After you add your website to Web Application Firewall (WAF), you can configure access control policies for your origin server to allow inbound traffic only from WAF back-to-origin CIDR blocks. This way, your website is protected from direct-to-origin attacks. This topic describes how to configure security group rules or access control (whitelist) policies for an origin server that is deployed on an Elastic Compute Service (ECS) or Classic Load Balancer (CLB) instance, formerly known as a Server Load Balancer (SLB) instance.

Prerequisites

  • The origin server is deployed on an ECS or CLB instance. For more information about ECS and CLB instances, see ECS instances and CLB instances.
  • All domain names that are hosted on the origin server are added to WAF.

    For more information, see Add a website.

Precautions

After you add your website to WAF for protection, traffic is forwarded regardless of whether you configure protection for your origin server. If the IP address of your origin server is exposed, malicious parties can bypass WAF and launch direct-to-origin attacks. In this scenario, you must configure protection for your origin server. For more information about how to determine whether the IP address of your origin server is exposed, see How do I determine whether the IP address of my origin server is exposed?.

If you configure access control policies on the origin server, security risks may occur. Before you configure protection for an origin server, take note of the following items:
  • Make sure that all domain names hosted on the origin server are added to WAF and that the origin server is deployed on an ECS or CLB instance.
  • If a WAF cluster fails, requests that are destined for your website are directed to the origin server in bypass mode. This ensures service continuity. In this case, if you have configured ECS security group rules or CLB access control policies for the origin server, the origin server cannot be accessed over the Internet.
  • If back-to-origin CIDR blocks are added during a WAF cluster scale-out and you have configured ECS security group rules or CLB access control policies for the origin server, HTTP 5xx status codes may be frequently returned.

Obtain the WAF back-to-origin CIDR blocks

Notice The WAF back-to-origin CIDR blocks are updated on a regular basis. To avoid service interruption, take note of update notifications and add the updated back-to-origin CIDR blocks to the security group rules or access control policies that are configured for your origin server at the earliest opportunity.
  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose System Management > Product Information.
  4. In the lower part of the Product Information page, find the WAF IP Segments section and click Copy All IPs.
    The WAF IP Segments section displays the latest back-to-origin CIDR blocks.

Configure ECS security group rules

If your origin server is deployed on an ECS instance, you must configure security group rules for the ECS instance after you obtain the WAF back-to-origin CIDR blocks. These security group rules allow inbound traffic only from the WAF back-to-origin CIDR blocks.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select the resource group and region of the ECS instance.
  4. On the Instances page, find the ECS instance and choose More > Network and Security Group > Configure Security Group in the Actions column.
  5. Find the security group that you want to configure and click Add Rules in the Actions column.
  6. Add a security group rule with the highest priority to allow inbound traffic only from the WAF back-to-origin CIDR blocks.
    1. On the Inbound tab of the Access Rule section, click Add Rule.
    2. Configure the following parameters and click Save.
      Action: Select Allow.
      Priority: Enter 1, which specifies the highest priority.
      Protocol Type: Select Custom TCP.
      Port Range: Select HTTP (80) and HTTPS (443).
      Authorization Object: Paste the back-to-origin CIDR blocks that you obtained into the Source field. Press Ctrl+V to paste the back-to-origin CIDR blocks.
      Description: The description of the security group rule. Example: Allow inbound traffic from the WAF back-to-origin CIDR blocks.
      Notice If your origin server communicates with other applications by using IP addresses or ports other than the WAF back-to-origin CIDR blocks and the specified ports, you must also add those IP addresses and ports to the security group rules.
      After the security group rule is added, it takes the highest priority in the security group. This way, the ECS instance allows all inbound traffic from the WAF back-to-origin CIDR blocks.
      Warning Make sure that all WAF back-to-origin CIDR blocks are added to the security group rule. Otherwise, access exceptions may occur.
  7. Add another security group rule with the lowest priority to block all inbound traffic.
    1. On the Inbound tab of the Access Rule section, click Add Rule.
    2. Configure the following parameters and click Save.
      Action: Select Forbid.
      Priority: Enter 100, which specifies the lowest priority.
      Protocol Type: Select Custom TCP.
      Port Range: Select HTTP (80) and HTTPS (443).
      Authorization Object: Enter 0.0.0.0/0 in the Source field. 0.0.0.0/0 specifies all CIDR blocks.
      Description: The description of the security group rule. Example: Block all inbound traffic.
      After the security group rule is added, the ECS instance blocks inbound traffic from all CIDR blocks except those specified in Step 6. This way, all service traffic passes through WAF before the traffic reaches the ECS instance.

Configure CLB access control policies

If your origin server is deployed on a CLB instance, you must obtain the WAF back-to-origin CIDR blocks and configure an access control policy for the CLB instance. The access control policy allows inbound traffic only from the WAF back-to-origin CIDR blocks.

The following example describes how to configure an access control policy. A CLB instance is used in this example. If you use an Application Load Balancer (ALB) instance, configure an access control policy based on the following steps and the description in Enable access control for ALB instances.

  1. Log on to the SLB console.
  2. In the left-side navigation pane, choose CLB (FKA SLB) > Access Control.
  3. In the top navigation bar, select the resource group and region of the CLB instance.
  4. Create an access control list (ACL).
    1. On the Access Control page, click Create Access Control List.
    2. In the Create Access Control List panel, configure the following parameters and click Create.
      The following configurations are used to create an ACL for WAF back-to-origin addresses.
      Access Control List Name: Enter the name of the ACL. Example: WAF back-to-origin CIDR blocks.
      Add Multiple Addresses and Descriptions: Copy and paste all WAF back-to-origin IP addresses. Enter one IP address in each line. Press Enter to start a new line.
      Note The WAF back-to-origin addresses that you copy are separated by commas (,). Before you paste the IP addresses, we recommend that you use a text editor that supports find-and-replace to replace the commas (,) with line breaks (\n).
  5. Configure the ACL for listeners.
    1. In the left-side navigation pane, choose CLB (FKA SLB) > Instances.
    2. On the Instances page, find the instance that you want to manage and click the ID of the instance.
    3. On the Listener tab, find the listener that you want to configure, click the More icon in the Actions column, and then click Set Access Control.
      Select the listener based on the type of service that is protected by WAF:
      • If HTTP services are added to WAF, configure an HTTP listener.
      • If HTTPS services are added to WAF, configure an HTTPS listener.
      • If HTTP and HTTPS services are added to WAF, configure an HTTP listener and an HTTPS listener.
    4. In the Access Control Settings panel, turn on Enable Access Control and configure the following parameters.
      Access Control Method: Select Whitelist to allow only the specified IP addresses to access the CLB instance.
      Access Control List: Select the access control list that you created for the WAF back-to-origin CIDR blocks.

    After the preceding configurations are complete, the CLB instance allows inbound traffic from WAF back-to-origin CIDR blocks.

What to do next

After you configure ECS security group rules or CLB access control policies, we recommend that you test whether the origin server can be connected to over ports 80 and 8080. This way, you can check whether the protection configurations take effect.

If the origin server cannot be connected over port 80 or 8080, but the service runs as expected, the protection configurations take effect.

How do I determine whether the IP address of my origin server is exposed?

Use Telnet to establish a connection from a host that is not deployed on Alibaba Cloud to your origin server by using the service port and the public IP address.
  • If the connection is successful, the IP address of your origin server is exposed. In this case, malicious parties that obtain the public IP address can bypass WAF and launch attacks on your origin server.
  • If the connection fails, the IP address of your origin server is not exposed.
Example: Test the connectivity over ports 80 and 8080 of an origin server that is protected by WAF. If the connectivity is normal, the IP address of your origin server is exposed.
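Two steps in this topic are easy to get wrong by hand: reshaping the comma-separated list that Copy All IPs produces into one block per line for the CLB ACL, and confirming from evidence rather than a single Telnet probe that nothing reaches the origin outside the WAF back-to-origin blocks. The following Python is an added example, not part of this Alibaba Cloud topic: it validates and reformats the copied list, and flags origin access-log entries whose client IP is outside both the WAF blocks and your internal ranges, which is the sign of direct-to-origin access. The CIDR blocks are RFC 5737 documentation ranges standing in for the real WAF addresses, and the log lines and the 10.0.0.0/8 internal range are constructed assumptions.

```python
import ipaddress

# Constructed sample: RFC 5737 documentation ranges stand in for the real
# WAF back-to-origin CIDR blocks, which you must copy from the WAF console.
COPIED_WAF_BLOCKS = "192.0.2.0/24,198.51.100.0/24, 203.0.113.0/25,203.0.113.128/25"

# Constructed sample origin access log (client IP is the first field).
SAMPLE_LOG = """192.0.2.17 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.200 - - [01/Jan/2024:00:00:02 +0000] "GET /admin HTTP/1.1" 200 128
10.0.0.5 - - [01/Jan/2024:00:00:03 +0000] "GET /health HTTP/1.1" 200 2
198.18.0.9 - - [01/Jan/2024:00:00:04 +0000] "GET / HTTP/1.1" 200 512
"""

def split_copied_blocks(copied):
    """Turn the comma-separated text from "Copy All IPs" into validated
    IPv4 networks; strict=True rejects a block whose host bits are set,
    which would otherwise silently widen or break the allow list."""
    return [ipaddress.ip_network(item.strip(), strict=True)
            for item in copied.split(",") if item.strip()]

def to_acl_text(blocks):
    """One block per line: the format the CLB ACL panel expects."""
    return "\n".join(str(b) for b in blocks)

def is_from_waf(source_ip, blocks):
    """True if the client address lies inside any WAF back-to-origin block."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in block for block in blocks)

def direct_to_origin_hits(log_text, blocks, internal=("10.0.0.0/8",)):
    """Client IPs that reached the origin from outside both the WAF blocks
    and the (assumed) internal ranges. Any hit means the origin IP is
    reachable directly and the security group or ACL is not closed."""
    internal_nets = [ipaddress.ip_network(n) for n in internal]
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip = line.split()[0]
        addr = ipaddress.ip_address(ip)
        if is_from_waf(ip, blocks) or any(addr in n for n in internal_nets):
            continue
        hits.append(ip)
    return hits

if __name__ == "__main__":
    blocks = split_copied_blocks(COPIED_WAF_BLOCKS)
    print(to_acl_text(blocks))
    print("direct-to-origin hits:", direct_to_origin_hits(SAMPLE_LOG, blocks))
```

Run it against your real origin access log after the security group or ACL is in place; an empty hit list is the result you want, and any entry names a source that still bypasses WAF.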