This topic describes how to add your website to Web Application Firewall (WAF) after you purchase a WAF instance.
Prerequisites
- WAF is activated, and the number of second-level domain names and subdomains that you add to a WAF instance does not reach the upper limit.
Note The total number of domain names that you can add to a WAF instance depends on the specifications of the instance and the number of extra domain packages that you purchase. For more information, see Extra domain quota.
- If your domain name is protected by a WAF instance in mainland China, you must complete ICP filing for your domain name. If you do not complete ICP filing but still add your domain name to WAF, an error may occur and the system prompts you to complete ICP filing.
Background information
- Configure WAF to automatically add website configurations: You need only to select the domain name that you want to add and the network protocol type on the Add Domain Name page. WAF automatically reads information about the domain name assets under your Alibaba Cloud account. Then, WAF adds website configurations, such as the domain name, server address, and standard ports (80 and 443), and changes the DNS record of the domain name.
Note The account that you use to add domain names must have management permissions on Alibaba Cloud DNS resources. Otherwise, WAF cannot automatically change the DNS record. If the automatic change operation fails, you can manually change the DNS record of the domain name after the domain name is added.
- Manually add website configurations: If your website does not support the first method, you can manually add the website configurations, such as the domain name, protocol, server address, and server port. After you manually add the website configurations, you must manually change the DNS record of the domain name of your website to redirect requests destined for your website to WAF for protection.
Configure WAF to automatically add website configurations
The Add Domain Name page appears only when an eligible domain name exists. If the page appears, you can select the domain name that you want to add to WAF. The website is automatically added to WAF.
Eligible domain names contain only valid domain names that are configured in Alibaba Cloud DNS.
Procedure
Manually add website configurations
The following steps describe how to manually add a website in CNAME mode.
What to do next
After you add the website, the requests destined for the website are protected by WAF. You can also configure website protection settings for better protection.
WAF provides multiple protection features to protect your website against different types of attacks. Among the features, only RegEx Protection Engine and HTTP Flood Protection are enabled by default. The RegEx Protection Engine feature protects your website against common web attacks, such as SQL injection, XSS, and webshell upload. The HTTP Flood Protection feature protects your website against HTTP flood attacks. You need to manually enable other features and configure protection rules. For more information, see Overview.
Upload HTTPS certificates
If your domain name uses HTTPS, you must upload the valid and correct HTTPS certificate associated with the domain name in the WAF console. This ensures that WAF protects HTTPS requests.
- Manual uploading:
You must prepare the following files for your website before you upload the certificate:
- The certificate file in the CRT or PEM format
- The private key file in the KEY format
- Selecting an existing certificate: You can select the certificate that is associated with the domain name. For more information, see SSL Certificates Service.
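A pre-upload check for the two files listed above, as an added example that is not part of the WAF documentation: it confirms that the private key belongs to the certificate, that the certificate covers the domain name, and that it is not about to expire. The function names, file names, the `www.example.com` domain, and the 7-day default are assumptions; the sample pair is a throwaway self-signed one generated for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the WAF documentation): pre-upload sanity check.
# Usage: check_cert_pair CERT_FILE KEY_FILE DOMAIN [MIN_DAYS_LEFT]
# Returns 0 only if every check passes; prints one line per finding.
check_cert_pair() {
  local cert="$1" key="$2" domain="$3" min_days="${4:-7}" rc=0
  local cert_pub key_pub
  # Both files must parse as PEM before anything else is compared.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "FAIL: cannot parse certificate $cert"; return 2; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "FAIL: cannot parse private key $key"; return 2; }
  # 1. The private key must be the one the certificate was issued for.
  if [ "$cert_pub" = "$key_pub" ]; then echo "OK: key matches certificate"
  else echo "FAIL: private key does not match certificate"; rc=1; fi
  # 2. The certificate must cover the domain name being added to WAF.
  if openssl x509 -in "$cert" -noout -checkhost "$domain" | grep -q "does match"
  then echo "OK: certificate covers $domain"
  else echo "FAIL: certificate does not cover $domain"; rc=1; fi
  # 3. The certificate must not expire within MIN_DAYS_LEFT days.
  if openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null
  then echo "OK: valid for more than $min_days days"
  else echo "FAIL: expires within $min_days days"; rc=1; fi
  return "$rc"
}

# Constructed sample input: a throwaway self-signed pair for a made-up name.
make_sample_pair() {  # make_sample_pair DIR NAME COMMON_NAME DAYS
  openssl req -x509 -newkey rsa:2048 -nodes -days "$4" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

SAMPLE_DIR=$(mktemp -d)
make_sample_pair "$SAMPLE_DIR" site www.example.com 90
make_sample_pair "$SAMPLE_DIR" other other.example.com 90
# Matching pair for the right domain: all three checks pass.
check_cert_pair "$SAMPLE_DIR/site.crt" "$SAMPLE_DIR/site.key" www.example.com
# Key from a different certificate: check 1 fails.
check_cert_pair "$SAMPLE_DIR/site.crt" "$SAMPLE_DIR/other.key" www.example.com || true
# Domain the certificate was not issued for: check 2 fails.
check_cert_pair "$SAMPLE_DIR/site.crt" "$SAMPLE_DIR/site.key" shop.example.com || true
```
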
Procedure
References
- Upload HTTPS certificates: If your website uses HTTPS, make sure that the correct certificate and private key file are uploaded to WAF. This ensures that WAF protects HTTPS requests. To upload the HTTPS certificate and private key for the domain name, you can click the icon in the Origin Server column. For more information, see Upload HTTPS certificates.
- Enable Log Service for WAF: Click Log Service in the Quick Access column to enable the Log Service for WAF feature. This feature collects logs of your website. The logs can be used for query, analysis, dashboard data visualization, and alerting. For more information, see Enable log collection.
Note Log Service for WAF is a value-added service provided by WAF. You can use this feature only after you enable it. For more information, see Enable Log Service for WAF.
- Configure protection resources: Click the icon next to Protection Resource in the Quick Access column. Then, configure protection resources for the domain name.
The following protection resource types are supported:
- Shared Cluster and Shared IP
Note By default, websites that are automatically added to WAF use protection resources of the Shared Cluster and Shared IP type.
- Shared Cluster and Exclusive IP: For more information, see Exclusive IP addresses.
- Shared Cluster and Load Balancing Among Multiple WAF Nodes: For more information, see Intelligent load balancing.
- Exclusive Cluster: For more information, see Create an exclusive cluster.
- View attack monitoring reports: Click View Report in the Attack Monitoring column to navigate to the Security report page. On this page, you can view the protection report of the domain name. For more information, see View security reports.
- Configure protection policies: Click Config in the Actions column to navigate to the Website Protection page. On the page that appears, you can configure the Web Security, Bot Management, and Access Control/Throttling modules. For more information, see Configure the RegEx Protection Engine.
- Edit a domain name: Click Edit in the Actions column to modify the website configurations, such as the protocol type, server address, and server port. You cannot change the domain name.
- Delete a domain name: Click Delete in the Actions column to delete a domain name.
Warning Before you delete a domain name, change the DNS record to map the domain name to the IP address of the origin server. Otherwise, requests to the domain name cannot be forwarded after the domain name is deleted.
FAQ
What do I need to know about migrating website configurations across accounts?
To prevent traffic forwarding errors caused by misoperations during website configuration migration, a 30-minute protection period is configured for your website. To migrate the website configurations to another account, you must delete the website configurations from the current account. Then, wait 30 minutes before you add the website configurations to the WAF instance of another account.
If you want to immediately migrate the website configurations, submit a ticket. Alternatively, apply for a protection period cancellation for this domain name in the DingTalk group. After the protection period is canceled, you can add the website configurations to the WAF instance of another account.