This topic describes how to use an Anti-DDoS Origin paid edition and Web Application Firewall (WAF) to provide protection. This solution protects your website against Layer 4 distributed denial of service (DDoS) attacks, Layer 7 web attacks, and HTTP flood attacks.
Prerequisites
An Elastic Compute Service (ECS) instance is created and has web applications deployed. The ECS instance has a public IP address, and your website has a domain name.
Note: If your website provides services in the Chinese mainland, you must complete Internet Content Provider (ICP) filing for the domain name of your website. Otherwise, you cannot add the domain name to WAF instances in the Chinese mainland to protect your website.
An Anti-DDoS Origin instance of a paid edition is purchased. For more information, see Purchase an Anti-DDoS Origin instance of a paid edition.
Note: When you purchase an Anti-DDoS Origin instance of a paid edition, you must select a region. Make sure that the Anti-DDoS Origin instance of a paid edition and the ECS instance reside in the same region.
A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance.
Background information
You can use an Anti-DDoS Origin paid edition to mitigate DDoS attacks for your website. If your website encounters web attacks and HTTP flood attacks, we recommend that you use WAF to protect your website. For more information about WAF, see What is WAF?
If you use an Anti-DDoS Origin paid edition and WAF together, you must first add your website to WAF and then add the IP address of the WAF instance to the Anti-DDoS Origin paid edition as a protected object. Traffic for the domain name then arrives at the WAF IP address, where Anti-DDoS Origin scrubs Layer 4 DDoS attack traffic, and WAF inspects the remaining requests and blocks web attacks and HTTP flood attacks. Only normal traffic is forwarded to the origin server.
Procedure
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
On the CNAME Record tab, click Add.
In the Configure Listener step, configure the parameters and click Next. The following parameters are available.
Domain Name: Enter the domain name that you want to protect. You can enter an exact match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. You can enter only one domain name. The first time you add a domain name to WAF, you must verify your ownership of the domain name; the domain name can be added only after the verification succeeds. For more information, see Verify the ownership of a domain name.
Note: A wildcard domain name covers all subdomains at the same level as the wildcard. For example, *.aliyundoc.com covers www.aliyundoc.com and example.aliyundoc.com, but not www.example.aliyundoc.com. A second-level wildcard domain name also covers its second-level parent domain name: *.aliyundoc.com covers aliyundoc.com. A third-level wildcard domain name does not cover its third-level parent domain name: *.example.aliyundoc.com does not cover example.aliyundoc.com. If you add both an exact match domain name and a wildcard domain name that covers it, the protection rules of the exact match domain name take precedence.
Protocol Type: Select the protocol type and the ports that the website uses. Press the Enter key after each port number.
Note: Each port must be within the range of ports that WAF supports. To view the supported HTTP and HTTPS ports, click View Port Range. For more information, see View supported ports.
If you select HTTPS, you must also configure the HTTPS Upload Type parameter and upload an SSL certificate that matches the domain name of the website, so that WAF can terminate and inspect the HTTPS traffic of the website.
HTTPS Upload Type: Specify the method that you want to use to upload the SSL certificate. This parameter is shown only if you select HTTPS.
HTTP2: This option is shown only if you select HTTPS and upload a certificate. If your website supports HTTP/2, select HTTP2 so that HTTP/2 requests are also protected.
Note: HTTP/2 uses the same ports as HTTPS.
Advanced Settings
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF: Specify whether a Layer 7 proxy, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, forwards traffic to WAF. Valid values: Yes and No. Default value: No. Anti-DDoS Origin protects the WAF IP address in place and does not proxy traffic, so in this solution keep No unless one of those proxies is also deployed in front of WAF. If such a proxy is present, select Yes so that WAF takes the client IP address from the X-Forwarded-For header that the proxy sets rather than from the TCP connection, which would otherwise always show the proxy's address. Do not select Yes when no proxy is present: a client could then set X-Forwarded-For itself and spoof its source IP address to WAF's IP-based rules.
More Settings
Resource Group: Select the resource group to which you want to add the domain name from the drop-down list. If you do not select a resource group, the domain name is added to the default resource group.
Note: You can use Resource Management to create resource groups and manage the resources in your Alibaba Cloud account by department or project. For more information, see Create a resource group.
In the Configure Forwarding Rule step, configure the parameters and click Submit. The following parameters are available.
Load Balancing Algorithm: If you specify multiple origin server addresses, select the algorithm that WAF uses to distribute back-to-origin requests among the origin servers. Valid values:
Origin Server Address: Enter the public IP address or domain name of the origin server that receives the back-to-origin requests forwarded by WAF. Valid values:
Advanced HTTPS Settings
Other Advanced Settings
In the Add Completed step, obtain the CNAME that is assigned by WAF to the domain name. Modify the DNS record to map the domain name to the CNAME. For more information, see Modify the DNS record of a domain name.
Important: Before you modify the DNS record, make sure that the following prerequisites are met:
The forwarding configuration of your website is correct and in effect. If you change the DNS record before the forwarding configuration takes effect, service interruptions may occur. For more information, see Verify domain name settings.
The WAF back-to-origin IP addresses are added to the IP address whitelist of the third-party firewall that protects the origin server, so that normal requests forwarded by WAF are not blocked. On the CNAME Record tab, click Back-to-origin CIDR Blocks above the domain name list to view and copy the back-to-origin CIDR blocks of WAF. For more information, see Allow access from back-to-origin CIDR blocks of WAF. Allow only these CIDR blocks on the website ports instead of adding them to an otherwise open rule set: an origin server that still accepts connections from any address can be attacked directly by anyone who learns its public IP address, bypassing WAF entirely.
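The following script is an added example and is not part of the Alibaba Cloud page. It shows the host-level form of the origin allowlist described above: an iptables chain on the origin ECS instance that accepts ports 80 and 443 only from the WAF back-to-origin CIDR blocks and drops everything else on those ports, plus a small checker that confirms whether a given address falls inside the allowed blocks. The two CIDRs and the port list are placeholders (documentation ranges), to be replaced with the blocks copied from Back-to-origin CIDR Blocks in the WAF console; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Alibaba Cloud page: host-level allowlist for the
# origin ECS instance so that ports 80/443 accept connections only from the WAF
# back-to-origin CIDR blocks. The two CIDRs below are placeholders (documentation
# ranges); replace them with the blocks copied from "Back-to-origin CIDR Blocks"
# on the CNAME Record tab. gen_origin_allowlist only prints iptables commands,
# so you can review them before running them as root.

WAF_BACK_TO_ORIGIN_CIDRS="203.0.113.0/24
198.51.100.0/24"
ORIGIN_PORTS="80 443"

# Print the iptables commands for a dedicated WAF_ONLY chain: accept the listed
# CIDRs on the website ports, drop everyone else on those ports, and hook the
# chain into INPUT exactly once. Nothing is applied here.
gen_origin_allowlist() {
    cidrs="$1"; ports="$2"
    echo "iptables -N WAF_ONLY 2>/dev/null || iptables -F WAF_ONLY"
    for cidr in $cidrs; do
        for port in $ports; do
            echo "iptables -A WAF_ONLY -p tcp -s $cidr --dport $port -j ACCEPT"
        done
    done
    for port in $ports; do
        echo "iptables -A WAF_ONLY -p tcp --dport $port -j DROP"
    done
    echo "iptables -C INPUT -j WAF_ONLY 2>/dev/null || iptables -I INPUT -j WAF_ONLY"
}

# Return 0 if an IPv4 address lies inside a CIDR block. Plain POSIX awk
# arithmetic (no bitwise operators), so it runs on any ECS image.
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function toint(a,  o) { split(a, o, "."); return o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4] }
        BEGIN {
            split(cidr, p, "/"); size = 2 ^ (32 - p[2])
            net = toint(p[1]); net = net - (net % size)   # align base to the block
            n = toint(ip)
            exit !(n >= net && n < net + size)
        }'
}

# Return 0 if the address is inside any of the allowed CIDR blocks. Use it to
# confirm that a real WAF back-to-origin address is allowed and that your own
# client address is not, before applying the rules.
ip_in_cidrs() {
    ip="$1"; cidrs="$2"
    for cidr in $cidrs; do
        ip_in_cidr "$ip" "$cidr" && return 0
    done
    return 1
}

gen_origin_allowlist "$WAF_BACK_TO_ORIGIN_CIDRS" "$ORIGIN_PORTS"
```

Pipe the printed commands into sh as root once the list matches the console. On Alibaba Cloud the same allowlist is usually applied in the ECS security group as well; the host rules are a second layer that survives a misconfigured security group and do not affect ICMP, so ping still works.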
After you complete the preceding configurations, you can perform the following operations to check whether the domain name is added to WAF:
Enter the domain name in the browser. If you can access the website, the domain name is added to WAF.
Enter the domain name followed by malicious code, such as <Protected domain name>/alert(xss). If a 405 error page appears, WAF blocked the request and the domain name is protected by WAF. If the response comes from the origin server instead, check that the DNS record points to the WAF CNAME and that the forwarding rule is in effect.
Run the ping command ping <CNAME of WAF> on your computer to obtain the IP address of the WAF instance. If the CNAME resolves to more than one IP address, obtain all of them, for example with nslookup or dig, because ping shows only one. Add the IP address of the WAF instance to your Anti-DDoS Origin instance of a paid edition as a protected object. For more information, see Add an object for protection.
After you add the IP address of the WAF instance, the Anti-DDoS Origin instance of a paid edition provides best-effort protection for it and automatically scrubs traffic to mitigate DDoS attacks before the traffic reaches WAF.
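The following script is an added example and is not part of the Alibaba Cloud page. It automates the two checks above: it resolves every A record behind the WAF CNAME (so that each address can be added to Anti-DDoS Origin, not only the one ping happens to show) and, for each address, sends a benign request and the /alert(xss) probe with curl pinned to that address, so the test also works before the public DNS record is switched. DOMAIN, WAF_CNAME, the function names and the classification labels are this example's own assumptions; 405 as WAF's block status is taken from the text above.

```shell
#!/bin/sh
# Added example, not part of the Alibaba Cloud page: verify that a domain name is
# served through WAF and collect every WAF IP address behind the CNAME so that
# each can be added to Anti-DDoS Origin. DOMAIN and WAF_CNAME are placeholders;
# replace WAF_CNAME with the CNAME shown in the Add Completed step.

DOMAIN="www.aliyundoc.com"
WAF_CNAME="your-waf-cname.example"   # placeholder

# Keep only IPv4 addresses from resolver output. `dig +short` on a CNAME prints
# the CNAME chain first and then the A records, so the filter drops the names.
pick_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# All A records behind the WAF CNAME. `ping` shows only the first address the
# resolver returned; Anti-DDoS Origin must protect each of them.
waf_ips() {
    dig +short "$1" | pick_ipv4 | sort -u
}

# HTTP status code returned when a request for DOMAIN/<path> is sent to one WAF
# address. --resolve pins the host name to that address, so this works before the
# public DNS record is switched to the CNAME (use "$host:443:$ip" and https:// for
# an HTTPS listener). curl prints 000 when no response is received.
probe_status() {
    ip="$1"; host="$2"; path="$3"
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        --resolve "$host:80:$ip" "http://$host$path"
}

# Interpret the status codes of a benign request and of a WAF probe request.
# 405 is the status of WAF's block page.
classify() {
    benign="$1"; probe="$2"
    if [ "$benign" = "000" ]; then
        echo unreachable      # forwarding rule not in effect, or origin firewall blocks WAF
    elif [ "$benign" = "405" ]; then
        echo blocking_benign  # WAF blocks even normal traffic: review the protection rules
    elif [ "$probe" = "405" ]; then
        echo protected        # benign traffic passes, attack probe blocked by WAF
    else
        echo unprotected      # probe reached the origin without being blocked
    fi
}

# Run both checks against every WAF address and print one line per address.
check_domain() {
    host="$1"; cname="$2"
    for ip in $(waf_ips "$cname"); do
        b="$(probe_status "$ip" "$host" /)"
        p="$(probe_status "$ip" "$host" '/alert(xss)')"
        echo "$ip benign=$b probe=$p $(classify "$b" "$p")"
    done
}

# Live run (needs network, dig and curl): sh verify_waf.sh --live
if [ "${1:-}" = "--live" ]; then
    check_domain "$DOMAIN" "$WAF_CNAME"
fi
```

Run it once before changing the DNS record (every address should report protected) and again afterwards from a host that has picked up the new record. An unreachable result usually means the origin firewall does not yet allow the WAF back-to-origin CIDR blocks; an unprotected result means the probe reached the origin, so the forwarding rule or the DNS record still needs attention.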