Web Application Firewall (WAF) protects websites that are deployed in hybrid clouds. This topic describes how to add a website that is deployed in a hybrid cloud to WAF for protection.

Prerequisites

  • A WAF instance is purchased. The number of domain names that are added to the WAF instance does not reach the upper limit.
    Note The total number of domain names that can be added to a WAF instance varies based on the specifications of the instance and the number of extra domain packages that you purchased. For more information, see Extra domain package.
  • If you use a WAF instance in the Chinese mainland to protect your domain name, you must complete Internet Content Provider (ICP) filing for your domain name before you can add your domain name to the WAF instance. If you add your domain name to WAF before you complete ICP filing, an error may occur and WAF prompts you to complete ICP filing.
  • A protection cluster for Hybrid Cloud WAF that uses on-premises servers as WAF protection nodes is deployed. The WAF protection nodes can communicate with the Internet. For more information, see Deploy a protection cluster for Hybrid Cloud WAF.

Background information

Hybrid Cloud WAF is a hybrid cloud solution that enables you to protect and manage web applications in various environments in a centralized manner. Hybrid Cloud WAF is available across public clouds and data centers. Both Alibaba Cloud and third-party clouds are supported. Hybrid Cloud WAF combines shared and exclusive resources both in and outside the cloud to deliver an elastic and effective protection system, so that you can protect web applications in a centralized manner. After you add your website to WAF, the traffic destined for the protected website can be forwarded to your origin server over the Internet or a private network. WAF forwards the requests based on the network type of the origin server.

Limits

If you use protection nodes of Hybrid Cloud WAF to protect internal network services, clients whose IP addresses fall within the 172.16.0.0/16 CIDR block are not supported.

Add a website deployed in a hybrid cloud

  1. Log on to the WAF console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Domain Names tab, click Website Access.
  5. Set Access Mode to CNAME Record and click the Manually Add tab.
  6. Specify the information about the website that you want to use WAF to protect.
    Configure the website parameters and click Next. The following list describes the parameters.
    Domain Name: Enter the domain name. The domain name must meet the following requirements:
    • The domain name can be an exact match domain name such as www.aliyun.com. The domain name can also be a wildcard domain name such as *.aliyun.com.
      • If you enter a wildcard domain name, WAF automatically matches specific domain names for the wildcard domain name. For example, if you enter *.aliyun.com, WAF matches www.aliyun.com and test.aliyun.com.
        Notice If you enter a wildcard domain name, WAF does not match the parent domain name of the wildcard domain name. For example, if you enter *.aliyun.com, WAF does not match aliyun.com. If you want to use WAF to protect aliyun.com, you must separately add the domain name to WAF.
      • If you enter a wildcard domain name and an exact match domain name, WAF uses the forwarding rules and protection policies of the exact match domain name.
    • .edu domain names are not supported. If you want to add .edu domain names, you must submit a ticket to request technical support.
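The following Python example, added here and not part of Alibaba Cloud WAF, models the domain name rules above: an exact match domain name takes precedence over a wildcard, a wildcard such as *.aliyun.com covers www.aliyun.com and test.aliyun.com but not aliyun.com, and .edu domain names are rejected. It assumes that a wildcard covers subdomains of any depth, which the page does not state.

```python
# Added example: models the domain name matching rules described above.
# Illustrative code, not part of Alibaba Cloud WAF.
# Assumption (not stated on the page): a wildcard covers subdomains of any depth.
from typing import Iterable, Optional


def validate_domain(domain: str) -> str:
    """Accept an exact match domain name or a wildcard domain name such as
    *.aliyun.com. Reject .edu domain names, which require a support ticket."""
    d = domain.strip().lower().rstrip(".")
    if not d or any(not label for label in d.split(".")):
        raise ValueError(f"{domain!r}: malformed domain name")
    if d.endswith(".edu"):
        raise ValueError(f"{domain!r}: .edu domain names cannot be added directly")
    if "*" in d and (not d.startswith("*.") or "*" in d[2:]):
        raise ValueError(f"{domain!r}: a wildcard may only be the leftmost label")
    return d


def covers(configured: str, host: str) -> bool:
    """True if a configured domain name covers host. A wildcard such as
    *.aliyun.com covers www.aliyun.com but NOT its parent aliyun.com, and
    suffix matching is label-aware so www.aliyun.com.evil.net is not covered."""
    host = host.lower().rstrip(".")
    if configured.startswith("*."):
        parent = configured[2:]
        return host != parent and host.endswith("." + parent)
    return host == configured


def select_domain_config(configured: Iterable[str], host: str) -> Optional[str]:
    """Return the configured domain name whose forwarding rules and protection
    policies apply to host. An exact match domain name wins over a wildcard;
    among several matching wildcards the most specific (longest) one is used."""
    matches = [d for d in configured if covers(d, host)]
    exact = [d for d in matches if not d.startswith("*.")]
    if exact:
        return exact[0]
    return max(matches, key=len) if matches else None
```

Use validate_domain when a domain name is entered and select_domain_config when a request's Host value arrives; the None result for aliyun.com shows why the parent domain must be added separately.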
    Protection Resource: Select the type of resource that you want to use WAF to protect. For this example, select Hybrid Cloud Cluster.
    Protocol Type: Select a protocol type. Valid values:
    • HTTP
    • HTTPS: If your website uses HTTPS, select HTTPS and upload the certificate and private key files after you add the website configurations. For more information, see Upload an HTTPS certificate.
      If you select HTTPS, you can configure the following settings.
      • Select HTTP2. If your website uses HTTP/2, you must select HTTP2. The HTTP/2 port is the same as the HTTPS port. After you select HTTP2, you need only set the HTTPS port.
        Notice You can select HTTP2 only for WAF instances of the Business or higher edition.
      • Click Advanced Settings. Advanced Settings supports the following features:
        • Enforce HTTPS Routing: If this feature is enabled, HTTP requests are automatically redirected to HTTPS requests on port 443. If you want a client to access your website by using HTTPS, enable this feature. This feature improves access security.
          Notice
          • You must clear the HTTP check box before you turn on Enforce HTTPS Routing.
          • Before you enable this feature, make sure that your domain name supports HTTPS. After this feature is enabled, requests are delivered over HTTPS.
        • Enable HTTP: If this feature is enabled, WAF forwards requests to the origin server over HTTP. The default port is 80. This allows clients to access your website over HTTPS without changes to the origin server, which reduces the workload of the origin server.
          Notice If your website does not support HTTPS, turn on Enable HTTP.
      • Select Enable Origin SNI. Origin Server Name Indication (SNI) specifies the domain name to which an HTTPS connection needs to be established at the start of the TLS handshaking process when WAF forwards requests to the origin server. If the origin server hosts multiple domain names, you must enable this feature. After you select Enable Origin SNI, you can configure the SNI field. Valid values:
        • Use Domain Name in Host Header: indicates that the value of the SNI field in WAF back-to-origin requests is the same as the value of the Host header field. This is the default value. For example, if the domain name of your website is *.example.com and the client requests www.example.com, which is the value of the Host header field, the value of the SNI field in WAF back-to-origin requests is www.example.com.
        • Custom: If you select Custom, you can customize the SNI field in WAF back-to-origin requests. If you want WAF to use an SNI field whose value is different from the value of the Host header field in back-to-origin requests, you must specify a custom value for the SNI field.
    Node Settings: Select Name of Protected Node Group.

    If your website is deployed in multiple protection nodes, you can click Add Node for Protection to the right of Node Settings to add the protection nodes to WAF.

    Destination Server (IP Address): Enter the address of the origin server. Valid values: IP and Domain Name (Such as CNAME). WAF filters requests and forwards them to this address.
    • IP: Enter the public IP address of the origin server. The IP address must be accessible over the Internet.
      Press Enter each time you enter an IP address. You can enter up to 20 IP addresses.
      Note If you enter multiple IP addresses, WAF automatically performs health checks and load balancing on these addresses.
      If your WAF instance resides outside the Chinese mainland, you can enter only IPv4 addresses. If your WAF instance resides in the Chinese mainland, you can enter IPv4 and IPv6 addresses or only IPv4 addresses. However, you cannot enter only IPv6 addresses. You can enter IPv4 or IPv6 addresses based on the following descriptions:
      • If you configure both IPv4 and IPv6 addresses and select Use the Same Protocol, WAF forwards requests from IPv4 clients to the origin server over IPv4 and requests from IPv6 clients to the origin server over IPv6. If you do not select Use the Same Protocol, WAF forwards requests to the origin server over IPv4 or IPv6 at random.
        Notice If you want WAF to forward requests over IPv6, make sure that IPV6 is turned on for the domain name on the Website Access page. For more information, see Enable IPv6 traffic protection.
      • If you enter only IPv4 addresses, WAF forwards all requests to the origin server over IPv4.
      The following list describes how to enter an IP address:
      • If the origin server is an Alibaba Cloud Elastic Compute Service (ECS) instance, enter the public IP address of the instance.
      • If the ECS instance is associated with a Server Load Balancer (SLB) instance, enter the public IP address of the SLB instance.
      • If the origin server is not deployed on Alibaba Cloud, we recommend that you ping the domain name to query the public IP address of the origin server. Then, enter the public IP address of the origin server.
    • Domain Name (Such as CNAME): Enter the domain name of the origin server. For example, enter the CNAME of an Object Storage Service (OSS) bucket.

      If you select Domain Name (Such as CNAME), WAF forwards all requests to the origin server over IPv4.

      Notice
      • The domain name of the origin server must be different from the domain name that you want to protect.
      • If you enter a domain name of an OSS bucket, you must map the domain name that you want to protect to the bucket in the OSS console. For more information, see Map custom domain names.
    Destination Server Port: Specify the port that WAF uses to forward requests.
    Note Only Alibaba Cloud technical support can configure this parameter.

    The port must be within the range of the ports that are enabled for the hybrid cloud cluster. By default, ports 80, 8080, 443, and 8443 are enabled for hybrid cloud clusters. When you create a hybrid cloud cluster, you can specify the custom ports that you want to enable. For more information, see Configure basic information for a hybrid cloud cluster.

    WAF forwards filtered requests only by using the ports that you specify here. Ports that are enabled for the cluster but not specified here pose no security threat to the origin server, because WAF does not forward requests over them.

    Notice Protocol Type and Destination Server Port must be the protocol and port that the origin server uses to provide web services. WAF does not support port translation. For example, if the origin server provides web services by using HTTP port 80, HTTP and port 80 must be configured for your domain name.
    Default ports:
    • If you set Protocol Type to HTTP, Destination Server Port is automatically set to HTTP 80.
    • If you set Protocol Type to HTTPS, Destination Server Port is automatically set to HTTPS 443.
      Note HTTP/2 uses the same port as HTTPS.
    Custom Port: Click Customize and specify port numbers based on the protocol type (HTTP or HTTPS). Separate multiple port numbers with commas (,).

    Click View Allowed Port Range to query all supported ports.

    Load Balancing Algorithm: If you enter multiple addresses for origin servers, configure this parameter. Valid values:
    • IP hash: Requests from a specific IP address are forwarded to the same origin server. This is the default value.
      Note If you select IP hash but the IP addresses of origin servers are not scattered on different network segments, workloads may be unbalanced.
    • Round-robin: All requests are distributed to origin servers in turn.
    • Least time: WAF uses the intelligent DNS resolution feature and the upgraded least-time back-to-origin algorithm to minimize the latency when requests are forwarded to origin servers.
      Note You can select Least time only when intelligent load balancing is enabled. For more information, see Intelligent load balancing.

    After the settings take effect, WAF distributes back-to-origin requests to multiple addresses of origin servers.
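The following Python example, added here and not Alibaba Cloud code, models how back-to-origin requests are spread over multiple origin addresses: the IPv4/IPv6 candidate set chosen by Use the Same Protocol (described under Destination Server), followed by the IP hash or Round-robin algorithm. Least time is left out because it depends on measured latency and intelligent DNS resolution, which this model does not have. All addresses are constructed documentation values; the hash function and the "IPv4-only or mixed" check are assumptions that reflect the console rules stated above, not WAF internals.

```python
# Added example, not Alibaba Cloud code: origin selection for back-to-origin
# requests. Models the "Use the Same Protocol" rule plus IP hash / round-robin.
import hashlib
import ipaddress
from typing import List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class OriginSelector:
    def __init__(self, origins: List[str], algorithm: str = "ip_hash",
                 use_same_protocol: bool = True) -> None:
        self.origins: List[IPAddr] = [ipaddress.ip_address(o) for o in origins]
        # The console accepts IPv4-only or mixed lists, never IPv6-only.
        if not any(o.version == 4 for o in self.origins):
            raise ValueError("at least one IPv4 origin address is required")
        if algorithm not in ("ip_hash", "round_robin"):
            raise ValueError(f"unsupported algorithm {algorithm!r}")
        self.algorithm = algorithm
        self.use_same_protocol = use_same_protocol
        self._rr_counter = 0

    def candidates(self, client: IPAddr) -> List[IPAddr]:
        """Origins eligible for this client. With Use the Same Protocol an IPv6
        client is served over IPv6 when IPv6 origins exist (and IPv4 over IPv4);
        without it any configured address may be used."""
        if self.use_same_protocol:
            same = [o for o in self.origins if o.version == client.version]
            if same:
                return same
        return list(self.origins)

    def pick(self, client_ip: str) -> str:
        client = ipaddress.ip_address(client_ip)
        cands = self.candidates(client)
        if self.algorithm == "ip_hash":
            # Same client address -> same origin while the candidate set is stable.
            # SHA-256 of the packed address is an assumed, deterministic choice.
            digest = hashlib.sha256(client.packed).digest()
            idx = int.from_bytes(digest[:8], "big") % len(cands)
        else:
            # Round-robin: hand requests to the candidates in turn.
            idx = self._rr_counter % len(cands)
            self._rr_counter += 1
        return str(cands[idx])
```

The IP hash branch shows the stickiness the page describes (one client always reaches one origin), and the round-robin branch shows the even rotation; run the same client through both to see the difference.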

    Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Specify whether a Layer 7 proxy is deployed in front of WAF. The Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. Valid values:
    • No: No Layer 7 proxies are deployed in front of WAF, and WAF receives requests from clients. WAF uses the IP address that is used to establish connections with WAF as the actual IP address of a client. WAF obtains the actual IP address from the REMOTE_ADDR field.
    • Yes: A Layer 7 proxy is deployed in front of WAF, and WAF receives requests from the Layer 7 proxy, instead of clients. To make sure that WAF can obtain the actual IP address of a client for security analysis, you must configure Obtain Source IP Address.

      By default, WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of a client.

      You can use other proxies that require the actual IP addresses of clients to be contained in a custom header field, such as X-Client-IP or X-Real-IP. In this case, you must select Use the First IP Address in Specified Header Field as Source IP Address to Prevent X-Forwarded-For Forgery and enter a custom header field in the Header Field field.

      Note We recommend that you use custom header fields to store the actual IP addresses of clients and configure the header fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF protection rules. This improves the security of your business.

      You can enter multiple header fields. Separate the header fields with commas (,). If you enter multiple header fields, WAF checks the fields in the order in which you enter them and uses the first IP address that it obtains. If WAF fails to obtain the IP address of the client from all of the header fields, WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of the client.
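The following Python example, added here and not Alibaba Cloud code, models how the actual client IP address is chosen under this parameter: REMOTE_ADDR when no Layer 7 proxy exists, otherwise the configured custom header fields in order, then the first address in X-Forwarded-For. The header names X-Client-IP and X-Real-IP are the page's illustrations, the sample request is constructed, and the final fallback to the connecting address when no header yields an IP is an assumption the page does not state.

```python
# Added example, not Alibaba Cloud code: client IP resolution under the
# "Does a layer 7 proxy ... exist in front of WAF" setting.
import ipaddress
from typing import Dict, List, Optional, Sequence


def parse_header_fields(setting: str) -> List[str]:
    """Split the comma-separated Header Field setting, keeping configured order."""
    return [f.strip() for f in setting.split(",") if f.strip()]


def first_ip(value: str) -> Optional[str]:
    """First syntactically valid IP address in a comma-separated header value."""
    for part in value.split(","):
        try:
            return str(ipaddress.ip_address(part.strip()))
        except ValueError:
            continue
    return None


def resolve_client_ip(remote_addr: str, headers: Dict[str, str],
                      layer7_proxy: bool, custom_fields: Sequence[str] = ()) -> str:
    """Return the address WAF treats as the client for security analysis."""
    if not layer7_proxy:
        # No: the peer that opened the connection (REMOTE_ADDR) is the client.
        return remote_addr
    h = {k.lower(): v for k, v in headers.items()}
    # Yes: try the configured custom header fields in order, first IP in each.
    for field in custom_fields:
        ip = first_ip(h.get(field.lower(), ""))
        if ip:
            return ip
    # Default: the first IP address in X-Forwarded-For.
    ip = first_ip(h.get("x-forwarded-for", ""))
    if ip:
        return ip
    # Assumption: the page does not say what happens when no header yields an
    # address; this model falls back to the connecting address.
    return remote_addr


# Constructed sample: the client wrote its own value into X-Forwarded-For, while
# the trusted proxy in front of WAF placed the real address in X-Client-IP.
SAMPLE_HEADERS = {
    "X-Forwarded-For": "198.18.0.1, 203.0.113.10",
    "X-Client-IP": "203.0.113.10",
}
```

Running SAMPLE_HEADERS through resolve_client_ip with and without a custom header field shows the point of the Note above: with only the default setting the client-controlled first X-Forwarded-For entry is used, whereas with X-Client-IP configured the proxy-supplied address wins.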

    Enable Traffic Mark: Specify whether to enable the WAF traffic marking feature.

    This feature adds custom header fields to WAF back-to-origin requests. You can specify or modify the custom header fields to tag the requests that are forwarded by WAF or record the IP addresses of clients.

    If you select Enable Traffic Mark, you must add custom header fields. You can add the following two types of header fields:
    • Custom Header: If you want to add a header field of this type, you must specify a header field name and header field value. WAF adds the header field to the back-to-origin requests. This helps the backend service identify whether requests pass through WAF, collect statistics, and analyze data.

      For example, you can specify the ALIWAF-TAG: Yes header field setting to tag the requests that pass through WAF. In this example, ALIWAF-TAG is the header field name, and Yes is the header field value.

      Notice We recommend that you do not configure a standard HTTP header field, such as User-Agent. If you configure a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field.
    • Client IP Address: If you want to add a header field of this type, you must specify the name of the header field that records an IP address. This way, WAF adds the header field to the back-to-origin requests and adds the IP addresses of clients to the value of the header field. For more information about how WAF obtains the IP addresses of clients, see the description of the Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF parameter.

      If the backend service needs to obtain the IP addresses of clients from a specified custom header field such as example-client-ip for analysis, you must add a header field of the Client IP Address type.

      Notice We recommend that you do not configure a standard HTTP header field, such as User-Agent. If you configure a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field.

    Click Add Mark to add a header field. You can add up to five header fields.
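The following Python example, added here and not Alibaba Cloud code, models both header field types of the traffic marking feature: a Custom Header such as ALIWAF-TAG: Yes and a Client IP Address header such as example-client-ip, with the five-field limit and the overwrite behaviour from the Notice above. The list of standard header names is a short illustrative set, and the backend helper is an assumed way a backend might consume the marks. As a practical caveat, a tag header proves that a request passed through WAF only if the origin server accepts traffic solely from the WAF protection nodes; a backend reachable directly can be handed any header.

```python
# Added example, not Alibaba Cloud code: building back-to-origin headers with
# traffic marks, and a backend-side reader for them.
from typing import Dict, List, Sequence, Tuple

# Illustrative subset of standard request headers (assumption, not a WAF list).
STANDARD_HEADERS = {"host", "user-agent", "accept", "content-type",
                    "content-length", "cookie", "referer", "x-forwarded-for"}
MAX_MARKS = 5  # "You can add up to five header fields."

# A mark is (kind, name, value); kind is "custom" or "client_ip".
Mark = Tuple[str, str, str]


def build_origin_headers(request_headers: Dict[str, str], marks: Sequence[Mark],
                         client_ip: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (headers of the back-to-origin request, warnings).
    "custom" marks are added as given; "client_ip" marks carry the client
    address WAF resolved. A mark whose name is a standard header overwrites it."""
    if len(marks) > MAX_MARKS:
        raise ValueError(f"at most {MAX_MARKS} header fields can be added")
    headers = dict(request_headers)
    warnings: List[str] = []
    for kind, name, value in marks:
        if kind not in ("custom", "client_ip"):
            raise ValueError(f"unknown mark type {kind!r}")
        if name.lower() in STANDARD_HEADERS:
            warnings.append(f"{name} is a standard header; its value is overwritten")
        # Header names are case-insensitive: drop any existing variant first.
        for existing in [k for k in headers if k.lower() == name.lower()]:
            del headers[existing]
        headers[name] = client_ip if kind == "client_ip" else value
    return headers, warnings


def backend_client_ip(headers: Dict[str, str], field: str = "example-client-ip",
                      tag: Tuple[str, str] = ("ALIWAF-TAG", "Yes")) -> str:
    """Backend helper (assumed): read the client address from the Client IP
    Address mark, but only when the Custom Header tag is present. Returns ""
    when the request does not carry the tag."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get(tag[0].lower()) != tag[1]:
        return ""
    return h.get(field.lower(), "")


# Constructed sample request as WAF would see it after resolving the client IP.
SAMPLE_REQUEST = {"Host": "www.example.com", "User-Agent": "curl/8.0"}
SAMPLE_MARKS: List[Mark] = [("custom", "ALIWAF-TAG", "Yes"),
                            ("client_ip", "example-client-ip", "")]
```

The warnings list makes the Notice concrete: adding a mark named User-Agent silently replaces the real User-Agent value that the backend would otherwise have logged.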

    Resource Group: Select the resource group to which the domain name belongs from the resource group list.
    Note You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
  7. Modify the hosts file of your computer to map the domain name to the load balancer that is deployed in front of the on-premises WAF node. Then, test whether WAF can filter and forward requests as expected.
    Note Only Alibaba Cloud technical support can perform this step.
  8. Modify the DNS record of the domain name that you want to protect to map the domain name to the on-premises load balancer.
  9. Click Completed to return to the website list.
    After you complete these steps, the domain name is protected by Hybrid Cloud WAF.