Web Application Firewall
Protect your tunnels from common web attacks with WAF rules
Overview
Web Application Firewall (WAF) policies detect and block common web attacks such as SQL injection, XSS, path traversal, and more. Essential for protecting APIs and web applications from malicious requests.
Key Features
- SQL Injection detection
- Cross-Site Scripting (XSS) protection
- Path traversal prevention
- Command injection detection
- Custom regex pattern matching
- Multiple action types: block, log, challenge
Configuration Schema
| Field | Type | Description |
|---|---|---|
| rules | Array of strings (required) | List of enabled WAF rule types. Available built-in rules: |
| custom_patterns | Array of objects (optional) | Custom regex patterns for additional detection. Each pattern object has: |
How It Works
- WAF rules scan incoming requests for attack patterns in URL paths, query parameters, headers, and request bodies
- Built-in rules use pre-compiled regex patterns to detect common web attacks
- Custom patterns allow you to add your own detection rules using regular expressions
- When a rule matches, the request is immediately blocked with a 403 Forbidden response
- All blocked requests are logged to audit logs for security monitoring
- Rules are evaluated in order: first match wins (fail-fast)
Built-in Attack Detection
SQL Injection
Detects SQL injection attempts in URLs, headers, and request bodies:
- UNION SELECT attacks
- OR 1=1 conditions
- Comment injection (-- and /* */)
- Hex and encoded SQL keywords
Cross-Site Scripting (XSS)
Blocks XSS attempts:
- <script> tags and event handlers
- JavaScript protocol handlers (javascript:)
- Data URIs with scripts
- Encoded XSS payloads
Path Traversal
Prevents directory traversal attacks:
- ../ and ..\ sequences
- Absolute path references (/etc/passwd)
- URL-encoded traversal attempts
Command Injection
Detects OS command injection:
- Shell metacharacters (; | & ` $)
- Command chaining attempts
- Backtick and $() execution
Configuration Examples
Example 1: Basic Protection
```json
{
  "name": "Basic WAF",
  "rules": [
    {
      "type": "sql_injection",
      "action": "block",
      "severity": "high"
    },
    {
      "type": "xss",
      "action": "block",
      "severity": "high"
    }
  ]
}
```
Block SQL injection and XSS attacks.
Example 2: Comprehensive Protection
```json
{
  "name": "Full WAF Protection",
  "rules": [
    {
      "type": "sql_injection",
      "action": "block",
      "severity": "critical"
    },
    {
      "type": "xss",
      "action": "block",
      "severity": "critical"
    },
    {
      "type": "path_traversal",
      "action": "block",
      "severity": "high"
    },
    {
      "type": "cmd_injection",
      "action": "block",
      "severity": "critical"
    }
  ],
  "log_all_blocks": true
}
```
Enable all built-in protection rules.
Example 3: Custom Pattern Matching
```json
{
  "name": "Custom Rules",
  "rules": [
    {
      "type": "custom",
      "pattern": "\\b(admin|root|superuser)\\b",
      "action": "log",
      "severity": "medium",
      "message": "Privileged username detected"
    },
    {
      "type": "custom",
      "pattern": "\\b(password|secret|apikey)=\\w+",
      "action": "block",
      "severity": "high",
      "message": "Credentials in URL"
    }
  ]
}
```
Create custom rules with regex patterns.
Example 4: Log Mode (Testing)
```json
{
  "name": "WAF Testing Mode",
  "rules": [
    {
      "type": "sql_injection",
      "action": "log",
      "severity": "high"
    },
    {
      "type": "xss",
      "action": "log",
      "severity": "high"
    }
  ]
}
```
Log attacks without blocking (useful for testing false positives).
Example 5: API-Specific Protection
```json
{
  "name": "API Protection",
  "rules": [
    {
      "type": "sql_injection",
      "action": "block",
      "severity": "critical"
    },
    {
      "type": "custom",
      "pattern": "\\beval\\(|exec\\(|system\\(",
      "action": "block",
      "severity": "critical",
      "message": "Code execution attempt"
    },
    {
      "type": "custom",
      "pattern": "\\.\\./|\\.\\.\\\\",
      "action": "block",
      "severity": "high",
      "message": "Path traversal attempt"
    }
  ]
}
```
Protect APIs from injection and code execution.
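As an added example (not the product's own code), the small Python evaluator below applies a policy in the shape of the JSON examples above the way the How It Works section describes it: rules are tried in order, the first match wins, a block action answers 403 and a log action lets the request through. The built-in patterns are simplified stand-ins that I assume for the demo, and the query string is split into decoded parameters so an encoded payload is still caught while the "&" separator does not trip the command-injection rule.

```python
import re
from urllib.parse import parse_qsl, unquote

# Simplified stand-ins for the product's built-in patterns (assumptions for
# this example; the real pre-compiled patterns are not published here). They
# are deliberately crude: cmd_injection fires on the ';' in an ordinary Accept
# header, which is exactly why the page recommends starting in log mode.
BUILTIN_PATTERNS = {
    "sql_injection": r"(?i)\bunion\s+select\b|\bor\s+'?\w+'?\s*=\s*'?\w+'?|--|/\*.*?\*/",
    "xss": r"(?i)<\s*script\b|\bon\w+\s*=|javascript:",
    "path_traversal": r"\.\./|\.\.\\|/etc/passwd",
    "cmd_injection": r"[;|&`]|\$\(",
}

def compile_policy(policy):
    """Compile a policy dict (same shape as the JSON examples above) into an
    ordered list of (regex, rule); custom rules supply their own pattern."""
    compiled = []
    for rule in policy["rules"]:
        pattern = rule["pattern"] if rule["type"] == "custom" else BUILTIN_PATTERNS[rule["type"]]
        compiled.append((re.compile(pattern), rule))
    return compiled

def inspect_request(compiled, path, query, headers, body):
    """Evaluate one request in rule order (first match wins). Returns a dict
    with status 403 for a block action, 200 otherwise (log/challenge/allow).
    The path is URL-decoded and the query split into decoded key=value pairs,
    so encoded payloads are still seen while the '&' separator never reaches
    the cmd_injection rule."""
    fields = [unquote(path), body, *headers.values()]
    fields += [f"{k}={v}" for k, v in parse_qsl(query, keep_blank_values=True)]
    for regex, rule in compiled:
        if any(regex.search(f) for f in fields):
            status = 403 if rule["action"] == "block" else 200
            return {"status": status, "type": rule["type"], "action": rule["action"]}
    return {"status": 200, "type": None, "action": None}

if __name__ == "__main__":
    # Constructed policy: SQLi blocked, XSS in log mode (as in Example 4),
    # plus the "Credentials in URL" custom rule from Example 3.
    policy = {"name": "Demo WAF", "rules": [
        {"type": "sql_injection", "action": "block", "severity": "high"},
        {"type": "xss", "action": "log", "severity": "high"},
        {"type": "custom", "pattern": r"\b(password|secret|apikey)=\w+",
         "action": "block", "severity": "high", "message": "Credentials in URL"},
    ]}
    waf = compile_policy(policy)
    print(inspect_request(waf, "/", "id=1' OR '1'='1", {}, ""))             # 403 sql_injection
    print(inspect_request(waf, "/search", "q=hello&apikey=abc123", {}, ""))  # 403 custom
```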
Common Use Cases
API Protection
Protect REST APIs from injection attacks and malicious payloads.
Web Application Security
Block common OWASP Top 10 attacks on web applications.
Vulnerability Scanning
Detect and log automated vulnerability scanners.
Compliance Requirements
Meet security compliance standards (PCI DSS, HIPAA).
Zero-Day Protection
Generic attack pattern detection for unknown vulnerabilities.
How to Use
Step 1: Create Policy
Go to Dashboard → Security → WAF Rules
- Click "Create Policy"
- Enter policy name and description
- Select built-in rules to enable
- Add custom regex patterns if needed
- Choose action (block/log/challenge) for each rule
- Save the policy
Step 2: Apply to Tunnel
```bash
ngsrv http 3000 --policy ngsrv_waf_ABC123
```
Step 3: Test Protection
```bash
# Test SQL injection
curl "https://myapp.tnl.ngsrv.com?id=1' OR '1'='1"
# Test XSS
curl "https://myapp.tnl.ngsrv.com?name=<script>alert(1)</script>"
```
Both should return 403 Forbidden if the WAF is working.
Best Practices
✅ Start in Log Mode
Test WAF rules in "log" mode first to check for false positives.
✅ Enable All Core Rules
Use SQL injection, XSS, path traversal, and command injection protection by default.
⚠️ Monitor Audit Logs
Regularly review blocked requests to fine-tune rules.
💡 Combine with Rate Limiting
Use WAF with rate limiting for defense-in-depth.
❌ Don't Block Legitimate Traffic
Whitelist known safe patterns to avoid false positives.