这是我使用的 json 格式的 Web ACL 定义。我默认阻止所有流量,然后添加了 1 条规则以允许来自小范围 IP 的流量
{
"Name": "app-*-WebACL",
"Id": "fbb1f8f1-d78b-42de-8ebf-*",
"ARN": "arn:aws:wafv2:us-east-1:*:global/webacl/app-*-WebACL/fbb1f8f1-d78b-42de-8ebf-*",
"DefaultAction": {
"Block": {}
},
"Description": "",
"Rules": [
{
"Name": "OnlyAllowSomeIPs",
"Priority": 0,
"Statement": {
"IPSetReferenceStatement": {
"ARN": "arn:aws:wafv2:us-east-1:*:global/ipset/app-*-ipset/2d0e7033-9007-43ad-b755-*"
}
},
"Action": {
"Allow": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "OnlyAllowSomeIPs"
}
}
],
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": false,
"MetricName": "app-*-webACL"
},
"Capacity": 1,
"ManagedByFirewallManager": false
}
当我从列入白名单的 IP 中访问关联的 Cloudfront 时,一切都按预期进行。当我从允许的范围之外点击它时,我希望被阻止访问 - 我仍然能够访问内容。我看到响应标头 x-cache: Error from cloudfront
,但正在提供内容本身。我如何使块工作?