Setup
Add it as a rule
Create an IP set
Add the rule
- Add it from Add rules → Add my own rules and rule groups
- Attach the IP address list created as the IP set
- Set Action to Block
- Setting Action to Allow instead turns the same IP set into an allowlist (whitelist) configuration
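Added example (not part of the original post or of the Terraform code): a small offline model of how the IP-set rule decides a request, showing the blocklist built here (rule action Block, default action Allow) beside the allowlist variant (rule action Allow, default action Block). The CIDR list is constructed, `normalize_ip_set`, `ip_set_matches` and `evaluate` are hypothetical helpers, and managed rule groups are left out of the model.

```python
import ipaddress

# Constructed sample list, same shape as the "addresses" of aws_wafv2_ip_set.
BLOCKLIST = ["1.2.3.4/32", "5.6.7.8/32", "203.0.113.0/24"]


def normalize_ip_set(addresses):
    """Return the entries in the CIDR form WAFv2 accepts (hypothetical helper).

    Every entry must be CIDR notation, so a bare host gets /32 (IPv4) or /128
    (IPv6); host bits must be zero; /0 is rejected because it matches everyone.
    """
    out = []
    for entry in addresses:
        net = ipaddress.ip_network(entry, strict=True)  # ValueError on host bits
        if net.prefixlen == 0:
            raise ValueError(f"{entry}: /0 would match all clients")
        out.append(str(net))
    return out


def ip_set_matches(client_ip, addresses):
    """True when client_ip is inside any CIDR of the IP set."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(a) for a in addresses)


def evaluate(client_ip, addresses, rule_action="BLOCK", default_action="ALLOW"):
    """Model the web ACL decision for one client IP.

    rule_action is the action on the ip_set_reference_statement rule and
    default_action is the web ACL's default_action. BLOCK + default ALLOW is
    the blocklist built in the post; ALLOW + default BLOCK is the allowlist
    variant mentioned there. Managed rule groups are ignored in this model.
    """
    if ip_set_matches(client_ip, addresses):
        return rule_action
    return default_action


if __name__ == "__main__":
    addrs = normalize_ip_set(BLOCKLIST)
    for ip in ("1.2.3.4", "203.0.113.77", "198.51.100.9"):
        print(ip, "blocklist ->", evaluate(ip, addrs),
              "| allowlist ->", evaluate(ip, addrs, "ALLOW", "BLOCK"))
```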
Checking that it works
- Accessing the attached ALB now returns a 403; the response comes from the ALB itself (Server: awselb/2.0), not from the backend application
```
yuta:~ $ curl -i https://dev2.vademic.jp/
HTTP/1.1 403 Forbidden
Server: awselb/2.0
Date: Sun, 29 Nov 2020 14:18:22 GMT
Content-Type: text/html
Content-Length: 118
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
</body>
</html>
```
Terraform code
```hcl
resource "aws_wafv2_web_acl" "example" {
  name        = "amelys-wafv2"
  description = "wafv2 created from terraform"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        excluded_rule {
          name = "SizeRestrictions_BODY"
        }
        excluded_rule {
          name = "GenericRFI_BODY"
        }
        excluded_rule {
          name = "CrossSiteScripting_BODY"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWS-AWSManagedRulesLinuxRuleSet"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesLinuxRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesLinuxRuleSet"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "IPAddress_BlackList"
    priority = 2

    action {
      block {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.blacklist.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesIPAddressBlackList"
      sampled_requests_enabled   = true
    }
  }

  tags = {
    Automation = "Terraform"
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "AWSManagedRulesCommonRuleSet"
    sampled_requests_enabled   = false
  }
}

// IP address list
resource "aws_wafv2_ip_set" "blacklist" {
  name               = "blacklist"
  description        = "blacklist"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses = [
    "1.2.3.4/32",
    "5.6.7.8/32"
  ]

  tags = {
    Automation = "Terraform"
  }
}
```