Use CDN with WAF

Last Updated: Jan 15, 2018

Alibaba Cloud Security WAF can be used in combination with ChinaNetCenter, Jiasule, Qiniu, Yupoo, Alibaba Cloud, and others to defend domain names with CDN enabled against web attacks.

Deployment architecture

Visitors > CDN > WAF > Server Load Balancer, ECS, server

Note: Most CDN service providers do not defend against HTTP Flood attacks, and requests to a domain name that is under an HTTP Flood attack are intercepted at the CDN level. We recommend that you enable WAF independently for domain names that are frequently targeted by HTTP Flood attacks.

Deployment guide

Alibaba Cloud CDN

  1. Configure CDN and connect the domain name to CDN.

  2. Configure WAF.

    1. The domain name for WAF must be consistent with the one configured for CDN (you can configure a wildcard domain name).
    2. Enter the Server Load Balancer Internet IP address, ECS Internet IP address, or off-cloud server IP address for the origin site.
    3. Select Yes for Other proxies enabled already? and click Next.

  3. Once configuration is successful, WAF generates a CNAME address.

  4. Change the origin site that is originally configured in CDN to the CNAME address assigned by WAF.

    Note:

    • You only need to modify the CDN origin site.
    • Enable Protocol with back-to-source.
    • Do not modify Back-to-source host. Make sure that this toggle is switched off after the domain name is configured in CDN.

  5. After the operation is complete, the traffic goes through CDN, and the dynamic content continues to be checked and protected by WAF.

Non-Alibaba Cloud CDN

  1. Configure CDN, and connect the domain name to CDN.

  2. Configure WAF.

    1. The domain name for WAF must be consistent with the one configured for CDN (you can configure a wildcard domain name).
    2. Enter the server IP address for the origin site. You can use the origin site IP address configured in CDN.
    3. Select Yes for Other proxies enabled already? and click Next.

  3. Once configuration is successful, WAF generates a CNAME address.

  4. Change the origin site that was originally configured in CDN to the CNAME address assigned by WAF.
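
The checks from both deployment guides can be run against an export of the two configurations. The following is an added example, not Alibaba Cloud code: the dictionary keys, the wildcard rule (a wildcard covers subdomains but not the apex), and the sample values are assumptions made for illustration.

```python
import ipaddress

def norm(name):
    return name.lower().rstrip(".")

def domain_covered(waf_domain, cdn_domain):
    # Assumption: "*.example.com" covers any subdomain but not the apex.
    waf, cdn = norm(waf_domain), norm(cdn_domain)
    if waf.startswith("*."):
        return cdn.endswith(waf[1:]) and cdn != waf[1:]
    return waf == cdn

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit(cdn, waf):
    """Return findings; an empty list means the settings match the guide."""
    findings = []
    if not domain_covered(waf["domain"], cdn["domain"]):
        findings.append("WAF domain does not match the CDN domain")
    if not is_ip(waf["origin"]):
        findings.append("WAF origin site is not an IP address")
    if not waf["other_proxies_enabled"]:
        findings.append("'Other proxies enabled already?' is not Yes")
    if is_ip(cdn["origin"]):
        findings.append("CDN origin is an IP address, not the WAF CNAME")
    elif norm(cdn["origin"]) != norm(waf["cname"]):
        findings.append("CDN origin is not the CNAME assigned by WAF")
    # Notes from the Alibaba Cloud CDN guide; keys may be absent for other CDNs.
    if cdn.get("protocol_back_to_source") is False:
        findings.append("Protocol with back-to-source is not enabled")
    if cdn.get("back_to_source_host_enabled"):
        findings.append("Back-to-source host has been modified")
    return findings

# Constructed sample values (documentation address range, placeholder CNAME).
WAF = {"domain": "*.example.com", "origin": "203.0.113.10",
       "other_proxies_enabled": True, "cname": "placeholder.waf.example"}
CDN_OK = {"domain": "www.example.com", "origin": "placeholder.waf.example",
          "protocol_back_to_source": True, "back_to_source_host_enabled": False}
CDN_STALE = dict(CDN_OK, origin="203.0.113.10")  # step 4 was skipped

if __name__ == "__main__":
    for label, cdn in (("ok", CDN_OK), ("stale", CDN_STALE)):
        print(label, audit(cdn, WAF))
```

A CDN origin that still holds the server IP address means requests go from CDN straight to the server and are never inspected by WAF.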
