Configuration
FOXWAF is configured via the Web console — all changes take effect instantly. Below are the key parameters for each module.
Sites
Each site is a combination of {listen port + SNI/Host + upstream + certificate + rules}:
| Field | Description |
|---|---|
| Listen | 0.0.0.0:443 / 0.0.0.0:80 / multiple ports coexist |
| SNI / Host | Exact, wildcard (*.example.com) and regex matching are supported |
| Upstream | Multiple http://ip:port / https://... entries; weights configurable |
| Load Balancing | Round-robin / weighted / consistent-hash / least-connection |
| Certificate | RSA / ECDSA / SM2; OCSP Stapling can be enabled |
| HTTPS Redirect | Automatic 80 → 443 redirect |
| WebSocket | Pass-through toggle; timeouts configured separately |
TLS Certificates
- Upload PEM / PFX; private keys are encrypted on disk
- Per-domain certificates: each SNI binds to its own certificate, fully isolated
- Certificate swaps take effect instantly: existing connections finish naturally, new connections use the new certificate
- ShangMi SM2 certificates can coexist with RSA / ECDSA on the same SNI (dual certificates issued together)
Rule Sets
Rule sets fall into three categories: system, industry-specific and custom:
| Category | Source | Updates |
|---|---|---|
| System Rules | OWASP Core / official FOXWAF extensions | Updated with each release |
| Industry Rules | Finance / Government / E-commerce specials (Pro) | Cloud rule-source subscription |
| Custom Rules | Created via console or API (Pro) | Take effect on save |
Recommendation: When creating custom rules, run them in Monitor mode for 24 to 48 hours first to confirm there are no false positives, then switch to Block mode.
CC / Bot Protection (Pro)
- CC rate limiting: per-IP / per-user / per-path thresholds per second / per minute
- JS Challenge: a lightweight JS verification page is returned over the threshold; browsers pass through automatically while automation tools are blocked
- Bot detection: behavioral analysis + TLS fingerprinting + DevTools anti-debug, three-way verdict
- Allow list: search-engine crawlers (Googlebot / Bingbot, etc.) are allowed after UA + reverse DNS validation
Mirrors
On upgrade, mirrors are tried in priority order until one succeeds. Configure them under Mirror Management in the console:
| Platform | Description |
|---|---|
| GitHub | Preferred for overseas nodes |
| GitCode | CSDN's domestic platform — stable, no proxy required |
| Official Direct Link | Fallback when every mirror fails |
Hot Reload
Every configuration change takes effect on save with no restart, backed by RCU-style switching:
- New requests use the new config; in-flight requests finish under the old one
- Rule Tries are rebuilt in a double-buffer and swapped atomically by pointer
- Certificate / SNI routing tables are read-only maps swapped wholesale on update
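The snapshot semantics above (a request keeps the rule set that was live when it started, while a reload publishes a new one by a single pointer swap) as an added Go example; this is illustrative code, not FOXWAF's own implementation, and the rule and certificate values are constructed samples:

```go
package main

import (
	"fmt"
	"sync/atomic"
)

// RuleSet is an immutable snapshot: compiled rules plus the SNI -> certificate table.
// Nothing mutates a RuleSet after it is published; a reload replaces the whole pointer.
type RuleSet struct {
	Version int
	Blocked map[string]bool   // paths to block (constructed sample rules)
	Certs   map[string]string // SNI -> certificate id, read-only map swapped wholesale
}

// current is the published pointer: readers Load it once per request, the writer Stores a new one.
var current atomic.Pointer[RuleSet]

// Publish builds a fully initialised RuleSet off to the side (the "double buffer")
// and swaps it in with one atomic store; the old RuleSet stays valid for in-flight requests.
func Publish(version int, blocked []string, certs map[string]string) *RuleSet {
	rs := &RuleSet{Version: version, Blocked: map[string]bool{}, Certs: map[string]string{}}
	for _, p := range blocked {
		rs.Blocked[p] = true
	}
	for sni, id := range certs {
		rs.Certs[sni] = id
	}
	current.Store(rs)
	return rs
}

// Request models one in-flight request pinned to the RuleSet that was live when it began.
type Request struct {
	rules *RuleSet
	Path  string
	SNI   string
}

// Begin snapshots the current rule set exactly once, so a reload mid-request
// cannot change this request's decisions or its certificate binding.
func Begin(path, sni string) *Request {
	return &Request{rules: current.Load(), Path: path, SNI: sni}
}

// Decide returns (blocked, certificate id, rule version) using only the snapshot taken at Begin.
func (r *Request) Decide() (bool, string, int) {
	return r.rules.Blocked[r.Path], r.rules.Certs[r.SNI], r.rules.Version
}

func main() {
	Publish(1, []string{"/admin"}, map[string]string{"a.example.com": "cert-rsa-1"})
	req := Begin("/admin", "a.example.com") // in flight under version 1
	Publish(2, nil, map[string]string{"a.example.com": "cert-sm2-2"})
	fmt.Println(req.Decide())                             // old request: true cert-rsa-1 1
	fmt.Println(Begin("/admin", "a.example.com").Decide()) // new request: false cert-sm2-2 2
}
```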
Audit & Compliance
- Every configuration change is recorded in the Audit Log with operator, timestamp and before/after values
- Attack logs can be exported as CSV / JSON for SIEM / SOC integration
- Monthly archiving and automatic cleanup, compliant with China MLPS Level 3 log retention
Further Reading
- Architecture — Pipeline and hot-reload
- OpenAPI Reference — Complete interface catalog for the PRO automation API
- Plugins & Extensions — Inject business-specific logic
- Releases — Per-version feature updates