mirror of https://gitlab.com/curben/blog
post(aws-waf): regional ACL
- style: standardise edit date
parent d5093b21f4
commit c5594e4a3e
@ -2,7 +2,7 @@
title: Convert AWS WAF ACLs to human-readable format
excerpt: Run the attached script to download and convert ACLs
date: 2021-06-27
updated: 2021-07-23
updated: 2021-09-01
tags:
- aws
- security
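Review bot: the excerpt "Run the attached script to download and convert ACLs" could say that both CloudFront and regional ACLs are now covered, since that is the substance of this commit; the `updated: 2021-09-01` bump itself is consistent with the "(Edit: 1 Sep 2021)" note added to the body.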
@ -12,6 +12,8 @@ I regularly need to audit my company's access control lists (ACLs) implemented i
The script is [available here](https://gitlab.com/curben/aws-scripts/-/blob/main/waf-acl.py). It currently only supports Cloudfront ACL, feel free to extend it to support regional ACL.
(Edit: 1 Sep 2021) regional ACL is now supported.
## ACL schema
The underlying format of a web ACL is JSON. In this use case, I'm only concern with two keys:
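Review bot: the unchanged sentence just above the new note, "It currently only supports Cloudfront ACL, feel free to extend it to support regional ACL.", is now stale and contradicts the line being added; rewrite it in place (for example "It supports both CloudFront and regional ACLs.") instead of appending a correction below it, or at minimum drop the "feel free to extend it" invitation. The note also does not tell the reader how regional scope is selected: WAFv2 distinguishes `CLOUDFRONT` from `REGIONAL` scope and regional ACLs live in a specific region, so one sentence on the flag or region the script expects would save readers a trip to the source. While in this paragraph, "I'm only concern with two keys" should read "concerned", and AWS spells it "CloudFront".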
@ -39,7 +39,7 @@ This website's JAMstack workflow goes like this:
4. Markdown files are processed into HTML pages using Nodejs-powered Hexo.
5. Generated pages are hosted on curben.netlify.app
_(Edit 22 Feb 2021: static site is now hosted primarily on Cloudflare Pages curben.pages.dev, with Netlify as a standby)_
(Edit: 22 Feb 2021) static site is now hosted primarily on Cloudflare Pages curben.pages.dev, with Netlify as a standby.
Right off the bat I can already see the need of setting up a private server due to the second requirement (ability to remove HTTP header). I had an option to drop Netlify by building the pages on my workstation and deploy to the web server (using a Hexo deployer plugin). So far I do find Netlify service to be reliable and it offers features like adding headers and reverse proxy which are easy to setup. Speaking of Netlify's features, I then had an idea of setting up a web server which reverse proxy to Netlify. This approach meets all the four requirements; a side-benefit is that if I screw up the web server, at least my website is still up on curben.netlify.app and I can easily migrate this domain to Netlify.
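Review bot: the context line "5. Generated pages are hosted on curben.netlify.app" directly above the reformatted note is stale by the note's own account (primary hosting is curben.pages.dev, Netlify is standby); since the list is being touched anyway, consider updating step 5 so the list and the note agree rather than leaving the correction as a trailing aside. The change from "_(Edit 22 Feb 2021: ...)_" to "(Edit: 22 Feb 2021) ..." does drop the italics that set the note apart from body text, which is fine if that is the house style now, and it matches the format used in the other two hunks.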
@ -69,7 +69,7 @@ PhishTank is a notable example of this kind of discrepancy. Despite being operat
Using URLhaus and PhishTank alone cannot possibly determine the effectiveness of malicious-blocking DNS providers accurately. I believe there are many malicious links out there that are not covered in those datasets. While I do think they are high quality and every DNS provider should consider utilising them, they are not _representative_ samples. So, take DNS-filtering testing which has limited sample with a grain of salt.
(Edit 14/07/2020) I was curious if the result is due to the samples being too _fresh_ (7 hours); DNS providers may not update their sources in real-time and perhaps only update once or twice a day. I ran the tests again on 13 July 2020 using the same samples (which I downloaded in 10 July 2020), a 3-day delay. The results show no significant change though.
(Edit: 14 Jul 2020) I was curious if the result is due to the samples being too _fresh_ (7 hours); DNS providers may not update their sources in real-time and perhaps only update once or twice a day. I ran the tests again on 13 July 2020 using the same samples (which I downloaded in 10 July 2020), a 3-day delay. The results show no significant change though.
## Google Safe Browsing
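Review bot: the new prefix uses "14 Jul 2020" while the body of the same line keeps "13 July 2020" and "10 July 2020"; pick one month form for the whole note. Also "which I downloaded in 10 July 2020" should read "on 10 July 2020". Moving from "14/07/2020" to a spelled-out month is the right call, as it removes the DD/MM versus MM/DD ambiguity for readers outside the author's locale.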