All Products
Search

This Product

    Web Application Firewall:Allow access from back-to-origin CIDR blocks of WAF

    Document Center

    Web Application Firewall:Allow access from back-to-origin CIDR blocks of WAF

    Last Updated:Jul 08, 2025

    In CNAME record mode, Web Application Firewall (WAF) uses specific back-to-origin CIDR blocks to forward normal traffic back to an origin server. After you add a website to WAF in CNAME record mode, you must configure security software or access control policies for the origin server to allow inbound traffic from the back-to-origin CIDR blocks of WAF.

    Scenarios

    In CNAME Record mode, if your origin server has configured security group rules, firewall rules, or other access control policies, or if you use security software such as SafeDog or Yunsuo, you must add the back-to-origin CIDR blocks of WAF to the IP address whitelist of the security software. This ensures the security software does not block normal traffic forwarded by WAF to the origin server.

    For more information:

    • What Is A Back-to-origin CIDR Block Of WAF?

      A back-to-origin CIDR block of WAF is a CIDR block that WAF uses to forward requests from clients to the origin server. After a website is added to WAF, the origin server considers that all requests originate from the back-to-origin CIDR blocks of WAF. The originating IP addresses of clients are added to the X-Forwarded-For (XFF) fields in the HTTP headers of requests.

      image

    • Why Do I Need To Add The Back-to-origin CIDR Blocks Of WAF To The IP Address Whitelist Of The Security Software On The Origin Server?

      After a website is added to WAF, the origin server receives requests from the back-to-origin CIDR blocks of WAF at a high rate. The firewall or security software on the origin server might consider these CIDR blocks as attack IP addresses and block them. If these IP addresses are blocked, WAF cannot receive responses from the origin server as expected. After adding a website to WAF, ensure that the back-to-origin CIDR blocks of WAF are added to the IP address whitelist of the origin server. Otherwise, the website may become inaccessible or slow.

    Obtain the back-to-origin CIDR blocks of WAF

    1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

    2. In the left-side navigation pane, click Website Configuration.

    3. Click the CNAME Record tab.

    4. Click Back-to-origin CIDR Blocks above the domain name list.

      回源IP

    5. In the Back-to-origin CIDR Block dialog box, click Copy to copy all back-to-origin CIDR blocks to the clipboard.

      Note

      The back-to-origin CIDR blocks that you copy are separated by commas (,). IPv6 addresses may be included, such as 2408:400a:3c:xxxx::/56. You can determine whether to allow IPv6 addresses based on your business requirements. If your origin server supports only IPv4 addresses, you do not need to allow IPv6 addresses.

      回源IP段

    What to do next

    After you obtain the back-to-origin CIDR blocks of WAF, you must add them to the IP address whitelist of the security software on the origin server. You can also configure access control policies for the origin server to allow inbound traffic only from the back-to-origin CIDR blocks of WAF.

    Warning

    If you do not add the back-to-origin CIDR blocks of WAF to the IP address whitelist of the security software on the origin server, normal requests forwarded by WAF may be blocked. This may cause service interruptions.

    For security purposes, we recommend that you configure access control policies for the origin server to allow inbound traffic only from the back-to-origin CIDR blocks of WAF. This prevents attackers from bypassing WAF to attack the origin server.