Static Content Bypass for Stingray Application Firewall

The Enforcer rule used by Stingray Application Firewall (SAF) passes all requests to the local decider processes for inspection.

For performance reasons, you may not want to inspect all requests. For example, if some requests that are processed by your virtual server are sent to a cluster of servers hosting static content, and other requests are sent to a completely separate set of transaction servers, then it may make pragmatic sense to just inspect the requests that are routed to your transaction servers.

You can whitelist a request by setting the connection-local variable 'enforcer.whitelist' to '1'.

Example

The following rule should be applied to the Virtual Server prior to the SAF Enforcer rule. It whitelists requests only if they use the HTTP "GET" method, do not have a query string, and have a file extension that appears in the $fileTypes array.

# SAF Bypass Rule. This needs to be run as a request rule prior to the SAF Enforcer rule
# Only bypass GET requests
if ( http.getMethod() != "GET" )
   break;

# Only bypass requests with no query string
if ( http.getQueryString() )
   break;

# Array of file extensions to bypass
$fileTypes = [ "css", "js", "png", "gif", "jpg" ];

# Pull out extension from path
$extension = array.pop( string.split( http.getPath(), ".") );

# If the extension exists in our array, then set the whitelist flag
if ( array.contains($fileTypes, $extension) ) {
   connection.data.set("enforcer.whitelist", 1);
}
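
A stricter variant of the rule above, added here as an example and not part of the original article: it also requires the path to sit under a static-content prefix, so the bypass only matches requests that are actually routed to the static servers. The "/static/" prefix and the $staticPrefix, $file and $parts variable names are assumptions; adjust the prefix to match your own routing.

```trafficscript
# Stricter SAF bypass rule (added example, not from the original article).
# Run as a request rule prior to the SAF Enforcer rule.

# ASSUMPTION: static content is only ever served from paths under this prefix
$staticPrefix = "/static/";

# Array of file extensions to bypass (same list as the original rule)
$fileTypes = [ "css", "js", "png", "gif", "jpg" ];

# Only bypass GET requests
if ( http.getMethod() != "GET" )
   break;

# Only bypass requests with no query string
if ( http.getQueryString() )
   break;

$path = http.getPath();

# Only bypass paths that are routed to the static content servers
if ( !string.startsWith( $path, $staticPrefix ) )
   break;

# Do not bypass paths that contain parent-directory references
if ( string.contains( $path, ".." ) )
   break;

# Take the extension from the final path segment only
$file  = array.pop( string.split( $path, "/" ) );
$parts = string.split( $file, "." );

# No dot in the file name means there is no extension to match
if ( array.length( $parts ) < 2 )
   break;

# Compare in lower case so the list above needs only one entry per type
$extension = string.lowerCase( array.pop( $parts ) );

# Everything matched: skip SAF inspection for this request
if ( array.contains( $fileTypes, $extension ) ) {
   connection.data.set( "enforcer.whitelist", 1 );
}
```

Any request that fails one of these checks falls through to the SAF Enforcer rule and is inspected as usual.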