Alibaba Cloud CDN can integrate with Web Application Firewall (WAF) to provide security services on the edge nodes. WAF can identify and filter out malicious requests. Only trusted requests can be redirected to origin servers. WAF can protect web servers against intrusions, secure business-critical data, and prevent server anomalies caused by attacks.

Important WAF is not compatible with WebSocket. You cannot enable both.

Prerequisites

  • WAF Pro Edition or WAF Business Edition is activated. To activate WAF Pro Edition or WAF Business Edition, Submit a ticket.
  • Before you enable WAF for an accelerated domain name, make sure that the acceleration region of the domain name is set to Global or Global (Excluding the Chinese Mainland). For more information about how to change the acceleration region for an accelerated domain name, see Change the accelerated region.

Description

Alibaba Cloud CDN can integrate with WAF to protect resources on CDN edge nodes. For more information about the features of WAF, see What is WAF?

For more information about how to configure features of WAF, see What is WAF?. The following table lists the features supported by WAF Business Edition.
FeatureBusiness Edition
Scan protectionSupported
Account securitySupported
HTTP flood protectionSupported
IP address blacklistSupported
Rate LimitSupported
Bot threat intelligence rulesSupported
JavaScript validationSupported
Crawler whitelistSupported
Web application protectionSupported
Zero-day attack protectionSupported
Block and warning modesSupported
Decoding and analytics of request data in specified formatsSupported
Custom rule groupsSupported
Access control based on HTTP fieldsSupported
Log ServiceSupported with a storage capacity up to 3 TB

Scenarios

WAF is applicable to sectors and industries such as finance, e-commerce, online-to-offline (O2O), Internet Plus, gaming, public service, and insurance. WAF prevents websites accelerated by Alibaba Cloud CDN from unexpected losses caused by attacks.

WAF provides the following security features:
  • Prevents website data leaks caused by SQL injections.
  • Protects websites against Trojans that may compromise the public trust of your website.
  • Provides virtual patches to quickly fix newly discovered vulnerabilities.

Billing

After you enable WAF for a domain name, WAF scans all requests that are sent to the domain name, counts the number of requests by account, and then charges fees based on the billing rules. For more information about the pricing of WAF, see Value-added services - WAF.

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
    Domain Names
  4. In the left-side navigation pane of the domain name, click Security Settings.
  5. On the WAF tab, turn on CDN WAF.
  6. Click Modify.
  7. Follow the on-screen instructions to configure the security features on the Web Security, Bot Traffic Management, or Access Control/Throttling tabs.
    ItemParameterDescription
    Web SecurityStatusYou can turn on or turn off Web Intrusion Prevention.
    ModeWeb Intrusion Prevention supports the following protection modes:
    • Block: blocks attacks immediately after they are detected.
    • Warn: sends alerts when attacks are detected, but does not block the attacks.
    Protection Rule GroupWeb Intrusion Prevention supports the following protection rule groups:
    • Loose rule group: If Medium rule group settings result in a high false positive rate, we recommend that you select Loose rule group. The loose rule group has the lowest false positive rate, but the highest false negative rate.
    • Medium rule group: the default protection rule group.
    • Strict rule group: If you require stronger protection against path traversal, SQL injections, and command injections, we recommend that you select Strict rule group.
    Decoding SettingsYou can specify the data formats that need to be decoded and analyzed by the RegEx protection engine.
    1. Click jiema.
    2. Select or deselect data formats based on your business requirements.
      • You cannot deselect the following formats: URL Decoding, JavaScript Unicode Decoding, Hex Decoding, Comment Processing, and Space Compression.
      • You can deselect the following formats: Multipart Data Parsing, JSON Data Parsing, XML Data Parsing, Serialized PHP Data Decoding, HTML Entity Decoding, UTF-7 decoding, Base64 Decoding, and Form Data Parsing.
    3. Click OK.
    Note To enhance protection, the RegEx protection engine decodes and analyzes the request content in all formats. If the RegEx protection engine blocks requests that contain content in formats that you do not want to block, you can deselect the formats to reduce the false positive rate.
    Bot Traffic Management (Business Edition only)Allowed CrawlersStatusYou can turn on or turn off Allowed Crawlers.
    Note This feature maintains a whitelist of search engines. The crawlers of these search engines are allowed to access all accelerated domain names. You can click Settings to enable or disable allowed crawlers based on your business requirements.
    Typical Bot Behavior IdentificationStatusYou can turn on or turn off Typical Bot Behavior Identification.
    Note This feature provides common algorithms to identify typical crawler behaviors. You can set relevant parameters and thresholds to identify advanced crawlers. You can click Settings to add algorithm rules based on your business requirements.
    Bot Threat IntelligenceStatusYou can turn on or turn off Bot Threat Intelligence.
    Note This feature leverages the computing capabilities of Alibaba Cloud to provide information about suspicious IP addresses of dialers, data centers, and malicious scanners. This feature also maintains a dynamic IP library of malicious crawlers and prevents crawlers from accessing specific domain names or paths. You can click Settings to configure this feature based on your business requirements.
    Access Control/ThrottlingBlacklistsStatusYou can turn on or turn off Blacklists.
    Note This feature allows you to block requests from specified IP addresses or CIDR blocks, or limit requests from IP addresses in specified regions. You can click Settings to add IP addresses or regions to the blacklist.
    Custom Protection PolicyStatusYou can turn on or turn off Custom Protection Policy.
    Note This feature allows you to create an access control rule and apply the access control rule to a specific object. You can click Settings to add an access control rule.

Assign a service-linked role

The first time you enable WAF in the Alibaba Cloud CDN console, you must authorize Alibaba Cloud CDN to access WAF. Alibaba Cloud CDN automatically creates the service-linked role AliyunServiceRoleForCDNAccessingWAF. After you assign this role to Alibaba Cloud CDN, Alibaba Cloud CDN can assume this role to access WAF.

The AliyunServiceRoleForCDNAccessingWAF role has the following permissions:

  • DescribePayInfo
  • CreatePostpaidInstance
  • CreateOutputDomainConfig
  • DeleteOutputDomainConfig
  • DescribeDomainWebAttackTypePv
  • ModifyLogServiceStatus
  • DescribeProtectionModuleMode
  • DescribeDomainRuleGroup
  • DescribeRegions
  • ModifyProtectionRuleStatus
  • ModifyProtectionRuleCacheStatus
  • DescribePeakValueStatisticsInfo
  • DescribeDomainAccessStatus
  • DescribeFlowStatisticsInfo
  • DescribeDomainTotalCount
  • DescribeResponseCodeStatisticsInfo
  • DescribeDDosCreditThreshold
  • ModifyDomainClusterType
  • DescribeInstanceInfo
  • DescribeOutputDomains
  • CreateOutputDomain
  • DeleteOutputDomain
  • DeleteInstance
  • DescribeInstanceSpecInfo
  • DescribeDomainBasicConfigs

If you want to delete the AliyunServiceRoleForCDNAccessingWAF role, submit a ticket to delete the WAF instance and disable WAF features for all accelerated domain names. Then, delete this role in the Resource Access Management (RAM) console.