All Products
Search
Document Center

Web Application Firewall:Add a Layer 7 CLB instance to WAF

Last Updated:May 15, 2024

If you created a Classic Load Balancer (CLB) instance and added an HTTP or HTTPS listener to the instance, you can add the listener ports to Web Application Firewall (WAF) to redirect traffic on the ports to WAF. This topic describes how to add a Layer 7 CLB instance to WAF.

Background information

After you add Elastic Compute Service (ECS) instances that are deployed in the same region to a CLB instance, CLB uses virtual IP addresses to distribute network traffic across the ECS instances based on forwarding rules to ensure high performance and high availability. For more information, see What is CLB?

You can add a Layer 7 CLB instance to WAF. After you add a Layer 7 CLB instance to WAF, all traffic of the CLB instance is redirected to WAF by using a specified gateway. WAF filters out malicious traffic and forwards legitimate traffic to the CLB instance. The following figure shows the network architecture.

image

Limits

You can add web services to WAF in cloud native mode only if your web services use one of the following Alibaba Cloud services: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Serverless App Engine (SAE), Classic Load Balancer (CLB), and Elastic Compute Service (ECS). If your web services do not use the preceding services, you can add the domain name of your website to WAF in CNAME record mode. For more information, see Add a domain name to WAF.

Item

Description

Supported instances

To add an instance to WAF, the instance must meet the following requirements:

  • The instance is an Internet-facing instance.

  • The instance does not use IPv6.

  • Mutual authentication is disabled for the instance.

Supported regions

  • Chinese mainland: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Qingdao).

  • Outside the Chinese mainland: China (Hong Kong), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).

Number of traffic redirection ports

The limits on the number of traffic redirection ports are the same as the limits on the number of protected objects.

  • Subscription WAF instances: 300 for Basic Edition, 600 for Pro Edition, 2,500 for Enterprise Edition, and 10,000 for Ultimate Edition.

  • Pay-as-you-go WAF instances: 10,000.

TLS security policies

If HTTPS listener ports are configured, only built-in Transport Layer Security (TLS) security policies are supported. If custom TLS security policies are configured for the ports, you cannot add the ports to WAF. For more information, see Supported TLS security policies.

Services that are protected by Anti-DDoS Proxy and WAF

If you want to protect your web services by using Anti-DDoS Proxy and WAF, you can add the web services to WAF in transparent proxy mode only if you add the web services to Anti-DDoS Proxy by adding a domain name.

Prerequisites

  • A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

  • A CLB instance that meets the preceding limits is created. An HTTP or HTTPS listener is added to the CLB instance. For more information, see the "Limits" section of this topic. For more information about how to add an HTTP or HTTPS listener, see Add an HTTP listener or Add an HTTPS listener.

  • If you use a subscription WAF instance, make sure that the number of protected objects that you add to WAF does not exceed the upper limit. If the number of protected objects that you add to WAF exceeds the upper limit, you can no longer add cloud service instances to WAF.

    To view the number of protected objects that you can add to WAF, go to the Protected Objects page. image.png

Add traffic redirection ports

Important
  • The first time you add an instance to WAF, web services may be interrupted for several seconds. If clients can be automatically reconnected, the web services automatically resume. Configure reconnection mechanisms and back-to-origin settings based on your business requirements.

  • If you perform the following operations after you add a Layer 7 CLB instance to WAF, traffic redirection ports are automatically removed from WAF. If you do not re-add the ports to WAF, traffic on the ports is not redirected to WAF.

    • Change the public IP address of the instance.

    • Replace the certificate that is bound to a traffic redirection port with a certificate that is not purchased by using Certificate Management Service (formerly SSL Certificates Service).

    • Enable mutual authentication.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, click Website Configuration.

  3. On the Cloud Native tab, click CLB(HTTP/HTTPS) in the left-side cloud service list.

  4. Click Add.

  5. Click Authorize Now to authorize your WAF instance to access CLB.

    Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose Identities > Roles in the left-side navigation pane.

    Note

    If your WAF instance is already authorized to access CLB, skip this step.

  6. In the Configure Instance - Layer 7 CLB Instance panel, configure the parameters. The following table describes the parameters.

    image.png

    Parameter

    Operation

    Select the instance and port to be added.

    1. Synchronize Instances

      If the instance that you want to add to WAF is not in the instance list, click Synchronize Instances to refresh the instance list.

    2. Add Port

      1. Find the instance that you want to add to WAF and click Add Port in the Actions column.

      2. Select the HTTP or HTTPS ports that you want to add and click OK.

        Important

    Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF

    Specify whether a Layer 7 proxy, such as Anti-DDoS Proxy and Alibaba Cloud CDN, is deployed in front of WAF.

    • By default, No is selected. This value specifies that WAF receives requests that are sent from clients. The requests are not forwarded by proxies.

      Note

      WAF uses the IP address that is used to establish connections with WAF as the IP address of a client. WAF obtains the IP address from the REMOTE_ADDR field of the request.

    • If Layer 7 proxies are deployed in front of WAF, select Yes. This value specifies that WAF receives requests that are forwarded to WAF by a Layer 7 proxy. To ensure that WAF can obtain the actual IP addresses of clients for security analysis, configure the Obtain Actual IP Address of Client parameter.

      • Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client (default)

        By default, WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of a client.

      • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery

        If you use proxies that contain the IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, include the custom header field in the Header Field field.

        Note

        We recommend that you use custom header fields to store the IP addresses of clients and configure the header fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF inspection. This enhances the security of your business.

        You can enter multiple header fields. Press the Enter key each time you enter a header field. If you enter multiple header fields, WAF obtains the IP address of a client from the fields in sequence. WAF scans the header fields in sequence until the IP address of the client is obtained. If WAF cannot obtain the IP address of the client from the header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.

    Resource Group

    Select the resource group to which you want to add the CLB instance. If you do not select a resource group, the instance is added to the default resource group.

    Note

    You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.

    Advanced Settings

    • Enable Traffic Mark

      If you select Enable Traffic Mark, requests that pass through WAF are labeled. This way, your origin server can obtain the actual IP addresses or ports of clients.

      If an attacker obtains information about your origin server before you add your domain name to WAF and uses another WAF instance to forward requests to the origin server, you can select Enable Traffic Mark. This way, the origin server can check whether the requests passed through WAF. If the specified header fields exist in a request, the request passed through WAF and the request is allowed. If the specified header fields do not exist in a request, the request did not pass through WAF and the request is blocked.

      You can configure the following types of header fields:

      • Custom Header

        If you want to add a custom header field, configure the Header Name and Header Value parameters. WAF adds the header field to the back-to-origin requests. This allows the backend service to check whether requests pass through WAF, collect statistics, and analyze data.

        For example, you can add the ALIWAF-TAG: Yes custom header field to label the requests that pass through WAF. In this example, the name of the header field is ALIWAF-TAG and the value of the header field is Yes.

      • Originating IP Address

        You can configure a custom header field to record the actual IP addresses of clients. This way, your origin server can obtain the actual IP addresses of clients. For information about how WAF obtains the actual IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter in this topic.

      • Source Port

        You can configure a custom header field to record the ports of clients. This way, your origin server can obtain the actual ports of clients.

      Important

      We recommend that you do not specify a standard HTTP header field, such as User-Agent. If you specify a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field.

      Click Add Mark to specify a header field. You can specify up to five header fields.

    • Back-to-origin Keep-alive Requests

      If the persistent connection between WAF and your origin server times out, you can configure the timeout period for persistent connections, the number of reused persistent connections, and the timeout period for idle persistent connections.

      • Read Connection Timeout Period: the amount of time that WAF waits for a response from the origin server. If the timeout period is exceeded, WAF closes the connection. Valid values: 1 to 3600. Default value: 120. Unit: seconds.

      • Write Connection Timeout Period: the amount of time that is required for requests to be forwarded to the origin server. If the timeout period is exceeded, the origin server closes the connection. Valid values: 1 to 3600. Default value: 120. Unit: seconds.

      • Back-to-origin Keep-alive Requests: If you want to configure the number of reused persistent connections or the timeout period for idle persistent connections, turn on Back-to-origin Keep-alive Requests and configure the following parameters:

        • Reused Keep-alive Requests: the number of requests that WAF can send to the origin server or the number of responses that WAF can receive from the origin server at the same time. Valid values: 60 to 1000. Default value: 1000.

        • Timeout Period of Idle Keep-alive Requests: the timeout period for idle persistent connections. Valid values: 10 to 3600. Default value: 3600. Unit: seconds.

  7. Select the CLB instance that you want to add to WAF and click OK.

    After you add a CLB instance to WAF, the CLB instance automatically becomes a protected object of WAF. The name of the protected object is in the following format: Instance ID-Port-Asset type. Basic protection rules are automatically enabled for the protected object. You can configure protection rules for the protected object on the Protected Objects page. To go to the Protected Objects page, click the ID of the CLB instance that you added to WAF on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.防护对象

Manage WAF protection

Manage WAF protection in the WAF console

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, click Website Configuration.

  3. Manage WAF protection

    • On the Cloud Native tab, click CLB(HTTP/HTTPS) in the left-side cloud service list. Then, you can view CLB instances that are added to WAF.

    • View protected objects and configure protection rules

      After you add a CLB instance to WAF, the instance automatically becomes a protected object of WAF. The name of the protected object contains the -clb7 suffix and basic protection rules are automatically enabled for the protected object. You can view and configure protection rules for the protected object on the Protected Objects page. To go to the Protected Objects page, click the instance ID on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.image

    • View origin servers and remove a CLB instance from WAF

      After you add a CLB instance to WAF, you can view the protection details of the origin servers and disable traffic redirection or remove traffic redirection ports in emergency disaster recovery scenarios.

      • Click the image.png icon to the left of the instance name and view the ports that are added to WAF.image.png

      • View port details: Click Port Details to view information about the port, protocol, and certificate, and then configure the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF, Enable Traffic Mark (Advanced Settings), and Back-to-origin Keep-alive Requests (Advanced Settings) parameters.

      • Remove a traffic redirection port: Find the port that you want to remove from WAF and click Remove in the Actions column. In the Remove message, click OK.

        Important

        After you remove a traffic redirection port, traffic on the port is no longer protected by WAF. To re-add the port to WAF, click Add. For more information, see Add traffic redirection ports.

Manage WAF protection in the CLB console

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where you want to create the ALB instance.

  3. Manage WAF protection.

    Operation

    Procedure

    Check whether WAF protection is enabled for an instance

    Protection Enabled indicates that WAF protection is enabled for the CLB instance. To check whether WAF protection is enabled for a CLB instance, use one of the following methods:

    Method 1: On the Instances page, find the instance that you want to view and move the pointer over the 未开启 icon to the right of the instance name. In the WAF Protection section, check whether WAF protection is enabled for the instance.

    Method 2:

    1. On the Instances page, click the ID of the CLB instance that you want to view.

    2. On the Instance Details tab, check whether WAF protection is enabled in the Basic Information section.

    Method 3:

    1. On the Instances page, click the ID of the CLB instance that you want to view.

    2. On the Security Protection tab, check whether WAF protection in enabled for the CLB instance in the WAF Protection section.

    View security reports

    After you add a CLB instance to WAF, you can view the WAF protection records of the instance in security reports.

    Method 1: On the Instances page, find the instance whose protection records you want to view and move the pointer over the 未开启 icon. In the WAF Protection section, click View WAF Security Report to go to the Security Reports page of the WAF 3.0 console.

    Method 2:

    1. On the Instances page, click the ID of the CLB instance whose protection records you want to view.

    2. On the Instance Details tab, click View WAF Security Report to the right of WAF Security Protection in the Basic Information section to go to the Security Reports page of the WAF 3.0 console.

    Method 3:

    1. On the Instances page, find the CLB instance whose protection records you want to view and click the ID of the instance.

    2. On the Security Protection tab, click Manage WAF Protection in the WAF Protection section. In the Manage WAF panel, click View WAF Security Report to go to the Security Reports page of the WAF 3.0 console.

    For more information, see Security reports.

    Disable WAF protection

    After you disable WAF protection, traffic of the CLB instance is no longer protected by WAF and the protection records are no longer included in the security reports.

    Important

    After you disable WAF protection for a CLB instance, you are no longer charged request processing fees. However, you are still charged feature fees for the protection rules that you configured for the CLB instance. Before you disable WAF protection for a CLB instance, we recommend that you delete the protection rules that you configured. For more information, see Billing overview and Protection configuration overview.

    Method 1:

    1. On the Instances page, find the CLB instance that you want to manage and choose 选择 > Manage in the Actions column.

    2. On the Listener tab, find the CLB instance and move the pointer over the 未开启 icon to the right of the instance name. Then, click Disable.

    3. In the Disable WAF Protection dialog box, click OK.

    Method 2:

    1. On the Instances page, click the ID of the CLB instance that you want to manage.

    2. On the Listener tab, find the CLB instance and move the pointer over the 未开启 icon to the right of the instance name. Then, click Disable.

    3. In the Disable WAF Protection dialog box, click OK.

    Method 3:

    1. On the Instances page, click the ID of the CLB instance that you want to manage.

    2. On the Security Protection tab, click Manage WAF Protection in the WAF Protection section.

    3. In the Manage WAF panel, turn off image in the WAF Protection column. In the Disabled message, click OK.

Update the SSL certificate that is bound to a traffic redirection port

If the SSL certificate that is bound to a traffic redirection port is about to expire or is modified, you must update the certificate.

Note
  • If the remaining validity period of the certificate is less than 30 days, image.png is displayed in the domain name list. This indicates that your SSL certificate is about to expire. You must update the certificate at the earliest opportunity.

  • If you want to receive notifications when the certificate is about to expire, log on to the Certificate Management Service console. Find the certificate that is about to expire and click the image.png icon in the Notification Reminder column. On the Notification page, enable and configure a notification policy for the certificate.

  • To prevent service interruptions that are caused by certificate expiration, enable the certificate hosting feature of Certificate Management Service. If you enable this feature for a certificate, the system automatically applies for a new certificate. For more information, see Certificate Management Service overview.

To update the SSL certificate that is bound to a traffic redirection port, perform the following steps:

  1. Renew the certificate or upload the certificate to Certificate Management Service (Original SSL Certificate). For more information, see Certificate renewal or Upload an SSL certificate.

  2. Synchronize the SSL certificate to your Layer 7 CLB instance.

    If you replace the certificate in the CLB console, the certificate is automatically synchronized to WAF. Otherwise, you must perform the following operations to manually synchronize the certificate in the WAF console:

    1. On the Cloud Native tab of the Website Configuration page, click CLB(HTTP/HTTPS) in the left-side cloud service list. Then, click Add.

    2. In the Configure Instance - Layer 7 CLB Instance panel, click Synchronize Instances to synchronize the updated certificate.

  3. If the new certificate that is bound to a traffic redirection port is a third-party certificate, the traffic redirection port is automatically removed from WAF. After you replace the certificate, re-add the port to WAF. For more information, see Add traffic redirection ports.

Important

If a certificate has expired, certificates cannot be synchronized to WAF. You must delete the certificate that has expired.

FAQ

  • Check whether WAF protection is enabled for a Layer 7 CLB instance

    1. Enter the domain name that you added to WAF in the address bar of a browser. If the domain name can be accessed, the domain name is protected by WAF.

    2. Insert malicious SQL code, such as xxx.xxxx.com?id=1 and 1=1, into requests and check whether the requests are blocked. If the 405 Method Not Allowed error is returned, the requests are blocked.

      image.png

  • CLB supports Layer 4 and Layer 7 listeners. Layer 4 listeners use the TCP or UDP protocol, and Layer 7 listeners use the HTTP or HTTPS protocol.

    • Layer 4 listeners directly forward requests to backend servers. When a CLB instance receives a request, the CLB instance modifies the destination IP address and destination port of the data packet based on the listener port. Then, the CLB instance forwards the request to a backend server. A TCP connection is established between the client and the backend server.

    • A Layer 7 listener functions as a reverse proxy. After a client request reaches a Layer 7 listener of CLB, CLB establishes a new TCP connection to a backend server over HTTP, instead of directly forwarding the request to the backend server. Compared with Layer 4 listeners, Layer 7 listeners require an additional step of Tengine processing. The throughput capacity of Layer 7 listeners may be limited by factors such as client port exhaustion or excessive workloads on backend servers. If your business requires higher performance, we recommend that you use Layer 4 listeners.

    For more information, see CLB listener overview.

  • Can I add an HTTP port and an HTTPS port to WAF when I add a Layer 7 CLB instance to WAF?

    Yes, you can add an HTTP port and an HTTPS port.

  • What do I do if the "The CLB certificate whose port number is 443 is incomplete. Go to the SLB console and select a certificate that is from Certificate Management Service." error message appears when I add a CLB instance to WAF?

    You must log on to the Certificate Management Service console to renew or upload the certificate and then select the certificate in the CLB console. For more information, see Certificate renewal or Upload an SSL certificate.

References