This data source provides details about a specific Waas Policy resource in Oracle Cloud Infrastructure Web Application Acceleration and Security service.
Gets the details of a WAAS policy.
```hcl
data "oci_waas_waas_policy" "test_waas_policy" {
  #Required
  waas_policy_id = oci_waas_waas_policy.test_waas_policy.id
}
```
The following arguments are supported:
- `waas_policy_id` - (Required) The OCID of the WAAS policy.

The following attributes are exported:
- `additional_domains` - An array of additional domains for this web application.
- `cname` - The CNAME record to add to your DNS configuration to route traffic for the domain, and all additional domains, through the WAF.
- `compartment_id` - The OCID of the WAAS policy's compartment.
- `defined_tags` - Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags. Example: `{"Operations.CostCenter": "42"}`
- `display_name` - The user-friendly name of the WAAS policy. The name can be changed and does not need to be unique.
- `domain` - The web application domain that the WAAS policy protects.
- `freeform_tags` - Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags. Example: `{"Department": "Finance"}`
- `id` - The OCID of the WAAS policy.
- `origin_groups` - The map of origin groups and their keys used to associate origins to the `wafConfig`. Origin groups allow you to apply weights to groups of origins for load balancing purposes. Origins with higher weights will receive larger proportions of client requests.
  - `origins` - The list of objects containing origin references and additional properties.
- `origins` - A map of host servers (origins) and their keys for the web application. Origin keys are used to associate origins to specific protection rules. The key should be a user-friendly name for the host. Examples: `primary` or `secondary`.
  - `custom_headers` - A list of HTTP headers to forward to your origin.
    - `name` - The name of the header.
    - `value` - The value of the header.
  - `http_port` - The HTTP port on the origin that the web application listens on. If unspecified, defaults to `80`. If `0` is specified, the origin is not used for HTTP traffic.
  - `https_port` - The HTTPS port on the origin that the web application listens on. If unspecified, defaults to `443`. If `0` is specified, the origin is not used for HTTPS traffic.
  - `uri` - The URI of the origin. Does not support paths. Port numbers should be specified in the `httpPort` and `httpsPort` fields.
- `policy_config` - The configuration details for the WAAS policy.
  - `certificate_id` - The OCID of the SSL certificate to use if HTTPS is supported.
  - `cipher_group` - The set cipher group for the configured TLS protocol. This sets the configuration for the TLS connections between clients and edge nodes only. Ciphers enabled in the cipher group:

    `ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA`
  - `client_address_header` - Specifies an HTTP header name which is treated as the connecting client's IP address. Applicable only if `isBehindCdn` is enabled.

    The edge node reads this header and its value and sets the client IP address as specified. It does not create the header if the header is not present in the request. If the header is not present, the connecting IP address will be used as the client's true IP address. It uses the last IP address in the header's value as the true IP address.

    Example: `X-Client-Ip: 11.1.1.1, 13.3.3.3`

    In the case of multiple headers with the same name, only the first header will be used. It is assumed that the CDN sets the correct client IP address to prevent spoofing.

    Supported header names: `X-Forwarded-For`, `X-Client-Ip`, `X-Real-Ip`, `Client-Ip`, `True-Client-Ip`.
  - `health_checks` - Health checks monitor the status of your origin servers and only route traffic to the origins that pass the health check. If the health check fails, the origin is automatically removed from the load balancing. There is roughly one health check per EDGE POP per period. Any checks that pass will be reported as "healthy".
    - `expected_response_code_group` - The HTTP response codes that signify a healthy state.
    - `expected_response_text` - Health check will search for the given text in a case-sensitive manner within the response body and will fail if the text is not found.
    - `headers` - HTTP header fields to include in health check requests, expressed as `"name": "value"` properties. Because HTTP header field names are case-insensitive, any use of names that are case-insensitive equal to other names will be rejected. If Host is not specified, requests will include a Host header field with value matching the policy's protected domain. If User-Agent is not specified, requests will include a User-Agent header field with value "waf health checks".

      Note: The only currently-supported header fields are Host and User-Agent.
    - `healthy_threshold` - Number of successful health checks after which the server is marked up.
    - `interval_in_seconds` - Time between health checks of an individual origin server, in seconds.
    - `is_enabled` - Enables or disables the health checks.
    - `is_response_text_check_enabled` - Enables or disables an additional check for predefined text in addition to the response code.
    - `method` - An HTTP verb (i.e. HEAD, GET, or POST) to use when performing the health check.
    - `path` - Path to visit on your origins when performing the health check.
    - `timeout_in_seconds` - Response timeout represents the wait time until a request is considered failed, in seconds.
    - `unhealthy_threshold` - Number of failed health checks after which the server is marked down.
  - `is_behind_cdn` - Enabling `isBehindCdn` allows for the collection of IP addresses from client requests if the WAF is connected to a CDN.
  - `is_cache_control_respected` - Enable or disable automatic content caching based on the response `cache-control` header. This feature enables the origin to act as a proxy cache. Caching is usually defined using the `cache-control` header. For example `cache-control: max-age=120` means that the returned resource is valid for 120 seconds. Caching rules will overwrite this setting.
  - `is_https_enabled` - Enable or disable HTTPS support. If true, a `certificateId` is required. If unspecified, defaults to `false`.
  - `is_https_forced` - Force HTTP to HTTPS redirection. If unspecified, defaults to `false`.
  - `is_origin_compression_enabled` - Enable or disable GZIP compression of origin responses. If enabled, the header `Accept-Encoding: gzip` is sent to the origin; otherwise, the empty `Accept-Encoding:` header is used.
  - `is_response_buffering_enabled` - Enable or disable buffering of responses from the origin. Buffering improves overall stability in case of network issues, but slightly increases Time To First Byte.
  - `is_sni_enabled` - SNI stands for Server Name Indication and is an extension of the TLS protocol. It indicates which hostname is being contacted by the browser at the beginning of the 'handshake' process. This allows a server to connect multiple SSL certificates to one IP address and port.
  - `load_balancing_method` - An object that represents a load balancing method and its properties.
    - `domain` - The domain for which the cookie is set; defaults to the WAAS policy domain.
    - `expiration_time_in_seconds` - The time for which a browser should keep the cookie, in seconds. An empty value will cause the cookie to expire at the end of a browser session.
    - `method` - Load balancing methods are algorithms used to efficiently distribute traffic among origin servers.
    - `name` - The name of the cookie used to track the persistence. Can contain any US-ASCII character except separator or control characters.
  - `tls_protocols` - A list of allowed TLS protocols. Only applicable when HTTPS support is enabled. The TLS protocol is negotiated while the request is connecting and the most recent protocol supported by both the edge node and client browser will be selected. If no such version exists, the connection will be aborted.

    Enabled TLS protocols must go in a row. For example, if `TLS_V1_1` and `TLS_V1_3` are enabled, `TLS_V1_2` must be enabled too.
  - `websocket_path_prefixes` - ModSecurity is not capable of inspecting WebSockets. Therefore paths specified here have the WAF disabled if the Connection request header from the client has the value Upgrade (case-insensitive matching) and the Upgrade request header has the value websocket (case-insensitive matching). A path matches if the concatenation of the request URL path and query starts with the contents of one of the `websocketPathPrefixes` array values. In all other cases challenges, like JSC, HIC, etc., remain active.
- `state` - The current lifecycle state of the WAAS policy.
- `time_created` - The date and time the policy was created, expressed in RFC 3339 timestamp format.
- `waf_config` - The Web Application Firewall configuration for the WAAS policy.
  - `access_rules` - The access rules applied to the Web Application Firewall. Used for defining custom access policies with the combination of `ALLOW`, `DETECT`, and `BLOCK` rules, based on different criteria.
    - `action` - The action to take when the access criteria are met for a rule. If unspecified, defaults to `ALLOW`.
      When `REDIRECT` is selected: `redirectUrl`, `redirectResponseCode`. Regardless of action, no further rules are processed once a rule is matched.
    - `block_action` - The method used to block requests if `action` is set to `BLOCK` and the access criteria are met. If unspecified, defaults to `SET_RESPONSE_CODE`.
    - `block_error_page_code` - The error code to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access rules'.
    - `block_error_page_description` - The description text to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access blocked by website owner. Please contact support.'
    - `block_error_page_message` - The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the access criteria are met. If unspecified, defaults to 'Access to the website is blocked.'
    - `block_response_code` - The response status code to return when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the access criteria are met. If unspecified, defaults to `403`. The list of available response codes: `200`, `201`, `202`, `204`, `206`, `300`, `301`, `302`, `303`, `304`, `307`, `400`, `401`, `403`, `404`, `405`, `408`, `409`, `411`, `412`, `413`, `414`, `415`, `416`, `422`, `444`, `494`, `495`, `496`, `497`, `499`, `500`, `501`, `502`, `503`, `504`, `507`.
    - `bypass_challenges` - The list of challenges to bypass when `action` is set to `BYPASS`. If unspecified or empty, all challenges are bypassed.
    - `criteria` - The list of access rule criteria. Depending on the condition, the `value` field is interpreted as follows:
      - The `value` in this case is a string with one or multiple HTTP methods separated by the new line symbol `\n`. The list of available methods: `GET`, `HEAD`, `POST`, `PUT`, `DELETE`, `CONNECT`, `OPTIONS`, `TRACE`, `PATCH`. Example: `"GET\nPOST"`
      - The `value` in this case is a string with one or multiple countries separated by the new line symbol `\n`. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website. Example: `"AL\nDZ\nAM"`
      - The `value` field, for user-agent matching. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0`
      - `is_case_sensitive` - When enabled, the condition will be matched with case-sensitive rules.
      - `value` - The criteria value.
    - `name` - The unique name of the access rule.
    - `redirect_response_code` - The response status code to return when `action` is set to `REDIRECT`.
    - `redirect_url` - The target to which the request should be redirected, represented as a URI reference. Required when `action` is `REDIRECT`.
    - `response_header_manipulation` - An object that represents an action to apply to the HTTP response headers if all rule criteria are matched, regardless of the `action` value.
      - `action` - The action can be one of these values: `ADD_HTTP_RESPONSE_HEADER`, `EXTEND_HTTP_RESPONSE_HEADER`, `REMOVE_HTTP_RESPONSE_HEADER`
      - `header` - A header field name that conforms to RFC 7230. Example: `example_header_name`
      - `value` - A header field value that conforms to RFC 7230. Example: `example_value`
  - `address_rate_limiting` - The IP address rate limiting settings used to limit the number of requests from an address.
    - `allowed_rate_per_address` - The number of allowed requests per second from one IP address. If unspecified, defaults to `1`.
    - `block_response_code` - The response status code returned when a request is blocked. If unspecified, defaults to `503`. The list of available response codes: `400`, `401`, `403`, `404`, `405`, `408`, `409`, `411`, `412`, `413`, `414`, `415`, `416`, `422`, `494`, `495`, `496`, `497`, `499`, `500`, `501`, `502`, `503`, `504`, `507`.
    - `is_enabled` - Enables or disables the address rate limiting Web Application Firewall feature.
    - `max_delayed_count_per_address` - The maximum number of requests allowed to be queued before subsequent requests are dropped. If unspecified, defaults to `10`.
  - `caching_rules` - A list of caching rules applied to the web application.
    - `action` - The action to take when the criteria of a caching rule are met.
    - `caching_duration` - The duration to cache content for the caching rule, specified in ISO 8601 extended format. Supported units: seconds, minutes, hours, days, weeks, months. The maximum value that can be set for any unit is `99`. Mixing of multiple units is not supported. Only applies when the `action` is set to `CACHE`. Example: `PT1H`
    - `client_caching_duration` - The duration to cache content in the user's browser, specified in ISO 8601 extended format. Supported units: seconds, minutes, hours, days, weeks, months. The maximum value that can be set for any unit is `99`. Mixing of multiple units is not supported. Only applies when the `action` is set to `CACHE`. Example: `PT1H`
    - `criteria` - The array of the rule criteria with condition and value. The caching rule would be applied for the requests that matched any of the listed conditions.
      - `condition` - The condition of the caching rule criteria. The `value` field holds the URL to match: URLs must start with a `/`. URLs can't contain restricted double slashes `//`. URLs can't contain the restricted `'`, `&`, `?` symbols. Resources to cache can only be specified by a URL; any query parameters are ignored.
      - `value` - The value of the caching rule criteria.
    - `is_client_caching_enabled` - Enables or disables client caching. Browsers use the `Cache-Control` header value for caching content locally in the browser. This setting overrides the addition of a `Cache-Control` header in responses.
    - `key` - The unique key for the caching rule.
    - `name` - The name of the caching rule.
  - `captchas` - A list of CAPTCHA challenge settings. These are used to challenge requests with a CAPTCHA to block bots.
  - `js_challenge` - The JavaScript challenge settings.
    - `criteria` - The list of challenge criteria. Depending on the condition, the `value` field is interpreted as follows:
      - The `value` in this case is a string with one or multiple HTTP methods separated by the new line symbol `\n`. The list of available methods: `GET`, `HEAD`, `POST`, `PUT`, `DELETE`, `CONNECT`, `OPTIONS`, `TRACE`, `PATCH`. Example: `"GET\nPOST"`
      - The `value` in this case is a string with one or multiple countries separated by the new line symbol `\n`. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website. Example: `"AL\nDZ\nAM"`
      - The `value` field, for user-agent matching. Example: `Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0`
      - `is_case_sensitive` - When enabled, the condition will be matched with case-sensitive rules.
      - `value` - The criteria value.
    - `failure_threshold` - The number of failed requests before taking action. If unspecified, defaults to `10`.
    - `is_enabled` - Enables or disables the JavaScript challenge Web Application Firewall feature.
    - `is_nat_enabled` - When enabled, the user is identified not only by the IP address but also by a unique additional hash, which prevents blocking visitors with shared IP addresses.
    - `set_http_header` - Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the `action` is set to `DETECT`.
      - `name` - The name of the header.
      - `value` - The value of the header.
  - `origin` - The key in the map of origins referencing the origin used for the Web Application Firewall. The origin must already be included in `Origins`. Required when creating the `WafConfig` resource, but not on update.
  - `origin_groups` - The map of origin groups and their keys used to associate origins to the `wafConfig`. Origin groups allow you to apply weights to groups of origins for load balancing purposes. Origins with higher weights will receive larger proportions of client requests. To add additional origins to your WAAS policy, update the `origins` field of an `UpdateWaasPolicy` request.
  - `protection_settings` - The settings to apply to protection rules.
    - `allowed_http_methods` - The list of allowed HTTP methods. If unspecified, defaults to `[OPTIONS, GET, HEAD, POST]`. This setting only applies if a corresponding protection rule is enabled, such as the "Restrict HTTP Request Methods" rule (key: 911100).
- If action
is set to BLOCK
, this specifies how the traffic is blocked when detected as malicious by a protection rule. If unspecified, defaults to SET_RESPONSE_CODE
.block_error_page_code
- The error code to show on the error page when action
is set to BLOCK
, blockAction
is set to SHOW_ERROR_PAGE
, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to 403
.block_error_page_description
- The description text to show on the error page when action
is set to BLOCK
, blockAction
is set to SHOW_ERROR_PAGE
, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to Access blocked by website owner. Please contact support.
    - `block_error_page_message` - The message to show on the error page when `action` is set to `BLOCK`, `blockAction` is set to `SHOW_ERROR_PAGE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to 'Access to the website is blocked.'
    - `block_response_code` - The response code returned when `action` is set to `BLOCK`, `blockAction` is set to `SET_RESPONSE_CODE`, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to `403`. The list of available response codes: `400`, `401`, `403`, `405`, `409`, `411`, `412`, `413`, `414`, `415`, `416`, `500`, `501`, `502`, `503`, `504`, `507`.
    - `is_response_inspected` - Inspects the response body of origin responses. Can be used to detect leakage of sensitive data. If unspecified, defaults to `false`.

      Note: Only origin responses with a Content-Type matching a value in `mediaTypes` will be inspected.
    - `max_argument_count` - The maximum number of arguments allowed to be passed to your application before an action is taken. Arguments are query parameters or body parameters in a PUT or POST request. If unspecified, defaults to `255`. This setting only applies if a corresponding protection rule is enabled, such as the "Number of Arguments Limits" rule (key: 960335). Example: If `maxArgumentCount` is set to `2` for the Max Number of Arguments protection rule (key: 960335), the following requests would be blocked: `GET /myapp/path?query=one&query=two&query=three` and `POST /myapp/path` with body `{"argument1":"one","argument2":"two","argument3":"three"}`
    - `max_name_length_per_argument` - The maximum length allowed for each argument name, in characters. Arguments are query parameters or body parameters in a PUT or POST request. If unspecified, defaults to `400`. This setting only applies if a corresponding protection rule is enabled, such as the "Values Limits" rule (key: 960208).
    - `max_response_size_in_ki_b` - The maximum response size to be fully inspected, in binary kilobytes (KiB). Anything over this limit will be partially inspected. If unspecified, defaults to `1024`.
    - `max_total_name_length_of_arguments` - The maximum length allowed for the sum of the argument name and value, in characters. Arguments are query parameters or body parameters in a PUT or POST request. If unspecified, defaults to `64000`. This setting only applies if a corresponding protection rule is enabled, such as the "Total Arguments Limits" rule (key: 960341).
    - `media_types` - The list of media types to allow for inspection, if `isResponseInspected` is enabled. Only responses with MIME types in this list will be inspected. If unspecified, defaults to `["text/html", "text/plain", "text/xml"]`.

      Supported MIME types include:
    - `recommendations_period_in_days` - The length of time to analyze traffic, in days. After the analysis period, `WafRecommendations` will be populated. If unspecified, defaults to `10`.

      Use `GET /waasPolicies/{waasPolicyId}/wafRecommendations` to view WAF recommendations.
  - `whitelists` - A list of IP addresses that bypass the Web Application Firewall.
    - `address_lists` - A list of OCIDs of IP address lists to include in the whitelist.
    - `addresses` - A set of IP addresses or CIDR notations to include in the whitelist.
    - `name` - The unique name of the whitelist.
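As an added example (not code from the OCI provider or its documentation), the following Python script audits an exported `policy_config` against two rules stated above: `tls_protocols` must be contiguous, and the client IP is taken from `client_address_header` only while `is_behind_cdn` is on, using the first header of that name and the last address in its value. The function names, the `TLS_ORDER` enum spellings and the sample policy are assumptions constructed for the example.

```python
# Added example (not code from the OCI provider): audit checks over the
# policy_config attributes this data source exports. The policy dict at the
# bottom is a constructed stand-in for the exported attributes (for instance
# as read from `terraform show -json`).

# Assumed enum spellings (the page itself writes TLS_V1_2 and TLS_V1_3),
# listed from oldest to newest.
TLS_ORDER = ["TLS_V1", "TLS_V1_1", "TLS_V1_2", "TLS_V1_3"]


def tls_protocols_contiguous(protocols):
    """Enabled TLS protocols must go in a row: TLS_V1_1 plus TLS_V1_3
    without TLS_V1_2 is rejected."""
    idx = sorted(TLS_ORDER.index(p) for p in protocols)
    return all(b - a == 1 for a, b in zip(idx, idx[1:]))


def resolve_client_ip(headers, connecting_ip, client_address_header, is_behind_cdn):
    """Apply the client_address_header rules: the header only counts while
    is_behind_cdn is on; with several headers of the same name only the
    first is used; the last address in that header's value is the client
    IP; a missing header falls back to the connecting IP.
    `headers` is the request's header list as (name, value) pairs."""
    if not is_behind_cdn or not client_address_header:
        return connecting_ip
    wanted = client_address_header.lower()  # header names are case-insensitive
    for name, value in headers:
        if name.lower() == wanted:
            addresses = [a.strip() for a in value.split(",") if a.strip()]
            return addresses[-1] if addresses else connecting_ip
    return connecting_ip


def audit_policy_config(cfg):
    """Return the findings a reviewer would raise for a policy_config."""
    findings = []
    https = cfg.get("is_https_enabled", False)
    if https and not cfg.get("certificate_id"):
        findings.append("is_https_enabled requires certificate_id")
    if https and not cfg.get("is_https_forced", False):
        findings.append("HTTP is not redirected to HTTPS (is_https_forced=false)")
    if https and not tls_protocols_contiguous(cfg.get("tls_protocols", [])):
        findings.append("tls_protocols must go in a row: " + ", ".join(cfg["tls_protocols"]))
    if cfg.get("is_behind_cdn") and not cfg.get("client_address_header"):
        findings.append("is_behind_cdn without client_address_header: the connecting (CDN) address is used as the client IP")
    if cfg.get("client_address_header") and not cfg.get("is_behind_cdn"):
        findings.append("client_address_header is ignored while is_behind_cdn is false")
    return findings


# Constructed sample policy_config, not a real tenancy's policy.
SAMPLE_POLICY_CONFIG = {
    "certificate_id": "ocid1.certificate.oc1..PLACEHOLDER",
    "is_https_enabled": True,
    "is_https_forced": False,
    "tls_protocols": ["TLS_V1_1", "TLS_V1_3"],
    "is_behind_cdn": True,
    "client_address_header": "X-Client-Ip",
}

if __name__ == "__main__":
    for finding in audit_policy_config(SAMPLE_POLICY_CONFIG):
        print("finding:", finding)
    # The page's own example value: "X-Client-Ip: 11.1.1.1, 13.3.3.3".
    print(resolve_client_ip([("X-Client-Ip", "11.1.1.1, 13.3.3.3")],
                            "198.51.100.7", "X-Client-Ip", True))  # 13.3.3.3
```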