When a domain is connected to CDN for content acceleration, origin servers are exposed to web attacks such as SQL injection and XSS. This best practice guides you through deploying WAF on the CDN origin-return path to filter malicious traffic while preserving CDN acceleration.
Scope
Applicable architecture: This document applies to the dynamic-static mixed architecture with CDN and ECS, ensuring that static content continues to be accelerated by CDN while WAF focuses on protecting dynamic resources. For CDN+OSS pure static hosting architectures, WAF protection is limited since OSS only stores static files without application-layer attack risks. In this case, adding WAF would increase the origin request chain and access latency, so it is not recommended.
Prerequisites: The target domain must be connected to Alibaba Cloud CDN, DCDN, or another CDN provider.
Notes: This document uses Alibaba Cloud CDN as an example. The same logic applies to DCDN or CDN services from other providers.
Business impact: Perform these operations during off-peak hours to minimize impact on services.
Select a connection method
WAF supports collaborative deployment with other cloud products to build a defense-in-depth architecture. In an architecture without WAF, user requests are resolved through DNS to CDN nodes and then directly routed to the origin server. This means both attack traffic and legitimate traffic reach the origin server unfiltered.
WAF provides two connection methods: CNAME access and cloud product access. Compare the options below and select the method that best fits the architecture.
Feature | Cloud Product Access | CNAME Access |
Advantages | No need to modify the CDN origin configuration. Minimal impact on services. Suitable for quick connection scenarios. | Broad applicability. Fewer functional limitations. Supports cross-account and cross-cloud deployments. |
Connection Target | Alibaba Cloud product instances. | Domain name. |
Limitations | | Slightly complex configuration. Requires configuring CDN origin settings and obtaining the real client IP. |
For more information about the comparison and principles of connection methods, see Overview.
Procedure
Activate WAF (required only if WAF is not activated): If WAF is not activated, visit the Web Application Firewall 3.0 (Pay-as-you-go) purchase page. For first-time use, we recommend setting Payment Method to Pay-as-you-go. For the purchase process, see Activate a pay-as-you-go WAF 3.0 instance.
Navigate to the WAF console: Log on to the Web Application Firewall console. In the top navigation bar, select the resource group and region of the WAF instance (Chinese Mainland, Outside Chinese Mainland). In the left-side navigation pane, click Onboarding.
Connect assets: Select one of the following methods to connect assets for protection: CNAME access or cloud product access.
Note: The following operations require referencing the existing CDN configurations. To ensure accuracy, go to the CDN console to confirm the domain name, origin, and related configurations before proceeding.
CNAME Access
On the CNAME Record tab, click Add. On the Configure Listener page, configure the following parameters.
Parameter | Description |
Domain Name | Enter the domain name that is already connected to CDN. Only one domain name to be protected can be entered. Both exact domain names (for example, www.aliyundoc.com) and wildcard domain names (for example, *.aliyundoc.com) are supported. |
Protocol Type and Port | Select based on the origin protocol and port already configured in CDN. Protocol: must be consistent with the CDN origin protocol. Port: must be consistent with the CDN origin port. By default, when the CDN origin port is set to 443, HTTPS is used for origin requests; for all other ports, HTTP is used. If HTTPS is used, upload a certificate file that matches the domain name. If the certificate has been uploaded to the Certificate Management Service of the account, the existing certificate can be selected directly. |
Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF | Because traffic is routed through the CDN, select Yes here. If misconfigured, WAF cannot obtain the real client IP, and reports will show all requests as coming from CDN nodes. Set Obtain Actual IP Address of Client to [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery. Set Header Field to ali-cdn-real-ip. This is the HTTP request header that Alibaba Cloud CDN carries by default in origin requests to store the real client IP. Note: the field used by Alibaba Cloud CDN origin requests to store the real client IP is ali-cdn-real-ip. When using a CDN product from another provider, refer to its official documentation to confirm the corresponding field name. Alternatively, CDN can also be configured to add custom outbound request headers and use a custom origin request field. |
Click Next to go to the Configure Forwarding Rule page. Enter the Origin Address and click Submit.
The origin address must be the same as the one configured in the CDN console.
On the Add Completed page, click Copy CNAME.
Go to the CDN console. Click Domain Names, locate the domain connected to WAF, and click Actions in the Manage column. In the Origin Information section, click Actions in the Modify column. Change Origin Info to the CNAME address copied in the previous step. This operation points the CDN origin path to WAF.
Important: In the following scenarios, additional configurations are required:
CDN origin HOST configuration: If the default origin HOST is configured, update it to point the CDN origin path to WAF.
Bypass WAF for static files: To reduce performance overhead, let static file requests bypass WAF by configuring conditional origin for CDN or adding the related resources to the WAF whitelist.
Origin server records the real client IP: To have the origin server (for example, the access.log of NGINX) record the real client IP, configure the origin server to extract the real IP field. For more information, see Obtain the Real IP Address of a Client.
Advanced features of CNAME access: The CNAME access method of WAF supports advanced features such as HTTPS, IPv6, origin load balancing, and high availability. To customize these configurations, see Add a domain to WAF via CNAME.
Cloud Product Access
On the Cloud Native tab, select the type of cloud product to connect. Taking an ECS instance as an example, click Elastic Compute Service (ECS), locate the target instance, and click Add Now in its Actions column.
Note: When connecting other cloud products, refer to the following configuration items and complete the setup based on the corresponding Cloud native mode documentation.
In the Add Now dialog box that appears, click Add Port in the Actions column. Select based on the origin protocol and port already configured in CDN:
Protocol: Must be consistent with the CDN origin protocol.
Port: Must be consistent with the CDN origin port.
By default, when the CDN origin port is set to 443, HTTPS is used for origin requests. For all other ports, HTTP is used.
If HTTPS is used, upload a certificate file that matches the domain name. If the certificate has been uploaded to the Certificate Management Service of the account, the existing certificate can be selected directly. After configuration, click OK.
Return to the Add Now page. Because traffic is routed through the CDN, select Yes in the Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF section. If misconfigured, WAF cannot obtain the real client IP, and reports will show all requests as coming from CDN nodes.
Set Obtain Actual IP Address of Client to [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery.
Set Header Field to ali-cdn-real-ip. This is the HTTP request header that Alibaba Cloud CDN carries by default in origin requests to store the real client IP.
Note: The field used by Alibaba Cloud CDN origin requests to store the real client IP is ali-cdn-real-ip. When using a CDN product from another provider, refer to its official documentation to confirm the corresponding field name. Alternatively, CDN can also be configured to add custom outbound request headers and use a custom origin request field.
Click OK to complete the connection.
Note: To reduce performance overhead, also let static file requests bypass WAF by configuring conditional origin for CDN or adding the related resources to the WAF whitelist.
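The real-client-IP settings in both connection methods above, and the origin-side step of extracting the real IP field, follow one rule: take the first address from the header that the CDN sets (ali-cdn-real-ip), and never trust a header that a client could have written itself. The following Python is an added example, not code from Alibaba Cloud or this page. It models what an origin application should do with that header: honour it only when the request arrived from a known WAF or CDN back-to-origin address. The trusted ranges (198.51.100.0/24, 2001:db8:1::/48) and the sample requests are constructed placeholders; the real ranges come from the provider's published back-to-origin address list.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Union

# Header that Alibaba Cloud CDN adds to origin requests to carry the real client IP
# (from the page). The trusted upstream ranges are constructed placeholders: in a
# real deployment, fill them with the back-to-origin addresses of WAF (CNAME access)
# or CDN (cloud product access) published by the provider.
REAL_IP_HEADER = "ali-cdn-real-ip"
TRUSTED_UPSTREAMS = [
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder IPv4 range
    ipaddress.ip_network("2001:db8:1::/48"),  # placeholder IPv6 range
]

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def first_ip_in_header(value: Optional[str]) -> Optional[str]:
    """Return the first well-formed IP address in a comma-separated header value.

    This mirrors the WAF setting "Use the First IP Address in Specified Header
    Field": the CDN writes the connecting client's address first, so reading the
    first entry of the trusted header ignores anything appended later.
    """
    if not value:
        return None
    for part in value.split(","):
        candidate = part.strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # skip malformed entries rather than trusting them
    return None


def is_trusted_upstream(peer_ip: str, trusted: Iterable[Network] = TRUSTED_UPSTREAMS) -> bool:
    """True if the TCP peer that delivered the request is a known WAF/CDN node."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def real_client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Client IP the origin should log (for example in the NGINX access.log).

    The header is honoured only when the request arrived from a trusted upstream.
    A request that reached the origin directly, bypassing CDN and WAF, can carry
    any header value, so for such requests the peer address itself is returned;
    logging those peers is also how an exposed origin is detected.
    """
    if is_trusted_upstream(peer_ip):
        lowered = {k.lower(): v for k, v in headers.items()}
        client = first_ip_in_header(lowered.get(REAL_IP_HEADER))
        if client:
            return client
    return peer_ip


def naive_xff_ip(headers: Dict[str, str]) -> Optional[str]:
    """The unsafe pattern for comparison: trusting X-Forwarded-For from any peer."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return first_ip_in_header(lowered.get("x-forwarded-for"))


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    via_cdn = ("198.51.100.7", {"ali-cdn-real-ip": "203.0.113.5",
                                "X-Forwarded-For": "203.0.113.5, 198.51.100.7"})
    direct = ("192.0.2.9", {"ali-cdn-real-ip": "203.0.113.5",
                            "X-Forwarded-For": "10.0.0.1"})
    for peer, hdrs in (via_cdn, direct):
        print(peer, "->", real_client_ip(peer, hdrs), "| naive XFF:", naive_xff_ip(hdrs))
```

The peer check is the part that matters for the "prevent forgery" wording on the page: with CNAME access the peer is a WAF back-to-origin address, with cloud product access it is a CDN node, and in either case the origin should refuse the header from anyone else. The same logic is what an NGINX realip configuration implements with its list of trusted proxies.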
Verification testing: Enter the domain name of the protected website in a browser to test whether the CDN and WAF connection is successful.
Append web attack code after the domain name (for example, <protected-domain>/alert(xss), where alert(xss) is a cross-site scripting attack code used for testing). If a 405 block page is returned, the attack is intercepted and WAF protection is successful.
Press F12 to open the browser developer tools. After refreshing the page, switch to the Network tab. Click the target static resource. On the Headers tab, locate the X-Cache field. If the value is hit instead of miss, the cache is hit and CDN acceleration is in effect.
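The two browser checks above can be scripted so they are repeatable after every configuration change. The following Python is an added example, not a tool from Alibaba Cloud or this page. It sends the page's own test string to the protected domain and checks for the 405 block page, then fetches a static resource and reads X-Cache. The domain (example.com), the static resource path (/static/logo.png) and the sample header values in the test are placeholders to replace with the protected site's own.

```python
import ssl
import urllib.error
import urllib.request
from typing import Dict, Mapping, Optional, Tuple

# The probe path is the test string given on the page; the domain and static
# resource path are placeholders to be replaced with the protected site's values.
XSS_PROBE_PATH = "/alert(xss)"
PROTECTED_DOMAIN = "example.com"            # placeholder
STATIC_RESOURCE_PATH = "/static/logo.png"   # placeholder
BLOCK_STATUS = 405                          # WAF block page status named on the page


def waf_blocked(status: int) -> bool:
    """The page's success criterion: the probe receives the 405 block page."""
    return status == BLOCK_STATUS


def header_value(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cdn_cache_status(headers: Mapping[str, str]) -> str:
    """Classify X-Cache as 'hit', 'miss' or 'unknown'.

    CDN nodes may decorate the value (for example with the node that answered),
    so only the HIT/MISS keyword is examined, case-insensitively.
    """
    value = header_value(headers, "X-Cache")
    if value is None:
        return "unknown"
    lowered = value.lower()
    if "miss" in lowered:
        return "miss"
    if "hit" in lowered:
        return "hit"
    return "unknown"


def evaluate(probe_status: int, static_headers: Mapping[str, str]) -> Dict[str, bool]:
    """Combine both checks into a pass/fail summary."""
    return {
        "waf_protecting": waf_blocked(probe_status),
        "cdn_accelerating": cdn_cache_status(static_headers) == "hit",
    }


def fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """GET url and return (status, headers); urllib raises on 4xx/5xx, so unwrap it."""
    context = ssl.create_default_context()
    req = urllib.request.Request(url, headers={"User-Agent": "waf-cdn-verify/1.0"})
    try:
        with urllib.request.urlopen(req, context=context, timeout=10) as resp:
            return resp.getcode(), dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


if __name__ == "__main__":
    base = f"https://{PROTECTED_DOMAIN}"
    probe_status, _ = fetch(base + XSS_PROBE_PATH)
    # Request the static resource twice: the first request may only warm the cache.
    fetch(base + STATIC_RESOURCE_PATH)
    _, static_headers = fetch(base + STATIC_RESOURCE_PATH)
    print(evaluate(probe_status, static_headers))
```

Run it against the protected domain only; both results must be true before the deployment counts as complete, and a "miss" on the second static fetch usually means the resource is not cacheable under the current CDN rules rather than a WAF problem.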

Configure custom WAF protection rules: WAF enables a set of default protection rules for the connected object, which is suitable for daily protection scenarios. View them on the page. When the default rules do not meet requirements (for example, whitelisting requests with specific characteristics), create or modify protection rules. For more information, see Protection configuration overview.
FAQ
What should I do if the WAF console displays "The issue of unknown DNS resolution occurs.A proxy is deployed." after CNAME access?
When using the CNAME access method, this prompt in the console is normal. This occurs because the DNS resolution of the domain name directly points to CDN, so WAF cannot directly obtain the resolution status. This prompt can be ignored.
To confirm whether the connection is successful, follow the verification testing steps described earlier.
Do I need to refresh the CDN cache after connecting WAF?
In most cases, refreshing the CDN cache is not required.
However, under specific configuration changes, a manual refresh operation is required. See the following details:
No refresh required
If only the WAF connection configuration was completed without changes to the origin server content, no refresh is required. Because the static resources on the origin server have not changed, the existing cache on CDN nodes remains valid.
Refresh required
If any of the following conditions are met, manually refresh the CDN cache to ensure the configuration takes effect:
Static resource files on the origin server were modified.
HTTP response headers related to cache policies were adjusted.
The Bot Management feature of WAF was enabled and automatic connection of the web SDK was configured.
What should I do if the website prompts "too many redirects" after connection?
This is usually because the origin server is configured with an HTTP-to-HTTPS forced redirect rule, which creates a redirect loop between WAF/CDN and the origin server.
Configure the origin protocol as HTTPS on the device immediately before the origin server. The specific configuration location depends on the connection method used:
CNAME access: The previous hop device is WAF.
Cloud product access: The previous hop device is CDN.
For more information, see Too many redirects after CDN acceleration.
What are the differences between the WAF protection feature provided in the ESA console and the WAF described in this document?
ESA is the next-generation upgrade of CDN. It not only fully covers all the acceleration capabilities of CDN but also deeply integrates more powerful security protection and edge computing features.
Regarding the WAF differences:
Billing difference: The WAF protection feature of ESA is deeply integrated. The costs are included under ESA billing. The WAF described in this document is an independent cloud product that requires separate activation and is billed according to its own Billing methods.
Feature difference: The built-in WAF feature of ESA is primarily adapted for edge security acceleration scenarios and meets common website protection needs. The WAF product described in this document is more comprehensive. It not only covers all capabilities of ESA WAF but also provides protection rules that cover a full range of business scenarios.