Web Application Firewall: Website Config

Last Updated: Nov 28, 2025

Web Application Firewall (WAF) protects domain names that are deployed in a hybrid cloud. This topic describes how to add a domain name from a hybrid cloud environment to WAF.

Background information

The Hybrid Cloud WAF solution provides unified Web Application Protection for multicloud, cross-cloud, and hybrid cloud environments. These environments can include public clouds, private clouds, and on-premises data centers. This solution helps you build an elastic and efficient security system that integrates on-premises and cloud resources. After you add a domain name to WAF, traffic to the protected domain name can be forwarded to origin servers over the Internet or an internal network.

Prerequisites

  • A WAF instance is purchased, and the number of domain names that are added to the WAF instance is less than the upper limit.

    Note

    The maximum number of domain names that can be added to a WAF instance varies based on the specifications of the instance and the number of extra domain names that you purchase. For more information, see Extra domain package.

  • If you use a WAF instance in the Chinese mainland to protect a domain name, you must complete an Internet Content Provider (ICP) filing for the domain name before you add the domain name to the instance. If you add the domain name to a WAF instance before you complete an ICP filing, WAF may report an error and prompt you to complete the ICP filing.

  • You have deployed an on-premises WAF protection node cluster, and the nodes in the cluster can connect to the Internet. For more information, see Deploy a Hybrid Cloud WAF protection cluster.

Limits

If you use Hybrid Cloud WAF protection nodes to protect internal services, clients cannot use IP addresses in the 172.16.0.0/16 CIDR block to access these services.

Add a hybrid cloud website

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Asset Center > Website Access.

  3. On the Domain Names tab, click Website Access.

    Note

    By default, the Access Mode parameter is set to CNAME Record on the Add Domain Name page.

  4. Enter the website information and click Next.

    The following configuration items and their descriptions apply:

    Domain Name

    Enter the domain name that you want to protect. You can enter an exact-match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. You can enter only one domain name.

    If this is the first time you add the domain name, you must verify its ownership before you can add it.

    How to verify domain name ownership

    To confirm that you own the domain name, you must complete ownership verification. You can use one of the following verification methods:

    • DNS verification: Manually add a TXT record that is provided by WAF to your DNS provider. This method is recommended.

    • File verification: Upload a verification file that is provided by WAF to the specified root directory of the origin server of the domain name. You must have the permissions to operate the origin server.

    DNS verification

    1. In the verification section, click the Method 1: DNS Verification tab.

    2. Add a TXT record to your DNS provider based on the Record Type, Host Record, and Record Value that are provided in the WAF console.

      If you use Alibaba Cloud DNS, perform the following steps. If you use another DNS provider, perform similar operations in the provider's system.

      1. Log on to the Alibaba Cloud DNS console.

      2. On the Authoritative DNS On Public Networks page, find the primary domain name and click DNS Settings in the Actions column.

      3. Click Add Record. Enter the Record Type, Host Record, and Record Value, and then click OK. Keep the default values for other parameters.

        After you add the record, you can view it in the record list. The record takes effect by default. The Status of the record is Enabled.

    3. Wait for the TXT record to take effect. If this is the first time you configure a TXT record for the domain name, the record takes effect immediately. If you modify a TXT record, the modification takes effect in 10 minutes. The time to live (TTL) of the DNS record determines how long it takes for the record to take effect. The default TTL is 10 minutes.

    4. Return to the WAF console and click Click To Verify.

      • If Verification successful is displayed, the domain name ownership is verified.

      • If Verification failed is displayed, perform the following steps to troubleshoot the issue:

        1. Check the TXT record: Make sure that the host record and record value are the same as the information that is provided in the WAF console. If they are different, delete the incorrect record, add the record again, and then perform the verification again.

        2. Wait for the DNS record to take effect: The DNS record may not take effect immediately after it is configured. The time it takes for the record to take effect depends on the TTL that is specified in your DNS server. We recommend that you wait 10 minutes and then perform the verification again.

        3. Use another verification method: If the verification still fails after multiple attempts, we recommend that you use "Method 2: File verification".

    File verification

    1. In the verification section, click the Method 2: File Verification tab.

    2. Click the link to download the verification file (① in the preceding figure).

      Important
      • The verification file is valid for only three days after it is downloaded. If you do not complete the file verification within three days, you must download the file again.

      • Do not perform any operations on the verification file, such as opening, editing, or renaming the file.

      • WAF accesses your origin server based on the selected protocol type. Make sure that the corresponding security group rules or firewall rules are enabled for the origin server:

        • If you select HTTP, you must allow inbound traffic over TCP port 80 from 0.0.0.0/0.

        • If you select HTTPS, you must allow inbound traffic over TCP port 443 from 0.0.0.0/0.

    3. Manually upload the verification file to the root directory of the origin server that is prompted in the console (② in the preceding figure). The origin server can be an ECS instance, an OSS bucket, a CVM instance, a COS bucket, or an EC2 instance.

      Note

      If you add a wildcard domain name, such as *.aliyun.com, you must upload the verification file to the root directory of aliyun.com.

      After the file is uploaded, you can use one of the following methods to check whether the verification file is uploaded.

    4. Return to the WAF console and click Click To Verify.

      • If Verification successful is displayed, the domain name ownership is verified.

      • If Verification failed is displayed, troubleshoot the issue based on the error message.

    Note
    • A wildcard domain name can match subdomains at the same level and at different levels. For example, *.aliyundoc.com can match multi-level domain names such as www.aliyundoc.com, example.aliyundoc.com, and www.example.aliyundoc.com.

    • A second-level wildcard domain name can match the corresponding second-level primary domain name. For example, *.aliyundoc.com can match aliyundoc.com.

    • A third-level wildcard domain name cannot match the corresponding third-level primary domain name. For example, *.example.aliyundoc.com cannot match example.aliyundoc.com.

    • If a protected object contains both an exact-match domain name and a wildcard domain name that can match the exact-match domain name, the protection rules and forwarding configurations of the exact-match domain name take precedence.
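The matching rules in the note above, written out as code. This is an added example, not Alibaba Cloud WAF code: it covers any-depth subdomain matching, the second-level versus third-level primary-domain rule, and the precedence of an exact-match domain over a wildcard that also matches it. The tie-break between several matching wildcards (most specific wins) is this example's assumption; the page does not state it.

```python
# Added example (not Alibaba Cloud WAF code): the wildcard matching rules
# from the note above, plus the exact-match-wins precedence rule.
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Split a host name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the configured domain `pattern` covers `hostname`.

    - An exact-match pattern covers only itself.
    - "*.suffix" covers subdomains of suffix at any depth.
    - Only a second-level wildcard (*.aliyundoc.com) also covers its bare
      primary domain (aliyundoc.com); *.example.aliyundoc.com does not cover
      example.aliyundoc.com.
    """
    host = _labels(hostname)
    if not pattern.startswith("*."):
        return _labels(pattern) == host
    suffix = _labels(pattern[2:])
    if host == suffix:
        return len(suffix) == 2
    return len(host) > len(suffix) and host[-len(suffix):] == suffix


def select_protected_object(configured: List[str], hostname: str) -> Optional[str]:
    """Pick the configured domain whose rules apply to a request for `hostname`.

    Exact-match domains take precedence over wildcards, as the page states.
    If several wildcards match, this example (an assumption, not documented
    behaviour) prefers the wildcard with the most labels.
    """
    candidates = [d for d in configured if wildcard_matches(d, hostname)]
    if not candidates:
        return None
    exact = [d for d in candidates if not d.startswith("*.")]
    if exact:
        return exact[0]
    return max(candidates, key=lambda d: len(_labels(d)))


if __name__ == "__main__":
    for pattern, host in [("*.aliyundoc.com", "www.example.aliyundoc.com"),
                          ("*.aliyundoc.com", "aliyundoc.com"),
                          ("*.example.aliyundoc.com", "example.aliyundoc.com")]:
        print(f"{pattern:28} {host:30} {wildcard_matches(pattern, host)}")
```

The bare-primary-domain case is handled separately on purpose: a suffix comparison alone would either always or never match it, while the page says it depends on the wildcard's level.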

    Protection Resource

    Select the type of resource that you want WAF to protect. In this case, select Hybrid Cloud Cluster.

    Protocol Type

    Select the protocol that the website uses. Valid values:

    • HTTP

    • HTTPS

      Important

      If the website supports HTTPS encryption, select HTTPS. After you add the domain name, upload the certificate and private key file for the domain name. For more information, see Upload an HTTPS certificate.

      After you select HTTPS, you can enable the following features:

      • (Advanced) Enable HTTPS Routing

        HTTPS force redirect converts HTTP requests from clients to HTTPS requests. If you enable this feature, clients use HTTPS requests to access WAF over port 443. WAF also forwards the requests to the origin server over port 443. Enable this feature if you want to force clients to use HTTPS requests to access your website for enhanced security.

        Important
        • You can enable this setting only when the HTTP protocol is not selected.

        • Make sure that your website supports HTTPS before you enable this setting. After you enable this setting, some browsers are forced to use HTTPS to access the website.

      • (Advanced) Enable HTTP Routing

        HTTP origin fetch indicates that WAF uses HTTP to forward requests to the origin server. The default origin fetch port is 80. If you enable this feature, WAF forwards requests to the origin server over port 80, regardless of whether clients access WAF over port 80 or 443. You can enable HTTP origin fetch to implement HTTPS access through WAF without modifying the origin server. This helps reduce the workload on your website.

        Important

        If your website does not support HTTPS for origin fetch, you must enable this setting.

      • If you disable both Enable HTTPS Routing and Enable HTTP Routing

        If a client accesses WAF over port 80, WAF forwards the request to the origin server over port 80. If a client accesses WAF over port 443, WAF forwards the request to the origin server over port 443.

      • Enable Origin SNI

        Origin Server Name Indication (SNI) indicates that when WAF forwards a client request to an origin server, WAF specifies the host to be accessed in the SNI field during the TLS handshake with the origin server. Then, WAF establishes an HTTPS connection with the host. If your origin server has multiple virtual hosts that correspond to different domain names, you must enable this feature.

        After you select Enable Origin SNI, you can specify a value for the SNI field. Valid values:

        • Use Domain Name in Host Header (Default): The value of the SNI field in the origin fetch request from WAF is the same as the value of the Host field in the request header.

          For example, if you configure *.aliyundoc.com as the website domain name and a client requests www.aliyundoc.com, the value of the Host field is www.aliyundoc.com. In this case, the value of the SNI field in the origin fetch request from WAF is www.aliyundoc.com.

        • Custom: You can specify a custom value for the SNI field in the origin fetch request from WAF.

          In most cases, you do not need to specify a custom SNI. You may need to specify a custom SNI only if your service has special configuration requirements and you want WAF to use an SNI that is different from the host of the actual request in origin fetch requests.

    • HTTP2 (This option is available only after you select HTTPS.)

      If your website supports HTTP 2.0, enable this setting. The port for HTTP 2.0 is the same as the port for HTTPS. After you enable this setting, you only need to set the HTTPS port. For more information, see Does adding a service that uses HTTP 2.0 to WAF affect the origin server?

      Note

      Only WAF instances of the Enterprise, Ultimate, and Exclusive editions support HTTP2.

    Node Settings

    Select a Protection Node Group Name.

    If one of your websites is deployed on multiple protection nodes, you can click Add Protection Node to the right of Node Settings to add multiple protection nodes to WAF at the same time.

    Origin Server Address

    Specify the addresses of the origin server of the website. You can specify addresses in IP address format or Domain Name (such As CNAME) format. After the website is added, WAF forwards filtered access requests to the server address that you specify. The following items describe the settings:

    • IP address format: Enter the public IP address of the origin server. The IP address must be reachable over the Internet.

      You can enter multiple IP addresses. Press the Enter key after you enter each IP address. You can add a maximum of 20 origin IP addresses.

      Note

      If you specify multiple IP addresses, WAF automatically performs health checks and load balancing among these addresses.

      WAF instances outside the Chinese mainland support only IPv4 addresses. WAF instances in the Chinese mainland support the following configuration methods:

      • Configure both IPv4 and IPv6 addresses

        If you enable Follow IPv4/IPv6 For Origin Fetch Protocol, requests from IPv6 addresses are forwarded to IPv6 origin servers, and requests from IPv4 addresses are forwarded to IPv4 origin servers. If you do not enable Follow IPv4/IPv6 For Origin Fetch Protocol, no distinction is made, and hybrid origin fetch is performed. This means that both IPv4 and IPv6 requests may be forwarded to IPv4 or IPv6 origin servers.

        Important

        When you use origin fetch over IPv6, you must make sure that the IPv6 Status of the domain name in the Website Config list is enabled. For more information, see Enable IPv6 protection.

      • Configure only IPv4 addresses

        Both IPv4 and IPv6 requests are forwarded over IPv4. This means that WAF forwards requests to the IPv4 origin server address that you specify.

      • Configure only IPv6 addresses

        Both IPv4 and IPv6 requests are forwarded over IPv6. This means that WAF forwards requests to the IPv6 origin server address that you specify.

      Instructions on how to enter a server IP address

      • If the origin server is on Alibaba Cloud, enter the public IP address of the ECS instance.

      • If an SLB instance is deployed in front of the ECS instance, enter the public IP address of the SLB instance.

      • If the origin server is in a data center that is not deployed on Alibaba Cloud or is hosted by another cloud service provider, we recommend that you run the ping command on the domain name to query its public IP address and then enter the public IP address.

      • Make sure that traffic redirection in transparent proxy mode is not enabled for the IP address that you enter.

    • Domain Name (such As CNAME) format: Enter the origin URL of the server, such as the CNAME of an OSS bucket.

      If you use the domain name format, origin fetch over IPv4 is supported. This means that WAF forwards client requests to the IPv4 address to which the origin URL is resolved.

      Important
      • The origin URL of the server must be different from the domain name of the website that you want to protect.

      • If the address of your origin server is an OSS domain name, you must go to the OSS console to attach a custom domain name to the OSS domain name after you add the website. For more information, see Attach a custom domain name.

    Destination Server Port

    Add the forwarding service ports that the website uses.

    Note

    This feature can be configured only by Alibaba Cloud technical support.

    The ports must be within the range of enabled ports for the hybrid cloud cluster. By default, ports 80, 8080, 443, and 8443 are enabled for a hybrid cloud cluster. When you create a hybrid cloud cluster, you can specify a custom range of ports to enable. For more information, see Configure basic information for a hybrid cloud cluster.

    WAF uses the ports that you add here to receive and forward service traffic for the website. The service traffic of the website domain name is forwarded only through the added service ports. WAF does not forward any access requests on other ports to the origin server. Therefore, enabling these ports does not pose any security threats to the origin server.

    Important

    The Protocol Type and Destination Server Port that you set for the website must be the same as the protocol and port that the origin server uses to provide web services. Port mapping is not supported. For example, if the origin server uses port 80 and the HTTP protocol to provide web services, you must configure the same port and protocol for the domain name. If you set other ports, requests cannot be forwarded.

    Default ports:

    • If you set Protocol Type to HTTP, the server port is set to HTTP 80 by default.

    • If you set Protocol Type to HTTPS, the server port is set to HTTPS 443 by default.

      Note

      The port for HTTP 2.0 is the same as the port for HTTPS.

    Custom ports: Click Custom and specify custom ports for the HTTP or HTTPS protocol. Separate multiple ports with commas (,).

    Click View Port Range to query all available ports.

    Load Balancing Algorithm

    If you specify multiple addresses of origin servers, select a load balancing algorithm for the origin servers. Valid values:

    • IP hash (default): Requests from the same client are forwarded to the same origin server. This algorithm is suitable for scenarios in which session consistency needs to be maintained. However, this may cause uneven load balancing.

    • Polling: Client requests are sequentially forwarded to origin servers from the origin server list. This algorithm is suitable for scenarios in which multiple origin servers are used and a high requirement for even load balancing on origin servers is imposed.

    • Least time: The intelligent DNS resolution feature and the upgraded least-time back-to-origin algorithm ensure the shortest latency for the entire link from when service traffic is connected to a protection node to when the traffic is forwarded to an origin server.

      Note

      You can select Least time only after you enable intelligent load balancing. For more information, see Intelligent load balancing.

    After the settings take effect, WAF distributes origin fetch requests to multiple origin server addresses based on the specified load balancing algorithm to implement load balancing.
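To make the trade-off between IP hash and Polling concrete, the following added example (not Alibaba Cloud WAF code) simulates both algorithms over a constructed origin list and constructed client traffic. The hash function WAF uses is not documented; SHA-256 over the client IP is an assumption made here only to show the stickiness and unevenness properties the list above describes.

```python
# Added example (not Alibaba Cloud WAF code): how IP hash and polling
# (round robin) distribute origin-fetch requests. The hash function WAF
# actually uses is not documented; SHA-256 here is an assumption.
import hashlib
from collections import Counter
from itertools import cycle
from typing import Dict, Iterable, List

# Constructed origin server addresses
ORIGINS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]


def ip_hash_pick(client_ip: str, origins: List[str]) -> str:
    """Same client IP -> same origin (session consistency); needs no shared state."""
    digest = hashlib.sha256(client_ip.encode("ascii")).digest()
    return origins[int.from_bytes(digest[:4], "big") % len(origins)]


class Polling:
    """Round robin: each request goes to the next origin in the list."""

    def __init__(self, origins: List[str]):
        self._next = cycle(origins)

    def pick(self, client_ip: str) -> str:  # client_ip is ignored on purpose
        return next(self._next)


def distribute(client_ips: Iterable[str], origins: List[str], algorithm: str) -> Dict[str, int]:
    """Count how many requests each origin receives under the given algorithm."""
    counts = Counter({origin: 0 for origin in origins})
    polling = Polling(origins)
    for ip in client_ips:
        if algorithm == "ip_hash":
            counts[ip_hash_pick(ip, origins)] += 1
        elif algorithm == "polling":
            counts[polling.pick(ip)] += 1
        else:
            raise ValueError(f"unknown algorithm: {algorithm}")
    return dict(counts)


if __name__ == "__main__":
    # Constructed traffic: two clients (for example behind one NAT address each)
    # sending six requests apiece. IP hash can keep a third origin idle;
    # polling spreads the twelve requests 4/4/4.
    traffic = ["198.51.100.7"] * 6 + ["203.0.113.9"] * 6
    print("ip_hash:", distribute(traffic, ORIGINS, "ip_hash"))
    print("polling:", distribute(traffic, ORIGINS, "polling"))
```

With only two distinct client addresses, IP hash can use at most two of the three origins, which is the uneven distribution the list above warns about; polling ignores the client address and therefore balances evenly but gives no session consistency.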

    Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF?

    • No other proxy service. Select No (default).

      This indicates that the business requests received by WAF are directly initiated by clients, not forwarded by other proxy services. In this scenario, WAF directly obtains the IP address that establishes the connection with WAF (from the REMOTE_ADDR field of the request) as the client IP address.

    • Another proxy service exists. Select Yes.

      This indicates that the business requests received by WAF are forwarded from other Layer 7 proxy services, not directly initiated by clients. To ensure that WAF can obtain the real client IP addresses for security analytics, you must further set the Obtain Source IP Address.

      Options:

      • (Default) Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client

        By default, WAF preferentially reads the X-Real-IP request header field as the client IP address. If the X-Real-IP field does not exist, WAF reads the first IP address in the X-Forwarded-For (XFF) field as the client IP address.

      • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery

        If your website service is configured through other proxy services to place the originating IP address of the client in a custom header field (such as X-Real-IP or X-Client-IP), you must select this option and enter the corresponding header field in the Header Field box.

        Note

        We recommend that you use a custom header to store client IP addresses in your service and configure the corresponding header field in WAF. This method can prevent attackers from forging the XFF field to evade WAF detection rules and improve the security of your business.

        You can enter multiple header fields. Press the Enter key after you enter each header field. If you set multiple headers, WAF attempts to read the client IP address in sequence. If the first header does not exist, WAF reads the second, and so on. If none of the specified headers exist, WAF first attempts to read the X-Real-IP field. If no result is found, WAF uses the first IP address in the X-Forwarded-For (XFF) header as the client IP address.
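The selection order described above, as an added example (not Alibaba Cloud WAF code) applied to constructed requests. It shows why the specified-header option resists X-Forwarded-For forgery: a client can place any value at the front of X-Forwarded-For, but only the proxy in front of WAF writes the custom header. The header names X-Client-IP and X-Missing, the addresses, the check that a header value parses as an IP address, and the fallback to the peer address when no header is usable are all this example's assumptions.

```python
# Added example (not Alibaba Cloud WAF code): the client-IP selection order
# this page describes, applied to constructed requests, to show why the
# "specified header field" option resists X-Forwarded-For forgery.
from ipaddress import ip_address
from typing import Dict, Optional, Sequence


def _first_ip(header_value: str) -> Optional[str]:
    """First comma-separated entry of a header, if it parses as an IP address.
    (The validity check is this example's hardening, not documented behaviour.)"""
    first = header_value.split(",")[0].strip()
    try:
        ip_address(first)
    except ValueError:
        return None
    return first


def client_ip(remote_addr: str, headers: Dict[str, str], behind_layer7_proxy: bool,
              specified_headers: Sequence[str] = ()) -> str:
    """Determine the client IP address the way the Layer 7 proxy setting describes.

    behind_layer7_proxy=False -> "No": the connecting address (REMOTE_ADDR) is the client.
    behind_layer7_proxy=True  -> "Yes": try the specified header fields in order,
                                 then X-Real-IP, then the first entry of X-Forwarded-For.
    """
    h = {name.lower(): value for name, value in headers.items()}
    if not behind_layer7_proxy:
        return remote_addr
    for name in list(specified_headers) + ["X-Real-IP", "X-Forwarded-For"]:
        value = h.get(name.lower())
        if value is None:
            continue
        ip = _first_ip(value)
        if ip is not None:
            return ip
    # Nothing usable: fall back to the peer address (an assumption; the page
    # does not say what WAF does when every header is absent).
    return remote_addr


# Constructed request: the client injected a fake first X-Forwarded-For entry,
# and the proxy in front of WAF appended the real peer address and also set
# X-Client-IP from the connection it saw.
SPOOFED_REQUEST = {
    "X-Forwarded-For": "203.0.113.9, 198.51.100.7",
    "X-Client-IP": "198.51.100.7",
}

if __name__ == "__main__":
    print("default option  :", client_ip("192.0.2.10", SPOOFED_REQUEST, True))
    print("specified header:", client_ip("192.0.2.10", SPOOFED_REQUEST, True,
                                         specified_headers=["X-Client-IP"]))
```

With the default option the forged entry 203.0.113.9 is taken as the client address; with X-Client-IP configured as the specified header, the address the proxy recorded, 198.51.100.7, is used instead, so rules keyed on client IP are evaluated against the right address.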

    Enable Traffic Mark

    You can enable traffic marking to help the origin server identify requests that pass through WAF and obtain the originating IP addresses or ports of clients.

    You can configure the following types of marking fields:

    • Custom Header

      You can configure a Header Name and a Header Value to allow WAF to add the header information to origin fetch requests. This marks requests that pass through WAF and helps your backend service perform statistical analysis.

      For example, you can use ALIWAF-TAG: Yes to mark requests that pass through WAF. In this example, ALIWAF-TAG is the header name and Yes is the header value.

    • Originating IP Address

      You can specify the header field that stores the originating IP address of the client. WAF records the header field and passes it to the origin server. For information about how WAF determines the originating IP address of a client, see the description of the Is There A Layer 7 Proxy (such As Anti-DDoS Or CDN) In Front Of WAF? parameter.

    • Source Port

      You can specify the header field that stores the originating port of the client. WAF records the header field and passes it to the origin server.

    Important

    Do not enter standard HTTP header fields, such as User-Agent. Otherwise, the content of the standard header fields is overwritten by the custom field values.

    Click Add Tag to add a marking field. You can add up to five marking fields.
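The following added example (not Alibaba Cloud WAF code) shows what the three marking-field types put into the origin-fetch request, why a standard header name such as User-Agent must not be used, and how an origin server reads the marks back. ALIWAF-TAG: Yes comes from the page; the header names X-Client-IP and X-Client-Port, the list of standard headers that are refused, and the origin-side reader are constructed for this example.

```python
# Added example (not Alibaba Cloud WAF code): the three marking-field types,
# the overwrite hazard for standard headers, and an origin-side reader.
from typing import Dict, List, Optional, Tuple

MAX_MARKING_FIELDS = 5  # the limit stated on the page

# Constructed list of standard request headers to refuse as marking-field names.
STANDARD_REQUEST_HEADERS = {
    "host", "user-agent", "accept", "content-type", "content-length",
    "authorization", "cookie", "referer", "origin",
}

# A mark is (kind, header_name, header_value); value is used only for "custom".
Mark = Tuple[str, str, Optional[str]]


def validate_marks(marks: List[Mark]) -> List[str]:
    """Return the problems a marking configuration has; an empty list means OK."""
    problems = []
    if len(marks) > MAX_MARKING_FIELDS:
        problems.append(f"more than {MAX_MARKING_FIELDS} marking fields")
    for kind, name, _ in marks:
        if name.lower() in STANDARD_REQUEST_HEADERS:
            problems.append(f"{name} is a standard header and would be overwritten")
        if kind not in ("custom", "source_ip", "source_port"):
            problems.append(f"unknown marking type {kind!r}")
    return problems


def apply_marks(request_headers: Dict[str, str], marks: List[Mark],
                client_ip: str, client_port: int) -> Dict[str, str]:
    """Simulate WAF writing the marking fields into the origin-fetch request.
    A header with the same name is overwritten, which is the hazard the
    Important note describes."""
    out = dict(request_headers)
    for kind, name, value in marks:
        if kind == "custom":
            out[name] = value or ""
        elif kind == "source_ip":
            out[name] = client_ip
        elif kind == "source_port":
            out[name] = str(client_port)
    return out


def read_marks_at_origin(headers: Dict[str, str],
                         marker: Tuple[str, str] = ("ALIWAF-TAG", "Yes"),
                         ip_header: str = "X-Client-IP",
                         port_header: str = "X-Client-Port") -> Dict[str, object]:
    """Origin-side view: did the request carry the WAF marker, and which client
    address and port did WAF record? A static marker identifies WAF traffic only
    if the origin accepts connections from the WAF nodes alone; the header
    value itself is not a secret."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "via_waf": h.get(marker[0].lower()) == marker[1],
        "client_ip": h.get(ip_header.lower()),
        "client_port": h.get(port_header.lower()),
    }


if __name__ == "__main__":
    marks = [("custom", "ALIWAF-TAG", "Yes"),
             ("source_ip", "X-Client-IP", None),
             ("source_port", "X-Client-Port", None)]
    print(validate_marks(marks))                        # []
    print(validate_marks([("custom", "User-Agent", "Yes")]))
    # Constructed client request as received by WAF
    forwarded = apply_marks({"Host": "www.aliyundoc.com", "User-Agent": "Mozilla/5.0"},
                            marks, "198.51.100.7", 51234)
    print(forwarded)
    print(read_marks_at_origin(forwarded))
```

The origin-side reader is where the practical caveat sits: the custom header proves that a request passed through WAF only when the origin's security group or firewall admits the WAF protection nodes and nothing else, so the originating IP and port headers should be trusted on the same condition.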

    Resource Group

    Select the resource group to which the domain name belongs from the resource group list.

    Note

    You can use the Resource Management service to create resource groups to manage cloud resources by business department, project, or other dimensions. For more information, see Create a resource group.

  5. Bind the host of your computer to the Server Load Balancer (SLB) instance that is deployed in front of the on-premises WAF instance, and then test whether traffic passes through WAF as expected.

    Note

    Currently, this operation can be performed only by Alibaba Cloud technical support.

  6. Change the DNS record of the domain name to the IP address of the on-premises SLB instance.

  7. Click Complete. Return to Domain Name List.

    The domain name is now protected by Hybrid Cloud WAF.