Li, Qiao d62a949ca4 WAF Dedicated API 20240227 version

Reviewed-by: Belejkanic, Lukas <lukas.belejkanic@t-systems.com>
Co-authored-by: Li, Qiao <qiaoli@huawei.com>
Co-committed-by: Li, Qiao <qiaoli@huawei.com>

2024-07-30 08:02:28 +00:00

75 KiB

Raw Permalink Blame History

Modifying a Domain Name Protected by a Dedicated WAF Instance

Function

This API is used to modify a domain name protected by a dedicated WAF instance.

URI

PUT /v1/{project_id}/premium-waf/host/{host_id}

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID
host_id	Yes	String	ID of the domain name protected by the dedicated WAF engine

Request Parameters

**Table 2** Request header parameters
Parameter	Mandatory	Type	Description
Content-Type	Yes	String	Content type. Default value: application/json;charset=utf8 Default: application/json;charset=utf8
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API (value of X-Subject-Token in the response header).

**Table 3** Request body parameters
Parameter	Mandatory	Type	Description
proxy	No	Boolean	Whether a proxy is used for the domain name. If your website has no layer-7 proxy server such as CDN and cloud acceleration service deployed in front of WAF and uses only layer-4 load balancers (or NAT), set Proxy Configured to No. Otherwise, Proxy Configured must be set to Yes. This ensures that WAF obtains real IP addresses of website visitors and takes protective actions configured in protection policies.
certificateid	No	String	HTTPS certificate ID. It can be obtained by calling the ListCertificates API.
certificatename	No	String	HTTPS certificate name. It can be obtained by calling the ListCertificates API. Certifacteid and certificatename are required at the same. If certificateid does not match certificatename, an error is reported.
tls	No	String	Minimum TLS version supported. TLS v1.0 is used by default. The value can be:TLS v1.0TLS v1.1TLS v1.2TLS v1.3
cipher	No	String	Cipher suite. The value can be: cipher_1: ECDHE-ECDSA-AES256-GCM-SHA384:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!DES:!MD5:!PSK:!RC4:!kRSA:!SRP:!3DES:!DSS:!EXP:!CAMELLIA:@STRENGTH cipher_2: EECDH+AESGCM:EDH+AESGCM cipher_3: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH cipher_4. ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!EDH cipher_default: ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM
protect_status	No	Integer	WAF status of the protected domain name. 0: Suspended. WAF only forwards requests for the domain name but does not detect attacks. 1: Enabled. WAF detects attacks based on the configured policy.
server	No	Array of PremiumWafServer objects	Server configuration in dedicated mode
block_page	No	BlockPage object	Alarm configuration page
flag	No	Flag object	Feature switch for configuring compliance certification checks for domain names protected with the dedicated WAF instance.
traffic_mark	No	TrafficMark object	Traffic identifier
circuit_breaker	No	CircuitBreaker object	Circuit breaker configuration
timeout_config	No	TimeoutConfig object	Timeout settings
web_tag	No	String	website name
description	No	String	website remarks

**Table 4** PremiumWafServer
Parameter	Mandatory	Type	Description
front_protocol	Yes	String	Client protocol Enumeration values: HTTP HTTPS
back_protocol	Yes	String	Server protocol Enumeration values: HTTP HTTPS
address	Yes	String	IP address or domain name of the origin server that the client accesses.
port	Yes	Integer	Server port
type	Yes	String	The origin server address is an IPv4 or IPv6 address. Default value: ipv4 Enumeration values: ipv4 ipv6
vpc_id	Yes	String	VPC ID. Perform the following steps to obtain the VPC ID: 1.Find the name of the VPC where the dedicated engine is located. The VPC name is in the VPC\Subnet column. Log in to the WAF console and choose Instance Management > Dedicated Engine > VPC\Subnet. Log in to the VPC console and click the VPC name. On the page displayed, copy the VPC ID in the VPC Information area.
weight	No	Integer	This parameter is reserved and can be ignored currently.

**Table 5** BlockPage
Parameter	Mandatory	Type	Description
template	Yes	String	Template type, the value can be: default: The default block page. custom: Your custom block page is returned when a request is blocked. The request is redirected to the URL you specify.
custom_page	No	CustomPage object	Custom alarm page.
redirect_url	No	String	Redirect URL. The root domain name of the redirection address must be the name of the currently protected domain (including a wildcard domain name).${http_host} can be used to indicate the currently protected domain name and port, for example, ${http_host}/error.html.

**Table 6** CustomPage
Parameter	Mandatory	Type	Description
status_code	Yes	String	Status Codes
content_type	Yes	String	Content type of alarm page.
content	Yes	String	Page content.

**Table 7** Flag
Parameter	Mandatory	Type	Description
pci_3ds	No	String	Whether to enable PCI 3DS compliance check. This parameter must be used together with tls and cipher. tls must be set to TLS v1.2, and cipher must be set to cipher_2. Note: If PCI 3DS compliance check is enabled and the minimum TLS is set to TLS v1.2, the website can be accessed using TLS v1.2, but cannot be accessed using TLS v1.1 or earlier. Once PCI 3DS is enabled, it cannot be disabled. Before you enable it, ensure that your website services will not be affected. You can ignore it. true: Enable this check. false: Disable this check. Enumeration values: true false
pci_dss	No	String	Whether to enable PCI DSS compliance check. This parameter must be used together with tls and cipher. tls must be set to TLS v1.2, and cipher must be set to cipher_2. Note: If PCI DSS compliance check is enabled and the minimum TLS is set to TLS v1.2, the website can be accessed using TLS v1.2, but cannot be accessed using TLS v1.1 or earlier. Before you enable it, ensure that your website services will not be affected. You can ignore it. true: Enable this check. false: Disable this check. Enumeration values: true false

**Table 8** TrafficMark
Parameter	Mandatory	Type	Description
sip	No	Array of strings	IP tag. HTTP request header field of the original client IP address.
cookie	No	String	Session tag. This tag is used by known attack source rules to block malicious attacks based on cookie attributes. This parameter must be configured in known attack source rules to block requests based on cookie attributes.
params	No	String	User tag. This tag is used by known attack source rules to block malicious attacks based on params attributes. This parameter must be configured to block requests based on the params attributes.

**Table 9** CircuitBreaker
Parameter	Mandatory	Type	Description
switch	No	Boolean	Whether to enable connection protection. true: Enable connection protection. false: Disable the connection protection.
dead_num	No	Integer	502/504 error threshold. 502/504 errors allowed for every 30 seconds.
dead_ratio	No	Number	A breakdown protection is triggered when the 502/504 error threshold and percentage threshold have been reached.
block_time	No	Integer	Protection period upon the first breakdown. During this period, WAF stops forwarding client requests.
superposition_num	No	Integer	The maximum multiplier you can use for consecutive breakdowns. The number of breakdowns are counted from 0 every time the accumulated breakdown protection duration reaches 3,600s. For example, assume that Initial Downtime (s) is set to 180s and Multiplier for Consecutive Breakdowns is set to 3. If the breakdown is triggered for the second time, that is, less than 3, the protection duration is 360s (180s X 2). If the breakdown is triggered for the third or fourth time, that is, equal to or greater than 3, the protection duration is 540s (180s X 3). When the accumulated downtime duration exceeds 1 hour (3,600s), the number of breakdowns are counted from 0.
suspend_num	No	Integer	Threshold of the number of pending URL requests. Connection protection is triggered when the threshold has been reached.
sus_block_time	No	Integer	Downtime duration after the connection protection is triggered. During this period, WAF stops forwarding website requests.

**Table 10** TimeoutConfig
Parameter	Mandatory	Type	Description
connect_timeout	No	Integer	Timeout for WAF to connect to the origin server.
send_timeout	No	Integer	Timeout for WAF to send requests to the origin server.
read_timeout	No	Integer	Timeout for WAF to receive responses from the origin server.

Response Parameters

Status code: 200

**Table 11** Response body parameters
Parameter	Type	Description
id	String	Domain name ID
policyid	String	ID of the policy initially used to the domain name. It can be obtained by calling the API described in 2.1.1 Querying Protection Policies.
hostname	String	Domain name added to cloud WAF.
domainid	String	User domain ID
project_id	String	Project ID
protocol	String	Client protocol, which is the protocol used by a client (for example, a browser) to access your website. Enumeration values: HTTPS HTTP
tls	String	Minimum TLS version supported. TLS v1.0 is used by default. The value can be:TLS v1.0TLS v1.1TLS v1.2TLS v1.3
cipher	String	Cipher suite. The value can be: cipher_1: ECDHE-ECDSA-AES256-GCM-SHA384:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!DES:!MD5:!PSK:!RC4:!kRSA:!SRP:!3DES:!DSS:!EXP:!CAMELLIA:@STRENGTH cipher_2: EECDH+AESGCM:EDH+AESGCM cipher_3: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH cipher_4. ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!EDH cipher_default: ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM
server	Array of PremiumWafServer objects	Origin server details
certificateid	String	HTTPS certificate ID. It can be obtained by calling the ListCertificates API. This parameter is not required when the client protocol is HTTP. This parameter is mandatory when the client protocol is HTTPS.
certificatename	String	Certificate name. This parameter is not required when the client protocol is HTTP. This parameter is mandatory when the client protocol is HTTPS.
proxy	Boolean	Whether the proxy is enabled
locked	Integer	Lock status. This parameter is redundant and can be ignored. Default value: - 0: Default: 0
protect_status	Integer	WAF status of the protected domain name. The value can be: 0: Suspended. WAF only forwards requests for the domain name but does not detect attacks. 1: Enabled. WAF detects attacks based on the configured policy.
access_status	Integer	Whether a domain name is connected to WAF. 0: The domain name is not connected to the engine instance. 1: The domain name is connected to the engine instance.
access_progress	Array of Access_progress objects	Access progress, which is used only for the new console (frontend).
flag	Flag object	Feature switch for configuring compliance certification checks for domain names protected with the dedicated WAF instance.
block_page	BlockPage object	Alarm configuration page
extend	Extend object	This parameter includes some extended information about the protected domain name.
traffic_mark	TrafficMark object	Traffic identifier
circuit_breaker	CircuitBreaker object	Circuit breaker configuration
timeout_config	TimeoutConfig object	Timeout settings
web_tag	String	website name
description	String	website remarks
timestamp	Long	Time a domain name is added to WAF

**Table 12** PremiumWafServer
Parameter	Type	Description
front_protocol	String	Client protocol Enumeration values: HTTP HTTPS
back_protocol	String	Server protocol Enumeration values: HTTP HTTPS
address	String	IP address or domain name of the origin server that the client accesses.
port	Integer	Server port
type	String	The origin server address is an IPv4 or IPv6 address. Default value: ipv4 Enumeration values: ipv4 ipv6
vpc_id	String	VPC ID. Perform the following steps to obtain the VPC ID: 1.Find the name of the VPC where the dedicated engine is located. The VPC name is in the VPC\Subnet column. Log in to the WAF console and choose Instance Management > Dedicated Engine > VPC\Subnet. Log in to the VPC console and click the VPC name. On the page displayed, copy the VPC ID in the VPC Information area.
weight	Integer	This parameter is reserved and can be ignored currently.

**Table 13** Access_progress
Parameter	Type	Description
step	Integer	Step 1: whitelisting WAF IP addresses. 2: testing WAF. 3:modifying DNS record.
status	Integer	Status. The value can be 0 or 1. 0: The step has not been finished. 1: The step has finished.

**Table 14** Flag
Parameter	Type	Description
pci_3ds	String	Whether to enable PCI 3DS compliance check. This parameter must be used together with tls and cipher. tls must be set to TLS v1.2, and cipher must be set to cipher_2. Note: If PCI 3DS compliance check is enabled and the minimum TLS is set to TLS v1.2, the website can be accessed using TLS v1.2, but cannot be accessed using TLS v1.1 or earlier. Once PCI 3DS is enabled, it cannot be disabled. Before you enable it, ensure that your website services will not be affected. You can ignore it. true: Enable this check. false: Disable this check. Enumeration values: true false
pci_dss	String	Whether to enable PCI DSS compliance check. This parameter must be used together with tls and cipher. tls must be set to TLS v1.2, and cipher must be set to cipher_2. Note: If PCI DSS compliance check is enabled and the minimum TLS is set to TLS v1.2, the website can be accessed using TLS v1.2, but cannot be accessed using TLS v1.1 or earlier. Before you enable it, ensure that your website services will not be affected. You can ignore it. true: Enable this check. false: Disable this check. Enumeration values: true false

**Table 15** BlockPage
Parameter	Type	Description
template	String	Template type, the value can be: default: The default block page. custom: Your custom block page is returned when a request is blocked. The request is redirected to the URL you specify.
custom_page	CustomPage object	Custom alarm page.
redirect_url	String	Redirect URL. The root domain name of the redirection address must be the name of the currently protected domain (including a wildcard domain name).${http_host} can be used to indicate the currently protected domain name and port, for example, ${http_host}/error.html.

**Table 16** CustomPage
Parameter	Type	Description
status_code	String	Status Codes
content_type	String	Content type of alarm page.
content	String	Page content.

**Table 17** Extend
Parameter	Type	Description
ltsInfo	String	Details about LTS configuration
extend	String	Timeout configuration details.

**Table 18** TrafficMark
Parameter	Type	Description
sip	Array of strings	IP tag. HTTP request header field of the original client IP address.
cookie	String	Session tag. This tag is used by known attack source rules to block malicious attacks based on cookie attributes. This parameter must be configured in known attack source rules to block requests based on cookie attributes.
params	String	User tag. This tag is used by known attack source rules to block malicious attacks based on params attributes. This parameter must be configured to block requests based on the params attributes.

**Table 19** CircuitBreaker
Parameter	Type	Description
switch	Boolean	Whether to enable connection protection. true: Enable connection protection. false: Disable the connection protection.
dead_num	Integer	502/504 error threshold. 502/504 errors allowed for every 30 seconds.
dead_ratio	Number	A breakdown protection is triggered when the 502/504 error threshold and percentage threshold have been reached.
block_time	Integer	Protection period upon the first breakdown. During this period, WAF stops forwarding client requests.
superposition_num	Integer	The maximum multiplier you can use for consecutive breakdowns. The number of breakdowns are counted from 0 every time the accumulated breakdown protection duration reaches 3,600s. For example, assume that Initial Downtime (s) is set to 180s and Multiplier for Consecutive Breakdowns is set to 3. If the breakdown is triggered for the second time, that is, less than 3, the protection duration is 360s (180s X 2). If the breakdown is triggered for the third or fourth time, that is, equal to or greater than 3, the protection duration is 540s (180s X 3). When the accumulated downtime duration exceeds 1 hour (3,600s), the number of breakdowns are counted from 0.
suspend_num	Integer	Threshold of the number of pending URL requests. Connection protection is triggered when the threshold has been reached.
sus_block_time	Integer	Downtime duration after the connection protection is triggered. During this period, WAF stops forwarding website requests.

**Table 20** TimeoutConfig
Parameter	Type	Description
connect_timeout	Integer	Timeout for WAF to connect to the origin server.
send_timeout	Integer	Timeout for WAF to send requests to the origin server.
read_timeout	Integer	Timeout for WAF to receive responses from the origin server.

Status code: 400

**Table 21** Response body parameters
Parameter	Type	Description
error_code	String	Error code
error_msg	String	Error message

Status code: 401

**Table 22** Response body parameters
Parameter	Type	Description
error_code	String	Error code
error_msg	String	Error message

Status code: 500

**Table 23** Response body parameters
Parameter	Type	Description
error_code	String	Error code
error_msg	String	Error message

Example Requests

PUT https://{Endpoint}/v1/{project_id}/premium-waf/host/{host_id}?

{
  "proxy" : true
}

Example Responses

Status code: 200

Request succeeded.

{
  "id" : "ee896796e1a84f3f85865ae0853d8974",
  "hostname" : "www.demo.com",
  "protocol" : "HTTPS",
  "server" : [ {
    "address" : "1.2.3.4",
    "port" : 443,
    "type" : "ipv4",
    "weight" : 1,
    "front_protocol" : "HTTPS",
    "back_protocol" : "HTTPS",
    "vpc_id" : "ebfc553a-386d-4746-b0c2-18ff3f0e903d"
  } ],
  "proxy" : true,
  "locked" : 0,
  "timestamp" : 1650593801380,
  "flag" : {
    "pci_3ds" : "false",
    "pci_dss" : "false"
  },
  "extend" : { },
  "block_page" : {
    "template" : "default"
  },
  "description" : "",
  "policyid" : "df15d0eb84194950a8fdc615b6c012dc",
  "domainid" : "0ee78615ca08419f81f539d97c9ee353",
  "projectid" : "550500b49078408682d0d4f7d923f3e1",
  "protect_status" : 1,
  "access_status" : 0,
  "certificateid" : "360f992501a64de0a65c50a64d1ca7b3",
  "certificatename" : "certificatename75315"
}

Status Codes

Status Code	Description
200	Request succeeded.
400	Invalid request
401	The token does not have the required permission.
500	Internal server error.

Error Codes

See Error Codes.

Parent topic: Managing Websites Protected in Dedicated Mode

75 KiB Raw Permalink Blame History