Anti-DDoS Origin and WAF integration

Updated at:
Copy as MD

This topic describes how to configure Anti-DDoS Origin and Web Application Firewall (WAF) to protect your website services from Layer 4 DDoS attacks, Layer 7 web attacks, and CC attacks.

Prerequisites

  • You have created an ECS instance and deployed your web application on it. The ECS instance has a public IP address and your website has a domain name.

    Note

    If your web application serves users in the Chinese Mainland, its domain name must have an ICP filing. Otherwise, you cannot add the domain name to a Web Application Firewall instance in the Chinese Mainland.

  • You have purchased an Anti-DDoS Origin instance. For more information, see Purchase an Anti-DDoS Origin instance.

    Note

    When purchasing an Anti-DDoS Origin instance, select the same region as your ECS instance.

  • You have purchased a Web Application Firewall 3.0 instance. For more information, see Purchase a subscription WAF 3.0 instance.

Background

If you use Anti-DDoS Origin and also need to defend against web and CC attacks, use Web Application Firewall (WAF). WAF protects your applications from common web and CC attacks. For more information about WAF, see What is Web Application Firewall?.

To use Anti-DDoS Origin and Web Application Firewall together, you must first add your domain name to WAF. Then, add the IP address of the WAF instance as a protected object in Anti-DDoS Origin. After you finish the configuration, WAF scrubs all incoming traffic. Malicious traffic, including DDoS, web, and CC attacks, is blocked. Only legitimate traffic is forwarded to your origin server.

Procedure

Log on to the Web Application Firewall 3.0 console. In the top menu bar, select the resource group and region of the WAF instance (Chinese Mainland or Outside Chinese Mainland). In the left navigation bar, click Onboarding, and then on the CNAME Record tab, click Add.

Step 1: Configure listeners

  1. Enter a single domain name to protect in the Domain Name field. The domain can be an exact domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com.

    • Wildcard domain name matching rules:

      • A wildcard matches only subdomains at the same level. For example, *.aliyundoc.com matches www.aliyundoc.com and example.aliyundoc.com but does not match www.example.aliyundoc.com.

      • When a wildcard applies to a second-level domain name such as *.aliyundoc.com, it also matches the second-level domain name itself, aliyundoc.com.

      • When a wildcard applies to a third-level domain name such as *.example.aliyundoc.com, it does not match the third-level domain name itself, example.aliyundoc.com.

    • Priority rule: When a request matches both an exact-match and a wildcard domain name, the rules for the exact-match domain name take precedence.

    To verify domain ownership, you must complete a validation process. If the system prompts for validation after you enter the domain name, choose one of the following methods.

    • DNS validation: Manually add the TXT record provided by WAF in your DNS provider's console. This method is recommended.

    • File validation: Upload the validation file provided by WAF to the specified root directory of your origin server. You must have permissions to access the origin server and configure a security group policy to allow access from all IP addresses. This allows WAF to access and validate the file from the internet.

    DNS validation

    1. In the verification prompt area, click the Method 1: DNS Record tab.

    2. Based on the Record Type, Hostname, and Record Value provided by the WAF console, add a TXT record with your DNS provider.

      If you use Alibaba Cloud DNS, follow these steps. If you use a different DNS provider, perform similar steps in their console.

      1. On the Authoritative DNS page, find the target primary domain name, and click Settings on the right.

      2. Click Add Record, configure the following parameters, and then click OK. Leave the other parameters at their default settings.

        • Record Type: Select TXT.

        • Hostname: Copy and paste the domain prefix, for example, verification.

        • Record Value: Copy and paste the record value generated by WAF, for example, verify_8fca29dec226****.

    3. Wait for the TXT record to take effect. A newly configured TXT record takes effect immediately. However, changes to an existing TXT record usually take 10 minutes to take effect. The actual time depends on the Time to Live (TTL) setting of your DNS record, which defaults to 10 minutes.

    4. Return to the WAF console and click "Verify".

      • If Verification succeeded appears, the domain ownership validation is complete.

      • If Verification failed appears, perform the following troubleshooting steps:

        1. Check the TXT record: Ensure the hostname and record value match exactly what the WAF console shows. If they differ, delete the incorrect record, add the correct one, and verify again.

        2. Wait for DNS propagation: DNS record changes may not take effect immediately. The time required depends on the TTL cache time set on the DNS server. Wait 10 minutes before you try to verify again.

        3. Change verification method: If you still fail the verification after multiple attempts, we recommend using Method 2: Verification File.

    File validation

    1. In the validation prompt area, click the Method 2: Verification File tab.

    2. Click the download link to download the validation file. In the Protocol Type section, select HTTP or HTTPS. After you upload the file to the root directory of your domain, select Uploaded and click Verify.

      Important
      • The validation file is valid for only three days after you download it. If you do not complete the validation within the validity period, you must download the file again.

      • Do not modify the validation file. For example, do not edit or rename the file.

      • WAF accesses your origin server based on the selected protocol type. Ensure that the security group or firewall rules on your origin server allow traffic on the corresponding port:

        • If you select HTTP, you must allow inbound traffic on TCP port 80 from 0.0.0.0/0.

        • If you select HTTPS, you must allow inbound traffic on TCP port 443 from 0.0.0.0/0.

    3. Manually upload the validation file to the web root directory of your origin server, such as an ECS, OSS, CVM, COS, or EC2 instance.

      Note

      If you add a wildcard domain name such as *.aliyun.com, you must upload the validation file to the root directory of aliyun.com.

      After the upload is complete, you can use the following methods to check whether the validation file was successfully uploaded.

    4. Return to the WAF console and click Verify.

      • If Verification succeeded appears, the domain ownership validation is complete.

      • If Verification failed appears, troubleshoot the issue based on the error message:

        Issue

        Solution

        Cannot access the domain name

        1. Check your domain name's DNS resolution to make sure a record points to the origin server. If you use Alibaba Cloud DNS, see Add a DNS record for instructions.

        2. Check the security group or firewall rules of your origin server to make sure that public access requests are allowed. If you use an ECS security group, see Add a security group rule for instructions.

        Validation file not found

        Re-upload the validation file to your domain's origin server.

        Incorrect file content

        1. Go to the origin server of your domain name and delete the incorrect validation file.

        2. Re-upload the validation file.

    5. A security group rule that allows access from all IP addresses poses a security risk. If the initial security group configuration of your origin server does not include the 0.0.0.0/0 rule, we recommend that you delete the rule that you added for validation after ownership validation is complete.

  2. Select the Protocol Type (HTTP or HTTPS) and enter the corresponding configuration information. You can configure both protocols at the same time.

    Note

    WAF Customized for Shared Virtual Host does not support HTTPS.

    HTTP

    HTTP Port

    Enter the port that users use to access your website. We recommend that you use port 80 for HTTP. To use a custom port, select a port from the port range. Press Enter after you enter each port.

    HTTPS

    1. HTTPS Port

      Enter the port that users use to access your website. We recommend that you use port 443 for HTTPS. To use a custom port, select a port from the port range. Press Enter after you enter each port.

    2. HTTPS Upload Type

      To protect HTTPS traffic, you must upload your domain's SSL certificate to WAF. The following options are available:

      • Manual upload: Use this if your certificate is not uploaded to Alibaba Cloud Certificate Management Service (Original SSL Certificate).

      • Select existing certificate: Select a certificate that is issued or uploaded in Alibaba Cloud Certificate Management Service (Original SSL Certificate).

      • Apply for new certificate: If you do not have an SSL certificate for the domain name, you must purchase a certificate. After the certificate is issued, you can add it to WAF.

      Manual upload

      • Certificate Name: Enter a unique name for the certificate. The name cannot be the same as an existing certificate name.

      • Certificate File: Open the certificate file with a text editor and paste the certificate content that is in the PEM, CER, or CRT format.

        Example format: -----BEGIN CERTIFICATE-----......-----END CERTIFICATE-----

        • Format conversion: If your certificate is in a format such as PFX or P7B, use a certificate tool to convert it to the PEM format.

        • Certificate chain: If an intermediate certificate is included, concatenate the server certificate and the intermediate certificate in that order and paste the content.

      • Private Key: Open the private key file with a text editor and paste the content of the private key that is in the PEM format.

        • RSA: -----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY-----

        • ECC: -----BEGIN EC PRIVATE KEY-----......-----END EC PRIVATE KEY-----

      Select existing certificate

      Select the certificate that you want to upload to WAF from the drop-down list.

      Note

      If the WAF console displays the message "Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected.", this indicates an integrity issue with the certificate chain. Check that the certificate content is correct and complete, and then re-upload it in the Certificate Management Service console. For more information, see Upload, synchronize, and share SSL certificates.

      Apply for new certificate

      If you have not yet purchased a certificate, see Purchase a commercial certificate to purchase one, and click Apply to read the documentation on how to apply for a certificate.

Step 2: Configure forwarding

  1. In the Server address section, specify the IP address or domain name of your origin server based on the server type. WAF uses this address to forward legitimate requests.

  2. After you determine the type of your origin server, complete the following configurations.

    IP
    • Origin Port: The port that the website uses. Users access the website through the HTTP/HTTPS Port configured in Step 1, and WAF uses this Origin Port to access the origin server.

      image
      • By default, this port is the same as the Protocol Type that you configured for the HTTP/HTTPS Port in the previous step. You can customize the origin port within the port range. This applies to scenarios where you need to specify a port for WAF to use for requests to the origin server.

    • Origin IP Address: Enter the IP address of your origin server.

      • The IP address must be an accessible public IP address.

      • You can add up to 20 IP addresses for origin servers. Press Enter after you enter each IP address. If you enter multiple IP addresses, WAF forwards requests to the origin server based on the load balancing algorithm that you configure.

      • You can configure IPv4 and IPv6 addresses individually or simultaneously. To configure an IPv6 address, you must ensure that IPv6 protection is enabled when you Configure Listener.

    Domain Name (Such as CNAME)
    • Origin Port: The port that the website uses. Users access the website through the HTTP/HTTPS port that you configured in Step 1, and WAF accesses the origin server through the Origin Port.

      image
      • By default, this port is the same as the port specified for the Protocol Type in the previous step. You can customize the origin port within the Port Range. This is useful if you need WAF to use a specific port to forward requests to the origin server.

    • Origin Domain Name: Enter the domain name of your origin server.

      • WAF can forward client requests only to the IPv4 address that is resolved from the domain name. For IPv6 websites, select the IP option for onboarding.

    Important

    If the address of your origin server changes, you must update the server address here promptly.

  3. To configure advanced settings such as Load balancing algorithm, Secondary origin server, HTTP origin fetch, Origin SNI, Request header field configuration, Traffic tagging, Origin connection timeout, Retry on 5XX error, Origin keep-alive, SM SSL, HTTP/2, Force redirect, TLS version, SSL cipher suite, Layer 7 proxy before WAF (such as CDN), IPv6, Exclusive IP, and Intelligent load balancing for WAF clusters, see Advanced configuration. If you do not need to customize these settings, keep the default values for the other parameters and click Submit.

Step 3: Switch traffic

After you complete the preceding configurations in the WAF console, you must perform the following steps to switch traffic to WAF. Otherwise, WAF protection will not be active.

  1. Add the back-to-origin IP range of WAF to the allowlist: If you have configured access control policies such as security group rules or firewall rules on your origin server, or use security software such as Safedog or Yunsuo, you must add the back-to-origin IP range of WAF to the allowlist on the origin server. Otherwise, back-to-origin traffic from WAF may be blocked, which causes a service outage.

    Note

    As a best practice, configure your origin server to allow traffic only from the WAF back-to-origin IP range. This ensures that only WAF can communicate with your origin server and prevents attackers from bypassing WAF by directly accessing the public IP address of your origin server.

    1. In the upper-right corner of the Add Completed wizard page, click WAF IP Address.

    2. In the Back-to-origin CIDR Block dialog box, click Copy to copy all WAF back-to-origin IP addresses to the clipboard.

      Note

      The copied IP address ranges are separated by commas (,) and may include IPv6 address ranges such as 2408:400a:3c:xxxx::/56.

    3. Allow these IP ranges in your server firewall. For example, if your origin server is an Alibaba Cloud ECS instance, you need to add the IP ranges to an ECS security group. For more information about security groups, see Add a security group rule.

      1. On the ECS instance details page, click Security Group > Security Groups, and select the target security group to go to its details page.

      2. On the security group details page, under Inbound, click Add Rule.

      3. A single security group rule cannot contain both IPv4 and IPv6 addresses. You must perform the following two steps:

        1. Add an IPv4 rule: In the Source area of the Create Security Group Rule panel, paste the IP ranges that you copied in the previous step, manually delete the IPv6 addresses, set Destination (This Instance) to the origin port that you configured in Step 2, keep the default settings for the other parameters, and click Submit.

        2. Add an IPv6 rule: Click Add Rule again. In the Source area, select IPv6 and add the IPv6 address range.

  2. Verify the WAF configuration locally: Before you modify the DNS resolution settings for your domain, we recommend that you verify the configuration by modifying your local hosts file to map the domain. This can prevent service interruptions caused by configuration errors.

    1. On the Add Completed wizard page, click Copy CNAME to obtain the CNAME address provided by WAF.

    2. Go to Network Diagnostic Analysis, select Network Diagnostic Analysis, enter the copied CNAME address, such as xxx.c.yundunwaf2.com, and click Detect Now.

    3. Copy the IP address from the DNS resolution result. Modify the hosts file on your local computer.

      Windows

      1. Open the C:\Windows\System32\drivers\etc\hosts file in Notepad. Add the following record at the end of the file and save it.

        <IP_address_copied_in_step_c> <domain_name_added_to_WAF>
      2. Open cmd and run the ping <the domain name that you added to WAF> command. If the output IP address is the same as the IP address that you added, it indicates that the hosts file modification has taken effect. Otherwise, run the ipconfig /flushdns command to flush the DNS cache and then run the ping command again.

      3. Open a browser and enter the protected domain name in the address bar to access the website.

        • If the website is accessible, the WAF domain name configuration is correct. You can proceed to the next step to modify the DNS resolution.

        • If the website is inaccessible, the WAF domain name configuration may be incorrect. We recommend that you check the preceding configurations, fix any issues, and then perform local verification again.

      4. After the local verification is complete, restore the hosts file to its original state.

      macOS

      1. Press Command + Space to search for and open Terminal.

      2. Enter sudo vim /etc/hosts to open the hosts file.

      3. Add the following record at the end of the file and save it.

        <IP_address_copied_in_step_c> <domain_name_added_to_WAF>
      4. Run the ping <your WAF domain name> command. If the output IP address matches the IP address that you added, the hosts file modification has taken effect. Otherwise, run sudo killall -HUP mDNSResponder to flush the DNS cache and then run the ping command again.

      5. Open a browser and enter the protected domain name in the address bar to access the website.

        • If the website is accessible, the WAF domain name configuration is correct. You can proceed to the next step to modify the DNS resolution.

        • If the website is inaccessible, the WAF domain name configuration may be incorrect. We recommend that you check the preceding configurations, fix any issues, and then perform local verification again.

      6. After the local verification is complete, restore the hosts file to its original state.

  3. Modify the DNS resolution of your domain name: Change the DNS resolution of your domain name to point to the CNAME address provided by WAF. This routes web requests for your domain name through WAF for protection.

    Note

    We recommend that you perform this operation during off-peak hours to minimize the impact on your services.

    1. On the Add Completed wizard page, click Copy CNAME to obtain the WAF CNAME address.

    2. Change the DNS resolution address of your domain name to the address that you copied in the previous step. If your domain name is hosted by Alibaba Cloud DNS, follow these steps. If you use the DNS service of another provider, perform similar steps in their system.

      1. On the Authoritative DNS page, click Settings in the Actions column of the target domain.

      2. On the Settings page, locate the Hostname that you want to set, and click Edit in its Actions column. For example, if the domain name added to WAF is www.aliyundoc.com, you need to locate the record for the www hostname under the main domain aliyundoc.com and modify it.

      3. In the Edit Record panel, set Record Type to CNAME, change the Record Value to the CNAME address provided by WAF, and leave the other settings unchanged.

        When you modify a DNS record:

        • For the same hostname, you can specify only one CNAME record value. You need to change the record value to the WAF CNAME address.

        • For the same hostname, a CNAME record conflicts with other record types such as A, MX, and TXT. You must delete the conflicting records before you add a new CNAME record.

          Warning

          During the DNS change period, some users may experience service interruptions. Therefore, you must add the new CNAME record immediately after you delete the original record.

      4. Click OK to save the resolution settings, and then wait for the updated DNS resolution record to take effect.

        Note

        DNS record changes require time to propagate. If your website is inaccessible after the change, wait 10 minutes and then refresh the page.

Step 4: Add protected object

  1. Log on to the Traffic Security console,In the left-side navigation pane, choose DDoS.

  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Native > Protected Objects.

  3. In the upper-left corner of the top menu bar, select the resource group where the instance is located, and for Region, select All Regions.

  4. Click Add Object for Protection. On the Add Asset tab, select WAF from the Objects to Select area, move the WAF asset to the Selected Objects area, and then click Confirm. For more information, see Protected Object.

After you add the protected object, the WAF instance gains the unlimited protection capability of the Anti-DDoS Origin instance. If a DDoS attack occurs on your services, traffic scrubbing is automatically triggered to mitigate the attack.