ESAPI WAF 配置详解<\/h1>

1. 概述<\/h2>
ESAPI WAF (Web Application Firewall) 是一个基于XML策略文件的应用程序防火墙解决方案，专为J2EE应用程序设计。它通过定义安全规则来保护应用程序免受各种攻击，如SQL注入、XSS、CSRF等。<\/p>

2. 策略文件基础结构<\/h2>

策略文件的根元素是<policy><\/code>，包含以下主要部分：<\/p>

<?xml version="1.0" encoding="UTF-8"?><\/span>
<\/span><\/span><policy><\/span>
<\/span><\/span>  <aliases><\/aliases><\/span>
<\/span><\/span>  <settings><\/settings><\/span>
<\/span><\/span>  <!-- 其他规则标签 --><\/span>
<\/span><\/span><\/policy><\/span>
<\/span><\/span><\/code><\/pre>2.1 必需标签<\/h3>

<aliases><\/code>: 定义在整个策略文件中公用的字符串<\/li>
<settings><\/code>: WAF的全局配置<\/li>
<\/ul>
3. Aliases 标签<\/h2>
<aliases><\/code>标签用于定义策略文件中可重用的字符串或正则表达式。<\/p>
<aliases><\/span>
<\/span><\/span>  <alias<\/span> name=<\/span>"ADMIN_PATH"<\/span> type=<\/span>"regex"<\/span>><\/span>^\/admin\/.*<\/alias><\/span>
<\/span><\/span><\/aliases><\/span>
<\/span><\/span><\/code><\/pre>
name<\/strong> (必需): 别名标识，后续在策略中引用<\/li>
type<\/strong> (可选): 指定字符串类型，默认为普通字符串，可设为"regex"表示正则表达式<\/li>
<\/ul>
4. Settings 标签<\/h2>
<settings><\/code>标签包含WAF的全局配置。<\/p>
4.1 运行模式 (<mode><\/code>)<\/h3>
<mode><\/span>block<\/mode><\/span>
<\/span><\/span><\/code><\/pre>可选值：<\/p>

log<\/code>: 仅记录日志，不执行其他操作<\/li>
redirect<\/code>: 发生安全事件时重定向到错误页面<\/li>
block<\/code>: 停止处理请求并返回空响应<\/li>
<\/ul>
4.2 会话Cookie名称 (<session-cookie-name><\/code>)<\/h3>
<session-cookie-name><\/span>JSESSIONID<\/session-cookie-name><\/span>
<\/span><\/span><\/code><\/pre>
默认为"JSESSIONID"<\/li>
实验性功能，不推荐使用<\/li>
<\/ul>
4.3 错误处理 (<error-handling><\/code>)<\/h3>
<error-handling><\/span>
<\/span><\/span>  <default-redirect-page><\/span>\/error.jsp<\/default-redirect-page><\/span>
<\/span><\/span>  <block-status><\/span>500<\/block-status><\/span>
<\/span><\/span><\/error-handling><\/span>
<\/span><\/span><\/code><\/pre>
<default-redirect-page><\/code>: 重定向目标URL<\/li>
<block-status><\/code>: 在block模式下返回的HTTP状态码<\/li>
<\/ul>
5. Authentication-Rules 标签<\/h2>
用于执行J2EE认证请求。<\/p>
<authentication-rules<\/span> path=<\/span>"\/.*"<\/span> key=<\/span>"UserAuthKey"<\/span>><\/span>
<\/span><\/span>  <path-exception><\/span>\/<\/path-exception><\/span>
<\/span><\/span>  <path-exception<\/span> type=<\/span>"regex"<\/span>><\/span>\/images\/.*<\/path-exception><\/span>
<\/span><\/span><\/authentication-rules><\/span>
<\/span><\/span><\/code><\/pre>
path<\/strong> (必需): 需要认证的URL正则表达式<\/li>
key<\/strong> (必需): 检查的session属性名<\/li>
<path-exception><\/code>: 白名单URL

type<\/strong> (可选): 可设为"regex"表示正则表达式<\/li>
<\/ul>
<\/li>
<\/ul>
6. Authorization-Rules 标签<\/h2>
用于执行J2EE授权请求。<\/p>
6.1 Restrict-Source-IP<\/h3>
<authorization-rules><\/span>
<\/span><\/span>  <restrict-source-ip<\/span> type=<\/span>"regex"<\/span> ip-header=<\/span>"X-ORIGINAL-IP"<\/span> 
<\/span><\/span>                      ip-regex=<\/span>"(192\.168\.1\..*|127.0.0.1)"<\/span>><\/span>
<\/span><\/span>    \/admin\/.*
<\/span><\/span>  <\/restrict-source-ip><\/span>
<\/span><\/span><\/authorization-rules><\/span>
<\/span><\/span><\/code><\/pre>
type<\/strong>: 路径匹配类型，"regex"表示正则表达式<\/li>
ip-header<\/strong>: 包含真实IP的请求头<\/li>
ip-regex<\/strong>: 允许的IP正则表达式<\/li>
<\/ul>
6.2 Must-Match<\/h3>
<authorization-rules><\/span>
<\/span><\/span>  <must-match<\/span> path=<\/span>"^\/admin\/.*"<\/span> variable=<\/span>"request.headers.X-ROLES"<\/span> 
<\/span><\/span>              operator=<\/span>"contains"<\/span> value=<\/span>"admin"<\/span> \/><\/span>
<\/span><\/span><\/authorization-rules><\/span>
<\/span><\/span><\/code><\/pre>
path<\/strong> (必需): 应用规则的URL正则<\/li>
variable<\/strong> (必需): 检查的变量位置，可以是：

request.headers.<name><\/code><\/li>
request.parameters.<name><\/code><\/li>
request.cookies.<name><\/code><\/li>
session.<name><\/code><\/li>
application.<name><\/code><\/li>
<\/ul>
<\/li>
operator<\/strong> (必需): 比较操作符

equals<\/code>: 完全匹配<\/li>
contains<\/code>: 包含<\/li>
startsWith<\/code>: 开头匹配<\/li>
inList<\/code>: 在集合中<\/li>
<\/ul>
<\/li>
value<\/strong> (必需): 匹配的值<\/li>
<\/ul>
7. Url-Rules 标签<\/h2>
对HTTP请求行数据执行检查。<\/p>
7.1 Restrict-Extension<\/h3>
<url-rules><\/span>
<\/span><\/span>  <restrict-extension<\/span> deny=<\/span>".java"<\/span> \/><\/span>
<\/span><\/span><\/url-rules><\/span>
<\/span><\/span><\/code><\/pre>
deny\/allow<\/strong>: 至少出现一个，不能同时出现<\/li>
值可以是正则表达式<\/li>
<\/ul>
7.2 Restrict-Method<\/h3>
<url-rules><\/span>
<\/span><\/span>  <restrict-method<\/span> deny=<\/span>"GET"<\/span> path=<\/span>".*\.do$"<\/span> \/><\/span>
<\/span><\/span>  <restrict-method<\/span> allow=<\/span>"^(GET|POST|HEAD)$"<\/span> \/><\/span>
<\/span><\/span><\/url-rules><\/span>
<\/span><\/span><\/code><\/pre>
deny\/allow<\/strong>: 至少出现一个<\/li>
path<\/strong> (可选): 应用规则的URL正则<\/li>
<\/ul>
7.3 Enforce-Https<\/h3>
<url-rules><\/span>
<\/span><\/span>  <enforce-https<\/span> path=<\/span>"\/.*"<\/span>><\/span>
<\/span><\/span>    <path-exception><\/span>\/index.html<\/path-exception><\/span>
<\/span><\/span>  <\/enforce-https><\/span>
<\/span><\/span><\/url-rules><\/span>
<\/span><\/span><\/code><\/pre>
path<\/strong> (必需): 强制SSL的URL正则<\/li>
<path-exception><\/code>: 例外URL<\/li>
<\/ul>
8. Header-Rules 标签<\/h2>
对HTTP请求头数据执行检查。<\/p>
8.1 Restrict-User-Agent<\/h3>
<header-rules><\/span>
<\/span><\/span>  <restrict-user-agent<\/span> deny=<\/span>".*GoogleBot.*"<\/span> \/><\/span>
<\/span><\/span><\/header-rules><\/span>
<\/span><\/span><\/code><\/pre>
deny\/allow<\/strong>: 至少出现一个<\/li>
<\/ul>
8.2 Restrict-Content-Type<\/h3>
<header-rules><\/span>
<\/span><\/span>  <restrict-content-type<\/span> deny=<\/span>".*multipart.*"<\/span> \/><\/span>
<\/span><\/span><\/header-rules><\/span>
<\/span><\/span><\/code><\/pre>
deny\/allow<\/strong>: 至少出现一个<\/li>
<\/ul>
9. Virtual-Patchs 标签<\/h2>
针对已知攻击实施虚拟补丁。<\/p>
<virtual-patchs><\/span>
<\/span><\/span>  <virtual-patch<\/span> id=<\/span>"scr-15520"<\/span> path=<\/span>"\/foobar.jsp"<\/span> 
<\/span><\/span>                 variable=<\/span>"request.parameters.q"<\/span> 
<\/span><\/span>                 pattern=<\/span>"^[0-9a-zA-Z\s,\.]$"<\/span> 
<\/span><\/span>                 message=<\/span>"detected exploit of SCR #15520"<\/span> \/><\/span>
<\/span><\/span><\/virtual-patchs><\/span>
<\/span><\/span><\/code><\/pre>
id<\/strong> (可选): 规则唯一标识<\/li>
path<\/strong> (必需): 应用规则的URL正则<\/li>
variable<\/strong> (必需): 检查的变量位置<\/li>
pattern<\/strong> (必需): 匹配的正则表达式<\/li>
message<\/strong> (必需): 规则失败时的日志消息<\/li>
<\/ul>
10. 最佳实践<\/h2>

从空策略文件开始，逐步添加规则<\/li>
为重要规则添加唯一ID便于日志追踪<\/li>
使用正则表达式提高规则灵活性<\/li>
生产环境先使用log<\/code>模式测试规则<\/li>
为管理员区域添加IP限制<\/li>
禁用不必要的HTTP方法<\/li>
对敏感操作强制使用SSL<\/li>
为已知漏洞创建虚拟补丁<\/li>
<\/ol>
通过合理配置ESAPI WAF，可以显著提高J2EE应用程序的安全性，防止多种常见攻击。<\/p>

ESAPI WAF 配置详解<\/h1>

1. 概述<\/h2> ESAPI WAF (Web Application Firewall) 是一个基于XML策略文件的应用程序防火墙解决方案，专为J2EE应用程序设计。它通过定义安全规则来保护应用程序免受各种攻击，如SQL注入、XSS、CSRF等。<\/p>

4. Settings 标签<\/h2> <settings><\/code>标签包含WAF的全局配置。<\/p>

6. Authorization-Rules 标签<\/h2> 用于执行J2EE授权请求。<\/p>

7. Url-Rules 标签<\/h2> 对HTTP请求行数据执行检查。<\/p>

8. Header-Rules 标签<\/h2> 对HTTP请求头数据执行检查。<\/p>

1. 概述<\/h2>
ESAPI WAF (Web Application Firewall) 是一个基于XML策略文件的应用程序防火墙解决方案，专为J2EE应用程序设计。它通过定义安全规则来保护应用程序免受各种攻击，如SQL注入、XSS、CSRF等。<\/p>

4. Settings 标签<\/h2>
`<settings><\/code>标签包含WAF的全局配置。<\/p>`

6. Authorization-Rules 标签<\/h2>
用于执行J2EE授权请求。<\/p>

7. Url-Rules 标签<\/h2>
对HTTP请求行数据执行检查。<\/p>

8. Header-Rules 标签<\/h2>
对HTTP请求头数据执行检查。<\/p>