As part of the WAF rules editor, users are able to create custom rules revolving around tags to help further filter incoming traffic. A tag contains information about an end-user and is attached to their request. Tag rules are just one component of StackPath's robust rule engine. There are two types of tag rules that users can create: tag based rules and tag generating rules.
Basic tag based rules are created using pre-defined sets of tags provided by StackPath. Tag generating rules allow you to create your own custom tags according to the conditions you define to be applied to incoming requests. These custom tags are called user defined tags, and can be used to customize your tag based rules by allowing you to create even more complex rule sets.
Tag Based Rules
By defining specific if/then statements in the portal, users are able to block and allow certain requests to protect their site. StackPath offers a pre-defined set of tags that are available to you, which you can then use to create basic tag based rules.
In the example below, we set up a tag based rule that will block traffic if the tag associated with the request contains
Hosting Services. The reason why we want to block traffic coming from hosting services, is because these IPs are more likely to belong to automated users rather than human users.
It is recommended that you review the details of your WAF Requests prior to creating these tag based rules, as these details contain the tags associated with end-users. You can use this information to help you determine which tags in the list to use in your rules to filter traffic. For a list of these pre-defined tags and their descriptions, please refer to our guide here.
Tag Generating Rules
In addition to the availability of pre-defined tags, the WAF also provides you with the ability to create rules that will generate custom tags of your choice based on the conditions you define. We call these custom tags, user defined tags. Once a user defined tag is created, it's then added to the list of pre-defined tags, making it available for you to use in a tag based rule.
In our next example, let's say we are running an online shop that requires users to be logged-in before checking out for verification purposes. We will create a rule to generate a custom tag named
validuser if the header named set-cookie contains a cookie named mycookie, which indicates that the user is logged-in.
Using User Defined Tags
In our example above,
validuser is our new user defined tag that's now available for us to use in a tag based rule. With that said, in the example below, we are going to be allowing all requests that contain the user defined tag
validuser, as we know these users are verified because they are logged-in. This will ensure that our logged-in users do not encounter any unwanted WAF blocks.
Please note that user defined tag rules run before other rules that use our pre-defined sets of tags.