CreateDomain - Web Application Firewall - Alibaba Cloud Documentation Center

Add a domain name to a Web Application Firewall (WAF) instance to enable protection.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-waf:CreateDomain

create

*DefenseResource

acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/*

None

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	The ID of the WAF instance. Note Call DescribeInstance to query the ID of the current WAF instance.	waf_cdnsdf3****
ResourceManagerResourceGroupId	string	No	The ID of the Alibaba Cloud resource group.	rg-acfm***q
Domain	string	Yes	The domain name to query.	www.aliyundoc.com
Listen	object	Yes	You can configure the listening information.
HttpsPorts	array	No	The listening ports for HTTPS.
	integer	No	The listening ports for HTTPS, in the format of [port1,port2,......,portN].	[443,8443]
HttpPorts	array	No	The listening ports for HTTP.
	integer	No	The listening ports for HTTP, in the format of [port1,port2,……].	[80,81]
Http2Enabled	boolean	No	Specifies whether to enable HTTP/2. This parameter is available only if you specify HttpsPorts (indicating that the domain name uses HTTPS). Valid values: true: Enables HTTP/2. false (default): Disables HTTP/2.	true
CertId	string	No	The ID of the certificate that you want to add. This parameter is available only if you specify HttpsPorts (indicating that the domain name uses HTTPS).	123
SM2Enabled	boolean	No	Specifies whether to add an SM certificate.	true
SM2CertId	string	No	The ID of the SM certificate that you want to add. This parameter is available only if you set SM2Enabled to true.	123-cn-hangzhou
SM2AccessOnly	boolean	No	Specifies whether to allow access only from SM certificate-based clients. This parameter is available only if you set SM2Enabled to true. true: Only SM certificate-based clients can access. false: Both SM certificate-based and non-SM certificate-based clients can access.	true
TLSVersion	string	No	The Transport Layer Security (TLS) version that you want to add. This parameter is available only if you specify HttpsPorts (indicating that the domain name uses HTTPS). Valid values: tlsv1 tlsv1.1 tlsv1.2	tlsv1
EnableTLSv3	boolean	No	Specifies whether to support TLS 1.3. This parameter is available only if you specify HttpsPorts (indicating that the domain name uses HTTPS). Valid values: true: Supports TLS 1.3. false: Does not support TLS 1.3.	true
CipherSuite	integer	No	The type of the cipher suite that you want to add. This parameter is available only if you specify HttpsPorts (indicating that the domain name uses HTTPS). Valid values: 1: Adds all cipher suites. 2: Adds strong cipher suites. This value is available only if you set TLSVersion to tlsv1.2. 99: Adds custom cipher suites.	2
CustomCiphers	array	No	The custom cipher suites that you want to add.
	string	No	The custom cipher suites that you want to add. This parameter is available only if you set CipherSuite to 99.	["xxx","ffas"]
FocusHttps	boolean	No	Specifies whether to enable force redirect from HTTP to HTTPS for received requests. This parameter is available only if you specify HttpsPorts and leave HttpPorts empty. Valid values: true: Enables force redirect from HTTP to HTTPS. false: Disables force redirect from HTTP to HTTPS.	true
XffHeaderMode	integer	No	The method that WAF uses to obtain the originating IP address of a client. Valid values: 0 (default): The client traffic does not pass through other Layer 7 proxies before it reaches WAF. 1: WAF uses the first value in the X-Forwarded-For (XFF) header as the client IP address. 2: WAF uses the value of a custom header field that you specify as the client IP address.	1
XffHeaders	array	No	The custom header fields that are used to obtain the originating IP address of a client.
	string	No	The custom header fields that are used to obtain the originating IP address of a client, in the format of ["header1","header2",……]. Note This parameter is required only if you set XffHeaderMode to 2 (indicating that WAF uses the value of a custom header field that you specify as the client IP address).	["Client-ip","cip"]
IPv6Enabled	boolean	No	Specifies whether to enable IPv6. Valid values: true: Enables IPv6. false (default): Disables IPv6.	true
ProtectionResource	string	No	The type of protection resource that you want to use. Valid values: share (default): Uses a shared cluster. gslb: Uses intelligent load balancing for a shared cluster.	share
ExclusiveIp	boolean	No	Specifies whether to enable the exclusive IP address feature. This parameter is available only if you set IPv6Enabled to false (indicating that IPv6 is disabled) and ProtectionResource to share (indicating that a shared cluster is used). Valid values: true: Enables the exclusive IP address feature. false (default): Disables the exclusive IP address feature.	true
HstsIncludeSubDomain	boolean	No	Specifies whether HSTS includes subdomains. Valid values: true: Includes subdomains. false: Does not include subdomains.
HstsPreload	boolean	No	Specifies whether to enable HSTS preloading. Valid values: true: Enables HSTS preloading. false: Disables HSTS preloading.
HstsMaxAge	integer	No	The time-to-live (TTL) for HSTS. Unit: seconds.	365000
Redirect	object	Yes	The forwarding configurations.
Backends	array	No	The IP address or domain name of the origin server.
	string	No	The IP address or domain name of the origin server. You can use only one of the address types. If you use the domain name type, the domain name can be resolved only to an IPv4 address: To specify IP addresses, use the format of ["ip1","ip2",……]. You can specify up to 20 IP addresses. To specify domain names, use the format of ["domain"]. You can enter up to 20 domain names.	[ "1.1.XX.XX", "2.2.XX.XX" ]
Loadbalance	string	Yes	The load balancing algorithm that you want to use when WAF forwards requests to the origin server. Valid values: iphash: IPHash algorithm. roundRobin: Polling algorithm. leastTime: Least Time algorithm. This value is available only if you set ProtectionResource to gslb (indicating that intelligent load balancing for a shared cluster is used).	roundRobin
FocusHttpBackend	boolean	No	Specifies whether to enable force redirect from HTTPS to HTTP for back-to-origin requests. This parameter is available only if you specify HttpsPorts (indicating that the domain name uses HTTPS). Valid values: true: Enables force redirect from HTTPS to HTTP for back-to-origin requests. false: Disables force redirect from HTTPS to HTTP for back-to-origin requests.	true
SniEnabled	boolean	No	Specifies whether to enable the Server Name Indication (SNI) feature for back-to-origin requests. This parameter is available only if you specify HttpsPorts (indicating that the domain name uses HTTPS). Valid values: true: Enables the SNI feature for back-to-origin requests. false (default): Disables the SNI feature for back-to-origin requests.	true
SniHost	string	No	The custom value of the SNI field. If you do not specify this parameter, the value of the Host header in the request is used as the value of the SNI field. This parameter is optional. If you want WAF to use an SNI field value that is different from the Host field value in back-to-origin requests, you can specify a custom value for the SNI field. Note This parameter is required only if you set SniEnabled to true (indicating that the SNI feature is enabled for back-to-origin requests).	www.aliyundoc.com
RequestHeaders	array<object>	No	The key-value pairs that you want to use to label the requests that pass through the WAF instance. When a request passes through WAF, WAF automatically adds the custom header fields to the request to mark the request. This way, the backend service can identify requests that are processed by WAF.
	object	No	The format of this parameter value is [{"k":"*key","v":"value"}]. key* indicates the custom header field that you specify, and *value* indicates the value that you set for the field.
Key	string	No	The key of the custom header field.	aaa
Value	string	No	The value of the custom header field.	bbb
ConnectTimeout	integer	No	The timeout period for connections. Unit: seconds. Valid values: 1 to 3600. Default value: 5.	120
ReadTimeout	integer	No	The timeout period for read operations. Unit: seconds. Valid values: 1 to 3600. Default value: 120.	200
WriteTimeout	integer	No	The timeout period for write operations. Unit: seconds. Valid values: 1 to 3600. Default value: 120.	200
CnameEnabled	boolean	No	Specifies whether the public cloud disaster recovery feature is enabled for the domain name. Valid values: true: Enables the public cloud disaster recovery feature. false (default): Disables the public cloud disaster recovery feature.	true
RoutingRules	string	No	The forwarding rules for hybrid cloud mode. This parameter is a JSON string. Each element in the JSON array is a struct that contains the following fields: rs: Array \| The IP addresses or canonical names of the origin servers. backupRs: Array \| The backup IP addresses or canonical names of the origin servers. Required. An empty array [] means no backup is configured. location: String \| The name of the protection node. locationId: Long \| The ID of the protection node.	[ { "rs": [ "1.1.XX.XX" ], "backupRs": [ "2.2.XX.XX" ], "locationId": 535, "location": "test1111" } ]
Keepalive	boolean	No	Specifies whether to enable the persistent connection feature. Valid values: true (default): Enables the persistent connection feature. false: Disables the persistent connection feature.	true
Retry	boolean	No	Specifies whether WAF retries if WAF fails to forward requests to the origin server. Valid values: true (default): Retries. false: Does not retry.	true
KeepaliveRequests	integer	No	The number of reused persistent connections. Valid values: 60 to 1000. Default value: 1000. Note The number of reused persistent connections after the persistent connection feature is enabled.	1000
KeepaliveTimeout	integer	No	The timeout period of idle persistent connections. Valid values: 1 to 60. Default value: 15. Unit: seconds. Note This parameter specifies the time for which a reused persistent connection can remain in the Idle state before the persistent connection is closed.	15
XffProto	boolean	No	Specifies whether to use the X-Forward-For-Proto header to identify the protocol used by WAF to forward requests to the origin server. Valid values: true (default): Uses the X-Forward-For-Proto header to identify the protocol used by WAF. false: Does not use the X-Forward-For-Proto header to identify the protocol used by WAF.	false
BackupBackends	array	No	The secondary IP address or domain name of the origin server.
	string	No	The secondary IP address or domain name of the origin server. You can use only one of the address types. If you use the domain name type, the domain name can be resolved only to an IPv4 address: To specify IP addresses, use the format of ["ip1","ip2",……]. You can specify up to 20 IP addresses. To specify domain names, use the format of ["domain"]. You can enter up to 20 domain names.	[ "1.1.XX.XX", "2.2.XX.XX" ]
XClientIp	boolean	No	Specifies whether to allow WAF to overwrite the X-Client-IP header. Valid values: true (default): Allows WAF to overwrite the header. false: Does not allow WAF to overwrite the header.	true
XTrueIp	boolean	No	Specifies whether to allow WAF to overwrite the X-True-IP header. Valid values: true (default): Allows WAF to overwrite the header. false: Does not allow WAF to overwrite the header.	true
WebServerType	boolean	No	Specifies whether to allow WAF to overwrite the Web-Server-Type header. Valid values: true (default): Allows WAF to overwrite the header. false: Does not allow WAF to overwrite the header.	true
WLProxyClientIp	boolean	No	Specifies whether to allow WAF to overwrite the WL-Proxy-Client-IP header. Valid values: true (default): Allows WAF to overwrite the header. false: Does not allow WAF to overwrite the header.	true
MaxBodySize	integer	No	The maximum size of a request body. Valid values: 2 to 10. Default value: 2. Unit: GB. Note This parameter is supported only by the Ultimate edition.	2
Http2Origin	boolean	No	Specifies whether to enable HTTP/2 for back-to-origin traffic. Valid values: true: Enables HTTP/2 for back-to-origin traffic. false: Disables HTTP/2 for back-to-origin traffic.	true
Http2OriginMaxConcurrency	integer	No	The maximum number of concurrent HTTP/2 back-to-origin requests. Valid values: 1 to 512. Default value: 128.	128
BackendPorts	array<object>	No	The custom port configuration.
	object	No	The custom port configuration.
ListenPort	integer	No	The listener port.	80
BackendPort	integer	No	The back-to-origin port.	80
Protocol	string	No	The protocol of the listener port. Valid values: http: HTTP. https: HTTPS.	http
ProxyProtocol	boolean	No	Specifies whether to enable the Proxy Protocol feature to preserve the client's source IP address. Valid values: true: Enables the Proxy Protocol feature. After enabling this feature, backend services can view the original IP address of the client. false: Disables the Proxy Protocol feature.
RegionId	string	Yes	The region where the WAF instance is deployed. Valid values: cn-hangzhou: The Chinese mainland. ap-southeast-1: Outside the Chinese mainland.	cn-hangzhou
AccessType	string	No	The access type of the WAF instance. Valid values: share (default): CNAME access. hybrid_cloud_cname: Hybrid cloud CNAME access.	share
Tag	array<object>	No	The tags. You can specify up to 20 tags.
	object	No	The tag. You can specify up to 20 tags.
Key	string	No	The tag key.	Tagkey1
Value	string	No	The tag value.	TagValue1

Response elements

Element	Type	Description	Example
	object	The result of the request.
RequestId	string	The request ID.	D7861F61-5B61-46CE-A47C-6B19160D5EB0
DomainInfo	object	The information about the domain name that is added.
Cname	string	The CNAME assigned by WAF to the domain name.	xxxxxwww.****.com
Domain	string	The domain name that you added to WAF.	www.aliyundoc.com
DomainId	string	The domain ID.	www.aliyundoc.com-waf

Examples

Success response

JSON format

{
  "RequestId": "D7861F61-5B61-46CE-A47C-6B19160D5EB0",
  "DomainInfo": {
    "Cname": "xxxxxwww.****.com",
    "Domain": "www.aliyundoc.com",
    "DomainId": "www.aliyundoc.com-waf"
  }
}

Error codes

HTTP status code	Error code	Error message	Description
400	Waf.Pullin.ResourceExsit	Access resource already exists, resource:%s.	Access resource already exists, existing resource:%s.
400	Waf.Pullin.BusinessViolation	The web services are suspected of violating regulations. If you have any questions, please submit a work order. Violating resource: %s.
400	Waf.Pullin.Http2OriginMustOnHttp2Enable	When HTTP2 origin is enabled, HTTP2 listening must be enabled.	When HTTP2 back-to-source is enabled, HTTP2 listening must be enabled.
400	Waf.Pullin.Http2OriginMustOnKeepaliveEnable	When the HTTP2 origin is turned on, the keepalive must be turned on.	When the HTTP2 origin is turned on, the keepalive must be turned on.
400	Waf.Pullin.Http2OriginEnabledFocusHttpBackendForbidden	When HTTP2 origin is enabled, HTTP origin cannot be enabled.	When HTTP2 origin is enabled, HTTP origin cannot be enabled.
400	Waf.Pullin.BatchDnsScheduleCheckFailed	Batch dns scheduling is in progress, and access related operations are prohibited.	batch dns scheduling is in progress, and access-related operations are prohibited.
400	Waf.Pullin.InvalidMaxAgeWithPreload	HstsMaxAge the parameter is incorrect, when the HstsPreload is True, the HstsMaxAge must be greater than or equal to 31536000.	HstsMaxAge the parameter is incorrect, when the HstsPreload is True, the HstsMaxAge must be greater than or equal to 31536000
400	Waf.Pullin.InvalidIncludeSubDomainWithPreload	The parameter HstsIncludeSubDomain is invalid. When the parameter HstsPreload is true, the HstsIncludeSubDomain must be true.	The parameter HstsIncludeSubDomain is invalid. When the parameter HstsPreload is true, the HstsIncludeSubDomain must be true.
400	Waf.Pullin.InvalidCustomCiphers	Invalid custom cipher suite.	Invalid custom cipher suite.
400	Waf.Pullin.InvalidHttp2OriginWithProxyProtocol	http2Origin and proxyProtocol cannot be opened at the same time.	http2Origin and proxyProtocol cannot be opened at the same time.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.