Hybrid Cloud Web Application Firewall (WAF) can protect websites that are deployed in hybrid clouds. This topic describes how to add a website to Hybrid Cloud WAF.
Hybrid Cloud WAF is a web application protection and management solution that protects web applications that are deployed across public clouds, private clouds, and data centers. Hybrid cloud WAF combines shared resources and exclusive resources in and outside the cloud to deliver an elastic and efficient protection system. This allows you to manage and protect web applications in a centralized manner. After you add your website to Hybrid Cloud WAF, the requests that are sent to the protected website can be forwarded to the origin server over the Internet or a private network. WAF forwards the requests based on the network type of the origin server.
A WAF instance is purchased. The number of domain names that are added to the WAF instance does not reach the upper limit.
Note: The total number of domain names that can be added to a WAF instance varies based on the specifications of the instance and the number of additional domain names that you purchased. For more information, see Extra domain package.
If you use a WAF instance in the Chinese mainland to protect a domain name, you must complete an Internet Content Provider (ICP) filing for the domain name before you can add the domain name to the WAF instance. If you add the domain name to a WAF instance before you complete the ICP filing, WAF may report an error and prompt you to complete the ICP filing.
A protection cluster for Hybrid Cloud WAF that uses on-premises servers as WAF protection nodes is deployed. The WAF protection nodes can communicate with the Internet. For more information, see Deploy a protection cluster for Hybrid Cloud WAF.
If you use protection nodes of Hybrid Cloud WAF to protect internal network services, clients whose CIDR block is 172.16.0.0/16 are not supported.
Add a website to Hybrid Cloud WAF
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which your WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Domain Names tab, click Website Access.
Note: On the Add Domain Name page, the Access Mode parameter is set to CNAME Record by default. You do not need to change the value of the parameter.
Enter the information about your website by configuring the parameters and click Next. The following table describes the parameters.
Enter the domain name of your website. You must specify the domain name based on the following requirements:
The domain name can be an exact match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. Take note of the following information:
If you enter a wildcard domain name, WAF automatically matches all subdomains of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF matches subdomains such as
If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match aliyundoc.com. If you want to use WAF to protect aliyundoc.com, you must separately add the domain name to WAF.
If you enter a wildcard domain name and an exact match domain name, WAF uses the forwarding rules and protection rules of the exact match domain name.
.edu domain names are not supported.
Select the type of resource that you want WAF to protect. Set this parameter to Hybrid Cloud Cluster.
Select a protocol type. Valid values:
If your website supports HTTPS, select HTTPS. After you add your domain name configurations, upload the required certificate and private key files. For more information, see Upload an HTTPS certificate.
If you select HTTPS, you can enable the following features:
(Advanced Settings) Enforce HTTPS Routing
If you enable this feature, HTTP requests that are sent from the client are automatically converted into HTTPS requests. In this case, the client sends HTTPS requests to WAF on port 443 and WAF forwards the HTTPS requests to the origin server on port 443. If you want a client to access your website by using HTTPS, enable this feature to improve access security.
Important: You can enable this feature only when HTTP is not selected.
Before you enable this feature, make sure that your website supports HTTPS. After you enable this feature, requests are delivered over HTTPS.
(Advanced Settings) Enable HTTP
If you enable this feature, WAF forwards requests over HTTP. The default port is port 80. In this case, WAF forwards requests that are sent to port 80 to the origin server, regardless of whether the client accesses WAF on port 80 or 443. After you enable this feature, you can use WAF to convert HTTPS requests that are sent to your website into HTTP requests. This way, the workload of the origin server is reduced. Clients can access your website over HTTPS without the need to configure settings on the origin server.
Important: If the domain name does not support HTTPS, turn on Enable HTTP.
(Advanced Settings) Enforce HTTPS Routing and Enable HTTP: both disabled
If the client accesses WAF on port 80, WAF forwards requests that are sent to port 80 to the origin server. If the client accesses WAF on port 443, WAF forwards requests that are sent to port 443 to the origin server.
Enable Origin SNI
Origin Server Name Indication (SNI) specifies the domain name for which an HTTPS connection is established, sent at the start of the TLS handshake when WAF forwards requests to the origin server. If the origin server hosts multiple domain names, you must enable this feature.
After you select Origin SNI, you can configure the SNI field. Valid values:
Use Domain Name in Host Header: specifies that the value of the SNI field in WAF back-to-origin requests is the same as the value of the Host header field. This is the default value.
For example, if the domain name that you add is *.aliyundoc.com and the client sends requests to the www.aliyundoc.com domain name, the value of the SNI field in WAF back-to-origin requests is www.aliyundoc.com. The value of the Host header field is www.aliyundoc.com.
Custom: specifies that you can enter a custom value for the SNI field in WAF back-to-origin requests.
If you want WAF to use an SNI field whose value is different from the value of the Host field in back-to-origin requests, you can specify a custom value for the SNI field.
HTTP2 (You can select HTTP2 only after you select HTTPS.)
If your domain name supports HTTP/2, you must select HTTP2. The HTTP/2 port is the same as the HTTPS port. After you select HTTP2, you need to only specify the HTTPS port. For more information, see Is the origin server affected when HTTP/2 services are added to WAF?
Note: You can select HTTP2 only if your WAF instance is of the Business, Enterprise, or Exclusive edition.
Select Name of Protected Node Group.
If you deployed your website in multiple protection nodes, you can click Add Node for Protection to the right of Node Settings to add the protection nodes to WAF.
Destination Server (IP Address)
Enter the address of the origin server. Valid values: IP and Domain Name (Such as CNAME). WAF filters and forwards requests to this address. Take note of the following items:
IP: Enter the public IP address of the origin server. The public IP address must be accessible over the Internet.
Press the Enter key each time you enter an IP address. You can enter up to 20 IP addresses.
Note: If you enter multiple IP addresses, WAF automatically performs health checks and load balancing on the addresses.
Specify both IPv4 addresses and IPv6 addresses
If you select Use the Same Protocol, WAF forwards requests from IPv4 addresses to the origin server over IPv4 and requests from IPv6 addresses to the origin server over IPv6. If you do not select Use the Same Protocol, WAF forwards random requests to the origin server over IPv4 or IPv6.
Important: If you want WAF to forward requests over IPv6, make sure that IPV6 is turned on for the domain name on the Website Access page. For more information, see Enable IPv6 traffic protection.
Specify only IPv4 addresses
WAF forwards all requests to the origin server over IPv4.
Specify only IPv6 addresses
WAF forwards all requests to the origin server over IPv6.
When you enter an IP address, take note of the following items:
If the origin server is an Alibaba Cloud Elastic Compute Service (ECS) instance, enter the public IP address of the instance.
If the ECS instance is associated with a Server Load Balancer (SLB) instance, enter the public IP address of the SLB instance.
If the origin server is not deployed on Alibaba Cloud, we recommend that you ping the domain name to query the public IP address of the origin server. Then, enter the public IP address of the origin server.
Make sure that Enable Traffic Redirection is turned off for the specified IP address in transparent proxy mode.
Domain Name (Such as CNAME): Enter the domain name of the origin server. For example, enter the CNAME of an Object Storage Service (OSS) bucket.
The domain name can be resolved as an IPv4 address. In this case, WAF forwards back-to-origin requests to the IPv4 address.
Important: The domain name of the origin server must be different from the domain name that you want to protect.
If you enter a domain name of an OSS bucket, you must map the domain name that you want to protect to the bucket in the OSS console. For more information, see Map custom domain names.
Destination Server Port
Specify the port that you want to use to forward requests.
Note: Only the Alibaba Cloud technical support team can configure this parameter.
The port must be within the range of the ports that are supported for the hybrid cloud cluster. By default, ports 80, 8080, 443, and 8443 are enabled for hybrid cloud clusters. When you create a hybrid cloud cluster, you can specify the custom ports that you want to enable. For more information, see Configure basic information for a hybrid cloud cluster.
WAF uses only the port that you specify to receive and forward requests. This way, the origin server is protected regardless of whether other, unspecified ports are enabled.
Important: You must set the Protocol Type and Destination Server Port parameters to the protocol and port that the origin server uses to provide web services. WAF does not support port translation. For example, if the origin server provides web services by using HTTP and port 80, you must set the Protocol Type parameter to HTTP and the Destination Server Port parameter to 80.
80: By default, this port is used when HTTP is selected.
443: By default, this port is used when HTTPS is selected.
Note: HTTP/2 uses the same port as HTTPS.
Custom ports: Enter port numbers in the HTTP Port and HTTPS Port fields. Separate multiple port numbers with commas (,).
Click View Allowed Port Range to query all supported ports.
Load Balancing Algorithm
If you enter multiple addresses of origin servers, you must configure this parameter. Valid values:
IP hash: Requests that are sent from a specific IP address are forwarded to the same origin server. This is the default value.
Note: If you select IP hash but the IP addresses of origin servers are not scattered across different network segments, workloads may be unbalanced.
Round-robin: All requests are distributed to origin servers in sequence.
Least time: WAF uses the intelligent DNS resolution feature and the upgraded least-time back-to-origin algorithm to reduce latency when requests are forwarded to origin servers.
Note: You can select Least time only when intelligent load balancing is enabled. For more information, see Intelligent load balancing.
After the settings take effect, WAF distributes back-to-origin requests to multiple addresses of origin servers.
Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF:
Specify whether a Layer 7 proxy is deployed in front of WAF. The Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN (CDN). Valid values:
No: No Layer 7 proxies are deployed in front of WAF, and WAF receives requests from the client. WAF uses the IP address that is used by a client to establish a connection with WAF as the IP address of the client. WAF obtains the IP address from the
Yes: A Layer 7 proxy is deployed in front of WAF. WAF receives requests from the Layer 7 proxy instead of the client. To ensure that WAF can obtain the actual IP address of the client for security analysis, you must configure the Obtain Source IP Address parameter.
By default, WAF uses the first IP address in the X-Forwarded-For field as the IP address of a client.
If a proxy that requires the actual IP addresses to be included in a custom header field is used, such as X-Client-IP or X-Real-IP, you must select [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery and enter a custom header field in the Header Field field.
Note: We recommend that you use custom header fields to store the IP addresses of clients and configure the header fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF protection. This improves the security of your business.
You can enter multiple header fields. Separate multiple header fields with commas (,). If you enter multiple header fields, WAF scans the header fields in sequence until the IP address of the client is obtained. If WAF cannot obtain the IP address of the client from header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.
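The client-IP resolution order described above, written out as an added example (not Alibaba Cloud code): without a Layer 7 proxy the connecting address is the client; with one, the configured header fields are scanned in sequence and the first IP address in X-Forwarded-For is the fallback. The final fallback to the peer address when no header yields an IP, and all addresses in the sample headers, are assumptions.

```python
import ipaddress
from typing import Dict, Optional, Sequence


def first_ip(value: str) -> Optional[str]:
    """Return the first comma-separated element if it is a valid IP address, else None."""
    first = value.split(",", 1)[0].strip()
    try:
        ipaddress.ip_address(first)
    except ValueError:
        return None
    return first


def client_ip(peer_ip: str, headers: Dict[str, str], layer7_proxy: bool,
              trusted_fields: Sequence[str] = ()) -> str:
    """Resolve the client IP the way the Website Access settings describe.

    peer_ip        -- address of the TCP peer that connected to WAF
    layer7_proxy   -- the 'Does a layer 7 proxy exist in front of WAF' setting
    trusted_fields -- header fields entered under 'Use the First IP Address in
                      Specified Header Field', scanned in the order given
    """
    if not layer7_proxy:
        # No proxy in front of WAF: the connecting address is the client.
        return peer_ip
    lower = {k.lower(): v for k, v in headers.items()}
    for field in trusted_fields:
        ip = first_ip(lower.get(field.lower(), ""))
        if ip:
            return ip
    # Fallback: first address in X-Forwarded-For, which a client can forge.
    ip = first_ip(lower.get("x-forwarded-for", ""))
    # Assumption: with no usable header at all, fall back to the peer address.
    return ip or peer_ip


# Constructed headers: the client forged X-Forwarded-For, while the proxy in
# front of WAF wrote the true address into its own X-Client-IP field.
PROXY_HEADERS = {"X-Forwarded-For": "198.51.100.1, 192.0.2.25",
                 "X-Client-IP": "192.0.2.25"}

if __name__ == "__main__":
    print(client_ip("203.0.113.10", PROXY_HEADERS, True))                    # 198.51.100.1 (forged)
    print(client_ip("203.0.113.10", PROXY_HEADERS, True, ("X-Client-IP",)))  # 192.0.2.25
```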
Enable Traffic Mark
Specify whether to enable the WAF traffic mark feature.
This feature adds custom header fields to WAF back-to-origin requests. You can specify or modify the custom header fields to tag the requests that are forwarded by WAF or record the IP addresses of clients.
If you select Enable Traffic Mark, you must add custom header fields.
Important: We recommend that you do not configure a standard HTTP header field, such as User-Agent. If you configure a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field.
If an attacker obtains the IP address of the origin server before you add the domain name to WAF and purchases another WAF instance to forward requests to the origin server, we recommend that you select Enable Traffic Mark and add custom header fields. We recommend that you verify the header fields after the origin server receives the requests. If the specified header fields exist, the requests are allowed.
You can add the following types of header fields:
If you want to add a custom header, you must configure the following fields: Header Name and Header Value. WAF adds the header field to the back-to-origin requests. This allows the backend service to check whether requests pass through WAF, collect statistics, and analyze data.
For example, you can specify the ALIWAF-TAG: Yes header field setting to tag the requests that pass through WAF. In this example, the header field name is ALIWAF-TAG and the header field value is Yes.
Originating IP Address
You can configure a custom header to record the actual IP address of a client. This way, your origin server can obtain the actual IP address of the client. For information about how WAF obtains the actual IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter.
You can configure a custom header to record the source port of a client. This way, your origin server can obtain the actual port of the client.
Click + Add Mark to add a header field. You can add up to five header fields.
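An origin-side check for the traffic mark, as an added example (not Alibaba Cloud code): requests that do not carry the mark did not pass through your WAF instance and are refused, and the originating IP address mark is read in preference to the connecting address. The ALIWAF-TAG: Yes header is the page's own example; the X-Client-Real-IP header name and the WSGI form are assumptions.

```python
import hmac
from typing import Optional, Tuple

MARK_HEADER = "ALIWAF-TAG"          # custom header name from the page's example
MARK_VALUE = "Yes"                  # custom header value from the page's example
CLIENT_IP_HEADER = "X-Client-Real-IP"  # assumed name chosen for the Originating IP Address mark


def wsgi_key(header_name: str) -> str:
    """Map an HTTP header name to its WSGI environ key (X-Foo -> HTTP_X_FOO)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def evaluate(environ: dict) -> Tuple[str, Optional[str]]:
    """Return (status, client_ip) for one request.

    A request without the mark did not pass through WAF (sent straight to the
    origin IP, or via another WAF instance), so it is refused. The comparison
    is constant-time so the mark value can be treated as a shared secret.
    """
    got = environ.get(wsgi_key(MARK_HEADER), "")
    if not hmac.compare_digest(got.encode(), MARK_VALUE.encode()):
        return "403 Forbidden", None
    ip = environ.get(wsgi_key(CLIENT_IP_HEADER)) or environ.get("REMOTE_ADDR")
    return "200 OK", ip


def application(environ, start_response):
    """Minimal WSGI app: serve only requests that carry the WAF traffic mark."""
    status, ip = evaluate(environ)
    body = f"client {ip}\n" if ip else "request did not pass through WAF\n"
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]


# Constructed environs: one forwarded by WAF, one sent directly to the origin.
VIA_WAF = {"REMOTE_ADDR": "203.0.113.5", "HTTP_ALIWAF_TAG": "Yes",
           "HTTP_X_CLIENT_REAL_IP": "192.0.2.25"}
DIRECT = {"REMOTE_ADDR": "198.51.100.7"}

if __name__ == "__main__":
    print(evaluate(VIA_WAF))  # ('200 OK', '192.0.2.25')
    print(evaluate(DIRECT))   # ('403 Forbidden', None)
```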
Select the resource group to which you want to add the domain name from the drop-down list.
Note: You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
Modify the hosts file of your computer to map the domain name to the load balancer that is deployed in front of the on-premises WAF node. Then, test whether WAF can filter and forward requests as expected.
Note: Only the Alibaba Cloud technical support team can perform this operation.
Modify the DNS record of the domain name that you want to protect to map the domain name to the on-premises load balancer.
Click Completed. Return to the website list.
After you complete the steps, the domain name is protected by Hybrid Cloud WAF.