enable Fastly WAF on crates-io web app CDN#917
Short note (we're also using the Fastly WAF at my day job): after having the WAF active for some time, and ruling out false positives, we actually set up "block always / directly" rules for some signals. Example:
```hcl
    enabled      = true
    workspace_id = fastly_ngwaf_workspace.webapp.id
  }
}
```
I'm not sure if some VCL snippets also need to be added to make the edge WAF work.
I don't have much experience with Fastly, but after some research I learned about the NGWAF simulator, and I was wondering whether we could use it to experiment and fine-tune the signals/rules we want to apply 👀
I discussed with @marcoieni and I'm now aware that we have staging as an option to deploy and test WAF behavior, but eventually something like a simulator speeds up the code-test-deploy lifecycle a bit for any snippets we want to try out.
The default behaviour for the WAF is "don't block, just report", so you'll be able to inspect the signals in the dashboard before switching blocking mode on.
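The two-phase rollout described in the comments above (report only first, then switch to blocking once the signals have been reviewed), written out as an added Terraform example. This is not the PR's own configuration: the workspace name, the `mode` attribute and its `"log"`/`"block"` values, and the `traffic_ramp` attribute are assumptions about the Fastly provider's `fastly_ngwaf_workspace` resource and `product_enablement` block and should be checked against the provider documentation before use.

```hcl
# Added example, not the PR's Terraform. Attribute names marked "assumed"
# must be verified against the fastly provider docs for your version.

# Phase 1: create the workspace in logging mode so every signal shows up in
# the NGWAF dashboard without any request being rejected.
resource "fastly_ngwaf_workspace" "webapp" {
  name        = "crates-io-webapp"   # assumed name
  description = "crates.io web app edge WAF"
  mode        = "log"                # assumed attribute; "block" once tuned
}

# Attach the workspace to the CDN service. The nested ngwaf block matches
# the fragment quoted earlier in this thread.
resource "fastly_service_vcl" "webapp" {
  name = "crates-io-webapp"          # assumed service name

  # ... domains, backends and VCL snippets for the service go here ...

  product_enablement {
    ngwaf {
      enabled      = true
      workspace_id = fastly_ngwaf_workspace.webapp.id
      traffic_ramp = 100             # assumed attribute; percent of traffic inspected
    }
  }
}

# Phase 2 (after reviewing signals and ruling out false positives):
# change only the mode. Keep this as a single-line diff so the switch to
# blocking is easy to review and easy to revert.
#
#   mode = "block"
```

Run `terraform plan` after the mode change and confirm the only diff is the `mode` attribute; if the plan also wants to recreate the workspace or the service, stop and check the provider's documented lifecycle for that attribute before applying.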
bbdbab6 to 044cdf5
044cdf5 to 02ad776
I applied this. Changed the mode to
The crates-io team requested to enable WAF because of bots sending too many requests.
Related to #1007