All Products
Search
Document Center

Web Application Firewall:CreateDomain

Last Updated:Jul 06, 2026

Adds a domain name to a WAF instance by using Website Config for protection.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-waf:CreateDomain

create

*DefenseResource

acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/*

None None

Request parameters

Parameter

Type

Required

Description

Example

InstanceId

string

Yes

The ID of the WAF instance.

Note

You can call DescribeInstance to query the ID of the current WAF instance.

waf_cdnsdf3****

ResourceManagerResourceGroupId

string

No

The Alibaba Cloud resource group ID.

rg-acfm***q

Domain

string

Yes

The domain name to query.

www.aliyundoc.com

Listen

object

Yes

The listening configuration.

HttpsPorts

array

No

The listening ports for HTTPS.

integer

No

The listening ports for HTTPS, in the format of [port1,port2,......,portN].

[443,8443]

HttpPorts

array

No

The listening ports for HTTP.

integer

No

The listening ports for HTTP, in the format of [port1,port2,……].

[80,81]

Http2Enabled

boolean

No

Specifies whether to enable HTTP/2. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values:

  • true: HTTP/2 is enabled.

  • false (default): HTTP/2 is not enabled.

true

CertId

string

No

The ID of the certificate to add. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS.

123

SM2Enabled

boolean

No

Specifies whether to enable the China Encryption (SM) certificate.

true

SM2CertId

string

No

The ID of the China Encryption (SM) certificate to add. This parameter is used only when SM2Enabled is set to true.

123-cn-hangzhou

SM2AccessOnly

boolean

No

Specifies whether only China Encryption (SM) clients can access the domain name. This parameter is used only when SM2Enabled is set to true.

  • true: Only China Encryption (SM) clients can access the domain name.

  • false: Both China Encryption (SM) and non-China Encryption (SM) clients can access the domain name.

true

TLSVersion

string

No

The TLS version to add. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values:

  • tlsv1

  • tlsv1.1

  • tlsv1.2

tlsv1

EnableTLSv3

boolean

No

Specifies whether to support TLS 1.3. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values:

  • true: TLS 1.3 is supported.

  • false: TLS 1.3 is not supported.

true

CipherSuite

integer

No

The type of cipher suite to add. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values:

  • 1: all cipher suites.

  • 2: strong cipher suites. This value is available only when TLSVersion is set to tlsv1.2.

  • 99: custom cipher suites.

2

CustomCiphers

array

No

The custom cipher suites to add.

string

No

The custom cipher suites to add. This parameter is used only when CipherSuite is set to 99.

["xxx","ffas"]

FocusHttps

boolean

No

Specifies whether to enable forced HTTPS redirect. This parameter is used only when HttpsPorts is not empty (which indicates that the domain name uses HTTPS) and HttpPorts is empty (which indicates that the domain name does not use HTTP). Valid values:

  • true: Forced HTTPS redirect is enabled.

  • false: Forced HTTPS redirect is not enabled.

true

XffHeaderMode

integer

No

The method that WAF uses to obtain the originating IP address of the client. Valid values:

  • 0 (default): The client traffic has not been forwarded by any Layer 7 proxy before reaching WAF.

  • 1: WAF reads the first value in the X-Forwarded-For (XFF) header as the client IP address.

  • 2: WAF reads the value of a custom header field that you specify as the client IP address.

1

XffHeaders

array

No

The list of custom header fields used to obtain the client IP address.

string

No

The list of custom header fields used to obtain the client IP address, in the format of ["header1","header2",……].

Note

This parameter is required only when XffHeaderMode is set to 2, which indicates that WAF reads the value of a custom header field that you specify as the client IP address.

["Client-ip","cip"]

IPv6Enabled

boolean

No

Specifies whether to enable IPv6. Valid values:

  • true: IPv6 is enabled.

  • false (default): IPv6 is not enabled.

true

ProtectionResource

string

No

The type of protection resource to use. Valid values:

  • share (default): shared cluster.

  • gslb: shared cluster-based intelligent load balancing.

share

ExclusiveIp

boolean

No

Specifies whether to enable an exclusive IP address. This parameter is used only when IPv6Enabled is set to false (which indicates that IPv6 is not enabled) and ProtectionResource is set to share (which indicates that a shared cluster is used). Valid values:

  • true: An exclusive IP address is enabled.

  • false (default): An exclusive IP address is not enabled.

true

HstsIncludeSubDomain

boolean

No

Specifies whether HSTS includes subdomains. Valid values:

  • true: Enabled.

  • false: Not enabled.

HstsPreload

boolean

No

Specifies whether to enable HSTS preloading. This feature is disabled by default. Valid values:

  • true: Enabled.

  • false: Disabled.

false

HstsMaxAge

integer

No

The HSTS expiration time. Unit: seconds.

365000

Redirect

object

Yes

The forwarding configuration.

Backends

array

No

The IP addresses or back-to-origin domain names of the origin server corresponding to the domain name.

string

No

The IP addresses or back-to-origin domain names of the origin server corresponding to the domain name. You can set only one type: origin server IP addresses or back-to-origin domain names. When the back-to-origin address is a domain name, only IPv4 is supported. IPv6 is not supported.

  • To set origin server IP addresses, use the format ["ip1","ip2",……]. A maximum of 20 IP addresses are supported.

  • To set back-to-origin domain names, use the format ["domain"]. A maximum of 20 domain name addresses are supported.

[ "1.1.XX.XX", "2.2.XX.XX" ]

Loadbalance

string

Yes

The load balancing algorithm used for back-to-origin. Valid values:

  • iphash: IP hash algorithm.

  • roundRobin: round-robin algorithm.

  • leastTime: Least Time algorithm. This value is available only when ProtectionResource is set to gslb, which indicates that the shared cluster-based intelligent load balancing is used.

roundRobin

FocusHttpBackend

boolean

No

Specifies whether to enable forced HTTP back-to-origin. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values:

  • true: Forced HTTP back-to-origin is enabled.

  • false: Forced HTTP back-to-origin is not enabled.

true

SniEnabled

boolean

No

Specifies whether to enable back-to-origin SNI. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values:

  • true: Back-to-origin SNI is enabled.

  • false (default): Back-to-origin SNI is not enabled.

true

SniHost

string

No

The value of the custom SNI extension field. If this parameter is not set, the value of the Host field in the request header is used as the SNI extension field value by default. In most cases, you do not need to customize the SNI unless your service has special configuration requirements and you want WAF to use an SNI that is different from the actual request Host in back-to-origin requests (the custom SNI set here).

Note

This parameter is required only when SniEnabled is set to true, which indicates that back-to-origin SNI is enabled.

www.aliyundoc.com

RequestHeaders

array<object>

No

The traffic mark field and value of the domain name, used to mark traffic processed by WAF.

By specifying custom request header fields and corresponding values, when the access traffic of the domain name passes through WAF, WAF automatically adds the specified custom field values to the request header as traffic marks, which helps the backend service collect relevant information.

object

No

The value of this parameter is in the format of [{"k":"key","v":"value"}]. key indicates the specified custom request header field, and value indicates the value set for the field.

Key

string

No

The specified custom request header field.

aaa

Value

string

No

The value set for the custom request header field.

bbb

ConnectTimeout

integer

No

The connection timeout period. Unit: seconds. Valid values: 1 to 3600. Default value: 5.

120

ReadTimeout

integer

No

The read timeout period. Unit: seconds. Valid values: 1 to 3600. Default value: 120.

200

WriteTimeout

integer

No

The write timeout period. Unit: seconds. Valid values: 1 to 3600. Default value: 120.

200

CnameEnabled

boolean

No

Specifies whether to enable public cloud disaster recovery. Valid values:

  • true: Public cloud disaster recovery is enabled.

  • false (default): Public cloud disaster recovery is not enabled.

true

RoutingRules

string

No

The hybrid cloud forwarding rules. The value is a string converted from a JSON array. Each element in the JSON array is a structure that contains the following fields:

  • rs: Array type | The list of back-to-origin IP addresses or back-to-origin CNAMEs.

  • backupRs: Array type | The list of backup back-to-origin IP addresses or back-to-origin CNAMEs. This field is required. Use [] to indicate that no backup is set.

  • location: String type | The name of the protection node.

  • locationId: Long type | The ID of the protection node.

[ { "rs": [ "1.1.XX.XX" ], "backupRs": [ "2.2.XX.XX" ], "locationId": 535, "location": "test1111" } ]

Keepalive

boolean

No

Specifies whether to enable persistent connections. Valid values:

  • true (default): Persistent connections are enabled.

  • false: Persistent connections are not enabled.

true

Retry

boolean

No

Specifies whether to retry when WAF fails to forward requests to the origin server. Valid values:

  • true (default): Retry is enabled.

  • false: Retry is not enabled.

true

KeepaliveRequests

integer

No

The number of requests that reuse persistent connections. Valid values: 60 to 1000. Default value: 1000.

Note

The number of persistent connections to reuse after persistent connections are enabled.

1000

KeepaliveTimeout

integer

No

The idle timeout period for persistent connections. Valid values: 1 to 60. Default value: 15. Unit: seconds.

Note

The idle time after which a reused persistent connection is released.

15

XffProto

boolean

No

Specifies whether to use X-Forward-For-Proto to pass the protocol used by WAF. Valid values:

  • true (default): The protocol used by WAF is passed.

  • false: The protocol used by WAF is not passed.

false

BackupBackends

array

No

The backup origin server IP addresses or back-to-origin domain names corresponding to the domain name.

string

No

The backup origin server IP addresses or back-to-origin domain names corresponding to the domain name. You can set only one type: origin server IP addresses or back-to-origin domain names. When the back-to-origin address is a domain name, only IPv4 is supported. IPv6 is not supported.

  • To set origin server IP addresses, use the format ["ip1","ip2",……]. A maximum of 20 IP addresses are supported.

  • To set back-to-origin domain names, use the format ["domain"]. A maximum of 20 domain name addresses are supported.

[ "1.1.XX.XX", "2.2.XX.XX" ]

XClientIp

boolean

No

Specifies whether to allow WAF to overwrite X-Client-IP. Valid values:

  • true (default): WAF is allowed to overwrite.

  • false: WAF is not allowed to overwrite.

true

XTrueIp

boolean

No

Specifies whether to allow WAF to overwrite X-True-IP. Valid values:

  • true (default): WAF is allowed to overwrite.

  • false: WAF is not allowed to overwrite.

true

WebServerType

boolean

No

Specifies whether to allow WAF to overwrite Web-Server-Type. Valid values:

  • true (default): WAF is allowed to overwrite.

  • false: WAF is not allowed to overwrite.

true

WLProxyClientIp

boolean

No

Specifies whether to allow WAF to overwrite WL-Proxy-Client-IP. Valid values:

  • true (default): WAF is allowed to overwrite.

  • false: WAF is not allowed to overwrite.

true

MaxBodySize

integer

No

The maximum request body size. Valid values: 2 to 10. Default value: 2. Unit: GB.

Note

Only the Ultimate Edition supports this feature.

2

Http2Origin

boolean

No

Specifies whether to enable HTTP/2 back-to-origin. Valid values:

  • true: HTTP/2 back-to-origin is enabled.

  • false: HTTP/2 back-to-origin is not enabled.

true

Http2OriginMaxConcurrency

integer

No

The maximum number of concurrent connections for HTTP/2 back-to-origin. Valid values: 1 to 512. Default value: 128.

128

BackendPorts

array<object>

No

The custom port configuration.

object

No

The custom port configuration.

ListenPort

integer

No

The listening port.

80

BackendPort

integer

No

The back-to-origin port.

80

Protocol

string

No

The protocol of the listening port. Valid values:

  • http: The protocol of the listening port is HTTP.

  • https: The protocol of the listening port is HTTPS.

http

ProxyProtocol

boolean

No

Specifies whether the client source IP preservation feature is enabled.

  • true: The client source IP preservation feature is enabled. After this feature is enabled, the backend service can view the originating IP address of the client.

  • false: The client source IP preservation feature is not enabled.

false

RegionId

string

Yes

The region where the WAF instance is deployed. Valid values:

  • cn-hangzhou: the Chinese mainland.

  • ap-southeast-1: outside the Chinese mainland.

cn-hangzhou

AccessType

string

No

The access type of the WAF instance. Valid values:

  • share (default): CNAME access.

  • hybrid_cloud_cname: hybrid cloud CNAME access.

share

Tag

array<object>

No

The tag list, which contains a maximum of 20 items.

object

No

The tags of the resource. A maximum of 20 items are supported.

Key

string

No

The tag key.

Tagkey1

Value

string

No

The tag value.

TagValue1

Response elements

Element

Type

Description

Example

object

The response returned after the domain name is added.

RequestId

string

The request ID.

D7861F61-5B61-46CE-A47C-6B19160D5EB0

DomainInfo

object

The information about the added domain name.

Cname

string

The CNAME assigned by WAF to the domain name.

xxxxxwww.****.com

Domain

string

The added domain name.

www.aliyundoc.com

DomainId

string

The domain name ID.

www.aliyundoc.com-waf

Examples

Success response

JSON format

{
  "RequestId": "D7861F61-5B61-46CE-A47C-6B19160D5EB0",
  "DomainInfo": {
    "Cname": "xxxxxwww.****.com",
    "Domain": "www.aliyundoc.com",
    "DomainId": "www.aliyundoc.com-waf"
  }
}

Error codes

HTTP status code

Error code

Error message

Description

400 Waf.Pullin.ResourceExsit Access resource already exists, resource:%s. Access resource already exists, existing resource:%s.
400 Waf.Pullin.BusinessViolation The web services are suspected of violating regulations. If you have any questions, please submit a work order. Violating resource: %s. The web services are suspected of violating regulations. If you have any questions, please submit a work order. Violating resource: %s.
400 Waf.Pullin.Http2OriginMustOnHttp2Enable When HTTP2 origin is enabled, HTTP2 listening must be enabled. When HTTP2 back-to-source is enabled, HTTP2 listening must be enabled.
400 Waf.Pullin.Http2OriginMustOnKeepaliveEnable When the HTTP2 origin is turned on, the keepalive must be turned on. When the HTTP2 origin is turned on, the keepalive must be turned on.
400 Waf.Pullin.Http2OriginEnabledFocusHttpBackendForbidden When HTTP2 origin is enabled, HTTP origin cannot be enabled. When HTTP2 origin is enabled, HTTP origin cannot be enabled.
400 Waf.Pullin.BatchDnsScheduleCheckFailed Batch dns scheduling is in progress, and access related operations are prohibited. batch dns scheduling is in progress, and access-related operations are prohibited.
400 Waf.Pullin.InvalidMaxAgeWithPreload HstsMaxAge the parameter is incorrect, when the HstsPreload is True, the HstsMaxAge must be greater than or equal to 31536000. HstsMaxAge the parameter is incorrect, when the HstsPreload is True, the HstsMaxAge must be greater than or equal to 31536000
400 Waf.Pullin.InvalidIncludeSubDomainWithPreload The parameter HstsIncludeSubDomain is invalid. When the parameter HstsPreload is true, the HstsIncludeSubDomain must be true. The parameter HstsIncludeSubDomain is invalid. When the parameter HstsPreload is true, the HstsIncludeSubDomain must be true.
400 Waf.Pullin.InvalidCustomCiphers Invalid custom cipher suite. Invalid custom cipher suite.
400 Waf.Pullin.InvalidHttp2OriginWithProxyProtocol http2Origin and proxyProtocol cannot be opened at the same time. http2Origin and proxyProtocol cannot be opened at the same time.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.