This topic provides answers to some commonly asked questions about Web Application Firewall (WAF).
- FAQ about pre-sales consulting
- Can I use WAF to protect servers that are not deployed on Alibaba Cloud?
- Does WAF support Cloud Web Hosting instances?
- Can WAF protect HTTPS services?
- Does WAF support custom ports?
- Is the QPS limit that is configured for a WAF instance in the WAF console applied to the entire WAF instance or a single domain name added to the WAF instance?
- Which editions of WAF can defend against SMS flood attacks?
- Does WAF support two-way HTTPS authentication?
- Does WAF support the WebSocket, HTTP/2, and SPDY protocols?
- Which SSL protocols does WAF support?
- Can WAF protect websites that use New Technology LAN Manager (NTLM) authentication?
- FAQ about website access configuration
- Can I enter the private IP address of an ECS instance as the IP address of an origin server in the WAF console?
- Can WAF protect IP addresses of multiple origin servers for one domain name?
- How does WAF balance request loads among origin servers?
- Does WAF support the health check feature?
- Does WAF support session persistence?
- Does latency occur when I change the IP address of an origin server in the WAF console?
- What are the back-to-origin CIDR blocks of WAF?
- Does WAF automatically add its back-to-origin CIDR blocks to security groups?
- Do I need to allow access requests from all client IP addresses?
- Can a WAF instance that uses an exclusive IP address defend against DDoS attacks?
- Can WAF be deployed with CDN or with Anti-DDoS Pro or Anti-DDoS Premium?
- Can I deploy WAF with CDN and Anti-DDoS Pro or Anti-DDoS Premium by using different Alibaba Cloud accounts?
- FAQ about website protection configuration
- How can I use WAF to defend against HTTP flood attacks?
- How long does it take for modifications in the WAF console to take effect?
- When I configure custom protection policies (ACL policies) in the WAF console, can I enter CIDR blocks in the IP field?
- Why does a custom protection policy in which the URL match field contains two forward slashes (//) not take effect?
- FAQ about website protection analysis
Can I use WAF to protect servers that are not deployed on Alibaba Cloud?
Does WAF support Cloud Web Hosting instances?
Yes, all editions of WAF support exclusive Cloud Web Hosting instances. After you activate WAF, you can configure exclusive instances in the WAF console.
Shared Cloud Web Hosting instances use shared IP addresses, which means that multiple users share the same origin server. We recommend that you do not configure WAF for the shared instances.
Can WAF protect HTTPS services?
Yes, all editions of WAF can protect HTTPS services. You can add wildcard domain names to WAF.
To protect HTTPS services, you must upload the SSL certificate and private key files as prompted. After the HTTPS service protection is enabled, WAF decrypts access requests, examines request packets, encrypts the requests, and then forwards the requests to origin servers.
Does WAF support custom ports?
Is the QPS limit that is configured for a WAF instance in the WAF console applied to the entire WAF instance or a single domain name added to the WAF instance?
The QPS limit applies to the entire WAF instance.
For example, if you add three domain names to a WAF instance in the WAF console, the total QPS of these domain names cannot exceed the configured QPS limit. If the total QPS exceeds the limit, WAF triggers throttling and may discard packets at random.
Which editions of WAF can defend against SMS flood attacks?
All editions of WAF can defend against SMS flood attacks. For more information, see Editions and features.
Does WAF support two-way HTTPS authentication?
No, WAF does not support two-way HTTPS authentication.
Does WAF support the WebSocket, HTTP/2, and SPDY protocols?
All editions of WAF support WebSocket, and WAF Business or a higher edition supports HTTP/2. WAF does not support SPDY.
Which SSL protocols does WAF support?
- In the regions inside mainland China, WAF supports the following SSL protocols:
- TLS v1.0
- TLS v1.1
- TLS v1.2
- In the regions outside mainland China, WAF supports the following SSL protocols:
- TLS v1.1
- TLS v1.2
WAF uses the following cipher suite list, expressed as an OpenSSL cipher string (the value of the ssl_ciphers directive):
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
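The cipher string above is long enough that it is worth checking mechanically which suites it actually enables. The following script is an added example, not Alibaba Cloud's code: it parses the string quoted in this FAQ by suite name and reports the suites that lack forward secrecy and the suites that use 3DES. Keyword entries such as HIGH are reported but not expanded, because expanding them correctly requires the OpenSSL build that WAF runs, which is not available here.

```python
"""Classify the cipher suites in an OpenSSL-style cipher string.

Added example, not Alibaba Cloud's code. Suites are classified by their
OpenSSL names; keyword entries (HIGH, ...) are listed, not expanded.
"""

# Cipher string as published in this FAQ.
WAF_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
    "AES256-SHA:AES128-SHA:DES-CBC3-SHA:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)

# OpenSSL keyword groups that stand for a set of suites rather than one suite.
KEYWORDS = {"HIGH", "MEDIUM", "LOW", "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}


def parse_cipher_string(spec):
    """Split an OpenSSL cipher string into (explicit suites, keywords, exclusions)."""
    suites, keywords, excluded = [], [], []
    for entry in spec.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("!"):          # '!X' permanently removes X
            excluded.append(entry[1:])
        elif entry in KEYWORDS:
            keywords.append(entry)
        else:
            suites.append(entry)
    return suites, keywords, excluded


def classify(suite):
    """Describe one suite from its OpenSSL name."""
    return {
        "name": suite,
        # ECDHE-/DHE-/EDH- key exchange gives forward secrecy; plain RSA kx does not.
        "forward_secrecy": suite.startswith(("ECDHE-", "DHE-", "EDH-")),
        # GCM and ChaCha20-Poly1305 are AEAD; CBC-with-HMAC suites are not.
        "aead": "GCM" in suite or "CHACHA20" in suite,
        "triple_des": "DES-CBC3" in suite,
    }


def audit(spec):
    """Summarise the explicit suites of a cipher string."""
    suites, keywords, excluded = parse_cipher_string(spec)
    info = [classify(s) for s in suites]
    return {
        "count": len(suites),
        "no_forward_secrecy": [c["name"] for c in info if not c["forward_secrecy"]],
        "triple_des": [c["name"] for c in info if c["triple_des"]],
        "aead": [c["name"] for c in info if c["aead"]],
        "unexpanded_keywords": keywords,
        "excluded": excluded,
    }


if __name__ == "__main__":
    report = audit(WAF_CIPHERS)
    print(f"{report['count']} explicit suites, {len(report['aead'])} AEAD")
    print("No forward secrecy:", ", ".join(report["no_forward_secrecy"]))
    print("3DES:", ", ".join(report["triple_des"]))
    print("Keywords not expanded:", report["unexpanded_keywords"])
```

Two things the report makes visible: the "!DES" exclusion removes single-DES suites only, so the three DES-CBC3 (3DES) suites that are listed explicitly remain enabled, and the seven plain-RSA suites at the end of the list offer no forward secrecy. Whether a given client negotiates them depends on the client's own cipher preferences, which this script does not model.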
Can WAF protect websites that use New Technology LAN Manager (NTLM) authentication?
No, WAF cannot protect websites that use NTLM authentication. If your website uses NTLM authentication, access requests forwarded by WAF may fail to pass the NTLM authentication of an origin server. As a result, authentication prompts may be repeatedly displayed on the client. We recommend that you use a different authentication method for your website.
Can I enter the private IP address of an ECS instance as the IP address of an origin server in the WAF console?
No, you cannot enter the private IP address of an ECS instance. WAF forwards requests to an origin server over the Internet, so the origin server address must be publicly reachable.
Can WAF protect IP addresses of multiple origin servers for one domain name?
Yes, you can enter a maximum of 20 IP addresses of origin servers when you add a domain name in the WAF console.
How does WAF balance request loads among origin servers?
If you configure more than one origin server, WAF balances request loads among these origin servers by using a round-robin method.
Does WAF support the health check feature?
Does WAF support session persistence?
Yes, WAF supports session persistence, which is disabled by default. If you want to enable session persistence, submit a ticket to contact technical support.
Does latency occur when I change the IP address of an origin server in the WAF console?
Yes, latency occurs when you change the IP address of an origin server. The new IP address requires 1 minute to take effect.
What are the back-to-origin CIDR blocks of WAF?
You can query back-to-origin CIDR blocks in the WAF console. Perform the following operations: Log on to the WAF console and choose . For more information, see Allow access from WAF back-to-origin CIDR blocks.
Does WAF automatically add its back-to-origin CIDR blocks to security groups?
No, WAF does not automatically add its back-to-origin CIDR blocks to security groups. If you deploy other firewalls or host protection software for origin servers, we recommend that you add the back-to-origin CIDR blocks of WAF to the required whitelists.
We recommend that you configure specific protection policies for the origin servers. For more information, see Configure protection for an origin server.
Do I need to allow access requests from all client IP addresses?
You can allow access requests from only the back-to-origin CIDR blocks of WAF or all client IP addresses.
To protect web services of origin servers, we recommend that you allow access requests from only the back-to-origin CIDR blocks of WAF.
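An allowlist that admits only the back-to-origin CIDR blocks is only useful if it is actually enforced, and the quickest way to find out is to look at who reaches the origin. The following script is an added example, not Alibaba Cloud's code: it reads an origin server's access log and flags requests whose peer address is outside the WAF back-to-origin blocks, which is exactly the traffic that bypassed WAF. The CIDR blocks and log lines in it are constructed placeholders from the RFC 5737 documentation ranges; substitute the blocks shown in the WAF console.

```python
"""Find requests that reached an origin server without passing through WAF.

Added example, not Alibaba Cloud's code. WAF_BACK_TO_ORIGIN and SAMPLE_LOG
are constructed placeholders; use the CIDR blocks from the WAF console.
"""
import ipaddress
import re

# Placeholder back-to-origin ranges (assumption; take the real list from the console).
WAF_BACK_TO_ORIGIN = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed nginx combined-format lines: three arrive via WAF, one hits the origin directly.
SAMPLE_LOG = """\
192.0.2.17 - - [01/Jan/2024:10:00:01 +0800] "GET /api/sms/request HTTP/1.1" 200 512
198.51.100.9 - - [01/Jan/2024:10:00:02 +0800] "POST /login HTTP/1.1" 302 0
203.0.113.45 - - [01/Jan/2024:10:00:03 +0800] "GET /admin HTTP/1.1" 200 1024
192.0.2.201 - - [01/Jan/2024:10:00:04 +0800] "GET /index.html HTTP/1.1" 200 2048
"""

# peer, timestamp, request line, status: the leading fields of the combined format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def build_networks(cidrs):
    """Parse CIDR strings once; strict=False tolerates host bits in a pasted list."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_from_waf(addr, networks):
    """True when the TCP peer address lies inside a WAF back-to-origin block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def find_direct_hits(log_text, networks):
    """Return (peer, request, status) for every request that did not come through WAF."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than silently treat as trusted
        peer, _ts, request, status = m.groups()
        if not is_from_waf(peer, networks):
            hits.append((peer, request, int(status)))
    return hits


def allowlist_rules(cidrs):
    """Render the blocks as nginx 'allow' directives with a closing 'deny all'.

    This is the same policy as an ECS security group that opens 80/443 only
    to the back-to-origin blocks; keeping both is a cheap defence in depth.
    """
    rules = [f"allow {net.with_prefixlen};" for net in build_networks(cidrs)]
    return rules + ["deny all;"]


if __name__ == "__main__":
    nets = build_networks(WAF_BACK_TO_ORIGIN)
    for peer, request, status in find_direct_hits(SAMPLE_LOG, nets):
        print(f"BYPASS {peer} {status} {request}")
    print("\n".join(allowlist_rules(WAF_BACK_TO_ORIGIN)))
```

Run it against the real log after tightening the security group: any BYPASS line left means a rule is still too permissive, or a second path to the origin (an old public IP, another listener) exists. Remember that the peer address here is the WAF node, not the end user; the allowlist must be keyed on it, not on client addresses.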
Can a WAF instance that uses an exclusive IP address defend against DDoS attacks?
Yes, a WAF instance that uses an exclusive IP address can defend against DDoS attacks.
- WAF provides exclusive IP addresses for users. The DDoS blackhole filtering policy that applies to the IP addresses of ECS and SLB instances also applies to these exclusive IP addresses.
- By default, a WAF instance that uses an exclusive IP address has the same DDoS mitigation capability as an ECS instance in the region where the WAF instance is deployed.
Can WAF be deployed with CDN or with Anti-DDoS Pro or Anti-DDoS Premium?
Yes, WAF is fully compatible with CDN, Anti-DDoS Pro, and Anti-DDoS Premium. If you want to deploy WAF with CDN and Anti-DDoS Pro or Anti-DDoS Premium, we recommend that you deploy components in the following sequence: client, Anti-DDoS Pro or Anti-DDoS Premium, CDN, WAF, SLB, and origin server.
Can I deploy WAF with CDN and Anti-DDoS Pro or Anti-DDoS Premium by using different Alibaba Cloud accounts?
Yes, you can deploy WAF with CDN and Anti-DDoS Pro or Anti-DDoS Premium by using different accounts. This deployment allows you to defend against DDoS and web application attacks.
How can I use WAF to defend against HTTP flood attacks?
WAF provides various HTTP flood protection modes. You can select a mode based on your business requirements. For more information, see Configure HTTP flood protection.
To achieve better protection and lower false positive rates, you can use the WAF Business edition or WAF Enterprise edition. In addition, we recommend that you request security experts to tailor protection algorithms specific to your business requirements. For more information, see Create a custom protection policy.
How long does it take for modifications in the WAF console to take effect?
In most cases, modifications take effect within one minute.
When I configure custom protection policies (ACL policies) in the WAF console, can I enter CIDR blocks in the IP field?
Yes, you can enter CIDR blocks in the IP field when you configure custom protection policies in the WAF console.
Why does a custom protection policy in which the URL match field contains two forward slashes (//) not take effect?
Before the rules engine of WAF evaluates the URL match field, it compresses consecutive forward slashes (/) in the request URL into a single slash. A policy whose URL match field contains two forward slashes (//) therefore never matches, because the normalized request URL no longer contains them.
If you want to define an ACL policy for a URL that contains two forward slashes (//), enter a single forward slash (/) instead. For example, if you want to set the URL match field to //api/sms/request, enter /api/sms/request instead. This way, WAF can correctly implement access control based on the policy.
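The following script is an added example, not Alibaba Cloud's code, that models the one behaviour described above: the request path is normalized by collapsing runs of slashes before it is compared with the rule value. It shows why a rule value of //api/sms/request never matches, confirms that /api/sms/request matches both the single- and double-slash spellings of the request, and lints a list of rule values for ones that can never match. The "exact" and "prefix" match modes are assumptions for illustration, not a statement of the match conditions the WAF console offers.

```python
"""Model the slash compression that WAF applies before URL matching.

Added example, not Alibaba Cloud's code. The match modes are assumed for
illustration; only the slash compression is taken from the FAQ.
"""
import re

_MULTI_SLASH = re.compile(r"/{2,}")


def normalize_path(url):
    """Collapse runs of '/' in the path part of a URL; the query string is left alone."""
    path, sep, query = url.partition("?")
    return _MULTI_SLASH.sub("/", path) + sep + query


def url_matches(rule_value, request_url, mode="prefix"):
    """Compare a rule value with a request URL after normalizing the request only.

    The rule value is compared literally, which is why a value containing
    '//' can never match a normalized request path.
    """
    path = normalize_path(request_url)
    if mode == "exact":
        return path == rule_value
    if mode == "prefix":
        return path.startswith(rule_value)
    raise ValueError(f"unknown match mode: {mode}")


def lint_rule_urls(rule_values):
    """Return (original, suggested) for rule values that contain consecutive slashes."""
    return [(v, normalize_path(v)) for v in rule_values if _MULTI_SLASH.search(v)]


if __name__ == "__main__":
    # Constructed request URLs a client might send for the same endpoint.
    requests = ["/api/sms/request", "//api/sms/request", "/api//sms/request?x=1"]
    for rule in ("//api/sms/request", "/api/sms/request"):
        hits = [r for r in requests if url_matches(rule, r)]
        print(f"rule {rule!r} matches {len(hits)}/{len(requests)} requests: {hits}")
    for bad, good in lint_rule_urls(["/login", "//api/sms/request", "/v1//users"]):
        print(f"rule {bad!r} can never match; use {good!r}")
```

Running lint_rule_urls over an exported list of custom protection policies is the quickest way to find rules that were silently dead since they were created.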
Can I view the source IP addresses of HTTP flood attacks in the WAF console?
Yes, you can view the source IP addresses of HTTP flood attacks after you enable Log Service of WAF. For more information, see Enable Log Service for WAF and Enable log query.
How do I query the bandwidth usage of WAF?
You can query the bandwidth usage of WAF on the Overview page in the WAF console.