Web Application Firewall:Add a domain name to WAF

Protection mechanism

After you add the domain name of a website to WAF in CNAME record mode, all traffic of the website is redirected to WAF. To ensure service and data security of the website, WAF filters out malicious traffic and forwards normal traffic to the origin server. WAF detects and forwards traffic as a reverse proxy cluster.

Prerequisites

• A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

• If the domain name of your website is hosted on a server in the Chinese mainland, apply for an ICP filing for the domain name and make sure that the ICP filing information is valid.

  Note

  WAF instances that are deployed in the Chinese mainland perform regular checks on the validity of the ICP filing information of your domain names. If the ICP filing information for a domain name becomes invalid, WAF manages the domain name based on the corresponding laws and regulations. For example, WAF may stop forwarding requests for the domain name or delete the configurations of the domain name.

  • If your website is hosted on Alibaba Cloud, you must apply for an ICP filing for your domain name by using the Alibaba Cloud ICP Filing system. For more information, see Scenarios.

  • If the website is not hosted on Alibaba Cloud, you can contact Alibaba Cloud or another cloud service provider to apply for an ICP filing.

Procedure

1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

2. In the left-side navigation pane, click Website Configuration.

3. On the CNAME Record tab, click Add.

4. In the Configure Listener step, configure the parameters and click Next. The following table describes the parameters.

   Parameter	Description
   	Enter the domain name that you want to protect. You can enter an exact match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. You can enter only one domain name. The first time you add a domain name to WAF, you must verify your ownership of the domain name. You can add the domain name to WAF only after you prove your ownership of the domain name. For more information, see Verify the ownership of a domain name. Note You can use a wildcard domain name to cover all subdomains that are at the same level as the wildcard domain name. For example, *.aliyundoc.com can cover www.aliyundoc.com and example.aliyundoc.com but *.aliyundoc.com cannot cover www.example.aliyundoc.com. A second-level wildcard domain name can cover the second-level parent domain name of the wildcard domain name. For example, *.aliyundoc.com can cover aliyundoc.com. A third-level wildcard domain name cannot cover the third-level parent domain name of the wildcard domain name. For example, *.example.aliyundoc.com cannot cover example.aliyundoc.com. If you add an exact match domain name and a wildcard domain name that covers the exact match domain name, the protection rules of the exact match domain name take precedence.
   Protocol Type	Select the protocol type and ports that are used by the website. Press the Enter key each time you enter a port number. Note The port number that you enter must be supported by WAF. To view the HTTP and HTTPS ports that are supported by WAF, click View Port Range. For more information, see View supported ports. If you select HTTPS, configure the HTTPS Upload Type parameter and upload an SSL certificate that is associated with the domain name of the website. This way, WAF can protect and listen to HTTPS traffic of the website. Specify the method that you want to use to upload an SSL certificate. Manual Upload Select Manual Upload and configure the Certificate Name, Certificate File, and Private Key parameters. The value of the Certificate File parameter is in the -----BEGIN CERTIFICATE-----...-----END CERTIFICATE----- format, and the value of the Private Key parameter is in the -----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY----- format. Important If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the file and copy the text content. If the certificate file is in a format other than the preceding formats, such as PFX or P7B, convert the certificate file into the PEM format before you use a text editor to open the certificate file and copy the text content. You can log on to the Certificate Management Service console to use a tool to convert the file format. For information about how to convert file formats, see How do I convert an HTTPS certificate to the PEM format? If a domain name is associated with multiple SSL certificates or a certificate chain, combine the text content of the certificate files and upload the combined content to WAF. Select Existing Certificate If your certificate meets one of the following conditions, you can select a certificate that you want to upload to WAF from the certificate list: The certificate is issued by Alibaba Cloud Certificate Management Service (formerly SSL Certificates Service). The certificate is a third-party certificate that is uploaded to Alibaba Cloud Certificate Management Service. Important If you select a third-party certificate that is uploaded to Certificate Management Service and the Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected. error message appears, click Cloud Security - Certificates Service and upload the certificate in the Certificate Management Service console. For more information, see Purchase an SSL certificate. Purchase Certificate Click Purchase Certificate to go to the Apply page in the Certificate Management Service console to apply for a certificate for the domain name. Note You can apply for only a paid domain validated (DV) certificate. If you want to apply for a different type of certificate, you must purchase a certificate from Certificate Management Service. For more information, see Purchase an SSL Certificate. After you configure a certificate for your domain name in the Certificate Management Service console, the certificate is automatically uploaded to WAF. If you select HTTPS and upload a certificate, you can perform the following operations based on your business requirements: If your website supports HTTP/2, select HTTP2 to protect HTTP/2 requests. Note HTTP/2 uses the same ports as HTTPS. Advanced Settings Enable HTTPS Routing By default, this feature is disabled. If you enable this feature, HTTP requests are automatically redirected as HTTPS requests to port 443. This feature improves security. Important You can enable this feature only if you do not select HTTP. TLS Version Specify the versions of the Transport Layer Security (TLS) protocol that are supported for HTTPS communication. If a client uses a version of the TLS protocol that is not supported, WAF blocks requests that are sent from the client. Later versions of the TLS protocol provide higher security but lower compatibility. We recommend that you select the TLS version of traffic to which WAF listens based on the HTTPS settings of your website. If you cannot obtain the HTTPS settings of your website, we recommend that you use the default value. Valid values: TLS 1.0 and Later (Best Compatibility and Low Security) (default) TLS 1.1 and Later (High Compatibility and High Security) If you select this value, a client that uses TLS 1.0 cannot access your website. TLS 1.2 and Later (High Compatibility and Best Security) If you select this value, a client that uses TLS 1.0 or 1.1 cannot access your website. If your website supports TLS 1.3, select Support TLS 1.3. By default, WAF does not listen to traffic that is sent by using TLS 1.3. HTTPS Cipher Suite Specify the cipher suites that are allowed for HTTPS communication. If a client uses cipher suites that do not meet the conditions, WAF blocks the requests from the client. Default value: All Cipher Suites (High Compatibility and Low Security). If your website supports specific cipher suites, we recommend that you set this parameter to a different value. Valid values: All Cipher Suites (High Compatibility and Low Security) Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.): If your website supports only specific cipher suites, we recommend that you select this value and then select the cipher suites that are supported by your website from the drop-down list. For more information, see View supported cipher suites. Clients that use other cipher suites cannot access the website.
   Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF	Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. If no Layer 7 proxies are deployed in front of WAF, select No. The default value No specifies that WAF receives requests from clients. The requests are not forwarded by a proxy. WAF uses the IP address that is used by a client to establish a connection with WAF as the IP address of the client. WAF obtains the IP address based on the value of the REMOTE_ADDR field. If a Layer 7 proxy is deployed in front of WAF, select Yes. The value Yes specifies that WAF receives requests from other Layer 7 proxies. To ensure that WAF can obtain the actual IP address of a client for security analysis, configure the Obtain Actual IP Address of Client parameter. Valid values: Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client (default) By default, WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of a client. [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery If you use a proxy that contains the actual IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, enter the custom header field in the Header Field field. Note We recommend that you use custom header fields to store the actual IP addresses of clients and specify the header fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF protection. This improves the security of your business. You can enter multiple header fields. Press the Enter key each time you enter a header field. If you enter multiple header fields, WAF obtains the IP address of a client from the fields in sequence. WAF scans the header fields in sequence until the IP address of the client is obtained. If WAF cannot obtain the IP address of the client from header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.
   More Settings	IPv6 By default, WAF processes only IPv4 traffic. If your website supports IPv6, you can turn on IPv6 to enable WAF protection for IPv6 traffic. After you turn on IPv6, WAF assigns a WAF IPv6 address to the domain name to process IPv6 requests. This feature is available only in the Chinese Mainland. Important After you turn on IPv6, you cannot turn on Exclusive IP Address or configure the Protection Resource parameter. Exclusive IP Address By default, all domain names that are added to WAF are protected by the same WAF IP address. If you enable this feature, WAF assigns an exclusive IP address to protect the domain name. A domain name that is protected by using an exclusive IP address can be accessed even if volumetric DDoS attacks occur on other domain names that are protected by the same WAF IP address. For more information, see Exclusive IP addresses. If you want to use an exclusive IP address to protect your domain name, you can enable this feature. Important You can purchase exclusive IP addresses for subscription WAF instances of the following editions: Pro, Enterprise, and Ultimate. To purchase an exclusive IP address, click Upgrade Now on the Overview page and configure the Exclusive IP Address parameter. For more information, see Upgrade or downgrade a WAF instance. If you use a pay-as-you-go WAF instance, you are charged based on the number of exclusive IP addresses that you use. For more information, see Pay-as-you-go billing overview. After you turn on Exclusive IP Address, you cannot turn on IPv6, and the Protection Resource parameter is set to Shared Cluster. Protection Resource Select the type of protection resource that you want to use. Shared Cluster (default) Shared Cluster-based Intelligent Load Balancing After you enable intelligent load balancing for a WAF instance, at least three protection nodes that are deployed in different regions are allocated to the WAF instance to perform automatic disaster recovery. The WAF instance uses the intelligent Domain Name System (DNS) resolution feature and the Least-time back-to-origin algorithm to reduce the latency of traffic that is sent from protection nodes to origin servers. For more information, see Intelligent load balancing. Important You can enable Shared Cluster-based Intelligent Load Balancing for subscription WAF instances of the following editions: Pro, Enterprise, and Ultimate. If you select Shared Cluster-based Intelligent Load Balancing, you are charged for the feature. To enable Shared Cluster-based Intelligent Load Balancing, click Upgrade Now on the Overview page and set the Intelligent Load Balancing parameter to Enable. For more information, see Upgrade or downgrade a WAF instance. If you use a pay-as-you-go WAF instance, you are charged based on whether you enable Shared Cluster-based Intelligent Load Balancing. For more information, see Pay-as-you-go billing overview. After you enable Shared Cluster-based Intelligent Load Balancing, you cannot turn on IPv6 or Exclusive IP Address.
   Resource Group	Select the resource group to which you want to add the domain name from the drop-down list. If you do not select a resource group, the domain name is added to the default resource group. Note You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.

5. In the Configure Forwarding Rule step, configure the parameters and click Submit. The following table describes the parameters.

   Parameter	Description
   Load Balancing Algorithm	If you specify multiple origin server addresses, select a load balancing algorithm for WAF to forward back-to-origin requests to the origin servers. Valid values: IP hash (default) Requests that are sent from a specific IP address are forwarded to the same origin server. Round-robin Requests are sequentially distributed to origin servers. Least time WAF uses the intelligent DNS resolution feature and the least-time back-to-origin algorithm to reduce the path and latency when requests are forwarded to origin servers. Important You can set the Load Balancing Algorithm parameter to Least time only if you set the Protection Resource parameter to Shared Cluster-based Intelligent Load Balancing in the Configure Listener step. For more information, see the description of the Protection Resource parameter in this topic.
   Origin Server Address	Enter the public IP address or domain name of the origin server. The IP address or domain name is used to receive the back-to-origin requests that are forwarded by WAF. Valid values: IP Address Make sure that the IP address can be accessed over the Internet. You can enter multiple IP addresses. Press the Enter key each time you enter an IP address. You can enter up to 20 IP addresses. Note If you enter multiple IP addresses, WAF distributes workloads across the IP addresses. You can enter IPv4 and IPv6 addresses or only IPv4 addresses. However, you cannot enter only IPv6 addresses. If you enter IPv4 and IPv6 addresses, WAF forwards requests from IPv4 addresses to origin servers that use IPv4 addresses and requests from IPv6 addresses to origin servers that use IPv6 addresses. Important If you want WAF to forward requests that are sent from IPv6 addresses to origin servers that use IPv6 addresses, turn on IPv6 in the Configure Listener step. For more information, see Enable IPv6. Domain Name (Such as CNAME) If you select Domain Name (Such as CNAME), the domain name can be resolved to only an IPv4 address and WAF forwards back-to-origin requests to the IPv4 address.
   Advanced HTTPS Settings	Enable HTTP Routing If you enable this feature, WAF forwards requests over HTTP. The default port is 80. Then, WAF forwards requests to the origin server over port 80 regardless of whether clients access WAF over port 80 or port 443. If you enable this feature, clients can access your website over HTTP. This reduces the workload of your website and eliminates the need to modify the settings of the origin server. Important If the domain name does not support HTTPS, turn on Enable HTTP Routing. Origin SNI Origin Server Name Indication (SNI) specifies the domain name to which an HTTPS connection must be established at the start of the TLS handshaking process when WAF forwards requests to the origin server. If the origin server hosts multiple domain names, enable this feature. After you select Origin SNI, you can configure the SNI field. Valid values: Use Domain Name in Host Header (default) This value specifies that the value of the SNI field in WAF back-to-origin requests is the same as the value of the Host header field. For example, if the domain name that you configured is *.aliyundoc.com and the client requests the www.aliyundoc.com domain name, the value of the SNI field in WAF back-to-origin requests is www.aliyundoc.com. The value of the Host header field is the www.aliyundoc.com domain name. Custom This value specifies that you can enter a custom value for the SNI field in WAF back-to-origin requests. If you want WAF to use an SNI field whose value is different from the value of the Host header field in back-to-origin requests, specify a custom value for the SNI field.
   Other Advanced Settings	Enable Traffic Mark If you select Enable Traffic Mark, requests that pass through WAF are labeled. This way, your origin server can obtain the actual IP addresses or ports of clients. If an attacker obtains information about your origin server before you add your domain name to WAF and uses another WAF instance to forward requests to the origin server, you can select Enable Traffic Mark. This way, the origin server can check whether the requests passed through WAF. If the specified header fields exist in a request, the request passed through WAF and the request is allowed. If the specified header fields do not exist in a request, the request did not pass through WAF and the request is blocked. You can configure the following types of header fields: Custom Header If you want to add a custom header field, configure the Header Name and Header Value parameters. WAF adds the header field to the back-to-origin requests. This allows the backend server to check whether requests passed through WAF, collect statistics, and analyze data. For example, you can add the ALIWAF-TAG: Yes custom header field to label the requests that pass through WAF. In this example, the name of the header field is ALIWAF-TAG and the value of the header field is Yes. Originating IP Address You can configure a custom header to record the actual IP addresses of clients. This way, your origin server can obtain the actual IP addresses of clients. For information about how WAF obtains the actual IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter in this topic. Source Port You can configure a custom header to record the ports of clients. This way, your origin server can obtain the actual ports of clients. Important We recommend that you do not configure a standard HTTP header field, such as User-Agent. If you configure a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field. Click Add Mark to specify a header field. You can specify up to five header fields. Specify the timeout periods for back-to-origin requests Connection Timeout Period: the maximum amount of waiting time for WAF to connect to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 5. Read Connection Timeout Period: the maximum amount of waiting time for WAF to receive a response from the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120. Write Connection Timeout Period: the maximum amount of waiting time for WAF to forward requests to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120. Retry Back-to-origin Requests After you enable this feature, WAF retries three times to forward requests to the origin server when WAF fails to forward requests to the origin server. If you do not enable this feature, WAF forwards requests to the origin server only once. Back-to-origin Keep-alive Requests If you enable this feature, you must configure the following parameters: Reused Keep-alive Requests: the number of reused keep-alive requests. Valid values: 60 to 1000. Default value: 1000. Timeout Period of Idle Keep-alive Requests: the timeout period of idle keep-alive requests. Valid values: 1 to 60. Unit: seconds. Default value: 15. Note If you do not enable this feature, back-to-origin keep-alive requests do not support WebSocket.

6. In the Add Completed step, obtain the CNAME that is assigned by WAF to the domain name. Modify the DNS record to map the domain name to the CNAME. For more information, see Modify a DNS record.

   Important

   Before you modify the DNS record, make sure that the following prerequisites are met:

   • The forwarding configurations for your website are correct and took effect. If you change the DNS record before the forwarding configurations of your website take effect, service interruptions may occur. For more information, see Verify domain name settings.

   • The WAF back-to-origin IP addresses are added to the IP address whitelist of the third-party firewall that is used by the origin server. This prevents normal requests that are forwarded by WAF from being blocked. On the CNAME Record tab, click Back-to-origin CIDR Blocks above the domain name list to view and copy back-to-origin CIDR blocks of WAF. For more information, see Allow access from back-to-origin CIDR blocks of WAF.

   

   After you complete the preceding configurations, you can perform the following operations to check whether the domain name is added to WAF:

   • Enter the domain name in the browser. If you can access the website, the domain name is added to WAF.

   • Enter the domain name and malicious code such as <Protected domain name>/alert(xss) and alert(xss). If a 405 error page appears, the attack is blocked and the domain name is protected by WAF.

More operations

View the DNS resolution status of a domain name

WAF checks the DNS resolution status of protected domain names and identifies domain names whose DNS records are abnormal. You can view the DNS resolution status of the domain names that you added to WAF in the domain name list and modify the DNS records based on the error messages that are displayed in the WAF console.

Add tags to or remove tags from domain names

You can add tags to a domain name that is added to WAF and search for specific resources by tag.

• Add tags to or remove tags from a domain name

  1. Find the domain name whose tags you want to manage and move the pointer over the icon in the Tag column. If no tags are added to the domain name, click Add. If a tag is added to the domain name, click Edit.

  2. In the Edit Tag dialog box, configure the Tag Key and Tag Value parameters.

     Note

     • You can enter up to 10 tag keys and leave the Tag Value parameter empty.

     • The tag key or tag value can be up to 128 characters in length, and cannot contain http:// or https://. The tag key or tag value cannot start with acs: or aliyun.

     • When you add a domain name to WAF, you can add tags to the domain name. You can also add tags to the corresponding protected object when you configure protection policies. The tags that are added to a domain name are automatically added to the corresponding protected object.

     After you add tags to a domain name, you can select tags from the Filter Tags drop-down list to search for domain names to which the selected tags are added.

  3. (Optional) To remove a tag from a domain name, click the icon to the right of the tag that you want to delete in the Edit Tag dialog box.

• Add a tag to or remove a tag from multiple domain names at the same time

  Select the domain names whose tags you want to manage and click Add Tag or Remove Tag below the domain name list.

Modify or delete a domain name that is added to WAF

Find the domain name that you want to manage and click Edit or Delete in the Actions column.

Configure default SSL or TLS settings

If you add multiple domain names to the same WAF instance, a shared WAF virtual IP address (VIP) is used to listen to traffic of the domain names.

To meet security compliance and compatibility requirements of HTTPS, WAF allows you to configure SSL or TLS settings. Before you perform compliance scan and detection, you can upload an HTTPS certificate for the VIP, and disable or enable specific TLS protocol versions and cipher suites.

1. Click Default SSL/TLS Settings above the domain name list.

2. In the Default SSL/TLS Settings dialog box, configure the parameters and click OK. The following table describes the parameters.

   Parameter	Description
   HTTPS Upload Type	Upload the SSL certificate. For more information, see Upload a certificate.
   TLS Version	Specify the versions of the TLS protocol that are supported for HTTPS communication. Valid values: TLS 1.0 and Later (Best Compatibility and Low Security) (default) TLS 1.1 and Later (High Compatibility and High Security) TLS 1.2 and Later (High Compatibility and Best Security) If you want to enable TLS 1.3, select Support TLS 1.3.
   HTTPS Cipher Suite	Specify the cipher suites that are supported for HTTPS communication. Valid values: All Cipher Suites (High Compatibility and Low Security) (default) Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.) For information about custom cipher suites, see View supported cipher suites.

Update the SSL certificate associated with a domain name

If the SSL certificate that is associated with a domain name is about to expire or the certificate is changed, such as the certificate being revoked, you must update the certificate.

To update the SSL certificate that is associated with a domain name, perform the following steps:

1. Renew the certificate or upload a third-party certificate to Certificate Management Service. For more information, see Certificate renewal or Upload an SSL certificate.

2. Synchronize the certificate to WAF.

   • In the Certificate Management Service console, deploy the certificate to WAF. For more information, see Deploy certificates to Alibaba Cloud services.

   • Upload the certificate in the WAF console.

     1. On the CNAME Record tab of the Website Configuration page, find the domain name whose certificate you want to update and click Edit in the Actions column.

     2. Set the HTTPS Upload Type parameter to Select Existing Certificate and select the new certificate from the drop-down list.

What to do next

References

• Protection configuration overview: describes the protected objects, protection policies, and protection process.

• CreateDomain: describes how to add a domain name to WAF in CNAME record mode by calling the CreateDomain operation.

• DescribeDomainDetail: describes how to query the access configurations of domain names that are added to WAF in CNAME record mode by calling the DescribeDomainDetail operation.