Protecting Against DDoS with AWS WAF and Shield
- AWS Shield and AWS Web Application Firewall (WAF) are both products that provide perimeter defense for applications hosted on AWS.
- Shield provides DDoS protection: Shield Standard is enabled automatically and at no extra cost on every AWS account and mitigates network- and transport-layer (layer 3/4) floods, while Shield Advanced is a paid tier with additional detection and response. WAF is a layer 7 (HTTP) application firewall; its rules inspect individual requests and are what you tune against application-layer floods and web exploits.
- Reference: https://www.cloudflare.com/en-au/learning/ddos/what-is-a-ddos-attack/
- We can use the CDK to create an AWS WAF web ACL with the desired rules and associate it with an ALB.
Contents of this document
- Initialize the WAF CDK project
- Write the stack code
- Deploy the stack
🚀 Initialize the WAF CDK project

```bash
⚡ $ mkdir waf_alb
⚡ $ cd waf_alb
⚡ $ cdk init -l python
```
🚀 Write the stack code
- In each RuleProperty we set OverrideActionProperty to count, so when a rule in the managed rule group matches a web request the match is only counted (it shows up in the CloudWatch metric and in sampled requests) and the request is still allowed. This is the tuning mode: once the counts show no false positives, change the override to none so the rule group's own block actions take effect. A web ACL left in count mode blocks nothing.
- To define and enable Amazon CloudWatch metrics and web request sample collection, we enable VisibilityConfig.
- Scope: REGIONAL vs CLOUDFRONT
  - REGIONAL: a regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API or an AWS AppSync GraphQL API
  - CLOUDFRONT: an Amazon CloudFront distribution; a web ACL with this scope must be created in the us-east-1 Region
- How to list the available managed rule groups:

```bash
aws wafv2 list-available-managed-rule-groups --scope REGIONAL
```

- Code: https://github.com/vumdao/waf-alb/waf_alb_stack.py
```python
from aws_cdk import (
    aws_wafv2 as waf,
    core,  # CDK v1 API; in CDK v2 use `from aws_cdk import Stack` and `from constructs import Construct`
)


class WafStack(core.Stack):
    def __init__(self, scope: core.Construct, id: str, env, target_arn, **kwargs) -> None:
        super().__init__(scope, id, env=env, **kwargs)

        def managed_rule_group(name: str, priority: int, group_name: str,
                               metric_name: str) -> waf.CfnWebACL.RuleProperty:
            """One web ACL rule that references an AWS managed rule group.

            override_action=count means a match is only counted (visible in the
            CloudWatch metric and in sampled requests) and the request is still
            allowed. Once the counts show no false positives, change it to
            waf.CfnWebACL.OverrideActionProperty(none={}) so the group's own
            block actions take effect.
            """
            return waf.CfnWebACL.RuleProperty(
                name=name,
                priority=priority,  # lower number is evaluated first; must be unique within the web ACL
                override_action=waf.CfnWebACL.OverrideActionProperty(count={}),
                # StatementOneProperty is the CDK v1 name; later releases call it StatementProperty
                statement=waf.CfnWebACL.StatementOneProperty(
                    managed_rule_group_statement=waf.CfnWebACL.ManagedRuleGroupStatementProperty(
                        name=group_name,
                        vendor_name='AWS',
                        excluded_rules=[],  # individual rule names listed here are set to count
                    )
                ),
                visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
                    cloud_watch_metrics_enabled=True,
                    metric_name=metric_name,
                    sampled_requests_enabled=True,
                ),
            )

        waf_rules = [
            # 1. Reputation list: source IPs AWS has observed in attacks and reconnaissance
            managed_rule_group('WafIpreputation', 1, 'AWSManagedRulesAmazonIpReputationList', 'aws_reputation'),
            # 2. Anonymous IP list: VPNs, proxies, Tor exit nodes, hosting providers
            managed_rule_group('WafAnony', 2, 'AWSManagedRulesAnonymousIpList', 'aws_anony'),
            # 3. Core rule set: generic web exploit checks (OWASP Top 10 style)
            managed_rule_group('WafCommonRule', 3, 'AWSManagedRulesCommonRuleSet', 'aws_common'),
            # 4. PHP application rules
            managed_rule_group('WafPHPRule', 4, 'AWSManagedRulesPHPRuleSet', 'aws_php'),
            # 5. Linux operating system rules (e.g. LFI attempts against Linux paths)
            managed_rule_group('WafLinuxRule', 5, 'AWSManagedRulesLinuxRuleSet', 'aws_linux'),
        ]

        # DefaultAction: what AWS WAF does when a web request matches none of the rules in the web ACL.
        web_acl = waf.CfnWebACL(
            self, 'WebACL',
            default_action=waf.CfnWebACL.DefaultActionProperty(allow={}),
            scope='REGIONAL',  # vs 'CLOUDFRONT', which must be deployed in us-east-1
            visibility_config=waf.CfnWebACL.VisibilityConfigProperty(
                cloud_watch_metrics_enabled=True,
                metric_name='webACL',
                sampled_requests_enabled=True,
            ),
            name='prod-acl',
            rules=waf_rules,
        )

        # Associate the web ACL with the resource provided (here the ARN of the ALB).
        waf.CfnWebACLAssociation(
            self, 'WAFACLAssociateALB',
            web_acl_arn=web_acl.attr_arn,
            resource_arn=target_arn,
        )
```
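The stack above leaves every rule group in count mode and contains no rule that reacts to request volume, which is the part of a layer 7 DDoS that managed rule groups do not cover. The following Python is an added example, not code from the original post or from the vumdao/waf-alb repository. It builds the same five managed rule groups (names, priorities and metric names taken from the stack) in the JSON shape of the Rules property of AWS::WAFv2::WebACL, which is also the PascalCase input that `aws wafv2 create-web-acl --rules file://rules.json` accepts, with a switch between count (tuning) and enforcing mode. It adds a rate-based rule that blocks any source IP exceeding a limit of requests in a rolling five-minute window, and it checks two constraints AWS rejects at deploy time: duplicate priorities, and a rule-group rule carrying Action instead of OverrideAction (or a plain rule doing the reverse). The rate rule's name, the default limit of 2000 and the function names are assumptions of this example.

```python
"""Generate the Rules list of an AWS::WAFv2::WebACL in count (tuning) or enforcing mode,
with a rate-based rule for layer 7 flood mitigation. Added example, not the post's code."""
import json
from typing import Any, Dict, List

# Same managed rule groups, priorities and metric names as the CDK stack on this page.
MANAGED_RULE_GROUPS = [
    ("WafIpreputation", 1, "AWSManagedRulesAmazonIpReputationList", "aws_reputation"),
    ("WafAnony", 2, "AWSManagedRulesAnonymousIpList", "aws_anony"),
    ("WafCommonRule", 3, "AWSManagedRulesCommonRuleSet", "aws_common"),
    ("WafPHPRule", 4, "AWSManagedRulesPHPRuleSet", "aws_php"),
    ("WafLinuxRule", 5, "AWSManagedRulesLinuxRuleSet", "aws_linux"),
]


def visibility_config(metric_name: str) -> Dict[str, Any]:
    """CloudWatch metric plus sampled requests, as in the stack's VisibilityConfig."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric_name}


def managed_rule_group_rule(name: str, priority: int, group_name: str,
                            metric_name: str, enforce: bool) -> Dict[str, Any]:
    """A rule referencing an AWS managed rule group. Rule-group rules take OverrideAction:
    Count only records matches, None lets the group's own BLOCK actions apply."""
    return {
        "Name": name,
        "Priority": priority,
        "OverrideAction": {"None": {}} if enforce else {"Count": {}},
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group_name}},
        "VisibilityConfig": visibility_config(metric_name),
    }


def rate_based_rule(priority: int, limit: int, enforce: bool) -> Dict[str, Any]:
    """Blocks a source IP that sends more than `limit` requests in a rolling 5-minute window.
    Name and limit are this example's assumptions. Use AggregateKeyType FORWARDED_IP with a
    ForwardedIPConfig instead when another proxy sits between the client and the ALB."""
    return {
        "Name": "RateLimitPerSourceIp",
        "Priority": priority,
        "Action": {"Block": {}} if enforce else {"Count": {}},
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "VisibilityConfig": visibility_config("rate_limit_per_source_ip"),
    }


def validate_rules(rules: List[Dict[str, Any]]) -> bool:
    """Catch locally what the WAF API would reject: duplicate priorities, and the wrong
    action field for the statement type."""
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError(f"duplicate rule priorities: {priorities}")
    for rule in rules:
        has_action = "Action" in rule
        has_override = "OverrideAction" in rule
        statement = rule["Statement"]
        is_group = "ManagedRuleGroupStatement" in statement or "RuleGroupReferenceStatement" in statement
        if has_action == has_override:
            raise ValueError(f"rule {rule['Name']}: set exactly one of Action / OverrideAction")
        if is_group != has_override:
            raise ValueError(f"rule {rule['Name']}: rule-group rules need OverrideAction, others need Action")
    return True


def build_rules(enforce: bool = False, rate_limit: int = 2000) -> List[Dict[str, Any]]:
    """enforce=False is the tuning configuration from the stack; enforce=True is the
    configuration to deploy once the counted matches have been reviewed."""
    rules = [managed_rule_group_rule(name, prio, group, metric, enforce)
             for name, prio, group, metric in MANAGED_RULE_GROUPS]
    rules.append(rate_based_rule(len(rules) + 1, rate_limit, enforce))
    validate_rules(rules)
    return rules


if __name__ == "__main__":
    # Write rules.json for `aws wafv2 create-web-acl --scope REGIONAL --rules file://rules.json ...`
    print(json.dumps(build_rules(enforce=True), indent=2))
```

The only difference between the two outputs is the action fields, so the tuning deployment and the enforcing deployment can be diffed and reviewed as configuration. The rate-based rule sits at priority 6, after the managed groups; move it to priority 1 if you want flood sources cut off before the more expensive inspection rules run.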
🚀 Deploy the stack

```bash
⚡ $ cdk ls
theWalACLAlblon
⚡ $ cdk deploy
theWalACLAlblon: deploying...
theWalACLAlblon: creating CloudFormation changeset...
[██████████████████████████████████████████████████████████] (4/4)
✅ theWalACLAlblon
Stack ARN:
arn:aws:cloudformation:eu-west-2:111111111111:stack/theWalACLAlblon/fbe06250-740f-11eb-9c9f-0685bc814060
```
Results in the AWS WAF console (screenshots in the original post):
- Requests
- Rules
- Associated ALB
- CloudWatch metrics
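The console views and CloudWatch metrics show how often each rule counted a match, but not who triggered it or on which path, which is what decides whether a rule group is safe to switch from count to block or whether a rule belongs in excluded_rules. With WAF logging enabled (aws wafv2 put-logging-configuration, delivering to S3, CloudWatch Logs or Kinesis Data Firehose) that detail is in the per-request JSON records. The script below is an added example, not part of the original post: it walks WAF log lines and, for every COUNT match under ruleGroupList[].nonTerminatingMatchingRules (and terminatingRule when present), aggregates hits, distinct source IPs and top URIs per rule. The log lines are constructed for this example and trimmed to the fields the script reads; real records carry many more fields. The rule IDs used in the samples are taken from the AWS managed groups in the stack, the IPs and paths are made up.

```python
"""Triage count-mode matches in AWS WAF logs before switching rule groups to block.
Added example; the sample records below are constructed, not real log output."""
import json
from collections import Counter, defaultdict
from typing import Any, Dict, Iterable, Iterator, List, Tuple


def _record(client_ip: str, uri: str, matches: List[Tuple[str, str]]) -> str:
    """Build one constructed WAF log line with the given (ruleGroupId, ruleId) COUNT matches."""
    groups: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for group_id, rule_id in matches:
        groups[group_id].append({"ruleId": rule_id, "action": "COUNT"})
    return json.dumps({
        "timestamp": 1613980800000,
        "action": "ALLOW",                      # default action applied: nothing blocked in count mode
        "terminatingRuleId": "Default_Action",
        "httpRequest": {"clientIp": client_ip, "country": "NL", "httpMethod": "GET", "uri": uri},
        "ruleGroupList": [
            {"ruleGroupId": gid, "terminatingRule": None, "nonTerminatingMatchingRules": rules}
            for gid, rules in groups.items()
        ],
    })


COMMON = "AWS#AWSManagedRulesCommonRuleSet"
LINUX = "AWS#AWSManagedRulesLinuxRuleSet"
IPREP = "AWS#AWSManagedRulesAmazonIpReputationList"

# Constructed sample: one host probing for LFI, a health checker without a User-Agent, clean API traffic.
SAMPLE_WAF_LOG_LINES = [
    _record("198.51.100.7", "/images/../../../etc/passwd",
            [(COMMON, "GenericLFI_URIPATH"), (LINUX, "LFI_URIPATH")]),
    _record("198.51.100.7", "/cgi-bin/../../../etc/shadow",
            [(COMMON, "GenericLFI_URIPATH"), (LINUX, "LFI_URIPATH")]),
    _record("203.0.113.5", "/healthz", [(COMMON, "NoUserAgent_HEADER")]),
    _record("203.0.113.6", "/healthz", [(COMMON, "NoUserAgent_HEADER")]),
    _record("192.0.2.44", "/api/items", []),
    _record("198.51.100.7", "/wp-login.php", [(IPREP, "AWSManagedIPReputationList")]),
]


def iter_count_matches(lines: Iterable[str]) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (client_ip, uri, rule_group_id, rule_id) for every COUNT match in the log."""
    for line in lines:
        rec = json.loads(line)
        client_ip = rec["httpRequest"]["clientIp"]
        uri = rec["httpRequest"]["uri"]
        for group in rec.get("ruleGroupList") or []:
            matched = list(group.get("nonTerminatingMatchingRules") or [])
            if group.get("terminatingRule"):
                matched.append(group["terminatingRule"])
            for match in matched:
                if match.get("action") == "COUNT":
                    yield client_ip, uri, group["ruleGroupId"], match["ruleId"]


def summarize_count_matches(lines: Iterable[str]) -> Dict[str, Dict[str, Any]]:
    """Per '<ruleGroupId>/<ruleId>': hit count, number of distinct source IPs, top IPs and URIs."""
    hits: Counter = Counter()
    ips: Dict[str, Counter] = defaultdict(Counter)
    uris: Dict[str, Counter] = defaultdict(Counter)
    for client_ip, uri, group_id, rule_id in iter_count_matches(lines):
        key = f"{group_id}/{rule_id}"
        hits[key] += 1
        ips[key][client_ip] += 1
        uris[key][uri] += 1
    return {
        key: {"hits": n, "distinct_ips": len(ips[key]),
              "top_ips": ips[key].most_common(3), "top_uris": uris[key].most_common(3)}
        for key, n in hits.items()
    }


def single_source_rules(summary: Dict[str, Dict[str, Any]]) -> List[str]:
    """Rules whose matches all come from one IP: typical of a single scanner, low false-positive risk."""
    return sorted(key for key, info in summary.items() if info["distinct_ips"] == 1)


if __name__ == "__main__":
    for key, info in summarize_count_matches(SAMPLE_WAF_LOG_LINES).items():
        print(f"{key}: {info['hits']} hits from {info['distinct_ips']} IP(s), top URI {info['top_uris'][0]}")
```

In the constructed sample the LFI and reputation rules only ever fire on one scanning host, so those groups can go to override none without collateral damage, whereas NoUserAgent_HEADER fires on /healthz from several monitoring addresses; that rule name belongs in excluded_rules (keeping it on count) before the Common rule set is enforced. On real logs, point the script at the files delivered by the logging configuration instead of SAMPLE_WAF_LOG_LINES.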
🌠 Blog · GitHub (https://github.com/vumdao/) · Web (https://vumdao.hashnode.dev/) · LinkedIn (https://www.linkedin.com/in/vu-dao-9280ab43/) · Group (https://www.linkedin.com/groups/12488649/)