waas.oracle.com/v1beta1
APIVersion: waas.oracle.com/v1beta1
This content is generated from the checked-in CRD schemas in config/crd/bases/. If a description is missing or incorrect, fix the source comments or generator inputs and rerun make generate manifests; do not hand-edit config/crd/bases/*.yaml.
Packages
No customer-visible package currently exposes waas.oracle.com/v1beta1.
Resources
AddressList
AddressList is the Schema for the addresslists API.
Plural: addresslists
Scope: Namespaced
APIVersion: waas.oracle.com/v1beta1
Sample: config/samples/waas_v1beta1_addresslist.yaml
Packages: Not currently exposed by a customer-visible package.
Spec
AddressListSpec defines the desired state of AddressList.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| addresses | A list of IP addresses or CIDR notations. | list[string] | Yes | - | - |
| compartmentId | The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the compartment in which to create the address list. | string | Yes | - | - |
| definedTags | Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Operations": {"CostCenter": "42"}} | map[string, map[string, string]] | No | - | - |
| displayName | A user-friendly name for the address list. | string | Yes | - | - |
| freeformTags | Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Department": "Finance"} | map[string, string] | No | - | - |
Status
AddressListStatus defines the observed state of AddressList.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| addressCount | The total number of unique IP addresses in the address list. | number | No | - | - |
| addresses | The list of IP addresses or CIDR notations. | list[string] | No | - | - |
| compartmentId | The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the address list's compartment. | string | No | - | - |
| definedTags | Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Operations": {"CostCenter": "42"}} | map[string, map[string, string]] | No | - | - |
| displayName | The user-friendly name of the address list. | string | No | - | - |
| freeformTags | Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Department": "Finance"} | map[string, string] | No | - | - |
| id | The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the address list. | string | No | - | - |
| lifecycleState | The current lifecycle state of the address list. | string | No | - | - |
| status | - | object | Yes | - | - |
| timeCreated | The date and time the address list was created, expressed in RFC 3339 timestamp format. | string | No | - | - |
Status.status
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| async | Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first. | object | No | - | - |
| conditions | - | list[object] | No | - | - |
| createdAt | - | string (date-time) | No | - | - |
| deletedAt | - | string (date-time) | No | - | - |
| message | - | string | No | - | - |
| ocid | - | string | No | - | - |
| opcRequestId | OpcRequestID is the latest non-empty OCI request ID from a mutating OCI response or surfaced OCI service error that materially contributed to the current shared status projection. Headerless follow-up observations keep the last non-empty value intact. | string | No | - | - |
| reason | - | string | No | - | - |
| requestedAt | - | string (date-time) | No | - | - |
| updatedAt | - | string (date-time) | No | - | - |
Status.status.async
Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| current | - | object | No | - | - |
Status.status.async.current
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| message | - | string | No | - | - |
| normalizedClass | - | string | Yes | - | attention, canceled, failed, pending, succeeded, unknown |
| percentComplete | - | number | No | - | - |
| phase | - | string | Yes | - | create, delete, update |
| rawOperationType | - | string | No | - | - |
| rawStatus | - | string | No | - | - |
| source | - | string | Yes | - | lifecycle, none, workrequest |
| updatedAt | - | string (date-time) | Yes | - | - |
| workRequestId | - | string | No | - | - |
Status.status.conditions[]
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| lastTransitionTime | - | string (date-time) | No | - | - |
| message | - | string | No | - | - |
| reason | - | string | No | - | - |
| status | - | string | Yes | - | - |
| type | - | string | Yes | - | - |
Certificate
Certificate is the Schema for the certificates API.
Plural: certificates
Scope: Namespaced
APIVersion: waas.oracle.com/v1beta1
Sample: config/samples/waas_v1beta1_certificate.yaml
Packages: Not currently exposed by a customer-visible package.
Spec
CertificateSpec defines the desired state of Certificate.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| certificateData | The data of the SSL certificate. Note: Many SSL certificate providers require an intermediate certificate chain to ensure a trusted status. If your SSL certificate requires an intermediate certificate chain, please append the intermediate certificate key in the certificateData field after the leaf certificate issued by the SSL certificate provider. If you are unsure if your certificate requires an intermediate certificate chain, see your certificate provider's documentation. The example below shows an intermediate certificate appended to a leaf certificate. | string | Yes | - | - |
| compartmentId | The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the compartment in which to create the SSL certificate. | string | Yes | - | - |
| definedTags | Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Operations": {"CostCenter": "42"}} | map[string, map[string, string]] | No | - | - |
| displayName | A user-friendly name for the SSL certificate. The name can be changed and does not need to be unique. | string | No | - | - |
| freeformTags | Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Department": "Finance"} | map[string, string] | No | - | - |
| isTrustVerificationDisabled | Set to true if the SSL certificate is self-signed. | boolean | No | - | - |
| privateKeyData | The private key of the SSL certificate. | string | Yes | - | - |
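A pre-submission check for the certificateData ordering described above (leaf first, then the intermediate chain) and for the privateKeyData pairing. This is an added example, not the operator's or the OCI service's own validation; the function names are hypothetical, the certificates are generated at run time as constructed test data, and PKCS#8 PEM for the key is an assumption.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckBundle verifies that certificateData lists the leaf first, followed by
// its issuer chain in order, and that privateKeyData is the leaf's key.
// Assumption: both values are PEM and the key is PKCS#8.
func CheckBundle(certificateData, privateKeyData []byte) error {
	var chain []*x509.Certificate
	for block, rest := pem.Decode(certificateData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { // e.g. a key pasted into the wrong field
			return fmt.Errorf("unexpected %q block in certificateData", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return err
		}
		chain = append(chain, cert)
	}
	switch {
	case len(chain) == 0:
		return errors.New("certificateData holds no certificate")
	case chain[0].IsCA:
		return errors.New("first certificate is a CA; the leaf must come first")
	}
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("certificate %d was not issued by certificate %d: %w", i, i+1, err)
		}
	}
	keyBlock, _ := pem.Decode(privateKeyData)
	if keyBlock == nil {
		return errors.New("privateKeyData is not PEM")
	}
	key, err := x509.ParsePKCS8PrivateKey(keyBlock.Bytes)
	if err != nil {
		return err
	}
	signer, ok := key.(crypto.Signer)
	if !ok {
		return errors.New("unsupported private key type")
	}
	if pub, ok := signer.Public().(interface{ Equal(crypto.PublicKey) bool }); !ok || !pub.Equal(chain[0].PublicKey) {
		return errors.New("privateKeyData does not match the leaf certificate")
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a constructed test certificate signed by parent (self-signed if nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func certPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func keyPEM(k *ecdsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: must(x509.MarshalPKCS8PrivateKey(k))})
}

func main() {
	ca, caKey := issue("Constructed Test CA", true, nil, nil)
	leaf, leafKey := issue("www.example.com", false, ca, caKey)
	fmt.Println("leaf, then issuer:", CheckBundle(append(certPEM(leaf), certPEM(ca)...), keyPEM(leafKey)))
	fmt.Println("issuer, then leaf:", CheckBundle(append(certPEM(ca), certPEM(leaf)...), keyPEM(leafKey)))
}
```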
Status
CertificateStatus defines the observed state of Certificate.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| certificateData | The data of the SSL certificate. | string | No | - | - |
| compartmentId | The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the certificate's compartment. | string | No | - | - |
| definedTags | Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Operations": {"CostCenter": "42"}} | map[string, map[string, string]] | No | - | - |
| displayName | The user-friendly name of the certificate. | string | No | - | - |
| extensions | Additional attributes associated with users or public keys for managing relationships between Certificate Authorities. | list[object] | No | - | - |
| freeformTags | Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Department": "Finance"} | map[string, string] | No | - | - |
| id | The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the certificate. | string | No | - | - |
| isTrustVerificationDisabled | Indicates whether trust verification was disabled during the creation of the SSL certificate. If true, SSL certificate trust verification was disabled and this SSL certificate is most likely self-signed. | boolean | No | - | - |
| issuedBy | - | string | No | - | - |
| issuerName | CertificateIssuerName defines nested fields for Certificate.IssuerName. | object | No | - | - |
| lifecycleState | The current lifecycle state of the SSL certificate. | string | No | - | - |
| publicKeyInfo | CertificatePublicKeyInfo defines nested fields for Certificate.PublicKeyInfo. | object | No | - | - |
| serialNumber | A unique, positive integer assigned by the Certificate Authority (CA). The issuer name and serial number identify a unique certificate. | string | No | - | - |
| signatureAlgorithm | The identifier for the cryptographic algorithm used by the Certificate Authority (CA) to sign this certificate. | string | No | - | - |
| status | - | object | Yes | - | - |
| subjectName | CertificateSubjectName defines nested fields for Certificate.SubjectName. | object | No | - | - |
| timeCreated | The date and time the certificate was created, expressed in RFC 3339 timestamp format. | string | No | - | - |
| timeNotValidAfter | The date and time the certificate will expire, expressed in RFC 3339 timestamp format. | string | No | - | - |
| timeNotValidBefore | The date and time the certificate will become valid, expressed in RFC 3339 timestamp format. | string | No | - | - |
| version | The version of the encoded certificate. | integer | No | - | - |
Status.extensions[]
CertificateExtension defines nested fields for Certificate.Extension.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| isCritical | The critical flag of the extension. Critical extensions must be processed, non-critical extensions can be ignored. | boolean | No | - | - |
| name | The certificate extension name. | string | No | - | - |
| value | The certificate extension value. | string | No | - | - |
Status.issuerName
CertificateIssuerName defines nested fields for Certificate.IssuerName.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| commonName | The Certificate Authority (CA) name. | string | No | - | - |
| country | ISO 3166-1 alpha-2 code of the country where the organization is located. For a list of codes, see ISO's website (https://www.iso.org/obp/ui/#search/code/). | string | No | - | - |
| emailAddress | The email address of the server's administrator. | string | No | - | - |
| locality | The city in which the organization is located. | string | No | - | - |
| organization | The organization name. | string | No | - | - |
| organizationalUnit | The field to differentiate between divisions within an organization. | string | No | - | - |
| stateProvince | The province where the organization is located. | string | No | - | - |
Status.publicKeyInfo
CertificatePublicKeyInfo defines nested fields for Certificate.PublicKeyInfo.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| algorithm | The algorithm identifier and parameters for the public key. | string | No | - | - |
| exponent | The private key exponent. | integer | No | - | - |
| keySize | The number of bits in a key used by a cryptographic algorithm. | integer | No | - | - |
Status.status
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| async | Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first. | object | No | - | - |
| conditions | - | list[object] | No | - | - |
| createdAt | - | string (date-time) | No | - | - |
| deletedAt | - | string (date-time) | No | - | - |
| message | - | string | No | - | - |
| ocid | - | string | No | - | - |
| opcRequestId | OpcRequestID is the latest non-empty OCI request ID from a mutating OCI response or surfaced OCI service error that materially contributed to the current shared status projection. Headerless follow-up observations keep the last non-empty value intact. | string | No | - | - |
| reason | - | string | No | - | - |
| requestedAt | - | string (date-time) | No | - | - |
| updatedAt | - | string (date-time) | No | - | - |
Status.status.async
Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| current | - | object | No | - | - |
Status.status.async.current
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| message | - | string | No | - | - |
| normalizedClass | - | string | Yes | - | attention, canceled, failed, pending, succeeded, unknown |
| percentComplete | - | number | No | - | - |
| phase | - | string | Yes | - | create, delete, update |
| rawOperationType | - | string | No | - | - |
| rawStatus | - | string | No | - | - |
| source | - | string | Yes | - | lifecycle, none, workrequest |
| updatedAt | - | string (date-time) | Yes | - | - |
| workRequestId | - | string | No | - | - |
Status.status.conditions[]
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| lastTransitionTime | - | string (date-time) | No | - | - |
| message | - | string | No | - | - |
| reason | - | string | No | - | - |
| status | - | string | Yes | - | - |
| type | - | string | Yes | - | - |
Status.subjectName
CertificateSubjectName defines nested fields for Certificate.SubjectName.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| commonName | The fully qualified domain name used for DNS lookups of the server. | string | No | - | - |
| country | ISO 3166-1 alpha-2 code of the country where the organization is located. For a list of codes, see ISO's website (https://www.iso.org/obp/ui/#search/code/). | string | No | - | - |
| emailAddress | The email address of the server's administrator. | string | No | - | - |
| locality | The city in which the organization is located. | string | No | - | - |
| organization | The organization name. | string | No | - | - |
| organizationalUnit | The field to differentiate between divisions within an organization. | string | No | - | - |
| stateProvince | The province where the organization is located. | string | No | - | - |
CustomProtectionRule
CustomProtectionRule is the Schema for the customprotectionrules API.
Plural: customprotectionrules
Scope: Namespaced
APIVersion: waas.oracle.com/v1beta1
Sample: config/samples/waas_v1beta1_customprotectionrule.yaml
Packages: Not currently exposed by a customer-visible package.
Spec
CustomProtectionRuleSpec defines the desired state of CustomProtectionRule.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| compartmentId | The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the compartment in which to create the custom protection rule. | string | Yes | - | - |
| definedTags | Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Operations": {"CostCenter": "42"}} | map[string, map[string, string]] | No | - | - |
| description | A description for the Custom Protection rule. | string | No | - | - |
| displayName | A user-friendly name for the custom protection rule. | string | Yes | - | - |
| freeformTags | Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Department": "Finance"} | map[string, string] | No | - | - |
| template | The template text of the custom protection rule. All custom protection rules are expressed in ModSecurity Rule Language. Additionally, each rule must include two placeholder variables that are updated by the WAF service upon publication of the rule. id: {{id_1}} - This field is populated with a unique rule ID generated by the WAF service which identifies a SecRule. More than one SecRule can be defined in the template field of a CreateCustomSecurityRule call. The value of the first SecRule must be id: {{id_1}} and the id field of each subsequent SecRule should increase by one, as shown in the example. ctl:ruleEngine={{mode}} - The action to be taken when the criteria of the SecRule are met, either OFF, DETECT or BLOCK. This field is automatically populated with the corresponding value of the action field of the CustomProtectionRuleSetting schema when the WafConfig is updated. Example: SecRule REQUEST_COOKIES "regex matching SQL injection - part 1/2" \ "phase:2, \ msg:'Detects chained SQL injection attempts 1/2.', \ id: {{id_1}}, \ ctl:ruleEngine={{mode}}, \ deny" SecRule REQUEST_COOKIES "regex matching SQL injection - part 2/2" \ "phase:2, \ msg:'Detects chained SQL injection attempts 2/2.', \ id: {{id_2}}, \ ctl:ruleEngine={{mode}}, \ deny" The example contains two SecRules, each with a distinct regex expression that matches the Cookie header value during the second input analysis phase. For more information about custom protection rules, see Custom Protection Rules (https://docs.oracle.com/iaas/Content/WAF/Tasks/customprotectionrules.htm). For more information about ModSecurity syntax, see Making Rules: The Basic Syntax (https://www.modsecurity.org/CRS/Documentation/making.html). For more information about ModSecurity's open source WAF rules, see ModSecurity's OWASP Core Rule Set documentation (https://www.modsecurity.org/CRS/Documentation/index.html). | string | Yes | - | - |
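A lint for the two placeholder rules the template description states: every SecRule carries id: {{id_N}} numbered from 1 in order, and every SecRule carries ctl:ruleEngine={{mode}}. This is an added example, not the operator's or the WAF service's own validation; CheckTemplate, splitRules and sampleTemplate are hypothetical names, and the sample template is constructed with placeholder patterns.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

var (
	continuation = regexp.MustCompile(`\\[ \t]*\r?\n`)
	idToken      = regexp.MustCompile(`\bid:\s*\{\{id_(\d+)\}\}`)
	modeToken    = regexp.MustCompile(`\bctl:ruleEngine=\{\{mode\}\}`)
)

// sampleTemplate is a constructed two-rule template; the patterns are placeholders.
const sampleTemplate = `SecRule REQUEST_COOKIES "@rx constructed-pattern-1" \
    "phase:2, \
    msg:'Constructed sample rule 1/2.', \
    id: {{id_1}}, \
    ctl:ruleEngine={{mode}}, \
    deny"
SecRule REQUEST_COOKIES "@rx constructed-pattern-2" \
    "phase:2, \
    msg:'Constructed sample rule 2/2.', \
    id: {{id_2}}, \
    ctl:ruleEngine={{mode}}, \
    deny"
`

// splitRules joins backslash-continued lines and returns one string per
// SecRule directive, in template order.
func splitRules(template string) []string {
	var rules []string
	for _, line := range strings.Split(continuation.ReplaceAllString(template, " "), "\n") {
		if line = strings.TrimSpace(line); strings.HasPrefix(line, "SecRule ") {
			rules = append(rules, line)
		}
	}
	return rules
}

// CheckTemplate applies the two placeholder rules to every SecRule and
// returns one finding per violation (empty when the template passes).
// A hard-coded numeric id is reported as a missing placeholder.
func CheckTemplate(template string) []string {
	rules := splitRules(template)
	if len(rules) == 0 {
		return []string{"template contains no SecRule"}
	}
	var findings []string
	for i, rule := range rules {
		n := i + 1 // the first SecRule must use id_1, the next id_2, and so on
		ids := idToken.FindAllStringSubmatch(rule, -1)
		switch {
		case len(ids) == 0:
			findings = append(findings, fmt.Sprintf("SecRule %d: missing id: {{id_%d}}", n, n))
		case len(ids) > 1:
			findings = append(findings, fmt.Sprintf("SecRule %d: more than one id placeholder", n))
		default:
			if got, _ := strconv.Atoi(ids[0][1]); got != n {
				findings = append(findings, fmt.Sprintf("SecRule %d: uses {{id_%d}}, expected {{id_%d}}", n, got, n))
			}
		}
		if !modeToken.MatchString(rule) {
			findings = append(findings, fmt.Sprintf("SecRule %d: missing ctl:ruleEngine={{mode}}", n))
		}
	}
	return findings
}

func main() {
	fmt.Println("sample template findings:", CheckTemplate(sampleTemplate))
	broken := strings.Replace(sampleTemplate, "{{id_2}}", "{{id_3}}", 1)
	for _, f := range CheckTemplate(broken) {
		fmt.Println(f)
	}
}
```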
Status
CustomProtectionRuleStatus defines the observed state of CustomProtectionRule.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| compartmentId | The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the custom protection rule's compartment. | string | No | - | - |
| definedTags | Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Operations": {"CostCenter": "42"}} | map[string, map[string, string]] | No | - | - |
| description | The description of the custom protection rule. | string | No | - | - |
| displayName | The user-friendly name of the custom protection rule. | string | No | - | - |
| freeformTags | Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Department": "Finance"} | map[string, string] | No | - | - |
| id | The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the custom protection rule. | string | No | - | - |
| lifecycleState | The current lifecycle state of the custom protection rule. | string | No | - | - |
| modSecurityRuleIds | The auto-generated ID for the custom protection rule. These IDs are referenced in logs. | list[string] | No | - | - |
| status | - | object | Yes | - | - |
| template | The template text of the custom protection rule. All custom protection rules are expressed in ModSecurity Rule Language. Additionally, each rule must include two placeholder variables that are updated by the WAF service upon publication of the rule. id: {{id_1}} - This field is populated with a unique rule ID generated by the WAF service which identifies a SecRule. More than one SecRule can be defined in the template field of a CreateCustomSecurityRule call. The value of the first SecRule must be id: {{id_1}} and the id field of each subsequent SecRule should increase by one, as shown in the example. ctl:ruleEngine={{mode}} - The action to be taken when the criteria of the SecRule are met, either OFF, DETECT or BLOCK. This field is automatically populated with the corresponding value of the action field of the CustomProtectionRuleSetting schema when the WafConfig is updated. Example: SecRule REQUEST_COOKIES "regex matching SQL injection - part 1/2" \ "phase:2, \ msg:'Detects chained SQL injection attempts 1/2.', \ id: {{id_1}}, \ ctl:ruleEngine={{mode}}, \ deny" SecRule REQUEST_COOKIES "regex matching SQL injection - part 2/2" \ "phase:2, \ msg:'Detects chained SQL injection attempts 2/2.', \ id: {{id_2}}, \ ctl:ruleEngine={{mode}}, \ deny" The example contains two SecRules, each with a distinct regex expression that matches the Cookie header value during the second input analysis phase. For more information about custom protection rules, see Custom Protection Rules (https://docs.oracle.com/iaas/Content/WAF/Tasks/customprotectionrules.htm). For more information about ModSecurity syntax, see Making Rules: The Basic Syntax (https://www.modsecurity.org/CRS/Documentation/making.html). For more information about ModSecurity's open source WAF rules, see ModSecurity's OWASP Core Rule Set documentation (https://www.modsecurity.org/CRS/Documentation/index.html). | string | No | - | - |
| timeCreated | The date and time the protection rule was created, expressed in RFC 3339 timestamp format. | string | No | - | - |
Status.status
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| async | Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first. | object | No | - | - |
| conditions | - | list[object] | No | - | - |
| createdAt | - | string (date-time) | No | - | - |
| deletedAt | - | string (date-time) | No | - | - |
| message | - | string | No | - | - |
| ocid | - | string | No | - | - |
| opcRequestId | OpcRequestID is the latest non-empty OCI request ID from a mutating OCI response or surfaced OCI service error that materially contributed to the current shared status projection. Headerless follow-up observations keep the last non-empty value intact. | string | No | - | - |
| reason | - | string | No | - | - |
| requestedAt | - | string (date-time) | No | - | - |
| updatedAt | - | string (date-time) | No | - | - |
Status.status.async
Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| current | - | object | No | - | - |
Status.status.async.current
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| message | - | string | No | - | - |
| normalizedClass | - | string | Yes | - | attention, canceled, failed, pending, succeeded, unknown |
| percentComplete | - | number | No | - | - |
| phase | - | string | Yes | - | create, delete, update |
| rawOperationType | - | string | No | - | - |
| rawStatus | - | string | No | - | - |
| source | - | string | Yes | - | lifecycle, none, workrequest |
| updatedAt | - | string (date-time) | Yes | - | - |
| workRequestId | - | string | No | - | - |
Status.status.conditions[]
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| lastTransitionTime | - | string (date-time) | No | - | - |
| message | - | string | No | - | - |
| reason | - | string | No | - | - |
| status | - | string | Yes | - | - |
| type | - | string | Yes | - | - |
HttpRedirect
HttpRedirect is the Schema for the httpredirects API.
Plural: httpredirects
Scope: Namespaced
APIVersion: waas.oracle.com/v1beta1
Sample: config/samples/waas_v1beta1_httpredirect.yaml
Packages: Not currently exposed by a customer-visible package.
Spec
HttpRedirectSpec defines the desired state of HttpRedirect.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| compartmentId | The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the HTTP Redirects compartment. | string | Yes | - | - |
| definedTags | Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Operations": {"CostCenter": "42"}} | map[string, map[string, string]] | No | - | - |
| displayName | The user-friendly name of the HTTP Redirect. The name can be changed and does not need to be unique. | string | No | - | - |
| domain | The domain from which traffic will be redirected. | string | Yes | - | - |
| freeformTags | Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Department": "Finance"} | map[string, string] | No | - | - |
| responseCode | The response code returned for the redirect to the client. For more information, see RFC 7231 (https://tools.ietf.org/html/rfc7231#section-6.4). | integer | No | - | - |
| target | The redirect target object including all the redirect data. | object | Yes | - | - |
Spec.target
The redirect target object including all the redirect data.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| host | The host portion of the redirect. | string | Yes | - | - |
| path | The path component of the target URL (e.g., "/path/to/resource" in "https://target.example.com/path/to/resource?redirected"), which can be empty, static, request-copying, or request-prefixing. Use of \ is not permitted except to escape a following \, {, or }. An empty value is treated the same as static "/". A static value must begin with a leading "/", optionally followed by other path characters. A request-copying value must exactly match "{path}", and will be replaced with the path component of the request URL (including its initial "/"). A request-prefixing value must start with "/" and end with a non-escaped "{path}", which will be replaced with the path component of the request URL (including its initial "/"). Only one such replacement token is allowed. | string | Yes | - | - |
| port | The port number of the redirect target. Defaults to the port matching the protocol. | integer | No | - | - |
| protocol | The protocol used for the target, http or https. | string | Yes | - | - |
| query | The query component of the target URL (e.g., "?redirected" in "https://target.example.com/path/to/resource?redirected"), which can be empty, static, or request-copying. Use of \ is not permitted except to escape a following \, {, or }. An empty value results in a redirection target URL with no query component. A static value must begin with a leading "?", optionally followed by other query characters. A request-copying value must exactly match "{query}", and will be replaced with the query component of the request URL (including a leading "?" if and only if the request URL includes a query component). | string | Yes | - | - |
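The path and query rules above, written out as a validator that also shows what each accepted value expands to for a given request. This is an added example, not the operator's or the service's own code; ExpandPath, ExpandQuery and parseValue are hypothetical names, the request values in main are constructed, and rejecting a bare unescaped "}" is an assumption the field descriptions do not state.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// part is one piece of a parsed value: literal text or a {token} name.
type part struct {
	text    string
	isToken bool
}

// parseValue splits s into literals and unescaped {tokens}. A backslash may
// only escape '\', '{' or '}'. Rejecting a bare '}' is an assumption.
func parseValue(s string) ([]part, error) {
	var parts []part
	var lit strings.Builder
	flush := func() {
		if lit.Len() > 0 {
			parts = append(parts, part{text: lit.String()})
			lit.Reset()
		}
	}
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\':
			if i+1 >= len(s) || !strings.ContainsRune(`\{}`, rune(s[i+1])) {
				return nil, errors.New(`"\" may only escape "\", "{" or "}"`)
			}
			i++
			lit.WriteByte(s[i])
		case '{':
			end := strings.IndexByte(s[i:], '}')
			if end < 0 {
				return nil, errors.New("unterminated replacement token")
			}
			flush()
			parts = append(parts, part{text: s[i+1 : i+end], isToken: true})
			i += end
		case '}':
			return nil, errors.New(`unescaped "}"`)
		default:
			lit.WriteByte(c)
		}
	}
	flush()
	return parts, nil
}

// ExpandPath resolves a target path value against the request path.
func ExpandPath(value, reqPath string) (string, error) {
	if value == "" {
		return "/", nil // empty is treated the same as static "/"
	}
	parts, err := parseValue(value)
	if err != nil {
		return "", err
	}
	if !parts[0].isToken && value[0] != '/' {
		return "", errors.New(`path must begin with "/" or be exactly "{path}"`)
	}
	var out strings.Builder
	for i, p := range parts {
		switch {
		case !p.isToken:
			out.WriteString(p.text)
		case p.text == "path" && i == len(parts)-1:
			out.WriteString(reqPath) // request path keeps its initial "/"
		default:
			return "", errors.New(`only one "{path}" token is allowed, at the end`)
		}
	}
	return out.String(), nil
}

// ExpandQuery resolves a target query value; reqQuery excludes the "?".
func ExpandQuery(value, reqQuery string) (string, error) {
	if value == "" || (value == "{query}" && reqQuery == "") {
		return "", nil
	}
	if value == "{query}" {
		return "?" + reqQuery, nil
	}
	parts, err := parseValue(value)
	if err != nil {
		return "", err
	}
	if len(parts) != 1 || parts[0].isToken || value[0] != '?' {
		return "", errors.New(`query must be empty, "{query}", or static text starting with "?"`)
	}
	return parts[0].text, nil
}

func main() {
	fmt.Println(ExpandPath("/base{path}", "/a/b")) // constructed request path
	fmt.Println(ExpandQuery("{query}", "x=1"))     // constructed request query
}
```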
Status
HttpRedirectStatus defines the observed state of HttpRedirect.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| compartmentId | The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the HTTP Redirect's compartment. | string | No | - | - |
| definedTags | Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Operations": {"CostCenter": "42"}} | map[string, map[string, string]] | No | - | - |
| displayName | The user-friendly name of the HTTP Redirect. The name can be changed and does not need to be unique. | string | No | - | - |
| domain | The domain from which traffic will be redirected. | string | No | - | - |
| freeformTags | Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Department": "Finance"} | map[string, string] | No | - | - |
| id | The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the HTTP Redirect. | string | No | - | - |
| lifecycleState | The current lifecycle state of the HTTP Redirect. | string | No | - | - |
| responseCode | The response code returned for the redirect to the client. For more information, see RFC 7231 (https://tools.ietf.org/html/rfc7231#section-6.4). | integer | No | - | - |
| status | - | object | Yes | - | - |
| target | The redirect target object including all the redirect data. | object | No | - | - |
| timeCreated | The date and time the policy was created, expressed in RFC 3339 timestamp format. | string | No | - | - |
Status.status
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| async | Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first. | object | No | - | - |
| conditions | - | list[object] | No | - | - |
| createdAt | - | string (date-time) | No | - | - |
| deletedAt | - | string (date-time) | No | - | - |
| message | - | string | No | - | - |
| ocid | - | string | No | - | - |
| opcRequestId | OpcRequestID is the latest non-empty OCI request ID from a mutating OCI response or surfaced OCI service error that materially contributed to the current shared status projection. Headerless follow-up observations keep the last non-empty value intact. | string | No | - | - |
| reason | - | string | No | - | - |
| requestedAt | - | string (date-time) | No | - | - |
| updatedAt | - | string (date-time) | No | - | - |
Status.status.async
Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first.
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| current | - | object | No | - | - |
Status.status.async.current
| Field | Description | Type | Required | Default | Enum |
| --- | --- | --- | --- | --- | --- |
| message | - | string | No | - | - |
| normalizedClass | - | string | Yes | - | attention, canceled, failed, pending, succeeded, unknown |
| percentComplete | - | number | No | - | - |
| phase | - | string | Yes | - | create, delete, update |
| rawOperationType | - | string | No | - | - |
| rawStatus | - | string | No | - | - |
| source | - | string | Yes | - | lifecycle, none, workrequest |
| updatedAt | - | string (date-time) | Yes | - | - |
| workRequestId | - | string | No | - | - |
Status.status.conditions[]
| Field |
Description |
Type |
Required |
Default |
Enum |
lastTransitionTime |
- |
string (date-time) |
No |
- |
- |
message |
- |
string |
No |
- |
- |
reason |
- |
string |
No |
- |
- |
status |
- |
string |
Yes |
- |
- |
type |
- |
string |
Yes |
- |
- |
Status.target
The redirect target object including all the redirect data.
| Field |
Description |
Type |
Required |
Default |
Enum |
host |
The host portion of the redirect. |
string |
Yes |
- |
- |
path |
The path component of the target URL (e.g., "/path/to/resource" in "https://target.example.com/path/to/resource?redirected"), which can be empty, static, request-copying, or request-prefixing. Use of \ is not permitted except to escape a following \, {, or }. An empty value is treated the same as static "/". A static value must begin with a leading "/", optionally followed by other path characters. A request-copying value must exactly match "{path}", and will be replaced with the path component of the request URL (including its initial "/"). A request-prefixing value must start with "/" and end with a non-escaped "{path}", which will be replaced with the path component of the request URL (including its initial "/"). Only one such replacement token is allowed. |
string |
Yes |
- |
- |
port |
Port number of the target destination of the redirect. Defaults to match the protocol. |
integer |
No |
- |
- |
protocol |
The protocol used for the target, http or https. |
string |
Yes |
- |
- |
query |
The query component of the target URL (e.g., "?redirected" in "https://target.example.com/path/to/resource?redirected"), which can be empty, static, or request-copying. Use of \ is not permitted except to escape a following \, {, or }. An empty value results in a redirection target URL with no query component. A static value must begin with a leading "?", optionally followed by other query characters. A request-copying value must exactly match "{query}", and will be replaced with the query component of the request URL (including a leading "?" if and only if the request URL includes a query component). |
string |
Yes |
- |
- |
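The path and query rules above can be checked before a manifest is applied. The following is an added example, not code from the operator or the OCI service: it lints `path` and `query` values against the documented rules and renders the resulting redirect URL. Rejecting stray unescaped braces and unescaping static text on render are assumptions, and all function names are hypothetical.

```python
ESCAPABLE = "\\{}"  # a backslash may only escape \, { or }


class TemplateError(ValueError):
    """Raised when a path or query value breaks the documented rules."""


def _parse(value):
    """Return [("lit", text) | ("tok", name), ...] with escapes resolved."""
    parts, lit, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if i + 1 >= len(value) or value[i + 1] not in ESCAPABLE:
                raise TemplateError(f"invalid backslash at offset {i}")
            lit.append(value[i + 1])
            i += 2
        elif ch == "{":
            end = value.find("}", i)
            if end == -1:
                raise TemplateError(f"unterminated token at offset {i}")
            if lit:
                parts.append(("lit", "".join(lit)))
                lit = []
            parts.append(("tok", value[i + 1:end]))
            i = end + 1
        elif ch == "}":
            # Assumption: a stray unescaped closing brace is rejected.
            raise TemplateError(f"unescaped closing brace at offset {i}")
        else:
            lit.append(ch)
            i += 1
    if lit:
        parts.append(("lit", "".join(lit)))
    return parts


def compile_path(value):
    """Classify a target path; returns (kind, literal_prefix)."""
    if value == "":
        return ("static", "/")  # empty is treated as static "/"
    parts = _parse(value)
    tokens = [name for kind, name in parts if kind == "tok"]
    if any(name != "path" for name in tokens):
        raise TemplateError("only {path} may appear in a path value")
    if len(tokens) > 1:
        raise TemplateError("only one {path} token is allowed")
    if parts == [("tok", "path")]:
        return ("request-copying", "")
    if not value.startswith("/"):
        raise TemplateError("path must begin with '/'")
    if not tokens:
        return ("static", parts[0][1])
    if len(parts) == 2 and parts[1] == ("tok", "path"):
        return ("request-prefixing", parts[0][1])
    raise TemplateError("{path} must be the final element")


def compile_query(value):
    """Classify a target query; returns (kind, literal_text)."""
    if value == "":
        return ("empty", "")
    if value == "{query}":
        return ("request-copying", "")
    parts = _parse(value)
    if any(kind == "tok" for kind, _ in parts):
        raise TemplateError("{query} must be the whole value")
    if not value.startswith("?"):
        raise TemplateError("static query must begin with '?'")
    return ("static", parts[0][1])


def lint(compiler, value):
    """Return None when the value is valid, else the reason it was rejected."""
    try:
        compiler(value)
        return None
    except TemplateError as exc:
        return str(exc)


def render_redirect(target, request_path, request_query=""):
    """request_query carries its leading '?' only when the request has one."""
    kind, prefix = compile_path(target["path"])
    path = prefix if kind == "static" else prefix + request_path
    qkind, qtext = compile_query(target["query"])
    query = request_query if qkind == "request-copying" else qtext
    port = f":{target['port']}" if target.get("port") else ""
    return f"{target['protocol']}://{target['host']}{port}{path}{query}"


# Constructed sample target, using the host name from the field description.
SAMPLE_TARGET = {"protocol": "https", "host": "target.example.com",
                 "path": "/new{path}", "query": "{query}"}
```

Because `host` is a fixed string and only `{path}` and `{query}` are substituted, request data can change the path and query of the redirect but not its destination host.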
WaasPolicy
WaasPolicy is the Schema for the waaspolicies API.
Plural: waaspolicies
Scope: Namespaced
APIVersion: waas.oracle.com/v1beta1
Sample: Sample (config/samples/waas_v1beta1_waaspolicy.yaml)
Packages: Not currently exposed by a customer-visible package.
Spec
WaasPolicySpec defines the desired state of WaasPolicy.
| Field |
Description |
Type |
Required |
Default |
Enum |
additionalDomains |
An array of additional domains for the specified web application. |
list[string] |
No |
- |
- |
compartmentId |
The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the compartment in which to create the WAAS policy. |
string |
Yes |
- |
- |
definedTags |
Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Operations": {"CostCenter": "42"}} |
map[string, map[string, string]] |
No |
- |
- |
displayName |
A user-friendly name for the WAAS policy. The name can be changed and does not need to be unique. |
string |
No |
- |
- |
domain |
The web application domain that the WAAS policy protects. |
string |
Yes |
- |
- |
freeformTags |
Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Department": "Finance"} |
map[string, string] |
No |
- |
- |
originGroups |
The map of origin groups and their keys used to associate origins to the wafConfig. Origin groups allow you to apply weights to groups of origins for load balancing purposes. Origins with higher weights will receive larger proportions of client requests. To add additional origins to your WAAS policy, update the origins field of an UpdateWaasPolicy request. |
map[string, object] |
No |
- |
- |
origins |
A map of host to origin for the web application. The key should be a customer-friendly name for the host, for example primary or secondary. |
map[string, object] |
No |
- |
- |
policyConfig |
WaasPolicyPolicyConfig defines nested fields for WaasPolicy.PolicyConfig. |
object |
No |
- |
- |
wafConfig |
WaasPolicyWafConfig defines nested fields for WaasPolicy.WafConfig. |
object |
No |
- |
- |
Spec.originGroups{}
WaasPolicyOriginGroups defines nested fields for WaasPolicy.OriginGroups.
| Field |
Description |
Type |
Required |
Default |
Enum |
origins |
The list of objects containing origin references and additional properties. |
list[object] |
No |
- |
- |
Spec.originGroups{}.origins[]
WaasPolicyOriginGroupsOrigin defines nested fields for WaasPolicy.OriginGroups.Origin.
| Field |
Description |
Type |
Required |
Default |
Enum |
origin |
The IP address or CIDR notation of the origin server. |
string |
No |
- |
- |
weight |
The weight of the origin used in load balancing. Origins with higher weights will receive larger proportions of client requests. |
integer |
No |
- |
- |
Spec.origins{}
WaasPolicyOrigins defines nested fields for WaasPolicy.Origins.
| Field |
Description |
Type |
Required |
Default |
Enum |
customHeaders |
A list of HTTP headers to forward to your origin. |
list[object] |
No |
- |
- |
httpPort |
The HTTP port on the origin that the web application listens on. If unspecified, defaults to 80. If 0 is specified, the origin is not used for HTTP traffic. |
integer |
No |
- |
- |
httpsPort |
The HTTPS port on the origin that the web application listens on. If unspecified, defaults to 443. If 0 is specified, the origin is not used for HTTPS traffic. |
integer |
No |
- |
- |
uri |
The URI of the origin. Does not support paths. Port numbers should be specified in the httpPort and httpsPort fields. |
string |
Yes |
- |
- |
Spec.origins{}.customHeaders[]
WaasPolicyOriginsCustomHeader defines nested fields for WaasPolicy.Origins.CustomHeader.
| Field |
Description |
Type |
Required |
Default |
Enum |
name |
The name of the header. |
string |
Yes |
- |
- |
value |
The value of the header. |
string |
Yes |
- |
- |
Spec.policyConfig
WaasPolicyPolicyConfig defines nested fields for WaasPolicy.PolicyConfig.
| Field |
Description |
Type |
Required |
Default |
Enum |
certificateId |
The OCID of the SSL certificate to use if HTTPS is supported. |
string |
No |
- |
- |
cipherGroup |
The set cipher group for the configured TLS protocol. This sets the configuration for the TLS connections between clients and edge nodes only. - DEFAULT: Cipher group supports TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3 protocols. It has the following ciphers enabled: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA |
string |
No |
- |
- |
clientAddressHeader |
Specifies an HTTP header name which is treated as the connecting client's IP address. Applicable only if isBehindCdn is enabled. The edge node reads this header and its value and sets the client IP address as specified. It does not create the header if the header is not present in the request. If the header is not present, the connecting IP address will be used as the client's true IP address. It uses the last IP address in the header's value as the true IP address. Example: X-Client-Ip: 11.1.1.1, 13.3.3.3. In the case of multiple headers with the same name, only the first header will be used. It is assumed that the CDN sets the correct client IP address to prevent spoofing. - X_FORWARDED_FOR: Corresponds to X-Forwarded-For header name. - X_CLIENT_IP: Corresponds to X-Client-Ip header name. - X_REAL_IP: Corresponds to X-Real-Ip header name. - CLIENT_IP: Corresponds to Client-Ip header name. - TRUE_CLIENT_IP: Corresponds to True-Client-Ip header name. |
string |
No |
- |
- |
healthChecks |
WaasPolicyPolicyConfigHealthChecks defines nested fields for WaasPolicy.PolicyConfig.HealthChecks. |
object |
No |
- |
- |
isBehindCdn |
Enabling isBehindCdn allows for the collection of IP addresses from client requests if the WAF is connected to a CDN. |
boolean |
No |
- |
- |
isCacheControlRespected |
Enable or disable automatic content caching based on the response cache-control header. This feature enables the origin to act as a proxy cache. Caching is usually defined using cache-control header. For example cache-control: max-age=120 means that the returned resource is valid for 120 seconds. Caching rules will overwrite this setting. |
boolean |
No |
- |
- |
isHttpsEnabled |
Enable or disable HTTPS support. If true, a certificateId is required. If unspecified, defaults to false. |
boolean |
No |
- |
- |
isHttpsForced |
Force HTTP to HTTPS redirection. If unspecified, defaults to false. |
boolean |
No |
- |
- |
isOriginCompressionEnabled |
Enable or disable GZIP compression of origin responses. If enabled, the header Accept-Encoding: gzip is sent to origin, otherwise, the empty Accept-Encoding: header is used. |
boolean |
No |
- |
- |
isResponseBufferingEnabled |
Enable or disable buffering of responses from the origin. Buffering improves overall stability in case of network issues, but slightly increases Time To First Byte. |
boolean |
No |
- |
- |
isSniEnabled |
SNI stands for Server Name Indication and is an extension of the TLS protocol. It indicates which hostname is being contacted by the browser at the beginning of the handshake process. This allows a server to connect multiple SSL certificates to one IP address and port. |
boolean |
No |
- |
- |
loadBalancingMethod |
An object that represents a load balancing method and its properties. |
object |
No |
- |
- |
tlsProtocols |
A list of allowed TLS protocols. Only applicable when HTTPS support is enabled. The TLS protocol is negotiated while the request is connecting and the most recent protocol supported by both the edge node and client browser will be selected. If no such version exists, the connection will be aborted. - TLS_V1: corresponds to TLS 1.0 specification. - TLS_V1_1: corresponds to TLS 1.1 specification. - TLS_V1_2: corresponds to TLS 1.2 specification. - TLS_V1_3: corresponds to TLS 1.3 specification. Enabled TLS protocols must be consecutive versions. For example, if TLS_V1_1 and TLS_V1_3 are enabled, TLS_V1_2 must be enabled too. |
list[string] |
No |
- |
- |
websocketPathPrefixes |
ModSecurity cannot inspect WebSockets. Therefore, paths specified here have the WAF disabled if the Connection request header from the client has the value Upgrade (case-insensitive matching) and the Upgrade request header has the value websocket (case-insensitive matching). A path matches if the concatenation of the request URL path and query starts with the contents of one of the websocketPathPrefixes array values. In all other cases, challenges such as JSC and HIC remain active. |
list[string] |
No |
- |
- |
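Several policyConfig fields constrain each other: tlsProtocols must be consecutive, isHttpsEnabled needs a certificateId, and clientAddressHeader only applies behind a CDN. The following added example (not the operator's or the service's code; function names are hypothetical and the sample configs are constructed) lints those cross-field rules and models the documented client-address selection. Flagging TLS 1.0 and 1.1 as deprecated follows RFC 8996, not this page.

```python
TLS_ORDER = ["TLS_V1", "TLS_V1_1", "TLS_V1_2", "TLS_V1_3"]
HEADER_NAMES = {
    "X_FORWARDED_FOR": "X-Forwarded-For",
    "X_CLIENT_IP": "X-Client-Ip",
    "X_REAL_IP": "X-Real-Ip",
    "CLIENT_IP": "Client-Ip",
    "TRUE_CLIENT_IP": "True-Client-Ip",
}


def lint_policy_config(cfg):
    """Return a list of (field, message) findings for a policyConfig dict."""
    findings = []
    protocols = cfg.get("tlsProtocols") or []
    unknown = [p for p in protocols if p not in TLS_ORDER]
    if unknown:
        findings.append(("tlsProtocols", f"unknown values: {unknown}"))
    idx = sorted({TLS_ORDER.index(p) for p in protocols if p in TLS_ORDER})
    if idx and idx[-1] - idx[0] + 1 != len(idx):
        missing = [TLS_ORDER[i] for i in range(idx[0], idx[-1] + 1)
                   if i not in idx]
        findings.append(("tlsProtocols", f"not consecutive, missing {missing}"))
    legacy = [TLS_ORDER[i] for i in idx if i < 2]
    if legacy:
        # Added advisory, not a rule from the schema: see RFC 8996.
        findings.append(("tlsProtocols", f"{legacy} deprecated by RFC 8996"))
    if cfg.get("isHttpsEnabled") and not cfg.get("certificateId"):
        findings.append(("certificateId", "required when isHttpsEnabled is true"))
    if protocols and not cfg.get("isHttpsEnabled"):
        findings.append(("tlsProtocols", "only applicable when HTTPS is enabled"))
    header = cfg.get("clientAddressHeader")
    if header and header not in HEADER_NAMES:
        findings.append(("clientAddressHeader", f"unknown value: {header}"))
    if header and not cfg.get("isBehindCdn"):
        findings.append(("clientAddressHeader",
                         "applicable only if isBehindCdn is enabled"))
    return findings


def resolve_client_ip(cfg, headers, peer_ip):
    """Model of the documented selection. headers is a list of (name, value)
    pairs in wire order; peer_ip is the connecting address."""
    name = HEADER_NAMES.get(cfg.get("clientAddressHeader") or "")
    if not cfg.get("isBehindCdn") or not name:
        return peer_ip
    for hname, hvalue in headers:
        if hname.lower() == name.lower():
            # Only the first header with this name is used, and within it
            # the last address in the comma-separated value.
            return hvalue.split(",")[-1].strip()
    return peer_ip  # header absent: fall back to the connecting address


# Constructed sample configurations.
WEAK = {"isHttpsEnabled": True,
        "tlsProtocols": ["TLS_V1_1", "TLS_V1_3"],
        "clientAddressHeader": "X_CLIENT_IP"}
HARDENED = {"isHttpsEnabled": True,
            "certificateId": "<certificate-ocid-placeholder>",
            "tlsProtocols": ["TLS_V1_2", "TLS_V1_3"],
            "isBehindCdn": True,
            "clientAddressHeader": "X_CLIENT_IP"}
```

The resolved address is only as trustworthy as the CDN's handling of the header, which is why the field description assumes the CDN sets it.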
Spec.policyConfig.healthChecks
WaasPolicyPolicyConfigHealthChecks defines nested fields for WaasPolicy.PolicyConfig.HealthChecks.
| Field |
Description |
Type |
Required |
Default |
Enum |
expectedResponseCodeGroup |
The HTTP response codes that signify a healthy state. - 2XX: Success response code group. - 3XX: Redirection response code group. - 4XX: Client errors response code group. - 5XX: Server errors response code group. |
list[string] |
No |
- |
- |
expectedResponseText |
Health check will search for the given text in a case-sensitive manner within the response body and will fail if the text is not found. |
string |
No |
- |
- |
headers |
HTTP header fields to include in health check requests, expressed as "name": "value" properties. Because HTTP header field names are case-insensitive, any use of names that are case-insensitive equal to other names will be rejected. If Host is not specified, requests will include a Host header field with value matching the policy's protected domain. If User-Agent is not specified, requests will include a User-Agent header field with value "waf health checks". Note: The only currently-supported header fields are Host and User-Agent. |
map[string, string] |
No |
- |
- |
healthyThreshold |
Number of successful health checks after which the server is marked up. |
integer |
No |
- |
- |
intervalInSeconds |
Time between health checks of an individual origin server, in seconds. |
integer |
No |
- |
- |
isEnabled |
Enables or disables the health checks. |
boolean |
No |
- |
- |
isResponseTextCheckEnabled |
Enables or disables an additional check for predefined text, in addition to the response code. |
boolean |
No |
- |
- |
method |
An HTTP verb (i.e. HEAD, GET, or POST) to use when performing the health check. |
string |
No |
- |
- |
path |
Path to visit on your origins when performing the health check. |
string |
No |
- |
- |
timeoutInSeconds |
The response timeout: the wait time, in seconds, until a request is considered failed. |
integer |
No |
- |
- |
unhealthyThreshold |
Number of failed health checks after which the server is marked down. |
integer |
No |
- |
- |
Spec.policyConfig.loadBalancingMethod
An object that represents a load balancing method and its properties.
| Field |
Description |
Type |
Required |
Default |
Enum |
domain |
The domain for which the cookie is set, defaults to WAAS policy domain. |
string |
No |
- |
- |
expirationTimeInSeconds |
The time for which a browser should keep the cookie in seconds. Empty value will cause the cookie to expire at the end of a browser session. |
integer |
No |
- |
- |
jsonData |
- |
string |
No |
- |
- |
method |
- |
string |
No |
- |
- |
name |
The name of the cookie used to track the persistence. Can contain any US-ASCII character except separators or control characters. |
string |
No |
- |
- |
Spec.wafConfig
WaasPolicyWafConfig defines nested fields for WaasPolicy.WafConfig.
| Field |
Description |
Type |
Required |
Default |
Enum |
accessRules |
The access rules applied to the Web Application Firewall. Access rules allow custom content access policies to be defined and ALLOW, DETECT, or BLOCK actions to be taken on a request when specified criteria are met. |
list[object] |
No |
- |
- |
addressRateLimiting |
The settings used to limit the number of requests from an IP address. |
object |
No |
- |
- |
cachingRules |
A list of caching rules applied to the web application. |
list[object] |
No |
- |
- |
captchas |
A list of CAPTCHA challenge settings. CAPTCHAs challenge requests to ensure a human is attempting to reach the specified URL and not a bot. |
list[object] |
No |
- |
- |
customProtectionRules |
A list of the custom protection rule OCIDs and their actions. |
list[object] |
No |
- |
- |
deviceFingerprintChallenge |
The device fingerprint challenge settings. Blocks bots based on unique device fingerprint information. |
object |
No |
- |
- |
humanInteractionChallenge |
The human interaction challenge settings. Detects natural human interactions such as mouse movements, time on site, and page scrolling to identify bots. |
object |
No |
- |
- |
jsChallenge |
The JavaScript challenge settings. Blocks bots by challenging requests from browsers that have no JavaScript support. |
object |
No |
- |
- |
origin |
The key in the map of origins referencing the origin used for the Web Application Firewall. The origin must already be included in Origins. Required when creating the WafConfig resource, but is not required upon updating the configuration. |
string |
No |
- |
- |
originGroups |
The map of origin groups and their keys used to associate origins to the wafConfig. Origin groups allow you to apply weights to groups of origins for load balancing purposes. Origins with higher weights will receive larger proportions of client requests. To add additional origins to your WAAS policy, update the origins field of an UpdateWaasPolicy request. |
list[string] |
No |
- |
- |
protectionSettings |
The settings applied to protection rules. |
object |
No |
- |
- |
whitelists |
A list of IP addresses that bypass the Web Application Firewall. |
list[object] |
No |
- |
- |
Spec.wafConfig.accessRules[]
WaasPolicyWafConfigAccessRule defines nested fields for WaasPolicy.WafConfig.AccessRule.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
The action to take when the access criteria are met for a rule. If unspecified, defaults to ALLOW. - ALLOW: Takes no action, just logs the request. - DETECT: Takes no action, but creates an alert for the request. - BLOCK: Blocks the request by returning specified response code or showing error page. - BYPASS: Bypasses some or all challenges. - REDIRECT: Redirects the request to the specified URL. These fields are required when REDIRECT is selected: redirectUrl, redirectResponseCode. - SHOW_CAPTCHA: Show a CAPTCHA Challenge page instead of the requested page. Regardless of action, no further rules are processed once a rule is matched. |
string |
Yes |
- |
- |
blockAction |
The method used to block requests if action is set to BLOCK and the access criteria are met. If unspecified, defaults to SET_RESPONSE_CODE. |
string |
No |
- |
- |
blockErrorPageCode |
The error code to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the access criteria are met. If unspecified, defaults to 'Access rules'. |
string |
No |
- |
- |
blockErrorPageDescription |
The description text to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the access criteria are met. If unspecified, defaults to 'Access blocked by website owner. Please contact support.' |
string |
No |
- |
- |
blockErrorPageMessage |
The message to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the access criteria are met. If unspecified, defaults to 'Access to the website is blocked.' |
string |
No |
- |
- |
blockResponseCode |
The response status code to return when action is set to BLOCK, blockAction is set to SET_RESPONSE_CODE, and the access criteria are met. If unspecified, defaults to 403. The list of available response codes: 200, 201, 202, 204, 206, 300, 301, 302, 303, 304, 307, 400, 401, 403, 404, 405, 408, 409, 411, 412, 413, 414, 415, 416, 422, 444, 494, 495, 496, 497, 499, 500, 501, 502, 503, 504, 507. |
integer |
No |
- |
- |
bypassChallenges |
The list of challenges to bypass when action is set to BYPASS. If unspecified or empty, all challenges are bypassed. - JS_CHALLENGE: Bypasses JavaScript Challenge. - DEVICE_FINGERPRINT_CHALLENGE: Bypasses Device Fingerprint Challenge. - HUMAN_INTERACTION_CHALLENGE: Bypasses Human Interaction Challenge. - CAPTCHA: Bypasses CAPTCHA Challenge. |
list[string] |
No |
- |
- |
captchaFooter |
The text to show in the footer when showing a CAPTCHA challenge when action is set to SHOW_CAPTCHA and the request is challenged. |
string |
No |
- |
- |
captchaHeader |
The text to show in the header when showing a CAPTCHA challenge when action is set to SHOW_CAPTCHA and the request is challenged. |
string |
No |
- |
- |
captchaSubmitLabel |
The text to show on the label of the CAPTCHA challenge submit button when action is set to SHOW_CAPTCHA and the request is challenged. |
string |
No |
- |
- |
captchaTitle |
The title used when showing a CAPTCHA challenge when action is set to SHOW_CAPTCHA and the request is challenged. |
string |
No |
- |
- |
criteria |
The list of access rule criteria. The rule would be applied only for the requests that matched all the listed conditions. |
list[object] |
Yes |
- |
- |
name |
The unique name of the access rule. |
string |
Yes |
- |
- |
redirectResponseCode |
The response status code to return when action is set to REDIRECT. - MOVED_PERMANENTLY: Used for designating the permanent movement of a page (numerical code - 301). - FOUND: Used for designating the temporary movement of a page (numerical code - 302). |
string |
No |
- |
- |
redirectUrl |
The target to which the request should be redirected, represented as a URI reference. Required when action is REDIRECT. |
string |
No |
- |
- |
responseHeaderManipulation |
An object that represents an action to apply to HTTP response headers if all rule criteria are matched, regardless of the action value. |
list[object] |
No |
- |
- |
Spec.wafConfig.accessRules[].criteria[]
WaasPolicyWafConfigAccessRuleCriteria defines nested fields for WaasPolicy.WafConfig.AccessRule.Criteria.
| Field |
Description |
Type |
Required |
Default |
Enum |
condition |
The criteria the access rule and JavaScript Challenge use to determine if action should be taken on a request. - URL_IS: Matches if the concatenation of request URL path and query is identical to the contents of the value field. URL must start with a /. - URL_IS_NOT: Matches if the concatenation of request URL path and query is not identical to the contents of the value field. URL must start with a /. - URL_STARTS_WITH: Matches if the concatenation of request URL path and query starts with the contents of the value field. URL must start with a /. - URL_PART_ENDS_WITH: Matches if the concatenation of request URL path and query ends with the contents of the value field. - URL_PART_CONTAINS: Matches if the concatenation of request URL path and query contains the contents of the value field. - URL_REGEX: Matches if the concatenation of request URL path and query is described by the regular expression in the value field. The value must be a valid regular expression recognized by the PCRE library in Nginx (https://www.pcre.org). - URL_DOES_NOT_MATCH_REGEX: Matches if the concatenation of request URL path and query is not described by the regular expression in the value field. The value must be a valid regular expression recognized by the PCRE library in Nginx (https://www.pcre.org). - URL_DOES_NOT_START_WITH: Matches if the concatenation of request URL path and query does not start with the contents of the value field. - URL_PART_DOES_NOT_CONTAIN: Matches if the concatenation of request URL path and query does not contain the contents of the value field. - URL_PART_DOES_NOT_END_WITH: Matches if the concatenation of request URL path and query does not end with the contents of the value field. - IP_IS: Matches if the request originates from one of the IP addresses contained in the defined address list. The value in this case is a string with one or multiple IPs or CIDR notations separated by the newline symbol \n. Example: "1.1.1.1\n1.1.1.2\n1.2.2.1/30" - IP_IS_NOT: Matches if the request does not originate from any of the IP addresses contained in the defined address list. The value in this case is a string with one or multiple IPs or CIDR notations separated by the newline symbol \n. Example: "1.1.1.1\n1.1.1.2\n1.2.2.1/30" - IP_IN_LIST: Matches if the request originates from one of the IP addresses contained in the referenced address list. The value in this case is the OCID of the address list. - IP_NOT_IN_LIST: Matches if the request does not originate from any IP address contained in the referenced address list. The value field in this case is the OCID of the address list. - HTTP_HEADER_CONTAINS: The HTTP_HEADER_CONTAINS criteria is defined using a compound value separated by a colon: a header field name and a header field value. host:test.example.com is an example of a criteria value where host is the header field name and test.example.com is the header field value. A request matches when the header field name is a case-insensitive match and the header field value is a case-insensitive, substring match. Example: With a criteria value of host:test.example.com, where host is the name of the field and test.example.com is the value of the host field, a request with the header values Host: www.test.example.com will match, whereas a request with header values of host: www.example.com or host: test.sub.example.com will not match. - HTTP_METHOD_IS: Matches if the request method is identical to one of the values listed in the value field. The value in this case is a string with one or multiple HTTP methods separated by the newline symbol \n. The list of available methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH. Example: "GET\nPOST" - HTTP_METHOD_IS_NOT: Matches if the request is not identical to any of the contents of the value field. The value in this case is a string with one or multiple HTTP methods separated by the newline symbol \n. The list of available methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH. Example: "GET\nPOST" - COUNTRY_IS: Matches if the request originates from one of the countries in the value field. The value in this case is a string with one or multiple countries separated by the newline symbol \n. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website (https://www.iso.org/obp/ui/#search/code/). Example: "AL\nDZ\nAM" - COUNTRY_IS_NOT: Matches if the request does not originate from any of the countries in the value field. The value in this case is a string with one or multiple countries separated by the newline symbol \n. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website (https://www.iso.org/obp/ui/#search/code/). Example: "AL\nDZ\nAM" - USER_AGENT_IS: Matches if the requesting user agent is identical to the contents of the value field. Example: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 - USER_AGENT_IS_NOT: Matches if the requesting user agent is not identical to the contents of the value field. Example: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 |
string |
Yes |
- |
- |
isCaseSensitive |
When enabled, the condition will be matched with case-sensitive rules. |
boolean |
No |
- |
- |
value |
The criteria value. |
string |
Yes |
- |
- |
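Access rules combine two documented semantics that are easy to get wrong in review: a rule applies only when all of its criteria match, and no further rules are processed once one matches. The following added example is a local model of those semantics for a subset of conditions, not the WAF's implementation; function names are hypothetical, the rules and requests are constructed, and treating URL conditions as case-insensitive unless isCaseSensitive is set is an assumption.

```python
import ipaddress


def criterion_matches(criterion, req):
    """req: {"method", "url" (path + query), "ip", "headers": {name: value}}."""
    cond, value = criterion["condition"], criterion["value"]
    if cond.startswith("URL_"):
        url = req["url"]
        if not criterion.get("isCaseSensitive"):  # assumption, see lead-in
            url, value = url.lower(), value.lower()
        if cond == "URL_IS":
            return url == value
        if cond == "URL_STARTS_WITH":
            return url.startswith(value)
        if cond == "URL_PART_CONTAINS":
            return value in url
    elif cond in ("IP_IS", "IP_IS_NOT"):
        # strict=False accepts entries with host bits set, such as the
        # "1.2.2.1/30" form used in the field description.
        nets = [ipaddress.ip_network(v.strip(), strict=False)
                for v in value.split("\n") if v.strip()]
        hit = any(ipaddress.ip_address(req["ip"]) in net for net in nets)
        return hit if cond == "IP_IS" else not hit
    elif cond == "HTTP_HEADER_CONTAINS":
        # Compound value "name:value"; name is matched case-insensitively,
        # value as a case-insensitive substring.
        name, _, needle = value.partition(":")
        return any(h.lower() == name.strip().lower()
                   and needle.strip().lower() in v.lower()
                   for h, v in req["headers"].items())
    elif cond == "HTTP_METHOD_IS":
        return req["method"] in value.split("\n")
    raise NotImplementedError(cond)


def evaluate(rules, req):
    """Return (name, action) of the first rule whose criteria all match."""
    for rule in rules:
        if all(criterion_matches(c, req) for c in rule["criteria"]):
            return rule["name"], rule["action"]
    return None, None


# Constructed rules: the same set in two orders.
BYPASS_OFFICE = {"name": "bypass-office", "action": "BYPASS", "criteria": [
    {"condition": "IP_IS", "value": "203.0.113.0/24"}]}
BLOCK_ADMIN = {"name": "block-admin", "action": "BLOCK", "criteria": [
    {"condition": "URL_STARTS_WITH", "value": "/admin"}]}
DETECT_API_WRITES = {"name": "detect-api-writes", "action": "DETECT", "criteria": [
    {"condition": "URL_STARTS_WITH", "value": "/api"},
    {"condition": "HTTP_METHOD_IS", "value": "POST\nPUT"}]}
ORDER_A = [BYPASS_OFFICE, BLOCK_ADMIN, DETECT_API_WRITES]
ORDER_B = [BLOCK_ADMIN, BYPASS_OFFICE, DETECT_API_WRITES]

# Constructed request: office address reaching the admin path.
OFFICE_ADMIN = {"method": "GET", "url": "/admin/users?id=1",
                "ip": "203.0.113.10", "headers": {"Host": "www.test.example.com"}}
```

With ORDER_A the office request is handled by bypass-office and block-admin is never evaluated; with ORDER_B the same request is blocked, so rule order is part of the policy and worth reviewing alongside the criteria.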
Spec.wafConfig.accessRules[].responseHeaderManipulation[]
WaasPolicyWafConfigAccessRuleResponseHeaderManipulation defines nested fields for WaasPolicy.WafConfig.AccessRule.ResponseHeaderManipulation.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
- |
string |
No |
- |
- |
header |
A header field name that conforms to RFC 7230. Example: example_header_name |
string |
No |
- |
- |
jsonData |
- |
string |
No |
- |
- |
value |
A header field value that conforms to RFC 7230. Example: example_value |
string |
No |
- |
- |
Spec.wafConfig.addressRateLimiting
The settings used to limit the number of requests from an IP address.
| Field |
Description |
Type |
Required |
Default |
Enum |
allowedRatePerAddress |
The number of allowed requests per second from one IP address. If unspecified, defaults to 1. |
integer |
No |
- |
- |
blockResponseCode |
The response status code returned when a request is blocked. If unspecified, defaults to 503. The list of available response codes: 400, 401, 403, 404, 405, 408, 409, 411, 412, 413, 414, 415, 416, 422, 494, 495, 496, 497, 499, 500, 501, 502, 503, 504, 507. |
integer |
No |
- |
- |
isEnabled |
Enables or disables the address rate limiting Web Application Firewall feature. |
boolean |
Yes |
- |
- |
maxDelayedCountPerAddress |
The maximum number of requests allowed to be queued before subsequent requests are dropped. If unspecified, defaults to 10. |
integer |
No |
- |
- |
Spec.wafConfig.cachingRules[]
WaasPolicyWafConfigCachingRule defines nested fields for WaasPolicy.WafConfig.CachingRule.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
The action to take when the criteria of a caching rule are met. - CACHE: Caches requested content when the criteria of the rule are met. - BYPASS_CACHE: Allows requests to bypass the cache and be directed to the origin when the criteria of the rule are met. |
string |
Yes |
- |
- |
cachingDuration |
The duration to cache content for the caching rule, specified in ISO 8601 extended format. Supported units: seconds, minutes, hours, days, weeks, months. The maximum value that can be set for any unit is 99. Mixing of multiple units is not supported. Only applies when the action is set to CACHE. Example: PT1H |
string |
No |
- |
- |
clientCachingDuration |
The duration to cache content in the user's browser, specified in ISO 8601 extended format. Supported units: seconds, minutes, hours, days, weeks, months. The maximum value that can be set for any unit is 99. Mixing of multiple units is not supported. Only applies when the action is set to CACHE. Example: PT1H |
string |
No |
- |
- |
criteria |
The array of the rule criteria with condition and value. The caching rule would be applied for the requests that matched any of the listed conditions. |
list[object] |
Yes |
- |
- |
isClientCachingEnabled |
Enables or disables client caching. Browsers use the Cache-Control header value for caching content locally in the browser. This setting overrides the addition of a Cache-Control header in responses. |
boolean |
No |
- |
- |
key |
The unique key for the caching rule. |
string |
No |
- |
- |
name |
The name of the caching rule. |
string |
Yes |
- |
- |
Spec.wafConfig.cachingRules[].criteria[]
WaasPolicyWafConfigCachingRuleCriteria defines nested fields for WaasPolicy.WafConfig.CachingRule.Criteria.
| Field |
Description |
Type |
Required |
Default |
Enum |
condition |
The condition of the caching rule criteria. - URL_IS: Matches if the concatenation of request URL path and query is identical to the contents of the value field. - URL_STARTS_WITH: Matches if the concatenation of request URL path and query starts with the contents of the value field. - URL_PART_ENDS_WITH: Matches if the concatenation of request URL path and query ends with the contents of the value field. - URL_PART_CONTAINS: Matches if the concatenation of request URL path and query contains the contents of the value field. URLs must start with a /. URLs can't contain restricted double slashes //. URLs can't contain the restricted ' & ? symbols. Resources to cache can only be specified by a URL, any query parameters are ignored. |
string |
Yes |
- |
- |
value |
The value of the caching rule criteria. |
string |
Yes |
- |
- |
Spec.wafConfig.captchas[]
WaasPolicyWafConfigCaptcha defines nested fields for WaasPolicy.WafConfig.Captcha.
| Field |
Description |
Type |
Required |
Default |
Enum |
failureMessage |
The text to show when incorrect CAPTCHA text is entered. If unspecified, defaults to 'The CAPTCHA was incorrect. Try again.' |
string |
Yes |
- |
- |
footerText |
The text to show in the footer when showing a CAPTCHA challenge. If unspecified, defaults to 'Enter the letters and numbers as they are shown in the image above.' |
string |
No |
- |
- |
headerText |
The text to show in the header when showing a CAPTCHA challenge. If unspecified, defaults to 'We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.' |
string |
No |
- |
- |
sessionExpirationInSeconds |
The amount of time before the CAPTCHA expires, in seconds. If unspecified, defaults to 300. |
integer |
Yes |
- |
- |
submitLabel |
The text to show on the label of the CAPTCHA challenge submit button. If unspecified, defaults to 'Yes, I am human.' |
string |
Yes |
- |
- |
title |
The title used when displaying a CAPTCHA challenge. If unspecified, defaults to Are you human? |
string |
Yes |
- |
- |
url |
The unique URL path at which to show the CAPTCHA challenge. |
string |
Yes |
- |
- |
Spec.wafConfig.customProtectionRules[]
Back to WaasPolicy spec
WaasPolicyWafConfigCustomProtectionRule defines nested fields for WaasPolicy.WafConfig.CustomProtectionRule.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
The action to take when the custom protection rule is triggered. DETECT - Logs the request when the criteria of the custom protection rule are met. BLOCK - Blocks the request when the criteria of the custom protection rule are met. |
string |
No |
- |
- |
exclusions |
- |
list[object] |
No |
- |
- |
id |
The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the custom protection rule. |
string |
No |
- |
- |
Spec.wafConfig.customProtectionRules[].exclusions[]
Back to WaasPolicy spec
WaasPolicyWafConfigCustomProtectionRuleExclusion defines nested fields for WaasPolicy.WafConfig.CustomProtectionRule.Exclusion.
| Field |
Description |
Type |
Required |
Default |
Enum |
exclusions |
- |
list[string] |
No |
- |
- |
target |
The target of the exclusion. |
string |
No |
- |
- |
Spec.wafConfig.deviceFingerprintChallenge
Back to WaasPolicy spec
The device fingerprint challenge settings. Blocks bots based on unique device fingerprint information.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
The action to take on requests from detected bots. If unspecified, defaults to DETECT. |
string |
No |
- |
- |
actionExpirationInSeconds |
The number of seconds between challenges for the same IP address. If unspecified, defaults to 60. |
integer |
No |
- |
- |
challengeSettings |
WaasPolicyWafConfigDeviceFingerprintChallengeChallengeSettings defines nested fields for WaasPolicy.WafConfig.DeviceFingerprintChallenge.ChallengeSettings. |
object |
No |
- |
- |
failureThreshold |
The number of failed requests allowed before taking action. If unspecified, defaults to 10. |
integer |
No |
- |
- |
failureThresholdExpirationInSeconds |
The number of seconds before the failure threshold resets. If unspecified, defaults to 60. |
integer |
No |
- |
- |
isEnabled |
Enables or disables the device fingerprint challenge Web Application Firewall feature. |
boolean |
Yes |
- |
- |
maxAddressCount |
The maximum number of IP addresses permitted with the same device fingerprint. If unspecified, defaults to 20. |
integer |
No |
- |
- |
maxAddressCountExpirationInSeconds |
The number of seconds before the maximum addresses count resets. If unspecified, defaults to 60. |
integer |
No |
- |
- |
Spec.wafConfig.deviceFingerprintChallenge.challengeSettings
Back to WaasPolicy spec
WaasPolicyWafConfigDeviceFingerprintChallengeChallengeSettings defines nested fields for WaasPolicy.WafConfig.DeviceFingerprintChallenge.ChallengeSettings.
| Field |
Description |
Type |
Required |
Default |
Enum |
blockAction |
The method used to block requests that fail the challenge, if action is set to BLOCK. If unspecified, defaults to SHOW_ERROR_PAGE. |
string |
No |
- |
- |
blockErrorPageCode |
The error code to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE and the request is blocked. If unspecified, defaults to 403. |
string |
No |
- |
- |
blockErrorPageDescription |
The description text to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to Access blocked by website owner. Please contact support. |
string |
No |
- |
- |
blockErrorPageMessage |
The message to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to Access to the website is blocked. |
string |
No |
- |
- |
blockResponseCode |
The response status code to return when action is set to BLOCK, blockAction is set to SET_RESPONSE_CODE or SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to 403. The list of available response codes: 200, 201, 202, 204, 206, 300, 301, 302, 303, 304, 307, 400, 401, 403, 404, 405, 408, 409, 411, 412, 413, 414, 415, 416, 422, 444, 494, 495, 496, 497, 499, 500, 501, 502, 503, 504, 507. |
integer |
No |
- |
- |
captchaFooter |
The text to show in the footer when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Enter the letters and numbers as they are shown in image above. |
string |
No |
- |
- |
captchaHeader |
The text to show in the header when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below. |
string |
No |
- |
- |
captchaSubmitLabel |
The text to show on the label of the CAPTCHA challenge submit button when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Yes, I am human. |
string |
No |
- |
- |
captchaTitle |
The title used when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Are you human? |
string |
No |
- |
- |
Spec.wafConfig.humanInteractionChallenge
Back to WaasPolicy spec
The human interaction challenge settings. Detects natural human interactions such as mouse movements, time on site, and page scrolling to identify bots.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
The action to take against requests from detected bots. If unspecified, defaults to DETECT. |
string |
No |
- |
- |
actionExpirationInSeconds |
The number of seconds between challenges for the same IP address. If unspecified, defaults to 60. |
integer |
No |
- |
- |
challengeSettings |
WaasPolicyWafConfigHumanInteractionChallengeChallengeSettings defines nested fields for WaasPolicy.WafConfig.HumanInteractionChallenge.ChallengeSettings. |
object |
No |
- |
- |
failureThreshold |
The number of failed requests before taking action. If unspecified, defaults to 10. |
integer |
No |
- |
- |
failureThresholdExpirationInSeconds |
The number of seconds before the failure threshold resets. If unspecified, defaults to 60. |
integer |
No |
- |
- |
interactionThreshold |
The number of interactions required to pass the challenge. If unspecified, defaults to 3. |
integer |
No |
- |
- |
isEnabled |
Enables or disables the human interaction challenge Web Application Firewall feature. |
boolean |
Yes |
- |
- |
isNatEnabled |
When enabled, the user is identified not only by the IP address but also by a unique additional hash, which prevents blocking visitors with shared IP addresses. |
boolean |
No |
- |
- |
recordingPeriodInSeconds |
The number of seconds to record the interactions from the user. If unspecified, defaults to 15. |
integer |
No |
- |
- |
setHttpHeader |
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the action is set to DETECT. |
object |
No |
- |
- |
Spec.wafConfig.humanInteractionChallenge.challengeSettings
Back to WaasPolicy spec
WaasPolicyWafConfigHumanInteractionChallengeChallengeSettings defines nested fields for WaasPolicy.WafConfig.HumanInteractionChallenge.ChallengeSettings.
| Field |
Description |
Type |
Required |
Default |
Enum |
blockAction |
The method used to block requests that fail the challenge, if action is set to BLOCK. If unspecified, defaults to SHOW_ERROR_PAGE. |
string |
No |
- |
- |
blockErrorPageCode |
The error code to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE and the request is blocked. If unspecified, defaults to 403. |
string |
No |
- |
- |
blockErrorPageDescription |
The description text to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to Access blocked by website owner. Please contact support. |
string |
No |
- |
- |
blockErrorPageMessage |
The message to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to Access to the website is blocked. |
string |
No |
- |
- |
blockResponseCode |
The response status code to return when action is set to BLOCK, blockAction is set to SET_RESPONSE_CODE or SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to 403. The list of available response codes: 200, 201, 202, 204, 206, 300, 301, 302, 303, 304, 307, 400, 401, 403, 404, 405, 408, 409, 411, 412, 413, 414, 415, 416, 422, 444, 494, 495, 496, 497, 499, 500, 501, 502, 503, 504, 507. |
integer |
No |
- |
- |
captchaFooter |
The text to show in the footer when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Enter the letters and numbers as they are shown in image above. |
string |
No |
- |
- |
captchaHeader |
The text to show in the header when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below. |
string |
No |
- |
- |
captchaSubmitLabel |
The text to show on the label of the CAPTCHA challenge submit button when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Yes, I am human. |
string |
No |
- |
- |
captchaTitle |
The title used when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Are you human? |
string |
No |
- |
- |
Spec.wafConfig.humanInteractionChallenge.setHttpHeader
Back to WaasPolicy spec
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the action is set to DETECT.
| Field |
Description |
Type |
Required |
Default |
Enum |
name |
The name of the header. |
string |
Yes |
- |
- |
value |
The value of the header. |
string |
Yes |
- |
- |
Spec.wafConfig.jsChallenge
Back to WaasPolicy spec
The JavaScript challenge settings. Blocks bots by challenging requests from browsers that have no JavaScript support.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
The action to take against requests from detected bots. If unspecified, defaults to DETECT. |
string |
No |
- |
- |
actionExpirationInSeconds |
The number of seconds between challenges from the same IP address. If unspecified, defaults to 60. |
integer |
No |
- |
- |
areRedirectsChallenged |
When enabled, redirect responses from the origin will also be challenged. This will change HTTP 301/302 responses from origin to HTTP 200 with an HTML body containing JavaScript page redirection. |
boolean |
No |
- |
- |
challengeSettings |
WaasPolicyWafConfigJsChallengeChallengeSettings defines nested fields for WaasPolicy.WafConfig.JsChallenge.ChallengeSettings. |
object |
No |
- |
- |
criteria |
When defined, the JavaScript Challenge is applied only to requests that match all the listed conditions. |
list[object] |
No |
- |
- |
failureThreshold |
The number of failed requests before taking action. If unspecified, defaults to 10. |
integer |
No |
- |
- |
isEnabled |
Enables or disables the JavaScript challenge Web Application Firewall feature. |
boolean |
Yes |
- |
- |
isNatEnabled |
When enabled, the user is identified not only by the IP address but also by a unique additional hash, which prevents blocking visitors with shared IP addresses. |
boolean |
No |
- |
- |
setHttpHeader |
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the action is set to DETECT. |
object |
No |
- |
- |
Spec.wafConfig.jsChallenge.challengeSettings
Back to WaasPolicy spec
WaasPolicyWafConfigJsChallengeChallengeSettings defines nested fields for WaasPolicy.WafConfig.JsChallenge.ChallengeSettings.
| Field |
Description |
Type |
Required |
Default |
Enum |
blockAction |
The method used to block requests that fail the challenge, if action is set to BLOCK. If unspecified, defaults to SHOW_ERROR_PAGE. |
string |
No |
- |
- |
blockErrorPageCode |
The error code to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE and the request is blocked. If unspecified, defaults to 403. |
string |
No |
- |
- |
blockErrorPageDescription |
The description text to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to Access blocked by website owner. Please contact support. |
string |
No |
- |
- |
blockErrorPageMessage |
The message to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to Access to the website is blocked. |
string |
No |
- |
- |
blockResponseCode |
The response status code to return when action is set to BLOCK, blockAction is set to SET_RESPONSE_CODE or SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to 403. The list of available response codes: 200, 201, 202, 204, 206, 300, 301, 302, 303, 304, 307, 400, 401, 403, 404, 405, 408, 409, 411, 412, 413, 414, 415, 416, 422, 444, 494, 495, 496, 497, 499, 500, 501, 502, 503, 504, 507. |
integer |
No |
- |
- |
captchaFooter |
The text to show in the footer when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Enter the letters and numbers as they are shown in image above. |
string |
No |
- |
- |
captchaHeader |
The text to show in the header when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below. |
string |
No |
- |
- |
captchaSubmitLabel |
The text to show on the label of the CAPTCHA challenge submit button when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Yes, I am human. |
string |
No |
- |
- |
captchaTitle |
The title used when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Are you human? |
string |
No |
- |
- |
Spec.wafConfig.jsChallenge.criteria[]
Back to WaasPolicy spec
WaasPolicyWafConfigJsChallengeCriteria defines nested fields for WaasPolicy.WafConfig.JsChallenge.Criteria.
| Field |
Description |
Type |
Required |
Default |
Enum |
condition |
The criteria the access rule and JavaScript Challenge use to determine if action should be taken on a request. - URL_IS: Matches if the concatenation of request URL path and query is identical to the contents of the value field. URL must start with a /. - URL_IS_NOT: Matches if the concatenation of request URL path and query is not identical to the contents of the value field. URL must start with a /. - URL_STARTS_WITH: Matches if the concatenation of request URL path and query starts with the contents of the value field. URL must start with a /. - URL_PART_ENDS_WITH: Matches if the concatenation of request URL path and query ends with the contents of the value field. - URL_PART_CONTAINS: Matches if the concatenation of request URL path and query contains the contents of the value field. - URL_REGEX: Matches if the concatenation of request URL path and query is described by the regular expression in the value field. The value must be a valid regular expression recognized by the PCRE library in Nginx (https://www.pcre.org). - URL_DOES_NOT_MATCH_REGEX: Matches if the concatenation of request URL path and query is not described by the regular expression in the value field. The value must be a valid regular expression recognized by the PCRE library in Nginx (https://www.pcre.org). - URL_DOES_NOT_START_WITH: Matches if the concatenation of request URL path and query does not start with the contents of the value field. - URL_PART_DOES_NOT_CONTAIN: Matches if the concatenation of request URL path and query does not contain the contents of the value field. - URL_PART_DOES_NOT_END_WITH: Matches if the concatenation of request URL path and query does not end with the contents of the value field. - IP_IS: Matches if the request originates from one of the IP addresses contained in the defined address list. 
The value in this case is a string with one or multiple IPs or CIDR notations separated by the newline symbol \n. Example: "1.1.1.1\n1.1.1.2\n1.2.2.1/30" - IP_IS_NOT: Matches if the request does not originate from any of the IP addresses contained in the defined address list. The value in this case is a string with one or multiple IPs or CIDR notations separated by the newline symbol \n. Example: "1.1.1.1\n1.1.1.2\n1.2.2.1/30" - IP_IN_LIST: Matches if the request originates from one of the IP addresses contained in the referenced address list. The value in this case is the OCID of the address list. - IP_NOT_IN_LIST: Matches if the request does not originate from any IP address contained in the referenced address list. The value field in this case is the OCID of the address list. - HTTP_HEADER_CONTAINS: The HTTP_HEADER_CONTAINS criteria is defined using a compound value separated by a colon: a header field name and a header field value. host:test.example.com is an example of a criteria value where host is the header field name and test.example.com is the header field value. A request matches when the header field name is a case-insensitive match and the header field value is a case-insensitive substring match. Example: With a criteria value of host:test.example.com, where host is the name of the field and test.example.com is the value of the host field, a request with the header values Host: www.test.example.com will match, whereas a request with header values of host: www.example.com or host: test.sub.example.com will not match. - HTTP_METHOD_IS: Matches if the request method is identical to one of the values listed in the value field. The value in this case is a string with one or multiple HTTP methods separated by the newline symbol \n. The list of available methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH. Example: "GET\nPOST" - HTTP_METHOD_IS_NOT: Matches if the request method is not identical to any of the contents of the value field. 
The value in this case is a string with one or multiple HTTP methods separated by the newline symbol \n. The list of available methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH. Example: "GET\nPOST" - COUNTRY_IS: Matches if the request originates from one of the countries in the value field. The value in this case is a string with one or multiple countries separated by the newline symbol \n. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website (https://www.iso.org/obp/ui/#search/code/). Example: "AL\nDZ\nAM" - COUNTRY_IS_NOT: Matches if the request does not originate from any of the countries in the value field. The value in this case is a string with one or multiple countries separated by the newline symbol \n. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website (https://www.iso.org/obp/ui/#search/code/). Example: "AL\nDZ\nAM" - USER_AGENT_IS: Matches if the requesting user agent is identical to the contents of the value field. Example: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 - USER_AGENT_IS_NOT: Matches if the requesting user agent is not identical to the contents of the value field. Example: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 |
string |
Yes |
- |
- |
isCaseSensitive |
When enabled, the condition will be matched with case-sensitive rules. |
boolean |
No |
- |
- |
value |
The criteria value. |
string |
Yes |
- |
- |
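The matching semantics described for jsChallenge criteria, as an added Go sketch that is not code from the operator or from Oracle. The `Criterion` and `Request` types and all function names are hypothetical, only a subset of the conditions is covered, the treatment of a disabled `isCaseSensitive` as case-insensitive comparison is an assumption, and the request data is constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Criterion mirrors one entry of spec.wafConfig.jsChallenge.criteria[].
type Criterion struct {
	Condition, Value string
	IsCaseSensitive  bool
}

// Request is a hypothetical, minimal view of an incoming request.
type Request struct {
	Method, PathAndQuery, ClientIP string // PathAndQuery = URL path + query
	Headers                        map[string]string
}

// inAddressList checks ip against newline-separated IPs or CIDR blocks.
func inAddressList(ipStr, list string) (bool, error) {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return false, fmt.Errorf("invalid client IP %q", ipStr)
	}
	for _, entry := range strings.Fields(list) {
		if _, network, err := net.ParseCIDR(entry); err == nil {
			if network.Contains(ip) {
				return true, nil
			}
		} else if addr := net.ParseIP(entry); addr == nil {
			return false, fmt.Errorf("invalid address list entry %q", entry)
		} else if addr.Equal(ip) {
			return true, nil
		}
	}
	return false, nil
}

// Matches evaluates one criterion; conditions not listed return an error.
func (c Criterion) Matches(r Request) (bool, error) {
	url, val := r.PathAndQuery, c.Value
	if !c.IsCaseSensitive { // assumption: disabled means case-insensitive
		url, val = strings.ToLower(url), strings.ToLower(val)
	}
	switch c.Condition {
	case "URL_IS":
		return url == val, nil
	case "URL_STARTS_WITH":
		return strings.HasPrefix(url, val), nil
	case "URL_PART_CONTAINS":
		return strings.Contains(url, val), nil
	case "IP_IS", "IP_IS_NOT":
		in, err := inAddressList(r.ClientIP, c.Value)
		if err != nil {
			return false, err
		}
		return in == (c.Condition == "IP_IS"), nil
	case "HTTP_METHOD_IS", "HTTP_METHOD_IS_NOT":
		listed := false
		for _, m := range strings.Fields(c.Value) {
			listed = listed || m == r.Method
		}
		return listed == (c.Condition == "HTTP_METHOD_IS"), nil
	case "HTTP_HEADER_CONTAINS":
		// Header name: case-insensitive match; value: case-insensitive substring.
		name, want, ok := strings.Cut(c.Value, ":")
		if !ok {
			return false, fmt.Errorf("value %q is not name:value", c.Value)
		}
		for k, v := range r.Headers {
			if strings.EqualFold(k, name) && strings.Contains(strings.ToLower(v), strings.ToLower(want)) {
				return true, nil
			}
		}
		return false, nil
	}
	return false, fmt.Errorf("condition %q is not covered here", c.Condition)
}

// ChallengeApplies is true only when every listed criterion matches (AND).
func ChallengeApplies(criteria []Criterion, r Request) (bool, error) {
	for _, c := range criteria {
		if ok, err := c.Matches(r); err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}

func main() {
	// Constructed policy fragment and requests.
	crit := []Criterion{{"URL_STARTS_WITH", "/login", true}, {"HTTP_METHOD_IS", "GET\nPOST", false}}
	for _, p := range []string{"/login?next=/", "/Login?next=/"} {
		ok, err := ChallengeApplies(crit, Request{Method: "POST", PathAndQuery: p})
		fmt.Println(p, ok, err)
	}
}
```

Because all criteria must match, each added criterion narrows the set of requests that are challenged; in this sketch a case-sensitive `/login` prefix leaves `/Login` unchallenged, which is worth checking when reviewing a policy.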
Spec.wafConfig.jsChallenge.setHttpHeader
Back to WaasPolicy spec
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the action is set to DETECT.
| Field |
Description |
Type |
Required |
Default |
Enum |
name |
The name of the header. |
string |
Yes |
- |
- |
value |
The value of the header. |
string |
Yes |
- |
- |
Spec.wafConfig.protectionSettings
Back to WaasPolicy spec
The settings applied to protection rules.
| Field |
Description |
Type |
Required |
Default |
Enum |
allowedHttpMethods |
The list of allowed HTTP methods. If unspecified, defaults to [OPTIONS, GET, HEAD, POST]. This setting only applies if a corresponding protection rule is enabled, such as the "Restrict HTTP Request Methods" rule (key: 911100). |
list[string] |
No |
- |
- |
blockAction |
If action is set to BLOCK, this specifies how the traffic is blocked when detected as malicious by a protection rule. If unspecified, defaults to SET_RESPONSE_CODE. |
string |
No |
- |
- |
blockErrorPageCode |
The error code to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to 403. |
string |
No |
- |
- |
blockErrorPageDescription |
The description text to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to Access blocked by website owner. Please contact support. |
string |
No |
- |
- |
blockErrorPageMessage |
The message to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to 'Access to the website is blocked.' |
string |
No |
- |
- |
blockResponseCode |
The response code returned when action is set to BLOCK, blockAction is set to SET_RESPONSE_CODE, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to 403. The list of available response codes: 400, 401, 403, 405, 409, 411, 412, 413, 414, 415, 416, 500, 501, 502, 503, 504, 507. |
integer |
No |
- |
- |
isResponseInspected |
Inspects the response body of origin responses. Can be used to detect leakage of sensitive data. If unspecified, defaults to false. Note: Only origin responses with a Content-Type matching a value in mediaTypes will be inspected. |
boolean |
No |
- |
- |
maxArgumentCount |
The maximum number of arguments allowed to be passed to your application before an action is taken. Arguments are query parameters or body parameters in a PUT or POST request. If unspecified, defaults to 255. This setting only applies if a corresponding protection rule is enabled, such as the "Number of Arguments Limits" rule (key: 960335). Example: If maxArgumentCount is set to 2 for the Max Number of Arguments protection rule (key: 960335), the following requests would be blocked: GET /myapp/path?query=one&query=two&query=three and POST /myapp/path with Body {"argument1":"one","argument2":"two","argument3":"three"} |
integer |
No |
- |
- |
maxNameLengthPerArgument |
The maximum length allowed for each argument name, in characters. Arguments are query parameters or body parameters in a PUT or POST request. If unspecified, defaults to 400. This setting only applies if a corresponding protection rule is enabled, such as the "Values Limits" rule (key: 960208). |
integer |
No |
- |
- |
maxResponseSizeInKiB |
The maximum response size to be fully inspected, in binary kilobytes (KiB). Anything over this limit will be partially inspected. If unspecified, defaults to 1024. |
integer |
No |
- |
- |
maxTotalNameLengthOfArguments |
The maximum length allowed for the sum of the argument name and value, in characters. Arguments are query parameters or body parameters in a PUT or POST request. If unspecified, defaults to 64000. This setting only applies if a corresponding protection rule is enabled, such as the "Total Arguments Limits" rule (key: 960341). |
integer |
No |
- |
- |
mediaTypes |
The list of media types to allow for inspection, if isResponseInspected is enabled. Only responses with MIME types in this list will be inspected. If unspecified, defaults to ["text/html", "text/plain", "text/xml"]. Supported MIME types include: - text/html - text/plain - text/asp - text/css - text/x-script - application/json - text/webviewhtml - text/x-java-source - application/x-javascript - application/javascript - application/ecmascript - text/javascript - text/ecmascript - text/x-script.perl - text/x-script.phyton - application/plain - application/xml - text/xml |
list[string] |
No |
- |
- |
recommendationsPeriodInDays |
The length of time to analyze traffic, in days. After the analysis period, WafRecommendations will be populated. If unspecified, defaults to 10. Use GET /waasPolicies/{waasPolicyId}/wafRecommendations to view WAF recommendations. |
integer |
No |
- |
- |
Spec.wafConfig.whitelists[]
Back to WaasPolicy spec
WaasPolicyWafConfigWhitelist defines nested fields for WaasPolicy.WafConfig.Whitelist.
| Field |
Description |
Type |
Required |
Default |
Enum |
addressLists |
A list of OCIDs (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of IP address lists to include in the whitelist. |
list[string] |
No |
- |
- |
addresses |
A set of IP addresses or CIDR notations to include in the whitelist. |
list[string] |
No |
- |
- |
name |
The unique name of the whitelist. |
string |
Yes |
- |
- |
Status
WaasPolicyStatus defines the observed state of WaasPolicy.
| Field |
Description |
Type |
Required |
Default |
Enum |
additionalDomains |
An array of additional domains for this web application. |
list[string] |
No |
- |
- |
cname |
The CNAME record to add to your DNS configuration to route traffic for the domain, and all additional domains, through the WAF. |
string |
No |
- |
- |
compartmentId |
The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the WAAS policy's compartment. |
string |
No |
- |
- |
definedTags |
Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Operations": {"CostCenter": "42"}} |
map[string, map[string, string]] |
No |
- |
- |
displayName |
The user-friendly name of the WAAS policy. The name can be changed and does not need to be unique. |
string |
No |
- |
- |
domain |
The web application domain that the WAAS policy protects. |
string |
No |
- |
- |
freeformTags |
Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see Resource Tags (https://docs.oracle.com/iaas/Content/General/Concepts/resourcetags.htm). Example: {"Department": "Finance"} |
map[string, string] |
No |
- |
- |
id |
The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the WAAS policy. |
string |
No |
- |
- |
lifecycleState |
The current lifecycle state of the WAAS policy. |
string |
No |
- |
- |
originGroups |
The map of origin groups and their keys used to associate origins to the wafConfig. Origin groups allow you to apply weights to groups of origins for load balancing purposes. Origins with higher weights will receive larger proportions of client requests. |
map[string, object] |
No |
- |
- |
origins |
A map of host servers (origins) and their keys for the web application. Origin keys are used to associate origins to specific protection rules. The key should be a user-friendly name for the host. Examples: primary or secondary. |
map[string, object] |
No |
- |
- |
policyConfig |
WaasPolicyPolicyConfig defines nested fields for WaasPolicy.PolicyConfig. |
object |
No |
- |
- |
status |
- |
object |
Yes |
- |
- |
timeCreated |
The date and time the policy was created, expressed in RFC 3339 timestamp format. |
string |
No |
- |
- |
wafConfig |
WaasPolicyWafConfig defines nested fields for WaasPolicy.WafConfig. |
object |
No |
- |
- |
Status.originGroups{}
Back to WaasPolicy status
WaasPolicyOriginGroups defines nested fields for WaasPolicy.OriginGroups.
| Field |
Description |
Type |
Required |
Default |
Enum |
origins |
The list of objects containing origin references and additional properties. |
list[object] |
No |
- |
- |
Status.originGroups{}.origins[]
Back to WaasPolicy status
WaasPolicyOriginGroupsOrigin defines nested fields for WaasPolicy.OriginGroups.Origin.
| Field |
Description |
Type |
Required |
Default |
Enum |
origin |
The IP address or CIDR notation of the origin server. |
string |
No |
- |
- |
weight |
The weight of the origin used in load balancing. Origins with higher weights will receive larger proportions of client requests. |
integer |
No |
- |
- |
Status.origins{}
Back to WaasPolicy status
WaasPolicyOrigins defines nested fields for WaasPolicy.Origins.
| Field |
Description |
Type |
Required |
Default |
Enum |
customHeaders |
A list of HTTP headers to forward to your origin. |
list[object] |
No |
- |
- |
httpPort |
The HTTP port on the origin that the web application listens on. If unspecified, defaults to 80. If 0 is specified, the origin is not used for HTTP traffic. |
integer |
No |
- |
- |
httpsPort |
The HTTPS port on the origin that the web application listens on. If unspecified, defaults to 443. If 0 is specified, the origin is not used for HTTPS traffic. |
integer |
No |
- |
- |
uri |
The URI of the origin. Does not support paths. Port numbers should be specified in the httpPort and httpsPort fields. |
string |
Yes |
- |
- |
Status.origins{}.customHeaders[]
Back to WaasPolicy status
WaasPolicyOriginsCustomHeader defines nested fields for WaasPolicy.Origins.CustomHeader.
| Field |
Description |
Type |
Required |
Default |
Enum |
name |
The name of the header. |
string |
Yes |
- |
- |
value |
The value of the header. |
string |
Yes |
- |
- |
Status.policyConfig
Back to WaasPolicy status
WaasPolicyPolicyConfig defines nested fields for WaasPolicy.PolicyConfig.
| Field |
Description |
Type |
Required |
Default |
Enum |
certificateId |
The OCID of the SSL certificate to use if HTTPS is supported. |
string |
No |
- |
- |
cipherGroup |
The set cipher group for the configured TLS protocol. This sets the configuration for the TLS connections between clients and edge nodes only. - DEFAULT: Cipher group supports TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3 protocols. It has the following ciphers enabled: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA |
string |
No |
- |
- |
clientAddressHeader |
Specifies an HTTP header name which is treated as the connecting client's IP address. Applicable only if isBehindCdn is enabled. The edge node reads this header and its value and sets the client IP address as specified. It does not create the header if the header is not present in the request. If the header is not present, the connecting IP address will be used as the client's true IP address. It uses the last IP address in the header's value as the true IP address. Example: X-Client-Ip: 11.1.1.1, 13.3.3.3. In the case of multiple headers with the same name, only the first header will be used. It is assumed that the CDN sets the correct client IP address to prevent spoofing. - X_FORWARDED_FOR: Corresponds to X-Forwarded-For header name. - X_CLIENT_IP: Corresponds to X-Client-Ip header name. - X_REAL_IP: Corresponds to X-Real-Ip header name. - CLIENT_IP: Corresponds to Client-Ip header name. - TRUE_CLIENT_IP: Corresponds to True-Client-Ip header name. |
string |
No |
- |
- |
healthChecks |
WaasPolicyPolicyConfigHealthChecks defines nested fields for WaasPolicy.PolicyConfig.HealthChecks. |
object |
No |
- |
- |
isBehindCdn |
Enabling isBehindCdn allows for the collection of IP addresses from client requests if the WAF is connected to a CDN. |
boolean |
No |
- |
- |
isCacheControlRespected |
Enable or disable automatic content caching based on the response cache-control header. This feature enables the origin to act as a proxy cache. Caching is usually defined using cache-control header. For example cache-control: max-age=120 means that the returned resource is valid for 120 seconds. Caching rules will overwrite this setting. |
boolean |
No |
- |
- |
isHttpsEnabled |
Enable or disable HTTPS support. If true, a certificateId is required. If unspecified, defaults to false. |
boolean |
No |
- |
- |
isHttpsForced |
Force HTTP to HTTPS redirection. If unspecified, defaults to false. |
boolean |
No |
- |
- |
isOriginCompressionEnabled |
Enable or disable GZIP compression of origin responses. If enabled, the header Accept-Encoding: gzip is sent to the origin; otherwise, the empty Accept-Encoding: header is used. |
boolean |
No |
- |
- |
isResponseBufferingEnabled |
Enable or disable buffering of responses from the origin. Buffering improves overall stability in case of network issues, but slightly increases Time To First Byte. |
boolean |
No |
- |
- |
isSniEnabled |
SNI stands for Server Name Indication and is an extension of the TLS protocol. It indicates which hostname is being contacted by the browser at the beginning of the handshake process. This allows a server to connect multiple SSL Certificates to one IP address and port. |
boolean |
No |
- |
- |
loadBalancingMethod |
An object that represents a load balancing method and its properties. |
object |
No |
- |
- |
tlsProtocols |
A list of allowed TLS protocols. Only applicable when HTTPS support is enabled. The TLS protocol is negotiated while the request is connecting and the most recent protocol supported by both the edge node and client browser will be selected. If no such version exists, the connection will be aborted. - TLS_V1: corresponds to TLS 1.0 specification. - TLS_V1_1: corresponds to TLS 1.1 specification. - TLS_V1_2: corresponds to TLS 1.2 specification. - TLS_V1_3: corresponds to TLS 1.3 specification. Enabled TLS protocols must be contiguous. For example, if TLS_V1_1 and TLS_V1_3 are enabled, TLS_V1_2 must be enabled too. |
list[string] |
No |
- |
- |
websocketPathPrefixes |
ModSecurity is not capable of inspecting WebSockets. Therefore, paths specified here have WAF disabled if the Connection request header from the client has the value Upgrade (case-insensitive matching) and the Upgrade request header has the value websocket (case-insensitive matching). A path matches if the concatenation of request URL path and query starts with the contents of one of the websocketPathPrefixes array values. In all other cases, challenges such as JSC and HIC remain active. |
list[string] |
No |
- |
- |
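The constraints stated in the policyConfig descriptions above (contiguous tlsProtocols, clientAddressHeader applying only when isBehindCdn is enabled, last address of the first matching header, prefix matching for websocketPathPrefixes) can be checked before a manifest is applied. The following is an added example, not code from this project or from the WAF service; the finding codes, function names and the fallback for an unparsable header value are assumptions made for illustration.

```python
import ipaddress

# Enum values in the order listed in the tlsProtocols description (oldest first).
TLS_ORDER = ["TLS_V1", "TLS_V1_1", "TLS_V1_2", "TLS_V1_3"]
LEGACY_TLS = {"TLS_V1", "TLS_V1_1"}  # TLS 1.0 and 1.1 are deprecated (RFC 8996)

# clientAddressHeader enum -> HTTP header name, as listed in the field description.
CLIENT_ADDRESS_HEADERS = {
    "X_FORWARDED_FOR": "X-Forwarded-For",
    "X_CLIENT_IP": "X-Client-Ip",
    "X_REAL_IP": "X-Real-Ip",
    "CLIENT_IP": "Client-Ip",
    "TRUE_CLIENT_IP": "True-Client-Ip",
}


def audit_policy_config(cfg):
    """Return a sorted list of finding codes (hypothetical names) for a policyConfig dict."""
    findings = set()
    protocols = cfg.get("tlsProtocols") or []
    if any(p not in TLS_ORDER for p in protocols):
        findings.add("TLS_UNKNOWN_VALUE")
    idx = sorted({TLS_ORDER.index(p) for p in protocols if p in TLS_ORDER})
    # "Enabled TLS protocols must be contiguous": no gap between lowest and highest.
    if idx and idx != list(range(idx[0], idx[-1] + 1)):
        findings.add("TLS_NOT_CONTIGUOUS")
    if LEGACY_TLS.intersection(protocols):
        findings.add("TLS_LEGACY_ENABLED")
    # isHttpsEnabled: "If true, a certificateId is required."
    if cfg.get("isHttpsEnabled") and not cfg.get("certificateId"):
        findings.add("HTTPS_WITHOUT_CERTIFICATE")
    # Consistency check added here: a forced redirect needs HTTPS to be enabled.
    if cfg.get("isHttpsForced") and not cfg.get("isHttpsEnabled"):
        findings.add("HTTPS_FORCED_BUT_DISABLED")
    header = cfg.get("clientAddressHeader")
    if header and header not in CLIENT_ADDRESS_HEADERS:
        findings.add("CLIENT_HEADER_UNKNOWN")
    # The header is "applicable only if isBehindCdn is enabled".
    if header and not cfg.get("isBehindCdn"):
        findings.add("CLIENT_HEADER_IGNORED")
    # Every URL starts with "/", so this prefix disables WAF inspection for
    # every WebSocket upgrade request on the domain.
    if any(p in ("", "/") for p in cfg.get("websocketPathPrefixes") or []):
        findings.add("WEBSOCKET_PREFIX_MATCHES_ALL")
    return sorted(findings)


def resolve_client_address(cfg, request_headers, peer_ip):
    """Model of the documented client-address rule.

    request_headers is a list of (name, value) tuples in wire order;
    peer_ip is the address of the TCP peer (the CDN node when behind a CDN).
    """
    name = CLIENT_ADDRESS_HEADERS.get(cfg.get("clientAddressHeader") or "")
    if not cfg.get("isBehindCdn") or name is None:
        return peer_ip
    for header_name, value in request_headers:
        if header_name.lower() == name.lower():
            # Only the first header with this name is used, and the last
            # address in its value is taken as the client address.
            last = value.split(",")[-1].strip()
            try:
                return str(ipaddress.ip_address(last))
            except ValueError:
                return peer_ip  # assumption: unparsable value falls back to the peer
    return peer_ip  # header absent: the connecting address is used


# Constructed sample policyConfig with several problems at once.
SAMPLE_BAD = {
    "isHttpsEnabled": True,
    "tlsProtocols": ["TLS_V1_1", "TLS_V1_3"],
    "clientAddressHeader": "X_FORWARDED_FOR",
    "isBehindCdn": False,
    "websocketPathPrefixes": ["/"],
}

if __name__ == "__main__":
    for code in audit_policy_config(SAMPLE_BAD):
        print(code)
    cdn_cfg = {"isBehindCdn": True, "clientAddressHeader": "X_CLIENT_IP"}
    # Header value taken from the example in the field description.
    print(resolve_client_address(cdn_cfg, [("X-Client-Ip", "11.1.1.1, 13.3.3.3")], "203.0.113.9"))
```

Because the last address in the header is trusted, rate limiting and IP-based access rules are only as reliable as the CDN's handling of that header; the origin-facing edge should accept traffic only from the CDN when isBehindCdn is enabled.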
Status.policyConfig.healthChecks
WaasPolicyPolicyConfigHealthChecks defines nested fields for WaasPolicy.PolicyConfig.HealthChecks.
| Field |
Description |
Type |
Required |
Default |
Enum |
expectedResponseCodeGroup |
The HTTP response codes that signify a healthy state. - 2XX: Success response code group. - 3XX: Redirection response code group. - 4XX: Client errors response code group. - 5XX: Server errors response code group. |
list[string] |
No |
- |
- |
expectedResponseText |
Health check will search for the given text in a case-sensitive manner within the response body and will fail if the text is not found. |
string |
No |
- |
- |
headers |
HTTP header fields to include in health check requests, expressed as "name": "value" properties. Because HTTP header field names are case-insensitive, any use of names that are case-insensitive equal to other names will be rejected. If Host is not specified, requests will include a Host header field with value matching the policy's protected domain. If User-Agent is not specified, requests will include a User-Agent header field with value "waf health checks". Note: The only currently-supported header fields are Host and User-Agent. |
map[string, string] |
No |
- |
- |
healthyThreshold |
Number of successful health checks after which the server is marked up. |
integer |
No |
- |
- |
intervalInSeconds |
Time between health checks of an individual origin server, in seconds. |
integer |
No |
- |
- |
isEnabled |
Enables or disables the health checks. |
boolean |
No |
- |
- |
isResponseTextCheckEnabled |
Enables or disables additional check for predefined text in addition to response code. |
boolean |
No |
- |
- |
method |
An HTTP verb (i.e. HEAD, GET, or POST) to use when performing the health check. |
string |
No |
- |
- |
path |
Path to visit on your origins when performing the health check. |
string |
No |
- |
- |
timeoutInSeconds |
The response timeout: the wait time until a request is considered failed, in seconds. |
integer |
No |
- |
- |
unhealthyThreshold |
Number of failed health checks after which the server is marked down. |
integer |
No |
- |
- |
Status.policyConfig.loadBalancingMethod
An object that represents a load balancing method and its properties.
| Field |
Description |
Type |
Required |
Default |
Enum |
domain |
The domain for which the cookie is set, defaults to WAAS policy domain. |
string |
No |
- |
- |
expirationTimeInSeconds |
The time for which a browser should keep the cookie in seconds. Empty value will cause the cookie to expire at the end of a browser session. |
integer |
No |
- |
- |
jsonData |
- |
string |
No |
- |
- |
method |
- |
string |
No |
- |
- |
name |
The name of the cookie used to track the persistence. Can contain any US-ASCII character except separator or control character. |
string |
No |
- |
- |
Status.status
| Field |
Description |
Type |
Required |
Default |
Enum |
async |
Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first. |
object |
No |
- |
- |
conditions |
- |
list[object] |
No |
- |
- |
createdAt |
- |
string (date-time) |
No |
- |
- |
deletedAt |
- |
string (date-time) |
No |
- |
- |
message |
- |
string |
No |
- |
- |
ocid |
- |
string |
No |
- |
- |
opcRequestId |
OpcRequestID is the latest non-empty OCI request ID from a mutating OCI response or surfaced OCI service error that materially contributed to the current shared status projection. Headerless follow-up observations keep the last non-empty value intact. |
string |
No |
- |
- |
reason |
- |
string |
No |
- |
- |
requestedAt |
- |
string (date-time) |
No |
- |
- |
updatedAt |
- |
string (date-time) |
No |
- |
- |
Status.status.async
Async is the canonical controller-owned async contract. Resource-local legacy work-request fields may remain as compatibility mirrors while follow-on migrations land, but new async state should project here first.
| Field |
Description |
Type |
Required |
Default |
Enum |
current |
- |
object |
No |
- |
- |
Status.status.async.current
| Field |
Description |
Type |
Required |
Default |
Enum |
message |
- |
string |
No |
- |
- |
normalizedClass |
- |
string |
Yes |
- |
attention, canceled, failed, pending, succeeded, unknown |
percentComplete |
- |
number |
No |
- |
- |
phase |
- |
string |
Yes |
- |
create, delete, update |
rawOperationType |
- |
string |
No |
- |
- |
rawStatus |
- |
string |
No |
- |
- |
source |
- |
string |
Yes |
- |
lifecycle, none, workrequest |
updatedAt |
- |
string (date-time) |
Yes |
- |
- |
workRequestId |
- |
string |
No |
- |
- |
Status.status.conditions[]
| Field |
Description |
Type |
Required |
Default |
Enum |
lastTransitionTime |
- |
string (date-time) |
No |
- |
- |
message |
- |
string |
No |
- |
- |
reason |
- |
string |
No |
- |
- |
status |
- |
string |
Yes |
- |
- |
type |
- |
string |
Yes |
- |
- |
Status.wafConfig
WaasPolicyWafConfig defines nested fields for WaasPolicy.WafConfig.
| Field |
Description |
Type |
Required |
Default |
Enum |
accessRules |
The access rules applied to the Web Application Firewall. Access rules allow custom content access policies to be defined and ALLOW, DETECT, or BLOCK actions to be taken on a request when specified criteria are met. |
list[object] |
No |
- |
- |
addressRateLimiting |
The settings used to limit the number of requests from an IP address. |
object |
No |
- |
- |
cachingRules |
A list of caching rules applied to the web application. |
list[object] |
No |
- |
- |
captchas |
A list of CAPTCHA challenge settings. CAPTCHAs challenge requests to ensure a human is attempting to reach the specified URL and not a bot. |
list[object] |
No |
- |
- |
customProtectionRules |
A list of the custom protection rule OCIDs and their actions. |
list[object] |
No |
- |
- |
deviceFingerprintChallenge |
The device fingerprint challenge settings. Blocks bots based on unique device fingerprint information. |
object |
No |
- |
- |
humanInteractionChallenge |
The human interaction challenge settings. Detects natural human interactions such as mouse movements, time on site, and page scrolling to identify bots. |
object |
No |
- |
- |
jsChallenge |
The JavaScript challenge settings. Blocks bots by challenging requests from browsers that have no JavaScript support. |
object |
No |
- |
- |
origin |
The key in the map of origins referencing the origin used for the Web Application Firewall. The origin must already be included in Origins. Required when creating the WafConfig resource, but is not required upon updating the configuration. |
string |
No |
- |
- |
originGroups |
The map of origin groups and their keys used to associate origins to the wafConfig. Origin groups allow you to apply weights to groups of origins for load balancing purposes. Origins with higher weights will receive larger proportions of client requests. To add additional origins to your WAAS policy, update the origins field of an UpdateWaasPolicy request. |
list[string] |
No |
- |
- |
protectionSettings |
The settings applied to protection rules. |
object |
No |
- |
- |
whitelists |
A list of IP addresses that bypass the Web Application Firewall. |
list[object] |
No |
- |
- |
Status.wafConfig.accessRules[]
WaasPolicyWafConfigAccessRule defines nested fields for WaasPolicy.WafConfig.AccessRule.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
The action to take when the access criteria are met for a rule. If unspecified, defaults to ALLOW. - ALLOW: Takes no action, just logs the request. - DETECT: Takes no action, but creates an alert for the request. - BLOCK: Blocks the request by returning specified response code or showing error page. - BYPASS: Bypasses some or all challenges. - REDIRECT: Redirects the request to the specified URL. These fields are required when REDIRECT is selected: redirectUrl, redirectResponseCode. - SHOW_CAPTCHA: Show a CAPTCHA Challenge page instead of the requested page. Regardless of action, no further rules are processed once a rule is matched. |
string |
Yes |
- |
- |
blockAction |
The method used to block requests if action is set to BLOCK and the access criteria are met. If unspecified, defaults to SET_RESPONSE_CODE. |
string |
No |
- |
- |
blockErrorPageCode |
The error code to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the access criteria are met. If unspecified, defaults to 'Access rules'. |
string |
No |
- |
- |
blockErrorPageDescription |
The description text to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the access criteria are met. If unspecified, defaults to 'Access blocked by website owner. Please contact support.' |
string |
No |
- |
- |
blockErrorPageMessage |
The message to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the access criteria are met. If unspecified, defaults to 'Access to the website is blocked.' |
string |
No |
- |
- |
blockResponseCode |
The response status code to return when action is set to BLOCK, blockAction is set to SET_RESPONSE_CODE, and the access criteria are met. If unspecified, defaults to 403. The list of available response codes: 200, 201, 202, 204, 206, 300, 301, 302, 303, 304, 307, 400, 401, 403, 404, 405, 408, 409, 411, 412, 413, 414, 415, 416, 422, 444, 494, 495, 496, 497, 499, 500, 501, 502, 503, 504, 507. |
integer |
No |
- |
- |
bypassChallenges |
The list of challenges to bypass when action is set to BYPASS. If unspecified or empty, all challenges are bypassed. - JS_CHALLENGE: Bypasses JavaScript Challenge. - DEVICE_FINGERPRINT_CHALLENGE: Bypasses Device Fingerprint Challenge. - HUMAN_INTERACTION_CHALLENGE: Bypasses Human Interaction Challenge. - CAPTCHA: Bypasses CAPTCHA Challenge. |
list[string] |
No |
- |
- |
captchaFooter |
The text to show in the footer when showing a CAPTCHA challenge when action is set to SHOW_CAPTCHA and the request is challenged. |
string |
No |
- |
- |
captchaHeader |
The text to show in the header when showing a CAPTCHA challenge when action is set to SHOW_CAPTCHA and the request is challenged. |
string |
No |
- |
- |
captchaSubmitLabel |
The text to show on the label of the CAPTCHA challenge submit button when action is set to SHOW_CAPTCHA and the request is challenged. |
string |
No |
- |
- |
captchaTitle |
The title used when showing a CAPTCHA challenge when action is set to SHOW_CAPTCHA and the request is challenged. |
string |
No |
- |
- |
criteria |
The list of access rule criteria. The rule is applied only to requests that match all the listed conditions. |
list[object] |
Yes |
- |
- |
name |
The unique name of the access rule. |
string |
Yes |
- |
- |
redirectResponseCode |
The response status code to return when action is set to REDIRECT. - MOVED_PERMANENTLY: Used for designating the permanent movement of a page (numerical code - 301). - FOUND: Used for designating the temporary movement of a page (numerical code - 302). |
string |
No |
- |
- |
redirectUrl |
The target to which the request should be redirected, represented as a URI reference. Required when action is REDIRECT. |
string |
No |
- |
- |
responseHeaderManipulation |
An object that represents an action to apply to HTTP response headers if all rule criteria are matched, regardless of the action value. |
list[object] |
No |
- |
- |
Status.wafConfig.accessRules[].criteria[]
WaasPolicyWafConfigAccessRuleCriteria defines nested fields for WaasPolicy.WafConfig.AccessRule.Criteria.
| Field |
Description |
Type |
Required |
Default |
Enum |
condition |
The criteria the access rule and JavaScript Challenge uses to determine if action should be taken on a request. - URL_IS: Matches if the concatenation of request URL path and query is identical to the contents of the value field. URL must start with a /. - URL_IS_NOT: Matches if the concatenation of request URL path and query is not identical to the contents of the value field. URL must start with a /. - URL_STARTS_WITH: Matches if the concatenation of request URL path and query starts with the contents of the value field. URL must start with a /. - URL_PART_ENDS_WITH: Matches if the concatenation of request URL path and query ends with the contents of the value field. - URL_PART_CONTAINS: Matches if the concatenation of request URL path and query contains the contents of the value field. - URL_REGEX: Matches if the concatenation of request URL path and query is described by the regular expression in the value field. The value must be a valid regular expression recognized by the PCRE library in Nginx (https://www.pcre.org). - URL_DOES_NOT_MATCH_REGEX: Matches if the concatenation of request URL path and query is not described by the regular expression in the value field. The value must be a valid regular expression recognized by the PCRE library in Nginx (https://www.pcre.org). - URL_DOES_NOT_START_WITH: Matches if the concatenation of request URL path and query does not start with the contents of the value field. - URL_PART_DOES_NOT_CONTAIN: Matches if the concatenation of request URL path and query does not contain the contents of the value field. - URL_PART_DOES_NOT_END_WITH: Matches if the concatenation of request URL path and query does not end with the contents of the value field. - IP_IS: Matches if the request originates from one of the IP addresses contained in the defined address list. 
The value in this case is string with one or multiple IPs or CIDR notations separated by new line symbol \n Example: "1.1.1.1\n1.1.1.2\n1.2.2.1/30" - IP_IS_NOT: Matches if the request does not originate from any of the IP addresses contained in the defined address list. The value in this case is string with one or multiple IPs or CIDR notations separated by new line symbol \n Example: "1.1.1.1\n1.1.1.2\n1.2.2.1/30" - IP_IN_LIST: Matches if the request originates from one of the IP addresses contained in the referenced address list. The value in this case is OCID of the address list. - IP_NOT_IN_LIST: Matches if the request does not originate from any IP address contained in the referenced address list. The value field in this case is OCID of the address list. - HTTP_HEADER_CONTAINS: The HTTP_HEADER_CONTAINS criteria is defined using a compound value separated by a colon: a header field name and a header field value. host:test.example.com is an example of a criteria value where host is the header field name and test.example.com is the header field value. A request matches when the header field name is a case-insensitive match and the header field value is a case-insensitive substring match. Example: With a criteria value of host:test.example.com, where host is the name of the field and test.example.com is the value of the host field, a request with the header values Host: www.test.example.com will match, whereas a request with header values of host: www.example.com or host: test.sub.example.com will not match. - HTTP_METHOD_IS: Matches if the request method is identical to one of the values listed in field. The value in this case is string with one or multiple HTTP methods separated by new line symbol \n The list of available methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH Example: "GET\nPOST" - HTTP_METHOD_IS_NOT: Matches if the request is not identical to any of the contents of the value field. 
The value in this case is string with one or multiple HTTP methods separated by new line symbol \n The list of available methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH Example: "GET\nPOST" - COUNTRY_IS: Matches if the request originates from one of countries in the value field. The value in this case is string with one or multiple countries separated by new line symbol \n Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website (https://www.iso.org/obp/ui/#search/code/). Example: "AL\nDZ\nAM" - COUNTRY_IS_NOT: Matches if the request does not originate from any of countries in the value field. The value in this case is string with one or multiple countries separated by new line symbol \n Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website (https://www.iso.org/obp/ui/#search/code/). Example: "AL\nDZ\nAM" - USER_AGENT_IS: Matches if the requesting user agent is identical to the contents of the value field. Example: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 - USER_AGENT_IS_NOT: Matches if the requesting user agent is not identical to the contents of the value field. Example: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 |
string |
Yes |
- |
- |
isCaseSensitive |
When enabled, the condition will be matched with case-sensitive rules. |
boolean |
No |
- |
- |
value |
The criteria value. |
string |
Yes |
- |
- |
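The access rule semantics described above (a rule applies only when all of its criteria match, and no further rules are processed once a rule matches) make rule order security-relevant: a broad earlier rule silently pre-empts a later BLOCK. The following dry-run evaluator is an added example, not the WAF's implementation or code from this project; it models only a subset of the documented conditions, and treating URL conditions as case-insensitive when isCaseSensitive is off is an assumption.

```python
import ipaddress


def _fold(text, case_sensitive):
    return text if case_sensitive else text.lower()


def criterion_matches(criterion, request):
    """request: dict with 'method', 'url' (path + query), 'ip', 'headers' (dict)."""
    cond, value = criterion["condition"], criterion["value"]
    case_sensitive = bool(criterion.get("isCaseSensitive", False))
    if cond.startswith("URL_"):
        url, needle = _fold(request["url"], case_sensitive), _fold(value, case_sensitive)
        if cond == "URL_IS":
            return url == needle
        if cond == "URL_STARTS_WITH":
            return url.startswith(needle)
        if cond == "URL_PART_ENDS_WITH":
            return url.endswith(needle)
        if cond == "URL_PART_CONTAINS":
            return needle in url
    if cond in ("IP_IS", "IP_IS_NOT"):
        addr = ipaddress.ip_address(request["ip"])
        # Entries are newline-separated. The page's own example contains
        # "1.2.2.1/30", which has host bits set, so strict=False is needed.
        nets = [ipaddress.ip_network(e.strip(), strict=False)
                for e in value.split("\n") if e.strip()]
        hit = any(addr in net for net in nets)
        return hit if cond == "IP_IS" else not hit
    if cond in ("HTTP_METHOD_IS", "HTTP_METHOD_IS_NOT"):
        hit = request["method"].upper() in [m.strip() for m in value.split("\n")]
        return hit if cond == "HTTP_METHOD_IS" else not hit
    if cond == "HTTP_HEADER_CONTAINS":
        # Compound value "name:value"; name is a case-insensitive match,
        # value is a case-insensitive substring match.
        name, _, wanted = value.partition(":")
        return any(h.lower() == name.strip().lower() and wanted.strip().lower() in v.lower()
                   for h, v in request["headers"].items())
    raise ValueError(f"condition not modelled in this example: {cond}")


def evaluate(access_rules, request):
    """Return (rule name, action) of the first rule whose criteria all match, else None."""
    for rule in access_rules:
        if all(criterion_matches(c, request) for c in rule["criteria"]):
            return rule["name"], rule.get("action", "ALLOW")
    return None


# Constructed rule set. The IP list reuses the example value from the page.
RULES = [
    {"name": "allow-partners", "action": "ALLOW",
     "criteria": [{"condition": "IP_IS", "value": "1.1.1.1\n1.1.1.2\n1.2.2.1/30"}]},
    {"name": "block-admin-writes", "action": "BLOCK",
     "criteria": [{"condition": "URL_STARTS_WITH", "value": "/admin"},
                  {"condition": "HTTP_METHOD_IS", "value": "POST\nPUT"}]},
    {"name": "detect-test-host", "action": "DETECT",
     "criteria": [{"condition": "HTTP_HEADER_CONTAINS", "value": "host:test.example.com"}]},
]


def sample_request(ip, method="GET", url="/", host="www.example.com"):
    return {"ip": ip, "method": method, "url": url, "headers": {"Host": host}}


if __name__ == "__main__":
    # A partner address posting to /admin matches the first rule, so the
    # BLOCK rule below it is never evaluated for that request.
    print(evaluate(RULES, sample_request("1.2.2.2", "POST", "/admin/users?id=1")))
    print(evaluate(RULES, sample_request("198.51.100.20", "POST", "/admin/users?id=1")))
```

Replaying representative requests through such a model before changing rule order shows which rule each request would stop at, which is the quickest way to spot a BLOCK rule made unreachable by an earlier ALLOW or BYPASS.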
WaasPolicyWafConfigAccessRuleResponseHeaderManipulation defines nested fields for WaasPolicy.WafConfig.AccessRule.ResponseHeaderManipulation.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
- |
string |
No |
- |
- |
header |
A header field name that conforms to RFC 7230. Example: example_header_name |
string |
No |
- |
- |
jsonData |
- |
string |
No |
- |
- |
value |
A header field value that conforms to RFC 7230. Example: example_value |
string |
No |
- |
- |
Status.wafConfig.addressRateLimiting
The settings used to limit the number of requests from an IP address.
| Field |
Description |
Type |
Required |
Default |
Enum |
allowedRatePerAddress |
The number of allowed requests per second from one IP address. If unspecified, defaults to 1. |
integer |
No |
- |
- |
blockResponseCode |
The response status code returned when a request is blocked. If unspecified, defaults to 503. The list of available response codes: 400, 401, 403, 404, 405, 408, 409, 411, 412, 413, 414, 415, 416, 422, 494, 495, 496, 497, 499, 500, 501, 502, 503, 504, 507. |
integer |
No |
- |
- |
isEnabled |
Enables or disables the address rate limiting Web Application Firewall feature. |
boolean |
Yes |
- |
- |
maxDelayedCountPerAddress |
The maximum number of requests allowed to be queued before subsequent requests are dropped. If unspecified, defaults to 10. |
integer |
No |
- |
- |
Status.wafConfig.cachingRules[]
WaasPolicyWafConfigCachingRule defines nested fields for WaasPolicy.WafConfig.CachingRule.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
The action to take when the criteria of a caching rule are met. - CACHE: Caches requested content when the criteria of the rule are met. - BYPASS_CACHE: Allows requests to bypass the cache and be directed to the origin when the criteria of the rule are met. |
string |
Yes |
- |
- |
cachingDuration |
The duration to cache content for the caching rule, specified in ISO 8601 extended format. Supported units: seconds, minutes, hours, days, weeks, months. The maximum value that can be set for any unit is 99. Mixing of multiple units is not supported. Only applies when the action is set to CACHE. Example: PT1H |
string |
No |
- |
- |
clientCachingDuration |
The duration to cache content in the user's browser, specified in ISO 8601 extended format. Supported units: seconds, minutes, hours, days, weeks, months. The maximum value that can be set for any unit is 99. Mixing of multiple units is not supported. Only applies when the action is set to CACHE. Example: PT1H |
string |
No |
- |
- |
criteria |
The array of the rule criteria with condition and value. The caching rule is applied to requests that match any of the listed conditions. |
list[object] |
Yes |
- |
- |
isClientCachingEnabled |
Enables or disables client caching. Browsers use the Cache-Control header value for caching content locally in the browser. This setting overrides the addition of a Cache-Control header in responses. |
boolean |
No |
- |
- |
key |
The unique key for the caching rule. |
string |
No |
- |
- |
name |
The name of the caching rule. |
string |
Yes |
- |
- |
Status.wafConfig.cachingRules[].criteria[]
WaasPolicyWafConfigCachingRuleCriteria defines nested fields for WaasPolicy.WafConfig.CachingRule.Criteria.
| Field |
Description |
Type |
Required |
Default |
Enum |
condition |
The condition of the caching rule criteria. - URL_IS: Matches if the concatenation of request URL path and query is identical to the contents of the value field. - URL_STARTS_WITH: Matches if the concatenation of request URL path and query starts with the contents of the value field. - URL_PART_ENDS_WITH: Matches if the concatenation of request URL path and query ends with the contents of the value field. - URL_PART_CONTAINS: Matches if the concatenation of request URL path and query contains the contents of the value field. URLs must start with a /. URLs can't contain restricted double slashes //. URLs can't contain the restricted ' & ? symbols. Resources to cache can only be specified by a URL, any query parameters are ignored. |
string |
Yes |
- |
- |
value |
The value of the caching rule criteria. |
string |
Yes |
- |
- |
Status.wafConfig.captchas[]
WaasPolicyWafConfigCaptcha defines nested fields for WaasPolicy.WafConfig.Captcha.
| Field |
Description |
Type |
Required |
Default |
Enum |
failureMessage |
The text to show when incorrect CAPTCHA text is entered. If unspecified, defaults to The CAPTCHA was incorrect. Try again. |
string |
Yes |
- |
- |
footerText |
The text to show in the footer when showing a CAPTCHA challenge. If unspecified, defaults to 'Enter the letters and numbers as they are shown in the image above.' |
string |
No |
- |
- |
headerText |
The text to show in the header when showing a CAPTCHA challenge. If unspecified, defaults to 'We have detected an increased number of attempts to access this website. To help us keep this site secure, please let us know that you are not a robot by entering the text from the image below.' |
string |
No |
- |
- |
sessionExpirationInSeconds |
The amount of time before the CAPTCHA expires, in seconds. If unspecified, defaults to 300. |
integer |
Yes |
- |
- |
submitLabel |
The text to show on the label of the CAPTCHA challenge submit button. If unspecified, defaults to Yes, I am human. |
string |
Yes |
- |
- |
title |
The title used when displaying a CAPTCHA challenge. If unspecified, defaults to Are you human? |
string |
Yes |
- |
- |
url |
The unique URL path at which to show the CAPTCHA challenge. |
string |
Yes |
- |
- |
Status.wafConfig.customProtectionRules[]
WaasPolicyWafConfigCustomProtectionRule defines nested fields for WaasPolicy.WafConfig.CustomProtectionRule.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
The action to take when the custom protection rule is triggered. DETECT - Logs the request when the criteria of the custom protection rule are met. BLOCK - Blocks the request when the criteria of the custom protection rule are met. |
string |
No |
- |
- |
exclusions |
- |
list[object] |
No |
- |
- |
id |
The OCID (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the custom protection rule. |
string |
No |
- |
- |
Status.wafConfig.customProtectionRules[].exclusions[]
WaasPolicyWafConfigCustomProtectionRuleExclusion defines nested fields for WaasPolicy.WafConfig.CustomProtectionRule.Exclusion.
| Field |
Description |
Type |
Required |
Default |
Enum |
exclusions |
- |
list[string] |
No |
- |
- |
target |
The target of the exclusion. |
string |
No |
- |
- |
Status.wafConfig.deviceFingerprintChallenge
The device fingerprint challenge settings. Blocks bots based on unique device fingerprint information.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
The action to take on requests from detected bots. If unspecified, defaults to DETECT. |
string |
No |
- |
- |
actionExpirationInSeconds |
The number of seconds between challenges for the same IP address. If unspecified, defaults to 60. |
integer |
No |
- |
- |
challengeSettings |
WaasPolicyWafConfigDeviceFingerprintChallengeChallengeSettings defines nested fields for WaasPolicy.WafConfig.DeviceFingerprintChallenge.ChallengeSettings. |
object |
No |
- |
- |
failureThreshold |
The number of failed requests allowed before taking action. If unspecified, defaults to 10. |
integer |
No |
- |
- |
failureThresholdExpirationInSeconds |
The number of seconds before the failure threshold resets. If unspecified, defaults to 60. |
integer |
No |
- |
- |
isEnabled |
Enables or disables the device fingerprint challenge Web Application Firewall feature. |
boolean |
Yes |
- |
- |
maxAddressCount |
The maximum number of IP addresses permitted with the same device fingerprint. If unspecified, defaults to 20. |
integer |
No |
- |
- |
maxAddressCountExpirationInSeconds |
The number of seconds before the maximum addresses count resets. If unspecified, defaults to 60. |
integer |
No |
- |
- |
Status.wafConfig.deviceFingerprintChallenge.challengeSettings
WaasPolicyWafConfigDeviceFingerprintChallengeChallengeSettings defines nested fields for WaasPolicy.WafConfig.DeviceFingerprintChallenge.ChallengeSettings.
| Field |
Description |
Type |
Required |
Default |
Enum |
blockAction |
The method used to block requests that fail the challenge, if action is set to BLOCK. If unspecified, defaults to SHOW_ERROR_PAGE. |
string |
No |
- |
- |
blockErrorPageCode |
The error code to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE and the request is blocked. If unspecified, defaults to 403. |
string |
No |
- |
- |
blockErrorPageDescription |
The description text to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to Access blocked by website owner. Please contact support. |
string |
No |
- |
- |
blockErrorPageMessage |
The message to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to Access to the website is blocked. |
string |
No |
- |
- |
blockResponseCode |
The response status code to return when action is set to BLOCK, blockAction is set to SET_RESPONSE_CODE or SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to 403. The list of available response codes: 200, 201, 202, 204, 206, 300, 301, 302, 303, 304, 307, 400, 401, 403, 404, 405, 408, 409, 411, 412, 413, 414, 415, 416, 422, 444, 494, 495, 496, 497, 499, 500, 501, 502, 503, 504, 507. |
integer |
No |
- |
- |
captchaFooter |
The text to show in the footer when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Enter the letters and numbers as they are shown in image above. |
string |
No |
- |
- |
captchaHeader |
The text to show in the header when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below. |
string |
No |
- |
- |
captchaSubmitLabel |
The text to show on the label of the CAPTCHA challenge submit button when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Yes, I am human. |
string |
No |
- |
- |
captchaTitle |
The title used when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Are you human? |
string |
No |
- |
- |
Status.wafConfig.humanInteractionChallenge
The human interaction challenge settings. Detects natural human interactions such as mouse movements, time on site, and page scrolling to identify bots.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
The action to take against requests from detected bots. If unspecified, defaults to DETECT. |
string |
No |
- |
- |
actionExpirationInSeconds |
The number of seconds between challenges for the same IP address. If unspecified, defaults to 60. |
integer |
No |
- |
- |
challengeSettings |
WaasPolicyWafConfigHumanInteractionChallengeChallengeSettings defines nested fields for WaasPolicy.WafConfig.HumanInteractionChallenge.ChallengeSettings. |
object |
No |
- |
- |
failureThreshold |
The number of failed requests before taking action. If unspecified, defaults to 10. |
integer |
No |
- |
- |
failureThresholdExpirationInSeconds |
The number of seconds before the failure threshold resets. If unspecified, defaults to 60. |
integer |
No |
- |
- |
interactionThreshold |
The number of interactions required to pass the challenge. If unspecified, defaults to 3. |
integer |
No |
- |
- |
isEnabled |
Enables or disables the human interaction challenge Web Application Firewall feature. |
boolean |
Yes |
- |
- |
isNatEnabled |
When enabled, the user is identified not only by the IP address but also by a unique additional hash, which prevents blocking visitors with shared IP addresses. |
boolean |
No |
- |
- |
recordingPeriodInSeconds |
The number of seconds to record the interactions from the user. If unspecified, defaults to 15. |
integer |
No |
- |
- |
setHttpHeader |
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the action is set to DETECT. |
object |
No |
- |
- |
Status.wafConfig.humanInteractionChallenge.challengeSettings
WaasPolicyWafConfigHumanInteractionChallengeChallengeSettings defines nested fields for WaasPolicy.WafConfig.HumanInteractionChallenge.ChallengeSettings.
| Field |
Description |
Type |
Required |
Default |
Enum |
blockAction |
The method used to block requests that fail the challenge, if action is set to BLOCK. If unspecified, defaults to SHOW_ERROR_PAGE. |
string |
No |
- |
- |
blockErrorPageCode |
The error code to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE and the request is blocked. If unspecified, defaults to 403. |
string |
No |
- |
- |
blockErrorPageDescription |
The description text to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to Access blocked by website owner. Please contact support. |
string |
No |
- |
- |
blockErrorPageMessage |
The message to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to Access to the website is blocked. |
string |
No |
- |
- |
blockResponseCode |
The response status code to return when action is set to BLOCK, blockAction is set to SET_RESPONSE_CODE or SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to 403. The list of available response codes: 200, 201, 202, 204, 206, 300, 301, 302, 303, 304, 307, 400, 401, 403, 404, 405, 408, 409, 411, 412, 413, 414, 415, 416, 422, 444, 494, 495, 496, 497, 499, 500, 501, 502, 503, 504, 507. |
integer |
No |
- |
- |
captchaFooter |
The text to show in the footer when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Enter the letters and numbers as they are shown in image above. |
string |
No |
- |
- |
captchaHeader |
The text to show in the header when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below. |
string |
No |
- |
- |
captchaSubmitLabel |
The text to show on the label of the CAPTCHA challenge submit button when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Yes, I am human. |
string |
No |
- |
- |
captchaTitle |
The title used when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Are you human? |
string |
No |
- |
- |
Back to WaasPolicy status
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the action is set to DETECT.
| Field |
Description |
Type |
Required |
Default |
Enum |
name |
The name of the header. |
string |
Yes |
- |
- |
value |
The value of the header. |
string |
Yes |
- |
- |
Status.wafConfig.jsChallenge
The JavaScript challenge settings. Blocks bots by challenging requests from browsers that have no JavaScript support.
| Field |
Description |
Type |
Required |
Default |
Enum |
action |
The action to take against requests from detected bots. If unspecified, defaults to DETECT. |
string |
No |
- |
- |
actionExpirationInSeconds |
The number of seconds between challenges from the same IP address. If unspecified, defaults to 60. |
integer |
No |
- |
- |
areRedirectsChallenged |
When enabled, redirect responses from the origin will also be challenged. This will change HTTP 301/302 responses from origin to HTTP 200 with an HTML body containing JavaScript page redirection. |
boolean |
No |
- |
- |
challengeSettings |
WaasPolicyWafConfigJsChallengeChallengeSettings defines nested fields for WaasPolicy.WafConfig.JsChallenge.ChallengeSettings. |
object |
No |
- |
- |
criteria |
When defined, the JavaScript Challenge is applied only to requests that match all the listed conditions. |
list[object] |
No |
- |
- |
failureThreshold |
The number of failed requests before taking action. If unspecified, defaults to 10. |
integer |
No |
- |
- |
isEnabled |
Enables or disables the JavaScript challenge Web Application Firewall feature. |
boolean |
Yes |
- |
- |
isNatEnabled |
When enabled, the user is identified not only by the IP address but also by a unique additional hash, which prevents blocking visitors with shared IP addresses. |
boolean |
No |
- |
- |
setHttpHeader |
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the action is set to DETECT. |
object |
No |
- |
- |
Status.wafConfig.jsChallenge.challengeSettings
WaasPolicyWafConfigJsChallengeChallengeSettings defines nested fields for WaasPolicy.WafConfig.JsChallenge.ChallengeSettings.
| Field |
Description |
Type |
Required |
Default |
Enum |
blockAction |
The method used to block requests that fail the challenge, if action is set to BLOCK. If unspecified, defaults to SHOW_ERROR_PAGE. |
string |
No |
- |
- |
blockErrorPageCode |
The error code to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE and the request is blocked. If unspecified, defaults to 403. |
string |
No |
- |
- |
blockErrorPageDescription |
The description text to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to Access blocked by website owner. Please contact support. |
string |
No |
- |
- |
blockErrorPageMessage |
The message to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to Access to the website is blocked. |
string |
No |
- |
- |
blockResponseCode |
The response status code to return when action is set to BLOCK, blockAction is set to SET_RESPONSE_CODE or SHOW_ERROR_PAGE, and the request is blocked. If unspecified, defaults to 403. The list of available response codes: 200, 201, 202, 204, 206, 300, 301, 302, 303, 304, 307, 400, 401, 403, 404, 405, 408, 409, 411, 412, 413, 414, 415, 416, 422, 444, 494, 495, 496, 497, 499, 500, 501, 502, 503, 504, 507. |
integer |
No |
- |
- |
captchaFooter |
The text to show in the footer when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Enter the letters and numbers as they are shown in image above. |
string |
No |
- |
- |
captchaHeader |
The text to show in the header when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to We have detected an increased number of attempts to access this webapp. To help us keep this webapp secure, please let us know that you are not a robot by entering the text from captcha below. |
string |
No |
- |
- |
captchaSubmitLabel |
The text to show on the label of the CAPTCHA challenge submit button when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Yes, I am human. |
string |
No |
- |
- |
captchaTitle |
The title used when showing a CAPTCHA challenge when action is set to BLOCK, blockAction is set to SHOW_CAPTCHA, and the request is blocked. If unspecified, defaults to Are you human? |
string |
No |
- |
- |
Status.wafConfig.jsChallenge.criteria[]
WaasPolicyWafConfigJsChallengeCriteria defines nested fields for WaasPolicy.WafConfig.JsChallenge.Criteria.
| Field |
Description |
Type |
Required |
Default |
Enum |
condition |
The criteria the access rule and JavaScript Challenge use to determine if action should be taken on a request.
- URL_IS: Matches if the concatenation of request URL path and query is identical to the contents of the value field. URL must start with a /.
- URL_IS_NOT: Matches if the concatenation of request URL path and query is not identical to the contents of the value field. URL must start with a /.
- URL_STARTS_WITH: Matches if the concatenation of request URL path and query starts with the contents of the value field. URL must start with a /.
- URL_PART_ENDS_WITH: Matches if the concatenation of request URL path and query ends with the contents of the value field.
- URL_PART_CONTAINS: Matches if the concatenation of request URL path and query contains the contents of the value field.
- URL_REGEX: Matches if the concatenation of request URL path and query is described by the regular expression in the value field. The value must be a valid regular expression recognized by the PCRE library in Nginx (https://www.pcre.org).
- URL_DOES_NOT_MATCH_REGEX: Matches if the concatenation of request URL path and query is not described by the regular expression in the value field. The value must be a valid regular expression recognized by the PCRE library in Nginx (https://www.pcre.org).
- URL_DOES_NOT_START_WITH: Matches if the concatenation of request URL path and query does not start with the contents of the value field.
- URL_PART_DOES_NOT_CONTAIN: Matches if the concatenation of request URL path and query does not contain the contents of the value field.
- URL_PART_DOES_NOT_END_WITH: Matches if the concatenation of request URL path and query does not end with the contents of the value field.
- IP_IS: Matches if the request originates from one of the IP addresses contained in the defined address list. The value in this case is a string with one or multiple IPs or CIDR notations separated by the new line symbol \n. Example: "1.1.1.1\n1.1.1.2\n1.2.2.1/30"
- IP_IS_NOT: Matches if the request does not originate from any of the IP addresses contained in the defined address list. The value in this case is a string with one or multiple IPs or CIDR notations separated by the new line symbol \n. Example: "1.1.1.1\n1.1.1.2\n1.2.2.1/30"
- IP_IN_LIST: Matches if the request originates from one of the IP addresses contained in the referenced address list. The value in this case is the OCID of the address list.
- IP_NOT_IN_LIST: Matches if the request does not originate from any IP address contained in the referenced address list. The value field in this case is the OCID of the address list.
- HTTP_HEADER_CONTAINS: The HTTP_HEADER_CONTAINS criteria is defined using a compound value separated by a colon: a header field name and a header field value. host:test.example.com is an example of a criteria value where host is the header field name and test.example.com is the header field value. A request matches when the header field name is a case-insensitive match and the header field value is a case-insensitive substring match. Example: With a criteria value of host:test.example.com, where host is the name of the field and test.example.com is the value of the host field, a request with the header values Host: www.test.example.com will match, whereas a request with header values of host: www.example.com or host: test.sub.example.com will not match.
- HTTP_METHOD_IS: Matches if the request method is identical to one of the values listed in the value field. The value in this case is a string with one or multiple HTTP methods separated by the new line symbol \n. The list of available methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH. Example: "GET\nPOST"
- HTTP_METHOD_IS_NOT: Matches if the request method is not identical to any of the contents of the value field. The value in this case is a string with one or multiple HTTP methods separated by the new line symbol \n. The list of available methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH. Example: "GET\nPOST"
- COUNTRY_IS: Matches if the request originates from one of the countries in the value field. The value in this case is a string with one or multiple countries separated by the new line symbol \n. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website (https://www.iso.org/obp/ui/#search/code/). Example: "AL\nDZ\nAM"
- COUNTRY_IS_NOT: Matches if the request does not originate from any of the countries in the value field. The value in this case is a string with one or multiple countries separated by the new line symbol \n. Country codes are in ISO 3166-1 alpha-2 format. For a list of codes, see ISO's website (https://www.iso.org/obp/ui/#search/code/). Example: "AL\nDZ\nAM"
- USER_AGENT_IS: Matches if the requesting user agent is identical to the contents of the value field. Example: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
- USER_AGENT_IS_NOT: Matches if the requesting user agent is not identical to the contents of the value field. Example: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 |
string |
Yes |
- |
- |
isCaseSensitive |
When enabled, the condition will be matched with case-sensitive rules. |
boolean |
No |
- |
- |
value |
The criteria value. |
string |
Yes |
- |
- |
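To check which requests a jsChallenge criteria list would select before it is deployed, the matching rules in the condition description can be modelled locally. The following is an added example, not code from the operator or the WAF service: the request dictionary shape, the sample data, and the assumption that isCaseSensitive defaults to false and affects only URL conditions are not from this page, and the regex, country, user-agent and address-list conditions are left out.

```python
import ipaddress

def _ip_in(value, ip):
    # Value is IPs or CIDRs separated by "\n". strict=False accepts a CIDR
    # with host bits set, such as the page's own example 1.2.2.1/30.
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split("\n") if v.strip()]
    return any(addr in net for net in nets)

def _header_contains(value, headers):
    # Compound value "name:value": case-insensitive name match,
    # case-insensitive substring match on the header value.
    name, _, needle = value.partition(":")
    name, needle = name.strip().lower(), needle.strip().lower()
    return any(k.lower() == name and needle in v.lower()
               for k, v in headers.items())

_NEGATED = {
    "URL_IS_NOT": "URL_IS",
    "URL_DOES_NOT_START_WITH": "URL_STARTS_WITH",
    "URL_PART_DOES_NOT_END_WITH": "URL_PART_ENDS_WITH",
    "URL_PART_DOES_NOT_CONTAIN": "URL_PART_CONTAINS",
    "IP_IS_NOT": "IP_IS",
    "HTTP_METHOD_IS_NOT": "HTTP_METHOD_IS",
}

def criterion_matches(criterion, request):
    cond, value = criterion["condition"], criterion["value"]
    # Assumption: isCaseSensitive defaults to false and applies to URL conditions.
    cs = criterion.get("isCaseSensitive", False)
    url = request["url"] if cs else request["url"].lower()  # path + query
    val = value if cs else value.lower()
    methods = [m.strip().upper() for m in value.split("\n") if m.strip()]
    positive = {
        "URL_IS": lambda: url == val,
        "URL_STARTS_WITH": lambda: url.startswith(val),
        "URL_PART_ENDS_WITH": lambda: url.endswith(val),
        "URL_PART_CONTAINS": lambda: val in url,
        "IP_IS": lambda: _ip_in(value, request["ip"]),
        "HTTP_METHOD_IS": lambda: request["method"].upper() in methods,
        "HTTP_HEADER_CONTAINS": lambda: _header_contains(value, request["headers"]),
    }
    if cond in positive:
        return positive[cond]()
    if cond in _NEGATED:
        return not positive[_NEGATED[cond]]()
    raise ValueError(f"condition not modelled in this example: {cond}")

def challenge_applies(criteria, request):
    # The challenge applies only when every listed condition matches.
    return all(criterion_matches(c, request) for c in criteria)

# Constructed sample data, not taken from a real policy or real traffic.
SAMPLE_CRITERIA = [
    {"condition": "URL_STARTS_WITH", "value": "/login"},
    {"condition": "HTTP_METHOD_IS", "value": "GET\nPOST"},
    {"condition": "IP_IS_NOT", "value": "1.1.1.1\n1.2.2.1/30"},
    {"condition": "HTTP_HEADER_CONTAINS", "value": "host:test.example.com"},
]
SAMPLE_REQUEST = {"url": "/login?next=%2F", "method": "POST", "ip": "203.0.113.7",
                  "headers": {"Host": "www.test.example.com"}}

if __name__ == "__main__":
    print(challenge_applies(SAMPLE_CRITERIA, SAMPLE_REQUEST))
```
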
Back to WaasPolicy status
Adds an additional HTTP header to requests that fail the challenge before being passed to the origin. Only applicable when the action is set to DETECT.
| Field |
Description |
Type |
Required |
Default |
Enum |
name |
The name of the header. |
string |
Yes |
- |
- |
value |
The value of the header. |
string |
Yes |
- |
- |
Status.wafConfig.protectionSettings
The settings applied to protection rules.
| Field |
Description |
Type |
Required |
Default |
Enum |
allowedHttpMethods |
The list of allowed HTTP methods. If unspecified, defaults to [OPTIONS, GET, HEAD, POST]. This setting only applies if a corresponding protection rule is enabled, such as the "Restrict HTTP Request Methods" rule (key: 911100). |
list[string] |
No |
- |
- |
blockAction |
If action is set to BLOCK, this specifies how the traffic is blocked when detected as malicious by a protection rule. If unspecified, defaults to SET_RESPONSE_CODE. |
string |
No |
- |
- |
blockErrorPageCode |
The error code to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to 403. |
string |
No |
- |
- |
blockErrorPageDescription |
The description text to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to Access blocked by website owner. Please contact support. |
string |
No |
- |
- |
blockErrorPageMessage |
The message to show on the error page when action is set to BLOCK, blockAction is set to SHOW_ERROR_PAGE, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to 'Access to the website is blocked.' |
string |
No |
- |
- |
blockResponseCode |
The response code returned when action is set to BLOCK, blockAction is set to SET_RESPONSE_CODE, and the traffic is detected as malicious by a protection rule. If unspecified, defaults to 403. The list of available response codes: 400, 401, 403, 405, 409, 411, 412, 413, 414, 415, 416, 500, 501, 502, 503, 504, 507. |
integer |
No |
- |
- |
isResponseInspected |
Inspects the response body of origin responses. Can be used to detect leakage of sensitive data. If unspecified, defaults to false. Note: Only origin responses with a Content-Type matching a value in mediaTypes will be inspected. |
boolean |
No |
- |
- |
maxArgumentCount |
The maximum number of arguments allowed to be passed to your application before an action is taken. Arguments are query parameters or body parameters in a PUT or POST request. If unspecified, defaults to 255. This setting only applies if a corresponding protection rule is enabled, such as the "Number of Arguments Limits" rule (key: 960335). Example: If maxArgumentCount is set to 2 for the Max Number of Arguments protection rule (key: 960335), the following requests would be blocked: GET /myapp/path?query=one&query=two&query=three POST /myapp/path with Body {"argument1":"one","argument2":"two","argument3":"three"} |
integer |
No |
- |
- |
maxNameLengthPerArgument |
The maximum length allowed for each argument name, in characters. Arguments are query parameters or body parameters in a PUT or POST request. If unspecified, defaults to 400. This setting only applies if a corresponding protection rule is enabled, such as the "Values Limits" rule (key: 960208). |
integer |
No |
- |
- |
maxResponseSizeInKiB |
The maximum response size to be fully inspected, in binary kilobytes (KiB). Anything over this limit will be partially inspected. If unspecified, defaults to 1024. |
integer |
No |
- |
- |
maxTotalNameLengthOfArguments |
The maximum length allowed for the sum of the argument name and value, in characters. Arguments are query parameters or body parameters in a PUT or POST request. If unspecified, defaults to 64000. This setting only applies if a corresponding protection rule is enabled, such as the "Total Arguments Limits" rule (key: 960341). |
integer |
No |
- |
- |
mediaTypes |
The list of media types to allow for inspection, if isResponseInspected is enabled. Only responses with MIME types in this list will be inspected. If unspecified, defaults to ["text/html", "text/plain", "text/xml"]. Supported MIME types include: - text/html - text/plain - text/asp - text/css - text/x-script - application/json - text/webviewhtml - text/x-java-source - application/x-javascript - application/javascript - application/ecmascript - text/javascript - text/ecmascript - text/x-script.perl - text/x-script.phyton - application/plain - application/xml - text/xml |
list[string] |
No |
- |
- |
recommendationsPeriodInDays |
The length of time to analyze traffic, in days. After the analysis period, WafRecommendations will be populated. If unspecified, defaults to 10. Use GET /waasPolicies/{waasPolicyId}/wafRecommendations to view WAF recommendations. |
integer |
No |
- |
- |
Status.wafConfig.whitelists[]
WaasPolicyWafConfigWhitelist defines nested fields for WaasPolicy.WafConfig.Whitelist.
| Field |
Description |
Type |
Required |
Default |
Enum |
addressLists |
A list of OCIDs (https://docs.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of IP address lists to include in the whitelist. |
list[string] |
No |
- |
- |
addresses |
A set of IP addresses or CIDR notations to include in the whitelist. |
list[string] |
No |
- |
- |
name |
The unique name of the whitelist. |
string |
Yes |
- |
- |