
Anti-DDoS:Use an Anti-DDoS Origin paid edition and WAF

Last Updated:Aug 05, 2025

This topic describes how to use an Anti-DDoS Origin paid edition and Web Application Firewall (WAF) to provide protection. This solution protects your website against Layer 4 distributed denial of service (DDoS) attacks, Layer 7 web attacks, and HTTP flood attacks.

Prerequisites

  • An Elastic Compute Service (ECS) instance is created and has web applications deployed. The ECS instance has a public IP address, and your website has a domain name.

    Note

    If your website provides services in the Chinese mainland, you must complete Internet Content Provider (ICP) filing for the domain name of your website. Otherwise, you cannot add the domain name to WAF instances in the Chinese mainland to protect your website.

  • An Anti-DDoS Origin instance of a paid edition is purchased. For more information, see Purchase an Anti-DDoS Origin instance of a paid edition.

    Note

    When you purchase an Anti-DDoS Origin instance of a paid edition, you must select a region. Make sure that the Anti-DDoS Origin instance of a paid edition and the ECS instance reside in the same region.

  • A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance.

Background information

You can use an Anti-DDoS Origin paid edition to mitigate DDoS attacks for your website. If your website encounters web attacks and HTTP flood attacks, we recommend that you use WAF to protect your website. For more information about WAF, see What is WAF?

If you use an Anti-DDoS Origin paid edition and WAF to protect your website, you must add your website to WAF and then add the IP address of the WAF instance to the Anti-DDoS Origin paid edition for protection. In this case, all service traffic is first scrubbed by WAF, and only normal traffic is forwarded to the origin server. Attack traffic, such as DDoS attacks, web attacks, and HTTP flood attacks, is blocked.

Procedure

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, click Website Configuration.

  3. On the CNAME Record tab, click Add.

  4. In the Configure Listener step, configure the parameters and click Next.

    Parameter

    Description

    Domain Name

    Enter the domain name that you want to protect. You can enter an exact-match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. You can enter only one domain name.

    The first time you add a domain name to WAF, you must verify your ownership of the domain name. You can add the domain name to WAF only after you successfully verify your ownership of the domain name. For more information, see Verify the ownership of a domain name.

    Note
    • You can use a wildcard domain name to match all subdomains at the same level but not across different levels. For example, *.aliyundoc.com can match www.aliyundoc.com and example.aliyundoc.com, but it cannot match www.example.aliyundoc.com.

    • A second-level wildcard domain name can cover its second-level parent domain name. For example, *.aliyundoc.com can cover aliyundoc.com.

    • A third-level wildcard domain name cannot cover its third-level parent domain name. For example, *.example.aliyundoc.com cannot cover example.aliyundoc.com.

    • If you add an exact-match domain name and a wildcard domain name that covers the exact-match domain name, the protection rules that are configured for the exact-match domain name take precedence.
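The matching and precedence rules in the preceding note, modelled in Python as an added example (this is not Alibaba Cloud's implementation). The function names wildcard_matches and select_domain_config and the constructed host names are assumptions; the behaviour for a host that is shorter than the wildcard suffix (no match) is my own reading of the rules, not something the page states.

```python
"""Model of the WAF wildcard domain matching rules (added example).

Rules as described on the page:
  * "*.aliyundoc.com" matches hosts exactly one label deeper (www.aliyundoc.com),
    not hosts two or more labels deeper (www.example.aliyundoc.com).
  * A second-level wildcard (*.aliyundoc.com) also covers its parent aliyundoc.com;
    a third-level wildcard (*.example.aliyundoc.com) does not cover its parent.
  * An exact-match domain takes precedence over a wildcard that also covers the host.
"""
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Split a domain name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, host: str) -> bool:
    """Return True if a configured domain (exact or wildcard) covers host."""
    p, h = _labels(pattern), _labels(host)
    if p[0] != "*":
        return p == h                      # exact-match domain name
    suffix = p[1:]                         # labels after the "*"
    if h[-len(suffix):] != suffix:         # assumption: shorter hosts never match
        return False
    depth = len(h) - len(suffix)           # labels the "*" would have to absorb
    if depth == 1:
        return True                        # subdomain at the same level
    # depth == 0 means host is the wildcard's parent; only a second-level
    # wildcard (two labels after "*") covers its parent. depth > 1 never matches.
    return depth == 0 and len(suffix) == 2


def select_domain_config(host: str, configured: List[str]) -> Optional[str]:
    """Pick the configured domain whose protection rules apply to host.

    Exact-match entries win over wildcard entries that cover the same host.
    Returns None if no configured domain covers the host.
    """
    matches = [d for d in configured if wildcard_matches(d, host)]
    exact = [d for d in matches if not d.startswith("*")]
    if exact:
        return exact[0]
    return matches[0] if matches else None


if __name__ == "__main__":
    # Constructed sample configuration mirroring the page's examples.
    configured = ["*.aliyundoc.com", "www.aliyundoc.com", "*.example.aliyundoc.com"]
    for host in ["www.aliyundoc.com", "api.aliyundoc.com", "aliyundoc.com",
                 "www.example.aliyundoc.com", "example.aliyundoc.com", "www.other.com"]:
        print(f"{host:28} -> {select_domain_config(host, configured)}")
```

The precedence step matters when you tune protection rules: a rule attached to www.aliyundoc.com is the one that applies to that host even though *.aliyundoc.com is also configured.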

    Protocol Type

    Select the protocol type and ports that are used by your website service. Press the Enter key each time you enter a port number.

    Note

    The port number that you enter must be within the range of ports that are supported by WAF. You can click View Port Range to view the HTTP and HTTPS ports that are supported by WAF. For more information, see View supported ports.

    • If you select HTTPS, configure the HTTPS Upload Type parameter to specify the method that you want to use to upload an SSL certificate. Then, upload the SSL certificate that is bound to the domain name to WAF. This way, WAF can monitor the HTTPS traffic of the website.

      In the HTTPS Certificate Upload Mode section, specify the method that you want to use to upload an SSL certificate.

      Note

      WAF (version_share_vm) does not support HTTPS.

      Manual Upload

      Select Manual Upload and configure the Certificate Name, Certificate File (in the -----BEGIN CERTIFICATE-----......-----END CERTIFICATE----- format), and Private Key (in the -----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY----- format) parameters.

      Important
      • If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the certificate file and copy the text content. If the certificate file is in another format, such as PFX or P7B, you must convert the certificate file to the PEM format before you can use a text editor to open the certificate file and copy the text content. You can log on to the Certificate Management Service console and use the certificate format conversion tool. For more information, see Convert the format of a certificate.

      • If a domain name is bound to multiple SSL certificates or a certificate chain, you must combine the text content of the certificate files and upload the combined content to WAF.

      Select Existing Certificate

      If your certificate meets one of the following conditions, you can select Select Existing Certificate and select the certificate that you want to upload to WAF from the certificate list:

      • The certificate is issued by Certificate Management Service (Original SSL Certificate).

      • The certificate is a third-party certificate that is uploaded to Certificate Management Service.

      Important

      If you select a third-party certificate that is uploaded to Certificate Management Service and the Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected. error message appears, click Alibaba Cloud Security - Certificate Management Service and re-upload the certificate in the Certificate Management Service console. For more information, see Upload and share an SSL certificate.

      Purchase Certificate

      Select Purchase Certificate and click Apply. In the Certificate Management Service console, apply for a certificate for the domain name.

      Note
      • You can apply for only a paid domain validated (DV) certificate. If you want to apply for a different type of certificate, you must purchase a certificate from Certificate Management Service. For more information, see Purchase an official certificate.

      • After you configure a certificate for your domain name in the Certificate Management Service console, the certificate is automatically uploaded to WAF.

    • If you select HTTPS and upload a certificate, you can perform the following operations based on your business requirements:

      • If your website supports HTTP/2, select HTTP2 to protect HTTP/2 requests.

        Note

        The HTTP/2 ports are the same as the HTTPS ports.

      • Advanced Settings

        • Enable HTTPS Routing (disabled by default)

          If you enable this feature, HTTP requests are automatically redirected to HTTPS requests on port 443. This feature improves security. After this feature is enabled, HTTP Strict Transport Security (HSTS) is enabled by default and the Strict-Transport-Security header is included in responses to ensure that your website can be accessed only by using HTTPS.

          Important

          You can enable this feature only if you do not select HTTP.

        • TLS Version

          Specify the versions of the Transport Layer Security (TLS) protocol supported for HTTPS communication. If a client uses an unsupported TLS version, WAF blocks requests sent from the client. Later versions of the TLS protocol provide higher security but lower compatibility.

          We recommend that you specify the TLS versions based on the HTTPS settings of your website. If you cannot obtain the HTTPS settings of your website, use the default value.

          Valid values:

          • TLS 1.0 and Later (Best Compatibility and Low Security) (default)

          • TLS 1.1 and Later (High Compatibility and High Security)

            If you select this value, a client that uses TLS 1.0 cannot access your website.

          • TLS 1.2 and Later (High Compatibility and Best Security)

            If you select this value, a client that uses TLS 1.0 or 1.1 cannot access your website.

          If your website supports TLS 1.3, select Support TLS 1.3. By default, WAF does not listen for requests sent by using TLS 1.3.

        • HTTPS Cipher Suite

          Specify the cipher suites that are allowed for HTTPS communication. If a client uses cipher suites that are not supported, WAF blocks the requests that are sent from the client.

          The default value is All Cipher Suites (High Compatibility and Low Security). We recommend that you modify this parameter only if your website supports only specific cipher suites.

          Options:

          • All Cipher Suites (High Compatibility and Low Security) (default): The following strong cipher suites and weak cipher suites are supported:

            • Strong cipher suites

              • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

              • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

              • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

              • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

              • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

              • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

              • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

              • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

              • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

              • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

              Note

              The following two cipher suites may be classified as weak cipher suites by some security scanning tools because they use the RSA algorithm and the AES-CBC mode, which offer lower security than cipher suites that use the ECDSA algorithm or the AES-GCM mode:

              • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

              • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

            • Weak cipher suites

              • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

              • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

              • TLS_RSA_WITH_AES_128_GCM_SHA256

              • TLS_RSA_WITH_AES_256_GCM_SHA384

              • TLS_RSA_WITH_AES_128_CBC_SHA256

              • TLS_RSA_WITH_AES_256_CBC_SHA256

              • TLS_RSA_WITH_AES_128_CBC_SHA

              • TLS_RSA_WITH_AES_256_CBC_SHA

              • SSL_RSA_WITH_3DES_EDE_CBC_SHA

          • Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.): If your website supports only specific cipher suites, select this value and then select the cipher suites that are supported by your website from View supported cipher suites.

            Clients that use other cipher suites cannot access the website.

    Whether Layer 7 Proxy, Such As Anti-DDoS Pro, Anti-DDoS Premium, Or Alibaba Cloud CDN, Is Deployed In Front Of WAF

    Specify whether a Layer 7 proxy, such as Anti-DDoS Pro or Alibaba Cloud CDN, is deployed in front of WAF. Valid values:

    • No Layer 7 proxy is deployed in front of WAF. Select No (default).

      The value No specifies that WAF receives requests from clients. The requests are not forwarded by a proxy. WAF uses the IP address that is used by a client to establish a connection to WAF as the IP address of the client. WAF obtains the IP address based on the value of the REMOTE_ADDR field.

    • A Layer 7 proxy is deployed in front of WAF. Select Yes.

      The value Yes specifies that WAF receives requests from other Layer 7 proxies. To ensure that WAF can obtain the actual IP address of a client for security analysis, you must configure the Obtain Actual IP Address of Client parameter.

      Options:

      • (Default) Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client

        By default, WAF uses the first IP address in the X-Forwarded-For (XFF) field as the originating IP address of the client.

      • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery

        If you use a proxy that contains the originating IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, enter the custom header field in the Header Field field.

        Note

        We recommend that you use custom header fields to store the originating IP addresses of clients and configure the header fields in WAF. This way, attackers cannot forge the X-Forwarded-For field to bypass WAF inspection. This improves the security of your business.

        You can enter multiple header fields. Press the Enter key each time you enter a header field. If you enter multiple header fields, WAF obtains the actual IP address of a client from the fields in sequence. If the first header field does not exist, WAF reads the second header field, and so on. If WAF cannot obtain the actual IP address of the client from any header fields, WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of the client.
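The client IP resolution described for this parameter, as an added Python example (not Alibaba Cloud's code): the No case uses the connection peer address, the Yes case reads the configured header fields in sequence and falls back to the first X-Forwarded-For address. It also models a well-behaved upstream Layer 7 proxy to show why the default is forgeable: a client can send its own X-Forwarded-For value, and that value stays first in the list. The function names, the proxy model and all addresses are constructed; using the peer address when no X-Forwarded-For field exists at all is an assumption the page does not state.

```python
"""Client IP resolution behind a Layer 7 proxy (added example)."""
from typing import Dict, Optional, Sequence


def _first_ip(value: str) -> Optional[str]:
    """Return the first comma-separated address in a header value, or None."""
    first = value.split(",")[0].strip()
    return first or None


def client_ip(remote_addr: str, headers: Dict[str, str],
              layer7_proxy: bool = False,
              trusted_headers: Sequence[str] = ()) -> str:
    """Resolve the client IP the way the listener parameter describes.

    remote_addr     -- peer address of the TCP connection (REMOTE_ADDR)
    layer7_proxy    -- the "Whether Layer 7 Proxy ... Is Deployed" setting
    trusted_headers -- the custom header fields, tried in order
    """
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if not layer7_proxy:
        return remote_addr                             # "No": the peer is the client
    for name in trusted_headers:                       # "Yes": configured headers, in sequence
        ip = _first_ip(h.get(name.lower(), ""))
        if ip:
            return ip
    ip = _first_ip(h.get("x-forwarded-for", ""))       # fallback: first XFF address
    return ip if ip else remote_addr                   # assumption: no XFF at all -> peer


def proxy_forward(client_addr: str, client_headers: Dict[str, str]) -> Dict[str, str]:
    """Constructed model of an upstream Layer 7 proxy.

    It appends the peer address it saw to X-Forwarded-For (keeping whatever the
    client already sent, so a client-supplied value stays first) and overwrites
    X-Real-IP with that peer address, so X-Real-IP cannot be forged by the client.
    """
    out = dict(client_headers)
    xff = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{xff}, {client_addr}" if xff else client_addr
    out["X-Real-IP"] = client_addr
    return out


if __name__ == "__main__":
    # Constructed scenario: client 198.51.100.7 sends a forged XFF through the proxy,
    # and WAF sees the proxy's address 192.0.2.10 as the connection peer.
    forwarded = proxy_forward("198.51.100.7", {"X-Forwarded-For": "10.0.0.1"})
    print("default (first XFF):", client_ip("192.0.2.10", forwarded, layer7_proxy=True))
    print("custom headers     :", client_ip("192.0.2.10", forwarded, layer7_proxy=True,
                                            trusted_headers=("X-Client-IP", "X-Real-IP")))
```

With the default setting the forged 10.0.0.1 is treated as the client address, so IP-based rules apply to a value the attacker chose; with a proxy-set header configured first, X-Client-IP is absent, X-Real-IP is read next, and the real peer address is used.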

    More Settings

    • Enable IPv6

      By default, WAF processes only IPv4 traffic. If your website supports IPv6, you can turn on IPv6 to enable WAF protection for IPv6 traffic. After you turn on IPv6, WAF assigns a WAF IP address to the domain name to process IPv6 traffic. This feature is available only for pay-as-you-go WAF instances and subscription WAF instances of the Enterprise and Ultimate editions in the Chinese Mainland.

    • Exclusive IP Address

      By default, all domain names that are added to WAF are protected by the same WAF IP address. If you turn on Exclusive IP Address, WAF assigns an exclusive IP address to monitor the requests of your domain name. A domain name that is protected by an exclusive IP address can be accessed even if volumetric DDoS attacks occur on other domain names. For more information, see Exclusive IP addresses.

      If you want to use an exclusive IP address to protect your domain name, you can enable this feature.

      Important
      • You can purchase exclusive IP addresses for subscription WAF Pro Edition, Enterprise Edition, and Ultimate Edition instances.

      • If you use a pay-as-you-go WAF instance, you are charged based on the number of exclusive IP addresses that you use. For more information, see Billing overview.

    • Protection Resource

      Select the type of protection resource that you want to use.

      • Shared Cluster (default)

      • Shared Cluster-based Intelligent Load Balancing

        After you enable intelligent load balancing for a WAF instance, at least three protection nodes that are deployed in different regions are allocated to the WAF instance to perform automatic disaster recovery. The WAF instance uses the intelligent DNS resolution feature and the least-time back-to-origin algorithm to reduce the latency of traffic that is sent from protection nodes to origin servers. For more information, see Use the intelligent load balancing feature.

        Important
        • You can enable Shared Cluster-based Intelligent Load Balancing for subscription WAF instances of the Pro, Enterprise, and Ultimate editions. You can click Upgrade Now on the Overview page, enable Intelligent Load Balancing, and then enable Shared Cluster-based Intelligent Load Balancing. For more information, see Upgrade or downgrade a WAF instance.

        • If you use a pay-as-you-go WAF instance, you are charged based on whether you enable Shared Cluster-based Intelligent Load Balancing. For more information, see Billing overview.

        • After you enable Shared Cluster-based Intelligent Load Balancing, you cannot turn on IPv6 or Exclusive IP Address.

    Resource Group

    Select the resource group to which you want to add the domain name from the drop-down list. If you do not select a resource group, the domain name is added to the Default Resource Group.

    Note

    You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.

  5. In the Configure Forwarding Rule step, configure the parameters and click Submit.

    Parameter

    Description

    Load Balancing Algorithm

    If you specify multiple origin server addresses, select the Load Balancing Algorithm that you want WAF to use to forward back-to-origin requests to the origin servers. Valid values:

    • IP hash (default)

      Requests from the same client are forwarded to the same origin server through load balancing. This algorithm is suitable for scenarios requiring session persistence but may result in uneven load distribution.

    • Round-robin

      Client requests are sequentially forwarded to origin servers from the origin server list. This algorithm is suitable for scenarios requiring even load distribution across multiple origin servers.

    • Least time

      WAF uses the intelligent DNS resolution capability and the least-time back-to-origin algorithm to minimize the path and latency when requests are forwarded to origin servers.

      Important

      To use the Least time algorithm, you must set Protection Resource to Shared Cluster-based Intelligent Load Balancing in the Configure Listener step. For more information, see Configure protection resources.

    Origin Server Address

    Specify the public IP address or domain name of the origin server. The IP address or domain name is used to receive the back-to-origin requests that are forwarded by WAF. Valid values:

    • IP

      • Make sure that the IP address can be accessible over the Internet.

      • You can enter up to 20 IP addresses. Press the Enter key each time you enter an IP address.

        Note

        If you enter multiple IP addresses, WAF distributes workloads across the IP addresses, achieving load balancing.

      • You can enter both IPv4 and IPv6 addresses, only IPv4 addresses, or only IPv6 addresses.

        If you enter both IPv4 and IPv6 addresses, WAF forwards requests from IPv4 addresses to origin servers that use IPv4 addresses and requests from IPv6 addresses to origin servers that use IPv6 addresses.

        Important

        If you want to enter IPv6 addresses, turn on IPv6 in the Configure Listener step. For more information, see the description of the IPv6 parameter in this topic.

      Important

      If the public IP address of the origin server changes, you need to manually add the new back-to-origin IP address.

    • Domain Name (Such as CNAME)

      If you select Domain Name (Such as CNAME), the domain name can be resolved only to an IPv4 address and WAF forwards back-to-origin requests to the IPv4 address.

    Standby Link Back-to-origin

    After you enable the standby link back-to-origin feature, if all IP addresses in the primary link are unreachable, the system automatically switches to the IP addresses in the standby link. The switchover is triggered when the traffic is at least 100 QPS and takes effect within 30 seconds. After the primary link is restored, the system automatically switches back to the primary link. Configuration parameters:

    • IP

      • Make sure that the IP address can be accessed over the Internet.

      • You can enter up to 20 IP addresses. Press the Enter key each time you enter an IP address.

        Note

        If you enter multiple IP addresses, WAF distributes workloads across the IP addresses to achieve load balancing.

      • You can enter both IPv4 and IPv6 addresses, only IPv4 addresses, or only IPv6 addresses.

        If you enter both IPv4 and IPv6 addresses, WAF forwards requests from IPv4 addresses to origin servers that use IPv4 addresses and requests from IPv6 addresses to origin servers that use IPv6 addresses.

        Important

        If you want to enter IPv6 addresses, turn on IPv6 in the Configure Listener step. For more information, see the description of the IPv6 parameter in this topic.

      Important

      If the public IP address of the origin server changes, you need to manually add the new back-to-origin IP address.

    • Domain Name (Such as CNAME)

      If you select Domain Name (Such as CNAME), the domain name can be resolved only to an IPv4 address and WAF forwards back-to-origin requests to the IPv4 address.

    Advanced HTTPS Settings

    • Enable HTTP Routing

      If you turn on Enable HTTP Routing, WAF forwards requests over HTTP. The default port is 80. After you turn on Enable HTTP Routing, WAF forwards requests to the origin server on port 80, regardless of whether the client accesses WAF on port 80 or port 443. All requests can be forwarded to the origin server over HTTP, and you do not need to modify the settings of the origin server. This reduces the impact of traffic on the performance of the website.

      Important

      If your website does not support HTTPS, you must turn on Enable HTTP Routing.

    • Origin SNI

      Specify the domain name to which an HTTPS connection must be established at the start of the Transport Layer Security (TLS) handshake process when WAF forwards requests to the origin server. If the origin server hosts multiple domain names, you must enable this feature.

      After you select Origin SNI, you can configure a Server Name Indication (SNI) field. Valid values:

      • Use Domain Name in Host Header (default)

        The value of the SNI field in WAF back-to-origin requests is the same as the value of the Host header field.

        For example, if the domain name that you configure is *.aliyundoc.com and the client requests the www.aliyundoc.com domain name (in the Host header field), the value of the SNI field in WAF back-to-origin requests is www.aliyundoc.com.

      • Custom

        You can enter a custom value for the SNI field in WAF back-to-origin requests.

        In most cases, you do not need to specify a custom value for the SNI field. However, if you want WAF to use an SNI field whose value is different from the value of the Host header field in back-to-origin requests, you can specify a custom value for the SNI field.

    Other Advanced Settings

    • Obtain The Listening Protocol Of WAF By Using The X-Forwarded-Proto Header Field

      WAF 3.0 automatically adds the X-Forwarded-Proto header field to HTTP requests. The X-Forwarded-Proto header field is used to identify whether HTTP or HTTPS is used to access the proxy server. If your website cannot correctly handle the X-Forwarded-Proto header field, compatibility issues may occur and your business may be affected. To prevent such issues, you can clear Obtain the listening protocol of WAF by using the X-Forwarded-Proto header field.

    • Enable Traffic Mark

      If you select Enable Traffic Mark, requests that pass through WAF are labeled. This helps origin servers obtain the originating IP addresses or ports of clients.

      If an attacker obtains information about your origin server before you add your domain name to WAF and uses another WAF instance to forward requests to the origin server, you can select Enable Traffic Mark. The origin server checks whether the requests passed through WAF. If the specified header fields exist in a request, the request passed through WAF and is allowed. If the specified header fields do not exist in a request, the request did not pass through WAF and is blocked.

      You can configure the following types of header fields:

      • Custom Header

        If you want to add a custom header field, you must configure the Header Name and Header Value parameters. WAF adds the header field to the back-to-origin requests. This allows the origin server to check whether requests passed through WAF, collect statistics, and analyze data.

        For example, you can add the ALIWAF-TAG: Yes custom header field to mark the requests that pass through WAF. In this example, the name of the header field is ALIWAF-TAG and the value of the header field is Yes.

      • Originating IP Address

        You can specify a header field that records the originating IP addresses of clients. This way, your origin server can obtain the originating IP addresses of clients. For more information about how WAF obtains the originating IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such As Anti-DDoS Pro, Anti-DDoS Premium, Or Alibaba Cloud CDN, Is Deployed In Front Of WAF parameter in this topic.

      • Source Port

        You can specify a header field that records the originating ports of clients. This way, your origin server can obtain the ports of clients.

      Important

      We recommend that you do not configure a standard HTTP header field, such as User-Agent. Otherwise, the original value of the standard header field is overwritten by the value of the custom header field.

      You can click Add Mark to add a header field. You can specify up to five header fields.
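An origin-side admission check that uses the traffic mark, as an added Python example (not Alibaba Cloud's code). It combines the two checks the page describes in different places: the request must carry the configured mark header (the page's ALIWAF-TAG: Yes example) and must arrive from a WAF back-to-origin CIDR block, so that a request sent straight to the origin with a copied header is still rejected. The CIDR blocks below are constructed documentation ranges, not the real back-to-origin CIDR blocks (those are shown in the WAF console); the function names are assumptions.

```python
"""Origin-side check that a request really passed through WAF (added example)."""
import hmac
import ipaddress
from typing import Dict, Iterable

# Constructed placeholders: replace with the back-to-origin CIDR blocks shown
# under "Back-to-origin CIDR Blocks" in the WAF console.
WAF_BACK_TO_ORIGIN_CIDRS = ["198.51.100.0/24", "2001:db8:1::/48"]

# Traffic mark configured in WAF (the page's example values). A long random
# value is harder to guess than "Yes" if the header name ever leaks.
MARK_HEADER = "ALIWAF-TAG"
MARK_VALUE = "Yes"


def from_waf_cidr(peer_ip: str, cidrs: Iterable[str] = WAF_BACK_TO_ORIGIN_CIDRS) -> bool:
    """True if the connection peer address lies in one of the WAF CIDR blocks."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False                        # malformed address: treat as untrusted
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def has_mark(headers: Dict[str, str], name: str = MARK_HEADER,
             value: str = MARK_VALUE) -> bool:
    """True if the mark header is present with exactly the configured value."""
    got = {k.lower(): v for k, v in headers.items()}.get(name.lower())
    if got is None:
        return False
    # Constant-time comparison so the check does not leak the value byte by byte.
    return hmac.compare_digest(got.encode("utf-8"), value.encode("utf-8"))


def passed_through_waf(peer_ip: str, headers: Dict[str, str],
                       cidrs: Iterable[str] = WAF_BACK_TO_ORIGIN_CIDRS,
                       mark_header: str = MARK_HEADER,
                       mark_value: str = MARK_VALUE) -> bool:
    """Admit a request only if it came from WAF's address range AND is marked.

    Either check alone is weaker: the header can be copied by anyone who
    learns it, and the CIDR check alone cannot tell this WAF instance apart
    from another one that forwards to the same origin.
    """
    return from_waf_cidr(peer_ip, cidrs) and has_mark(headers, mark_header, mark_value)


if __name__ == "__main__":
    # Constructed requests: one forwarded by WAF, one sent directly to the origin
    # with a copied header, one from WAF's range but without the mark.
    samples = [
        ("198.51.100.23", {"ALIWAF-TAG": "Yes"}),
        ("203.0.113.5", {"ALIWAF-TAG": "Yes"}),
        ("198.51.100.23", {}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", "allow" if passed_through_waf(peer, hdrs) else "block 403")
```

In a real deployment the peer address check belongs in the origin's firewall or web server allowlist (the page's "Allow access from back-to-origin CIDR blocks of WAF" step) and the header check in the application or reverse proxy; keeping both means neither a leaked header value nor a second WAF instance in the same address range is enough on its own.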

    • Specify the timeout periods for back-to-origin requests

      • Connection Timeout Period: the maximum amount of time that WAF can wait to connect to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 5.

      • Read Connection Timeout Period: the maximum amount of time that WAF can wait to receive a response from the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120.

      • Write Connection Timeout Period: the maximum amount of time that WAF can wait to forward a request to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120.

    • Retry Back-to-origin Requests

      After you enable this feature, WAF retries up to three times when it fails to forward requests to the origin server. If you do not enable this feature, WAF does not retry forwarding requests if it fails the first time.

    • Back-to-origin Keep-alive Requests

      If you turn on Back-to-origin Keep-alive Requests, you must configure the following parameters:

      • Reused Keep-alive Requests: the number of reused keep-alive requests. Valid values: 60 to 1,000. Default value: 1,000.

      • Timeout Period of Idle Keep-alive Requests: the timeout period for idle keep-alive requests. Valid values: 10 to 3,600. Unit: seconds. Default value: 15.

      Note

      If you turn off Back-to-origin Keep-alive Requests, back-to-origin keep-alive requests do not support WebSocket.

  6. In the Add Completed step, obtain the CNAME assigned to the domain name. Modify the DNS record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

    Important

    Before you modify the DNS record, make sure that the following conditions are met:

    • The forwarding configurations for your website are correct and have taken effect. If you modify the DNS record before the forwarding configurations for your website take effect, service interruptions may occur. For more information, see Verify domain name settings.

    • The back-to-origin CIDR blocks of WAF are added to the IP address whitelist of the third-party firewall used by the origin server on which the domain name is hosted. This prevents normal requests that are forwarded by WAF from being blocked. You can click Back-to-origin CIDR Blocks to view and copy the back-to-origin CIDR blocks of WAF. For more information, see Allow access from back-to-origin CIDR blocks of WAF.


    After you complete the preceding configurations, you can perform the following operations to check whether the domain name is added to WAF:

    • Enter the domain name in your browser. If you can access the website, the domain name is added to WAF.

    • Enter the domain name and malicious code such as <Protected domain name>/alert(xss), where alert(xss) is cross-site scripting (XSS) attack code used for testing. If a 405 error page appears, the attack is blocked and the domain name is protected by WAF.

    Important

    If you add a domain name to WAF in CNAME record mode, WAF regularly checks whether ICP filing is complete for the domain name and whether the ICP filing information is valid. If the ICP filing information of the domain name becomes invalid, WAF stops forwarding requests for the domain name, as shown in the following figure.

    If the ICP filing information of a domain name that is added to WAF becomes invalid, you must re-apply for an ICP filing for the domain name. After the application is successful, you can go to the CNAME Record tab of the Website Configuration page and click Add Again in the Actions column to re-add the domain name to WAF.

  7. Run the ping <CNAME of WAF> command on your computer to obtain the IP address of the WAF instance.

  8. Add the IP address of the WAF instance to your Anti-DDoS Origin instance of a paid edition for protection. For more information, see Add an object for protection.

    After you add the IP address of the WAF instance, the Anti-DDoS Origin instance of a paid edition provides best-effort protection. The Anti-DDoS Origin instance of a paid edition automatically scrubs service traffic to mitigate DDoS attacks.