Firewall rules: Allow specific header value

I’ve read the Firewall docs but can’t seem to set up a Firewall rule to allow a specific rule. This is what I’d like to set up:

Allow requests to go through if:

  • X-Custom-Header custom header contains a specific string 0058f23a2313c8a56d2610db420d181f
  • X-Custom-Header custom header contains another specific string ed17dc70b5e27adba6d2f800d3d55970
  • is on a specific path: https://example.com/path/to/something

This is what I wrote:

any(http.request.headers["x-custom-header"][*] contains "0058f23a2313c8a56d2610db420d181f") 
and any(http.request.headers["x-custom-header"][*] contains "ed17dc70b5e27adba6d2f800d3d55970") 
and (http.request.full_uri eq "https://example.com/path/to/something")

and I’ve set the rule to Allow.

Is there something that’s not letting these requests through?

This is the first rule in the list and nothing is passing through so I assumed that something is not working.

I don’t understand why you feel you need this rule. All legitimate traffic is allowed by default. Is there a rule later that’s blocking requests?

I see. This is the first rule that allows something, and then the second rule is to block all requests not coming from a list of specific IPs.

To give better context:

  • Allow Rule 1: use request headers to whitelist a bunch of health monitors with changing IPs. This is used for monitoring the health of a site.
  • Block Rule 2: block all IPs not from a list of IPs that I want to be allowed to access the site.

Do these two conditions happen at the same time? Or will only either one happen at one time?

If nothing is passing through, check the Firewall Event Log to see why. Most likely it’s that second rule, because the first rule isn’t triggering for some reason. Which is why you’re posting here.

@erictung knows far more about this type of rule than I. I wonder if “contains” doesn’t work for custom header checks.

“contains” probably works, but I have never tried it before, so I can’t give an exact answer.

For now I’m curious about this:


It does seem like it’s checking to make sure two headers ~match~ for a given path to Allow access.

Oh sorry, so he is actually referring to two different headers with different values.

This is what I’m actually trying to check.

I don’t know the exact string of the value, so I need to check that it contains a specific value.

I realize that I’m being cryptic here because I don’t want to accidentally reveal what I am checking (our site gets botted quite often and I don’t want anyone to try to guess what I’m doing and then be able to bypass the firewall).

But in essence, I need to check for the presence of two exact strings inside a custom header value, in the form of:

"X-Foo-Bar": "some unknown text followed by exact-text-that-i-want-to-check and then some other text followed by another-string-of-exact-text-that-i-want-to-check"

Hope this is clear. So that’s why I just check for two values inside a header (and based on the docs I assume that I would check for the x-foo-bar header name in all lower case).
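To make the semantics of the posted expression concrete, here is an added Python model of how it evaluates (example code written for this thread, not Cloudflare’s engine): each `any(... contains ...)` is a substring test over every value of the header, and `eq` on `http.request.full_uri` is an exact string comparison. It assumes header names are looked up lower-cased and that `full_uri` carries scheme, host, path and query string; the token values are the ones quoted in the thread and the requests are constructed samples.

```python
from typing import Dict, List

# Tokens and path as posted in the thread; the requests below are constructed samples.
TOKEN_A = "0058f23a2313c8a56d2610db420d181f"
TOKEN_B = "ed17dc70b5e27adba6d2f800d3d55970"
ALLOWED_URI = "https://example.com/path/to/something"

Headers = Dict[str, List[str]]  # lower-cased name -> list of values (a header may repeat)


def header_values(headers: Headers, name: str) -> List[str]:
    """Model of http.request.headers[name]: every value of that header, name lower-cased."""
    return headers.get(name.lower(), [])


def rule_allows(headers: Headers, full_uri: str) -> bool:
    """Mirror of the posted rule: two independent any(...contains...) checks and one exact URI match."""
    values = header_values(headers, "X-Custom-Header")
    has_a = any(TOKEN_A in value for value in values)
    has_b = any(TOKEN_B in value for value in values)
    return has_a and has_b and full_uri == ALLOWED_URI


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over constructed requests that exercise its edge cases."""
    both_in_one = {"x-custom-header": [f"prefix {TOKEN_A} middle {TOKEN_B} suffix"]}
    split_across = {"x-custom-header": [f"only {TOKEN_A}", f"only {TOKEN_B}"]}
    only_one = {"x-custom-header": [f"only {TOKEN_A}"]}
    return {
        # The case the poster describes: both exact strings inside one header value.
        "both_tokens_one_value": rule_allows(both_in_one, ALLOWED_URI),
        # The two any() checks are independent, so tokens split over two header values also pass.
        "tokens_split_over_two_values": rule_allows(split_across, ALLOWED_URI),
        # Missing one token fails the second any().
        "only_one_token": rule_allows(only_one, ALLOWED_URI),
        # eq is exact: a query string makes full_uri differ from the literal (assumed field semantics).
        "query_string_appended": rule_allows(both_in_one, ALLOWED_URI + "?probe=1"),
        # Header absent entirely: both any() checks are false.
        "no_header": rule_allows({}, ALLOWED_URI),
    }


if __name__ == "__main__":
    for case, allowed in evaluate_samples().items():
        print(f"{case}: {'allow' if allowed else 'no match'}")
```

The model is only as faithful as its assumptions; the Firewall Event Log mentioned above remains the authoritative check of what actually matched.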