From 3669dfdd26a134d1c8a3cecb1d3e8cff7bddeed5 Mon Sep 17 00:00:00 2001
From: Quentin Vecchio
Date: Wed, 14 Aug 2024 14:27:38 +0200
Subject: [PATCH] Reflect latest recommend CDN rules
---
 config/cdn.yaml | 111 +++++++++++++++++++++++++++++-------------------
 1 file changed, 68 insertions(+), 43 deletions(-)
diff --git a/config/cdn.yaml b/config/cdn.yaml
index 386e60834a..cd69cc12ef 100644
--- a/config/cdn.yaml
+++ b/config/cdn.yaml
@@ -1,49 +1,74 @@
 kind: "CDN"
 version: "1"
 metadata:
- envTypes: ["dev"]
+ envTypes: ["dev", "stage", "prod"]
 data:
 trafficFilters:
 rules:
- # Block access to a given path
- # - name: block-path
- # when:
- # allOf:
- # - reqProperty: tier
- # matches: "author|publish"
- # - reqProperty: path
- # equals: '/block/me'
- # action: block
- # Block access to OFAC countries
- - name: block-ofac-countries
- when:
- allOf:
- - reqProperty: tier
- matches: "author|publish"
- - reqProperty: clientCountry
- in:
- - SY
- - BY
- - MM
- - KP
- - IQ
- - CD
- - SD
- - IR
- - LR
- - ZW
- - CU
- - CI
- action: block
- # Block client for 5m when it exceeds 100 req/sec on a time window of 1sec
- - name: limit-requests-per-client-ip
- when:
- reqProperty: tier
- matches: "author|publish"
- rateLimit:
- limit: 100
- window: 1
- penalty: 300
- groupBy:
- - reqProperty: clientIp
- action: block
+ # Block client for 5m when it exceeds an average of 100 req/sec to origin on a time window of 10sec
+ - name: limit-origin-requests-client-ip
+ when:
+ reqProperty: tier
+ equals: 'publish'
+ rateLimit:
+ limit: 100
+ window: 10
+ count: fetches
+ penalty: 300
+ groupBy:
+ - reqProperty: clientIp
+ action: log
+ # Block client for 5m when it exceeds an average of 500 req/sec on a time window of 10sec
+ - name: limit-requests-client-ip
+ when:
+ reqProperty: tier
+ equals: 'publish'
+ rateLimit:
+ limit: 500
+ window: 10
+ count: all
+ penalty: 300
+ groupBy:
+ - reqProperty: clientIp
+ action: log
+ # Block requests coming from OFAC countries
+ - name: block-ofac-countries
+ when:
+ allOf:
+ - { reqProperty: tier, in: ["author", "publish"] }
+ - reqProperty: clientCountry
+ in:
+ - SY
+ - BY
+ - MM
+ - KP
+ - IQ
+ - CD
+ - SD
+ - IR
+ - LR
+ - ZW
+ - CU
+ - CI
+ action: log
+ # Enable recommended WAF protections (only works if WAF is licensed enabled for your environment)
+ - name: block-waf-flags-globally
+ when:
+ reqProperty: tier
+ in: ["author", "publish"]
+ action:
+ type: log
+ wafFlags:
+ - TRAVERSAL
+ - CMDEXE-NO-BIN
+ - XSS
+ - LOG4J-JNDI
+ - BACKDOOR
+ - USERAGENT
+ - SQLI
+ - SANS
+ - TORNODE
+ - NOUA
+ - SCANNER
+ - PRIVATEFILE
+ - NULLBYTE
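Review bot: The comments on the three new rules (`# Block client for 5m ...` twice and `# Block requests coming from OFAC countries`) and the rule name `block-waf-flags-globally` all promise blocking, but every added rule carries `action: log` (or `type: log` for the WAF rule), so after this change nothing in the file blocks, while `envTypes` now also covers `stage` and `prod`. If log-only mode is the intended first rollout step, the comments should say so rather than describe a block; otherwise the actions should be `block`. I would add one comment above the `rules:` list, `# All rules currently run in log-only mode (action: log); switch to action: block after reviewing the logs`, and drop the word "Block" from the per-rule comments. If the engine applies `penalty` only when a request is actually blocked, the `penalty: 300` on the two rate-limit rules is inert until the action changes, which is worth confirming against the rule documentation. Minor style point: the OFAC rule mixes flow style (`- { reqProperty: tier, in: ["author", "publish"] }`) with the block style used for the same `when:` shape everywhere else in the file.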