Dynamic Route for CDN (DCDN) is integrated with Web Application Firewall (WAF) to protect your websites from vulnerabilities and attacks such as SQL injection, webshells, and cross-site scripting (XSS). WAF prevents your domain names from being identified as dangerous websites by browsers and search engines. In addition, WAF protects your websites from spam content, malicious pop-up windows, domain hijacking, website vulnerabilities, Trojans, data breaches, and password leaks. After you activate WAF, you must configure protection policies for different accelerated regions. This way, WAF can process traffic in different regions based on domain names.

Background information

WAF is a security service that protects your websites and applications. WAF identifies malicious web traffic, scrubs and filters the malicious traffic, and then forwards safe traffic to your server. This protects your web servers from attacks and ensures data and business security. For more information about features of WAF, see What is WAF?.

Prerequisites

  • WAF Pro Edition or WAF Business Edition is activated. If you have not activated WAF Pro Edition or WAF Business Edition, submit a ticket.
  • Before you enable WAF for an accelerated domain name, make sure that the accelerated region of the domain name is set to Global or Global (Excluding Mainland China). For more information about how to change the accelerated region for an accelerated domain name, see Modify basic information.

Value-added services

For more information about how to configure features of WAF, see the WAF documents. The following table lists the features supported by WAF Business Edition and Pro Edition.
Feature Pro Edition Business Edition
Scan protection Supported Supported
Account security Not supported Supported
HTTP flood protection Not supported Supported
IP blacklists Supported Supported
Rate Limit Not supported Supported
Bot threat intelligence rules Not supported Supported
JavaScript validation Not supported Supported
Crawler whitelists Not supported Supported
Web application protection Supported Supported
Zero-day attack protection Supported Supported
Block and Warn protection modes Supported Supported
Decoding and analytics of request data in specified formats Supported Supported
Custom rule groups Not supported Supported
HTTP access control list (ACL) policies Supported Supported
Log Service Supported with a storage capacity up to 1 TB Supported of a storage capacity up to 3 TB

Configure WAF for one domain name

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Configure page, find the domain name that you want to manage and click Domain Names in the Actions column.
  4. In the left-side navigation pane on the details page of the specified domain name, click Security Settings.
  5. On the WAF tab, turn on the WAF - Mainland China switch.
  6. Click Modify Configurations.
  7. Follow the instructions on the page to configure the protection features on the Web Security and Access Control/Throttling tabs.
    Parameter Action Description
    Web Security Status You can turn on or off web application protection.
    Mode Web application protection supports the following protection modes:
    • Block: blocks attacks immediately after they are detected.
    • Alert: sends alerts after attacks are detected but does not block the attacks.
    Protection Rule Group Web application protection supports the following protection rules:
    • Loose rule group: If the Medium rule group causes a high rate of false positives, we recommend that you select the Loose rule group. The loose rule group has the lowest false positive rate but the highest false negative rate.
    • Medium rule group: the default protection rule.
    • Strict rule group: If you require stronger protection against path traversal, SQL injections, and command execution attacks, we recommend that you select the Strict rule group.
    Decoding Settings You can specify the data formats that need to be decoded and analyzed by the RegEx protection engine.
    1. Click jiema to select data formats from the drop-down list.
    2. Select or clear data formats based on your business requirements.
      • You cannot clear the following formats: URL Decoding, JavaScript Unicode Decoding, Hex Decoding, Comment Processing, and Space Compression.
      • You can clear the following formats: Multipart Data Parsing, JSON Data Parsing, XML Data Parsing, Serialized PHP Data Decoding, HTML Entity Decoding, UTF-7 decoding, Base64 Decoding, and Form Data Parsing.
    3. Click OK.
    Note To ensure higher performance, the RegEx protection engine decodes and analyzes the request content in all formats by default. If the RegEx protection engine blocks requests that contain content in formats that you do not want to block, you can clear the formats to reduce the false positive rate.
    Access Control/Throttling IP Blacklist Status You can enable or disable the IP blacklist feature.
    Note You can use the IP blacklist to block requests from specified IP addresses or CIDR blocks, or limit requests from IP addresses in specified regions. You can click Settings to add IP addresses or regions to the blacklist.
    Custom Protection Policy Status You can enable or disable the custom protection policy feature.
    Note This allows you to customize an access control rule and apply the access control rule to a specific object. A default rule is provided. You can click Settings to add a rule.

Configure WAF for multiple domain names

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, choose WAF > Domain Names.
  3. Add the domain name for which you want to enable WAF.
    1. On the Domain Names page, click Add Domain to WAF.
    2. In the Add Domain to WAF dialog box, select the domain name that you want to add.
      Note You can add only one domain name at a time. To add multiple domain names, repeat this step.
    3. Click OK.
  4. Configure protection.
    1. On the Domain Names page, find the domain name and click Configure Protection.
    2. Follow the instructions on the page to configure the protection features on the Web Security and Access Control/Throttling tabs.
      Parameter Action Description
      Web Security Status You can turn on or off web application protection.
      Mode Web application protection supports the following protection modes:
      • Block: blocks attacks immediately after they are detected.
      • Alert: sends alerts after attacks are detected but does not block the attacks.
      Protection Rule Group Web application protection supports the following protection rules:
      • Loose rule group: If the Medium rule group causes a high rate of false positives, we recommend that you select the Loose rule group. The loose rule group has the lowest false positive rate but the highest false negative rate.
      • Medium rule group: the default protection rule.
      • Strict rule group: If you require stronger protection against path traversal, SQL injections, and command execution attacks, we recommend that you select the Strict rule group.
      Decoding Settings You can specify the data formats that need to be decoded and analyzed by the RegEx protection engine.
      1. Click jiema to select data formats from the drop-down list.
      2. Select or clear data formats based on your business requirements.
        • You cannot clear the following formats: URL Decoding, JavaScript Unicode Decoding, Hex Decoding, Comment Processing, and Space Compression.
        • You can clear the following formats: Multipart Data Parsing, JSON Data Parsing, XML Data Parsing, Serialized PHP Data Decoding, HTML Entity Decoding, UTF-7 decoding, Base64 Decoding, and Form Data Parsing.
      3. Click OK.
      Note To ensure higher performance, the RegEx protection engine decodes and analyzes the request content in all formats by default. If the RegEx protection engine blocks requests that contain content in formats that you do not want to block, you can clear the formats to reduce the false positive rate.
      Access Control/Throttling IP Blacklist Status You can enable or disable the IP blacklist feature.
      Note You can use the IP blacklist to block requests from specified IP addresses or CIDR blocks, or limit requests from IP addresses in specified regions. You can click Settings to add IP addresses or regions to the blacklist.
      Custom Protection Policy Status You can enable or disable the custom protection policy feature.
      Note This allows you to customize an access control rule and apply the access control rule to a specific object. A default rule is provided. You can click Settings to add a rule.