
Is it possible to bypass WAF on CloudFront if the request is for static files like images?

This is a simple question, but one that has a big impact on operating cost. CloudFront + WAF is charged by GB, so images have a high impact on cost, and there is no need to have a firewall.

1 Answer

  1. There's no per-gigabyte charge. There's a $0.60 charge per million requests. https://aws.amazon.com/waf/pricing/

  2. If you want to avoid that, set up a second CloudFront distribution without the WAF and use that one for static assets. It can have identical settings, or you can set the origin to point directly at your images subfolder if you have one. (This has the additional benefit of stopping someone from using the second distribution to bypass the WAF.)

ceejayoz
  • @ceejayoz and @michael - sqlbot, sorry about my mistake, it's by request, that's right. But I had around `500M visits` * `10 pageviews` * `150 requests` per month, which is `750 billion requests` and `U$450.000,00` a month. This is extremely unviable. So what I need is to host all files keeping the domain, but with the static ones out of WAF. Is there a way to do that? – Mateus Saggin Jun 05 '18 at 04:47
  • @MateusSaggin See #2 in my answer. Use a separate distribution for the static files. – ceejayoz Jun 05 '18 at 12:27
  • (Also, 150 requests for every pageview is incredibly excessive in most cases, unless you're running a large photo gallery site or something. 750 billion requests is probably always going to be at least *somewhat* expensive, though.) – ceejayoz Jun 05 '18 at 12:29
  • ceejayoz, we developed an ecommerce platform. So, yes, it has too many requests, especially on category/search/department pages. We know that 750 billion requests is expensive. But spending money on WAF for unnecessary files is stupid. So, if a way exists, OK. Or, if not, we will build a CNAME that resolves to another CloudFront, and all stores will need a subdomain to "host" static files. – Mateus Saggin Jun 05 '18 at 15:45
  • The separate CNAME is the way to go here, I suspect. Something like `static.example.com` pointed at your static files directory. – ceejayoz Jun 05 '18 at 15:56
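
Added example, not part of the original answer or comments: a check that a distribution without a WAF, as suggested in point 2 of the answer, only exposes a static subfolder with read-only methods. The sample configs, the `/images` path, the domain names and the web ACL id are constructed; the field names follow CloudFront's `DistributionConfig`.

```python
# Added example: audit CloudFront distribution configs for a WAF/static split.
# Field names (WebACLId, Origins, OriginPath, AllowedMethods, CacheBehaviors)
# follow CloudFront's DistributionConfig; every value below is constructed.

READ_ONLY = {"GET", "HEAD", "OPTIONS"}
WAF_PRICE_PER_MILLION = 0.60  # per-request charge quoted in the answer


def audit(config):
    """Return findings for a distribution that has no web ACL attached."""
    if config.get("WebACLId"):
        return []  # WAF is attached, nothing to flag
    findings = []
    for origin in config["Origins"]["Items"]:
        if not origin.get("OriginPath"):
            findings.append(f"origin {origin['Id']}: no OriginPath, "
                            "whole origin is reachable without the WAF")
    behaviors = [config["DefaultCacheBehavior"]]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    for b in behaviors:
        extra = set(b["AllowedMethods"]["Items"]) - READ_ONLY
        if extra:
            findings.append(f"behavior {b.get('PathPattern', 'default')}: "
                            f"allows {sorted(extra)} without the WAF")
    return findings


def waf_request_cost(requests):
    """Monthly WAF request charge in USD for a given request count."""
    return requests / 1_000_000 * WAF_PRICE_PER_MILLION


def make_config(web_acl, origin_path, methods):
    """Build a constructed DistributionConfig-shaped dict for the demo."""
    return {
        "WebACLId": web_acl,
        "Origins": {"Items": [{"Id": "shop-origin",
                               "DomainName": "origin.example.com",
                               "OriginPath": origin_path}]},
        "DefaultCacheBehavior": {"AllowedMethods": {"Items": methods}},
    }


ALL = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
APP = make_config("EXAMPLE-WEB-ACL-ID", "", ALL)     # www, behind the WAF
STATIC_OK = make_config("", "/images", ["GET", "HEAD"])  # static.example.com
STATIC_BAD = make_config("", "", ALL)  # identical settings, WAF removed

if __name__ == "__main__":
    for name in ("APP", "STATIC_OK", "STATIC_BAD"):
        print(name, audit(globals()[name]))
```
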