config_examples/waflyctl.toml.example


logpath = "waflyctl.log"
apiendpoint = "https://api.fastly.com"
tags = []
publisher = ["owasp"]
action = "log"
rules = []

# ONLY during new WAF provisionings we disabled the following list of rules by default
disabledrules = []

[owasp]
# OWASP generic settings
ParanoiaLevel = 3
AllowedHTTPVersions = "HTTP/1.0 HTTP/1.1 HTTP/2"
AllowedMethods = "GET HEAD POST OPTIONS PUT PATCH DELETE"
AllowedRequestContentType = "application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain"
AllowedRequestContentTypeCharset = "utf-8|iso-8859-1|iso-8859-15|windows-1252"
ArgLength = 800
ArgNameLength = 800
CombinedFileSizes = 10000000
CRSValidateUTF8Encoding = false
MaxFileSize = 10000000
MaxNumArgs = 255
TotalArgLength = 6400
RestrictedExtensions = ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/"
RestrictedHeaders = "/proxy/ /lock-token/ /content-range/ /translate/ /if/"

# OWASP score settings
InboundAnomalyScoreThreshold = 10
CriticalAnomalyScore = 5
ErrorAnomalyScore = 4
WarningAnomalyScore = 3
NoticeAnomalyScore = 2
PHPInjectionScoreThreshold = 5
RCEScoreThreshold = 5
HTTPViolationScoreThreshold = 5
LFIScoreThreshold = 5
RFIScoreThreshold = 5
SessionFixationScoreThreshold = 5
SQLInjectionScoreThreshold = 5
XSSScoreThreshold = 5

[weblog]
name = "weblogs"
address = "address"
port = 514
format = '''{\"type\":\"req\",\"service_id\":\"%{req.service_id}V\",\"request_id\":\"%{req.http.fastly-soc-x-request-id}V\",\"start_time\":\"%{time.start.sec}V\",\"fastly_info\":\"%{fastly_info.state}V\",\"datacenter\":\"%{server.datacenter}V\",\"client_ip\":\"%a\",\"req_method\":\"%m\",\"req_uri\":\"%{cstr_escape(req.url)}V\",\"req_h_host\":\"%{cstr_escape(req.http.Host)}V\",\"req_h_user_agent\":\"%{cstr_escape(req.http.User-Agent)}V\",\"req_h_accept_encoding\":\"%{cstr_escape(req.http.Accept-Encoding)}V\",\"req_header_bytes\":\"%{req.header_bytes_read}V\",\"req_body_bytes\":\"%{req.body_bytes_read}V\",\"waf_logged\":\"%{waf.logged}V\",\"waf_blocked\":\"%{waf.blocked}V\",\"waf_failures\":\"%{waf.failures}V\",\"waf_executed\":\"%{waf.executed}V\",\"anomaly_score\":\"%{waf.anomaly_score}V\",\"sql_injection_score\":\"%{waf.sql_injection_score}V\",\"rfi_score\":\"%{waf.rfi_score}V\",\"lfi_score\":\"%{waf.lfi_score}V\",\"rce_score\":\"%{waf.rce_score}V\",\"php_injection_score\":\"%{waf.php_injection_score}V\",\"session_fixation_score\":\"%{waf.session_fixation_score}V\",\"http_violation_score\":\"%{waf.http_violation_score}V\",\"xss_score\":\"%{waf.xss_score}V\",\"resp_status\":\"%{resp.status}V\",\"resp_bytes\":\"%{resp.bytes_written}V\",\"resp_header_bytes\":\"%{resp.header_bytes_written}V\",\"resp_body_bytes\":\"%{resp.body_bytes_written}V\"}'''

[waflog]
name = "waflogs"
address = "address"
port = 514
format = '''{\"type\":\"waf\",\"request_id\":\"%{req.http.fastly-soc-x-request-id}V\",\"rule_id\":\"%{waf.rule_id}V\",\"severity\":\"%{waf.severity}V\",\"anomaly_score\":\"%{waf.anomaly_score}V\",\"logdata\":\"%{json.escape(waf.logdata)}V\",\"waf_message\":\"%{json.escape(waf.message)}V\"}'''


[vclsnippet]
name = "Fastly_WAF_Snippet"
content = '''
if (!req.http.fastly-soc-x-request-id)
{
  set req.http.fastly-soc-x-request-id = digest.hash_sha256(now randomstr(64) req.http.host req.url req.http.Fastly-Client-IP server.identity);
}
'''
type = "recv"
priority = 10
dynamic = 1

[response]
name = "WAF_Response"
httpstatuscode = 403
httpresponse = "Forbidden"
contenttype = "text/plain"
content = "403 Forbidden"

[prefetch]
name = "WAF_Prefetch"
statement = "req.backend.is_origin"
type = "PREFETCH"
priority = 10