CDN integrates Web Application Firewall (WAF) capabilities to filter out malicious requests and reroute secure requests to servers. CDN WAF can help protect Web servers against intrusions, secure core data, and prevent server performance exceptions caused by attacks. This topic describes WAF protection, scenarios, billing methods, and setting methods.
CDN WAF is the integration of WAF capabilities into CDN to protect CDN nodes. For more information about WAF protection, see "What is Alibaba Cloud WAF?".
CDN WAF is applicable to industries such as finance, e-commerce, O2O, Internet Plus, games, government, and insurance. It protects your website against unexpected loss caused by attacks when you use CDN to accelerate your website.
- Prevents leaks of core data on your website caused by injection attacks.
- Prevents the upload of trojans that may tamper with your Web pages, and safeguards the credibility of your website.
- Provides virtual patches that enable quick fixes for newly discovered vulnerabilities.
|Requests per hour|Fees|
|---|---|
|1 to 20,000|CNY 0.4 (a fixed fee)|
|20,001 to 500,000|CNY 0.2 per 10,000 requests|
|500,001 to 5,000,000|CNY 0.18 per 10,000 requests|
|Over 5,000,000|CNY 0.15 per 10,000 requests|

|User|Requests between 10:20 and 11:20|Bill (CNY) received at 11:21|
|---|---|---|
|B|350,000|7 (350,000/10,000 × 0.2)|
- Log on to the Alibaba Cloud CDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the target domain name and click Manage.
- In the left-side navigation pane of the specified domain name, click Security Settings.
- On the WAF page, turn on WAF Configuration.
- Click Modify.
- Configure Web Application Protection and HTTP ACL Policy as prompted.
|Project|Parameter|Description|
|---|---|---|
|Web Application Protection|Status|The Web Application Protection switch.|
|Web Application Protection|Mode|The following two Web application protection modes are supported:<br>- An attack is blocked after it is detected.<br>- An alert is sent after an attack is detected. However, the attack is not blocked.|
|Web Application Protection|Mode of Protection Policy|The following Web application protection policies are used:<br>- Loose Rule Group: If many normal requests are blocked when you set Mode of Protection Policy to Medium Rule Group, we recommend that you select Loose Rule Group. The loose rule group has the least false positives but the most false negatives.<br>- Medium Rule Group: The medium rule group is used by default.<br>- Strict Rule Group: If you require stricter protection against path traversal, SQL injections, and command execution attacks, we recommend that you select Strict Rule Group.<br>When a protection rule is found to block normal requests, you can adjust the mode of protection policy.|
|HTTP ACL Policy|Status|The HTTP ACL Policy switch.|
|HTTP ACL Policy|Rules|A default rule is provided. You can click Settings to add a rule and to modify the default rule. Up to three conditions are allowed in each custom rule. The conditions are combined with logical AND: a rule is matched only when all of its conditions are satisfied.|
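
The following sketch models the HTTP ACL matching semantics described above (at most three conditions per rule, combined with logical AND). It is an added example, not Alibaba Cloud code: the field names, operators, rule names, and sample requests are hypothetical and do not reflect the console's actual condition options.

```python
from dataclasses import dataclass

MAX_CONDITIONS = 3  # limit stated in the Rules description above

# Hypothetical operators; the console's real condition options may differ.
OPERATORS = {
    "equals": lambda value, arg: value == arg,
    "contains": lambda value, arg: arg in value,
    "prefix": lambda value, arg: value.startswith(arg),
}

@dataclass(frozen=True)
class Condition:
    field: str     # hypothetical request field, e.g. "uri" or "user_agent"
    operator: str  # a key of OPERATORS
    argument: str

@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple

    def __post_init__(self):
        # Assumption: an empty rule is rejected, since AND over nothing matches everything.
        if not 1 <= len(self.conditions) <= MAX_CONDITIONS:
            raise ValueError(f"{self.name}: expected 1 to {MAX_CONDITIONS} conditions")
        unknown = [c.operator for c in self.conditions if c.operator not in OPERATORS]
        if unknown:
            raise ValueError(f"{self.name}: unknown operator(s) {unknown}")

    def matches(self, request: dict) -> bool:
        # Logical AND: every condition must hold; an absent field never matches.
        return all(
            c.field in request and OPERATORS[c.operator](request[c.field], c.argument)
            for c in self.conditions
        )

def matched_rules(rules, request):
    """Return the names of all rules whose conditions are all satisfied."""
    return [rule.name for rule in rules if rule.matches(request)]

# Constructed sample rules: OR logic needs separate rules, because
# conditions inside one rule can only narrow the match.
RULES = [
    Rule("admin-and-scanner", (Condition("uri", "prefix", "/admin"),
                               Condition("user_agent", "contains", "scanner"))),
    Rule("backup-download", (Condition("uri", "contains", ".bak"),)),
]

if __name__ == "__main__":
    print(matched_rules(RULES, {"uri": "/admin/login", "user_agent": "Mozilla/5.0"}))
```

Because each added condition narrows a rule, a request that satisfies only one of two conditions passes that rule untouched; covering alternative patterns requires one rule per pattern.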