Web Application Firewall (WAF) can be used in combination with a content delivery network (CDN), such as Alibaba Cloud CDN, to protect domain names against web attacks. The domain names have content acceleration enabled.

Background information

You can deploy WAF and CDN in the following sequence: CDN, WAF, and origin servers. CDN is deployed at the ingress layer to accelerate the distribution of content. WAF is deployed at the intermediate layer to protect applications.

Use Alibaba Cloud CDN

  1. Add the domain name that you want to accelerate to Alibaba Cloud CDN. For more information, see CDN quick start.
  2. Add the domain name to WAF.
    • Domain Name: Enter the domain name that you want to protect.
    • Destination Server (IP Address): Enter the public IP address of the SLB instance, the public IP address of the ECS instance, or the IP address of the server that is not deployed on Alibaba Cloud.
    • Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes.

    For more information, see Add websites.

    Add Domain Name page
  3. After the domain name is added to WAF, WAF generates a dedicated canonical name (CNAME) for the domain name.
    Note For more information about how to view the CNAME that is generated by WAF, see Change a DNS record.
  4. Change the DNS record of the origin server in the Alibaba Cloud CDN console to point to the CNAME.
    1. Log on to the Alibaba Cloud CDN console.
    2. Open the Domain Names page. On the page that appears, select the required domain name and click Manage.
    3. In the Origin Information section, click Modify.
    4. Modify the information of the origin server.
      • Origin Info: Select Site Domain.
      • Domain Name: Enter the CNAME that is generated by WAF.
      • Port: Select 80.
      Add Origin Server dialog box
    5. Go to the Back-to-origin page. On the Configurations tab, verify that Origin Host is disabled.
      Configurations tab
    After the configuration is complete, traffic passes through Alibaba Cloud CDN. The dynamic content remains detected and protected by WAF.