If you have created a Classic Load Balancer (CLB) instance with HTTP or HTTPS listeners, you can add the listener ports of the CLB instance to Web Application Firewall (WAF). The traffic on those ports is then redirected to WAF for inspection before it reaches the backend servers. This topic describes how to add a Layer 7 CLB instance to WAF.

Limits

The following table describes the limits that apply when you add a CLB instance to WAF.

Item: Supported instances
Description: The CLB instance that you want to add to WAF must meet the following requirements:
  • The instance is an Internet-facing instance.
  • The instance does not use an IPv6 address.
  • Mutual authentication is disabled for the instance.

Item: Supported regions
Description:
  • If your WAF instance resides in the Chinese mainland, the CLB instance that you want to add to WAF must reside in one of the following regions: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), and China (Shenzhen).
  • If your WAF instance resides outside the Chinese mainland, the CLB instance that you want to add to WAF must reside in one of the following regions: China (Hong Kong), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).

Item: Number of traffic redirection ports
Description: You can specify up to 65 traffic redirection ports.

Item: TLS security policies
Description: If HTTPS listeners are created for traffic redirection ports, only built-in TLS security policies are supported. If a custom TLS security policy is configured for a port, the port cannot be added to WAF. For more information, see TLS security policies.

Item: Services that are protected by both Anti-DDoS Pro or Anti-DDoS Premium and WAF
Description: If you want to protect your services by using both Anti-DDoS Pro or Anti-DDoS Premium and WAF, you can add the services to WAF in transparent proxy mode only if you added the services to Anti-DDoS Pro or Anti-DDoS Premium by domain name.

Prerequisites

Procedure

Important
  • The first time you add a website to WAF, the web services of your website may be interrupted for several seconds. After your website is added to WAF, your web services are automatically resumed.
  • After you change the public IP address of an instance that is added to WAF, you must re-add the instance to WAF. If you do not re-add the instance to WAF, the service traffic is not protected by WAF.
  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, click Website Configuration.
  3. On the Cloud Native tab, click CLB(HTTP/HTTPS) in the left-side product list.
  4. Click Add and configure the parameters. The following table describes the parameters.
    Parameter: Select the instance and port to be added.
    Operation:
    1. Synchronize Instances
       If the instance that you want to add to WAF is not displayed in the instance list, click Synchronize Instances to refresh the list.
    2. Add Port
       1. Find the instance that you want to add to WAF and click Add Port in the Actions column.
       2. Select the HTTP or HTTPS ports that you want to add to WAF and click OK.
    Parameter: Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF
    Operation: Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. Valid values: Yes and No. Default value: No.
    • No: No Layer 7 proxy is deployed in front of WAF.
      This is the default value. It indicates that WAF receives requests directly from clients, not through a proxy.
      Note WAF uses the IP address from which the connection to WAF is established as the actual IP address of the client. WAF reads this address from the REMOTE_ADDR field of the request. The field is populated from the TCP connection, so a client cannot forge it by editing request headers.
    • Yes: A Layer 7 proxy is deployed in front of WAF.
      Select Yes if a proxy is deployed. It indicates that WAF receives requests that a Layer 7 proxy forwards on behalf of clients. In this case REMOTE_ADDR contains the IP address of the proxy, so you must configure the Obtain Actual IP Address of Client parameter to tell WAF where to find the actual IP address of the client for security analysis.
      Valid values:
      • Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client: This is the default value.
        WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of the client. A client can put any value into this field before the request reaches the proxy, so under this setting an attacker can forge the apparent source address.
      • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery.
        If your proxies record the actual IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value and specify the custom header field in the Header Field field.
        Note We recommend that you store the actual IP addresses of clients in custom header fields and configure those fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF protection rules, which improves the security of your business. The custom header is trustworthy only if the proxy sets or overwrites it on every request; a proxy that passes a client-supplied header through unchanged leaves it as forgeable as X-Forwarded-For.
        You can enter multiple header fields. Press the Enter key after each header field. If you enter multiple header fields, WAF reads them in the order in which you entered them and stops at the first field from which it obtains an IP address. If none of the header fields yields an IP address, WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of the client.

    Parameter: Enable Traffic Mark
    Operation: Specify whether WAF adds the custom header fields that you specify to back-to-origin requests, or overwrites those fields if they are already present.
    • If you do not want to enable the traffic mark feature, skip this parameter.
    • If you want to enable the traffic mark feature, select Enable Traffic Mark and add custom header fields.
      Important We recommend that you do not use a standard HTTP header field, such as User-Agent, as a traffic mark. If you do, WAF overwrites the value of the standard header field with the value that you configure, and the origin server no longer sees the original value.
      You can add the following types of header fields:
      • Custom Header
        Configure the Header Name and Header Value fields. WAF adds the header field to back-to-origin requests. This allows the backend service to check whether a request passed through WAF, collect statistics, and analyze data.
        For example, you can use the ALIWAF-TAG: Yes header field to mark requests that pass through WAF. In this example, ALIWAF-TAG is the name of the header field and Yes is its value.
        Note A mark header proves that a request passed through WAF only if the origin server cannot be reached by any other path. A client that can connect to the origin server directly can add the same header itself.
      • Originating IP Address
        Configure a custom header in which WAF records the actual IP address of the client. This allows your origin server to obtain the actual IP address of the client. For more information about how WAF obtains the actual IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter.
      • Source Port
        Configure a custom header in which WAF records the source port of the client. This allows your origin server to obtain the actual source port of the client.
      Click + Add Mark to add a header field. You can add up to five header fields.

    Parameter: Resource Group
    Operation: Select the resource group to which you want to add the CLB instance from the drop-down list. If you do not select a resource group, the instance is added to the default resource group.
    Note You can use Resource Management to create resource groups and manage the resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
  5. Select the CLB instance that you want to add to WAF and click OK.
    After you add the CLB instance to WAF, the CLB instance is displayed on the Protected Objects page in the WAF console. To go to the Protected Objects page, you can click the CLB instance that you added to WAF on the Cloud Native tab of the Website Configuration page. The protected object name of the CLB instance is in the following format: Instance ID-Port-Asset type. Basic protection rules are automatically enabled for the CLB instance. You can also configure protection rules for the CLB instance on the Protected Objects page. For more information, see Protection configuration overview.
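The following Python script is an added example, not Alibaba Cloud code. It models the two header-handling behaviours from the parameter table on constructed request headers: how the actual client IP address is derived under each setting of the Layer 7 proxy parameter (including why the X-Forwarded-For default is forgeable), and how traffic-mark headers are added to a back-to-origin request and checked on the origin server. The function and variable names, the sample headers and addresses, the case-insensitive header comparison, the left-to-right reading of comma-separated values, and the final fallback to REMOTE_ADDR when no header yields an address are all assumptions of this example; only the console parameter names and the ALIWAF-TAG: Yes example come from the page.

```python
"""Added example, not Alibaba Cloud code: the client-IP derivation and traffic-mark
behaviour described in the parameter table, run over constructed request headers.

Assumptions (ours, not from the page): header names compare case-insensitively;
a field holding several comma-separated values is read left to right and the
first token that parses as an IP address wins; when neither the specified fields
nor X-Forwarded-For yields an address, the connection peer (REMOTE_ADDR) is used.
"""
from ipaddress import ip_address


def first_ip(value):
    """Return the first comma-separated token of value that is an IP address, else None."""
    for token in (value or "").split(","):
        token = token.strip()
        try:
            ip_address(token)
        except ValueError:
            continue
        return token
    return None


def client_ip(headers, remote_addr, layer7_proxy=False, header_fields=()):
    """Derive the actual client IP in the order the parameter description gives.

    headers       -- dict keyed by lower-case header name (constructed input)
    remote_addr   -- peer address of the TCP connection, i.e. REMOTE_ADDR
    layer7_proxy  -- the "Whether Layer 7 Proxy ... Is Deployed in Front of WAF" switch
    header_fields -- the "Header Field" list; empty means "first IP in X-Forwarded-For"
    """
    if not layer7_proxy:
        # No proxy in front of WAF: the connecting address is the client itself.
        return remote_addr
    for field in header_fields:
        ip = first_ip(headers.get(field.lower()))
        if ip:
            return ip  # first specified field that yields an address wins
    # Fallback stated on the page: first IP in X-Forwarded-For.
    # Falling back further to REMOTE_ADDR is our assumption.
    return first_ip(headers.get("x-forwarded-for")) or remote_addr


def apply_marks(headers, marks, client_addr, client_port):
    """Add the "Enable Traffic Mark" fields to a back-to-origin request.

    marks is a list of (kind, name, value) tuples; kind is "custom", "client_ip"
    or "client_port" (our encoding of the three mark types on the page) and value
    is used only for "custom". An existing header with the same name is
    overwritten, which is why the page warns against marking with User-Agent.
    """
    if len(marks) > 5:
        raise ValueError("WAF allows at most five traffic-mark header fields")
    out = dict(headers)
    for kind, name, value in marks:
        if kind == "custom":
            out[name.lower()] = value
        elif kind == "client_ip":
            out[name.lower()] = client_addr
        elif kind == "client_port":
            out[name.lower()] = str(client_port)
        else:
            raise ValueError(f"unknown mark type {kind!r}")
    return out


def origin_accepts(headers, mark_name="ALIWAF-TAG", mark_value="Yes"):
    """Origin-side check that the WAF mark is present.

    This proves the request passed through WAF only if the origin is reachable
    solely via WAF; a client that can hit the origin directly can set the header.
    """
    return headers.get(mark_name.lower()) == mark_value


# Constructed request as seen by WAF. The client put a chosen address into
# X-Forwarded-For; a trusted Layer 7 proxy appended the real client address and
# set X-Client-IP itself (assumed proxy behaviour). Because the proxy opens the
# connection to WAF, REMOTE_ADDR is the proxy's address, not the client's.
REQUEST = {
    "x-forwarded-for": "203.0.113.9, 198.51.100.7",  # 203.0.113.9 is attacker-chosen
    "x-client-ip": "198.51.100.7",                    # written by the proxy
    "user-agent": "curl/8.0",
}
PROXY_ADDR = "192.0.2.10"
REAL_CLIENT = "198.51.100.7"


def demo():
    """Client IP that WAF would use under each of the three console settings."""
    return {
        "no_proxy": client_ip(REQUEST, PROXY_ADDR),
        "xff_first": client_ip(REQUEST, PROXY_ADDR, layer7_proxy=True),
        "specified_header": client_ip(REQUEST, PROXY_ADDR, layer7_proxy=True,
                                      header_fields=["X-Client-IP"]),
    }


if __name__ == "__main__":
    for setting, ip in demo().items():
        print(f"{setting:17} -> {ip}")
    marked = apply_marks(REQUEST, [("custom", "ALIWAF-TAG", "Yes"),
                                   ("client_ip", "X-Real-Client-IP", None),
                                   ("client_port", "X-Client-Port", None)],
                         demo()["specified_header"], 51234)
    print("origin accepts marked request:", origin_accepts(marked))
    print("origin accepts unmarked request:", origin_accepts(REQUEST))
```

Running the script shows the three outcomes side by side: with No selected WAF reports the proxy address, with the X-Forwarded-For default it reports the attacker-chosen 203.0.113.9, and with X-Client-IP as the specified field it reports the real client address. The same forged request, once marked, is accepted by the origin-side check while the unmarked copy is not.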