
Web Application Firewall: Tutorial

Last Updated: Sep 12, 2023

Before you can use Web Application Firewall (WAF) to protect your web services, you must add your website to WAF. This topic describes how to add a website to WAF.

Access mode

You can add your website to WAF in CNAME record mode or transparent proxy mode based on your business requirements. HTTP 1.0, HTTP 1.1, and HTTP 2.0 are supported by default.

The two modes differ in the following aspects:

Description
  • CNAME record mode: You add the domain name of the website that you want to protect to WAF and change its DNS record. Traffic traveling to the website is then forwarded to and protected by WAF.
  • Transparent proxy mode: You add the domain name of the website to WAF without changing its DNS record. Traffic traveling to the website is then forwarded to and protected by WAF.

Supported origin servers
  • CNAME record mode: Origin servers that are deployed in the cloud or on-premises.
  • Transparent proxy mode: Origin servers that are Elastic Compute Service (ECS) instances or that are added to an Internet-facing Server Load Balancer (SLB) instance.

Number of domain names that can be added
  • CNAME record mode: One domain name at a time.
  • Transparent proxy mode: All of the domain names that are included in the ECS or SLB instance.

Whether back-to-origin rules must be configured
  • CNAME record mode: You must configure back-to-origin rules.
  • Transparent proxy mode: You do not need to configure back-to-origin rules.

Whether the DNS record must be changed
  • CNAME record mode: You must change the DNS record.
  • Transparent proxy mode: You do not need to change the DNS record.

Whether protection for origin servers must be configured
  • CNAME record mode: In CNAME record mode, attackers can bypass WAF and launch direct-to-origin attacks. Therefore, you must configure protection for your origin server to prevent such attacks.
  • Transparent proxy mode: You do not need to configure protection for your origin server.

Limits
  • CNAME record mode: None.
  • Transparent proxy mode:
    • WAF instances in some regions do not support the transparent proxy mode due to network architecture limits.
    • Internal-facing SLB instances do not support the transparent proxy mode.
    • IPv6 Internet-facing SLB instances do not support the transparent proxy mode.
    • The number of traffic redirection ports that are supported in transparent proxy mode is limited.
    • Default protection rules cannot be changed. You must configure a domain name before you can configure protection rules for the domain name.

For more information about the limits of the transparent proxy mode, see Transparent proxy mode.

Add a website in CNAME record mode

  1. On the Add Domain Name page of the WAF console, set Access Mode to CNAME Record.

  2. Add the domain name of the website that you want to protect to WAF and configure back-to-origin rules.

    Configure the following parameters:

    • Domain Name: Enter the domain name of the website that you want to protect.

    • Protection Resource: Select the type of protection resource that you want to use.

    • Protocol Type: Select the protocol that is supported by your website. If you set Protocol Type to HTTPS, you can select Enable Origin SNI. You can also click Advanced Settings and then select Enable HTTPS Routing and Enable HTTP.

    • Destination Server Port: Specify the port based on the value of the Protocol Type parameter. This is the port on which the origin server provides services.

      Important: If the origin server uses a port other than HTTP port 80 or HTTPS port 443, you can specify that port, but check that it is within the port range that WAF supports. For more information, see View the ports supported by WAF.

    • Destination Server (IP Address): Specify the type of the origin server address. Valid values:

      • IP: Enter the public IP addresses of the SLB or ECS instances on which the origin servers are deployed, or the IP addresses of origin servers that are not deployed on Alibaba Cloud.

      • Domain Name (Such as CNAME): Enter the domain names of the origin servers. The domain names of the origin servers cannot be the same as the domain name of the website added to WAF. Only IPv4 addresses are supported.

    • Load Balancing Algorithm: If you enter multiple origin server addresses, configure this parameter based on your business requirements.

    • Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN.

    • Enable Traffic Mark: Specify whether to enable the WAF traffic marking feature.

    • Resource Group: If you want to manage cloud resources by department or project, select the resource group to which the domain name belongs from the resource group drop-down list.

    For more information, see Add a domain name to WAF.

  3. Check whether the configurations take effect. If you change the DNS record before the forwarding configurations for your website take effect, service interruptions may occur. For more information, see Verify domain name settings.

  4. Change the DNS record. You must manually change the DNS record to redirect requests that are destined for your website to WAF.

    The following example demonstrates how to change the DNS record in Alibaba Cloud DNS.

    1. Obtain the CNAME or IP address of your WAF instance. For more information, see Obtain the CNAME that is assigned by WAF to your domain name.

    2. On the Domain Name Resolution page of the Alibaba Cloud DNS console, locate the domain name whose configurations you want to modify and click DNS Settings in the Actions column. Add a CNAME record to map the domain name to the CNAME that is provided by WAF.

    For more information, see Modify a DNS record.

  5. Check whether your website is protected by WAF. For more information, see Optional: Simulate simple web attack commands to check whether WAF runs as expected. For example, enter /alert(xss), which represents a web attack request, in the address bar of your browser, and then check whether WAF blocks the request. If the request is blocked, the WAF block page appears.

After you perform the preceding operations, your website is protected by WAF. To enhance the protection capabilities of your WAF instance, we recommend that you perform the following operations:

  • Upload an HTTPS certificate

    If your website uses HTTPS, you must upload a valid HTTPS certificate in the WAF console to make sure that WAF processes HTTPS requests as expected. For more information, see Add a domain name to WAF.

  • Allow access from the back-to-origin CIDR blocks of WAF

    WAF uses specific back-to-origin CIDR blocks to forward normal traffic back to an origin server. As a result, the origin server receives a high rate of requests from a small set of WAF addresses, and the firewall or security software on the origin server may classify these CIDR blocks as attack sources and block them. Therefore, you must add the back-to-origin CIDR blocks to the IP address whitelist of the security software. For more information, see Allow access from back-to-origin CIDR blocks of WAF.

  • Configure protection for an origin server

    For security purposes, we recommend that you configure access control policies for the origin server to allow inbound traffic only from the back-to-origin CIDR blocks of WAF. This way, attackers cannot bypass WAF to attack the origin server. For more information, see Configure protection for an origin server.

  • Configure custom TLS settings

    If the website that you added to WAF uses HTTPS to transmit data, you can customize TLS version settings and cipher suites for the domain name of the website. For more information, see Configure custom TLS settings.
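The following Python is an added example, not code from the original page or from Alibaba Cloud: it checks an origin server's access log for requests that did not arrive from the WAF back-to-origin CIDR blocks (a sign that WAF was bypassed, as the origin-protection recommendation above warns) and renders the matching nginx allow/deny block. The CIDR blocks and log lines are constructed placeholders; take the real ranges from the WAF console.

```python
import ipaddress
import re

# Constructed placeholder ranges; replace with the back-to-origin CIDR blocks
# published in the WAF console.
WAF_BACK_TO_ORIGIN_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]

# Combined log format: client IP, ident, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def is_from_waf(ip, cidrs=WAF_BACK_TO_ORIGIN_CIDRS):
    """True if the client address falls inside a WAF back-to-origin range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not a literal IP address: never treat as trusted
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def find_direct_to_origin(log_lines, cidrs=WAF_BACK_TO_ORIGIN_CIDRS):
    """Return (ip, request, status) for each request that did not come via WAF."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and not is_from_waf(m["ip"], cidrs):
            hits.append((m["ip"], m["req"], int(m["status"])))
    return hits

def nginx_allowlist(cidrs=WAF_BACK_TO_ORIGIN_CIDRS):
    """Render an nginx access-control block that admits only the WAF ranges."""
    allows = "".join(f"    allow {c};\n" for c in cidrs)
    return "location / {\n" + allows + "    deny all;\n}"

# Constructed sample log lines, not real traffic. The third line is the page's
# /alert(xss) probe reaching the origin directly and getting a 200: WAF was bypassed.
SAMPLE_LOG = [
    '203.0.113.17 - - [12/Sep/2023:10:00:01 +0800] "GET / HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Sep/2023:10:00:02 +0800] "GET /login HTTP/1.1" 200 1024',
    '192.0.2.55 - - [12/Sep/2023:10:00:03 +0800] "GET /alert(xss) HTTP/1.1" 200 301',
    '192.0.2.56 - - [12/Sep/2023:10:00:04 +0800] "POST /admin HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, req, status in find_direct_to_origin(SAMPLE_LOG):
        print(f"direct-to-origin request: {ip} {req} -> {status}")
    print(nginx_allowlist())
```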

Add a website in transparent proxy mode

  1. On the Add Domain Name page of the WAF console, set Access Mode to Transparent Proxy Mode.

  2. Add the domain name of your website to WAF.

    Configure the following parameters:

    • Domain Name: Enter the domain name of the website that you want to protect.

    • Destination Server Port: Select the instance type and the port for the instance. WAF supports the following types of instances: ALB-based Domains, Layer 7 SLB-based Domains, Layer 4 SLB-based Domains, and ECS-based Domains.

    • Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN.

    • Enable Traffic Mark: Specify whether to enable the WAF traffic marking feature.

    • Resource Group: If you want to manage cloud resources by department or project, select the resource group to which the domain name belongs from the resource group drop-down list.

    For more information, see Transparent proxy mode.

  3. Check whether your website is protected by WAF. For more information, see Optional: Simulate simple web attack commands to check whether WAF runs as expected. For example, enter /alert(xss), which represents a web attack request, in the address bar of your browser, and then check whether WAF blocks the request. If the request is blocked, the WAF block page appears.

Add cloud services to WAF

You can use WAF together with other Alibaba Cloud security services such as Anti-DDoS Pro or Anti-DDoS Premium and Alibaba Cloud CDN to improve the security of your website.

What to do next

After your website is added to WAF, WAF filters the requests that are destined for the website and forwards normal requests to the origin server. WAF provides multiple features to protect your website against different types of attacks. By default, only the protection rules engine and HTTP flood protection features are enabled. The protection rules engine feature protects your website against common web attacks such as SQL injections, cross-site scripting (XSS) attacks, and webshell uploads. The HTTP flood protection feature protects your website against HTTP flood attacks. To use other features, you must manually enable the features and configure protection rules. For more information, see Overview of website protection features.