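# NOTE(review): this listing had lost its indentation; the nesting below is
# reconstructed from the key names - confirm against the project's config schema.
proxy:
  host: "http://192.168.0.1:8888" # Host for traffic proxy

api:
  auth:
    enabled: true
    # Sample credentials: replace both values before the API is reachable
    # by anyone other than the operator.
    username: 'admin'
    password: 'admin'

metrics:
  enabled: true
  auth:
    # NOTE(review): metrics are enabled while auth is off - presumably the
    # endpoint is then served without credentials; enable auth or restrict
    # access at the network level. The username/password below are samples.
    enabled: false
    username: 'admin'
    password: 'admin'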
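# NOTE(review): this listing had lost its indentation; the nesting below
# (underAttack, whitelist, blacklist and detectClient* under wafMiddleware) is
# reconstructed from the key names - confirm against the project's config schema.
wafMiddleware:
  # Policy audit mode makes the WAF allow all traffic while logging every
  # connection that the policies would otherwise drop. Default value: audit
  mode: normal # or audit
  bannedResponse:
    httpCode: 429 # OPTIONAL Default: 429
    json: '' # OPTIONAL Default: JSON object with error text
    html: '' # OPTIONAL
    htmlLink: '' # OPTIONAL
  # Under Attack Mode configuration
  underAttack:
    enabled: true # enable under attack mode
    challengeDurationMs: 1800000 # 30 minutes token validity
    # All conditions must be met. If the array is empty, the module applies to all requests.
    conditions: []
    # - field: 'hostname' # or url, user-agent, header-<header-name>, geo-country, geo-city
    #   check: # If any method matches, the check is considered successful
    #     - method: 'equals'
    #       values: [ "foo-bar.com", "foo-bar.net", "foo-bar.io" ]
    # Fingerprint checks settings
    fingerprintChecks:
      enabled: true
      minScore: 70 # minimum score to pass (0-100)
    # Bot detection settings
    botDetection:
      enabled: true
      aiModel: "advanced" # basic or advanced (advanced recommended)
      blockSuspiciousUA: true
    # Tamper-proof check settings
    advancedChecks:
      enabled: true # Enable advanced checks
      challengeTimeout: 120 # Maximum time for a challenge in seconds
      minBrowserProofScore: 60 # Minimum score for browser proofs (0-100)
    # Challenge page settings
    challengePage:
      title: "Security Check"
      # path: "/path/to/custom/challenge.html" # custom page
    # URLs that don't require verification. Keep this list as narrow as
    # possible: everything matched here is served without the challenge.
    skipUrls:
      - "/__under_attack_challenge"
      - "/favicon.ico"
      - "/robots.txt"
      - "/api/webhook/*" # wildcard support
    # Cookie name for token
    cookieName: "waf"
    # Header for bypassing verification (for trusted services).
    # The value acts as a shared secret: replace the sample with a long random
    # string, keep it out of version control, and have the edge proxy strip
    # this header from requests that do not come from the trusted services.
    bypassHeaders:
      - name: "X-Bypass-UnderAttack"
        value: "secret-key-12345"
  whitelist:
    ips: [ '10.0.0.1', '10.0.0.2' ] # OPTIONAL
    ipSubnet: [ '192.168.0.0/22', '10.0.0.0/22' ] # OPTIONAL
    # NOTE(review): 'USA' and 'CA' use different code lengths - confirm which
    # format the country source (see detectClientCountry) actually emits.
    geoCountry: [ 'USA', 'CA' ] # OPTIONAL
    geoCity: [ 'Lviv' ] # OPTIONAL
  # NOTE(review): the sample entries are identical to the whitelist above;
  # which list takes precedence is not visible here - do not reuse as-is.
  blacklist:
    ips: [ '10.0.0.1', '10.0.0.2' ] # OPTIONAL
    ipSubnet: [ '192.168.0.0/22', '10.0.0.0/22' ] # OPTIONAL
    geoCountry: [ 'USA', 'CA' ] # OPTIONAL
    geoCity: [ 'Lviv' ] # OPTIONAL
  # Request headers consulted for the client IP. They are only trustworthy
  # when a proxy/CDN you control sets or overwrites them; if clients can reach
  # the WAF directly, the IP lists and bans are keyed on a client-chosen value.
  # List only the headers your own edge populates.
  detectClientIp:
    headers: ['fastly-client-ip', 'cf-connecting-ip', 'x-original-forwarded-for']
  # The same trust requirement applies to the geo headers below, since they
  # feed the geoCountry / geoCity lists.
  detectClientCountry:
    method: header
    header: 'X-client-country'
  detectClientCity:
    method: header
    header: 'X-client-city'
  detectClientRequestId: # OPTIONAL
    header: 'X-RequestId'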
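# NOTE(review): this listing had lost its indentation; the nesting below
# (including filterRules under jailManager) is reconstructed from the key
# names - confirm against the project's config schema.
jailManager:
  # NOTE(review): disabled in this sample; presumably the filterRules below
  # are not enforced until it is enabled - confirm.
  enabled: false # OPTIONAL
  # loadInterval: 10 # OPTIONAL seconds Default: 30
  # flushInterval: 10 # OPTIONAL seconds Default: 30
  # flushAlways: true # OPTIONAL Default false
  storage:
    driver: file # or operator or memory, if not set - default value - memory
    driverConfig: # OPTIONAL for some drivers
      filePath: data/blocked_ips.json
      # NOTE(review): whether locker belongs here or directly under storage
      # could not be recovered from the listing - confirm.
      locker:
        enabled: true
        config:
          retries: 3
  filterRules:
    - name: "static-rule-1"
      type: "static"
      # NOTE(review): presumably a remote source re-read every updateInterval
      # seconds - confirm; point it at an HTTPS endpoint you control, since
      # its content decides who gets blocked.
      linkUrl: "https://httpbin.org/status/200"
      updateInterval: 120 # in seconds
    - name: "composite-rule-1"
      type: "composite"
      uniqueClientKey: ["ip", "user-agent", "hostname", "url", "geo-country", "geo-city"]
      conditions: # All conditions must be met
        - field: 'hostname' # or url, user-agent, header-<header-name>, geo-country, geo-city
          check: # If any method matches, the check is considered successful
            - method: 'equals'
              values: ["foo-bar.com", "foo-bar.net", "foo-bar.io"]
            - method: 'regexp'
              # Single-quoted so the backslash stays literal: `\.` is not a
              # valid escape inside a double-quoted YAML scalar.
              values: ['/bar-baz\.(com|net|io)/i']
        - field: 'url' # or hostname, user-agent, header-<header-name>, geo-country, geo-city
          check: # If any method matches, the check is considered successful
            - method: 'equals'
              values: [ "/admin.php", "/phpinfo.php", "/.env" ]
            - method: 'regexp'
              values: [ "/wp-(admin|include|content)/i" ]
      period: 60 # Window, in seconds, over which requests are counted
      limit: 5 # If the number of requests within the period exceeds the limit, ban
      duration: 180 # Ban length in seconds once the limit is exceeded
      escalationRate: 1.3 # OPTIONAL
    - name: "flexible-rule-1"
      type: "flexible"
      conditions: # All conditions must be met
        - field: 'hostname' # or url, user-agent, header-<header-name>, geo-country, geo-city
          check: # If any method matches, the check is considered successful
            - method: 'equals'
              values: ["foo-bar.com", "foo-bar.net", "foo-bar.io"]
            - method: 'regexp'
              # Single-quoted so the backslash stays literal: `\.` is not a
              # valid escape inside a double-quoted YAML scalar.
              values: ['/bar-baz\.(com|net|io)/i']
        - field: 'url' # or hostname, user-agent, header-<header-name>, geo-country, geo-city
          check: # If any method matches, the check is considered successful
            - method: 'equals'
              values: [ "/admin.php", "/phpinfo.php", "/.env" ]
            - method: 'regexp'
              values: [ "/wp-(admin|include|content)/i" ]
      period: 60 # Window, in seconds, over which requests are counted
      limit: 5 # If the number of requests within the period exceeds the limit, ban
      duration: 180 # Ban length in seconds once the limit is exceeded
      escalationRate: 1.1 # OPTIONAL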
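# Error reporting. The listing this was taken from had lost its indentation;
# the three keys below are nested under sentry.
sentry:
  enabled: false
  # Empty in the sample; supply the DSN through deployment configuration
  # rather than committing it.
  dsn: ''
  # NOTE(review): debug is on in the sample - presumably verbose SDK
  # diagnostics; confirm and turn it off outside development.
  debug: true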