From d37db3128951b637d094cb02d11376d3e7ae089e Mon Sep 17 00:00:00 2001 From: lvalentine6 Date: Wed, 24 Sep 2025 00:01:57 +0900 Subject: [PATCH 1/5] =?UTF-8?q?fix:=20ua=20=EC=A1=B0=EA=B1=B4=20=EC=A0=9C?= =?UTF-8?q?=EA=B1=B0=20=EB=B0=8F=20x-origin-verify=20Header=20=EA=B2=80?= =?UTF-8?q?=EC=82=AC=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- terraform/common/waf/main.tf | 94 ++++++++++++++---------------------- 1 file changed, 37 insertions(+), 57 deletions(-) diff --git a/terraform/common/waf/main.tf b/terraform/common/waf/main.tf index ba533e2..4d1fe6b 100644 --- a/terraform/common/waf/main.tf +++ b/terraform/common/waf/main.tf @@ -1,3 +1,7 @@ +data "aws_ssm_parameter" "x_origin_verify" { + name = "/common/CLIENT_HEADER_SECRET" +} + resource "aws_wafv2_web_acl" "this" { name = "${var.project_name}-web-acl" scope = "REGIONAL" @@ -26,6 +30,39 @@ resource "aws_wafv2_web_acl" "this" { } } + # x-origin-verify Header Check Rule + rule { + name = "X-Origin-Verify-Header-Check" + priority = 5 + action { + block {} + } + statement { + not_statement { + statement { + byte_match_statement { + search_string = data.aws_ssm_parameter.x_origin_verify.value + positional_constraint = "EXACTLY" + field_to_match { + single_header { + name = "x-origin-verify" + } + } + text_transformation { + priority = 0 + type = "NONE" + } + } + } + } + } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "x-origin-verify-check" + sampled_requests_enabled = true + } + } + # AWS Managed Core Rule Set rule { name = "AWS-Managed-Core-Rule-Set" 
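Review bot: Interpolating `data.aws_ssm_parameter.x_origin_verify.value` straight into the rule's `search_string` copies the shared secret out of SSM into the Terraform state file and into the web ACL's rule definition, so anyone who can read state or describe the ACL can recover it. The data source should carry a comment recording that, e.g. `# Secret is embedded in the WAF rule and therefore in Terraform state; restrict state/ACL read access and rotate via SSM + re-apply`. It is also worth confirming that the state backend is encrypted and access-restricted, and that rotation is a documented step, since changing the SSM parameter alone does not update the rule until the next apply.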
@@ -90,25 +127,15 @@ resource "aws_wafv2_web_acl" "this" { rule { name = "AWS-Managed-Bot-Control-Rule-Set" priority = 40 - override_action { none {} } - statement { managed_rule_group_statement { vendor_name = "AWS" name = "AWSManagedRulesBotControlRuleSet" - - rule_action_override { - name = "SignalNonBrowserUserAgent" - action_to_use { - count {} - } - } } } - visibility_config { cloudwatch_metrics_enabled = true metric_name = "aws-managed-bot-control" @@ -116,53 +143,6 @@ resource "aws_wafv2_web_acl" "this" { } } - # 임시 조치로 ua가 node일 경우만 통과시킴 - rule { - name = "Block-Non-Node-User-Agents" - priority = 41 - - action { - block {} - } - - statement { - and_statement { - statement { - label_match_statement { - scope = "LABEL" - key = "awswaf:managed:aws:bot-control:signal:non_browser_user_agent" - } - } - - statement { - not_statement { - statement { - byte_match_statement { - search_string = "node" - field_to_match { - single_header { - name = "user-agent" - } - } - positional_constraint = "CONTAINS" - text_transformation { - priority = 0 - type = "NONE" - } - } - } - } - } - } - } - - visibility_config { - cloudwatch_metrics_enabled = true - metric_name = "block-non-node-uas" - sampled_requests_enabled = true - } - } - # Anonymous IP list rule { name = "AWS-Managed-Anonymous-IP-List" From a400c773ca1ddf1a549d5221d1f9db892109c33c Mon Sep 17 00:00:00 2001 From: lvalentine6 Date: Wed, 24 Sep 2025 18:23:07 +0900 Subject: [PATCH 2/5] =?UTF-8?q?fix:=20=EB=85=B8=EB=93=9C-=EC=84=9C?= =?UTF-8?q?=EB=B2=84=EA=B0=84=20=EC=9A=94=EC=B2=AD=EC=9D=80=20=EA=B2=80?= =?UTF-8?q?=EC=A6=9D,=20=EA=B8=B0=EB=B3=B8=20=EC=9A=94=EC=B2=AD=EC=9D=80?= =?UTF-8?q?=20CORS?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- terraform/common/waf/main.tf | 110 +++++++++++++++++++++++++++-------- 1 file changed, 85 insertions(+), 25 deletions(-) diff --git a/terraform/common/waf/main.tf b/terraform/common/waf/main.tf index 4d1fe6b..f554fe9 100644 
--- a/terraform/common/waf/main.tf
+++ b/terraform/common/waf/main.tf
@@ -7,58 +7,118 @@ resource "aws_wafv2_web_acl" "this" { scope = "REGIONAL" default_action { - allow {} + block {} } - # Rate-based Rule (HTTP Flood) rule { - name = "Rate-Limit-Rule" - priority = 1 + name = "Allow-Verified-Server-Requests" + priority = 5 action { - block {} + allow {} } statement { - rate_based_statement { - limit = var.request_threshold - aggregate_key_type = "IP" + and_statement { + statement { + byte_match_statement { + field_to_match { + single_header { + name = "user-agent" + } + } + search_string = "node" + positional_constraint = "CONTAINS" + text_transformation { + priority = 0 + type = "NONE" + } + } + } + statement { + byte_match_statement { + field_to_match { + single_header { + name = "x-origin-verify" + } + } + search_string = data.aws_ssm_parameter.x_origin_verify.value + positional_constraint = "EXACTLY" + text_transformation { + priority = 0 + type = "NONE" + } + } + } } } visibility_config { cloudwatch_metrics_enabled = true - metric_name = "rate-limit-rule" + metric_name = "allow-verified-server-requests" sampled_requests_enabled = true } } - # x-origin-verify Header Check Rule rule { - name = "X-Origin-Verify-Header-Check" - priority = 5 + name = "Allow-Browser-Requests" + priority = 10 action { - block {} + allow {} } statement { - not_statement { + or_statement { statement { - byte_match_statement { - search_string = data.aws_ssm_parameter.x_origin_verify.value - positional_constraint = "EXACTLY" + size_constraint_statement { field_to_match { single_header { - name = "x-origin-verify" + name = "origin" } } + comparison_operator = "GT" + size = 0 text_transformation { priority = 0 type = "NONE" } } } + statement { + size_constraint_statement { + field_to_match { + single_header { + name = "referer" + } + } + comparison_operator = "GT" + size = 0 + text_transformation { + priority = 0 + type = "NONE" + } + } + } + } + } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "allow-browser-requests" + 
sampled_requests_enabled = true + } + } + + rule { + name = "Rate-Limit-Rule" + priority = 20 + action { + block {} + } + statement { + rate_based_statement { + limit = var.request_threshold + aggregate_key_type = "IP" } } visibility_config { cloudwatch_metrics_enabled = true - metric_name = "x-origin-verify-check" + metric_name = "rate-limit-rule" sampled_requests_enabled = true } } @@ -66,7 +126,7 @@ resource "aws_wafv2_web_acl" "this" { # AWS Managed Core Rule Set rule { name = "AWS-Managed-Core-Rule-Set" - priority = 10 + priority = 30 override_action { none {} } @@ -86,7 +146,7 @@ resource "aws_wafv2_web_acl" "this" { # Scanners & Probes Protection rule { name = "AWS-Managed-Known-Bad-Inputs-Rule-Set" - priority = 20 + priority = 40 override_action { none {} } @@ -106,7 +166,7 @@ resource "aws_wafv2_web_acl" "this" { # Reputation Lists Protection rule { name = "AWS-Managed-Amazon-IP-Reputation-List" - priority = 30 + priority = 50 override_action { none {} } @@ -126,7 +186,7 @@ resource "aws_wafv2_web_acl" "this" { # Bad Bot Protection rule { name = "AWS-Managed-Bot-Control-Rule-Set" - priority = 40 + priority = 60 override_action { none {} } @@ -146,7 +206,7 @@ resource "aws_wafv2_web_acl" "this" { # Anonymous IP list rule { name = "AWS-Managed-Anonymous-IP-List" - priority = 50 + priority = 70 override_action { none {} } @@ -166,7 +226,7 @@ resource "aws_wafv2_web_acl" "this" { # SQL database rule { name = "AWS-Managed-SQLi-Rule-Set" - priority = 60 + priority = 80 override_action { none {} } From 450e1f8ee216a3f825c52d33981f44605e6369c1 Mon Sep 17 00:00:00 2001 
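Review bot: The two new `allow {}` rules at priority 5 and 10 are terminating actions, so any request carrying an `origin` or `referer` header (or the verified server header) is allowed before `Rate-Limit-Rule` (priority 20) and the managed rule groups at 30–80 ever evaluate it; those headers are supplied by the client, so for ordinary traffic this effectively switches off the Core, Known-Bad-Inputs, SQLi, Bot Control and reputation rule sets the ACL still declares. Giving the two allow rules priorities above the managed groups, e.g. `priority = 90` for `Allow-Verified-Server-Requests` and `priority = 100` for `Allow-Browser-Requests`, keeps those blocks effective while `default_action { block {} }` still drops anything the allow rules do not match; after reordering, check that the managed groups do not flag the server-to-server traffic. The `Allow-Browser-Requests` rule should also carry a comment such as `# Presence of origin/referer only separates browser-shaped from headerless requests; it is not an authentication check`. The enclosing resource starts before this hunk and continues past it.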
From: lvalentine6 Date: Wed, 24 Sep 2025 18:47:09 +0900 Subject: [PATCH 3/5] =?UTF-8?q?fix:=20vercel=20=ED=95=A8=EC=88=98=20?= =?UTF-8?q?=EC=B6=94=EA=B0=80=20=EB=B0=8F=20=EC=8A=A4=EB=A0=88=EB=93=9C=20?= =?UTF-8?q?=ED=99=80=EB=93=9C=20=EC=83=81=ED=96=A5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- terraform/common/locals.tf | 2 +- terraform/common/waf/main.tf | 37 +++++++++++++++++++++++++++--------- 2 files changed, 29 insertions(+), 10 deletions(-) diff --git a/terraform/common/locals.tf b/terraform/common/locals.tf index 5fa48ae..819db71 100644 --- a/terraform/common/locals.tf +++ b/terraform/common/locals.tf @@ -251,5 +251,5 @@ locals { } locals { - request_threshold = 200 + request_threshold = 2000 } diff --git a/terraform/common/waf/main.tf b/terraform/common/waf/main.tf index f554fe9..7e68559 100644 --- a/terraform/common/waf/main.tf +++ b/terraform/common/waf/main.tf @@ -19,17 +19,36 @@ resource "aws_wafv2_web_acl" "this" { statement { and_statement { statement { - byte_match_statement { - field_to_match { - single_header { - name = "user-agent" + or_statement { + statement { + byte_match_statement { + field_to_match { + single_header { + name = "user-agent" + } + } + search_string = "node" + positional_constraint = "CONTAINS" + text_transformation { + priority = 0 + type = "NONE" + } } } - search_string = "node" - positional_constraint = "CONTAINS" - text_transformation { - priority = 0 - type = "NONE" + statement { + byte_match_statement { + field_to_match { + single_header { + name = "user-agent" + } + } + search_string = "Vercel" + positional_constraint = "CONTAINS" + text_transformation { + priority = 0 + type = "NONE" + } + } } } } From b08b672f1463a98b005c062e1d036e282abdd90b Mon Sep 17 00:00:00 2001 
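Review bot: The new `or_statement` widens the user-agent half of the and_statement to `node` or `Vercel`, but both matches use `type = "NONE"`, so they are byte-for-byte case-sensitive, and `CONTAINS "node"` is a very loose substring; the secret `x-origin-verify` comparison in the sibling statement (outside this hunk) is what actually gates the allow, and a comment should say so, e.g. `# UA match is a coarse sanity filter only; the x-origin-verify secret is the real gate`. If the Vercel runtime's actual user-agent casing differs from the literal, the rule silently falls through to the default block, so a `LOWERCASE` text transformation with lowercase search strings would be more robust. The enclosing rule starts and ends outside the hunk.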
From: lvalentine6 Date: Wed, 24 Sep 2025 18:51:48 +0900 Subject: [PATCH 4/5] =?UTF-8?q?fix:=20vercel=20=ED=95=A8=EC=88=98=20?= =?UTF-8?q?=EC=B6=94=EA=B0=80=20=EB=B0=8F=20=EC=8A=A4=EB=A0=88=EB=93=9C=20?= =?UTF-8?q?=ED=99=80=EB=93=9C=20=EC=83=81=ED=96=A5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- terraform/common/locals.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/common/locals.tf b/terraform/common/locals.tf index 819db71..3d45331 100644 --- a/terraform/common/locals.tf +++ b/terraform/common/locals.tf @@ -4,7 +4,6 @@ data "aws_region" "current" {} locals { group_name = "power" project_name = "eatda" - admin_email = "yappweb1server@gmail.com" policy_arns = [ "arn:aws:iam::aws:policy/AdministratorAccess", From 86a7f42953753a0fd61ab42a818edcc15032f5f5 Mon Sep 17 00:00:00 2001 From: lvalentine6 Date: Wed, 24 Sep 2025 21:50:52 +0900 Subject: [PATCH 5/5] =?UTF-8?q?fix:=20x-origin-verify=20=EB=A7=88=EC=8A=A4?= =?UTF-8?q?=ED=82=B9=20=EC=B2=98=EB=A6=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- terraform/common/main.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/terraform/common/main.tf b/terraform/common/main.tf index 2052d1b..afcda04 100644 --- a/terraform/common/main.tf +++ b/terraform/common/main.tf @@ -74,4 +74,9 @@ resource "aws_cloudwatch_log_group" "waf_logs" { resource "aws_wafv2_web_acl_logging_configuration" "this" { log_destination_configs = [trimsuffix(aws_cloudwatch_log_group.waf_logs.arn, ":*")] resource_arn = module.waf.web_acl_arn + redacted_fields { + single_header { + name = "x-origin-verify" + } + } }
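Review bot: `redacted_fields` keeps `x-origin-verify` out of the CloudWatch log stream, but the rules that match on it still have `sampled_requests_enabled = true` in `terraform/common/waf/main.tf`, and I do not believe log redaction covers the sampled requests shown in the console — worth confirming, and if it does not, sampling should be disabled on `Allow-Verified-Server-Requests` or the exposure accepted explicitly. A one-line comment above the block, `# x-origin-verify carries the shared secret; keep it out of WAF logs`, would record why this field is redacted. The value also remains in Terraform state through the rule's search_string, which this change does not address.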