enable Fastly WAF on crates-io web app CDN #917
Short note (we're also using the Fastly WAF at my day job): after having the WAF active for some time and ruling out false positives, we actually set up "block always / directly" rules for some signals. Example:
```hcl
    enabled      = true
    workspace_id = fastly_ngwaf_workspace.webapp.id
  }
}
```
I'm not sure if some VCL snippets also need to be added to make the edge WAF work.
I don't have much experience with Fastly, but after some research I learned about the NGWAF simulator, and I was wondering whether we could use it to experiment with and fine-tune the signals/rules we want to apply 👀
I discussed this with @marcoieni and I'm now* aware that we have staging as an option to deploy and test WAF behavior, but eventually something like a simulator speeds up the code-test-deploy lifecycle a bit for any snippets we want to try out.
The default behaviour for the WAF is "don't block, just report", so you'll be able to inspect the signals in the dashboard before switching the blocking mode on.
```hcl
resource "fastly_ngwaf_workspace" "webapp" {
  name        = "${var.webapp_domain_name}-waf"
  description = "Next-Gen WAF workspace for ${var.webapp_domain_name}"
  mode        = "block"
```
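Review bot: `mode = "block"` on the `fastly_ngwaf_workspace` resource enables blocking from the first apply, before any signals from real crates-io traffic have been reviewed for false positives. Since the thread notes the WAF's default is report-only, consider creating the workspace with `mode = "log"`, confirming in the dashboard that the signals matching the bot traffic do not also hit legitimate requests, and switching to `mode = "block"` in a follow-up change once that is verified.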
```diff
-  mode        = "block"
+  mode        = "log"
```
Maybe we should change the mode to just report initially.
The crates-io team requested to enable WAF because of bots sending too many requests.