New allow rule logic explained

With Airlock 4.1, we changed the logic and configuration of allow rules (aka white lists).
This article explains how the new logic works and answers typical questions.

White List logic

There are two conditions that must be met by an HTTP request in order to be allowed for further processing:

  1. There must be at least one applicable allow rule.
    An allow rule is applicable if the request path matches the path pattern.
  2. Each applicable allow rule must be fully satisfied by the HTTP request.
    An allow rule is satisfied by an HTTP request if it is applicable and the HTTP request satisfies all criteria defined by the allow rule.

Checking the criteria of an applicable allow rule includes the following steps:

  • The request method and content type of the request must match the corresponding pattern.
  • The client IP address must match the defined IP pattern.
  • Each parameter of the request must match at least one parameter name pattern in the list.
  • If the name of a parameter matches, the parameter value must also match the corresponding value pattern.
    If the Invert flag is set, the value pattern must match the values of all parameters not matching the parameter value pattern.
  • If a parameter restriction is marked as required, at least one request parameter must match it. Requests without such a parameter are therefore blocked.
  • If the list of parameter restrictions is empty, the request must not contain any parameters. For this reason, the default parameter restriction contains a ".*" parameter name and value pattern.
  • The order of the parameter restrictions is not relevant, i.e. you cannot enforce a certain order among the request parameters in a request.

During processing of an HTTP request, allow rules are applied first. Deny rules are only applied if the allow rules allow the request.
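
The decision logic described above, as an added Python example (not Airlock code or its configuration format). Assumptions: every pattern is treated as a full-match regular expression, a parameter value must match every restriction whose name pattern matches, and the Invert flag is left out; all class, field and function names are hypothetical.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Param:                      # one parameter restriction (hypothetical name)
    name: str                     # pattern for the parameter name
    value: str = ".*"             # pattern for the parameter value
    required: bool = False

@dataclass
class AllowRule:
    path: str
    method: str = ".*"
    content_type: str = ".*"
    client_ip: str = ".*"
    # Default restriction from the article: ".*" name and value pattern.
    params: list = field(default_factory=lambda: [Param(".*")])

def m(pattern, text):
    # Assumption: a pattern has to match the whole string.
    return re.fullmatch(pattern, text) is not None

def satisfied(rule, req):
    if not (m(rule.method, req["method"]) and m(rule.client_ip, req["ip"])
            and m(rule.content_type, req.get("ctype", ""))):
        return False
    for name, value in req.get("params", []):
        hits = [p for p in rule.params if m(p.name, name)]
        # No matching name pattern (always the case for an empty list) blocks.
        # Assumption: the value must match every restriction the name matched.
        if not hits or not all(m(p.value, value) for p in hits):
            return False
    names = [n for n, _ in req.get("params", [])]
    return all(any(m(p.name, n) for n in names) for p in rule.params if p.required)

def allowed(rules, req):
    applicable = [r for r in rules if m(r.path, req["path"])]
    # Condition 1: at least one applicable rule. Condition 2: all are satisfied.
    # Deny rules would only be evaluated after this returns True.
    return bool(applicable) and all(satisfied(r, req) for r in applicable)

# Constructed sample rules and request helper (not taken from a real setup).
RULES = [
    AllowRule(path="/app/.*"),
    AllowRule(path="/app/login", method="POST",
              params=[Param("user", "[a-z]{1,16}", True), Param("pass", ".+", True)]),
    AllowRule(path="/static/.*", params=[]),
]

def req(method, path, params=(), ip="192.0.2.10"):
    return {"method": method, "path": path, "params": list(params), "ip": ip}
```

A `GET` to `/app/login` is blocked here even though the broad `/app/.*` rule is satisfied, because the narrower rule is also applicable and its method pattern fails.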
