|
| 1 | +--- |
| 2 | +pcx-content-type: |
| 3 | +title: WAF for SaaS |
| 4 | +weight: 2 |
| 5 | +--- |
| 6 | + |
| 7 | +# WAF for SaaS |
| 8 | + |
| 9 | +[Web Application Firewall (WAF)](/waf/) allows you to create additional security measures through Cloudflare. As a SaaS provider, you can link firewall rules, rate liminting rules, and managed rules to your custom hostnames. This provides more control to keep your domains safe from malicious traffic. |
| 10 | + |
| 11 | +As a SaaS provider, you may want to apply different security measures to different custom hostnames. With WAF for SaaS, you can create multiple WAF configuration that you can apply to different sets of custom hostnames. This added flexibility and security leads to optimal protection across the domains of your end customers. |
| 12 | + |
| 13 | +--- |
| 14 | + |
| 15 | +## Prerequisites |
| 16 | + |
| 17 | +Before you can use WAF for SaaS, you need to create a custom hostname. Review [Get started with SSL for SaaS](/ssl/ssl-for-saas/getting-started/) if you have not already done so. |
| 18 | + |
| 19 | +You can also create a custom hostname through the API: |
| 20 | + |
| 21 | +```json |
| 22 | +curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone:id}/custom_hostnames" \ |
| 23 | + -H "X-Auth-Email: {email}" \ |
| 24 | + -H "X-Auth-Key: {key}" \ |
| 25 | + -H "Content-Type: application/json" \ |
| 26 | + --data '{"Hostname":"example.com"}, "Ssl":{wildcard:false}}' |
| 27 | +``` |
| 28 | + |
| 29 | +## Step 1 - Associate custom metadata to a custom hostname |
| 30 | + |
| 31 | +To apply WAF to your custom hostname, you need to create an association between your customer’s domain and the firewall ruleset that you’d like to attach to it. Cloudflare’s product, [Custom Metadata](/ssl/ssl-for-saas/hostname-specific-behavior/custom-metadata/) allows you to do this via the API. |
| 32 | + |
| 33 | +1. [Locate your zone ID](/fundamentals/get-started/basic-tasks/find-account-and-zone-ids/), available in the Cloudflare dashboard. |
| 34 | + |
| 35 | +2. Locate your Authentication Key by selecting **My Profile** > **API tokens** > **Global API Key**. |
| 36 | + |
| 37 | +3. Locate your custom hostname ID by making a ‘get’ call in the API: |
| 38 | + |
| 39 | +```json |
| 40 | +curl -X GET "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_hostnames" \ |
| 41 | + -H "X-Auth-Email: {email}" \ |
| 42 | + -H "X-Auth-Key: {key}" \ |
| 43 | + -H "Content-Type: application/JSON" |
| 44 | + |
| 45 | +``` |
| 46 | + |
| 47 | +4. Plan your [custom metadata](/ssl/ssl-for-saas/hostname-specific-behavior/custom-metadata/). It is fully customizable. In the example below, we have chosen the tag “security_level” to which we expect to assign three values (low, medium, and high). |
| 48 | + |
| 49 | +{{<Aside type="note">}} |
| 50 | + |
| 51 | +One instance of low, medium, and high rules could be rate limiting. You can specify three different thresholds: low - 100 requests/minute, medium - 85 requests/minute, high - 50 requests/minute, for example. Another possibility is a Firewall Rule in which low challenges requests and high blocks them. |
| 52 | + |
| 53 | +{{</Aside>}} |
| 54 | + |
| 55 | +5. Make an API call in the format below using your Cloudflare email and the IDs gathered above: |
| 56 | + |
| 57 | +```json |
| 58 | +curl -sXPATCH "https://api.cloudflare.com/client/v4/zones/{zone:id}/custom_hostnames/{custom_hostname:id}"\ |
| 59 | + -H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}"\ |
| 60 | + -H "Content-Type: application/json"\ |
| 61 | + -d '{ |
| 62 | +"Custom_metadata":{ |
| 63 | +"customer_id":"12345", |
| 64 | +“security_level”: “low” |
| 65 | +} |
| 66 | +}' |
| 67 | +``` |
| 68 | +This assigns custom metadata to your custom hostname so that it has a security tag associated with its ID. |
| 69 | + |
| 70 | +## Step 2 - Trigger security products based on tags |
| 71 | + |
| 72 | +1. Locate the custom metadata field in the Ruleset Engine where the WAF runs. This can be used to trigger different configurations of products such as [WAF](/waf/), [Firewall Rules](/firewall/), [Advanced Rate Limiting](/waf/rate-limiting-rules/), and [Transform Rules](/rules/transform/). |
| 73 | + |
| 74 | +2. Build your rules either [through the dashboard](/firewall/cf-dashboard/create-edit-delete-rules/) or via the API. An example rate limiting rule, corresponding to “security_level” low, is shown below as an API call. |
| 75 | + |
| 76 | +```json |
| 77 | +curl -X PUT "https://api.cloudflare.com/client/v4/zones/{zone:id}/rulesets/phases/http_ratelimit/entrypoint" \ |
| 78 | + -H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}"\ |
| 79 | + -H "Content-Type: application/json"\ |
| 80 | + -d '{ |
| 81 | + |
| 82 | +"rules": [ |
| 83 | + { |
| 84 | + "action": "block", |
| 85 | + "ratelimit": { |
| 86 | + "characteristics": [ |
| 87 | + "cf.colo.id", |
| 88 | + "ip.src" |
| 89 | + ], |
| 90 | + "period": 10, |
| 91 | + "requests_per_period": 2, |
| 92 | + "mitigation_timeout": 60 |
| 93 | + }, |
| 94 | + "expression": "lookup_json_string(cf.hostname.metadata, \"security_level\") eq \"low\" and http.request.uri contains \"login\"" |
| 95 | + } |
| 96 | + ] |
| 97 | + }}' |
| 98 | +``` |
| 99 | + |
| 100 | +To build rules through the dashboard: |
| 101 | + |
| 102 | +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and navigate to your account and website. |
| 103 | + |
| 104 | +2. Select **Security** > **WAF**. |
| 105 | + |
| 106 | +3. Follow the instructions on the dashboard specific to firewall rules, rate limiting rules, or managed rules, depending on your security goal. |
| 107 | + |
| 108 | +4. Once the rule is active, you should see it under the applicable tab (firewall rules, rate limiting, or managed rules). |
| 109 | + |
| 110 | + |
0 commit comments