CDN integrates Web Application Firewall (WAF) capabilities to filter out malicious
requests and reroute secure requests to servers. CDN WAF can help protect Web servers
against intrusions, secure core data, and prevent server performance exceptions caused
by attacks. This topic describes WAF protection, scenarios, billing methods, and setting
methods.
Prerequisites
WAF is applicable only to CDN nodes in mainland China. Before enabling WAF protection,
you must confirm the region of the domain name. For more information about how to
change the region of a domain name, see
Modify basic information.
Background information
CDN WAF is the integration of WAF capabilities into CDN to protect CDN nodes. For
more information about WAF protection, see What is Alibaba Cloud WAF?.
CDN WAF is applicable to industries such as finance, e-commerce, O2O, Internet Plus,
games, government, and insurance. It protects your website against unexpected loss
caused by attacks when you use CDN to accelerate your website.
CDN WAF can provide the following capabilities:
- Prevents leaks of core data on your website caused by injection attacks.
- Prevents trojans from being uploaded, which may tamper with your Web pages and safeguards
the credibility of your website.
- Provides virtual patches that enable quick fix for newly discovered vulnerabilities.
When you enable CDN WAF for a domain name, CDN WAF will detect all requests for the
domain name, count the number of requests by account, and then charge fees. The following
table describes CDN WAF billing rules.
| Requests per hour |
Fees |
| 1 to 20,000 |
CNY 0.4 ( a fixed fee) |
| 20,001 to 500,000 |
CNY 0.2 per 10,000 requests |
| 500,001 to 5,000,000 |
CNY 0.18 per 10,000 requests |
| Over 5,000,000 |
CNY 0.15 per 10,000 requests |
For example, user A enabled the CDN WAF feature for a domain name and user B enabled
the CDN WAF feature for another domain name at 10:20, February 28, 2019. The following
table describes all the fees incurred.
| User |
Requests between 10:20 and 11:20 |
Bill (CNY) received at 11:21 |
| A |
15,000 |
0.4 |
| B |
350,000 |
7 (350,000/10,000 × 0.2) |
Procedure
- Log on to the Alibaba Cloud CDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the target domain name and click Manage.
- In the left-side navigation pane of the specified domain name, click Security Settings.
- On the WAF page, turn on WAF Configuration.
- Click Modify.
- Configure Web Application Protection and HTTP ACL Policy as prompted.
| Project |
Parameter |
Description |
| Web Application Protection |
Status |
The Web Application Protection switch. |
| Mode |
The following two Web application protection modes are supported:
- Block
An attack is blocked after it is detected.
- Report
An alert is sent after an attack is detected. However, the attack is not blocked.
|
| Mode of Protection Policy |
The following Web application protection policies are used:
- Loose Rule Group
If many normal requests are blocked when you set Mode of Protection Policy to Medium Rule Group, we recommend you select Loose Rule Group. The loose rule group has the least false positives but the most false negatives.
- Medium Rule Group
The medium rule group is used by default.
- Strict Rule Group
If you require stricter protection against path traversal, SQL injections, and command
execution attacks, we recommend that you select Strict Rule Group.
When a protection rule is found to block normal requests, you can adjust the mode
of protection policy. The loose rule group has the least false positives but the most
false negatives.
|
| HTTP ACL Policy |
Status |
The HTTP ACL Policy switch. |
| Rules |
A default rule is provided. You can click Settings to add a rule, and modify the default rule. Up to three conditions are allowed in
each custom rule. The conditions are in the logical AND relationship. A rule is matched
only when all the three conditions are satisfied.
|