
Protect the origin

Last Updated: Mar 21, 2018

To prevent attackers from reaching the origin directly through its IP address, configure an ECS security group or an SLB whitelist so that the origin only accepts traffic from WAF.

Note

Origin protection is optional. Normal service forwarding is not affected if the origin is left unprotected. However, without such protection, an attacker who learns the origin's IP address can easily bypass WAF and attack the origin directly.

Configuring a security group may give rise to certain risks. We recommend that you pay attention to the following:

  • Make sure that all domain names of the ECS or SLB instances are added to WAF.
  • If the WAF cluster fails, the system may divert requests for the domain names directly to the origin. In this case, if the origin is protected by a security group, it may become unreachable from the Internet.
  • When the WAF cluster expands the back-to-source CIDR blocks, the system may throw 5xx errors frequently if the origin is configured with security group protection.

Procedure

Follow these steps to configure origin protection.

  1. Log on to the Alibaba Cloud Security WAF console, and access the Website Configuration page.

  2. Click Alibaba Cloud WAF IP range to retrieve all back-to-source IP segments of WAF.

  3. Follow these steps to configure the origin to allow access only from WAF's back-to-source IP addresses.

    For an ECS origin

    1. Go to the ECS instance list, locate the ECS instance for which you want to configure a security group, and then click Management in its Actions column.

    2. Go to the Security Groups page.

    3. Locate the target security group, and click Configure Rules under its Actions list.

    4. Click Add Security Group Rules, and configure the following security group rule:

      • NIC: Internet
      • Rule Direction: Inbound
      • Authorization Policy: Allow
      • Protocol Type: Custom TCP
      • Port Range: 80/443
      • Priority: 1
      • Authorization type: Address Field Access
      • Authorization Object: WAF back-to-source IP segments (Note: Each rule can only add one WAF back-to-source IP address.)
    5. Repeat step 4 to create a security group rule for each of the WAF back-to-source IP segments.

    6. After adding security group rules for all WAF back-to-source IP segments, add the following security group rule with priority 100 to reject inbound access from all other Internet IP segments.

      • NIC: Internet
      • Rule Direction: Inbound
      • Authorization Policy: Drop
      • Protocol Type: Custom TCP
      • Port Range: 80/443
      • Priority: 100
      • Authorization Type: Address Field Access
      • Authorization Object: 0.0.0.0/0

    Note: If the server protected by this security group communicates with other IP addresses or applications (for example, management or monitoring hosts), you must also whitelist those IP addresses and ports so the security group allows them. Alternatively, add an all-port allow rule with the lowest priority at the end of the rule list.

    For an SLB origin

    Similarly, add WAF’s back-to-source IP addresses to the corresponding SLB instance’s whitelist. For more information, see Configure a whitelist.
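The following is an added example that is not part of the original documentation. It models the priority-ordered security group from the ECS procedure above (Allow rules for each WAF back-to-source CIDR at priority 1, a Drop rule for 0.0.0.0/0 at priority 100) and includes a defender-side check for the 5xx risk noted earlier: WAF CIDRs that no Allow rule covers. The WAF CIDRs and peer addresses are constructed placeholders; retrieve the real ranges from the WAF console.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (documentation ranges), not real WAF back-to-source CIDRs.
WAF_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]
# The page's "Port Range: 80/443" is a low/high pair, i.e. ports 80 through 443.
WEB_PORTS = (80, 443)

@dataclass(frozen=True)
class Rule:
    priority: int   # 1 = highest priority, 100 = lowest, as in the ECS console
    policy: str     # "Allow" or "Drop"
    cidr: str       # Authorization Object
    ports: tuple    # (low, high), inclusive

def build_rules(waf_cidrs, extra_allow=()):
    """Rules from the procedure: one Allow per WAF CIDR at priority 1, then a
    Drop for 0.0.0.0/0 at priority 100. extra_allow holds (cidr, (low, high))
    pairs for other peers the origin must still talk to (see the Note above)."""
    rules = [Rule(1, "Allow", c, WEB_PORTS) for c in waf_cidrs]
    rules += [Rule(1, "Allow", c, p) for c, p in extra_allow]
    rules.append(Rule(100, "Drop", "0.0.0.0/0", WEB_PORTS))
    return rules

def evaluate(rules, src_ip, dst_port):
    """Return 'Allow' or 'Drop' for an inbound packet, or None when no rule
    matches (the security group then falls back to its default behaviour).
    Rules are checked in priority order; at equal priority Drop wins, which is
    the ECS tie-break (assumed here, verify against current ECS documentation)."""
    ip = ipaddress.ip_address(src_ip)
    ordered = sorted(rules, key=lambda r: (r.priority, r.policy != "Drop"))
    for r in ordered:
        if ip in ipaddress.ip_network(r.cidr) and r.ports[0] <= dst_port <= r.ports[1]:
            return r.policy
    return None

def uncovered_waf_cidrs(rules, current_waf_cidrs):
    """Defender check for the 5xx risk: WAF CIDRs (e.g. newly added after a
    cluster expansion) that no Allow rule fully covers, so WAF itself would be
    dropped by the catch-all rule."""
    allows = [ipaddress.ip_network(r.cidr) for r in rules if r.policy == "Allow"]
    return [c for c in current_waf_cidrs
            if not any(ipaddress.ip_network(c).subnet_of(a) for a in allows)]
```

Run `uncovered_waf_cidrs` against the freshly retrieved WAF IP range whenever the console list changes; a non-empty result means the origin will start rejecting WAF traffic.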
