Web Application Firewall:Add a domain name to WAF

Last Updated:May 29, 2023

To add a website to Web Application Firewall (WAF) in CNAME record mode, you must add the domain name of the website to WAF. This topic describes how to add a domain name to WAF.

Prerequisites

  • A WAF instance is purchased. The number of domain names that are added to the WAF instance does not reach the upper limit.

    Note

    The total number of domain names that can be added to a WAF instance varies based on the specifications of the instance and the number of additional domain names that you purchased. For more information, see Extra domain package.

  • To use a WAF instance in the Chinese mainland to protect a domain name, an Internet Content Provider (ICP) filing must be completed for the domain name.

    Important

    After you add the domain name to WAF, make sure that the ICP filing information is valid. To meet the requirements of laws and regulations, WAF removes domain names whose ICP filing information is invalid on a regular basis.

Add a domain name to WAF

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region in which your WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Asset Center > Website Access.

  3. On the Domain Names tab, click Website Access.

    Note

    On the Add Domain Name page, the Access Mode parameter is set to CNAME Record by default. You do not need to change the value of the parameter.

  4. Enter the information about your website and click Next.

    Parameter

    Description

    Domain Name

    Enter the domain name of your website. You must specify the domain name based on the following requirements:

    • The domain name can be an exact match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. Take note of the following information:

      • If you enter a wildcard domain name, WAF automatically matches all subdomains of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF matches subdomains such as www.aliyundoc.com and test.aliyundoc.com.

        Important

        If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match aliyundoc.com. If you want to use WAF to protect aliyundoc.com, you must separately add the domain name to WAF.

      • If you enter a wildcard domain name and an exact match domain name, WAF uses the forwarding rules and protection rules of the exact match domain name.

    • .edu domain names are not supported.

    Protection Resource

    Select the type of protection resource that you want to use. Valid values:

    • Shared Cluster: This is the default value.

    • Exclusive Cluster: This option is available only when you use a WAF instance of the Exclusive edition. You can use an exclusive cluster to deliver service-specific protection. For more information, see Best practices for WAF exclusive clusters.

    • Hybrid Cloud Cluster: If you use Hybrid Cloud WAF, you must select this option. For more information, see Add a website to Hybrid Cloud WAF.

    Protocol Type

    Select a protocol type. Valid values:

    • HTTP

    • HTTPS

      Important

      If your website supports HTTPS, select HTTPS. After you add your domain name configurations, upload the required certificate and private key files. For more information, see Upload an HTTPS certificate.

      If you select HTTPS, you can enable the following features:

      • (Advanced Settings) Enforce HTTPS Routing

        If you enable this feature, HTTP requests that are sent from the client are automatically converted into HTTPS requests. The client sends HTTPS requests to WAF on port 443 and WAF forwards the HTTPS requests to the origin server on port 443. If you want a client to access your website by using HTTPS, enable this feature to improve access security.

        Important
        • You can enable this feature only when HTTP is not selected.

        • Before you enable this feature, make sure that your website supports HTTPS. After you enable this feature, requests are delivered over HTTPS.

      • (Advanced Settings) Enable HTTP

        If you enable this feature, WAF forwards requests over HTTP. The default port is port 80. WAF forwards requests on port 80 to the origin server, regardless of whether the client accesses WAF on port 80 or 443. After you enable this feature, you can use WAF to convert HTTPS requests that are sent to your website into HTTP requests. This way, the workload of the origin server is reduced. Clients can access your website over HTTPS without the need to modify settings on the origin server.

        Important

        If the domain name does not support HTTPS, turn on Enable HTTP.

      • (Advanced Settings) Enforce HTTPS Routing and Enable HTTP: both disabled

        If the client accesses WAF on port 80, WAF forwards requests that are sent to port 80 to the origin server. If the client accesses WAF on port 443, WAF forwards requests that are sent to port 443 to the origin server.

      • Enable Origin SNI

        Origin Server Name Indication (SNI) specifies the domain name to which an HTTPS connection must be established at the start of the TLS handshaking process when WAF forwards requests to the origin server. If the origin server hosts multiple domain names, you must enable this feature.

        After you select Enable Origin SNI, you can configure the SNI field. Valid values:

        • Use Domain Name in Host Header: specifies that the value of the SNI field in WAF back-to-origin requests is the same as the value of the Host header field. This is the default value.

          For example, if the domain name you configured is *.aliyundoc.com and the client sends requests to the www.aliyundoc.com domain name, the value of the SNI field in WAF back-to-origin requests is www.aliyundoc.com. The www.aliyundoc.com domain name is the value of the Host header field.

        • Custom: specifies that a custom value can be entered for the SNI field in WAF back-to-origin requests.

          If you want WAF to use an SNI field whose value is different from the value of the Host header field in back-to-origin requests, you must specify a custom value for the SNI field.

    • HTTP2 (You can select HTTP/2 only after you select HTTPS.)

      If your domain name supports HTTP/2, you must select HTTP2. The HTTP/2 port is the same as the HTTPS port, so after you select HTTP2 you need only specify the HTTPS port. For more information, see Is the origin server affected when HTTP/2 services are added to WAF?

      Note

      You can select HTTP2 only when your WAF instance is of the Business edition, Enterprise edition, or Exclusive edition.

    Destination Server (IP Address)

    Enter the address of the origin server. Valid values: IP and Domain Name (Such as CNAME). WAF filters and forwards requests to this address. Take note of the following items:

    • IP: Enter the public IP address of the origin server. The public IP address must be accessible over the Internet.

      Press the Enter key each time you enter an IP address. You can enter up to 20 IP addresses.

      Note

      If you enter multiple IP addresses, WAF automatically performs health checks and load balancing on the addresses.


      • Specify both IPv4 addresses and IPv6 addresses

        If you select Use the Same Protocol, WAF forwards requests from IPv4 clients to the origin server over IPv4 and requests from IPv6 clients to the origin server over IPv6. If you do not select Use the Same Protocol, WAF forwards each request to the origin server over IPv4 or IPv6 at random.

        Important

        If you want WAF to forward requests over IPv6, make sure that IPV6 is turned on for the domain name on the Website Access page. For more information, see Enable IPv6 traffic protection.

      • Specify only IPv4 addresses

        WAF forwards all requests to the origin server over IPv4.

      • Specify only IPv6 addresses

        WAF forwards all requests to the origin server over IPv6.

      When you enter an IP address, take note of the following items:

      • If the origin server is an Alibaba Cloud Elastic Compute Service (ECS) instance, enter the public IP address of the instance.

      • If the ECS instance is associated with a Server Load Balancer (SLB) instance, enter the public IP address of the SLB instance.

      • If the origin server is not deployed on Alibaba Cloud, we recommend that you ping the domain name to query the public IP address of the origin server. Then, enter the public IP address of the origin server.

      • Make sure that Enable Traffic Redirection is turned off for the specified IP address in transparent proxy mode.

    • Domain Name (Such as CNAME): Enter the domain name of the origin server. For example, enter the CNAME of an Object Storage Service (OSS) bucket.

      The domain name is resolved to an IPv4 address, and WAF forwards back-to-origin requests to that IPv4 address.

      Important
      • The domain name of the origin server must be different from the domain name that you want to protect.

      • If you enter a domain name of an OSS bucket, you must map the domain name that you want to protect to the bucket in the OSS console. For more information, see Map custom domain names.

    Destination Server Port

    Specify the port that you want to use to forward requests.

    WAF receives and forwards requests only on the ports that you specify. This way, the origin server remains protected regardless of whether other, unspecified ports are open on it.

    Important

    Protocol Type and Destination Server Port must be set to the protocol and port that the origin server uses to provide web services. WAF does not support port translation. For example, if the origin server provides web services by using HTTP and port 80, you must set Protocol Type to HTTP and Destination Server Port to 80.

    Default ports:

    • 80: By default, this port is used when HTTP is selected.

    • 443: By default, this port is used when HTTPS is selected. HTTP2 uses the same port as HTTPS.

    Custom ports: Enter port numbers in the HTTP Port field and HTTPS Port field. Press the Enter key each time you enter a port number. Click View Allowed Port Range to query all supported ports.

    Note
    • A WAF instance of the Enterprise or Exclusive edition supports up to 50 ports, including port 80, port 8080, port 443, and port 8443. A WAF instance of the Pro edition or Business edition supports up to 10 ports, including port 80, port 8080, port 443, and port 8443.

    • For more information about the ports that are supported by shared clusters, see View the ports supported by WAF.

    • If you are using a WAF instance of the Exclusive edition, you can select ports only from the Destination Server Port section on the Exclusive Settings page. For more information, see Configure an exclusive cluster.

    Load Balancing Algorithm

    If you enter multiple addresses of origin servers, you must configure this parameter. Valid values:

    • IP hash: Requests that are sent from a specific IP address are forwarded to the same origin server. This is the default value.

      Note

      If you select IP hash but the IP addresses of origin servers are not scattered across different network segments, workloads may be unbalanced.

    • Round-robin: All requests are distributed to origin servers in sequence.

    • Least time: WAF uses the intelligent DNS resolution feature and the upgraded least-time back-to-origin algorithm to reduce latency when requests are forwarded to origin servers.

      Note

      You can select Least time only when intelligent load balancing is enabled. For more information, see Intelligent load balancing.

    After the settings take effect, WAF distributes back-to-origin requests to multiple addresses of origin servers.

    Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF

    Specify whether a Layer 7 proxy is deployed in front of WAF. The Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN (CDN). Valid values:

    • No: No Layer 7 proxies are deployed in front of WAF, and WAF receives requests from the client. WAF uses the IP address that is used by a client to establish a connection with WAF as the IP address of the client. WAF obtains the IP address from the REMOTE_ADDR field.

    • Yes: A Layer 7 proxy is deployed in front of WAF. WAF receives requests from the Layer 7 proxy instead of the client. To ensure that WAF can obtain the actual IP address of the client for security analysis, you must configure the Obtain Source IP Address parameter.

      By default, WAF uses the first IP address in the X-Forwarded-For field as the IP address of a client.

      If the proxy records the actual IP address of the client in a custom header field, such as X-Client-IP or X-Real-IP, you must select [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery and enter the custom header field in the Header Field field.

      Note

      We recommend that you use custom header fields to store the IP addresses of clients and configure the header fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF protection. This improves the security of your business.

      You can enter multiple header fields. Separate multiple header fields with commas (,). If you enter multiple header fields, WAF scans the header fields in sequence until the IP address of the client is obtained. If WAF cannot obtain the IP address of the client from header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.
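The client-IP selection described for this parameter, written out as a small model in Python. This is an added example, not code from the page or from WAF; the real selection logic is WAF's own. It assumes that a header token must parse as an IP address to count (the page does not say how WAF validates tokens) and that, when neither the custom headers nor X-Forwarded-For yields an address, the peer address is used. The sample request is constructed: a client behind an upstream proxy forged its own X-Forwarded-For, while the proxy stored the real address in X-Real-IP.

```python
import ipaddress
from typing import Mapping, Optional, Sequence


def first_valid_ip(value: str) -> Optional[str]:
    """Return the first comma-separated token of a header value that parses as an
    IPv4 or IPv6 address. Tokens that are not addresses are skipped (assumption)."""
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            return str(ipaddress.ip_address(token))
        except ValueError:
            continue
    return None


def resolve_client_ip(remote_addr: str,
                      headers: Mapping[str, str],
                      layer7_proxy: bool = False,
                      custom_headers: Sequence[str] = ()) -> str:
    """Model of the 'Does a layer 7 proxy exist in front of WAF' parameter.

    layer7_proxy=False -> the peer address (REMOTE_ADDR) is the client IP.
    layer7_proxy=True  -> scan custom_headers in order and take the first IP found;
                          if none yields an IP, fall back to the first IP in
                          X-Forwarded-For. Falling back to remote_addr when
                          X-Forwarded-For is absent too is this model's assumption.
    """
    if not layer7_proxy:
        return remote_addr
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in custom_headers:
        value = lowered.get(name.lower())
        if value:
            ip = first_valid_ip(value)
            if ip is not None:
                return ip
    ip = first_valid_ip(lowered.get("x-forwarded-for", ""))
    return ip if ip is not None else remote_addr


# Constructed sample: the peer that connects to WAF is the upstream proxy
# (203.0.113.9). The real client is 198.51.100.7; the proxy records it in
# X-Real-IP and merely appends it to the X-Forwarded-For the client forged.
PROXY_ADDR = "203.0.113.9"
FORGED_HEADERS = {
    "X-Forwarded-For": "10.0.0.1, 198.51.100.7",
    "X-Real-IP": "198.51.100.7",
    "Host": "www.aliyundoc.com",
}


def demo() -> dict:
    """Client IP that the model selects under the three configurations."""
    return {
        "no_proxy": resolve_client_ip(PROXY_ADDR, FORGED_HEADERS, layer7_proxy=False),
        "proxy_default_xff": resolve_client_ip(PROXY_ADDR, FORGED_HEADERS, layer7_proxy=True),
        "proxy_custom_header": resolve_client_ip(
            PROXY_ADDR, FORGED_HEADERS, layer7_proxy=True,
            custom_headers=("X-Client-IP", "X-Real-IP")),
    }


if __name__ == "__main__":
    for mode, ip in demo().items():
        print(f"{mode}: {ip}")
```

With the default X-Forwarded-For setting the forged 10.0.0.1 is taken as the client address, which is exactly the forgery the Note above warns about; with the custom header list, X-Client-IP is absent, so X-Real-IP supplies the real 198.51.100.7.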

    Enable Traffic Mark

    Specify whether to enable the WAF traffic mark feature.

    The feature adds custom header fields to WAF back-to-origin requests. You can configure or modify the custom header fields to tag the requests that are forwarded by WAF or record the actual IP addresses or ports of clients.

    If you select Enable Traffic Mark, you must add custom header fields.

    Important
    • We recommend that you do not configure a standard HTTP header field, such as User-Agent. If you configure a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field.

    • If an attacker obtains the IP address of the origin server before you add the domain name to WAF and purchases another WAF instance to forward requests to the origin server, we recommend that you select Enable Traffic Mark and add custom header fields. We recommend that you verify the header fields after the origin server receives the requests. If the specified header fields exist, the requests are allowed.

    You can add the following types of header fields:

    Custom Header

    If you want to add a custom header, configure the following fields: Header Name and Header Value. WAF adds the header field to the back-to-origin requests to allow the backend service to check whether requests pass through WAF, collect statistics, and analyze data.

    For example, you can specify the ALIWAF-TAG: Yes header field setting to tag the requests that pass through WAF. In this example, ALIWAF-TAG is the header field name, and Yes is the header field value.

    Originating IP Address

    You can configure a custom header to record the actual IP address of a client. This way, your origin server can obtain the actual IP address of the client. For more information about how WAF obtains the actual IP addresses of clients, see the description of the Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF parameter.

    Source Port

    You can configure a custom header to record the source port of a client. This way, your origin server can obtain the actual port of the client.

    Click Add Mark to add a header field. You can add up to five header fields.
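An origin-side check for the traffic mark, as an added example in Python that is not part of the page or of WAF. It combines the two controls this topic describes: the peer must come from a WAF back-to-origin CIDR block (the ranges here are RFC 5737/3849 documentation prefixes standing in for the real list from the console) and the request must carry the ALIWAF-TAG header from the page's example. The header names X-WAF-Client-IP and X-WAF-Client-Port are hypothetical names for the Originating IP Address and Source Port marks; the sample requests are constructed.

```python
import hmac
import ipaddress
from typing import Mapping, Optional, Tuple

# Placeholder ranges. Replace with the back-to-origin CIDR blocks shown in the WAF console.
WAF_BACK_TO_ORIGIN_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Traffic-mark header and value from the page's example. A long random value in
# place of "Yes" is this example's suggestion, not something the page states.
MARK_HEADER = "ALIWAF-TAG"
MARK_VALUE = "Yes"

# Hypothetical header names for the Originating IP Address and Source Port marks.
CLIENT_IP_HEADER = "X-WAF-Client-IP"
CLIENT_PORT_HEADER = "X-WAF-Client-Port"


def peer_in_waf_ranges(peer_ip: str, cidrs=WAF_BACK_TO_ORIGIN_CIDRS) -> bool:
    """True when the TCP peer of the origin is inside a WAF back-to-origin range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in cidrs)


def classify_request(peer_ip: str, headers: Mapping[str, str]) -> Tuple[bool, str, Optional[str]]:
    """Decide whether a request that reached the origin came through our WAF.

    Returns (allowed, reason, client_ip). Both checks are needed: the CIDR check
    alone does not distinguish our WAF from another WAF instance that shares the
    same back-to-origin ranges (the scenario in the Important note above), and the
    header check alone does not stop a client that reaches the origin directly
    and sets the header itself.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if not peer_in_waf_ranges(peer_ip):
        return False, "peer address is outside the WAF back-to-origin ranges", None
    mark = lowered.get(MARK_HEADER.lower(), "")
    # Constant-time comparison so the value cannot be guessed byte by byte.
    if not hmac.compare_digest(mark.encode(), MARK_VALUE.encode()):
        return False, "traffic-mark header missing or wrong", None
    client_ip = None
    raw = lowered.get(CLIENT_IP_HEADER.lower())
    if raw:
        try:
            client_ip = str(ipaddress.ip_address(raw.strip()))
        except ValueError:
            client_ip = None  # malformed mark: log it, but do not trust it
    return True, "ok", client_ip


# Constructed sample requests as seen by the origin server.
SAMPLES = {
    "through_our_waf": ("203.0.113.45", {
        MARK_HEADER: "Yes", CLIENT_IP_HEADER: "198.51.100.7", CLIENT_PORT_HEADER: "51234"}),
    "direct_with_forged_header": ("192.0.2.10", {MARK_HEADER: "Yes"}),
    "other_waf_instance": ("203.0.113.77", {"X-Forwarded-For": "198.51.100.7"}),
}


def demo() -> dict:
    """Classification of each constructed sample."""
    return {name: classify_request(ip, hdrs) for name, (ip, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run at the origin (a reverse-proxy rule or application middleware), a request failing either check should be rejected before any application logic sees it, and the reason string is the value worth logging.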

    Back-to-origin Timeout Configuration

    Specify the timeout periods for back-to-origin requests.

    • Connection Timeout Period: the timeout period that is required for WAF to establish a connection with the origin server. Valid values: 5 to 120. Unit: seconds. Default value: 5.

    • Read Connection Timeout Period: the timeout period that is required to receive responses from the origin server. Valid values: 5 to 1800. Unit: seconds. Default value: 120.

    • Write Connection Timeout Period: the timeout period that is required for WAF to forward requests to the origin server. Valid values: 5 to 1800. Unit: seconds. Default value: 120.

    Note

    You can configure the timeout period settings only if you use an on-cloud WAF instance of the Pro, Business, Enterprise, or Exclusive edition. You cannot configure the timeout period settings for Hybrid Cloud WAF instances.

    Resource Group

    Select the resource group to which you want to add the domain name from the drop-down list.

    Note

    You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.

  5. If the domain names that are matched to the wildcard domain name specified in Step 4 are occupied by another user, configure the TXT record based on the record type, domain name, and record value that are displayed in the Tips dialog box.

    For example, if you use Alibaba Cloud DNS, you can log on to the Alibaba Cloud DNS console and configure the TXT record based on the information that is displayed in the Tips dialog box. For more information, see Add a DNS record.

  6. Modify the DNS record.

    Follow the on-screen instructions to modify the DNS record and click Next. After you modify the DNS record, the domain name is mapped to WAF. For more information, see Change a DNS record.

  7. Complete the settings.

    Configure the back-to-origin CIDR blocks of WAF as prompted and click Completed. Return to the website list. The Website Access page appears. For more information, see Allow WAF back-to-origin CIDR blocks.

Upload an HTTPS certificate

If you select HTTPS for Protocol Type in Step 4 when you add a domain name, you must upload a valid HTTPS certificate that is associated with the domain name in the WAF console. If you do not upload the required HTTPS certificate, WAF cannot protect HTTPS requests.

You can use one of the following methods to upload an HTTPS certificate:

  • Upload a certificate.

    You must prepare the following files before you upload a certificate and make sure that the certificate chain is valid.

    • The certificate file in the CRT or PEM format

    • The private key file in the KEY format

  • Select an existing certificate: You can select the certificate that is associated with the domain name in the Certificate Management Service console. For more information, see What is Certificate Management Service.

  • Purchase a certificate.

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region in which your WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Asset Center > Website Access.

  3. On the Domain Names tab, find the domain name that you want to manage and click the Upload icon in the Origin Server column.

    Note

    The Upload icon appears in the Origin Server column.

  4. In the Upload Certificate dialog box or Update Certificate dialog box, specify Upload Type to upload an HTTPS certificate.

    Note

    If a certificate has already been uploaded, the Update Certificate dialog box appears instead. The Update Certificate and Upload Certificate dialog boxes use the same configuration items.

    • Manual Upload: Specify Certificate Name, copy and paste the content of the certificate file to the Certificate File field, and then copy and paste the content of the private key file to the Private Key File field.

      For information about the certificate file, see the following descriptions:

      • If the certificate file is in the PEM format, CER format, or CRT format, you can use a text editor to open the certificate file and copy the text content.

      • If the certificate file is in a different format such as PFX or P7B, you must convert the certificate file format to PEM. Then, you can use a text editor to open the certificate file and copy the text content. For more information about how to convert file formats, see How do I convert an HTTPS certificate to the PEM format?

      • Make sure that the certificate chain is valid. If the domain name is associated with multiple certificate files, you must combine the text content of the certificate files and then copy and paste the combined content to the Certificate File field.

    • Select Existing Certificate: Select a certificate from the Certificate list.

      The Certificate drop-down list is a collection of certificates that are issued in the Certificate Management Service console. Select the certificate that is associated with the domain name. You can click Cloud Security - Certificates Service to go to the Certificate Management Service console to manage certificates.

    • Purchase Certificate: Click Buy Now to go to the Purchase Certificate page in the Certificate Management Service console and then purchase a certificate for your domain name.

      After you purchase and configure the certificate, the certificate is automatically uploaded to WAF.

      Note

      You can purchase only a domain validated (DV) certificate on this page. If you want to purchase a different type of certificate, go to the buy page of Certificate Management Service. For more information, see Purchase an SSL certificate.

  5. Click OK.
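A helper for the Manual Upload step, added here as an example in Python; it is not code from the page or from WAF. It splits PEM files into framed blocks, checks each body is valid base64, assembles the combined text for the Certificate File field (the domain's own certificate first, then the intermediates, which is the usual server chain order and an assumption of this example), and refuses private-key material in the certificate field, a common paste mistake. The PEM bodies below are constructed stand-ins, not real certificates, so only framing and encoding are checked, not signatures.

```python
import base64
import re
from typing import Iterable, List, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)


def split_pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, body) for every well-framed PEM block; body is validated base64."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())   # drop line breaks and spaces
        base64.b64decode(body, validate=True)      # binascii.Error (a ValueError) if corrupt
        blocks.append((m.group("label"), body))
    return blocks


def normalize_block(label: str, body: str) -> str:
    """Re-emit one block with 64-character lines, the conventional PEM layout."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def build_certificate_field(leaf_pem: str, chain_pems: Iterable[str]) -> str:
    """Text for the Certificate File field: leaf certificate, then intermediates."""
    leaf_blocks = split_pem_blocks(leaf_pem)
    if [label for label, _ in leaf_blocks] != ["CERTIFICATE"]:
        raise ValueError("leaf file must contain exactly one CERTIFICATE block and no key")
    out = [normalize_block(*leaf_blocks[0])]
    for pem in chain_pems:
        blocks = split_pem_blocks(pem)
        if not blocks:
            raise ValueError("chain file contains no PEM block")
        for label, body in blocks:
            if "PRIVATE KEY" in label:
                raise ValueError("private key material must not go into the Certificate File field")
            if label != "CERTIFICATE":
                raise ValueError(f"unexpected PEM block {label!r} in chain file")
            out.append(normalize_block(label, body))
    return "".join(out)


def check_private_key_field(key_pem: str) -> str:
    """Text for the Private Key File field: exactly one PEM block, and it is a key."""
    blocks = split_pem_blocks(key_pem)
    if len(blocks) != 1 or not blocks[0][0].endswith("PRIVATE KEY"):
        raise ValueError("private key file must contain exactly one PRIVATE KEY block")
    return normalize_block(*blocks[0])


def fake_block(label: str, content: bytes) -> str:
    """Constructed PEM block whose body is just base64 of a marker string."""
    return normalize_block(label, base64.b64encode(content).decode())


# Constructed sample files (not real certificates or keys).
LEAF = fake_block("CERTIFICATE", b"constructed leaf certificate for www.aliyundoc.com")
INTERMEDIATE = fake_block("CERTIFICATE", b"constructed intermediate CA certificate")
KEY = fake_block("PRIVATE KEY", b"constructed private key bytes")


if __name__ == "__main__":
    print(build_certificate_field(LEAF, [INTERMEDIATE]))
    print(check_private_key_field(KEY))
```

The block-label check is what catches the two paste errors the console cannot explain well: a key in the certificate field and a certificate (or nothing parseable) in the key field. Whether the intermediates actually chain to the leaf still has to be verified with a TLS tool before uploading.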

Subsequent configurations

After you add the domain name, the requests that are sent to the domain name are protected by WAF. You can modify domain name configurations to improve website protection.

Website protection configuration

WAF provides multiple features to protect your website against different types of attacks. By default, only the Protection Rules Engine feature and HTTP Flood Protection feature are enabled. The Protection Rules Engine feature protects your website against common web attacks such as SQL injections, XSS attacks, and webshell uploads. The HTTP Flood Protection feature protects your website against HTTP flood attacks. You must enable other features and configure protection rules.

Reference: Website protection configuration

Alert configuration

You can configure alert rules to enable WAF to send alert notifications when attacks and abnormal traffic are detected in access requests. This way, you can check the security status of your business in a timely manner.

Reference: Configure WAF alerting

Log Service configurations

After you enable the Log Service for WAF feature, WAF can collect and store the log data of your domain name. You can query and analyze the log data. By default, the Log Service for WAF feature stores full logs for 180 days to meet the Multi-Level Protection Scheme (MLPS) requirements.

Reference: Overview of the Log Service for WAF feature

What to do next

View and manage the domain names that are added to WAF

You can go to the Domain Names tab of the Website Access page to view the added domain name and perform the following operations.

  • Upload an HTTPS certificate: If your domain name supports HTTPS, make sure that the correct certificate and private key files are uploaded to WAF. This helps ensure that WAF protects HTTPS requests. To upload the HTTPS certificate and private key files for the domain name, you must click the Upload icon in the Origin Server column.

    For more information, see Upload an HTTPS certificate.

  • Enable IPv6 traffic protection: If you want to protect IPv6 traffic that is sent to your domain name, turn on IPV6 for the domain name in the Quick Access column.

    For more information, see Enable IPv6 traffic protection.

  • Enable Log Service for WAF: Turn on Log Service in the Quick Access column to enable the Log Service for WAF feature. You can use this feature to collect the logs of your domain name. You can use the logs for query, analysis, dashboard data visualization, and alerting. For more information, see Get started with the Log Service for WAF feature.

    Note

    Log Service for WAF is a value-added feature provided by WAF. You must enable this feature before you can use the feature. For more information, see Step 1: Enable the Log Service for WAF feature.

  • Configure protection resources: Click the Configure protection resources icon to the right of Protection Resource in the Quick Access column. Then, configure the protection resources for the domain name.

    The following types of protection resources are supported:

    • Shared Cluster and Shared IP: This is the default value.

    • Shared Cluster and Exclusive IP: For more information about exclusive IP addresses, see Exclusive IP addresses.

    • Shared Cluster and Load Balancing Among Multiple WAF Nodes: For more information about global load balancing, see Intelligent load balancing.

    • Exclusive Cluster: For more information about exclusive clusters, see Create an exclusive cluster.

  • View attack reports: Click View Report in the Attack Monitoring column to go to the Security Report page. On the page that appears, you can view a protection report of the domain name. For more information, see View security reports.

  • Configure protection policies: Click Config in the Actions column to go to the Website Protection page. On the page that appears, you can configure the Web Security, Bot Management, and Access Control/Throttling modules. For more information, see Website protection configuration.

  • Modify domain name configurations: Click Edit in the Actions column to modify domain name configurations such as the protocol type, server address, and server port. The domain name cannot be changed.

  • Delete a domain name: Click Delete in the Actions column to delete a domain name.

    Warning

    Before you delete a domain name, you must modify the DNS record to map the domain name to the IP address of the origin server. If you do not modify the DNS record, the requests that are sent to the domain name cannot be forwarded after the domain name is deleted.

Check the validity of the ICP filing information

After you add the domain name to WAF, make sure that the ICP filing information is valid. To comply with laws and regulations, WAF instances check protected domain names on a regular basis. Domain names whose ICP filing information is invalid are not protected by WAF. If the ICP filing information about your domain name is invalid and your domain name is no longer protected by WAF, you can perform the following operations:

  1. Update the ICP filing information about your domain name.

  2. Click the Domain Names tab on the Website Access page. Find the domain name whose ICP filing information is updated and click Add Again in the Actions column.

FAQ

For more information, see FAQ about website access configuration in FAQ.