Website configuration refers to the process of configuring traffic forwarding for a website added to Web Application Firewall (WAF) in the WAF console. This topic describes how to add and manage website configurations when you use the DNS proxy mode to configure WAF for your website.

Background information

Note You can use the transparent proxy mode to configure WAF for your website if all the following conditions are met:
    • You have activated a subscription-based WAF instance.
    • Your origin server is deployed on an ECS instance in the China (Beijing) region.
    • The ECS instance has a public IP address or is bound to an EIP.

  • Transparent proxy mode: This mode reroutes HTTP requests targeting port 80 of the specified origin server to WAF. WAF processes these requests and then redirects the requests to the origin server.

    To use this mode, you must authorize WAF to access the ECS instance where your origin server is deployed. To configure this mode, add a domain and specify the IP address of the origin server in the WAF console. For more information, see Use the transparent proxy mode to configure WAF.

  • DNS proxy mode: This mode reroutes requests targeting the protected domain to WAF by changing the DNS records. WAF processes and redirects the requests to the specified origin server.

    In DNS proxy mode, you must add the website configuration of your website in the WAF console and change the DNS records of the domain.

To use the DNS proxy mode, you can either Add website configurations automatically or Add website configurations manually.
  • Add website configurations automatically: When you add website configurations, WAF can automatically read the A record from the Alibaba Cloud DNS console and obtain the domain name of your website and the origin server IP address. After WAF obtains this information, it automatically adds the website configuration. After the website configuration is added, WAF automatically updates the DNS records of the domain name to complete the configuration.
    Note The protection resource assigned for an automatically added website is a shared cluster and a shared WAF IP address. If you want to change the protection resource to an exclusive cluster or an exclusive WAF IP, modify Protection Resource for the website on the Website Configuration page.
  • Add website configurations manually: If your DNS records are not managed by Alibaba Cloud DNS, you must add website configurations manually and change DNS records at your DNS service provider to redirect requests to WAF.

    For more information about changing the DNS records, see Configure DNS settings.

Note The number of website configurations that you can add on the Website Configuration page depends on your WAF instance specification and the number of extra domains. For more information, see Extra domains.

If the configuration of your website, such as the origin server address, protocol, or server port, is changed, or you need to modify advanced HTTPS settings, see Edit website configurations.

If you no longer need to protect a domain, you can restore the DNS settings and then Delete website configurations.

Add website configurations automatically

Prerequisites

Procedure

Add website configurations manually

Prerequisites

  • You have obtained the domain name of the website that needs protection.
  • You have obtained the origin server IP address of the website.
  • Check whether you have configured or need to configure other proxy services for your website. For example, Alibaba Cloud CDN and Alibaba Cloud Anti-DDoS Pro.
  • If your website is deployed in a Mainland China region, make sure that you have obtained an ICP license.
  • For an HTTPS-based website, you must obtain the HTTPS certificate and the private key file, or host your certificate on Alibaba Cloud SSL Certificates Service.

Procedure

  1. Log on to the WAF console.
  2. In the left-side navigation pane, choose Management > Website Configuration. On the top of the Website Configuration page, set the region of your WAF instance to Mainland China or International.
  3. Optional: Select DNS Proxy Mode.
  4. Click Add Domain.
    WAF automatically lists all domain names that have an A record configured on Alibaba Cloud DNS under the current Alibaba Cloud account. If no A records have been created on Alibaba Cloud DNS, the Choose your domain page will not appear.
  5. Optional: On the Choose your domain page, click Add other domains manually.
  6. On the Fill in the website information page, complete the following configuration.
    Parameter: Description
    Domain name: Enter the domain name that needs WAF protection.
    Note
    • Supports wildcard domains, such as *.aliyun.com. WAF automatically matches all subdomains for the wildcard domain.
    • If you enter a wildcard domain and a specific domain name, such as *.aliyun.com and www.aliyun.com, WAF will use the forwarding rules and protection policies of the specific domain name.
    • Currently, .edu domain names are not supported. If you need to use a .edu domain name, submit a ticket for technical support.
    Protection resource: The default protection resource is Shared Cluster. If you have upgraded to Exclusive edition, you can change the protection resource to Exclusive Cluster to enable custom protection. For more information about an exclusive cluster, see Create an exclusive cluster.
    Protocol type: Select a protocol type. Valid values: HTTP, HTTPS, and HTTP 2.0.
    Note
    • If your website supports HTTPS, select HTTPS and upload the certificate and the private key file after you add the website configuration. For more information, see Update HTTPS certificates.
    • After you select HTTPS, click Advanced settings to enable HTTP force redirect and HTTP back-to-origin to ensure efficient access to your website. For more information, see HTTPS advanced settings.
    • To enable protection for HTTP 2.0 requests, make sure the following conditions are met:
      • You have upgraded your WAF instance to Business edition or Enterprise edition.
      • You have selected HTTPS.
    Server address: Enter the address of the origin server. Both IP addresses and other address formats are supported. WAF filters and redirects the requests to this address.
    • (Recommended) Select IP and enter the public IP address of the origin server, such as the IP address of the ECS or SLB instance.
      Note
      • Separate multiple IP addresses with commas (,). You can enter up to 20 server IP addresses.
      • If you enter multiple IP addresses, WAF automatically performs health check and load balancing on these addresses before redirecting requests. For more information, see Load balance across multiple origin IP addresses.
    • Select Other addresses and enter the origin domain of the server, such as an OSS CNAME address.
      Note
      • The origin domain and the protected domain must be different.
      • If you enter an OSS CNAME address for your origin server, you must bind a custom domain name to the OSS CNAME address in the OSS console after you complete the website configuration. For more information, see Manage domains.
    Server port: Specify the server port. After you configure WAF for your website, WAF redirects the filtered requests to this port.
    Notice The protocol and the port must be the same as those of the origin server IP address. You cannot change the port after it is specified.
    • If you select HTTP, the default port is 80.
    • If you select HTTPS, the default port is 443.
    • If you need to use other ports, click Custom to add ports.
      Note
      • For more information about the non-standard ports supported by WAF, see Supported non-standard ports.
      • If you are using an exclusive cluster to protect your website, you can only select ports from the Destination Server Port field on the Exclusive Cluster Settings page.
    • The HTTP 2.0 ports and the HTTPS ports are the same.
    Whether a layer 7 proxy (such as Anti-DDoS Pro and CDN) is enabled: Select yes or no based on the actual status of your website. If a layer 7 proxy is configured to redirect requests before WAF, select yes. Otherwise, WAF cannot obtain the real IP addresses of clients that initiate requests to your website.
    Load balancing algorithm: When multiple origin server addresses are specified, select IP hash or Round-robin. WAF distributes requests to these servers based on the specified algorithm.
    Traffic labeling: Enter an unused Header Field name and specify a Header Field Value. WAF adds the specified header field to the filtered requests. This enables your backend server to identify the requests redirected by WAF.
    Note If a request already contains the specified header field, WAF overwrites the original field value with the specified value.
  7. Click Next to complete the configuration.
    You can perform the following operations after you configure WAF.
    • Enter the required information on the Change DNS Record page. For more information, see Configure DNS settings.
    • If you select HTTPS as the protocol type, upload the HTTPS certificate and the private key file. For more information, see Update HTTPS certificates.
    • Choose Management > Website Configuration to view the website configuration that you have added. You can edit or delete it.
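
An origin-side check for the traffic label configured in step 6, as an added example that is not part of the original documentation: a WSGI middleware that rejects requests arriving without the label. The header name X-Waf-Label and its value are hypothetical placeholders for the pair you enter under Traffic labeling, and the check is only as strong as the secrecy of that value.

```python
import hmac

# Hypothetical values: use the Header Field name/value entered under
# "Traffic labeling". Treat the value as a secret shared with WAF only.
LABEL_HEADER = "X-Waf-Label"
LABEL_VALUE = "constructed-sample-7f3c9a"


def _environ_key(header_name):
    # WSGI exposes request headers as HTTP_<NAME> with dashes as underscores.
    return "HTTP_" + header_name.upper().replace("-", "_")


class RequireWafLabel:
    """WSGI middleware: answer 403 unless the request carries the WAF label."""

    def __init__(self, app, header=LABEL_HEADER, value=LABEL_VALUE):
        self.app = app
        self.key = _environ_key(header)
        self.value = value.encode()

    def __call__(self, environ, start_response):
        got = environ.get(self.key, "").encode("latin-1", "replace")
        # Constant-time comparison so the value cannot be guessed by timing.
        if not hmac.compare_digest(got, self.value):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request did not arrive through WAF\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(headers):
    """Run constructed request headers through the middleware; return the status."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    for name, value in headers.items():
        environ[_environ_key(name)] = value
    seen = []
    body = RequireWafLabel(demo_app)(environ, lambda status, hdrs: seen.append(status))
    list(body)  # drain the response body
    return seen[0]
```

Because WAF overwrites a client-supplied copy of the header, a request that passes through WAF always carries the configured value; a request sent straight to the origin passes only if the sender knows it.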

Edit website configurations

If the configuration of your website such as the server address, protocol type, or server port is changed, or you need to configure advanced HTTPS settings, edit the website configuration of your website.

  1. Log on to the WAF console.
  2. On the top of the page, select Mainland China or International.
  3. Choose Management > Website Configuration, select DNS Proxy Mode, and click Edit to modify the website configuration for the specified website.
  4. On the Edit page, perform step 6 described in the Add website configurations manually section to modify the configuration.
    Note You cannot change the domain name. If you want to configure WAF for another domain, we recommend that you add a website configuration and delete unnecessary configurations.
  5. Click OK to complete the operation.

Delete website configurations

If you want to disable WAF for your website, you can restore the DNS settings to reroute requests to the origin server, and delete the website configuration.

  1. Log on to the Alibaba Cloud WAF console.
  2. On the top of the page, select Mainland China or International.
  3. Choose Management > Website Configuration, select DNS Proxy Mode, and click Delete.
    Note You must restore the DNS settings before deleting the website configuration. Otherwise, the website may become inaccessible.
  4. In the Prompt dialog box, click OK to confirm the deletion.
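
A check to run before step 3, as an added example that is not part of the original documentation: it confirms that the domain already resolves only to your origin server addresses, which is what restored DNS settings look like. The hostname and addresses are constructed sample values.

```python
import ipaddress
import socket


def system_resolve(hostname):
    """Resolve hostname with the system resolver (CNAME records are followed)."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()  # no answer: treated as "not restored"
    return {info[4][0] for info in infos}


def dns_restored(hostname, origin_ips, resolver=system_resolve):
    """Return (ok, stray).

    ok is True only if the name resolves and every resolved address is one
    of the origin addresses; stray lists resolved addresses that are not.
    """
    origin = {ipaddress.ip_address(ip.strip()) for ip in origin_ips}
    resolved = {ipaddress.ip_address(addr) for addr in resolver(hostname)}
    stray = sorted(str(addr) for addr in resolved - origin)
    return bool(resolved) and not stray, stray


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    ok, stray = dns_restored("www.example.com", ["203.0.113.10", "203.0.113.11"])
    print("safe to delete" if ok else f"DNS not restored, still resolving to: {stray}")
```

The system resolver can return cached records, so repeat the check after the TTL of the old record has expired before you delete the configuration.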

Migrate website configurations between accounts

To prevent traffic forwarding errors caused by improper operations during website configuration migration, a 30-minute protection period is configured for your website. To migrate a website configuration to another account, you must first delete the website configuration from the current account, and then wait 30 minutes before you add it to the WAF instance of the other account.

If you want to migrate the website configuration immediately, open a ticket or apply for a protection period cancellation for this domain in the DingTalk customer support group. After the protection period is canceled, you can add the domain to the WAF instance of another account.