Skip to main content
Version: 2.6.1

Waf Plugin


  • Waf is the core implementation of gateway to realize firewall function for network traffic.

Plugin Setting#

Please refer to the deployment document, choose a way to start shenyu-admin. For example, through Local Deployment to start the Apache ShenYu management system.

  • In shenyu-admin BasicConfig --> plugin -> waf set to enable.If you don't want to use this function, please disable this plugin in the shenyu-admin.

  • Add configuration mode in plugin editing.

{"model":"black"}# model can be 'black' or 'mixed'# The default mode is blacklist mode; If setting is mixed, it will be mixed mode. We will explain it specifically below.

Add Dependency#

  • Introducing waf dependency in the pom.xml of the gateway.
  <!-- apache shenyu waf plugin start-->  <dependency>      <groupId>org.apache.shenyu</groupId>      <artifactId>shenyu-spring-boot-starter-plugin-waf</artifactId>      <version>${project.version}</version>  </dependency>  <!-- apache shenyu waf plugin end-->

Waf Plugin Configuration#

For more instructions on selector and rule configuration, please refer to: Selector And Rule Config, here only some fields are introduced.

Waf plugin rule configuration page:

For requests that are denied access by Waf , the response header status code is: 403.

Black Model#

  • When model is set to black mode, only the matched traffic will execute the rejection policy, and the unmatched traffic will be skipped directly.
  • The Handler feild in the rule configuration is invalid and can be configured to be empty.

Mixed Model#

  • When model is set to mixed mode, all traffic will pass through waf plugin. For different matching traffic, users can set whether to reject or pass.

  • The Handler feild in the rule configuration must be configured:

    • permission: The handle logic that matches the rule. reject: deny access, allow: allow access.

    • statusCode: When access is denied, the value of the code field in the response body. Will not modify the status code of the response header.

      e.g.:statusCode=10001,The rejected response body is :

      {"code":10001,"message":"You are forbidden to visit"}


  • Waf is also the pre-plugin of ShenYu, which is mainly used to intercept illegal requests or exception requests and give relevant rejection policies.
  • When faced with replay attacks, you can intercept illegal ip and host, and set reject strategy according to matched ip or host.
  • How to determine ip and host, please refer to: parsing-ip-and-host