Add a website

Configure WAF to automatically add website configurations

The Add Domain Name page appears only when an eligible domain name exists. If the page appears, you can select the domain name that you want to add to WAF. The website is automatically added to WAF.

Eligible domain names include only the valid domain names that are configured in Alibaba Cloud DNS.

Procedure

1. Log on to the Web Application Firewall console.
2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
3. In the left-side navigation pane, choose Asset Center > Website Access.
4. On the Domain Names tab, click Website Access.
5. On the Add Domain Name page, select the domain name that you want to add and a protocol type in the domain name list, and click Add domain protection now.
   Note The Add Domain Name page appears only when an eligible domain name exists. If the Add Domain Name page does not appear, we recommend that you manually add the website configurations. For more information, see Step 6.

   

   If you select https, you must verify the required certificate before you add the website configurations.

   Perform the following steps to verify a certificate:

   1. Select a domain name and https and click Verify Certificate in the HTTPS Certificate column.
   2. In the Verify Certificate dialog box, specify Upload Type and upload the HTTPS certificate.
      For more information, see Upload an HTTPS certificate.
   3. Click Confirm after the HTTPS certificate is uploaded.
      • If the certificate verification succeeds, click Add domain protection now.
      • If the certificate verification fails, verify the certificate again based on error messages, such as The certificate and key do not match, until the verification succeeds.
   WAF automatically adds the website configurations and changes the DNS record.

   Note If you want to add ports other than 80 and 443, manually edit the domain name information after the domain name is automatically added. For more information, see References.

   Possible issues and solutions:

   • Domain name was added, but you need to manually change the DNS record.
     Possible causes: The account that you use to add the domain name does not have management permissions on Alibaba Cloud DNS resources, or the uploaded HTTPS certificate does not match your domain name.

     Note Assume that your website uses HTTPS and the certificate verification succeeds. If the uploaded certificate and the website do not match, the certificate still cannot be detected, and WAF does not automatically change the DNS record. In this case, you must upload a valid and correct certificate and then manually change the DNS record. For more information, see Upload an HTTPS certificate.

     Click manually access the DNS. In the Manual Configuration dialog box, change the DNS record. For more information, see Change a DNS record.

   • The maximum number of domain names has been reached.

     Click extra domain package to purchase an extra domain package. Then, add the domain name again.

   • No ICP filing records are found for the domain name.

     If you use a WAF instance in mainland China to protect your domain name, you must complete ICP filing for your domain name before you can add your domain name. If WAF detects no ICP filing records for your domain name, you must complete ICP filing for your domain name and try again.

Manually add website configurations

The following procedure describes how to manually add a website in CNAME record mode:

1. Log on to the Web Application Firewall console.
2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
3. In the left-side navigation pane, choose Asset Center > Website Access.
4. On the Domain Names tab, click Website Access.
5. Optional:On the Add Domain Name page, click Manually Add Other Websites.
   Note The Add Domain Name page appears only when an eligible domain name exists. If the Add Domain Name page does not appear, skip this step. For more information, see Configure WAF to automatically add website configurations.
6. On the Add Domain Name page, specify Domain Name, select CNAME Record for Access Mode, and then complete the wizard.
   The domain name must meet the following requirements:

   • The domain name can be an exact match domain name, such as www.aliyun.com, or a wildcard domain name, such as *.aliyun.com.
     • If you use a wildcard domain name, WAF automatically matches all subdomains of the wildcard domain name.
     • If you configure both a wildcard domain name and an exact match domain name, WAF uses the forwarding rules and protection policies of the exact match domain name.
   • The domain name cannot be .edu domain names. To add .edu domain names, you must submit a ticket to request technical support.
   CNAME Record wizard:
   1. Enter your website information.
      Configure the website parameters that are described in the following table and click Next.

      Parameter	Description
      Protection Resource	Select the type of protection resource that you want to use. Valid values: Shared Cluster: This is the default value. Exclusive cluster: This option is available only when you use a WAF instance of the Exclusive edition. You can customize an exclusive cluster to deliver service-specific protection. For more information, see Best practices for WAF exclusive clusters. Hybrid Cloud Cluster: You must select this option when you use Hybrid Cloud WAF. For more information, see Add a website to Hybrid Cloud WAF.
      Protocol Type	Select a protocol type. Valid values: HTTP HTTPS: If your website uses HTTPS, select HTTPS and upload the certificate and private key files after you add the website configurations. For more information, see Upload an HTTPS certificate. After you select HTTPS, click Advanced Settings to show more options. Advanced Settings supports the following features: Enforce HTTPS Routing: If this feature is enabled, the HTTP requests are automatically redirected to HTTPS requests on port 443. You must clear HTTP before you enable the Enforce HTTPS Routing feature. If you want a client to access your website by using HTTPS, enable this feature. This enhances access security. Notice Before you enable this feature, make sure that your website supports HTTPS. After this feature is enabled, requests are delivered over HTTPS. Enable HTTP: If this feature is enabled, WAF forwards requests over HTTP. The default port is 80. This feature implements HTTPS access to your website without making changes to the origin server. This reduces the workload of the origin server. If your website does not support HTTPS, enable the Enable HTTP feature. HTTP2: This option is available only when you use a WAF instance of the Business or Enterprise edition and select HTTPS.
      Destination Server (IP Address)	Enter the address of the origin server. Valid values: IP and Domain Name (Such as CNAME). WAF filters and redirects requests to this address. You can configure this parameter based on the following descriptions: IP: Enter the public IP address of the origin server. The IP address must be accessible over the Internet. Press Enter each time you enter an IP address. You can enter up to 20 IP addresses. Note If you enter multiple IP addresses, WAF automatically performs health checks and load balancing on these addresses before redirecting requests. If your WAF instance resides outside mainland China, you can enter only IPv4 addresses. If your WAF instance resides in mainland China, you can enter both IPv4 and IPv6 addresses or enter only IPv4 addresses. However, you cannot enter only IPv6 addresses. You can enter IPv4 or IPv6 addresses based on the following descriptions: If you configure both IPv4 and IPv6 addresses and also select Use the Same Protocol, WAF forwards requests to the origin server based on the protocol specified in the requests. If you do not select Use the Same Protocol, WAF forwards requests to the origin server, regardless of the protocol specified in the requests. Notice If you want WAF to forward requests over IPv6, make sure that IPv6 is enabled for the domain name on the Website Access page. For more information, see Enable IPv6 traffic protection. If you enter only IPv4 addresses, WAF forwards all requests to the origin server over IPv4. The following list describes how to enter an IP address: If the origin server is an Alibaba Cloud Elastic Compute Service (ECS) instance, enter the public IP address of the instance. If the ECS instance is associated with an SLB instance, enter the public IP address of the SLB instance. If the origin server is not deployed on Alibaba Cloud, we recommend that you ping the domain name to query the public IP address of the origin server. Then, enter the public IP address. Domain Name (Such as CNAME): Enter the domain name of the origin server. For example, enter the CNAME of an Object Storage Service (OSS) bucket. If you select Domain Name (Such as CNAME), WAF forwards all requests to the origin server only over IPv4. Notice The domain name of the origin server must be different from the domain name that you want to protect. If you enter a domain name of an OSS bucket, you must map the domain name that you want to protect to the bucket in the OSS console. For more information, see Map custom domain names.
      Destination Server Port	Specify the port that you use to forward website requests. WAF redirects the filtered requests only by using the port that you specify. If you enable the ports that are not specified here, no security threats are posed to the origin server. Notice Protocol Type and Destination Server Port must be the protocol and port that the origin server uses to provide web services. WAF does not support port translation. For example, if the origin server provides web services by using HTTP port 80, HTTP and port 80 must be configured for your domain name. Default ports: HTTP 80: This port is used when HTTP is selected. HTTPS 443: This port is used when HTTPS is selected. Note HTTP/2 uses the same port as HTTPS. Customize ports: Click Customize and specify custom ports based on HTTP or HTTPS you select. Click View Allowed Port Range to query all supported ports. Separate multiple ports with commas (,). Note WAF Enterprise and Exclusive each support a maximum of 50 different server ports, including ports 80, 8080, 443, and 8443. WAF Pro and Business each support a maximum of 10 ports, including ports 80, 8080, 443, and 8443. For more information about the ports supported by the shared cluster, see View the ports supported by WAF. If you use the WAF Exclusive edition, you can select ports only from the Destination Server Port section on the Exclusive Cluster Settings page. For more information, see Create an exclusive cluster.
      Load Balancing Algorithm	If multiple origin IP addresses are configured, specify this parameter. Valid values: IP hash: The requests from a specific IP address are redirected to the same origin server. This is the default value. Note If you select IP hash but the IP addresses of origin servers are not scattered on different network segments, unbalanced loads may occur. Round-robin: All requests are distributed to origin servers in turn. Least time: You can use the intelligent DNS resolution feature and the upgraded least-time back-to-origin algorithm to minimize the latency when requests are forwarded to origin servers. Note You can select Least time only when intelligent load balancing is enabled. For more information, see Intelligent load balancing. After the settings take effect, WAF distributes back-to-origin requests to the IP addresses of multiple origin servers to achieve load balancing.
      Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF	Specify whether to deploy a Layer 7 proxy in front of WAF. The Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Content Delivery Network (CDN). Valid values: No: indicates that WAF receives requests from clients. WAF uses the IP address that establishes the connection with WAF as the actual IP address of the client. WAF can obtain the IP address from the REMOTE_ADDR field. Yes: indicates that WAF receives requests from a Layer 7 proxy, instead of the clients. By default, WAF uses the first IP address in the X-Forwarded-For header field as the actual IP address of a client.
      Enable Traffic Mark	Specify whether to enable the WAF traffic marking feature. If you want to tag requests that pass through WAF, you can enable this feature. This way, you can distinguish requests that do not pass through WAF, which facilitates statistical analysis of backend services. When you enable this feature, you must specify a custom HTTP header field. This header field includes Header Field Name and Header Field Value. For example, you can specify the ALIWAF-TAG: Yes header field to mark the requests that pass through WAF. ALIWAF-TAG is the field name and Yes is the field value. Notice We recommended that you do not specify a standard HTTP header field, such as User-Agent. If you specify a standard HTTP header field, the value of the standard header field is overwritten by the custom field value.

   2. Change the DNS record.
      Change the DNS record as prompted and click Next. After you change the DNS record, the domain name is mapped to WAF. For more information, see Change a DNS record.
   3. Complete the settings.
      Configure back-to-origin CIDR blocks of WAF as prompted and click Completed. Return to the website list. to go to the Website Access page. For more information, see Allow access from WAF back-to-origin CIDR blocks.

What to do next

After you add the website, the requests that are destined for the website are protected by WAF. You can also modify website configurations for better protection.

WAF provides multiple features to protect your website against different types of attacks. Among the features, only RegEx Protection Engine and HTTP Flood Protection are enabled by default. The RegEx Protection Engine feature protects your website against common web attacks, such as SQL injections, XSS attacks, and webshell uploads. The HTTP Flood Protection feature protects your website against HTTP flood attacks. You must manually enable other features and configure protection rules. For more information, see Overview.

Upload an HTTPS certificate

If your domain name uses HTTPS, you must upload the valid and correct HTTPS certificate associated with the domain name in the WAF console. This ensures that WAF protects HTTPS requests.

Procedure

1. Log on to the Web Application Firewall console.
2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
3. In the left-side navigation pane, choose Asset Center > Website Access.
4. On the Domain Names tab, find the domain name that you want to manage, and click the icon in the Origin Server column.
   Note The icon appears in the Origin Server column only when you select HTTPS for your domain name that you add to WAF.

   
5. In the Upload Certificate or Update Certificate dialog box, specify Upload Type to upload an HTTPS certificate.
   Note If a certificate has been uploaded, the Update Certificate dialog box appears. The Update Certificate and Upload Certificate dialog boxes have the same configuration items.
   • Manual Upload: Specify Certificate Name, copy and paste the content in the certificate file to the Certificate File field, and then copy and paste the content in the private key file to the Private Key File field.
     For more information about the certificate file, see the following descriptions:

     • If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the certificate file and copy its text content.
     • If the certificate file is in another format, such as PFX or P7B, you must convert the certificate file format to PEM. Then, you can use a text editor to open the certificate file and copy its text content. For information about how to convert the format of a certificate file, see How do I convert an HTTPS certificate to the PEM format?
     • If the domain name is associated with multiple certificate files, for example, a certificate chain, you must combine the text content in the certificate files and then copy and paste the combined content to the Certificate File field.
   • Select Existing Certificate: Select the certificate that you want to upload from the Certificate drop-down list.

     The Certificate drop-down list is a collection of certificates that are issued in the SSL Certificates Service console. You can select the certificate associated with the domain name in this list. You can click Cloud Security - Certificates Service to go to the SSL Certificates Service console to manage certificates.

   • Purchase Certificate: Click Buy Now to go to the configuration page of SSL Certificates Service to purchase a certificate for the domain name.

     The certificate that you purchase is automatically uploaded to WAF.

     Note You can purchase only a domain validated (DV) certificate on this page. If you want to purchase a different type of certificate, go to the buy page of SSL Certificates Service. For more information, see Select and purchase certificates.
6. Click Confirm.

References

FAQ

For more information, see FAQ about website access configuration in FAQ.