Web Application Firewall (WAF) inspects web traffic before it reaches your origin server. To activate protection, add your website to WAF by configuring a domain name and routing traffic through WAF.
Prerequisites
Before you begin, ensure that you have:
An active WAF instance
The domain name of the website to protect
The public IP address or domain name (CNAME) of your origin server
The protocol and port your origin server uses (HTTP port 80, HTTPS port 443, or a custom port)
Choose an onboarding type
WAF supports two onboarding types. Choose based on your origin server's infrastructure.
| | CNAME record | Transparent proxy |
|---|---|---|
| How it works | Add your domain to WAF, then update your DNS record to point traffic to WAF. | Add your domain to WAF. WAF intercepts traffic at the network level — no DNS changes needed. |
| Supported origin servers | All origin servers, whether on Alibaba Cloud or elsewhere. | ECS instances and Internet-facing SLB instances only. |
| Domains per operation | One domain at a time. | All domains under an instance at once. |
| DNS record change required | Yes | No |
| Back-to-origin settings required | Yes | No |
| Origin server protection required | Yes — configure an access control policy to block direct traffic to your origin. | No |
Limitations of transparent proxy mode:
Does not support internal-facing SLB instances
Does not support IPv6
Limits the number of configurable traffic redirection ports
Applies default protection settings that cannot be modified. You must add a domain name before you can edit domain-level protection rules.
For details, see Transparent proxy mode.
HTTP 1.0, HTTP 1.1, and HTTP 2.0 are supported by default. If your website uses HTTP 2.0, enable the HTTP2 switch to extend WAF protection to HTTP 2.0 traffic.
Add a website using CNAME record
This method applies to all origin server types. After you add the domain, update your DNS record to redirect traffic through WAF.
Steps at a glance:
Add the domain name and configure back-to-origin settings
Verify settings locally (before touching DNS)
Update the DNS record
Confirm WAF protection is active
Step 1: Add the domain name
Go to the Add Domain Name page in the WAF console.
Fill in the following configuration:
| Configuration item | Description |
|---|---|
| Domain Name | The domain name to protect. |
| Protection Resource | Select the protection resource type. |
| Protocol Type | Select the protocols your website supports. Options: Enable Force Redirect To HTTPS, Enable HTTP For Back-to-origin Traffic, Enable Origin SNI. |
| Destination Server Port | The port on your origin server. Default: HTTP port 80 or HTTPS port 443. If your origin uses a non-standard port, enter a custom value within the ports supported by WAF. |
| Origin Server Address | The address WAF forwards requests to. Use IP for a public IP address (SLB instance, ECS instance, or non-Alibaba Cloud server), or Domain Name for a CNAME-based back-to-origin address. The back-to-origin domain name cannot be the same as the protected domain name. Only IPv4 is supported for back-to-origin traffic. |
| Load Balancing Algorithm | If you specify multiple origin server addresses, select a load balancing algorithm. |
| Whether Layer 7 Proxy, Such as Anti-DDoS Proxy, or Alibaba Cloud CDN, Is Deployed in Front of WAF | Select Yes if Anti-DDoS Proxy, CDN, or another Layer 7 proxy sits in front of WAF. |
| Enable Traffic Mark | Specify whether to enable the traffic mark feature. |
Click Save.
For the full list of configuration options, see Add a domain name.
Step 2: Verify settings locally
Before updating your DNS record, verify that the WAF configuration is correct to avoid service interruptions. See Local verification.
Step 3: Update the DNS record
Update your DNS record to route traffic through WAF. The following steps use Alibaba Cloud DNS as an example.
Get the WAF CNAME address. See Obtain the CNAME address of WAF.
Go to the Domain Name Resolution page in the Alibaba Cloud DNS console. Find your domain, click DNS Settings in the Actions column, and update the CNAME record to the WAF CNAME address.
For other DNS providers, see Modify the DNS record of a domain name.
Step 4: Confirm WAF protection is active
Verify that traffic is flowing through WAF. See Step 6: Verify domain name settings.
Post-setup configuration
After adding your domain, complete these steps for full protection:
Upload an HTTPS certificate — Required if your website uses HTTPS. Without a valid certificate, WAF cannot process HTTPS traffic. See Add a domain name.
Whitelist the back-to-origin CIDR blocks of WAF — WAF forwards traffic to your origin from specific IP ranges. Add these ranges to your origin server's allowlist to prevent its security software from blocking WAF traffic. See Whitelist the back-to-origin IP address CIDR blocks of WAF.
Protect your origin server — Configure an access control policy on your origin server to accept inbound traffic only from WAF's back-to-origin CIDR blocks. This prevents attackers from bypassing WAF by targeting your origin directly. See Configure protection for an origin server.
Configure custom TLS settings — Customize TLS protocol versions and cipher suites for your domain if needed. See Configure custom TLS settings.
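One way to check that the origin-protection policy above is actually in effect, as an added example that is not part of this documentation or of Alibaba Cloud's tooling: a Python script that scans the origin server's own access log and reports every request that did not arrive from a WAF back-to-origin range, i.e. traffic that reached the origin without passing through WAF. The CIDR blocks and the log lines are constructed placeholders; substitute the real back-to-origin CIDR blocks from the WAF console.

```python
import ipaddress
import re

# Constructed placeholder for the WAF back-to-origin CIDR blocks. Take the real
# list from the WAF console; these documentation-range values are NOT it.
WAF_BACK_TO_ORIGIN_CIDRS = ["198.51.100.0/24", "203.0.113.0/25"]

# Constructed origin access log (common log format). Only the first two lines
# come from the placeholder WAF ranges; the rest reached the origin directly.
SAMPLE_ORIGIN_LOG = """\
198.51.100.17 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2024:13:55:37 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2024:13:55:40 +0000] "GET /admin.php?id=1 HTTP/1.1" 200 2048
203.0.113.200 - - [10/Oct/2024:13:55:41 +0000] "GET /wp-login.php HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def build_allowlist(cidrs):
    """Parse CIDR strings into network objects (back-to-origin traffic is IPv4 only)."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_from_waf(ip, allowlist):
    """True if the client address lies inside one of the WAF back-to-origin ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage in the client field is never trusted as WAF traffic
    return any(addr in net for net in allowlist)


def find_direct_hits(log_text, cidrs):
    """Return (ip, request, status) for each request whose source is outside the
    allowlist, i.e. traffic that bypassed WAF. Any hit means the origin's access
    control policy is missing or incomplete."""
    allowlist = build_allowlist(cidrs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of mis-classifying them
        if not is_from_waf(m["ip"], allowlist):
            hits.append((m["ip"], m["req"], m["status"]))
    return hits


if __name__ == "__main__":
    for ip, req, status in find_direct_hits(SAMPLE_ORIGIN_LOG, WAF_BACK_TO_ORIGIN_CIDRS):
        print(f"direct-to-origin request from {ip}: {req} -> {status}")
```

Run it against the origin's real access log after the access control policy is applied; once only WAF ranges can reach the origin, the list of hits should stay empty.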
Add a website using transparent proxy
This method requires no DNS changes. WAF intercepts traffic at the network level based on your ECS instance or SLB instance configuration.
Step 1: Add the domain name
Go to the Add Domain Name page in the WAF console. Set Connection Type to Transparent Proxy Mode.
Fill in the following configuration:
| Configuration item | Description |
|---|---|
| Domain Name | The website domain name. |
| SLB-based Domains / Layer 7 SLB-based Domains / Layer 4 SLB-based Domains / ECS-based Domains | Select the instance type and the service port. Supported types: ALB, Layer 7 SLB, Layer 4 SLB, ECS. |
| Whether Layer 7 Proxy, Such as Anti-DDoS Proxy, or Alibaba Cloud CDN, Is Deployed in Front of WAF | Select Yes if Anti-DDoS Pro/Premium, CDN, or another Layer 7 proxy sits in front of WAF. |
| Enable Traffic Mark | Specify whether to enable the traffic mark feature. |
Click Save.
For details, see Transparent proxy mode.
Step 2: Confirm WAF protection is active
Verify that traffic is flowing through WAF. See Step 6: Verify domain name settings.
What to do next
Your website is now protected by WAF. Two protection modules are enabled by default:
Web Intrusion Prevention - Protection Rules Engine: blocks common web attacks including SQL injection, cross-site scripting (XSS), and webshell uploads.
Access Control/Throttling - HTTP Flood Protection: defends against HTTP flood attacks.
To extend protection coverage, enable additional modules and configure rules. See Overview of website protection configurations.
Defend against DDoS attacks
Deploy Anti-DDoS Proxy and WAF together in front of your origin server to protect against both web application attacks and volumetric DDoS attacks. See Jointly deploy Anti-DDoS Proxy and WAF to enhance website protection.
Accelerate content delivery with WAF protection
Deploy CDN and WAF together to combine content acceleration with web application security. See Deploy WAF and CDN to provide WAF protection for domain names that have content acceleration enabled.