This topic describes how to add a domain name to Web Application Firewall (WAF) in CNAME record mode after you purchase a WAF instance.
Prerequisites
- A WAF instance is purchased. The number of domain names that are added to the WAF instance does not reach the upper limit.
Note: The total number of domain names that can be added to a WAF instance varies based on the specifications of the instance and the number of extra domain packages that you purchased. For more information, see Extra domain package.
- If you use a WAF instance in the Chinese mainland to protect your domain name, you must complete Internet Content Provider (ICP) filing for your domain name before you can add your domain name to the WAF instance. If you have not completed ICP filing for your domain name, an error is reported when you add your domain name to WAF. For more information about ICP filing, see ICP filing application overview.
Notice: After you add your domain name to WAF, we recommend that you keep the ICP filing information up-to-date. To meet the requirements of laws and regulations, WAF removes the domain names whose ICP filing information is invalid on a regular basis.
Background information
When you add your domain name to WAF in CNAME record mode, you must enter the domain name information and change the DNS record to resolve the domain name to the CNAME assigned by WAF. This way, the requests destined for your domain name are redirected to WAF. This mode is supported regardless of whether your origin server is deployed on the cloud. However, the origin server must be accessible over the Internet. The following sections describe how to add a domain name in CNAME record mode.
You can use one of the following methods to add a domain name:
- Configure WAF to automatically add domain name configurations: You need only to select the domain name that you want to add and the network protocol type on the Add Domain Name page. WAF automatically reads the information about the domain name within your Alibaba Cloud account. Then, WAF automatically adds the domain name configurations, such as the domain name, server address, and standard ports 80 and 443, and changes the DNS record of the domain name.
Notice: The account that you use to add domain names must have management permissions on Alibaba Cloud DNS resources. If the account does not have the permissions, WAF cannot automatically change the DNS record. If WAF does not automatically change the DNS record, you can manually change the DNS record of the domain name after the domain name is added.
- Manually add domain name configurations: If WAF cannot automatically add the configurations of a domain name, you can add the domain name configurations, such as the domain name, protocol type, server address, and server port. After you add the domain name configurations, you must change the DNS record of the domain name to redirect the requests that are destined for the domain name to WAF.
Configure WAF to automatically add domain name configurations
You can select an eligible domain name that you want to add to WAF from the list on the Automatically Add tab. Then, the domain name is automatically added.
Eligible domain names include only the valid domain names that are configured in Alibaba Cloud DNS.
Procedure
Manually add domain name configurations
To add a domain name to WAF in CNAME record mode, perform the following steps:
Upload an HTTPS certificate
If you select HTTPS when you add a domain name, you must upload the valid and correct HTTPS certificate that is associated with the domain name in the WAF console. This way, WAF can protect HTTPS requests.
- Manually upload a certificate:
You must prepare the following files before you upload a certificate. Before you upload a certificate, make sure that the certificate chain is valid.
- The certificate file in the CRT or PEM format
- The private key file in the KEY format
- Select an existing certificate: You can select the certificate that is associated with the domain name and is managed in the SSL Certificates Service console.
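A pre-upload check for the files listed above, as an added example that is not part of the original documentation: it confirms that the private key belongs to the certificate, that the certificate covers the domain name and is not about to expire, and that the chain verifies. It assumes OpenSSL 1.1.1 or later; the function names, file arguments, and 30-day threshold are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): checks to run before uploading
# a certificate and private key. Assumes OpenSSL 1.1.1+ and an unencrypted key.

# cert_matches_key CERT KEY: succeeds only if both carry the same public key.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    # An unreadable file yields an empty string, which must never count as a match.
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# cert_covers_name CERT NAME: the certificate is valid for this host name.
cert_covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# cert_valid_for CERT DAYS: the certificate does not expire within DAYS days.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# chain_verifies CERT [CA_FILE]: the first certificate in CERT chains to a trusted
# root, using the remaining certificates in CERT as intermediates.
chain_verifies() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$1" "$1" >/dev/null 2>&1
    fi
}

# preflight CERT KEY NAME [CA_FILE]: run every check and report each failure.
preflight() {
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_covers_name "$1" "$3" || { echo "FAIL: certificate does not cover $3"; rc=1; }
    cert_valid_for "$1" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    chain_verifies "$1" "${4:-}" || { echo "FAIL: certificate chain does not verify"; rc=1; }
    return "$rc"
}

# Usage: sh preflight.sh CERT KEY NAME [CA_FILE]
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

Pass a CA file as the fourth argument only when the certificate was issued by a private CA; otherwise the system trust store is used.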
Procedure
Subsequent configurations
After you add the domain name, the requests that are destined for the domain name are protected by WAF. You can modify domain name configurations to enhance protection.
Type | Description | References |
---|---|---|
Website protection configuration | WAF provides multiple features to protect your domain name against different types of attacks. By default, the Protection Rules Engine and HTTP Flood Protection features are enabled. The protection rules engine feature protects your domain name against common web attacks, such as SQL injections, XSS attacks, and webshell uploads. The HTTP flood protection feature protects your domain name against HTTP flood attacks. You must manually enable other features and configure protection rules. | Overview |
Alert configuration | You can configure alert rules to enable WAF to send alert notifications when attacks and abnormal traffic are detected in access requests. This way, you can check the security status of your business in a timely manner. | Configure WAF alerting |
Configuration of the Log Service for WAF feature | After you enable the Log Service for WAF feature, WAF can collect and store the log data of your domain name. You can query and analyze the log data. By default, the Log Service for WAF feature stores full logs for 180 days. This helps you meet the requirements of classified protection. | Overview of the Log Service for WAF feature |
What to do next
- Upload an HTTPS certificate: If your domain name supports HTTPS, make sure that the correct certificate and private key files are uploaded to WAF. This ensures that WAF protects HTTPS requests. To upload the HTTPS certificate and private key files for the domain name, you must click the icon in the Origin Server column.
For more information, see Upload SSL certificates.
- Enable IPv6 traffic protection: If you want to protect IPv6 traffic destined for your domain name, turn on IPV6 for the domain name in the Quick Action column.
For more information, see Enable IPv6 traffic protection.
- Enable Log Service for WAF: Turn on Log Service in the Quick Access column to enable the Log Service for WAF feature. This feature allows you to collect logs of your domain name. You can use the logs for query, analysis, dashboard data visualization, and alerting.
For more information, see Step 2: Enable the log collection feature.
Notice: Log Service for WAF is a value-added feature that is provided by WAF. You must enable this feature before you can use it. For more information, see Enable Log Service for WAF.
- Configure protection resources: Click the icon next to Protection Resource in the Quick Access column. Then, configure the protection resources for the domain name.
The following types of protection resources are supported:
- Shared Cluster and Shared IP: This is the default value.
- Shared Cluster and Exclusive IP: For more information about exclusive IP addresses, see Exclusive IP addresses.
- Shared Cluster and Load Balancing Among Multiple WAF Nodes: For more information about global load balancing, see Intelligent load balancing.
- Exclusive Cluster: For more information about exclusive clusters, see Create an exclusive cluster.
- View attack monitoring reports: Click View Report in the Attack Monitoring column to go to the Security Report page. On the page that appears, you can view a protection report of the domain name. For more information, see View Security Reports.
- Configure protection policies: Click Config in the Actions column to go to the Website Protection page. On the page that appears, you can configure the Web Security, Bot Management, and Access Control/Throttling modules. For more information, see Overview.
- Modify domain name configurations: Click Edit in the Actions column to modify domain name configurations, such as the protocol type, server address, and server port. The domain name cannot be changed.
- Delete a domain name: Click Delete in the Actions column to delete a domain name.
Warning: Before you can delete a domain name, you must change the DNS record to map the domain name to the IP address of the origin server. If you do not change the DNS record, the requests that are destined for the domain name cannot be forwarded after the domain name is deleted.
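The DNS change described under Background information and the warning above both depend on where the domain name currently resolves. The following added example, which is not part of the original documentation, classifies the answer returned by `dig +short`; the function names, the WAF-assigned CNAME, and the IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): report where a domain name resolves.
# The CNAME and IP addresses used here are constructed placeholders.

# Lowercase a record and drop the trailing dot that dig prints after names.
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# classify_resolution WAF_CNAME ORIGIN_IP DIG_OUTPUT
# DIG_OUTPUT is what `dig +short NAME` prints: the CNAME chain, then addresses.
# Prints via-waf, direct-to-origin, other-target or unresolved.
classify_resolution() {
    want=$(normalize "$1")
    origin=$(normalize "$2")
    state=unresolved
    while IFS= read -r line; do
        # Skip blank lines and dig diagnostics such as ";; connection timed out".
        case "$line" in ''|';'*) continue ;; esac
        rec=$(normalize "$line")
        if [ "$rec" = "$want" ]; then
            state=via-waf      # the WAF-assigned CNAME is in the chain
            break
        elif [ "$rec" = "$origin" ]; then
            state=direct-to-origin
        elif [ "$state" = unresolved ]; then
            state=other-target
        fi
    done <<EOF
$3
EOF
    printf '%s\n' "$state"
}

# check_domain NAME WAF_CNAME ORIGIN_IP: live lookup (needs dig and a resolver).
check_domain() {
    classify_resolution "$2" "$3" "$(dig +short "$1")"
}

# Constructed answers, shaped like `dig +short` output:
WAF=xxxxxxxx.waf-cname.example
ORIGIN=198.51.100.7
classify_resolution "$WAF" "$ORIGIN" "$(printf 'XXXXXXXX.waf-cname.example.\n203.0.113.10')"
classify_resolution "$WAF" "$ORIGIN" "198.51.100.7"
classify_resolution "$WAF" "$ORIGIN" ""
```

Expect `via-waf` once the DNS change has taken effect, and `direct-to-origin` before you delete the domain name from WAF.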
FAQ
For more information, see FAQ about website access configuration in FAQ.