
Anti-DDoS:Protect a website service by using Anti-DDoS Proxy and WAF

Last Updated:Apr 01, 2024

If a website service encounters volumetric attacks and sophisticated web application attacks, such as SQL injection, cross-site scripting (XSS), and command injection attacks, we recommend that you add the website service to Anti-DDoS Proxy and Web Application Firewall (WAF) to protect against various potential threats. This topic describes how to add a website service to Anti-DDoS Proxy and WAF.

Network architecture

To configure Anti-DDoS Proxy and WAF for your website service, you can apply the following network architecture: Anti-DDoS Proxy sits at the ingress and defends against DDoS attacks, WAF sits at the intermediate layer and defends against web application attacks, and an Elastic Compute Service (ECS) instance, Server Load Balancer (SLB) instance, virtual private cloud (VPC), or server in a data center serves as the origin server. This way, traffic is scrubbed by Anti-DDoS Proxy and then filtered by WAF, and only legitimate service traffic is forwarded to the origin server. This ensures service and data security. The following figure shows how traffic is forwarded.

[Figure: traffic forwarding path from the client through Anti-DDoS Proxy and WAF to the origin server]

Usage notes

Requests are sent to multiple intermediate proxy servers before the requests reach the origin server. The origin server cannot directly obtain the originating IP addresses of the requests. For information about how to obtain the originating IP addresses, see Obtain the originating IP addresses of requests.

Prerequisites

Step 1: Add your website service to WAF

You can add your website service to WAF in CNAME record mode or cloud native mode. Before you add your website service, we recommend that you understand the recommended scenarios for each mode. For more information, see Overview.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, click Website Configuration.

  3. On the CNAME Record or Cloud Native tab, add your website service to WAF.

    1. CNAME record mode

      1. On the CNAME Record tab, click Add.

      2. In the Configure Listener step, configure the parameters and click Next.

        The following table briefly describes the parameters. For detailed descriptions of the parameters, see Add a domain name to WAF.

        Parameter

        Description

        Domain Name

        Enter the domain name of your website service.

        Protocol Type

        Select the protocol type and ports that are used by your website service. Press the Enter key each time you enter a port number.

        Note
        • If you select HTTPS, you must upload the certificate that is associated with the domain name to WAF.

        • After you select HTTPS and configure the certificate, you can also specify whether to enable HTTP/2, turn on Enable HTTPS Routing, select a TLS version, and select an HTTPS cipher suite.

        Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF

        Select Yes and specify Obtain Actual IP Address of Client.

        • Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client (default)

          By default, WAF uses the first IP address in the X-Forwarded-For field as the originating IP address of a client.

        • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery

          If you use a proxy that contains the originating IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, enter the custom header field in the Header Field field.

          Note

          We recommend that you use custom header fields to store the originating IP addresses of clients and specify the header fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF protection. This improves the security of your business.

        More Settings

        Specify whether to enable IPv6 and exclusive IP addresses, and select the type of protection resources that you want to use based on your business requirements.

        Resource Group

        Select the resource group to which you want to add the domain name from the drop-down list. If you do not select a resource group, the domain name is added to the default resource group.

      3. In the Configure Forwarding Rule step, configure the parameters and click Submit.

        The following table briefly describes the parameters.

        Parameter

        Description

        Load Balancing Algorithm

        If the origin server has multiple addresses, select a load balancing algorithm based on your business requirements.

        Origin Server Address

        Enter the public IP address or domain name of the origin server. The IP address or domain name is used to receive the back-to-origin requests that are forwarded by WAF.

        Advanced HTTPS Settings

        Specify whether to select Retry Back-to-origin Request and Enable Traffic Mark based on your business requirements.

        Other Advanced Settings

        Specify whether to select Enable Traffic Mark and Retry Back-to-origin Requests, enable Back-to-origin Keep-alive Requests, and configure the Connection Timeout Period parameter based on your business requirements.

      4. In the Add Completed step, obtain the CNAME that is provided by WAF.

    2. Cloud native mode

      For more information, see Cloud native mode.

      If you use the following Alibaba Cloud services for your website service, we recommend that you add your website service to WAF in SDK module mode: Application Load Balancer (ALB), Microservices Engine (MSE), and Function Compute. If you use Alibaba Cloud Classic Load Balancer (CLB) or ECS for your website service, we recommend that you add your website service to WAF in reverse proxy cluster mode.
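The Obtain Actual IP Address of Client setting in Step 1 (and the usage note that the origin server cannot see the originating IP address directly) comes down to which request header the component behind a proxy trusts. The following Python is an added example, not code from the page or from Alibaba Cloud: it implements the two parsing modes the table describes (first IP address in X-Forwarded-For, and first IP address in a specified header field) and runs both against a constructed request. The proxy model, the header name X-Client-IP, and all addresses (RFC 5737 test ranges) are assumptions; the model only mimics the documented effect, namely that the layer 7 proxy places the originating client IP address in a custom header field, and is not a description of how Anti-DDoS Proxy itself rewrites headers.

```python
from ipaddress import ip_address

# Assumed custom header name; the page names X-Client-IP and X-Real-IP as examples.
TRUSTED_HEADER = "X-Client-IP"


def first_ip(header_value):
    """Return the first syntactically valid IP address in a comma-separated header value, or None."""
    for part in header_value.split(","):
        candidate = part.strip()
        if not candidate:
            continue
        try:
            return str(ip_address(candidate))
        except ValueError:
            # Skip tokens such as "unknown" or other non-IP garbage.
            continue
    return None


def client_ip_xff_first(headers):
    """Default mode: the first IP address in the X-Forwarded-For field."""
    return first_ip(headers.get("X-Forwarded-For", ""))


def client_ip_from_header(headers, header_name):
    """Recommended mode: the first IP address in the header field the proxy sets."""
    return first_ip(headers.get(header_name, ""))


def simulate_layer7_proxy(client_headers, peer_ip):
    """Constructed model of a layer 7 proxy in front of WAF (an assumption, not Anti-DDoS Proxy's
    real behaviour): the TCP peer address is appended to X-Forwarded-For, while the custom header
    is replaced outright so that nothing the client sent in it survives."""
    forwarded = dict(client_headers)
    existing = forwarded.get("X-Forwarded-For")
    forwarded["X-Forwarded-For"] = f"{existing}, {peer_ip}" if existing else peer_ip
    forwarded[TRUSTED_HEADER] = peer_ip
    return forwarded


def demo():
    """Constructed request: the client's real address is 198.51.100.7, but its request already
    carries X-Forwarded-For and X-Client-IP values of 203.0.113.9 when it reaches the proxy."""
    client_sent = {
        "X-Forwarded-For": "203.0.113.9",
        TRUSTED_HEADER: "203.0.113.9",
    }
    at_waf = simulate_layer7_proxy(client_sent, "198.51.100.7")
    return {
        # Default mode keeps the client-supplied value, so WAF would act on 203.0.113.9.
        "xff_first": client_ip_xff_first(at_waf),
        # Specified-header mode sees the address the proxy wrote: 198.51.100.7.
        "trusted_header": client_ip_from_header(at_waf, TRUSTED_HEADER),
    }


if __name__ == "__main__":
    print(demo())
```

The design point the example makes is that a header-based client address is only as trustworthy as the hop that wrote it: the specified-header mode is safe precisely because the proxy overwrites that field, whereas X-Forwarded-For is append-only by convention, so its first entry is whatever the client chose to send. When you apply the same logic on the origin server, read the custom header rather than the first X-Forwarded-For entry, and only accept it on connections that arrive from the WAF back-to-origin addresses.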

Step 2: Add your website service to Anti-DDoS Proxy

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland), select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Provisioning > Website Config.

  4. On the Website Config page, click Add Website. The following table describes the parameters for adding your website service.

    Parameter

    Description

    Function Plan

    Select the function plan of the Anti-DDoS Proxy instance that you want to use.

    Instance

    Select the Anti-DDoS Proxy instance that you want to use.

    You can associate up to eight instances with a domain name. The instances associated with the domain name must use the same Function Plan.

    Websites

    Enter the domain name of your website service.

    Protocol Type

    Select the protocol type of your website service.

    Note
    • If you select HTTPS, you must upload the certificate that is used by the domain name of your website service.

    • After you select HTTPS, you can turn on Enable HTTPS Redirection, Enable HTTP Redirection of Back-to-origin Requests, and Enable HTTP/2 based on your business requirements.

    Enable OCSP

    Specify whether to enable the Online Certificate Status Protocol (OCSP) feature.

    Important

    This feature is available only for a website service that supports HTTPS. If HTTPS is selected for Protocol Type, we recommend that you enable this feature.

    Server Address

    • If you add the domain name to WAF in CNAME record mode, select Origin Domain Name and enter the CNAME that is obtained in Step 1.

    • If you add the domain name of your website service to WAF in cloud native mode, select Origin IP Address and enter the public IP address of the origin server.

    Server Port

    Specify the server port based on the value of Protocol Type.

    • If you select HTTP or Websocket, the default port 80 is used.

    • If you select HTTPS, HTTP/2, or Websockets, the default port 443 is used.

    You can click Custom to enter custom ports. Separate multiple ports with commas (,).

    CNAME Reuse

    Specifies whether to enable CNAME reuse. This parameter is available only for Anti-DDoS Proxy (Outside Chinese Mainland). For more information, see Use the CNAME reuse feature.

  5. Copy the CNAME provided by Anti-DDoS Proxy.

Step 3: Modify the DNS record of the domain name

You must resolve the domain name of your website service to the CNAME provided by Anti-DDoS Proxy. In the following example, a domain name is hosted on Alibaba Cloud DNS (DNS). If you use a third-party DNS service, the following steps are only for reference.

  1. Log on to the DNS console.

  2. On the Domain Name Resolution page, find the domain name that you want to manage and click DNS Settings in the Actions column.

  3. On the DNS Settings page, find the DNS record that you want to manage and click Modify in the Actions column.

    Note

    If you cannot find the DNS record that you want to modify in the list, you can click Add DNS Record to add a record.

  4. In the Modify DNS Record (or Add DNS Record) panel, select CNAME for Record Type and set Record Value to the CNAME that is obtained in Step 2.

  5. Click OK and wait for the settings to take effect.

  6. Check whether your website service is accessible from a browser.
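Checking that the website opens in a browser confirms that something answers, but not that traffic actually enters through Anti-DDoS Proxy. The following Python is an added example, not code from the page or from Alibaba Cloud: it walks the public CNAME chain of a domain name and classifies the result as cut over correctly (chain passes through the Anti-DDoS Proxy CNAME), pointing at the WAF CNAME directly (volumetric attacks would bypass Anti-DDoS scrubbing), or resolving straight to the origin address. The CNAME values, the zone data, and the resolver are constructed stand-ins so that the example runs offline; for a live check, pass a resolver built on a DNS library (for example dnspython's `dns.resolver.resolve(name, "CNAME")`) in place of `constructed_resolve`.

```python
# Constructed placeholder names. Real values come from the Anti-DDoS Proxy and WAF consoles.
ANTI_DDOS_CNAME = "abc123.antiddos-cname.invalid"
WAF_CNAME = "def456.waf-cname.invalid"
ORIGIN_IPS = {"192.0.2.10"}  # constructed origin address (RFC 5737 test range)

# Constructed zone data standing in for live DNS answers: name -> (record type, value).
CONSTRUCTED_ZONE = {
    "www.example.com": ("CNAME", ANTI_DDOS_CNAME),
    ANTI_DDOS_CNAME: ("A", "198.51.100.20"),      # Anti-DDoS scrubbing address (constructed)
    "waf-only.example.com": ("CNAME", WAF_CNAME),  # skips Anti-DDoS Proxy
    WAF_CNAME: ("A", "198.51.100.30"),             # WAF cluster address (constructed)
    "direct.example.com": ("A", "192.0.2.10"),     # points straight at the origin server
}


def constructed_resolve(name):
    """Stand-in for a DNS lookup. Returns (record type, value) or None when nothing exists."""
    return CONSTRUCTED_ZONE.get(name.rstrip(".").lower())


def walk_chain(name, resolve, max_hops=8):
    """Follow CNAME records from name until a non-CNAME answer or a dead end.
    Returns (names visited in order, final answer or None)."""
    current = name.rstrip(".").lower()
    hops = [current]
    for _ in range(max_hops):
        answer = resolve(current)
        if answer is None:
            return hops, None
        rtype, value = answer
        if rtype != "CNAME":
            return hops, (rtype, value)
        current = value.rstrip(".").lower()
        hops.append(current)
    raise RuntimeError(f"CNAME chain for {name} exceeds {max_hops} hops (loop?)")


def verify_cutover(domain, resolve, anti_ddos_cname=ANTI_DDOS_CNAME,
                   waf_cname=WAF_CNAME, origin_ips=ORIGIN_IPS):
    """Classify the public DNS path of domain relative to the intended Anti-DDoS -> WAF -> origin layering."""
    hops, final = walk_chain(domain, resolve)
    if final is not None and final[0] == "A" and final[1] in origin_ips:
        return "origin_exposed"        # DNS hands out the origin address itself
    if waf_cname.lower() in hops and anti_ddos_cname.lower() not in hops:
        return "bypasses_anti_ddos"    # WAF is reachable without scrubbing in front of it
    if anti_ddos_cname.lower() not in hops:
        return "not_cut_over"          # the record change has not taken effect (or was never made)
    return "ok"


if __name__ == "__main__":
    for d in ("www.example.com", "waf-only.example.com", "direct.example.com", "missing.example.com"):
        print(d, "->", verify_cutover(d, constructed_resolve))
```

The hop from Anti-DDoS Proxy to WAF is configured in the Server Address parameter of Step 2, not in public DNS, so this check can only validate the first layer; a separate review of the Anti-DDoS website configuration is still needed to confirm that its origin is the WAF CNAME rather than the origin server. Run the check again after the DNS TTL has expired, because a resolver may keep serving the old record for a while after you click OK.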

References