1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-11 15:39:42 +00:00
gcloud-help/gcloud/alpha/compute/security-policies/rules/update
2022-03-01 04:29:52 +00:00

198 lines
8.5 KiB
Text

NAME
gcloud alpha compute security-policies rules update - update a Compute
Engine security policy rule
SYNOPSIS
gcloud alpha compute security-policies rules update PRIORITY
[--action=ACTION] [--ban-duration-sec=BAN_DURATION_SEC]
[--ban-threshold-count=BAN_THRESHOLD_COUNT]
[--ban-threshold-interval-sec=BAN_THRESHOLD_INTERVAL_SEC]
[--conform-action=CONFORM_ACTION] [--description=DESCRIPTION]
[--enforce-on-key=ENFORCE_ON_KEY]
[--enforce-on-key-name=ENFORCE_ON_KEY_NAME]
[--exceed-action=EXCEED_ACTION]
[--exceed-redirect-target=EXCEED_REDIRECT_TARGET]
[--exceed-redirect-type=EXCEED_REDIRECT_TYPE] [--preview]
[--rate-limit-threshold-count=RATE_LIMIT_THRESHOLD_COUNT]
[--rate-limit-threshold-interval-sec=RATE_LIMIT_THRESHOLD_INTERVAL_SEC]
[--redirect-target=REDIRECT_TARGET] [--redirect-type=REDIRECT_TYPE]
[--request-headers-to-add=[REQUEST_HEADERS_TO_ADD,...]]
[--security-policy=SECURITY_POLICY]
[--expression=EXPRESSION | --src-ip-ranges=[SRC_IP_RANGE,...]]
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(ALPHA) gcloud alpha compute security-policies rules update is used to
update security policy rules.
For example to update the description and IP ranges of a rule at priority
1000, run:
$ gcloud alpha compute security-policies rules update 1000 \
--security-policy my-policy \
--description "block 1.2.3.4/32" \
--src-ip-ranges 1.2.3.4/32
POSITIONAL ARGUMENTS
PRIORITY
The priority of the rule to update. Rules are evaluated in order from
highest priority to lowest priority where 0 is the highest priority and
2147483647 is the lowest priority.
FLAGS
--action=ACTION
The action to take if the request matches the match condition. ACTION
must be one of:
allow
Allows the request from HTTP(S) Load Balancing.
deny
Denies the request from TCP/SSL Proxy Load Balancing.
deny-403
Denies the request from HTTP(S) Load Balancing, with an HTTP
response status code of 403.
deny-404
Denies the request from HTTP(S) Load Balancing, with an HTTP
response status code of 404.
deny-502
Denies the request from HTTP(S) Load Balancing, with an HTTP
response status code of 503.
rate-based-ban
Enforces rate-based ban action from HTTP(S) Load Balancing, based
on rate limit options.
redirect
Redirects the request from HTTP(S) Load Balancing, based on
redirect options.
redirect-to-recaptcha
(DEPRECATED) Redirects the request from HTTP(S) Load Balancing, for
reCAPTCHA Enterprise assessment. This flag choice is deprecated.
Use --action=redirect and --redirect-type=google-recaptcha instead.
throttle
Enforces throttle action from HTTP(S) Load Balancing, based on rate
limit options.
--ban-duration-sec=BAN_DURATION_SEC
Can only be specified if the action for the rule is rate-based-ban. If
specified, determines the time (in seconds) the traffic will continue
to be banned by the rate limit after the rate falls below the
threshold.
--ban-threshold-count=BAN_THRESHOLD_COUNT
Number of HTTP(S) requests for calculating the threshold for banning
requests. Can only be specified if the action for the rule is
rate-based-ban. If specified, the key will be banned for the configured
BAN_DURATION_SEC when the number of requests that exceed the
RATE_LIMIT_THRESHOLD_COUNT also exceed this BAN_THRESHOLD_COUNT.
--ban-threshold-interval-sec=BAN_THRESHOLD_INTERVAL_SEC
Interval over which the threshold for banning requests is computed. Can
only be specified if the action for the rule is rate-based-ban. If
specified, the key will be banned for the configured BAN_DURATION_SEC
when the number of requests that exceed the RATE_LIMIT_THRESHOLD_COUNT
also exceed this BAN_THRESHOLD_COUNT.
--conform-action=CONFORM_ACTION
Action to take when requests are under the given threshold. When
requests are throttled, this is also the action for all requests which
are not dropped. CONFORM_ACTION must be (currently only one value is
supported): allow.
--description=DESCRIPTION
An optional, textual description for the rule.
--enforce-on-key=ENFORCE_ON_KEY
Different key types available to enforce the rate limit threshold limit
on:
◆ ip: each client IP address has this limit enforced separately
◆ all: a single limit is applied to all requests matching this rule
◆ http-header: key type takes the value of the HTTP header configured
in enforce-on-key-name as the key value
◆ xff-ip: takes the original IP address specified in the
X-Forwarded-For header as the key
◆ http-cookie: key type takes the value of the HTTP cookie configured
in enforce-on-key-name as the key value
ENFORCE_ON_KEY must be one of: ip, all, http-header, xff-ip,
http-cookie.
--enforce-on-key-name=ENFORCE_ON_KEY_NAME
Determines the key name for the rate limit key. Applicable only for the
following rate limit key types:
◆ http-header: The name of the HTTP header whose value is taken as
the key value.
◆ http-cookie: The name of the HTTP cookie whose value is taken as
the key value.
--exceed-action=EXCEED_ACTION
Action to take when requests are above the given threshold. When a
request is denied, return the specified HTTP response code. When a
request is redirected, use the redirect options based on
--exceed-redirect-type and --exceed-redirect-target below.
EXCEED_ACTION must be one of: deny-403, deny-404, deny-429, deny-502,
deny, redirect.
--exceed-redirect-target=EXCEED_REDIRECT_TARGET
URL target for the redirect action that is configured as the exceed
action when the redirect type is external-302.
--exceed-redirect-type=EXCEED_REDIRECT_TYPE
Type for the redirect action that is configured as the exceed action.
EXCEED_REDIRECT_TYPE must be one of: google-recaptcha, external-302.
--preview
If specified, the action will not be enforced.
--rate-limit-threshold-count=RATE_LIMIT_THRESHOLD_COUNT
Number of HTTP(S) requests for calculating the threshold for rate
limiting requests.
--rate-limit-threshold-interval-sec=RATE_LIMIT_THRESHOLD_INTERVAL_SEC
Interval over which the threshold for rate limiting requests is
computed.
--redirect-target=REDIRECT_TARGET
URL target for the redirect action. Must be specified if the redirect
type is external-302. Cannot be specified if the redirect type is
google-recaptcha.
--redirect-type=REDIRECT_TYPE
Type for the redirect action. Default to external-302 if unspecified
while --redirect-target is given. REDIRECT_TYPE must be one of:
google-recaptcha, external-302.
--request-headers-to-add=[REQUEST_HEADERS_TO_ADD,...]
A comma-separated list of header names and header values to add to
requests that match this rule.
--security-policy=SECURITY_POLICY
The security policy that this rule belongs to.
Security policy rule matcher.
At most one of these can be specified:
--expression=EXPRESSION
The Cloud Armor rules language expression to match for this rule.
--src-ip-ranges=[SRC_IP_RANGE,...]
The source IPs/IP ranges to match for this rule. To match all IPs
specify *.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in alpha and might change without notice. If this
command fails with API permission errors despite specifying the correct
project, you might be trying to access an API with an invitation-only early
access allowlist. These variants are also available:
$ gcloud compute security-policies rules update
$ gcloud beta compute security-policies rules update