After you add your website to the WAF console, you can configure access control policies for your origin server to allow inbound traffic from only WAF back-to-origin CIDR blocks. This protects you from direct-to-origin attacks. This topic describes how to configure security group rules and whitelist policies for an origin server that is deployed on ECS and SLB instances.

Prerequisites

  • The origin server is deployed on the ECS and SLB instances. All domain names deployed on those instances are added to and protected by WAF. For more information, see Add domain names.
  • The traffic to the website has been resolved to WAF for protection. This means the DNS resolution status of the domain name is normal in the WAF console. For more information, see Check the DNS resolution status.

Precautions

After you add your website to the WAF console for protection, traffic is always forwarded to the origin server, regardless of whether you configure protection for the origin server itself. If the IP address of your origin server is exposed, malicious parties can bypass WAF and launch direct-to-origin attacks. Restricting inbound traffic on the origin server to the WAF back-to-origin CIDR blocks prevents such attacks. For more information about how to determine whether the IP address of your origin server is exposed, see FAQ.

Risks may arise when you configure the access control policies on the origin server. Take note of the following items before you configure protection for the origin server:
  • Make sure that all domain names whose origin servers are deployed on ECS and SLB instances are added to the WAF console.
  • If a WAF cluster fails, requests may be forwarded to the origin server in bypass mode to avoid service interruptions. In this case, if you have configured the ECS security group or SLB whitelist policies for the origin server, users may not be able to access your origin server from the Internet.
  • If new back-to-origin CIDR blocks are added after a WAF cluster scale-out and your ECS security group and SLB whitelist policies do not yet include them, HTTP 5xx errors may be frequently reported.

Obtain WAF back-to-origin CIDR blocks

Notice The WAF back-to-origin CIDR blocks are updated on a regular basis. Pay attention to update notifications and make sure that you add the updated back-to-origin CIDR blocks to the security group and whitelist policies in a timely manner to avoid service interruption.
  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose System Management > Product Information.

Configure ECS security group rules

If your origin server is deployed on an ECS instance, you must configure security group rules for the ECS instance after obtaining the WAF back-to-origin CIDR blocks. These security group rules only allow inbound traffic from the WAF back-to-origin CIDR blocks.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select the resource group and region of the ECS instance.
  4. In the Instances section, find the target instance and choose More > Network and Security Group > Configure Security Group in the Actions column.
  5. Find the security group that you want to configure and click Add Rules in the Actions column.
  6. Click Add Security Group Rule.
  7. In the Add Security Group Rule dialog box, specify the required parameters and click OK.
    NIC Type: The default NIC type is the same as the network type of the ECS instance.
      • When the network type of the ECS instance is VPC, the default value is Internal.
      • When the network type of the ECS instance is a classic network, set NIC Type to Public.
    Rule Direction: Select Inbound.
    Action: Select Allow.
    Protocol Type: Select Custom TCP.
    Port Range: Enter 80/443.
    Priority: Enter 1, which indicates the highest priority.
    Authorization Type: Select IPv4 CIDR Block.
    Authorization Object: Paste the copied back-to-origin CIDR blocks. CIDR blocks follow the 10.x.x.x/32 format. Separate multiple CIDR blocks with commas (,). You can add up to 10 CIDR blocks to each security group rule.
      Note We recommend that you put all WAF back-to-origin CIDR blocks into multiple security groups and add multiple security group rules for authorization.
    Description: The description of the security group rule. Example: Allow inbound traffic from the WAF back-to-origin CIDR blocks.
    The security group rule that you added takes the highest priority and allows all inbound traffic from the WAF back-to-origin CIDR blocks.
    Warning Make sure that you add all WAF back-to-origin CIDR blocks to the security group rules. Otherwise, access exceptions may occur.
  8. Add another security group rule with the lowest priority and configure it as follows to block all other access.
    The following list shows the specific rule configurations.
    NIC Type: The default NIC type is the same as the network type of the ECS instance.
      • When the network type of the ECS instance is VPC, the default value is Internal.
      • When the network type of the ECS instance is a classic network, set NIC Type to Public.
    Rule Direction: Select Inbound.
    Action: Select Forbid.
    Protocol Type: Select Custom TCP.
    Port Range: Enter 80/443.
    Priority: Enter 100, which indicates the lowest priority.
    Authorization Type: Select IPv4 CIDR Block.
    Authorization Object: Enter 0.0.0.0/0, which indicates all CIDR blocks.
    Description: The description of the security group rule. Example: Block all inbound traffic, with a priority of 100.
Note If your origin server communicates with other IP addresses or applications, you must add another security group rule to allow access from them. Alternatively, you can add a security group rule to allow access from all ports and set it to the lowest priority.

Configure SLB access control policies

If your origin server sits behind an SLB instance, you must obtain the WAF back-to-origin CIDR blocks and configure an access control policy (whitelist) for the SLB instance. The policy allows only inbound traffic from the WAF back-to-origin CIDR blocks.

  1. Log on to the SLB console.
  2. In the left-side navigation pane, click Access Control.
  3. Click Create Access Control List.
  4. On the Create Access Control List page, configure the following policy group and click OK.
    Access Control List Name: The name of the custom policy group. Example: WAF back-to-origin CIDR block
    Resource Group: Select the resource group to which the policy group belongs.
    IP Version: Select IPv4.
    Add Multiple Addresses and Descriptions: Paste all WAF back-to-origin IP addresses. Enter one entry per line. Start a new line by pressing Enter.
      Note The copied WAF back-to-origin CIDR blocks are separated by commas (,). When you copy those IP addresses, we recommend that you use a text editor that supports extended replacement, such as Notepad or Word, to replace the commas (,) with line breaks (\n).
  5. In the left-side navigation pane, choose Instances > Server Load Balancers.
  6. On the Server Load Balancers page, find the target instance and click its ID.
  7. On the Listener tab, find the target listener and choose More > Set Access Control.
  8. On the Access Control Settings page, turn on Enable Access Control, configure the following parameters, and click OK.
    Access Control Method: Select Whitelist to allow specified IP addresses to access the SLB instance.
    Access Control List: Select the access control list that you created for the WAF back-to-origin IP addresses.
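Both procedures above consume the same comma-separated list copied from the WAF console, but in different shapes: ECS security group rules take at most 10 CIDR blocks per rule, while the SLB access control list wants one entry per line. The following script is an added example, not Alibaba Cloud tooling; the CIDR blocks in it are constructed placeholders, and the ipaddress validation is an assumption about how you would like typos caught before they turn into missing whitelist entries.

```python
"""Reformat WAF back-to-origin CIDR blocks for ECS security group rules and SLB ACLs.

Added example (not Alibaba Cloud's own tooling). RAW_FROM_CONSOLE is a
constructed placeholder; replace it with the list copied from
System Management > Product Information in the WAF console.
"""
import ipaddress

# Constructed sample in the comma-separated form the console provides
# (12 distinct blocks plus one duplicate, to show de-duplication).
RAW_FROM_CONSOLE = ",".join(f"10.0.0.{i}/32" for i in range(1, 13)) + ",10.0.0.3/32"


def parse_cidrs(raw: str) -> list[str]:
    """Split the console text into validated IPv4 CIDR blocks.

    Whitespace is stripped, exact duplicates are dropped (order preserved),
    and an entry that is not a valid IPv4 network (or has host bits set,
    a typical typo) raises ValueError instead of silently being skipped.
    """
    seen: dict[str, None] = {}
    for token in raw.replace("\n", ",").split(","):
        token = token.strip()
        if not token:
            continue
        net = ipaddress.ip_network(token, strict=True)  # raises ValueError on junk
        if net.version != 4:
            raise ValueError(f"not IPv4 (the SLB ACL above is IPv4-only): {token}")
        seen.setdefault(str(net), None)
    return list(seen)


def ecs_rule_chunks(cidrs: list[str], max_per_rule: int = 10) -> list[str]:
    """One comma-joined Authorization Object string per ECS security group rule."""
    return [",".join(cidrs[i:i + max_per_rule]) for i in range(0, len(cidrs), max_per_rule)]


def slb_acl_text(cidrs: list[str]) -> str:
    """Newline-separated entries for the SLB 'Add Multiple Addresses' field."""
    return "\n".join(cidrs)


if __name__ == "__main__":
    cidrs = parse_cidrs(RAW_FROM_CONSOLE)
    print(f"{len(cidrs)} unique CIDR blocks")
    for n, rule in enumerate(ecs_rule_chunks(cidrs), start=1):
        print(f"ECS rule {n} (Inbound, Allow, Custom TCP 80/443, priority 1): {rule}")
    print("SLB ACL entries:\n" + slb_acl_text(cidrs))
```

Every chunk printed for ECS must be added as its own rule; the deny rule for 0.0.0.0/0 stays at priority 100 so the allow rules always win.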

What to do next

After you configure the ECS security group and SLB whitelist policies, test whether the IP address of the origin server can be reached on ports 80 and 8080 to check whether the protection configurations are in effect.

If the origin server cannot be reached on these ports but your service is running normally, the protection configurations are in effect.

FAQ

How can I confirm that the IP address of the origin server remains concealed?

Use Telnet to establish a connection from a host that is not deployed on Alibaba Cloud to the service port of the public IP address of your origin server.
  • If the connection is established, the IP address of your origin server may be exposed. Malicious parties that obtain the public IP address can bypass WAF and launch attacks on your origin server.
  • If the connection fails, your origin server is secure.
For example, test the connectivity of ports 80 and 8080 of the origin server that is protected by WAF. If the ports are reachable, your origin server is insecure.
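The check described in What to do next and in this FAQ has two halves: the origin must refuse direct connections on the test ports, and the site must still be served normally through WAF. The script below is an added example, not part of the Alibaba Cloud documentation; ORIGIN_IP and SITE are placeholders, and using an HTTP request to stand in for "service is running normally" is an assumption.

```python
"""Verify that origin protection is in effect: direct ports closed, site still up.

Added example (not Alibaba Cloud documentation). Run it from a host that is
NOT on Alibaba Cloud. ORIGIN_IP and SITE are placeholders to replace.
"""
import socket
import urllib.error
import urllib.request

ORIGIN_IP = "192.0.2.10"          # placeholder (TEST-NET-1): public IP of your origin server
SITE = "https://www.example.com"  # placeholder: a domain of yours that is protected by WAF
PORTS = (80, 8080)                # the ports the page says to test


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes (same signal as Telnet connecting)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, no route, DNS failure: all mean "not reachable"
        return False


def site_reachable(url: str, timeout: float = 5.0) -> bool:
    """True if the domain answers through WAF; any HTTP status, even 4xx, counts as answering."""
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True  # the site responded, so the service itself is up
    except (urllib.error.URLError, OSError):
        return False


def verdict(direct: dict[int, bool], site_ok: bool) -> str:
    """Apply the page's rule: direct ports closed AND service normal means protected."""
    open_ports = sorted(p for p, ok in direct.items() if ok)
    if open_ports:
        return f"EXPOSED: origin answers directly on port(s) {open_ports}; WAF can be bypassed"
    if not site_ok:
        return "BLOCKED BUT SITE DOWN: check that every WAF back-to-origin CIDR block is allowed"
    return "PROTECTED: direct access is blocked and the site is served through WAF"


if __name__ == "__main__":
    direct = {p: probe_port(ORIGIN_IP, p) for p in PORTS}
    print(verdict(direct, site_reachable(SITE)))
```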