Multiple conditions in a WAF rule, and unable to get it to work properly

I did try to find similar topics.

I’m trying to figure out the proper way to use WAF rules, but I’m really lost as to how it works. I’m trying to only allow US for a specific hostname and URI, and allow specific countries only.

(ip.geoip.country ne "US" and http.host ne "api.piped.fi" and http.request.uri.path ne "/webhooks/pubsub") or (not ip.geoip.country in {"DK" "EE" "FI" "SE"})

Then I set block, but that results in my access to the whole thing being blocked from Finland too. In my mind it should be:

  • If it’s not from US, with the specified host AND path of the webhook, it should be allowed.
  • If it’s from those listed geo, it should be allowed.

Instead I get blocked.

From what I see, you should be able to access api.piped.fi/webhooks/pubsub from Finland and the other countries in the list. Almost everything else would be blocked from everywhere.

(not ip.geoip.country in {"DK" "EE" "FI" "SE"})

This blocks all requests from outside these countries.

(http.host ne "api.piped.fi" and http.request.uri.path ne "/webhooks/pubsub")

The US thing at the beginning does nothing, so I will ignore it. Requests from the US are already blocked by the first part, and not US is everyone else.

This part blocks everything from everyone, unless the hostname is api.piped.fi or the path is /webhooks/pubsub.
So whatever.piped.fi/webhooks/pubsub and api.piped.fi/whatever should be accessible from the countries in your list.

What are you trying to achieve?

I’m trying to only allow Google’s FeedFetcher (which needs access to the pubsub webhook endpoint) that happens to result in traffic from US but I don’t want to allow other US sourced traffic.
While also geoblocking most countries from accessing my domain.

So it should be the full url: api.piped.fi/webhooks/pubsub that should be allowed from US. Everything else from the listed countries.

First rule:

Country equals US and hostname equals api.piped.fi and path equals /webhooks/pubsub
then
Skip remaining Rules

Though you could also use User-Agent equals Feedfetcher-Google instead of the US rule.

Second Rule:

Country not in {List of countries}
then
Block

If you want to combine both into a single rule, you would do (not (rule1)) AND (rule2) then block.

There is no “skip remaining rules” in security/waf/custom-rules/? Which is why I’m confused as to where/how this is supposed to be done?

It should look like this:


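Added example, not part of the thread and not Cloudflare's rule engine: the asker's original expression, the two ordered rules from the answer, and the combined `(not (rule1)) AND (rule2)` form, modelled as plain boolean functions and run over constructed requests. The host `piped.fi` and the path `/trending` are made-up sample values.

```python
# Rule logic from the thread, modelled as plain boolean functions.
# This is a simulation for reasoning about the expressions, not Cloudflare's engine.
ALLOWED = {"DK", "EE", "FI", "SE"}
HOOK_HOST, HOOK_PATH = "api.piped.fi", "/webhooks/pubsub"

def original_blocks(country, host, path):
    """The asker's single rule (action: Block)."""
    return (country != "US" and host != HOOK_HOST and path != HOOK_PATH) \
        or (country not in ALLOWED)

def is_us_webhook(country, host, path):
    """Rule 1 from the answer (action: Skip remaining rules)."""
    return country == "US" and host == HOOK_HOST and path == HOOK_PATH

def two_rules_block(country, host, path):
    """Rule 1 then Rule 2, evaluated in order."""
    if is_us_webhook(country, host, path):
        return False                      # skipped past the block rule
    return country not in ALLOWED         # Rule 2: Block

def combined_blocks(country, host, path):
    """Single-rule form from the answer: (not (rule1)) and (rule2) -> Block.
    In the rule language used on this page that is:
      not (ip.geoip.country eq "US" and http.host eq "api.piped.fi"
           and http.request.uri.path eq "/webhooks/pubsub")
      and not ip.geoip.country in {"DK" "EE" "FI" "SE"}
    """
    return (not is_us_webhook(country, host, path)) and (country not in ALLOWED)

# Constructed sample requests (the host "piped.fi" and path "/trending" are made up).
SAMPLES = [
    ("FI", "piped.fi", "/"),
    ("FI", "api.piped.fi", "/trending"),
    ("US", "api.piped.fi", "/webhooks/pubsub"),
    ("US", "api.piped.fi", "/trending"),
    ("DE", "api.piped.fi", "/webhooks/pubsub"),
]

def compare(samples=SAMPLES):
    """Return (request, original, two-rule, combined) block decisions."""
    return [(s, original_blocks(*s), two_rules_block(*s), combined_blocks(*s))
            for s in samples]

if __name__ == "__main__":
    for (country, host, path), orig, two, comb in compare():
        print(f"{country} {host}{path:<18} original={orig!s:<5} "
              f"two-rule={two!s:<5} combined={comb}")
```

The original expression blocks the Finnish request to `piped.fi/` because all three `ne` comparisons are true at once, and it also blocks the US webhook request through the country clause; the two-rule and combined forms agree on every sample.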