In CNAME record mode, Web Application Firewall (WAF) uses specific back-to-origin CIDR blocks to forward normal traffic back to an origin server. After you add a website to WAF in CNAME record mode, you must configure security software or access control policies for the origin server to allow inbound traffic from the back-to-origin CIDR blocks of WAF.

Scenarios

In CNAME record mode, if you use security software such as SafeDog or Yunsuo for your origin server, you must add the back-to-origin CIDR blocks of WAF to the IP address whitelist of the security software. This way, the security software does not block the normal traffic forwarded by WAF to the origin server.

FAQ
  • What is a back-to-origin CIDR block of WAF?
    A back-to-origin CIDR block is a CIDR block used by WAF to forward requests that are sent from clients to the origin server. After a website is added to WAF, the origin server considers that all requests come from the back-to-origin CIDR blocks of WAF. The originating IP addresses of clients are added to the X-Forwarded_For (XFF) fields in the HTTP headers of requests. Architecture in which WAF is used
  • Why must I add the back-to-origin CIDR blocks of WAF to the IP address whitelist of the security software on the origin server?

    After a website is added to WAF, the origin server receives most requests from the back-to-origin CIDR blocks of WAF, and requests are sent at a high rate. In this case, the firewall or security software on the origin server may consider these CIDR blocks as attack IP addresses and block them. If these IP addresses are blocked, WAF cannot receive responses from the origin server as expected. Make sure that the back-to-origin CIDR blocks of WAF are added to the IP address whitelist of the origin server after you add a website to WAF. Otherwise, the website may be inaccessible or become slow.

Obtain the back-to-origin CIDR blocks of WAF

  1. Log on to the WAF 3.0 console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. You can select the Chinese Mainland or Outside Chinese Mainland region.
  3. In the left-side navigation pane, click Website Configuration.
  4. Click the CNAME Record tab.
  5. Click Back-to-origin CIDR Blocks above the domain name list.
    Back-to-origin CIDR Blocks
  6. In the Back-to-origin CIDR Block message, click Copy to copy all back-to-origin CIDR blocks to the clipboard.
    Note The back-to-origin CIDR blocks that you copy are separated by commas (,).
    Back-to-origin CIDR Block

What to do next

After you obtain the back-to-origin CIDR blocks of WAF, you must add them to the IP address whitelist of the security software on the origin server. You can also configure access control policies for the origin server to allow inbound traffic only from the back-to-origin CIDR blocks of WAF.

Warning If you do not add the back-to-origin CIDR blocks of WAF to the IP address whitelist of the origin server, normal requests forwarded by WAF may be blocked. This may cause service interruptions.

For security purposes, we recommend that you configure access control policies for the origin server to allow inbound traffic only from the back-to-origin CIDR blocks of WAF. This way, attackers cannot bypass WAF to attack the origin server.