This topic describes how to enable WAF protection for your domain names by using the CNAME record method.

Prerequisites

  • WAF is activated, and the numbers of top-level domain names and subdomains that are added to a WAF instance do not exceed the upper limits.
    Note The total number of domain names that can be added to a WAF instance depends on the specifications of the instance and the number of extra domain name packages that you purchase. For more information, see Extra domain quota.
  • To add a domain name to an instance that is deployed in a region inside mainland China, you must obtain an ICP license for the domain name.

Background information

You can use either of the following methods to add your website configurations:
  • Automatically add website configurations: In this mode, WAF automatically reads the information about the domain name assets under your Alibaba Cloud account, so you only need to select the domain name and network protocol type on the Add Domain Name page. WAF then adds the website configurations, such as the website domain name, server address, and standard ports (80 and 443), and changes the DNS record of the domain name.
    Note The account that is used to add domain names must have management permissions on Alibaba Cloud DNS resources. Otherwise, DNS resolution fails. If DNS resolution fails, you can manually change the DNS record of the domain name after the domain name is automatically added.
  • Manually add website configurations: This mode requires you to manually add your website configurations, such as the domain name, protocol, server address, and server port. You also need to change the DNS record of the domain name to forward the web requests of the website to WAF for traffic scrubbing.

Automatically add website configurations

The Add Domain Name page appears only when an eligible domain name exists. Eligible domain names are the valid domain names configured in Alibaba Cloud DNS. Otherwise, you need to manually add the domain name.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Website Access page, click Add Domain Name.
  5. On the Add Domain Name page, select the target domain name in the Domain Name column, as well as the protocol in the Protocol Status column, and click Add domain protection now.
    Note The Add Domain Name page appears only when an eligible domain name exists. If the Add Domain Name page is not displayed, we recommend that you manually add the website configurations. For more information, see Step 6.

    If you select https, you must complete certificate verification before you add the website configurations.

    Follow these steps to verify the certificate:

    1. Select a domain name and https and click Verify Certificate in the HTTPS Certificate column.
    2. In the Verify Certificate dialog box, set Upload Type and upload the HTTPS certificate.
      • Manual Upload: Specify Certificate Name, Certificate File, and Private Key File.
      • Select Existing Certificate: Select a certificate from the Certificate list. You can click Cloud Security - Certificate Service to go to the SSL Certificates Service console to manage certificates.
      • Purchase Certificate: Click Buy now to go to the SSL Certificates Service buy page and purchase a certificate for your domain name.

        In this step, you can purchase only paid DV certificates. To purchase a different type of certificate, go to the SSL Certificates Service buy page. For more information, see Select and purchase certificates.

    3. Click Confirm after the HTTPS certificate is uploaded.
      • If the certificate verification succeeds, click Add domain protection now.
      • If the certificate verification fails, verify the certificate again based on the error message, such as The certificate and key do not match, until the verification succeeds.
    WAF automatically adds the website configurations and changes the DNS record.
    Note To add ports other than 80 and 443, we recommend that you manually edit the domain name after the domain name is automatically added. For more information, see References.

    Possible issues and solutions:

    • Domain name was added successfully, but you need to manually change the DNS record.
      Possible causes: The account used to add the domain name does not have management permissions on Alibaba Cloud DNS resources, or the uploaded HTTPS certificate does not match your domain name.
      Note Even if your website supports HTTPS and the certificate verification succeeds, certificate detection still fails if the uploaded certificate does not match the website. In that case, the DNS record is not automatically changed. You must upload a valid certificate that matches the website and then manually change the DNS record. For more information, see Upload HTTPS certificates.

      Click manually access the DNS. In the Manual Configuration dialog box that appears, change the DNS settings. For more information, see Change the DNS settings.

    • The maximum number of domain names has been reached.

      Click extra domain package to purchase an extra domain name package. Add the domain name again.

    • No ICP filing records are found for the domain name.

      If your domain name is deployed in mainland China, you must complete ICP filing for the domain name. Otherwise, an error message is displayed, indicating that the system fails to add the website configurations. Complete ICP filing for your domain name. For more information, see ICP filing application overview.

Manually add website configurations

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Website Access page, click Add Domain Name.
  5. Optional: On the Add Domain Name page, click Manually Add Other Websites.
    Note The Add Domain Name page appears only when an eligible domain name exists. If the Add Domain Name page is not displayed, skip this step.
  6. Follow the Add Domain Name wizard to complete the configuration.
    1. Enter your website information.
      The following parameters are available:

      Domain Name
        Enter the domain name that needs WAF protection.
        • WAF supports exact match domains, such as www.aliyun.com, and wildcard domains, such as *.aliyun.com.
          • If you use a wildcard domain, WAF automatically matches all subdomains of the wildcard domain.
          • If you configure both a wildcard domain and an exact match domain, WAF uses the forwarding rules and protection policies of the exact match domain.
        • Currently, .edu domain names are not supported. To use .edu domain names, submit a ticket for technical support.

      Protection Resource
        If you are using the WAF Exclusive edition, select a protection resource.
        Note This parameter is available only for the WAF Exclusive edition.
        Valid values:
        • Shared Cluster: This is the default value.
        • Exclusive Cluster: You can customize an exclusive cluster to deliver business-specific protection. For more information, see Create an exclusive cluster.

      Protocol Type
        Select a protocol type. Valid values:
        • HTTP
        • HTTPS: If your website supports HTTPS, select HTTPS and upload the certificate and the private key file after you add the website configurations. For more information, see Upload HTTPS certificates.
          After you select HTTPS, click Advanced Settings to show more options. Advanced Settings supports the following features:
          • Enforce HTTPS Routing: When HTTPS routing is enforced, HTTP requests are delivered over HTTPS port 443. You must clear HTTP before you turn on Enforce HTTPS Routing.
            Notice Make sure that your website supports HTTPS. After this feature is enabled, requests are delivered over HTTPS.
          • Enable HTTP: When this feature is enabled, WAF returns requests over HTTP. The default port is port 80. Turn on Enable HTTP if your website does not support HTTPS.
          For more information, see Enable HTTPS advanced settings.
        • HTTP2: This option is available only when you use WAF Business edition or Enterprise edition and have selected HTTPS.

      Destination Server (IP Address)
        Enter the address of the origin server. You can select either IP or Destination Server (Domain Name). WAF filters the requests and forwards them to this address.
        • IP: Enter the public IP address of the origin server.
          Separate multiple IP addresses with commas (,). You can enter up to 20 IP addresses. Do not use line breaks.
          Note If you enter multiple IP addresses, WAF automatically performs health checks and load balancing on these addresses before forwarding requests. For more information, see Specify a load balancing algorithm.
          • If the origin server is hosted on an Alibaba Cloud ECS instance, enter the public IP address of the instance.
          • If the ECS instance is associated with an SLB instance, enter the public IP address of the SLB instance.
          • If your origin server is not deployed on Alibaba Cloud, we recommend that you ping the domain name to query its public IP address, and then enter that public IP address.
        • Destination Server (Domain Name): Enter the origin domain of the server, such as an OSS CNAME address.
          The origin domain and the protected domain must be different.
          Note If you enter an OSS CNAME address for your origin server, you must bind a custom domain name to the OSS CNAME address in the OSS console after you complete the website configurations. For more information, see Bind custom domain names.

      Destination Server Port
        The port through which WAF forwards website requests to the origin server.
        WAF forwards the filtered requests only through the ports that you specify. Therefore, enabling ports that you do not specify does not pose any security threats to the origin server.
        Notice Protocol Type and Destination Server Port must be the protocol and port that the origin server uses to provide web services. You cannot change them after they are specified. For example, if the origin server provides web services over HTTP port 80, HTTP and port 80 must be enabled for your domain name.
        Default port:
        • HTTP 80: This port is used when HTTP is selected.
        • HTTPS 443: This port is used when HTTPS is selected.
          Note HTTP/2 uses the same port as HTTPS.
        Custom port: Click Customize and configure the HTTP and HTTPS custom ports. Click View Allowed Port Range to query all available ports. Separate multiple ports with commas (,).
        Note
        • For more information about the ports supported by the shared cluster, see Customize server ports.
        • If you are using the WAF Exclusive edition, you can select ports only from the Server Ports section on the Exclusive Cluster Settings page. For more information, see Create an exclusive cluster.

      Load Balancing Algorithm
        If multiple origin IP addresses are configured, select a value. Valid values:
        • IP hash: Requests from a specific IP address are forwarded to the same origin server. This is the default value.
          Note If the IP addresses of origin servers are not scattered after this algorithm is selected, imbalanced loads may occur.
        • Round Robin: All requests are distributed to the origin servers in turn.
        • Least time: You can use the intelligent DNS resolution feature and the upgraded Least-time back-to-origin algorithm to achieve the lowest latency when traffic is forwarded to origin servers.
          Note You can select Least time only when intelligent load balancing is enabled. For more information, see Intelligent load balancing.

      Whether a layer 7 proxy (such as Anti-DDoS Pro and CDN) is enabled
        Select Yes if a Layer 7 proxy is deployed in front of WAF. Otherwise, WAF cannot obtain the actual IP addresses of clients. For more information, see the following topics:
        Select No if no Layer 7 proxy is deployed in front of WAF.

      Request Tag
        Enter a Header Field Name that is not already in use and a custom Header Field Value to mark the web requests forwarded by WAF.
        WAF adds the specified header field to the filtered requests. This allows your backend server to identify the requests forwarded by WAF.
        Notice If a request already contains the specified header field, WAF overwrites the original field value with the specified value.
        For more information, see Mark back-to-origin traffic.

      Resource Group
        Select the resource group to which the domain name belongs from the resource group list.
        Note You can use Resource Management to create resource groups and manage the resources under your Alibaba Cloud account by department or project. For more information, see Create a resource group.
    2. Change DNS Settings.
      Change the DNS record of the domain name to resolve the domain name to WAF for traffic scrubbing. For more information, see Change the DNS settings.
    3. Add Completed.
      If your server is using firewall services other than WAF, we recommend that you disable them or add the IP address of WAF to the whitelist to avoid false positives. For more information, see Whitelist Alibaba Cloud WAF IP addresses. If your server does not use other firewall services, no configuration is required.

      Click Completed. Return to the website list. The website access page appears.
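As an added example (not Alibaba Cloud's code), the following Python sketch shows the origin-server side of the settings above: it accepts a request only if the connecting peer is in the WAF back-to-origin ranges and the Request Tag header carries the configured value, then recovers the real client IP from X-Forwarded-For by stripping the WAF hop and, where one is deployed, the Layer 7 proxy hop in front of WAF. The IP ranges, header name and tag value are constructed placeholders, not Alibaba Cloud's published values.

```python
"""Origin-side checks for requests forwarded by WAF (added example).

Assumptions (all constructed placeholders):
- WAF_BACK_TO_ORIGIN: the WAF back-to-origin ranges you whitelisted.
- TAG_HEADER / TAG_VALUE: the Request Tag configured in the console.
- L7_PROXIES: egress ranges of a CDN / Anti-DDoS Pro proxy in front of WAF.
"""
import hmac
import ipaddress

WAF_BACK_TO_ORIGIN = [ipaddress.ip_network("198.51.100.0/24")]
L7_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
TAG_HEADER = "X-WAF-Tag"
TAG_VALUE = "origin-secret-7f3a"


def _in_ranges(ip, ranges):
    """True if ip parses and falls inside any of the given networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def check_request(peer_ip, headers):
    """Return (accepted, reason, client_ip) for one incoming request.

    peer_ip: address of the TCP peer that connected to the origin.
    headers: dict of header name -> value (looked up case-insensitively).
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    # 1. The connection must come from WAF. Only then is the tag header
    #    meaningful: WAF overwrites any client-supplied copy of it, but a
    #    request that reaches the origin directly never passed through WAF.
    if not _in_ranges(peer_ip, WAF_BACK_TO_ORIGIN):
        return False, "peer not in WAF back-to-origin ranges", None
    # 2. The Request Tag header marks traffic that WAF has scrubbed.
    tag = hdr.get(TAG_HEADER.lower(), "")
    if not hmac.compare_digest(tag, TAG_VALUE):
        return False, "missing or wrong request tag", None
    # 3. Recover the client IP from X-Forwarded-For: walk from the right
    #    and drop every hop that belongs to WAF or to the Layer 7 proxy,
    #    so entries the client itself prepended are never trusted.
    hops = [h.strip() for h in hdr.get("x-forwarded-for", "").split(",")]
    hops = [h for h in hops if h] + [peer_ip]
    while hops and _in_ranges(hops[-1], WAF_BACK_TO_ORIGIN + L7_PROXIES):
        hops.pop()
    if not hops:
        return False, "no client address in X-Forwarded-For", None
    try:
        client_ip = str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return False, "malformed X-Forwarded-For entry", None
    return True, "ok", client_ip
```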

References

You can go to the Website Access page to view the added domain name in the domain name list and perform the following operations as needed:
  • Check the DNS resolution status: The DNS Status of the domain name is Normal only when it is resolved to the WAF CNAME address and WAF detects access traffic to it. If DNS Status is Abnormal, click the Abnormal icon to query the cause. After the exception is fixed, click the Recheck icon to perform the check again.

    For more information, see DNS resolution status exception.

  • Upload HTTPS certificates: If your website supports HTTPS, make sure that the correct certificate and private key are uploaded to WAF. This ensures that your website can handle HTTPS traffic. You can click the Upload icon next to HTTPS to upload the HTTPS certificate and private key for the domain name.

    For more information, see Upload HTTPS certificates.

  • Enable Log Service: You can turn on Log Service of WAF to collect all logs of your website. The logs can be used for query, analysis, dashboard data visualization, and alerting.

    For more information, see Enable log collection.

    Note The Log Service function is a value-added service provided by WAF. Log Service is available after you enable the function. For more information, see Activate Log Service for WAF.
  • Configure protection resources: Click the Configure protection resources icon in the Protection Resource column to configure protection resources for the domain name.
    Supported protection resource types include:
    • Shared Cluster and Shared IP
      Note By default, websites that are automatically added use protection resource of the Shared Cluster and Shared IP type.
    • Shared Cluster and Exclusive IP : For more information, see Exclusive WAF IP addresses.
    • Shared Cluster and Load Balancing Among Multiple WAF Nodes: For more information, see Intelligent load balancing.
    • Exclusive Cluster: For more information, see Create an exclusive cluster.
  • View attack monitoring reports: Click View Report in the Attack Monitoring column to navigate to the Security report page to view the domain name protection report. For more information, see View security reports.
  • Configure protection policies: Click Config in the Actions column to navigate to the Website Protection page. On the page that appears, you can configure Web Security, Bot Management, and Access Control/Throttling policies. For more information, see Configure the RegEx Protection Engine.
  • Edit a domain name: Click Edit in the Actions column to modify the website information, such as the protocol type, server address, and server port. Domain names cannot be changed.
  • Delete a domain name: Click Delete in the Actions column to delete a domain name.
    Warning Before you delete the domain name, resolve the domain name to the IP address of the origin server. Otherwise, the traffic to the domain name cannot be forwarded after the domain name is deleted.

FAQ

What do I need to know about migrating website configurations across accounts?

To prevent traffic forwarding errors caused by improper operations during website configuration migration, a 30-minute protection period is configured for your website. To migrate the website configurations to another account, you must delete the website configurations from the current account. After 30 minutes, you can add the website configurations to the WAF instance of another account.

If you want to migrate the website configurations immediately, submit a ticket or apply for a protection period cancellation for this domain name in the DingTalk customer support group. After the protection period is canceled, you can add the domain name to the WAF instance of another account.