Anti-DDoS:Use an Anti-DDoS Origin paid edition and WAF

Procedure

1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

2. In the left-side navigation pane, click Website Configuration.

3. On the CNAME Record tab, click Add.

4. In the Configure Listener step, configure the parameters and click Next. The following table describes the parameters.

   Parameter	Description
   Domain Name	Enter the domain name that you want to protect. You can enter an exact match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. You can enter only one domain name. The first time you add a domain name to WAF, you must verify your ownership of the domain name. You can add the domain name to WAF only after you prove your ownership of the domain name. For more information, see Verify the ownership of a domain name. Note You can use a wildcard domain name to cover all subdomains that are at the same level as the wildcard domain name. For example, *.aliyundoc.com can cover www.aliyundoc.com and example.aliyundoc.com but *.aliyundoc.com cannot cover www.example.aliyundoc.com. A second-level wildcard domain name can cover the second-level parent domain name of the wildcard domain name. For example, *.aliyundoc.com can cover aliyundoc.com. A third-level wildcard domain name cannot cover the third-level parent domain name of the wildcard domain name. For example, *.example.aliyundoc.com cannot cover example.aliyundoc.com. If you add an exact match domain name and a wildcard domain name that covers the exact match domain name, the protection rules of the exact match domain name take precedence.
   Protocol Type	Select the protocol type and ports that are used by the website. Press the Enter key each time you enter a port number. Note The port number that you enter must be within the range of ports that are supported by WAF. To view the HTTP and HTTPS ports that are supported by WAF, click View Port Range. For more information, see View supported ports. If you select HTTPS, you must configure the HTTPS Upload Type parameter and upload an SSL certificate that is associated with the domain name of the website. This way, WAF can protect and listen to the HTTPS traffic of the website. Specify the method that you want to use to upload an SSL certificate. Manual Upload Select Manual Upload and configure the Certificate Name, Certificate File, and Private Key File parameters. For example, the value of the Certificate File parameter is in the -----BEGIN CERTIFICATE-----...-----END CERTIFICATE----- format, and the value of the Private Key parameter is in the -----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY----- format. Important If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the certificate file and copy the text content. If the certificate file is in another format, such as PFX or P7B, you must convert the certificate file to the PEM format before you can use a text editor to open the certificate file and copy the text content. You can log on to the Certificate Management Service console to convert the file format by using a tool. For information about how to convert file formats, see How do I convert an HTTPS certificate to the PEM format? If a domain name is associated with multiple SSL certificates or a certificate chain, you must combine the text content of the certificate files and upload the combined content to WAF. Select Existing Certificate If your certificate meets one of the following conditions, you can select a certificate that you want to upload to WAF from the certificate list. The certificate is issued by Alibaba Cloud Certificate Management Service (Original SSL Certificate). The certificate is a third-party certificate that is uploaded to Alibaba Cloud Certificate Management Service. Important If you select a third-party certificate that is uploaded to Certificate Management Service and the message Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected. appears, click Cloud Security - Certificates Service and upload the certificate in the Certificate Management Service console. For more information, see Purchase an SSL certificate. Purchase Certificate Click Purchase Certificate to go to the Apply page in the Certificate Management Service console to apply for a certificate for the domain name. Note In this case, you can apply for only a paid domain validated (DV) certificate. If you want to apply for a different type of certificate, you must purchase a certificate from Certificate Management Service. For more information, see Purchase an SSL Certificate. After you configure a certificate for your domain name in the Certificate Management Service console, the certificate is automatically uploaded to WAF. If you select HTTPS and upload a certificate, you can perform the following operations based on your business requirements: If your website supports HTTP/2, select HTTP2 to protect HTTP/2 requests. Note HTTP/2 uses the same ports as HTTPS. Advanced Settings Enable HTTPS Routing By default, this feature is disabled. If you enable this feature, HTTP requests are automatically redirected as HTTPS requests to port 443. This feature helps improve security. Important You can enable this feature only if you do not select HTTP. TLS Version Specify the versions of the Transport Layer Security (TLS) protocol that are supported for HTTPS communication. If a client uses a version of the TLS protocol that is not supported, WAF blocks requests that are sent from the client. Later versions of the TLS protocol provide higher security but lower compatibility. We recommend that you select the TLS version of traffic to which WAF listens based on the HTTPS settings of your website. If you cannot obtain the HTTPS settings of your website, we recommend that you use the default value. Valid values: TLS 1.0 and Later (Best Compatibility and Low Security) (default) TLS 1.1 and Later (High Compatibility and High Security) If you select this value, a client that uses TLS 1.0 cannot access the website. TLS 1.2 and Later (High Compatibility and Best Security) If you select this value, a client that uses TLS 1.0 or 1.1 cannot access the website. If your website supports TLS 1.3, select Support TLS 1.3. By default, WAF does not listen to traffic that is sent by using TLS 1.3. HTTPS Cipher Suite Specify the cipher suites that are supported for HTTPS communication. If a client uses cipher suites that are not supported, WAF blocks the requests that are sent from the client. Default value: All Cipher Suites (High Compatibility and Low Security) If your website supports only specific cipher suites, we recommend that you set this parameter to a different value. Valid values: All Cipher Suites (High Compatibility and Low Security) (default) Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.): If your website supports only specific cipher suites, select this value. Then, select the cipher suites that are supported by your website from the drop-down list. For more information, see View supported cipher suits. Clients that use other cipher suites cannot access the website.
   Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF	Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. Default value: No. Valid values: Yes and No. If no Layer 7 proxies are deployed in front of WAF, select No. The value No specifies that WAF receives requests from clients. The requests are not forwarded by a proxy. WAF uses the IP address that is used by a client to establish a connection with WAF as the IP address of the client. WAF obtains the IP address based on the value of the REMOTE_ADDR field. If a Layer 7 proxy is deployed in front of WAF, select Yes. The value Yes specifies that WAF receives requests from other Layer 7 proxies. To ensure that WAF can obtain the actual IP address of a client for security analysis, you must configure the Obtain Actual IP Address of Client parameter. Valid values: Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client (default) By default, WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of a client. [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery If you use a proxy that contains the actual IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, enter the custom header field in the Header Field field. Note We recommend that you use custom header fields to store the actual IP addresses of clients and specify the header fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF protection. This improves the security of your business. You can enter multiple header fields. Press the Enter key each time you enter a header field. If you enter multiple header fields, WAF obtains the actual IP address of a client from the fields in sequence. WAF scans the header fields in sequence until WAF obtains the IP address of the client. If WAF cannot obtain the IP address of the client from header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.
   More Settings	IPv6 By default, WAF processes only IPv4 traffic. If your website supports IPv6, you can enable IPv6 to enable WAF protection for IPv6 traffic. After you enable IPv6, WAF assigns a WAF IPv6 address to the domain name to process IPv6 requests. This feature is supported only in the Chinese Mainland. Important After you enable IPv6, you cannot enable Exclusive IP Address or configure the Protection Resource. Exclusive IP Address By default, all domain names that are added to a WAF instance are protected by the same WAF IP address. If you enable this feature, WAF assigns an exclusive IP address to protect the domain name. A domain name that is protected by using an exclusive IP address can be accessed even if volumetric DDoS attacks occur on other domain names that are protected by the same WAF IP address. For more information, see Exclusive IP addresses. If you want to use an exclusive IP address to protect your domain name, you can enable this feature. Important You can purchase exclusive IP addresses for subscription WAF instances of the following editions: Pro, Enterprise, and Ultimate. To purchase an exclusive IP address, click Upgrade Now on the Overview page and configure the Exclusive IP Address parameter. For more information, see Upgrade or downgrade a WAF instance. If you use a pay-as-you-go WAF instance, you are charged based on the number of exclusive IP addresses that you use. For more information, see Pay-as-you-go billing overview. After you turn on Exclusive IP Address, you cannot turn on IPv6, and Shared Cluster is selected for the Protection Resource parameter. Protection Resource Select the type of protection resource that you want to use. Shared Cluster (default) Shared Cluster-based Intelligent Load Balancing After you enable intelligent load balancing for a WAF instance, at least three protection nodes that are deployed in different regions are allocated to the WAF instance to perform automatic disaster recovery. The WAF instance uses the intelligent Domain Name System (DNS) resolution feature and the Least-time back-to-origin algorithm to reduce the latency of traffic that is sent from protection nodes to origin servers. For more information, see Intelligent load balancing. Important You can enable Shared Cluster-based Intelligent Load Balancing for subscription WAF instances of the following editions: Pro, Enterprise, and Ultimate. If you select Shared Cluster-based Intelligent Load Balancing, you are charged for the feature. To enable Shared Cluster-based Intelligent Load Balancing, click Upgrade Now on the Overview page and set the Intelligent Load Balancing parameter to Enable. For more information, see Upgrade or downgrade a WAF instance. If you use a pay-as-you-go WAF instance, you are charged based on whether you enable Shared Cluster-based Intelligent Load Balancing. For more information, see Pay-as-you-go billing overview. After you enable Shared Cluster-based Intelligent Load Balancing, you cannot enable IPv6 or exclusive IP addresses.
   Resource Group	Select the resource group to which you want to add the domain name from the drop-down list. If you do not select a resource group, the domain name is added to the default resource group. Note You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.

5. In the Configure Forwarding Rule step, configure the parameters and click Submit. The following table describes the parameters.

   Parameter	Description
   Load Balancing Algorithm	If you specify multiple origin server addresses, select a Load Balancing Algorithm for WAF to forward back-to-origin requests to the origin servers. Valid values: IP hash (default) Requests that are sent from a specific IP address are forwarded to the same origin server. Round-robin Requests are sequentially distributed to origin servers. Least time WAF uses the intelligent DNS resolution feature and the least-time back-to-origin algorithm to reduce the path and latency when requests are forwarded to origin servers. Important You can set the Load Balancing Algorithm parameter to Least time only if you set the Protection Resource parameter to Shared Cluster-based Intelligent Load Balancing in the Configure Listener step. For more information, see the description of the Protection Resource parameter.
   Origin Server Address	Enter the public IP address or domain name of the origin server. The IP address or domain name is used to receive the back-to-origin requests that are forwarded by WAF. Valid values: IP Address Make sure that the IP address can be accessed over the Internet. You can enter multiple origin IP addresses. Press the Enter key each time you enter an origin IP address. You can enter up to 20 origin IP addresses. Note If you enter multiple origin IP addresses, WAF distributes workloads to different origin IP addresses. You can enter both IPv4 and IPv6 addresses or only IPv4 addresses. However, you cannot enter only IPv6 addresses. If you enter both IPv4 and IPv6 addresses, WAF forwards requests from IPv4 addresses to origin servers that use IPv4 addresses and requests from IPv6 addresses to origin servers that use IPv6 addresses. Important If you want WAF to forward requests that are sent from IPv6 addresses to origin servers that use IPv6 addresses, you must turn on IPv6 in the Configure Listener step. For more information, see Enable IPv6. Domain Name (Such as CNAME) If you select Domain Name (Such as CNAME), the domain name can be resolved to only an IPv4 address, and WAF forwards back-to-origin requests to the IPv4 address.
   Advanced HTTPS Settings	Enable HTTP Routing If you enable this feature, WAF forwards requests over HTTP. The default port is 80. Then, WAF forwards requests to the origin server over port 80 regardless of whether clients access WAF over port 80 or port 443. If you enable this feature, clients can access your website over HTTPS. This helps reduce the workload of your website and eliminates the need to modify the settings of the origin server. Important If the domain name does not support HTTPS, turn on Enable HTTP Routing. Origin SNI Origin Server Name Indication (SNI) specifies the domain name to which an HTTPS connection must be established at the start of the TLS handshaking process when WAF forwards requests to the origin server. If the origin server hosts multiple domain names, you must enable this feature. After you select Origin SNI, you can configure the SNI field. Valid values: Use Domain Name in Host Header (default) This value specifies that the value of the SNI field in WAF back-to-origin requests is the same as the value of the Host header field. For example, if the domain name that you configure is *.aliyundoc.com and the client requests the www.aliyundoc.com domain name, the value of the SNI field in WAF back-to-origin requests is www.aliyundoc.com. The value of the Host header field is the www.aliyundoc.com domain name. Custom This value specifies that you can enter a custom value for the SNI field in WAF back-to-origin requests. If you want WAF to use an SNI field whose value is different from the value of the Host header field in back-to-origin requests, you must specify a custom value for the SNI field.
   Other Advanced Settings	Enable Traffic Mark If you want to tag requests that pass through WAF, you can select Enable Traffic Mark to record and pass the actual IP addresses or source ports of clients to the origin server. If an attacker obtains the IP address of the origin server before you add the domain name to WAF and purchases another WAF instance to forward requests to the origin server, we recommend that you select Enable Traffic Mark and specify custom header fields. After the origin server receives the requests, we recommend that you verify the header fields. If the specified header fields exist, the requests are allowed. Important We recommend that you do not configure a standard HTTP header field such as User-Agent. If you configure a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field. You can add the following types of header fields: Custom Header If you want to add a custom header field, configure the Header Name and Header Value parameters. WAF adds the header field to the back-to-origin requests. This allows the backend service to check whether requests pass through WAF, collect statistics, and analyze data. For example, you can add the ALIWAF-TAG: Yes custom header field to label the requests that pass through WAF. In this example, the name of the header field is ALIWAF-TAG and the value of the header field is Yes. Originating IP Address You can configure a custom header to record the actual IP address of a client. This way, your origin server can obtain the actual IP address of the client. For information about how WAF obtains the actual IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter in this topic. Source Port You can configure a custom header to record the port of a client. This way, your origin server can obtain the actual port of the client. Click Add Mark to add a header field. You can add up to five header fields. Specify the timeout periods for back-to-origin requests Connection Timeout Period: The maximum amount of time that WAF waits while it attempts to connect to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 5. Read Connection Timeout Period: The maximum amount of time that clients wait for responses from the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120. Write Connection Timeout Period: The maximum amount of time that WAF waits while it forwards requests to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120. Retry Back-to-origin Requests After you enable this feature, WAF retries to forward requests to the origin server three times when WAF fails to forward requests to the origin server. If you do not enable this feature, WAF forwards requests to the origin server only once. Back-to-origin Keep-alive Requests If you enable this feature, you must configure the following parameters: Reused Keep-alive Requests: the number of reused keep-alive requests. Valid values: 60 to 1000. Default value: 1000. Timeout Period of Idle Keep-alive Requests: the timeout period of idle keep-alive requests. Valid values: 1 to 60. Unit: seconds. Default value: 15. Note If you do not enable this feature, back-to-origin keep-alive requests do not support WebSocket.

6. In the Add Completed step, obtain the CNAME that is assigned by WAF to the domain name. Modify the DNS record to map the domain name to the CNAME. For more information, see Modify the DNS record of a domain name.

   Important

   Before you modify the DNS record, make sure that the following prerequisites are met:

   • The forwarding configurations of your website are correct and in effect. If you change the DNS record before the forwarding configurations of your website take effect, service interruptions may occur. For more information, see Verify domain name settings.

   • The WAF back-to-origin IP addresses are added to the IP address whitelist of the third-party firewall that is used by the origin server. This prevents normal requests that are forwarded by WAF from being blocked. On the CNAME Record tab, click Back-to-origin CIDR Blocks above the domain name list to view and copy back-to-origin CIDR blocks of WAF. For more information, see Allow access from back-to-origin CIDR blocks of WAF.

   

   After you complete the preceding configurations, you can perform the following operations to check whether the domain name is added to WAF:

   • Enter the domain name in the browser. If you can access the website, the domain name is added to WAF.

   • Enter the domain name and malicious code such as <Protected domain name>/alert(xss) and alert(xss). If a 405 error page appears, the attack is blocked and the domain name is protected by WAF.

7. Run the ping command ping CNAME of WAF on your computer to obtain the IP address of the WAF instance.

8. Add the IP address of the WAF instance to your Anti-DDoS Origin instance of a paid edition for protection. For more information, see Add an object for protection.

   After you add the IP address of the WAF instance, the Anti-DDoS Origin instance of a paid edition provides best-effort protection. The Anti-DDoS Origin instance of a paid edition automatically scrubs service traffic to mitigate DDoS attacks.