelines that follow.
10. Expand Customized request, select Add brand new custom made header. For Important, select country-verify and for Worth, select real.
    

    Take note: customized request headers are usually prefixed with x-amzn-waf-

11. Choose Conserve principle.
12. Set guideline priority, move your brand-new rule to the very best to permit first this rule in order to be processed.
13. Choose Save.

Because of this use-case, you create a geographical location principle to check on for requests that result from countries outside the normal traffic movement of one’s application (in this illustration, america). You don’t want to prevent the requests immediately, but rather tag the requests set off by this AWS WAF guideline for more validation downstream by the application form logic. To path the tagged requests differently, you utilize ALB advanced demand routing feature to path AWS WAF tagged visitors to a new target team.

It is possible to verify the header inserted by the principle by enabling AWS WAF complete logs and considering the requestHeadersInserted log industry, as shown in Shape 11.

Bottom line

AWS WAF supplies the ability to develop a custom reaction for blocked requests by changing the position code and response entire body. The header insertion capacity enables you to tag requests permitted by AWS WAF for the application to execute another motion.

In this article, we demonstrated you three basic use-cases to show how you can develop a better user encounter by redirecting users to some other location rather than responding with a denied web page. We demonstrated you ways to create customized AWS WAF guidelines by tagging the obtain the application logic to view it has already been inspected, and how you may make a decision for this given information.

If you’re not used to AWS WAF, see Getting started off with AWS WAF.

When you have feedback concerning this post, submit remarks in the Remarks area below. Should you have questions concerning this post, start a brand new thread on the AWS WAF discussion board or contact AWS Assistance.

Want a lot more AWS Security how-to articles, news, and show announcements? Stick to us on Twitter.