After you activate Web Application Firewall (WAF), you must add a website configuration in the WAF console for the website that you want to protect. This topic describes how WAF automatically adds a website configuration when you use the DNS proxy mode to configure WAF.

Prerequisites

  • The DNS records of the website are managed by Alibaba Cloud DNS, and at least one A record is valid.

    If you cannot host your domains on Alibaba Cloud DNS, you must manually add website configurations. For more information, see Website configuration.

  • If your website is deployed in a Mainland China region, make sure that you have obtained an ICP license.
  • For an HTTPS-based website, you must obtain the HTTPS certificate and the private key file, or host your certificate on Alibaba Cloud SSL Certificates Service.

Background information

Note: You can use the transparent proxy mode or the DNS proxy mode to configure WAF for your website. This topic describes how to use the DNS proxy mode to configure WAF. For more information about the transparent proxy mode, see Use the transparent proxy mode to configure WAF.

When you configure WAF by using the DNS proxy mode, WAF can automatically read the A records that you have created on Alibaba Cloud DNS, the domain name of the website, and the origin server IP address to automatically add a website configuration. After the website configuration is added, WAF automatically updates the DNS record of the domain name. For more information, see Step 2: Update the DNS settings.

Note: The protection resource assigned for an automatically added website is a shared cluster and a shared WAF IP address. If you want to change the protection resource to an exclusive cluster or an exclusive WAF IP, modify Protection Resource for the website on the Website Configuration page.

Procedure

  1. Log on to the Alibaba Cloud WAF console.
  2. On the top of the page, select Mainland China or International.
  3. Choose Management > Website Configuration and select DNS Proxy Mode.
  4. Click Add Domain.
    WAF automatically lists all domain names that have an A record configured on Alibaba Cloud DNS under the current Alibaba Cloud account. If you have not created an A record on Alibaba Cloud DNS, the Please choose your domain page does not appear. You can manually add the website configuration. For more information, see Website configuration.
  5. On the Please choose your domain page, choose the domain name and the protocol type for the website.
  6. Optional: If you choose HTTPS, you must verify the certificate before you add the website configuration.
    Note: Alternatively, do not select HTTPS. After you have added the website configuration, upload the HTTPS certificate. For more information, see Update HTTPS certificates.
    1. Click Verify Certificate.
    2. In the Verify Certificate dialog box, upload the certificate and private key file.
      • If you have hosted your certificates on Alibaba Cloud SSL Certificates Service, click Select Existing Certificate in the Verify Certificate dialog box, and select the certificate bound to the domain name.
      • Manually upload the certificate. Click Manual Upload, enter the certificate name, and copy the text content of the certificate and private key files to the Certificate File and Private Key File fields.

        For more information, see Update HTTPS certificates.

    3. Click Verify to verify the uploaded certificate.
  7. Click Add domain protection now.
    After you have added the website configuration, WAF automatically updates the CNAME record of the domain to redirect requests targeting your website to WAF for monitoring. This operation takes 10 to 15 minutes.
    Note: If you are required to update DNS records manually, follow the procedure described in Step 2: Update the DNS settings to complete the configuration.
  8. You can choose Management > Website Configuration to view the domain name that you have added and the DNS status in the DNS Resolution Status column.
    • Normal indicates that you have configured WAF for your website. You can specify protection policies. For more information, see Step 3: Configure WAF protection policies.
    • The DNS resolution status may be Exception after you have added the website configuration. We recommend that you check the DNS resolution status later or check whether the DNS settings are correct at your DNS service provider.

      If the DNS settings are not correct, update the DNS records. For more information, see Step 2: Update the DNS settings. For more information about the DNS resolution status, see DNS resolution status.
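
A local check of the DNS cutover described in steps 7 and 8, added here as an example and not part of the Alibaba Cloud documentation: it parses `dig +noall +answer` output and reports whether the domain resolves through the WAF CNAME or still returns the origin server IP address. The domain, the WAF CNAME `waf-assigned.example.net`, the function names and all IP addresses are constructed placeholders.

```python
import subprocess

# Constructed sample of `dig +noall +answer www.example.com` after the cutover.
# waf-assigned.example.net is a placeholder for the CNAME that WAF assigns.
SAMPLE_ANSWER = """\
www.example.com.          600 IN CNAME waf-assigned.example.net.
waf-assigned.example.net. 60  IN A     198.51.100.20
"""

def parse_answer(text):
    """Return (name, type, value) tuples from dig answer-section lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";"):
            name, rtype, value = fields[0], fields[3].upper(), fields[4]
            records.append((name.rstrip(".").lower(), rtype, value.rstrip(".").lower()))
    return records

def cutover_status(text, domain, waf_cname, origin_ips):
    """Classify an answer: 'protected', 'origin-exposed', 'pending' or 'no-answer'."""
    records = parse_answer(text)
    if not records:
        return "no-answer"
    name, seen, via_waf = domain.rstrip(".").lower(), set(), False
    waf_cname = waf_cname.rstrip(".").lower()
    while name not in seen:  # follow the CNAME chain, guarding against loops
        seen.add(name)
        if name == waf_cname:
            via_waf = True
        target = next((v for n, t, v in records if n == name and t == "CNAME"), None)
        if target is None:
            break
        name = target
    addresses = {v for n, t, v in records if n == name and t in ("A", "AAAA")}
    if addresses & set(origin_ips):
        return "origin-exposed"  # resolvers still hand out the origin address
    return "protected" if via_waf else "pending"

def live_answer(domain):
    """Fetch a live answer section (requires dig and network access)."""
    return subprocess.run(["dig", "+noall", "+answer", domain],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    print(cutover_status(SAMPLE_ANSWER, "www.example.com",
                         "waf-assigned.example.net", ["203.0.113.10"]))
```

For a live check, pass `live_answer(domain)` as the first argument and repeat it against more than one resolver, because cached records can outlast the update window.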
