After you add a website to Web Application Firewall (WAF), you can enable the website tamper-proofing feature. This feature locks web pages that you want to protect, such as sensitive pages. When a request for a locked page is received, WAF returns the cached page to prevent the content on the origin server from being maliciously tampered with.
Prerequisites
A WAF instance is purchased, and its edition is Enterprise, Ultimate, or Exclusive.
Your website is added to WAF. For more information, see Tutorial.
Procedure
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the upper part of the Website Protection page, select the domain name for which you want to configure protection from the Switch Domain Name drop-down list.
Click the Web Security tab, find the Website Tamper-proofing section, turn on the Status switch, and then click Settings.
Important: After you enable website tamper-proofing, all requests to your website are checked against website tamper-proofing rules by default. You can configure a data security whitelist to allow conditional requests to bypass website tamper-proofing detection. For more information, see Configure a data security whitelist.
Add a website tamper-proofing rule.
On the Website Tamper-proofing page, click Create Rule.
In the Create Rule dialog box, enter the Service Name and URL for the web page that you want to protect, and then click OK.
Service Name: The name of the service that corresponds to the web page.
URL: The exact path that you want to protect. The path must start with http:// or https://. Wildcard characters (such as /*) or parameters (such as /abc?xxx=yyy, where xxx=yyy is the parameter part) are not supported. Files in this path, such as TXT, HTML, and image files, are protected. The size of a single protected file cannot exceed 1 MB.
Important: Requests that contain URL parameters do not hit tamper-proofing rules and are forwarded to the origin server by WAF. For example, if the URL path is set to /abc and the request URL is /abc?xxx=yyy, the request does not hit the tamper-proofing rule for the URL path /abc.
After a website tamper-proofing rule is created, it is disabled by default. The new rule appears in the rule list, and its Protection Status switch is turned off.
Enable the rule. In the rule list, find the rule that you want to enable and turn on its Protection Status switch.
After the rule is enabled, WAF returns the cached record when it receives a request for the protected page.
Optional: Update the cache. In the rule list, find the enabled rule and click Update Cache in the Protection Status column.
If you update the content of the protected page, you must click Update Cache to update the cached record in WAF. If you do not update the cache, WAF continues to return the last cached record, which renders the protection invalid.
If your origin server uses a whitelist for access control, add the following WAF IP addresses to the whitelist:
The Chinese mainland: 121.196.106.101, 121.196.100.214, 121.196.110.192, and 121.196.107.0.
Outside the Chinese mainland: 8.219.104.2 and 8.219.41.212.
After you create a tamper-proofing rule, WAF immediately and automatically pulls the resources and caches them. Subsequent access requests are served the cached pages.
If you re-enable the Module Switch or enable the rule's Status switch, the effect is the same as manually clicking Refresh Cache. WAF re-accesses the protected resources and refreshes the cache.
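The URL constraints and the parameter behavior described in the Create Rule step can be checked before a rule is entered in the console. The following Python sketch is an added example, not code from WAF or its documentation. It validates a candidate rule URL against the documented constraints and lists which requests for a protected page would be forwarded to the origin instead of being answered from the cache. The function names, the sample URLs, and the assumption that a page is identified by scheme, host, and path are all illustrative.

```python
from urllib.parse import urlsplit


def validate_rule_url(url):
    """Return the documented constraints a candidate rule URL violates ([] = OK)."""
    problems = []
    if not url.startswith(("http://", "https://")):
        problems.append("must start with http:// or https://")
    if "*" in url:
        problems.append("wildcard characters are not supported")
    if "?" in url:
        problems.append("URL parameters are not supported")
    return problems


def _page(url):
    # Assumption: a page is identified by scheme, host and path.
    # The documentation itself only says "exact path".
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc.lower(), parts.path)


def hits_rule(rule_url, request_url):
    """True if the request would be answered from the WAF cache."""
    if "?" in request_url:  # documented: requests with parameters go to the origin
        return False
    return _page(rule_url) == _page(request_url)


def reached_origin(rule_url, request_urls):
    """Requests for the protected page that were not served from the cache."""
    return [u for u in request_urls
            if _page(u) == _page(rule_url) and not hits_rule(rule_url, u)]


# Constructed sample data; www.example.com is a placeholder host.
RULE = "https://www.example.com/abc"
REQUESTS = [
    "https://www.example.com/abc",
    "https://www.example.com/abc?xxx=yyy",
    "https://www.example.com/other",
]

if __name__ == "__main__":
    for candidate in (RULE, "www.example.com/abc", "https://www.example.com/*"):
        print(candidate, "->", validate_rule_url(candidate) or "OK")
    print("forwarded to origin:", reached_origin(RULE, REQUESTS))
```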