Basic concepts: Allow rules

Allow rules are a kind of whitelist filter: they define which requests are allowed.

There are two conditions that must be met by an HTTP request in order to be allowed for further processing:

  • There must be at least one applicable allow rule.
  • Each applicable allow rule must be satisfied by the HTTP request.

An allow rule is applicable if the path of a request URL matches the configured path pattern.

An allow rule is satisfied by an HTTP request if it is applicable and the HTTP request satisfies all criteria defined by the allow rule.

During processing of an HTTP request, allow rules are applied first. Deny rules are only applied if the allow rules allow the request.

Allow rule examples

Suppose you have a mapping with the following allow rule configuration.

Allow rules

The following allow rules are configured:

  • Rule 1
    • Name: Allow all
    • Enabled: False
  • Rule 2
    • Name: Wiki_known_filetypes
    • Enabled: True
    • Path pattern: (^$|/$|\.php$|\.css$|\.js$|\.ico$|\.pdf$|\.png$|\.php$)
    • HTTP method: <NOT CONFIGURED> => No restrictions
  • Rule 3
    • Name: Wiki_http_methods
    • Enabled: True
    • Path pattern: ^/dokuwiki/(?!comment\.php$)
    • HTTP method: "^(GET|HEAD)$"
  • Rule 4
    • Name: Wiki_comment
    • Enabled: True
    • Path pattern: ^/dokuwiki/comment\.php$
    • HTTP method: "^(GET|HEAD|POST)$"

Example requests

The examples below show which requests will be allowed or blocked based on the allow rule configuration.

  1. Received request: GET /dokuwiki/doku.php?id=37&date=20070305&fromdate=20101231

    Filter results:
    • The default allow rule Allow all is disabled and will be ignored.
    • The custom allow rule Wiki_known_filetypes is applicable, because the path pattern matches. The extension .php is allowed.
    • The custom allow rule Wiki_http_methods is applicable, because the path pattern matches. The HTTP method GET is allowed.
    • The custom allow rule Wiki_comment is not applicable, because the path pattern does not match.

    More than one allow rule is applicable and all of them are satisfied by the HTTP request. Therefore, the request is allowed.

  2. Received request: POST /dokuwiki/comment.php?id=357

    Filter results:
    • The default allow rule Allow all is disabled and will be ignored.
    • The custom allow rule Wiki_known_filetypes is applicable, because the path pattern matches. The extension .php is allowed.
    • The custom allow rule Wiki_http_methods is not applicable, because the path pattern does not match.
    • The custom allow rule Wiki_comment is applicable, because the path pattern matches. The HTTP method POST is allowed.

    More than one allow rule is applicable and all of them are satisfied by the HTTP request. Therefore, the request is allowed.

  3. Received request: POST /dokuwiki/users.php?id=987

    Filter results:
    • The default allow rule Allow all is disabled and will be ignored.
    • The custom allow rule Wiki_known_filetypes is applicable, because the path pattern matches. The extension .php is allowed.
    • The custom allow rule Wiki_http_methods is applicable, because the path pattern matches. The HTTP method POST is not allowed and therefore this rule is not satisfied.
    • The custom allow rule Wiki_comment is not applicable, because the path pattern does not match.

    More than one allow rule is applicable but not all of them are satisfied by the HTTP request. Therefore, the request is blocked.

The allow rule Wiki_http_methods contains a path pattern with a negative lookahead. The regex excludes /dokuwiki/comment.php from that rule so that additional HTTP methods can be allowed for comment.php in a separate allow rule (Wiki_comment). Without the lookahead, a POST to comment.php would be blocked, because Wiki_http_methods would also be applicable and only permits GET and HEAD.
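The following script is an added illustration of the two-condition evaluation described above (at least one applicable allow rule, and every applicable rule satisfied); it is not Airlock Microgateway code. It encodes the four rules of the mapping and replays the three example requests, plus one constructed request that no path pattern covers to show the "no applicable rule" case. Assumptions: patterns are applied with Python's `re.search`, so the anchors in the configured patterns decide where they may match; the path pattern of the disabled "Allow all" rule is not shown on the page and is assumed to be `^` (matches every path); only the URL path is matched, never the query string.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AllowRule:
    """One allow rule: applicable when its path pattern matches the request path,
    satisfied when every configured criterion (here only the HTTP method) also matches."""
    name: str
    enabled: bool
    path_pattern: str
    http_method: Optional[str] = None  # None = <NOT CONFIGURED> = no restriction


@dataclass
class Decision:
    allowed: bool
    applicable: List[str] = field(default_factory=list)   # names of applicable rules
    unsatisfied: List[str] = field(default_factory=list)  # applicable rules the request failed


# The four rules of the mapping above. The path pattern of "Allow all" is not shown
# on the page; "^" (matches every path) is assumed. The rule is disabled anyway.
RULES = [
    AllowRule("Allow all", enabled=False, path_pattern="^"),
    AllowRule("Wiki_known_filetypes", True,
              r"(^$|/$|\.php$|\.css$|\.js$|\.ico$|\.pdf$|\.png$|\.php$)"),
    AllowRule("Wiki_http_methods", True, r"^/dokuwiki/(?!comment\.php$)", r"^(GET|HEAD)$"),
    AllowRule("Wiki_comment", True, r"^/dokuwiki/comment\.php$", r"^(GET|HEAD|POST)$"),
]


def is_applicable(rule: AllowRule, path: str) -> bool:
    # Disabled rules are ignored. re.search is assumed; the configured anchors
    # (^, $) determine where the pattern may match within the path.
    return rule.enabled and re.search(rule.path_pattern, path) is not None


def is_satisfied(rule: AllowRule, method: str, path: str) -> bool:
    # A rule is satisfied only if it is applicable and all its criteria hold.
    if not is_applicable(rule, path):
        return False
    if rule.http_method is not None and re.search(rule.http_method, method) is None:
        return False
    return True


def evaluate(rules: List[AllowRule], method: str, url: str) -> Decision:
    # Only the path of the request URL is matched against path patterns.
    path = urlsplit(url).path
    decision = Decision(allowed=False)
    for rule in rules:
        if not is_applicable(rule, path):
            continue
        decision.applicable.append(rule.name)
        if not is_satisfied(rule, method, path):
            decision.unsatisfied.append(rule.name)
    # Condition 1: at least one applicable rule. Condition 2: all of them satisfied.
    decision.allowed = bool(decision.applicable) and not decision.unsatisfied
    return decision


if __name__ == "__main__":
    # The three requests from the examples, plus one constructed request
    # ("/api/status") that matches no path pattern and is therefore blocked.
    for method, url in [
        ("GET", "/dokuwiki/doku.php?id=37&date=20070305&fromdate=20101231"),
        ("POST", "/dokuwiki/comment.php?id=357"),
        ("POST", "/dokuwiki/users.php?id=987"),
        ("GET", "/api/status"),
    ]:
        d = evaluate(RULES, method, url)
        verdict = "allowed" if d.allowed else "blocked"
        print(f"{method} {url}: {verdict}; applicable={d.applicable}; unsatisfied={d.unsatisfied}")
```

The fourth request is worth keeping in mind when writing rules: a request that no enabled allow rule covers is blocked even though no rule "rejected" it, which is the whitelist property the first condition enforces. Removing the negative lookahead from Wiki_http_methods in `RULES` makes the second request report `unsatisfied=['Wiki_http_methods']` and flips it to blocked.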

Filtering JSON attributes

Airlock Microgateway automatically generates parameters from JSON objects. These JSON parameters are treated like parameters in GET or POST requests. For details please refer to the JSON filtering page.