
Web Application Firewall:FAQ about the transparent proxy mode

Last Updated: Apr 29, 2024

This topic provides answers to some frequently asked questions about adding a domain name to Web Application Firewall (WAF) in transparent proxy mode.

Can I add a domain name to WAF in CNAME record mode and transparent proxy mode?

No. You can use only one access mode to add a domain name to WAF. If you want to add a domain name to WAF in transparent proxy mode but the domain name was added in CNAME record mode, you must delete the CNAME record configurations of the domain name before you add the domain name to WAF in transparent proxy mode.

Important

The first time you add an instance to WAF, web services may be interrupted for several seconds. If clients can be automatically reconnected, the web services automatically resume. Configure reconnection mechanisms and back-to-origin settings based on your business requirements.

What do I do if a domain name that was added to WAF no longer requires WAF protection?

If you determine that the domain name no longer requires WAF protection, you can click the Servers tab on the Website Access page and find the IP address of the origin server on which the domain name is hosted. Then, disable traffic redirection for the ports that are used to redirect traffic to WAF. For more information, see the "Step 2: View and manage traffic redirection ports" section of the Transparent proxy mode topic. After you disable traffic redirection for the ports, requests that are destined for the domain name are not forwarded by WAF.

Can the origin server obtain the originating IP addresses of clients after I add a domain name to WAF in transparent proxy mode?

Yes, the origin server can obtain the originating IP addresses of clients. After you add a domain name to WAF in transparent proxy mode, WAF provides the originating IP addresses of clients to the origin server on which the domain name is hosted and does not send the back-to-origin CIDR blocks of WAF to the origin server.

If the SSL certificate that is bound to a port is updated, do I need to re-upload the certificate in the WAF console?

The operations vary based on the cloud service.

  • If the origin server is deployed on an Application Load Balancer (ALB) instance or a Layer 7 Server Load Balancer (SLB) instance, you do not need to re-upload the certificate in the WAF console. You need to only update the certificate in the ALB or SLB console. The new certificate is automatically synchronized to WAF.

    Important

    Take note that an expired certificate cannot be synchronized to WAF. You must delete the expired certificate and synchronize the new certificate.

  • If the origin server is deployed on a Layer 4 SLB instance or an Elastic Compute Service (ECS) instance, you must re-upload the certificate in the WAF console.

If a domain name is hosted on multiple SLB instances, how do I add the domain name to WAF in transparent proxy mode?

When you configure traffic redirection for the domain name, you must add all HTTP or HTTPS ports of the SLB instances to WAF. This ensures that traffic on the ports is redirected to WAF.

If you add the HTTP or HTTPS ports of only one SLB instance to WAF, only traffic on the added ports is forwarded to and protected by WAF. Traffic from other SLB instances is not forwarded to or protected by WAF.

If multiple domain names are hosted on an SLB instance, what happens if I add only one of the domain names to WAF in transparent proxy mode?

All domain names hosted on the SLB instance are protected by WAF based on the default protection rules, including the protection rules engine and HTTP flood protection. WAF detects and blocks malicious traffic that is destined for any of these domain names.

Important

In transparent proxy mode, traffic that is protected by WAF is related only to the configurations of the traffic redirection ports of ECS, SLB, or ALB instances. If multiple domain names are hosted on your SLB instance and the domain names provide services by using the same port, such as HTTPS port 443, you can specify the port as the traffic redirection port when you add one of the domain names to WAF in transparent proxy mode to ensure that all traffic on the port is protected by WAF. For more information, see Transparent proxy mode.
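The two answers above describe one rule: in transparent proxy mode, protection is decided per SLB instance and traffic redirection port, not per domain name. A domain spread across several SLB instances is only fully protected when every instance's HTTP/HTTPS port is redirected, and redirecting one port protects every domain served on it. The following coverage audit is an added example, not code from Alibaba Cloud or the WAF console; it models that rule over a constructed inventory (instance IDs, ports and domain names are all made up) so that a defender can see which listeners still bypass WAF and which additional domains a redirected port pulls in.

```python
"""Audit WAF transparent-proxy coverage for domains hosted on SLB instances.

Rule modelled here (from the FAQ): protection is granted per
(SLB instance, listener port). A redirected port protects every domain
served on it; a port that is not redirected protects none of them.
Everything below is constructed sample data, not real infrastructure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    instance_id: str    # SLB instance ID (constructed, not a real ID)
    port: int           # listener port, e.g. 80 or 443
    protocol: str       # "HTTP" or "HTTPS"
    domains: frozenset  # domain names served through this listener


# Constructed inventory: two SLB instances share www.example.com on 443,
# and lb-a also hosts shop.example.com on both 80 and 443.
SAMPLE_LISTENERS = (
    Listener("lb-a", 443, "HTTPS", frozenset({"www.example.com", "shop.example.com"})),
    Listener("lb-a", 80, "HTTP", frozenset({"shop.example.com"})),
    Listener("lb-b", 443, "HTTPS", frozenset({"www.example.com"})),
)


def audit_coverage(listeners, redirected):
    """Map each domain to its protected and unprotected (instance, port) pairs.

    `redirected` is the set of (instance_id, port) pairs for which traffic
    redirection to WAF is enabled.
    """
    report = {}
    for lst in listeners:
        key = (lst.instance_id, lst.port)
        bucket = "protected" if key in redirected else "unprotected"
        for domain in lst.domains:
            entry = report.setdefault(domain, {"protected": [], "unprotected": []})
            entry[bucket].append(key)
    for entry in report.values():          # deterministic ordering for readers and tests
        entry["protected"].sort()
        entry["unprotected"].sort()
    return report


def has_gaps(report):
    """True if any domain still has a listener whose traffic bypasses WAF."""
    return any(entry["unprotected"] for entry in report.values())


def required_redirections(listeners, domain):
    """All (instance, port) pairs that must be redirected to fully protect `domain`."""
    return {(lst.instance_id, lst.port) for lst in listeners if domain in lst.domains}


def collateral_domains(listeners, redirected, intended):
    """Domains that become protected by `redirected` although they are not in `intended`.

    This is the FAQ's second point: adding one domain on a shared port
    protects every other domain served on that port as well.
    """
    covered = set()
    for lst in listeners:
        if (lst.instance_id, lst.port) in redirected:
            covered |= lst.domains
    return covered - set(intended)


if __name__ == "__main__":
    # Only lb-a:443 was redirected when www.example.com was added.
    redirected = {("lb-a", 443)}
    report = audit_coverage(SAMPLE_LISTENERS, redirected)
    for domain, entry in sorted(report.items()):
        print(domain, "protected:", entry["protected"], "unprotected:", entry["unprotected"])
    print("gaps remain:", has_gaps(report))
    print("also protected by those ports:", collateral_domains(SAMPLE_LISTENERS, redirected, {"www.example.com"}))
    print("needed for www.example.com:", sorted(required_redirections(SAMPLE_LISTENERS, "www.example.com")))
```

Run against the constructed inventory, the audit shows that www.example.com is still reachable unprotected through lb-b:443, that shop.example.com leaks through lb-a:80, and that redirecting lb-a:443 for www.example.com already protects shop.example.com on that port. Feeding the output of `required_redirections` for every domain back into `audit_coverage` is the check that the redirection configuration is complete.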

Why am I unable to find the Layer 7 SLB instance that I want to add to WAF in transparent proxy mode?

The transparent proxy mode has specific limitations. For more information, see Transparent proxy mode.

When you add an SLB instance to WAF in transparent proxy mode, you may be unable to find the Internet-facing SLB instance that you want to add to WAF on the Layer 7 SLB-based Domains tab of the Add Domain Name page or fail to add the instance to WAF due to the following reasons:

Reason: Transparent proxy mode is unavailable in the region where your Internet-facing SLB instance resides.

Description: Only Internet-facing SLB instances and ECS instances that reside in the following regions can be added to WAF in transparent proxy mode: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Hong Kong), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).

Solution:

  • If your Internet-facing SLB instance or ECS instance resides in one of the following regions, select Chinese Mainland as the region of your WAF instance: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), and China (Shenzhen).

  • If your Internet-facing SLB instance or ECS instance resides in one of the following regions, select Outside Chinese Mainland as the region of your WAF instance: China (Hong Kong), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).

Reason: The Internet-facing SLB instance uses an IPv6 address.

Description: Internet-facing SLB instances that use IPv6 addresses do not support the transparent proxy mode.

Solution: Add an Internet-facing SLB instance that uses an IPv4 address to WAF.

Reason: No listener protocol is configured for the Internet-facing SLB instance.

Description: You cannot add SLB instances that do not have listener ports to WAF.

Solution: Add a listener port for the SLB instance in the SLB console.

Reason: The Internet-facing SLB instance cannot be added to WAF due to network architecture limits.

Description: You can add only SLB instances that do not have network architecture limits to WAF.

Solution: You can add internal-facing SLB instances that are associated with elastic IP addresses (EIPs) or new Internet-facing SLB instances to WAF.

Reason: The SSL certificate for the port of the Layer 7 Internet-facing SLB instance that you want to add to WAF is not uploaded to Alibaba Cloud Certificate Management Service.

Description: When you add Layer 7 Internet-facing SLB instances to WAF in transparent proxy mode, you must upload the SSL certificates for HTTPS ports to Certificate Management Service. If you do not upload the SSL certificates for HTTPS ports to Certificate Management Service, the certificates cannot be synchronized to WAF and you cannot add the instances to WAF.

Solution: Upload the certificate for the HTTPS port of your Layer 7 Internet-facing SLB instance to Certificate Management Service.

Reason: Mutual authentication is enabled for the listener port of the Internet-facing SLB instance.

Description: Internet-facing SLB instances for which HTTPS mutual authentication is enabled cannot be added to WAF.

Solution: Disable mutual authentication in the SLB console and add the instance to WAF in the WAF console.

Reason: The Internet-facing SLB instance is a new instance.

Description: You may be unable to find new SLB instances on the Layer 7 SLB-based Domains tab of the Add Domain Name page due to data latency.

Solution: After you purchase an SLB instance, we recommend that you wait for 1 minute to 3 minutes and refresh the WAF console before you add the instance to WAF in transparent proxy mode.

Reason: The current edition of WAF does not support the SLB instance port that you want to specify.

Description: The following editions of subscription WAF instances support the transparent proxy mode: Pro Edition, Business Edition, and Enterprise Edition. If the port that you specify is not supported by WAF, you cannot save the configuration when you specify the port on the Layer 7 SLB-based Domains tab of the Add Domain Name page.

Solution: Specify ports that are supported by the current WAF edition.

    Note

    In transparent proxy mode, the ports that you can specify vary based on the edition of the WAF instance. WAF instances of the Enterprise Edition allow you to specify non-standard ports. To view the ports that are supported by other editions of WAF, click View Allowed Port Range on the Layer 7 SLB-based Domains tab.

Reason: The zone of the ECS instance that is added to WAF in transparent proxy mode is changed.

Description: If a migration task is created and the zone of the ECS instance that is added to WAF in transparent proxy mode is changed, traffic redirection does not take effect.

Solution: Re-enable traffic redirection in the WAF console. For more information, see the "Step 2: View and manage traffic redirection ports" section of the Transparent proxy mode topic.

Can I add internal-facing SLB instances that are associated with EIPs to WAF in transparent proxy mode?

Yes, you can add internal-facing SLB instances that are associated with EIPs to WAF in transparent proxy mode.