Adds a domain name to a WAF instance by using Website Config for protection.
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
yundun-waf:CreateDomain |
create |
*DefenseResource
|
None | None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| InstanceId |
string |
Yes |
The ID of the WAF instance. Note
You can call DescribeInstance to query the ID of the current WAF instance. |
waf_cdnsdf3**** |
| ResourceManagerResourceGroupId |
string |
No |
The Alibaba Cloud resource group ID. |
rg-acfm***q |
| Domain |
string |
Yes |
The domain name to query. |
www.aliyundoc.com |
| Listen |
object |
Yes |
The listening configuration. |
|
| HttpsPorts |
array |
No |
The listening ports for HTTPS. |
|
|
integer |
No |
The listening ports for HTTPS, in the format of [port1,port2,......,portN]. |
[443,8443] |
|
| HttpPorts |
array |
No |
The listening ports for HTTP. |
|
|
integer |
No |
The listening ports for HTTP, in the format of [port1,port2,……]. |
[80,81] |
|
| Http2Enabled |
boolean |
No |
Specifies whether to enable HTTP/2. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values:
|
true |
| CertId |
string |
No |
The ID of the certificate to add. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. |
123 |
| SM2Enabled |
boolean |
No |
Specifies whether to enable the China Encryption (SM) certificate. |
true |
| SM2CertId |
string |
No |
The ID of the China Encryption (SM) certificate to add. This parameter is used only when SM2Enabled is set to true. |
123-cn-hangzhou |
| SM2AccessOnly |
boolean |
No |
Specifies whether only China Encryption (SM) clients can access the domain name. This parameter is used only when SM2Enabled is set to true.
|
true |
| TLSVersion |
string |
No |
The TLS version to add. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values:
|
tlsv1 |
| EnableTLSv3 |
boolean |
No |
Specifies whether to support TLS 1.3. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values:
|
true |
| CipherSuite |
integer |
No |
The type of cipher suite to add. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values:
|
2 |
| CustomCiphers |
array |
No |
The custom cipher suites to add. |
|
|
string |
No |
The custom cipher suites to add. This parameter is used only when CipherSuite is set to 99. |
["xxx","ffas"] |
|
| FocusHttps |
boolean |
No |
Specifies whether to enable forced HTTPS redirect. This parameter is used only when HttpsPorts is not empty (which indicates that the domain name uses HTTPS) and HttpPorts is empty (which indicates that the domain name does not use HTTP). Valid values:
|
true |
| XffHeaderMode |
integer |
No |
The method that WAF uses to obtain the originating IP address of the client. Valid values:
|
1 |
| XffHeaders |
array |
No |
The list of custom header fields used to obtain the client IP address. |
|
|
string |
No |
The list of custom header fields used to obtain the client IP address, in the format of ["header1","header2",……]. Note
This parameter is required only when XffHeaderMode is set to 2, which indicates that WAF reads the value of a custom header field that you specify as the client IP address. |
["Client-ip","cip"] |
|
| IPv6Enabled |
boolean |
No |
Specifies whether to enable IPv6. Valid values:
|
true |
| ProtectionResource |
string |
No |
The type of protection resource to use. Valid values:
|
share |
| ExclusiveIp |
boolean |
No |
Specifies whether to enable an exclusive IP address. This parameter is used only when IPv6Enabled is set to false (which indicates that IPv6 is not enabled) and ProtectionResource is set to share (which indicates that a shared cluster is used). Valid values:
|
true |
| HstsIncludeSubDomain |
boolean |
No |
Specifies whether HSTS includes subdomains. Valid values:
|
|
| HstsPreload |
boolean |
No |
Specifies whether to enable HSTS preloading. This feature is disabled by default. Valid values:
|
false |
| HstsMaxAge |
integer |
No |
The HSTS expiration time. Unit: seconds. |
365000 |
| Redirect |
object |
Yes |
The forwarding configuration. |
|
| Backends |
array |
No |
The IP addresses or back-to-origin domain names of the origin server corresponding to the domain name. |
|
|
string |
No |
The IP addresses or back-to-origin domain names of the origin server corresponding to the domain name. You can set only one type: origin server IP addresses or back-to-origin domain names. When the back-to-origin address is a domain name, only IPv4 is supported. IPv6 is not supported.
|
[ "1.1.XX.XX", "2.2.XX.XX" ] |
|
| Loadbalance |
string |
Yes |
The load balancing algorithm used for back-to-origin. Valid values:
|
roundRobin |
| FocusHttpBackend |
boolean |
No |
Specifies whether to enable forced HTTP back-to-origin. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values:
|
true |
| SniEnabled |
boolean |
No |
Specifies whether to enable back-to-origin SNI. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values:
|
true |
| SniHost |
string |
No |
The value of the custom SNI extension field. If this parameter is not set, the value of the Host field in the request header is used as the SNI extension field value by default. In most cases, you do not need to customize the SNI unless your service has special configuration requirements and you want WAF to use an SNI that is different from the actual request Host in back-to-origin requests (the custom SNI set here). Note
This parameter is required only when SniEnabled is set to true, which indicates that back-to-origin SNI is enabled. |
www.aliyundoc.com |
| RequestHeaders |
array<object> |
No |
The traffic mark field and value of the domain name, used to mark traffic processed by WAF. By specifying custom request header fields and corresponding values, when the access traffic of the domain name passes through WAF, WAF automatically adds the specified custom field values to the request header as traffic marks, which helps the backend service collect relevant information. |
|
|
object |
No |
The value of this parameter is in the format of [{"k":"key","v":"value"}]. key indicates the specified custom request header field, and value indicates the value set for the field. |
||
| Key |
string |
No |
The specified custom request header field. |
aaa |
| Value |
string |
No |
The value set for the custom request header field. |
bbb |
| ConnectTimeout |
integer |
No |
The connection timeout period. Unit: seconds. Valid values: 1 to 3600. Default value: 5. |
120 |
| ReadTimeout |
integer |
No |
The read timeout period. Unit: seconds. Valid values: 1 to 3600. Default value: 120. |
200 |
| WriteTimeout |
integer |
No |
The write timeout period. Unit: seconds. Valid values: 1 to 3600. Default value: 120. |
200 |
| CnameEnabled |
boolean |
No |
Specifies whether to enable public cloud disaster recovery. Valid values:
|
true |
| RoutingRules |
string |
No |
The hybrid cloud forwarding rules. The value is a string converted from a JSON array. Each element in the JSON array is a structure that contains the following fields:
|
[ { "rs": [ "1.1.XX.XX" ], "backupRs": [ "2.2.XX.XX" ], "locationId": 535, "location": "test1111" } ] |
| Keepalive |
boolean |
No |
Specifies whether to enable persistent connections. Valid values:
|
true |
| Retry |
boolean |
No |
Specifies whether to retry when WAF fails to forward requests to the origin server. Valid values:
|
true |
| KeepaliveRequests |
integer |
No |
The number of requests that reuse persistent connections. Valid values: 60 to 1000. Default value: 1000. Note
The number of persistent connections to reuse after persistent connections are enabled. |
1000 |
| KeepaliveTimeout |
integer |
No |
The idle timeout period for persistent connections. Valid values: 1 to 60. Default value: 15. Unit: seconds. Note
The idle time after which a reused persistent connection is released. |
15 |
| XffProto |
boolean |
No |
Specifies whether to use X-Forward-For-Proto to pass the protocol used by WAF. Valid values:
|
false |
| BackupBackends |
array |
No |
The backup origin server IP addresses or back-to-origin domain names corresponding to the domain name. |
|
|
string |
No |
The backup origin server IP addresses or back-to-origin domain names corresponding to the domain name. You can set only one type: origin server IP addresses or back-to-origin domain names. When the back-to-origin address is a domain name, only IPv4 is supported. IPv6 is not supported.
|
[ "1.1.XX.XX", "2.2.XX.XX" ] |
|
| XClientIp |
boolean |
No |
Specifies whether to allow WAF to overwrite X-Client-IP. Valid values:
|
true |
| XTrueIp |
boolean |
No |
Specifies whether to allow WAF to overwrite X-True-IP. Valid values:
|
true |
| WebServerType |
boolean |
No |
Specifies whether to allow WAF to overwrite Web-Server-Type. Valid values:
|
true |
| WLProxyClientIp |
boolean |
No |
Specifies whether to allow WAF to overwrite WL-Proxy-Client-IP. Valid values:
|
true |
| MaxBodySize |
integer |
No |
The maximum request body size. Valid values: 2 to 10. Default value: 2. Unit: GB. Note
Only the Ultimate Edition supports this feature. |
2 |
| Http2Origin |
boolean |
No |
Specifies whether to enable HTTP/2 back-to-origin. Valid values:
|
true |
| Http2OriginMaxConcurrency |
integer |
No |
The maximum number of concurrent connections for HTTP/2 back-to-origin. Valid values: 1 to 512. Default value: 128. |
128 |
| BackendPorts |
array<object> |
No |
The custom port configuration. |
|
|
object |
No |
The custom port configuration. |
||
| ListenPort |
integer |
No |
The listening port. |
80 |
| BackendPort |
integer |
No |
The back-to-origin port. |
80 |
| Protocol |
string |
No |
The protocol of the listening port. Valid values:
|
http |
| ProxyProtocol |
boolean |
No |
Specifies whether the client source IP preservation feature is enabled.
|
false |
| RegionId |
string |
Yes |
The region where the WAF instance is deployed. Valid values:
|
cn-hangzhou |
| AccessType |
string |
No |
The access type of the WAF instance. Valid values:
|
share |
| Tag |
array<object> |
No |
The tag list, which contains a maximum of 20 items. |
|
|
object |
No |
The tags of the resource. A maximum of 20 items are supported. |
||
| Key |
string |
No |
The tag key. |
Tagkey1 |
| Value |
string |
No |
The tag value. |
TagValue1 |
Response elements
|
Element |
Type |
Description |
Example |
|
object |
The response returned after the domain name is added. |
||
| RequestId |
string |
The request ID. |
D7861F61-5B61-46CE-A47C-6B19160D5EB0 |
| DomainInfo |
object |
The information about the added domain name. |
|
| Cname |
string |
The CNAME assigned by WAF to the domain name. |
xxxxxwww.****.com |
| Domain |
string |
The added domain name. |
www.aliyundoc.com |
| DomainId |
string |
The domain name ID. |
www.aliyundoc.com-waf |
Examples
Success response
JSON format
{
"RequestId": "D7861F61-5B61-46CE-A47C-6B19160D5EB0",
"DomainInfo": {
"Cname": "xxxxxwww.****.com",
"Domain": "www.aliyundoc.com",
"DomainId": "www.aliyundoc.com-waf"
}
}
Error codes
|
HTTP status code |
Error code |
Error message |
Description |
|---|---|---|---|
| 400 | Waf.Pullin.ResourceExsit | Access resource already exists, resource:%s. | Access resource already exists, existing resource:%s. |
| 400 | Waf.Pullin.BusinessViolation | The web services are suspected of violating regulations. If you have any questions, please submit a work order. Violating resource: %s. | The web services are suspected of violating regulations. If you have any questions, please submit a work order. Violating resource: %s. |
| 400 | Waf.Pullin.Http2OriginMustOnHttp2Enable | When HTTP2 origin is enabled, HTTP2 listening must be enabled. | When HTTP2 back-to-source is enabled, HTTP2 listening must be enabled. |
| 400 | Waf.Pullin.Http2OriginMustOnKeepaliveEnable | When the HTTP2 origin is turned on, the keepalive must be turned on. | When the HTTP2 origin is turned on, the keepalive must be turned on. |
| 400 | Waf.Pullin.Http2OriginEnabledFocusHttpBackendForbidden | When HTTP2 origin is enabled, HTTP origin cannot be enabled. | When HTTP2 origin is enabled, HTTP origin cannot be enabled. |
| 400 | Waf.Pullin.BatchDnsScheduleCheckFailed | Batch dns scheduling is in progress, and access related operations are prohibited. | batch dns scheduling is in progress, and access-related operations are prohibited. |
| 400 | Waf.Pullin.InvalidMaxAgeWithPreload | HstsMaxAge the parameter is incorrect, when the HstsPreload is True, the HstsMaxAge must be greater than or equal to 31536000. | HstsMaxAge the parameter is incorrect, when the HstsPreload is True, the HstsMaxAge must be greater than or equal to 31536000 |
| 400 | Waf.Pullin.InvalidIncludeSubDomainWithPreload | The parameter HstsIncludeSubDomain is invalid. When the parameter HstsPreload is true, the HstsIncludeSubDomain must be true. | The parameter HstsIncludeSubDomain is invalid. When the parameter HstsPreload is true, the HstsIncludeSubDomain must be true. |
| 400 | Waf.Pullin.InvalidCustomCiphers | Invalid custom cipher suite. | Invalid custom cipher suite. |
| 400 | Waf.Pullin.InvalidHttp2OriginWithProxyProtocol | http2Origin and proxyProtocol cannot be opened at the same time. | http2Origin and proxyProtocol cannot be opened at the same time. |
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.