This topic describes how to add your website to Web Application Firewall (WAF) in CNAME record mode after you purchase a WAF instance.

Prerequisites

  • A WAF instance is purchased. The number of domain names that are added to the WAF instance does not reach the upper limit.
    Note The total number of domain names that are added to a WAF instance varies based on the specifications of the instance and the number of extra domain packages that you purchased. For more information, see Extra domain package.
  • If you use a WAF instance in mainland China to protect your domain name, you must complete Internet Content Provider (ICP) filing for your domain name before you can add your domain name. If you have not completed ICP filing for your domain name, an error is reported when you add your website to WAF. For more information, see ICP filing application overview.
    Notice After you add your website to WAF, we recommend that you keep the ICP filing information up-to-date. To meet regulatory requirements, WAF instances in mainland China clear the domain names that have invalid ICP filings on a regular basis.

Background information

When you add your website to WAF in CNAME record mode, you enter the website information and then change the DNS record of the domain name to a CNAME record that points to the CNAME assigned by WAF. This way, requests destined for your website resolve to WAF, which inspects them and forwards them to your origin server. This mode is supported regardless of where your origin server is deployed, but the origin server must be accessible over the Internet. The following sections describe how to add a website in CNAME record mode.

You can use one of the following methods to add a website:

  • Configure WAF to automatically add website configurations: You need only to select the domain name of the website that you want to add and the network protocol type on the Add Domain Name page. WAF automatically reads the information about the website within your Alibaba Cloud account. Then, WAF automatically adds the website configurations, such as the domain name, server address, and standard ports (80 and 443), and changes the DNS record of the domain name.
    Note The account that you use to add domain names must have management permissions on Alibaba Cloud DNS resources. If the account does not have the permissions, WAF cannot automatically change the DNS record. If WAF does not automatically change the DNS record, you can manually change the DNS record of the domain name after the website is added.
  • Manually add website configurations: If WAF cannot automatically add the configurations of a website, you can manually add the website configurations, such as the domain name, protocol type, server address, and server port. After you manually add the website configurations, you must manually change the DNS record of the domain name so that requests destined for the website are forwarded to WAF.

Configure WAF to automatically add website configurations

You can select an eligible domain name that you want to add to WAF from the list on the Automatically Add tab. Then, the website is automatically added.

Eligible domain names include only the valid domain names that are configured in Alibaba Cloud DNS.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Domain Names tab, click Website Access.
  5. Optional: On the Add Domain Name page, set Access Mode to CNAME Record.
    If CNAME Record is already selected, skip this step.
  6. On the Automatically Add tab, select the required domain name and protocol type from the Domain Name and Protocol Type columns. Then, click Automatically Add.
    Note If the Automatically Add tab displays an empty list, no eligible domain names are found in your account. In this case, you must manually add the website. For more information, see Manually add website configurations.

    If the domain name supports HTTPS, you must select https. If you select https, you must verify the HTTPS certificate of the domain name before the website configurations can be added. To verify the HTTPS certificate, perform the following steps:

    1. Select the domain name and https. Then, click Verify Certificate in the HTTPS Certificate column.
    2. In the Verify Certificate dialog box, specify Upload Type and upload the certificate that is associated with the domain name as prompted.
      For more information, see Upload an HTTPS certificate.
    3. After you upload the certificate, click Confirm.
      WAF automatically verifies the uploaded certificate.
      • If the certificate verification is successful, click Automatically Add.
      • If the certificate verification fails, resolve the failure based on the error message that is returned and perform the certificate verification again until the verification is successful. Error message example: The certificate and key do not match.

        For more information, see How do I handle the mismatch between a certificate and its private key?.

    WAF automatically adds the website configurations and changes the DNS record.
    Note If you want to add ports in addition to ports 80 and 443, modify the domain name information after the website is automatically added. For more information, see References.

    Possible issues and solutions:

    • Domain name was added, but you need to manually change the DNS record.
      Possible causes: The account that you use to add the domain name does not have management permissions on Alibaba Cloud DNS resources, or the uploaded HTTPS certificate does not match your domain name.
      Note The certificate verification does not confirm that the certificate is issued for the domain name. If your website supports HTTPS but the uploaded certificate does not match the domain name, WAF cannot use the certificate even though the verification succeeds, and WAF does not automatically change the DNS record. You must upload a certificate that is valid for the domain name and then manually change the DNS record. For more information, see Upload an HTTPS certificate.

      Click manually access the DNS. In the Manual Configuration dialog box, change the DNS record. For more information, see Change a DNS record.

    • The maximum number of domain names has been reached.

      Click extra domain package to purchase an extra domain package. Then, add the domain name again.

    • No ICP filing records are found for the domain name.

      If you use a WAF instance in mainland China to protect your domain name, you must complete Internet Content Provider (ICP) filing for your domain name before you can add your domain name. If WAF does not find ICP filing records for your domain name, you must complete ICP filing for your domain name and try again. For more information, see ICP filing application overview.

Manually add website configurations

To add a website to WAF in CNAME record mode, perform the following steps:

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Domain Names tab, click Website Access.
  5. Optional: On the Add Domain Name page, set Access Mode to CNAME Record.
    If CNAME Record is already selected, skip this step.
  6. Click the Manually Add tab and complete the wizard as prompted.
    1. Enter your website information.
      Configure the website parameters and click Next. The following table describes the parameters.
      Parameter Description
      Domain Name Enter the domain name of your website. The domain name must meet the following requirements:
      • The domain name can be an exact match domain name such as www.aliyun.com or a wildcard domain name such as *.aliyun.com. The following items describe how WAF handles each type of domain name:
        • If you enter a wildcard domain name, WAF automatically matches specific domain names for the wildcard domain name. For example, if you enter *.aliyun.com, WAF matches www.aliyun.com and test.aliyun.com.
          Notice If you enter a wildcard domain name, WAF does not match the parent domain name of the wildcard domain name. For example, if you enter *.aliyun.com, WAF does not match aliyun.com. If you want to use WAF to protect aliyun.com, you must separately add the domain name to WAF.
        • If you add both a wildcard domain name and an exact match domain name that the wildcard covers, requests to the exact match domain name use the forwarding rules and protection policies of the exact match domain name.
      • .edu domain names are not supported. If you want to add .edu domain names, you must submit a ticket to request technical support.
      Protection Resource Select the type of protection resource that you want to use. Valid values:
      • Shared Cluster: This is the default value.
      • Exclusive cluster: This option is available only when you use a WAF instance of the Exclusive edition. You can customize an exclusive cluster to deliver service-specific protection. For more information, see Best practices for WAF exclusive clusters.
      • Hybrid Cloud Cluster: If you use Hybrid Cloud WAF, you must select this option. For more information, see Add a website to Hybrid Cloud WAF.
      Protocol Type Select a protocol type. Valid values:
      • HTTP
      • HTTPS: If your website supports HTTPS, select HTTPS. After your website configurations are added, upload the required certificate and private key files. For more information, see Upload an HTTPS certificate.
        If you select HTTPS, you can configure the following settings.
        • Select HTTP2. If your website supports HTTP/2, you must select HTTP2. The HTTP/2 port is the same as the HTTPS port. After you select HTTP2, you need only to set the HTTPS port.
          Notice You can select HTTP2 only for WAF instances of the Enterprise or higher edition.
        • Click Advanced Settings. You can configure the following settings:
          • Enforce HTTPS Routing: If you enable this feature, HTTP requests are automatically redirected to HTTPS requests on port 443. If you want a client to access your website by using HTTPS, enable this feature. This feature improves access security.
            Notice
            • You can enable this feature only when HTTP is not selected.
            • Before you enable this feature, make sure that your website supports HTTPS. After this feature is enabled, requests are delivered over HTTPS.
          • Enable HTTP: If you enable this feature, WAF forwards requests to the origin server over HTTP. The default port is 80. This allows clients to access your website over HTTPS without changes to the origin server: TLS is terminated at WAF, which reduces the workload of the origin server. Note that the back-to-origin leg between WAF and the origin server is then plaintext HTTP.
            Notice If your website does not support HTTPS, turn on Enable HTTP.
        • Select Enable Origin SNI. Origin Server Name Indication (SNI) sets the SNI extension in the TLS handshake that WAF initiates when it forwards requests to the origin server. It tells the origin server which domain name, and therefore which certificate, the connection is for. If the origin server hosts multiple domain names on one IP address, you must enable this feature.
          After you select Enable Origin SNI, you can configure the SNI field. Valid values:
          • Use Domain Name in Host Header: indicates that the value of the SNI field in a WAF back-to-origin request is the same as the value of the Host header field. This is the default value.

            For example, if the domain name of your website is *.example.com and the client requests www.example.com, which is the value of the Host header field, the value of the SNI field in WAF back-to-origin requests is www.example.com.

          • Custom: indicates that you can customize the SNI field in WAF back-to-origin requests.

            If you want WAF to use an SNI field whose value is different from the value of the Host header field in back-to-origin requests, you must specify a custom value for the SNI field.

      Destination Server (IP Address) Enter the address of the origin server. Valid values: IP and Domain Name (Such as CNAME). WAF filters and forwards requests to this address. You can configure this parameter based on the following descriptions:
      • IP: Enter the public IP address of the origin server. The IP address must be accessible over the Internet.
        Press Enter each time you enter an IP address. You can enter up to 20 IP addresses.
        Note If you enter multiple IP addresses, WAF automatically performs health checks and load balancing on these addresses.
        If your WAF instance resides outside mainland China, you can enter only IPv4 addresses. If your WAF instance resides in mainland China, you can enter IPv4 and IPv6 addresses or only IPv4 addresses. However, you cannot enter only IPv6 addresses. You can enter IPv4 or IPv6 addresses based on the following descriptions:
        • If you configure both IPv4 and IPv6 addresses and select Use the Same Protocol, WAF forwards requests from IPv4 addresses to the origin server over IPv4, and requests from IPv6 addresses to the origin server over IPv6. If you do not select Use the Same Protocol, WAF randomly forwards requests to the origin server over IPv4 or IPv6.
          Notice If you want WAF to forward requests over IPv6, make sure that IPV6 is turned on for the domain name on the Website Access page. For more information, see Enable IPv6 traffic protection.
        • If you enter only IPv4 addresses, WAF forwards all requests to the origin server over IPv4.
        The following list describes how to enter an IP address:
        • If the origin server is an Alibaba Cloud Elastic Compute Service (ECS) instance, enter the public IP address of the instance.
        • If the ECS instance is associated with a Server Load Balancer (SLB) instance, enter the public IP address of the SLB instance.
        • If the origin server is not deployed on Alibaba Cloud, we recommend that you ping the domain name to query the public IP address of the origin server. Then, enter the public IP address of the origin server.
      • Domain Name (Such as CNAME): Enter the domain name of the origin server. For example, enter the CNAME of an Object Storage Service (OSS) bucket.

        If you select Domain Name (Such as CNAME), WAF forwards all requests to the origin server over IPv4.

        Notice
        • The domain name of the origin server must be different from the domain name that you want to protect.
        • If you enter a domain name of an OSS bucket, you must map the domain name that you want to protect to the bucket in the OSS console. For more information, see Map custom domain names.
      Destination Server Port Specify the port that you use to forward website requests.

      WAF accepts and forwards requests only on the ports that you specify. Requests on other ports are not proxied by WAF, so services that listen on other ports of the origin server are not exposed through WAF. Ports that the origin server itself exposes to the Internet remain directly reachable, so restrict inbound access on the origin server to the WAF back-to-origin CIDR blocks.

      Notice Protocol Type and Destination Server Port must be set to the protocol and port that the origin server uses to provide web services. WAF does not support port translation. For example, if the origin server provides web services by using HTTP and port 80, you must set Protocol Type to HTTP and Destination Server Port to 80.
      Default ports:
      • HTTP 80: This port is used when HTTP is selected.
      • HTTPS 443: This port is used when HTTPS is selected.
        Note HTTP/2 uses the same port as HTTPS.

      Custom ports: Enter port numbers in the HTTP Port and HTTPS Port fields. Press Enter each time you enter a port number. Click View Allowed Port Range to query all supported ports.

      Note
      • WAF Enterprise and Exclusive each support a maximum of 50 different server ports, which include ports 80, 8080, 443, and 8443. WAF Pro and Business each support a maximum of 10 ports, which include ports 80, 8080, 443, and 8443.
      • For more information about the ports that are supported by shared clusters, see View the allowed port range.
      • If you use a WAF instance of the Exclusive edition, you can select ports only from the Destination Server Port section on the Exclusive Settings page. For more information, see Create an exclusive cluster.
      Load Balancing Algorithm If you enter multiple addresses for origin servers, configure this parameter. Valid values:
      • IP hash: Requests from a specific IP address are forwarded to the same origin server. This is the default value.
        Note If you select IP hash but the IP addresses of origin servers are not scattered on different network segments, workloads may be unbalanced.
      • Round-robin: All requests are distributed to origin servers in turn.
      • Least time: WAF uses the intelligent DNS resolution feature and the upgraded least-time back-to-origin algorithm to minimize the latency when requests are forwarded to origin servers.
        Note You can select Least time only when intelligent load balancing is enabled. For more information, see Intelligent load balancing.

      After the settings take effect, WAF distributes back-to-origin requests to multiple addresses of origin servers.

      Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF Specify whether a Layer 7 proxy is deployed in front of WAF. The Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. Valid values:
      • No: No Layer 7 proxies are deployed in front of WAF, and WAF receives requests from clients. WAF uses the IP address that is used to establish connections with WAF as the actual IP address of a client. WAF obtains the actual IP address from the REMOTE_ADDR field.
      • Yes: A Layer 7 proxy is deployed in front of WAF, and WAF receives requests from the Layer 7 proxy, instead of clients. To make sure that WAF can obtain the actual IP address of a client for security analysis, you must configure Obtain Source IP Address.

        By default, WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of a client.


        You can use other proxies that require the actual IP addresses of clients to be contained in a custom header field, such as X-Client-IP or X-Real-IP. In this case, you must select Use the First IP Address in Specified Header Field as Source IP Address to Prevent X-Forwarded-For Forgery and enter a custom header field in the Header Field field.

        Note We recommend that you have the proxy in front of WAF write the actual IP address of the client to a custom header field and configure that field in WAF. A client can put any value in X-Forwarded-For, so if WAF reads the first IP address in X-Forwarded-For, an attacker can forge the client IP address to bypass IP-based protection rules. A custom header field is trustworthy only because the proxy sets or overwrites it on every request before the request reaches WAF.

        You can enter multiple header fields separated by commas (,). WAF checks the header fields in the order in which you enter them and uses the first IP address that it obtains. If WAF fails to obtain an IP address from all of the header fields, WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of the client.

      Enable Traffic Mark Specify whether to enable the WAF traffic marking feature.

      This feature adds custom header fields to WAF back-to-origin requests. You can specify or modify the custom header fields to tag the requests that are forwarded by WAF or record the IP addresses of clients.

      If you select Enable Traffic Marking, you must add custom header fields. You can add the following two types of header fields:
      • Custom Header: If you want to add a header field of this type, you must specify a header field name and header field value. WAF adds the header field to the back-to-origin requests. This helps the backend service identify whether requests pass through WAF, collect statistics, and analyze data.

        For example, you can specify the ALIWAF-TAG: Yes header field setting to tag the requests that pass through WAF. In this example, ALIWAF-TAG is the header field name and Yes is the header field value.

        Notice We recommend that you do not configure a standard HTTP header field, such as User-Agent. If you configure a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field.
      • Client IP Address: If you want to add a header field of this type, you must specify the name of the header field that records an IP address. This way, WAF adds the header field to the back-to-origin requests and adds the IP addresses of clients to the value of the header field. For more information about how WAF obtains the IP addresses of clients, see the description of the Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF parameter.

        If the backend service needs to obtain the IP addresses of clients from a specified custom header field such as example-client-ip for analysis, you must add a header field of the Client IP Address type.

        Notice We recommend that you do not configure a standard HTTP header field, such as User-Agent. If you configure a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field.

      Click Add Mark to add a header field. You can add up to five header fields.

      Resource Group Select the resource group to which the domain name belongs from the resource group list.
      Note You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
    2. Change the DNS record.
      Change the DNS record as prompted and click Next. After you change the DNS record, the domain name is mapped to WAF. For more information, see Change a DNS record.
    3. Complete the settings.
      Configure the back-to-origin CIDR blocks of WAF on the origin server as prompted and click Completed. Return to the website list. The Website Access page appears. If the origin server accepts connections from any source, an attacker who learns the origin IP address can bypass WAF by sending requests to it directly, so allow only the WAF back-to-origin CIDR blocks. For more information, see Allow access from back-to-origin CIDR blocks of WAF.
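The following Python is an added illustration, not Alibaba Cloud code and not part of the original page, of the two trust decisions described in the wizard above: the header-field lookup that the Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF parameter configures on the WAF side, and the traffic mark combined with the back-to-origin CIDR allow list on the origin side. It reproduces the lookup order the page describes and shows why an origin server must check the peer address before trusting a mark. The CIDR blocks, the addresses in the scenario, and the fallback to REMOTE_ADDR when X-Forwarded-For is also absent are constructed assumptions; ALIWAF-TAG and example-client-ip are the header names the page uses.

```python
import ipaddress

# Constructed sample blocks for this example only. The real WAF back-to-origin
# CIDR blocks are shown in the console when you complete the wizard.
WAF_BACK_TO_ORIGIN_CIDRS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]


def first_ip_in_header(value):
    """Return the first comma-separated token of a header value that parses as an IP address, or None."""
    for token in (value or "").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            return str(ipaddress.ip_address(token))
        except ValueError:
            continue
    return None


def resolve_client_ip(headers, remote_addr, layer7_proxy=False, trusted_headers=()):
    """WAF-side selection of the client IP address, following the page's description.

    Without a layer 7 proxy, the TCP peer (REMOTE_ADDR) is the client.
    With a layer 7 proxy, try each configured header field in order and take the
    first IP address found; otherwise use the first IP address in X-Forwarded-For.
    Falling back to REMOTE_ADDR when X-Forwarded-For is missing too is an
    assumption of this example, not something the page states.
    """
    if not layer7_proxy:
        return remote_addr
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in trusted_headers:
        ip = first_ip_in_header(lowered.get(name.lower()))
        if ip:
            return ip
    return first_ip_in_header(lowered.get("x-forwarded-for")) or remote_addr


def is_waf_node(remote_addr, cidrs=WAF_BACK_TO_ORIGIN_CIDRS):
    """True when the peer that connected to the origin server is inside a WAF back-to-origin block."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in cidrs)


def origin_accepts(remote_addr, headers, tag=("ALIWAF-TAG", "Yes"), cidrs=WAF_BACK_TO_ORIGIN_CIDRS):
    """Origin-side check that a request passed through WAF.

    The traffic mark on its own proves nothing: anyone who can reach the origin
    server directly can send the same header. Require the peer to be a WAF node as well.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    return is_waf_node(remote_addr, cidrs) and lowered.get(tag[0].lower()) == tag[1]


def origin_client_ip(remote_addr, headers, mark_header="example-client-ip", cidrs=WAF_BACK_TO_ORIGIN_CIDRS):
    """Trust the Client IP Address traffic mark only when the request really came from WAF."""
    if not is_waf_node(remote_addr, cidrs):
        return remote_addr
    lowered = {name.lower(): value for name, value in headers.items()}
    return first_ip_in_header(lowered.get(mark_header.lower())) or remote_addr


def demo():
    """Constructed scenario: client 203.0.113.10 -> layer 7 proxy 192.0.2.50 -> WAF -> origin.

    The client prepended a bogus 10.0.0.1 to X-Forwarded-For; the proxy wrote the
    true address to X-Client-IP.
    """
    to_waf = {"X-Forwarded-For": "10.0.0.1, 203.0.113.10", "X-Client-IP": "203.0.113.10"}
    return {
        # Reading X-Forwarded-For lets the forged address through.
        "xff_only": resolve_client_ip(to_waf, "192.0.2.50", layer7_proxy=True),
        # A proxy-controlled header field defeats the forgery.
        "custom_header": resolve_client_ip(to_waf, "192.0.2.50", layer7_proxy=True,
                                           trusted_headers=("X-Real-IP", "X-Client-IP")),
        # At the origin: the mark is accepted only from a WAF back-to-origin address.
        "via_waf": origin_accepts("198.51.100.7", {"ALIWAF-TAG": "Yes"}),
        "direct_with_forged_mark": origin_accepts("203.0.113.99", {"ALIWAF-TAG": "Yes"}),
        "origin_sees_client": origin_client_ip("198.51.100.7", {"example-client-ip": "203.0.113.10"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The origin-side functions are the part most often skipped in practice: a traffic mark header is convenient for statistics, but only the combination of a WAF back-to-origin source address and the mark tells the backend that a request was actually inspected.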

What to do next

After you add the website, the requests that are destined for the website are protected by WAF. You can also modify website configurations to enhance protection.

WAF provides multiple features to protect your website against different types of attacks. By default, only the Protection Rules Engine and HTTP Flood Protection features are enabled. The Protection Rules Engine feature protects your website against common web attacks, such as SQL injections, XSS attacks, and webshell uploads. The HTTP Flood Protection feature protects your website against HTTP flood attacks. You must manually enable other features and configure protection rules. For more information, see Overview.

Upload an HTTPS certificate

If you select HTTPS when you add a domain name, you must upload the valid and correct HTTPS certificate that is associated with the domain name in the WAF console. This way, WAF can protect HTTPS requests.

You can use one of the following methods to upload an HTTPS certificate:
  • Manually upload a certificate:
    You must prepare the following files before you upload the certificate:
    • The certificate file in the CRT or PEM format
    • The private key file in the KEY format
  • Select an existing certificate: You can select the certificate that is associated with the domain name and is managed in the SSL Certificates Service console.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Domain Names tab, find the domain name that you want to manage and click the Upload icon in the Origin Server column.
    Note The Upload icon appears in the Origin Server column only when you select HTTPS for the domain name that you add to WAF.
  5. In the Upload Certificate or Update Certificate dialog box, specify Upload Type to upload an HTTPS certificate.
    Note If the certificate is uploaded, the Update Certificate dialog box appears. The Update Certificate and Upload Certificate dialog boxes have the same configuration items.
    • Manual Upload: Specify Certificate Name, copy and paste the content of the certificate file to the Certificate File field, and then copy and paste the content of the private key file to the Private Key File field.
      For more information about the certificate file, see the following descriptions:
      • If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the certificate file and copy the text content.
      • If the certificate file is in another format, such as PFX or P7B, you must convert the certificate file format to PEM. Then, you can use a text editor to open the certificate file and copy the text content. For information about how to convert the format of a certificate file, see How do I convert an HTTPS certificate to the PEM format?
      • If the domain name is associated with multiple certificate files, such as a certificate chain, you must combine the text content of the certificate files and then copy and paste the combined content to the Certificate File field. The usual order in a PEM bundle is the server certificate first, followed by the intermediate certificates; the root certificate is not needed.
    • Select Existing Certificate: Select the certificate that you want to upload from the Certificate drop-down list.

      The Certificate drop-down list is a collection of certificates that are issued in the SSL Certificates Service console. You can select the certificate that is associated with the domain name. You can click Cloud Security - Certificates Service to go to the SSL Certificates Service console to manage certificates.

    • Purchase Certificate: Click Buy Now to go to the configuration page of SSL Certificates Service to purchase a certificate for the domain name.

      The certificate that you purchase is automatically uploaded to WAF.

      Note You can purchase only a domain validated (DV) certificate on this page. If you want to purchase a different type of certificate, go to the buy page of SSL Certificates Service. For more information, see Purchase an SSL Certificates Service instance.
  6. Click Confirm.

References

You can go to the Domain Names tab of the Website Access page to view the added domain name and perform the following operations.
  • Upload an HTTPS certificate: If your website supports HTTPS, make sure that the correct certificate and private key files are uploaded to WAF. This ensures that WAF protects HTTPS requests. To upload the HTTPS certificate and private key files for the domain name, you must click the Upload icon in the Origin Server column.

    For more information, see Upload an HTTPS certificate.

  • Enable IPv6 traffic protection: If you want to protect IPv6 traffic destined for your website, turn on IPV6 for the domain name of your website in the Quick Action column.

    For more information, see Enable IPv6 traffic protection.

  • Enable Log Service for WAF: Turn on Log Service in the Quick Access column to enable the Log Service for WAF feature. This feature allows you to collect logs of your website. You can use the logs for query, analysis, dashboard data visualization, and alerting.

    For more information, see Step 2: Enable the log collection feature.

    Notice Log Service for WAF is a value-added service that is provided by WAF. You must enable this feature before you can use it. For more information, see Enable Log Service for WAF.
  • Configure protection resources: Click the Configure protection resources icon next to Protection Resource in the Quick Access column. Then, configure the protection resources for the domain name.
    The following types of protection resources are supported:
    • Shared Cluster and Shared IP: This is the default value.
    • Shared Cluster and Exclusive IP : For more information about exclusive IP addresses, see Exclusive IP addresses.
    • Shared Cluster and Load Balancing Among Multiple WAF Nodes: For more information about global load balancing, see Intelligent load balancing.
    • Exclusive Cluster: For more information about exclusive clusters, see Create an exclusive cluster.
  • View attack monitoring reports: Click View Report in the Attack Monitoring column to go to the Security Report page. On the page that appears, you can view a protection report of the domain name. For more information, see View security reports.
  • Configure protection policies: Click Config in the Actions column to go to the Website Protection page. On the page that appears, you can configure the Web Security, Bot Management, and Access Control/Throttling modules. For more information, see Overview.
  • Modify website configurations: Click Edit in the Actions column to modify website configurations, such as the protocol type, server address, and server port. The domain name cannot be changed.
  • Delete a domain name: Click Delete in the Actions column to delete a domain name.
    Warning Before you delete a domain name, change the DNS record so that the domain name resolves to the IP address of the origin server again and wait for the TTL of the old record to expire. If you do not change the DNS record, requests that are destined for the domain name still resolve to WAF and cannot be forwarded after the domain name is deleted.

FAQ

For more information, see FAQ about website access configuration in FAQ.