All Products
Search

This Product

    Web Application Firewall:Enable WAF protection for a CLB instance

    Document Center

    Web Application Firewall:Enable WAF protection for a CLB instance

    Last Updated:Nov 24, 2025

    Protect your public-facing Classic Load Balancer (CLB) instances from web attacks by enabling Web Application Firewall (WAF) 3.0. This method transparently redirects traffic from specified ports to WAF for inspection, requiring no changes to your DNS or network architecture.

    How it works

    image

    • How it works: WAF integrates with CLB instances via a transparent proxy method. You only need to configure the protected port on the CLB instance, and the system will automatically adjust the underlying network routing policies to route all HTTP/HTTPS traffic on that port to WAF for security inspection. After WAF inspects the traffic and blocks any malicious requests, it forwards the legitimate requests to the origin CLB instance.

    • Protection scope: Covers all domain names associated with the specified protected port. It also supports services accessed only by a public IP address (without a configured domain name).

    • Supported listener protocols: WAF integrates with CLB instances that have HTTP, HTTPS, or TCP listeners. For TCP listeners, WAF can only protect HTTP/HTTPS traffic on their ports. It does not support forwarding or protecting non-HTTP/HTTPS protocol traffic, such as FTP, SMTP, or database traffic.

    Usage notes

    If your CLB instance does not meet the following requirements, use CNAME-based onboarding.

    Instance requirements:

    • The instance must be a public-facing instance or a private instance with an EIP attached.

    • Before onboarding, you must add listeners to the CLB instance, and the listener protocol must be HTTP, HTTPS, or TCP.

    • The IP version must be IPv4.

    • Shared CLB instances are not supported.

    Instance region requirements:

    • WAF instances in the Chinese mainland: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Qingdao).

    • WAF instances outside the Chinese mainland: China (Hong Kong), Malaysia (Kuala Lumpur), Indonesia (Jakarta), and Singapore.

    Important

    Your web services may experience a brief connection interruption lasting a few seconds when you add the instance to WAF. Perform this operation during off-peak hours and monitor your services afterward. If your clients or services have an effective reconnection mechanism, the connection is automatically restored without affecting your business.

    Procedure

    1. Go to the WAF console.

      Log on to the Web Application Firewall 3.0 console. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of the WAF instance. In the navigation pane on the left, click Onboarding. Click the Cloud Native tab. From the list of cloud service types on the left, select Classic Load Balancer (CLB).

    2. Cloud product authorization (Initial configuration).

      Follow the on-screen instructions and click Authorize Now to grant the required permissions. You can view the created service-linked role, AliyunServiceRoleForWAF, on the Roles page of the RAM console.

    3. Onboard the CLB instance.

      1. In the list on the right, find the target CLB instance and view its WAF protection status. Click the image.png icon to expand its details. Select the port to protect and click Add Now in the Actions column.

        • If you cannot find the target instance, click Synchronize Assets in the upper-right corner. If the instance still does not appear, it does not meet the Requirements.

        • If the Add Now button is unavailable or the status is Protection Exception, refer to the FAQ section.image

      2. Perform the following steps based on the protocol of the port that you are onboarding.

        HTTP/HTTPS

        On the Configure Instance page, to customize settings such as Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF, or traffic tag, see Obtain the real IP address of a client. To customize origin timeout or origin keep-alive, see Optimize back-to-origin connections. If no custom settings are required, click OK to apply the default configurations.

        Note

        If the protocol is HTTPS, you must configure certificate-related settings on the CLB side. You do not need to configure certificates in the WAF console.

        TCP

        On the Configure Instance page, select the Protocol Type for the traffic on the port.

        HTTP

        To customize Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF, see Obtain the real IP address of a client. To customize origin timeout or origin keep-alive , see Optimize back-to-origin connections. Otherwise, click OK to apply the default configurations.

        HTTPS

        1. You can customize settings such as HTTP/2, TLS version, cipher suite, or additional certificate. For more information, see Enhance security (HTTPS). Otherwise, keep the default settings for other fields.

        2. In the Default Certificate area, select how to upload the certificate:

          • Upload: Use this option if your certificate is not uploaded to Alibaba Cloud Certificate Management Service (Original SSL Certificate).

          • Select Existing Certificate: Select a certificate that is issued or uploaded in Alibaba Cloud Certificate Management Service (Original SSL Certificate).

            Upload

            • Certificate Name: Enter a unique name for the certificate. The name must not match any existing certificate.

            • Certificate File: Open the certificate file in a text editor and paste the full content of the PEM, CER, or CRT formatted certificate.

              Example format: -----BEGIN CERTIFICATE-----......-----END CERTIFICATE-----

              • Format conversion: If your certificate is in a format such as PFX or P7B, use a certificate tool to convert it to the PEM format.

              • Certificate chain: If an intermediate certificate is included, paste the server certificate first, followed by the intermediate certificate.

            • Private Key: Paste the content of the private key file in PEM format.

              Example format: -----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY-----

            Select Existing Certificate

            Select the certificate to upload to WAF from the dropdown list.

            Note

            If the WAF console displays the message "Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected.", it indicates an issue with the certificate chain. Ensure your certificate content is correct and complete, then re-upload it in the Digital Certificate Management Service console. For more information, see Upload, sync, and share SSL certificates.

        3. To customize settings such as Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF, or traffic tag, see Obtain the real IP address of a client. To customize origin timeout or origin keep-alive, see Optimize back-to-origin connections. Otherwise, click OK to apply the default configurations.

    4. Verify the protection.

      After onboarding is complete, verify that WAF protection is active by visiting the website hosted on the CLB instance in a browser and appending a web attack test payload to its URL (for example, http://yourdomain/alert(xss)). If WAF returns its 405 block page, the attack was successfully intercepted.

    5. View and configure protection rules.

      After onboarding, WAF automatically creates a protected object named instance-id-port-asset-type and enables protection rule modules, such as web core protection rules, for the object by default. You can view these on the Protection Configuration > Protected Objects page. If the default rules do not meet your needs (for example, if you need to add a specific IP address to an whitelist to permit all its requests), you can create or edit protection rules. For more information, see Protection configuration overview.

      image

    Important

    • Certificate and instance status requirements: After you add the instance, ensure that the certificate is valid and the instance status is normal. WAF protection becomes invalid if the certificate expires or the EIP of the instance changes. For more information, see Update the certificate for a traffic routing port and Add the CLB instance to WAF again after changes.

    • Scenario with multiple domain names on a single CLB instance: If multiple domain names are resolved to the same CLB instance and you need to configure different mitigation rules for them, you must manually add each domain name as a protected object. For more information, see Manually add a protected object.

    Enhance security (HTTPS)

    Note

    You can configure HTTPS-related options only if the protocol of the port is TCP and the traffic it handles is HTTPS.

    Parameter

    Description

    HTTP/2

    Uses the HTTP/2 protocol to improve page loading speed, reduce latency, and enhance user experience. If your website supports HTTP/2, enable this feature. After it is enabled, HTTP/2 and HTTPS use the same port.

    TLS version

    Defines the TLS versions allowed between clients and WAF. Higher versions offer stronger security but may have lower compatibility with older clients. For high-security scenarios, we recommend selecting TLS 1.2 or later.

    Cipher suite

    Defines the encryption algorithms allowed between clients and WAF. Strong cipher suites provide high security but may have low compatibility with older clients. For high-security scenarios, we recommend selecting strong cipher suites.

    Additional certificate

    If a CLB instance hosts HTTPS websites for multiple domain names and a single certificate cannot cover all of them, you must upload the corresponding certificate for each domain name.

    • HTTP/2

      On the Configure Instance page, enable HTTP/2.

    • TLS version

      On the Configure Instance page, select an option from the TLS Version section.

      • TLS 1.0 and Later (Best Compatibility and Low Security): Allows access from all older clients.

      • TLS 1.1 and Later (High Compatibility and High Security): Prevents clients that use TLS 1.0 from accessing the website.

      • TLS 1.2 and Later (High Compatibility and Best Security): Meets the latest security compliance requirements but prevents clients that use TLS 1.0 or 1.1 from accessing the website.

      • Support TLS 1.3: Select this option if your website supports the TLS 1.3 protocol. By default, WAF does not listen for client requests that use TLS 1.3.

    • Cipher suite

      On the Configure Instance page, select an option from the Cipher Suite section.

      • All Cipher Suites (High Compatibility and Low Security)

      • Custom Cipher Suite (Select It based on protocol version. Proceed with caution.): If your website supports only specific cipher suites, select this option and then choose the supported suites from the list.

        Strong cipher suites

        Weak cipher suites

        • ECDHE-ECDSA-AES128-GCM-SHA256

        • ECDHE-ECDSA-AES256-GCM-SHA384

        • ECDHE-ECDSA-AES128-SHA256

        • ECDHE-ECDSA-AES256-SHA384

        • ECDHE-RSA-AES128-GCM-SHA256

        • ECDHE-RSA-AES256-GCM-SHA384

        • ECDHE-RSA-AES128-SHA256

        • ECDHE-RSA-AES256-SHA384

        • ECDHE-ECDSA-AES128-SHA

        • ECDHE-ECDSA-AES256-SHA

        • AES128-GCM-SHA256

        • AES256-GCM-SHA384

        • AES128-SHA256

        • AES256-SHA256

        • ECDHE-RSA-AES128-SHA

        • ECDHE-RSA-AES256-SHA

        • AES128-SHA

        • AES256-SHA

        • DES-CBC3-SHA

        Note

        • Cipher suite security recommendation: The cipher suites ECDHE-RSA-AES128-SHA256 and ECDHE-RSA-AES256-SHA384 use ECDHE for key exchange, RSA for authentication, and the AES-CBC encryption mode. Compared to suites that use the authenticated encryption modes such as AES-GCM, they offer lower security and performance. Some security scanning tools may flag these as weak cipher suites. If this occurs, select a custom cipher suite policy and manually exclude these two suites.

        • Cipher suite naming standards: Cipher suites have different naming standards. WAF displays cipher suites using the OpenSSL format, while some scanning tools may use the Internet Assigned Numbers Authority (IANA) standard. For example, ECDHE-ECDSA-AES256-GCM-SHA384 in OpenSSL corresponds to TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 in the IANA standard. To quickly look up the corresponding names, visit ciphersuite.infoor use other TLS lookup tools.

    • Additional certificate

      On the Configure Instance page, you can upload certificates in the Additional Certificate section. The upload method is the same as that for a default certificate. For more information, see Default Certificate.

      Note

      When you add multiple additional certificates, all certificates must be valid. If any certificate has expired, the operation fails.

    Obtain the real IP address of a client

    Parameter

    Description

    Is a Layer 7 proxy (such as Anti-DDoS or CDN) deployed in front of WAF?

    If you deploy a Layer 7 proxy such as CDN in front of WAF, you must set the Obtain Actual IP Address of Client to ensure that WAF can obtain real client IP addresses for security analytics, such as identifying the Attacker IP Address of attacks in Security Reports.

    Enable Traffic Tag

    Helps the origin server distinguish requests that have passed through WAF and obtain the originating IP address or port of the client.

    Use the X-Forwarded-Proto header to identify the listener protocol of WAF

    By default, WAF inserts the X-Forwarded-Proto header into HTTP requests that it processes. This header identifies the protocol used by the client to connect to the nearest Layer 7 proxy. If your web application needs to process this header, configure it as needed.

    • Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF

      On the Configure Instance page, configure the settings in the Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF section. The options are:

      No, no other proxy

      Indicates that business requests that are received by WAF are initiated directly by the client.

      Yes, there is another proxy

      This setting indicates that WAF receives business requests from another Layer 7 proxy service. You must also configure the Obtain Actual IP Address of Client.

      • Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client

        After you select this option, WAF obtains the client IP in the following order:

        1. Reads X-Real-IP from the request header as the client IP.

        2. If X-Real-IP does not exist, WAF uses the first IP address in X-Forwarded-For (XFF) as the client IP.

      • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery

        Note

        You can configure the other proxy service to write the source IP address of the client into a specified Header field (such as X-Real-IP or X-Client-IP) and select this configuration to prevent attackers from bypassing WAF by spoofing the XFF field.

        In the Header Field box, enter one or more header fields and press Enter after each field. WAF obtains the client IP from these fields in the following order:

        1. Matches the configured Header Field in sequence.

        2. If none of the specified Headers exist, WAF tries to read the X-Real-IP field.

        3. If there is still no result, WAF uses the first IP address in XFF as the client IP.

    • Enable Traffic Tag

      On the Configure Instance page, expand Advanced Settings, select Enable Traffic Tag, and configure the following marking fields:

      • Custom Header: You can configure WAF to add a custom header to back-to-origin requests by specifying a Header Name and a Header Value. This allows your server to identify requests forwarded by WAF. For example, you can set the header to WAF-TAG: Yes, where WAF-TAG is the header name and Yes is the header value. Your server can then use this field to implement validation or access control policies to enhance security and request identification.

        Important

        Do not enter standard HTTP header fields, such as User-Agent. Otherwise, the content of the standard header field is overwritten by the custom field value.

      • Originating IP Address: Specifies the header field that contains the source IP address of the client. WAF records this header field and forwards it to the origin server. For more information about how WAF determines the originating IP address of the client, see the description of the Is a Layer 7 proxy (such as Anti-DDoS or CDN) deployed in front of WAF? parameter.

      • Source Port: Specifies the name of the header field that contains the client source port. WAF records this header field and passes it to the origin server.

    • Obtain the listening protocol of WAF by using the X-Forwarded-Proto header field.

      On the Configure Instance page, expand Advanced Settings. If necessary, select Obtain the listening protocol of WAF by using the X-Forwarded-Proto header field.

    Optimize back-to-origin connections

    Parameter

    Description

    Set read and write connection timeouts

    If the origin server takes a long time to process requests, which may cause timeouts, you can configure the WAF read and write timeouts.

    Back-to-origin persistent connection

    Configures the ability to maintain a long-term connection between WAF and the origin server. If you encounter occasional 502 errors after adding the service, check the relevant parameters of the origin server. We recommend that you set the value of the WAF persistent connection parameter to be less than or equal to the corresponding parameter value of the origin server.

    • Set read and write connection timeouts

      On the Configure Instance page, expand the Advanced Settings section and set the following parameters:

      • Read Connection Timeout Period: Specifies the timeout for receiving a response from the origin server. For operations that require a long response time, such as report exporting or batch data processing, you may need to increase this value. The default value is 120 s, and the value can range from 1 s to 3,600 s.

      • Write Connection Timeout Period: This parameter specifies the timeout period for a request that WAF sends to the origin server. You do not need to adjust this parameter in most cases. However, you can increase the value if the origin server load is extremely high and causes slow request processing. The default value is 120 s, and the configurable range is 1 s to 3,600 s.

    • Back-to-origin Keep-alive Requests

      Important

      If you disable this feature, origin keep do not support the WebSocket protocol.

      On the Configure Instance page, expand Advanced Settings. In the Back-to-origin Keep-alive Requests section, enable the feature and configure the following settings:

      • Max Requests per Connection: The value can be an integer from 60 to 1,000. The default value is 1,000. For example, if the origin server uses Nginx, this parameter corresponds to the Nginx keepalive_requests parameter. For more information, see the Nginx documentation.

      • Timeout Period of Idle Keep-alive Requests: The default value is 3,600 s. The value can be set to a range from 10 s to 3,600 s. For example, if the origin server uses Nginx, this parameter corresponds to the Nginx parameter keepalive_timeout.

    Improve resource management efficiency

    Resource Group

    • Description: Simplifies resource management and permission configuration for improved management efficiency. If no resource group is specified, the instance is added to the Default Resource Group. For more information, see Resource groups.

    • Procedure: On the Configure Instance page, in the Resource Group section, select the resource group for the instance from the drop-down list.

    Daily O&M

    Update the certificate for a traffic routing port

    If a certificate is about to expire or changes for other reasons, such as being revoked, you must update the certificate bound to the traffic routing port.

    Step 1: Prepare a new certificate

    Purchase a new certificate from Alibaba Cloud

    Renew the SSL certificate in the Certificate Management Service (Original SSL Certificate) console. For more information, see Renew an SSL certificate.

    Upload a new certificate purchased from another platform to Alibaba Cloud

    1. Download the certificate file from the platform where you purchased it.

    2. Go to the Upload Certificate page. Click Upload Certificate to upload the certificate in PEM format. For more information, see Upload a local certificate.

    Step 2: Replace the old certificate

    Original CLB protocol is HTTP/HTTPS

    1. In the CLB console, create a certificate and select Alibaba Cloud Certificates as the certificate source. Do not select certificate not issued by Alibaba Cloud. For more information, see Create a certificate.

    2. In the CLB console, modify the listener configuration to replace the server certificate with the newly uploaded certificate. For more information, see Step 2: Configure an SSL certificate.

    Original CLB protocol is TCP

    1. On the Cloud Native tab, select the Classic Load Balancer (CLB) tab. Find the target instance, click the image.png icon, and then in the Actions column for the target port, click Modify.image

    2. In the Default Certificate section, select Select Existing Certificate, and then select the replacement certificate.

    Note

    • When a certificate has less than 30 calendar days of validity remaining, WAF displays an image.png icon in the record list to indicate that the certificate is about to expire. You must update it promptly to avoid affecting normal business operations.

    • You can set up SSL certificate message reminders to receive notifications by email, text message, and other methods before the certificate expires. For more information, see Set up message notifications for SSL certificates.

    • To avoid business interruptions caused by an expired certificate, enable the certificate hosting service of Alibaba Cloud Certificate Management Service (Original SSL Certificate). This service automatically requests certificates before they expire. For more information, see What is Certificate Hosting Service?.

    Temporarily disable/remove the instance

    • Temporarily disable WAF protection: If you encounter issues after onboarding, such as a high number of false positives, you can turn off the WAF Protection Status switch on the Protected Objects page in the WAF console. For more information, see Disable WAF protection with one click.

    • Remove the instance: If you no longer want to use WAF to protect the CLB instance, follow these steps to remove it.

      On the Cloud Native tab, click the Classic Load Balancer (CLB) tab. Find the target instance, click the image.png icon, and then click Remove. In the Remove dialog box, click OK.image

    Important

    • Service impact: Removing an instance from WAF may cause a seconds-long connection interruption for your web services. Perform this operation during off-peak hours and monitor your services afterward. If your clients or services have an effective reconnection mechanism, the connection is automatically restored without affecting your business.

    • Re-onboarding: After removal, traffic to the instance will no longer be protected by WAF. Click Add Now to reconfigure the traffic forwarding port.

    • Billing: For a pay-as-you-go WAF instance, in addition to request processing fees, you are also charged for features, including the instance itself and protection rules. If you want to stop using WAF and stop billing, see Disable WAF.

    Add the CLB instance to WAF again after changes

    WAF protects service traffic through the traffic redirection ports of a CLB instance. If a CLB instance is changed due to any of the following operations, the original traffic redirection port configuration becomes invalid. This causes service traffic to bypass WAF and be exposed to public network threats:

    • Releasing the CLB instance.

    • Deleting a listener port that has been added to WAF.

    • Replacing the EIP attached to the CLB instance.

    To restore security protection, you must add the modified CLB instance to the WAF console again.

    Apply in production

    To ensure security and stability in a production environment, we recommend that you follow these best practices when you add a production CLB instance.

    • HTTPS configuration: Configure an HTTPS traffic redirection port and using the following configurations for efficient certificate management.

      • Upload the certificate file to Certificate Management Service (Original SSL Certificate).

      • Set the TLS version to TLS 1.2 or later.

      • Set up notifications for SSL certificates to promptly update them when they are about to expire.

    • Canary release strategy: First, add a non-production CLB instance during off-peak hours. After you run it for a period and confirm that the service is normal, you can add the production CLB instance.

    • Check services: After onboarding is complete, confirm that your services are normal in the following ways:

      • Check logs: Check for significant fluctuations in the percentage of 200 status codes in your logs and look for sudden spikes or drops in QPS. If you have enabled the WAF log service, see WAF logs.

      • Application monitoring: Check if core application functions, such as user access and transactions, are working normally.

    • Maintenance: After onboarding in a production environment, continuous maintenance is required to monitor for attacks and false positive events.

      • Event handling: Check Security Reports and configure CloudMonitor notifications to stay informed about attacks and security events.

      • Rule tuning: Continuously monitor attack logs to analyze whether legitimate user requests are being mistakenly blocked and optimize protection rules accordingly.

    Limitations

    • Number of ports: The total number of configured traffic forwarding ports cannot exceed the limit of your WAF instance subscription.

      • WAF subscription instance: Basic Edition (300). Pro (600). Enterprise (2,500). Ultimate (10,000).

      • WAF pay-as-you-go instance: 10,000.

    • Requirements for CLB instances with HTTPS listeners:

      • The certificate must not be expired.

      • Only the built-in TLS security policies of CLB are supported.

      • Certificates manually uploaded to the CLB console are not supported.

      • Mutual authentication cannot be enabled.

    • Certificate requirements: SM certificates are not supported.

    FAQ

    What do I do if the "Add Now" button is grayed out or the status is "Protection Abnormal"?

    Protocol is TCP

    Find the target CLB instance. You must click the image.png icon to expand the instance details before you click Add Now.image

    Protocol is HTTPS

    • Possible causes

      • The certificate has expired.

      • Mutual authentication is enabled.

      • The certificate was manually uploaded to the CLB console.

    • Solutions

      • If the certificate has expired, see Update the certificate for a traffic routing port to update it.

      • If mutual authentication is enabled, disable it before you add the instance. For more information, see Configure mutual authentication.

      • If the certificate was manually uploaded to the CLB console, perform the following operations:

        1. Upload the certificate to Certificate Management Service (Original SSL Certificate). For more information, see Upload an SSL certificate.

        2. In the CLB console, you can create a certificate and set the certificate source to Alibaba Cloud Certificates. For more information, see Create a certificate.

        3. In the CLB console, configure the listener to replace the server certificate with the newly uploaded certificate. For more information, see Step 2: Configure an SSL certificate.

        Note

        When certificates are manually uploaded to the CLB console, the certificate information is not automatically synchronized to the Certificate Management Service. This issue occurs because WAF retrieves certificate information exclusively from the Certificate Management Service.

    Why can't I find the CLB instance that I want to add?

    First, on the Onboarding page, click Synchronize Assets in the upper-right corner.image

    If you still cannot find the instance, the instance does not meet the Requirements. For example, a CLB instance in a region outside the Chinese mainland must be added to a WAF instance purchased for a region outside the Chinese mainland using the cloud native mode, or you must use CNAME record mode.

    image

    How to add a domain name that resolves to multiple CLB instances?

    • Use cloud native mode: You must add each of these CLB instances one by one to ensure that WAF directs traffic to all target instances.

    • Use CNAME record mode: Add this domain name using CNAME-based provisioning and configure the public IP addresses of the multiple CLB instances as the addresses of the origin server.

    How to add multiple domains that resolve to the same CLB instance?

    • Use cloud native mode: After you add this CLB instance, all domain names on the instance are protected by the default protection policy of WAF. However, to configure different protection rules for these domain names, you must manually add each domain name as a protected object. For more information, see Manually add a protected object.

    • Use CNAME record mode: Add the multiple domain names one by one.