diff --git a/config/README.md b/config/README.md
new file mode 100644
index 0000000000..e3df891740
--- /dev/null
+++ b/config/README.md
@@ -0,0 +1,5 @@
+# AEM as a Cloud Service Configuration Files
+
+This folder contains service's configuration files that you can deploy on your AEM as a Cloud Service environment from Cloud Manager using Configuration Pipeline.
+
+For now only CDN Traffic Filters Rules and WAF rules can be configured. You can learn more about Traffic Filters Rules and WAF rules in [our online documentation](https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/security/cdn-and-waf-rules.html).
diff --git a/config/cdn.yaml b/config/cdn.yaml
new file mode 100644
index 0000000000..e00dac5c23
--- /dev/null
+++ b/config/cdn.yaml
@@ -0,0 +1,66 @@
+kind: "CDN"
+version: "1"
+metadata:
+  envTypes: ["dev"]
+data:
+  trafficFilters:
+    rules:
+      # Block access to OFAC countries
+      - name: block-ofac-countries
+        when:
+          allOf:
+            - reqProperty: tier
+              in: [ publish ]
+            - reqProperty: clientCountry
+              in:
+                - SY
+                - BY
+                - MM
+                - KP
+                - IQ
+                - CD
+                - SD
+                - IR
+                - LR
+                - ZW
+                - CU
+                - CI
+        action: block
+      # Block client for 5m when it exceeds 100 req/sec on a time window of 1sec
+      - name: limit-requests-per-client-ip
+        when:
+          reqProperty: tier
+          in: [ publish ]
+        rateLimit:
+          limit: 100
+          window: 1
+          penalty: 300
+          groupBy:
+            - reqProperty: clientIp
+        action: block
+      # Enable recommend WAF protections (only works if WAF is enabled for your environment)
+      - name: block-waf-flags-globally
+        when:
+          reqProperty: tier
+          in: [ publish ]
+        action:
+          type: block
+          wafFlags:
+            - SANS
+            - SIGSCI-IP
+            - TORNODE
+            - NOUA
+            - SCANNER
+            - USERAGENT
+            - PRIVATEFILE
+            - ABNORMALPATH
+            - TRAVERSAL
+            - NULLBYTE
+            - BACKDOOR
+            - LOG4J-JNDI
+            - SQLI
+            - XSS
+            - CODEINJECTION
+            - CMDEXE
+            - NO-CONTENT-TYPE
+            - UTF8
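Review bot: Every rule in the cdn.yaml hunk goes straight to a blocking action — `action: block` on the country and rate-limit rules and `type: block` on the WAF rule — and flag names such as `NOUA` and `NO-CONTENT-TYPE` suggest they fire on any request lacking a User-Agent or Content-Type header, which scripted clients and health checks commonly omit, so there is no observation period before legitimate traffic is dropped. Since `envTypes: ["dev"]` already means none of this reaches stage or prod, the safer rollout is to ship with `action: log` (and, if the schema accepts it as the linked docs seem to indicate, `type: log` under the WAF `action`), review CDN logs, and only then switch to block and widen `envTypes`; Adobe's guidance is, as far as I recall, to start in log mode, so confirm that against the documentation the README links. The `limit: 100` / `window: 1` rule is keyed on `clientIp` alone, so a shared corporate or carrier NAT egress that exceeds 100 req/s is blocked for `penalty: 300` seconds for everyone behind it — record that as an accepted trade-off in the comment or consider a higher limit. The `# Block access to OFAC countries` list is a hard-coded snapshot with no source or date, and sanctions programs change; I would extend the comment to `# Block access to OFAC-sanctioned countries (ISO 3166-1 alpha-2); last reviewed <date> against <source>` so a stale list does not silently drift from the stated intent.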