
Web Application Firewall: Add a domain name to WAF

Last Updated: Jul 15, 2024

To use Web Application Firewall (WAF) to protect a website, you must add the domain name of the website to WAF. This topic describes how to add a domain name to WAF in CNAME record mode and check whether the domain name is successfully added to WAF.

How WAF protection works

After you add the domain name of a website to WAF in CNAME record mode, all the website traffic is redirected to WAF for inspection. To ensure service and data security of the website, WAF filters out malicious traffic and forwards normal traffic to the origin server. WAF inspects and forwards traffic as a reverse proxy cluster.


Prerequisites

  • A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

  • If the domain name of your website is hosted on a server in the Chinese mainland, apply for an ICP filing for the domain name and make sure that the ICP filing information is valid.

    Note

    WAF instances that are deployed in the Chinese mainland regularly check whether the ICP filing information of your domain names is valid. If the ICP filing information of a domain name becomes invalid, WAF manages the domain name based on relevant laws and regulations. For example, WAF may stop forwarding requests for the domain name or delete the configurations of the domain name.

    • If your website is hosted on Alibaba Cloud, apply for an ICP filing for your domain name by using the Alibaba Cloud ICP Filing system. For more information, see Scenarios.

    • If your website is not deployed on Alibaba Cloud, you can contact Alibaba Cloud or another cloud service provider to apply for an ICP filing.

Procedure

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, click Website Configuration.

  3. On the CNAME Record tab, click Add.

  4. In the Configure Listener step, configure the parameters and click Next. The following table describes the parameters.

    Parameter

    Description

    Domain Name

    Enter the domain name that you want to protect. You can enter an exact-match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. You can enter only one domain name.

    The first time you add a domain name to WAF, you must verify your ownership of the domain name. You can add the domain name to WAF only after you successfully verify your ownership of the domain name. For more information, see Verify the ownership of a domain name.

    Note
    • You can use a wildcard domain name to cover all subdomains that are at the same level as the wildcard domain name. For example, *.aliyundoc.com can cover www.aliyundoc.com and example.aliyundoc.com but *.aliyundoc.com cannot cover www.example.aliyundoc.com.

    • A second-level wildcard domain name can cover its second-level parent domain name. For example, *.aliyundoc.com can cover aliyundoc.com.

    • A third-level wildcard domain name cannot cover its third-level parent domain name. For example, *.example.aliyundoc.com cannot cover example.aliyundoc.com.

    • If you add an exact-match domain name and a wildcard domain name that covers the exact-match domain name, the protection rules that are configured for the exact-match domain name take precedence.

    Protocol Type

    Select the protocol type and ports that are used by the website. Press the Enter key each time you enter a port number.

    Note

    The port number that you enter must be supported by WAF. To view the HTTP and HTTPS ports that are supported by WAF, click View Port Range. For more information, see View supported ports.

    • If you select HTTPS, configure the HTTPS Upload Type parameter to specify the method that you want to use to upload an SSL certificate. Then, upload the SSL certificate bound to the domain name to WAF. This way, WAF can monitor the HTTPS traffic of the website.

      Specify the method that you want to use to upload an SSL certificate.

      Note

      Customized WAF for shared virtual hosting does not support HTTPS.

      Manual Upload

      Select Manual Upload and configure the Certificate Name, Certificate File, and Private Key parameters. For example, the value of the Certificate File parameter is in the -----BEGIN CERTIFICATE-----...-----END CERTIFICATE----- format, and the value of the Private Key parameter is in the -----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY----- format.

      Important
      • If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the file and copy the text content. If the certificate file is in a format other than the preceding formats, such as PFX or P7B, convert the certificate file into the PEM format and then use a text editor to open the certificate file and copy the text content. You can log on to the Certificate Management Service console to use a tool to convert the file format. For more information, see Convert the format of a certificate.

      • If a domain name is bound to multiple SSL certificates or a certificate chain, combine the text content of the certificate files and upload the combined content to WAF.

      Select Existing Certificate

      If your certificate meets one of the following conditions, you can select the certificate that you want to upload to WAF from the certificate list:

      • The certificate is issued by Alibaba Cloud Certificate Management Service (formerly SSL Certificates Service).

      • The certificate is a third-party certificate that is uploaded to Alibaba Cloud Certificate Management Service.

      Important

      If you select a third-party certificate that is uploaded to Certificate Management Service and the "Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected." error message appears, click Alibaba Cloud Security - Certificate Management Service and upload the certificate in the Certificate Management Service console. For more information, see Upload an SSL certificate.

      Purchase Certificate

      Click Purchase Certificate to go to the Apply page in the Certificate Management Service console to apply for a certificate for the domain name.

      Note
      • You can apply for only a paid domain validated (DV) certificate. If you want to apply for a different type of certificate, you must purchase a certificate from Certificate Management Service. For more information, see Purchase SSL Certificates.

      • After you configure a certificate for your domain name in the Certificate Management Service console, the certificate is automatically uploaded to WAF.

    • If you select HTTPS and upload a certificate, you can perform the following operations based on your business requirements:

      • If your website supports HTTP/2, select HTTP2 to protect HTTP/2 requests.

        Note

        The HTTP/2 ports are the same as the HTTPS ports.

      • Advanced Settings

        • Enable HTTPS Routing

          By default, this feature is disabled. If you enable this feature, HTTP requests are automatically redirected to HTTPS requests on port 443. This feature improves security. After this feature is enabled, HTTP Strict Transport Security (HSTS) is enabled by default and the Strict-Transport-Security header is included in responses to ensure that the website can be accessed only by using HTTPS.

          Important

          You can enable this feature only if you do not select HTTP.

        • TLS Version

          Specify the versions of the Transport Layer Security (TLS) protocol that are supported for HTTPS communication. If a client uses a version of the TLS protocol that is not supported, WAF blocks requests that are sent from the client. Later versions of the TLS protocol provide higher security but lower compatibility.

          We recommend that you select the TLS version based on the HTTPS settings of your website. If you cannot obtain the HTTPS settings of your website, we recommend that you use the default value.

          Valid values:

          • TLS 1.0 and Later (Best Compatibility and Low Security) (default)

          • TLS 1.1 and Later (High Compatibility and High Security)

            If you select this value, a client that uses TLS 1.0 cannot access your website.

          • TLS 1.2 and Later (High Compatibility and Best Security)

            If you select this value, a client that uses TLS 1.0 or 1.1 cannot access your website.

          If your website supports TLS 1.3, select Support TLS 1.3. By default, WAF does not listen for traffic that is sent by using TLS 1.3.

        • HTTPS Cipher Suite

          Specify the cipher suites that are supported for HTTPS communication. If a client uses cipher suites that are not supported, WAF blocks the requests from the client.

          Default value: All Cipher Suites (High Compatibility and Low Security). We recommend that you set this parameter to a different value only if your website supports only specific cipher suites.

          Valid values:

          • All Cipher Suites (High Compatibility and Low Security)

          • Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.): If your website supports only specific cipher suites, we recommend that you select this value and then select the cipher suites that are supported by your website. For more information, see View supported cipher suites.

            Clients that use other cipher suites cannot access the website.

    Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF

    Specify whether a Layer 7 proxy, such as Anti-DDoS Proxy or Alibaba Cloud CDN, is deployed in front of WAF.

    • No: No Layer 7 proxy is deployed in front of WAF.

      WAF receives requests from clients. The requests are not forwarded by a proxy. WAF uses the IP address that is used by a client to establish a connection to WAF as the IP address of the client. WAF obtains the IP address based on the value of the REMOTE_ADDR field.

    • Yes: A Layer 7 proxy is deployed in front of WAF.

      WAF receives requests from a Layer 7 proxy. To ensure that WAF can obtain the actual IP address of a client for security analysis, configure the Obtain Actual IP Address of Client parameter.

      Valid values:

      • Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client (default)

        By default, WAF uses the first IP address in the X-Forwarded-For field as the originating IP address of a client.

      • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery

        If you use a proxy that contains the originating IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, enter the custom header field in the Header Field field.

        Note

        We recommend that you use custom header fields to store the originating IP addresses of clients and specify the header fields in WAF. This way, attackers cannot forge the X-Forwarded-For field to bypass WAF inspection. This improves the security of your business.

        You can enter multiple header fields. Press the Enter key each time you enter a header field. If you enter multiple header fields, WAF scans the header fields in sequence until it obtains the IP address of the client. If WAF cannot obtain the IP address of the client from the header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.
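The following Python is an added illustration, not code from this topic or from WAF itself. It mirrors the client-IP selection that the three settings above describe (no proxy, proxy with the default X-Forwarded-For rule, proxy with specified header fields) on one constructed request, to show why the custom header field is the recommended value. The header name X-Client-IP, the addresses, and the treatment of a header whose first entry is not an IP address are assumptions.

```python
import ipaddress
from typing import Mapping, Optional, Sequence, Tuple


def _first_ip(header_value: str) -> Optional[str]:
    """Return the first comma-separated entry if it is a valid IP address, else None.

    Assumption (not stated on the page): a header whose first entry is not an
    IP address is treated as unusable and the next source is consulted.
    """
    first = header_value.split(",", 1)[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def resolve_client_ip(
    remote_addr: str,
    headers: Mapping[str, str],
    layer7_proxy_in_front: bool = False,
    header_fields: Sequence[str] = (),
) -> Tuple[str, str]:
    """Pick the client IP the way the listener settings above describe.

    Returns (ip, source) so a log line can show where the address came from.
    """
    if not layer7_proxy_in_front:
        # "No": the connecting peer is the client. Any X-Forwarded-For the
        # client sends is ignored, so it cannot be used to spoof an address.
        return remote_addr, "REMOTE_ADDR"

    lowered = {name.lower(): value for name, value in headers.items()}

    # "Yes" with specified header fields: scan them in order until one yields an IP.
    for name in header_fields:
        value = lowered.get(name.lower())
        if value:
            ip = _first_ip(value)
            if ip:
                return ip, name

    # Default rule, and the fallback when no specified field yields an IP.
    xff = lowered.get("x-forwarded-for")
    if xff:
        ip = _first_ip(xff)
        if ip:
            return ip, "X-Forwarded-For"

    # Assumption: with nothing usable, fall back to the connecting peer.
    return remote_addr, "REMOTE_ADDR"


# Constructed request: the client inserted a forged X-Forwarded-For entry; the
# proxy appended the real client address and also set X-Client-IP itself.
FORGED = "203.0.113.9"
REAL_CLIENT = "198.51.100.7"
PROXY_NODE = "192.0.2.10"
CONSTRUCTED_HEADERS = {
    "X-Forwarded-For": f"{FORGED}, {REAL_CLIENT}",
    "X-Client-IP": REAL_CLIENT,
}


def compare_settings() -> dict:
    """Evaluate the console settings against the same constructed request."""
    return {
        # No proxy: the peer is the client, the forged header is ignored.
        "no_proxy": resolve_client_ip(REAL_CLIENT, {"X-Forwarded-For": FORGED}),
        # Proxy, default rule: the forged first X-Forwarded-For entry wins.
        "proxy_xff_default": resolve_client_ip(PROXY_NODE, CONSTRUCTED_HEADERS, True),
        # Proxy, specified header: the proxy-set X-Client-IP is used instead.
        "proxy_custom_header": resolve_client_ip(
            PROXY_NODE, CONSTRUCTED_HEADERS, True, ("X-Client-IP",)
        ),
        # Proxy, specified header absent: WAF falls back to X-Forwarded-For.
        "proxy_custom_header_absent": resolve_client_ip(
            PROXY_NODE, {"X-Forwarded-For": f"{FORGED}, {REAL_CLIENT}"}, True, ("X-Real-IP",)
        ),
    }


if __name__ == "__main__":
    for setting, (ip, source) in compare_settings().items():
        print(f"{setting:28s} -> {ip} (from {source})")
```

The fallback case is the one to watch when you roll this out: if the proxy ever stops setting the specified header, WAF silently reverts to the forgeable X-Forwarded-For rule.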

    More Settings

    • IPv6

      By default, WAF processes only IPv4 traffic. If your website supports IPv6, you can turn on IPv6 to enable WAF protection for IPv6 traffic. After you turn on IPv6, WAF assigns a WAF IP address to the domain name to process IPv6 traffic. This feature is available only in the Chinese Mainland.

    • Exclusive IP Address

      By default, all domain names that are added to WAF are protected by the same WAF IP address. If you enable this feature, WAF assigns an exclusive IP address to protect the domain name. A domain name that is protected by an exclusive IP address can be accessed even if volumetric DDoS attacks occur on other domain names. For more information, see Exclusive IP addresses.

      If you want to use an exclusive IP address to protect your domain name, you can enable this feature.

      Important
      • You can purchase exclusive IP addresses for subscription WAF Pro Edition, Enterprise Edition, and Ultimate Edition instances. To purchase an exclusive IP address, click Upgrade Now on the Overview page and configure the Exclusive IP Address parameter. For more information, see Upgrade or downgrade a WAF instance.

      • If you use a pay-as-you-go WAF instance, you are charged based on the number of exclusive IP addresses that you use. For more information, see Pay-as-you-go billing overview.

    • Protection Resource

      Select the type of protection resource that you want to use.

      • Shared Cluster (default)

      • Shared Cluster-based Intelligent Load Balancing

        After you enable shared cluster-based intelligent load balancing for a WAF instance, at least three protection nodes that are deployed in different regions are allocated to the WAF instance to support automatic disaster recovery. The WAF instance uses the intelligent Domain Name System (DNS) resolution feature and the least-time back-to-origin algorithm to reduce the latency of traffic that is sent from protection nodes to origin servers. For more information, see Intelligent load balancing.

        Important
        • You can enable shared cluster-based intelligent load balancing for subscription WAF Pro Edition, Enterprise Edition, and Ultimate Edition instances. You are charged for this feature. To enable shared cluster-based intelligent load balancing, click Upgrade Now on the Overview page and set the Intelligent Load Balancing parameter to Enable. For more information, see Upgrade or downgrade a WAF instance.

        • If you use a pay-as-you-go WAF instance, you are charged based on whether you enable shared cluster-based intelligent load balancing. For more information, see Pay-as-you-go billing overview.

        • After you enable shared cluster-based intelligent load balancing, you cannot turn on IPv6 or Exclusive IP Address.

    Resource Group

    Select the resource group to which you want to add the domain name. If you do not select a resource group, the domain name is added to the default resource group.

    Note

    You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.

  5. In the Configure Forwarding Rule step, configure the parameters and click Submit. The following table describes the parameters.

    Parameter

    Description

    Load Balancing Algorithm

    If you specify multiple origin server addresses, select the load balancing algorithm that you want WAF to use to forward back-to-origin requests to the origin servers. Valid values:

    • IP hash (default)

      Requests that are sent from a specific IP address are forwarded to the same origin server.

    • Round-robin

      Requests are distributed to origin servers in turn.

    • Least time

      WAF uses the intelligent DNS resolution feature and the least-time back-to-origin algorithm to reduce the path and latency when requests are forwarded to origin servers.

      Important

      You can set the Load Balancing Algorithm parameter to Least time only if you set the Protection Resource parameter to Shared Cluster-based Intelligent Load Balancing in the Configure Listener step. For more information, see the description of the Protection Resource parameter in this topic.

    Origin Server Address

    Enter the public IP address or domain name of the origin server. The IP address or domain name is used to receive the back-to-origin requests that are forwarded by WAF. Valid values:

    • IP

      • Make sure that the IP address can be accessed over the Internet.

      • You can enter up to 20 IP addresses. Press the Enter key each time you enter an IP address.

        Note

        If you enter multiple IP addresses, WAF distributes workloads across the IP addresses, achieving load balancing.

      • You can enter both IPv4 and IPv6 addresses, only IPv4 addresses, or only IPv6 addresses.

        If you enter both IPv4 and IPv6 addresses, WAF forwards requests from IPv4 addresses to origin servers that use IPv4 addresses and requests from IPv6 addresses to origin servers that use IPv6 addresses.

        Important

        If you want to enter IPv6 addresses, turn on IPv6 in the Configure Listener step. For more information, see Enable IPv6.

    • Domain Name (Such as CNAME)

      If you select Domain Name (Such as CNAME), the domain name can be resolved only to an IPv4 address and WAF forwards back-to-origin requests to the IPv4 address.

    Advanced HTTPS Settings

    • Enable HTTP Routing

      If you enable this feature, WAF forwards requests over HTTP. The default port is 80. In this case, WAF forwards requests that are sent to port 80 to the origin server, regardless of whether the client accesses WAF on port 80 or port 443. This feature allows all requests to be forwarded to the origin server over HTTP, and you do not need to modify the settings of the origin server. This reduces the impact of traffic on the performance of the website.

      Important

      If your website does not support HTTPS, turn on Enable HTTP Routing.

    • Origin SNI

      Origin Server Name Indication (SNI) allows you to specify the domain name to which an HTTPS connection must be established at the start of the TLS handshake process when WAF forwards requests to the origin server. If the origin server hosts multiple domain names, enable this feature.

      After you select Origin SNI, you can configure the SNI field. Valid values:

      • Use Domain Name in Host Header (default)

        This value specifies that the value of the SNI field in WAF back-to-origin requests is the same as the value of the Host header field.

        For example, if the domain name that you configured is *.aliyundoc.com and the client requests the www.aliyundoc.com domain name in the Host header field, the value of the SNI field in WAF back-to-origin requests is www.aliyundoc.com.

      • Custom

        This value specifies that you can enter a custom value for the SNI field in WAF back-to-origin requests.

        If you want WAF to use an SNI field whose value is different from the value of the Host header field in back-to-origin requests, specify a custom value for the SNI field.

    Other Advanced Settings

    • Obtain the listening protocol of WAF by using the X-Forwarded-Proto header field

      The X-Forwarded-Proto header field is automatically added to HTTP requests. The X-Forwarded-Proto header field is used to identify the original protocol used by the client. If your website cannot correctly handle the X-Forwarded-Proto header field, compatibility issues may occur. To prevent such issues, clear Obtain the listening protocol of WAF by using the X-Forwarded-Proto header field.

    • Enable Traffic Mark

      If you select Enable Traffic Mark, requests that pass through WAF are labeled. This way, your origin server can obtain the originating IP addresses or ports of clients.

      If an attacker obtains information about your origin server before you add your domain name to WAF and uses another WAF instance to forward requests to the origin server, you can select Enable Traffic Mark to intercept the malicious traffic. The origin server checks whether the requests passed through WAF. If the specified header fields exist in a request, the request passed through WAF and is allowed. If the specified header fields do not exist in a request, the request did not pass through WAF and is blocked.

      You can configure the following types of header fields:

      • Custom Header

        If you want to add a custom header field, configure the Header Name and Header Value parameters. WAF adds the header field to the back-to-origin requests. This allows the backend server to check whether requests passed through WAF, collect statistics, and analyze data.

        For example, you can add the ALIWAF-TAG: Yes custom header field to label the requests that pass through WAF. In this example, the name of the header field is ALIWAF-TAG and the value of the header field is Yes.

      • Originating IP Address

        You can configure a custom header field to record the originating IP addresses of clients. This way, your origin server can obtain the originating IP addresses of clients. For information about how WAF obtains the originating IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter in this topic.

      • Source Port

        You can configure a custom header field to record the ports of clients. This way, your origin server can obtain the ports of clients.

      Important

      We recommend that you do not configure a standard HTTP header field, such as User-Agent, as a mark. Otherwise, the original value of the standard header field is overwritten by the value of the custom header field.

      Click Add Mark to configure a custom header field. You can configure up to five custom header fields.
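An added example of the origin-side check that the Traffic Mark feature above relies on (not code from this topic or from WAF): the origin accepts a request only if the TCP peer is inside the WAF back-to-origin CIDR blocks that step 6 of this topic tells you to allowlist and the ALIWAF-TAG: Yes header from the topic's example is present. The CIDR ranges are RFC 5737 placeholders standing in for the real blocks shown under Back-to-origin CIDR Blocks in the console; the WSGI middleware shape is an assumption.

```python
import hmac
import ipaddress
from typing import Mapping, Sequence, Tuple

# Placeholder ranges: the real back-to-origin CIDR blocks are listed under
# "Back-to-origin CIDR Blocks" on the CNAME Record tab. These RFC 5737
# documentation networks are used only so the example runs offline.
WAF_BACK_TO_ORIGIN_CIDRS: Sequence[str] = ("192.0.2.0/24", "198.51.100.0/24")

# Custom header configured under Enable Traffic Mark, using the topic's example.
# Treat the value as a shared secret between WAF and the origin.
MARK_HEADER = "ALIWAF-TAG"
MARK_VALUE = "Yes"


def check_origin_request(
    peer_ip: str,
    headers: Mapping[str, str],
    cidrs: Sequence[str] = WAF_BACK_TO_ORIGIN_CIDRS,
    mark_header: str = MARK_HEADER,
    mark_value: str = MARK_VALUE,
) -> Tuple[bool, str]:
    """Decide whether a request reached the origin through WAF.

    Both checks must pass: the TCP peer is a WAF back-to-origin address, and
    the traffic-mark header carries the configured value. A reason string is
    returned so rejected requests can be logged and alerted on.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "peer address unparseable"

    if not any(peer in ipaddress.ip_network(c) for c in cidrs):
        return False, "peer not in WAF back-to-origin CIDR"

    # Header names are case-insensitive; the mark value is compared exactly.
    lowered = {name.lower(): value for name, value in headers.items()}
    presented = lowered.get(mark_header.lower(), "")
    # Constant-time comparison so the mark value is not leaked through timing.
    if not hmac.compare_digest(presented.encode(), mark_value.encode()):
        return False, "traffic mark missing or wrong"

    return True, "ok"


def waf_only(app, **check_kwargs):
    """WSGI middleware that rejects requests that did not pass through WAF."""

    def wrapper(environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME> with dashes as underscores.
        headers = {
            key[5:].replace("_", "-"): value
            for key, value in environ.items()
            if key.startswith("HTTP_")
        }
        allowed, reason = check_origin_request(
            environ.get("REMOTE_ADDR", ""), headers, **check_kwargs
        )
        if not allowed:
            # Log `reason` here; a burst of these indicates direct-to-origin traffic.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"rejected: {reason}\n".encode()]
        return app(environ, start_response)

    return wrapper
```

On the origin, REMOTE_ADDR is the WAF node rather than the client, so read the client address from the Originating IP Address mark header described above. The mark value is only as secret as the configuration that holds it, which is why the CIDR check is kept as the second, independent condition.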

    • Specify the timeout periods for back-to-origin requests

      • Connection Timeout Period: the maximum amount of time WAF waits to connect to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 5.

      • Read Connection Timeout Period: the maximum amount of time WAF waits to receive a response from the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120.

      • Write Connection Timeout Period: the maximum amount of time WAF waits to forward a request to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120.

    • Retry Back-to-origin Requests

      After you enable this feature, WAF retries up to three times when it fails to forward requests to the origin server. If you do not enable this feature, WAF does not retry forwarding requests if it fails the first time.

    • Back-to-origin Keep-alive Requests

      If you enable this feature, you must configure the following parameters:

      • Reused Keep-alive Requests: the number of reused keep-alive requests. Valid values: 60 to 1000. Default value: 1000.

      • Timeout Period of Idle Keep-alive Requests: the timeout period for idle keep-alive requests. Valid values: 1 to 60. Default value: 15. Unit: seconds.

      Note

      If you do not enable this feature, back-to-origin keep-alive requests do not support WebSocket.

  6. In the Add Completed step, obtain the CNAME assigned to the domain name. Modify the DNS record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

    Important

    Before you modify the DNS record, make sure that the following conditions are met:

    • The forwarding configurations for your website are correct and have taken effect. If you modify the DNS record before the forwarding configurations for your website take effect, service interruptions may occur. For more information, see Verify domain name settings.

    • The back-to-origin CIDR blocks of WAF are added to the IP address whitelist of the third-party firewall that is used by the origin server on which the domain name is hosted. This prevents normal requests that are forwarded by WAF from being blocked. On the CNAME Record tab, click Back-to-origin CIDR Blocks above the domain name list to view and copy the back-to-origin CIDR blocks of WAF. For more information, see Allow access from back-to-origin CIDR blocks of WAF.


    After you complete the preceding configurations, you can perform the following operations to check whether the domain name is protected by WAF:

    • Enter the domain name in your browser. If you can access the website, the domain name is protected by WAF.

    • Enter the domain name followed by a test attack string, such as <Protected domain name>/alert(xss). If a 405 error page appears, the request is blocked and the domain name is protected by WAF.

More operations

View the DNS resolution status of a domain name

WAF checks the DNS resolution status of protected domain names and identifies domain names whose DNS records are abnormal. You can view the DNS resolution status of the domain names that you added to WAF in the domain name list and modify the DNS records based on the error messages that are displayed in the WAF console.


DNS resolution status: The DNS resolution is normal.
Description: The domain name is pointed to the CNAME that is provided by WAF.
Operation: None.

DNS resolution status: The DNS resolution is abnormal. An A record is used.
Description: An A record is used and service interruptions may occur.
Operation: Delete the A record and add a CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

DNS resolution status: The DNS resolution is abnormal. An invalid WAF IP address is used.
Description: An A record is used and the domain name is pointed to an invalid WAF IP address. Service interruptions may occur.
Operation: Delete the A record and add a CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

DNS resolution status: The DNS resolution is abnormal. An invalid CNAME is used.
Description: A CNAME record is used and the domain name is pointed to an invalid CNAME.
Operation: Modify the CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

DNS resolution status: An unknown DNS resolution issue occurs. A proxy is deployed.
Description: A Layer 7 proxy is used in front of WAF and the back-to-origin address of the proxy is not the CNAME that is provided by WAF.
Operation: Check whether the back-to-origin address of the proxy is the CNAME that is provided by WAF.

DNS resolution status: The DNS resolution status check timed out.
Description: None.
Operation: Click the update icon to recheck the DNS resolution status.

DNS resolution status: No DNS records are found.
Description: No DNS records are configured for the domain name. A CNAME record must be added to point the domain name to the CNAME that is provided by WAF.
Operation: Add a CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

DNS resolution status: The domain name is not pointed to the CNAME provided by WAF.
Description: The domain name is not pointed to the CNAME provided by WAF. A CNAME record must be added to point the domain name to the CNAME that is provided by WAF.
Operation: Modify the CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

Add tags to or remove tags from domain names

You can add tags to domain names that are added to WAF and search for specific domain names by tag.

  • Add tags to or remove tags from a domain name

    1. Find the domain name whose tags you want to manage and move the pointer over the edit icon in the Tag column. If no tags are added to the domain name, click Add. If a tag is added to the domain name, click Edit.

    2. In the Edit Tag dialog box, configure the Tag Key and Tag Value parameters.

      Note
      • You can enter up to 10 tag keys and leave the Tag Value parameter empty.

      • The tag key or tag value can be up to 128 characters in length, and cannot contain http:// or https://. The tag key or tag value cannot start with acs: or aliyun.

      • When you add a domain name to WAF, you can add tags to the domain name. You can also add tags to the corresponding protected object when you configure protection policies. The tags that are added to a domain name are automatically added to the corresponding protected object.

      After you add tags to domain names, you can select tags from the Filter Tags drop-down list to search for domain names to which the selected tags are added.

    3. Optional. To remove a tag from a domain name, click the delete icon to the right of the tag in the Edit Tag dialog box.

  • Add a tag to or remove a tag from multiple domain names at the same time

    Select the domain names whose tags you want to manage and click Add Tag or Remove Tag below the domain name list.

Modify or remove a domain name that is added to WAF

Warning

Before you remove a domain name, you must change the DNS record configuration back to the original configuration. For example, modify the DNS record to resolve the domain name to the IP address of the origin server. If you do not change the DNS record configuration, WAF cannot forward the requests that are sent to the domain name to the origin server and your website cannot be accessed.

Find the domain name that you want to manage and click Edit or Delete in the Actions column.

Configure default SSL or TLS settings

If you add multiple domain names to the same WAF instance, a shared WAF virtual IP address (VIP) is used to monitor the traffic of the domain names.

To meet the security compliance and compatibility requirements of HTTPS, WAF allows you to configure SSL or TLS settings. Before you perform compliance scans and detection, you can upload an HTTPS certificate for the VIP and disable or enable specific TLS protocol versions and cipher suites.

Note

If you purchase and enable an exclusive IP address, the configuration takes effect for the exclusive IP address. For more information about exclusive IP addresses, see Exclusive IP addresses.

  1. Click Default SSL/TLS Settings above the domain name list.

  2. In the Default SSL/TLS Settings dialog box, configure the parameters and click OK. The following table describes the parameters.

    Parameter

    Description

    HTTPS Upload Type

    Specify the method used to upload the SSL certificate. For more information, see Upload a certificate.

    TLS Version

    Specify the TLS protocol versions that are supported for HTTPS communication. Valid values:

    • TLS 1.0 and Later (Best Compatibility and Low Security) (default)

    • TLS 1.1 and Later (High Compatibility and High Security)

    • TLS 1.2 and Later (High Compatibility and Best Security)

    If you want to enable TLS 1.3, select Support TLS 1.3.

    HTTPS Cipher Suite

    Specify the cipher suites that are supported for HTTPS communication. Valid values:

    • All Cipher Suites (High Compatibility and Low Security) (default)

    • Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.)

      For more information about custom cipher suites, see View supported cipher suites.

Update the SSL certificate bound to a domain name

If the SSL certificate that is bound to a domain name is about to expire or the certificate is changed, such as when the certificate is revoked, you must update the certificate.

Note
  • If the remaining validity period of the certificate is less than 30 days, a warning icon is displayed next to the domain name in the domain name list. This indicates that your SSL certificate is about to expire. In this case, you must update the certificate at the earliest opportunity.

  • If you want to receive notifications when the certificate is about to expire, perform the following steps: Log on to the Certificate Management Service console. Find the certificate and click the icon in the Notification Reminder column. On the Notification page, enable and configure a notification policy for the certificate.

  • To prevent service interruptions due to certificate expiration, enable the certificate hosting feature of Certificate Management Service. If you enable this feature for a certificate, the system automatically applies for a new certificate. For more information, see Overview of the certificate hosting feature.

To update an SSL certificate that is bound to a domain name, perform the following steps:

  1. Renew the certificate or upload a third-party certificate to Certificate Management Service. For more information, see Certificate renewal or Upload an SSL certificate.

  2. Synchronize the certificate to WAF.

    • In the Certificate Management Service console, deploy the certificate to WAF. For more information, see Deploy certificates to Alibaba Cloud services.

    • Upload the certificate in the WAF console.

      1. On the CNAME Record tab of the Website Configuration page, find the domain name whose certificate you want to update and click Edit in the Actions column.

      2. Set the HTTPS Upload Type parameter to Select Existing Certificate and select the new certificate.

What to do next

After you add a domain name to WAF, the domain name automatically becomes a protected object of WAF and basic protection rules are enabled for the protected object. The name of the protected object is in the "Domain name-waf" format. The protected object is displayed on the Protected Objects page. To go to the Protected Objects page, choose Protection Configuration > Protected Objects in the left-side navigation pane. On the Protected Objects page, you can view the protected object and configure protection rules for it.

References

  • Protection configuration overview: describes the protected objects, protection policies, and the protection process.

  • CreateDomain: describes how to add a domain name to WAF in CNAME record mode by calling the CreateDomain operation.

  • DescribeDomainDetail: describes how to query the access configurations of domain names that are added to WAF in CNAME record mode by calling the DescribeDomainDetail operation.