Last updated: 6 Mar 2024

Web Application Firewall (WAF) configuration

Web Application Firewall (WAF) rules block potentially malicious or suspect requests at the edge of the network, before they can reach the applications.

How to configure WAF rules

WAF rules are configured via Terraform and associated to load balancers.

The rules are maintained in govuk-aws/terraform/projects/infra-public-wafs (alongside the configuration for the public load balancers in govuk-aws/terraform/projects/infra-public-services).

For instructions on how to deploy the Terraform projects, see deploying terraform.

For documentation on the kinds of rules:

Viewing logs for WAF

Our WAF ACLs are configured to log requests to Amazon CloudWatch log groups following the naming convention aws-waf-logs-<acl>-public-<environment>. They can be live-tailed or queried via the CloudWatch interface in the AWS console.

For the cache_public and bouncer_public WAF ACLs, we only log requests where the action is either BLOCK or COUNT. For the backend_public WAF ACL, we log all requests.

Blocking requests by JA3 signature

JA3 is a way of fingerprinting TLS connections, which can be used to detect whether a connection comes from a particular browser or from another TLS client (such as curl, Python, or possibly malware). JA3 fingerprints are useful for matching botnet or malware traffic when no better criteria are available. Their opaqueness is a disadvantage: it is not possible to tell what traffic a fingerprint applies to by reading the configuration.

Note that blocking by JA3 is potentially risky: a fingerprint identifies a TLS client implementation rather than an individual actor, so if we get it wrong we could block a legitimate browser version for every user of it.

The backend_public WAF ACL supports blocking requests by JA3 signature. The production denylist can be configured in govuk-aws-data/infra-public-wafs/production/common.tfvars (integration, staging).

The cache_public and bouncer_public ACLs do not support JA3 denylisting, but this can instead be configured at the CDN level.
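As an added illustration (not code from govuk-aws or the infra-public-wafs project), the Terraform below shows the three pieces this page describes in one place: a regional web ACL with one BLOCK rule per denylisted JA3 fingerprint, the association of that ACL with a public load balancer, and CloudWatch logging that keeps only BLOCK and COUNT records. The resource names, the aws_lb.backend_public reference, the "integration" environment name and the all-zero fingerprint values are assumptions; the ja3_fingerprint match field requires a recent 5.x AWS provider.

```hcl
# Added example, not govuk-aws's own code. The resource names, the
# aws_lb.backend_public reference and the fingerprint values are assumptions.

variable "ja3_denylist" {
  description = "JA3 MD5 fingerprints to block (constructed placeholders, not real clients)."
  type        = list(string)
  default = [
    "00000000000000000000000000000001",
    "00000000000000000000000000000002",
  ]

  # A mistyped hash silently matches nothing, so check the format at plan time.
  validation {
    condition     = alltrue([for h in var.ja3_denylist : can(regex("^[0-9a-f]{32}$", h))])
    error_message = "Each JA3 fingerprint must be a 32-character lowercase hex MD5 digest."
  }
}

resource "aws_wafv2_web_acl" "backend_public" {
  name  = "backend-public-integration"
  scope = "REGIONAL" # attached to a load balancer, not to CloudFront

  default_action {
    allow {}
  }

  # One BLOCK rule per denylisted fingerprint, matched on the TLS JA3 field.
  dynamic "rule" {
    for_each = { for i, ja3 in var.ja3_denylist : tostring(i) => ja3 }
    content {
      name     = "ja3-denylist-${rule.key}"
      priority = 10 + tonumber(rule.key) # priorities must be unique within the ACL
      action {
        block {}
      }
      statement {
        byte_match_statement {
          search_string         = rule.value
          positional_constraint = "EXACTLY"
          field_to_match {
            ja3_fingerprint {
              fallback_behavior = "NO_MATCH" # no fingerprint: fall through to other rules
            }
          }
          text_transformation {
            priority = 0
            type     = "NONE"
          }
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "ja3-denylist-${rule.key}"
        sampled_requests_enabled   = true
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "backend-public-integration"
    sampled_requests_enabled   = true
  }
}

# Attach the ACL to the public load balancer (aws_lb.backend_public is assumed
# to be defined elsewhere, as the infra-public-services project would).
resource "aws_wafv2_web_acl_association" "backend_public" {
  resource_arn = aws_lb.backend_public.arn
  web_acl_arn  = aws_wafv2_web_acl.backend_public.arn
}

# WAF log groups must carry the aws-waf-logs- prefix; this name follows the
# aws-waf-logs-<acl>-public-<environment> convention described above.
resource "aws_cloudwatch_log_group" "waf" {
  name              = "aws-waf-logs-backend-public-integration"
  retention_in_days = 30
}

resource "aws_wafv2_web_acl_logging_configuration" "backend_public" {
  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]
  resource_arn            = aws_wafv2_web_acl.backend_public.arn

  # Keep only BLOCK and COUNT records, as cache_public and bouncer_public do;
  # omit logging_filter entirely to log every request, as backend_public does.
  logging_filter {
    default_behavior = "DROP"
    filter {
      behavior    = "KEEP"
      requirement = "MEETS_ANY"
      condition {
        action_condition { action = "BLOCK" }
      }
      condition {
        action_condition { action = "COUNT" }
      }
    }
  }
}
```

Given the risk noted above, a safe way to roll out a new fingerprint is to deploy its rule with `count {}` in place of `block {}` first, watch the COUNT records for that rule name in the log group for a few days to confirm it matches only the traffic you expect, and only then switch the action to `block {}`.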