If you have a Classic Load Balancer (CLB) instance with TCP listeners on its ports, you can add those ports to Web Application Firewall (WAF). Traffic on the added ports is then redirected through WAF before it reaches the CLB backend. This topic describes how to add a Layer 4 CLB instance to WAF.
Limits
Item | Description |
---|---|
Supported instances | If you want to add an instance to WAF, the instance must meet the following requirements: |
Supported regions | |
Number of traffic redirection ports | You can specify up to 65 traffic redirection ports. |
Services that are protected by Anti-DDoS Pro or Anti-DDoS Premium and WAF | If you want to protect a service with both Anti-DDoS Pro or Anti-DDoS Premium and WAF, you can add the service to WAF in transparent proxy mode only if the service was added to Anti-DDoS Pro or Anti-DDoS Premium by domain name. |
Prerequisites
- A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
- A CLB instance that meets the preceding limits is created, and a TCP listener is created for it. For information about the limits on CLB instances that you can add to WAF, see the "Limits" section in this topic. For information about how to create a TCP listener for a CLB instance, see Add a TCP listener.
- WAF is authorized to access cloud resources. For more information, see Authorize WAF to access cloud resources.
Procedure
- The first time you add a website to WAF, the web services of the website may be interrupted for several seconds. After the website is added to WAF, the web services resume automatically.
- If you change the public IP address of an instance that is already added to WAF, you must re-add the instance to WAF. Until you do, the service traffic is not protected by WAF.
- Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
- In the left-side navigation pane, click Website Configuration.
- On the Cloud Native tab of the Website Configuration page, click CLB(TCP) in the left-side product list.
- Click Add and configure the parameters. The following list describes the parameters.
  - Operation: Select the instance and port that you want to add.
    - Optional: Synchronize Instances. If the instance that you want to add to WAF is not displayed in the instance list, click Synchronize Instances to refresh the list.
    - Add Port:
      - Find the instance that you want to add to WAF and click Add Port in the Actions column.
      - Select the port that you want to add to WAF.
      - Select the protocol type of the port. Valid values: HTTP and HTTPS. If you select HTTPS, you must also configure a certificate.
    - Default Certificate (required if you select HTTPS). Valid values:
      - Upload: Click Upload Certificate and configure Certificate Name, Certificate File, and Certificate Key. The Certificate File value is in the `-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----` format, and the Certificate Key value is in the `-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----` format. Important:
        - If the certificate file is in the PEM, CER, or CRT format, open it in a text editor and copy the text content.
        - If the certificate file is in another format, such as PFX or P7B, convert it to the PEM format first, then open it in a text editor and copy the text content. For more information, see How do I convert an HTTPS certificate to the PEM format?
        - If a domain name is associated with multiple SSL certificates or with a certificate chain, combine the text content of the certificate files and upload the combined content. Place the server certificate first, followed by the intermediate certificates.
      - Select Existing Certificate: Select a certificate from the certificate list. The list displays the certificates that are issued by Alibaba Cloud Certificate Management Service and the third-party certificates that are uploaded to the Certificate Management Service console. Click Alibaba Cloud Security - Certificate Management Service to go to the Certificate Management Service console and view the existing certificates.
    - Additional Certificate: If the instance accepts HTTPS traffic for multiple domain names, click + Additional Certificate to import the certificates of the other domain names. The parameters are the same as those of Default Certificate.
    - Advanced Settings (available if you select HTTPS):
      - TLS Version: Specify the TLS versions that are supported for HTTPS communication. If a client uses a TLS version that does not meet the requirement, WAF blocks the requests from that client. A later TLS version provides higher security but lower compatibility. We recommend that you select the TLS version based on the HTTPS settings of your website. If you cannot obtain the HTTPS settings of your website, use the default value. Note that TLS 1.0 and TLS 1.1 are deprecated (RFC 8996), so select TLS 1.2 and Later unless you must support legacy clients. Valid values:
        - TLS 1.0 and Later (Best Compatibility and Low Security). This is the default value.
        - TLS 1.1 and Later (High Compatibility and High Security). A client that uses TLS 1.0 cannot access the website.
        - TLS 1.2 and Later (High Compatibility and Best Security). A client that uses TLS 1.0 or 1.1 cannot access the website.
      - Cipher Suite: Specify the cipher suites that are supported for HTTPS communication. If a client uses a cipher suite that does not meet the requirement, WAF blocks the requests from that client. Default value: All Cipher Suites (High Compatibility and Low Security). Modify this parameter only if your website supports only specific cipher suites. Valid values:
        - All Cipher Suites (High Compatibility and Low Security).
        - Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.): If your website supports only specific cipher suites, select this value and then select the cipher suites that your website supports from the drop-down list. For more information, see View supported cipher suites. Clients that use other cipher suites cannot access the website.
  - Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF: Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. Default value: No. Valid values:
    - No: No Layer 7 proxy is deployed in front of WAF. WAF receives requests directly from clients; the requests are not forwarded by a proxy. Note: WAF uses the IP address that established the connection to WAF as the actual client IP address. WAF takes this address from the `REMOTE_ADDR` field of the request.
    - Yes: A Layer 7 proxy is deployed in front of WAF. Select this value if proxies are deployed. WAF then receives requests that the Layer 7 proxy forwards, not requests sent directly by clients. To ensure that WAF obtains the actual client IP address for security analysis, you must configure the Obtain Actual IP Address of Client parameter. Valid value:
      - [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery: If your proxies place the actual client IP address in a custom header field, such as X-Client-IP or X-Real-IP, select this value and specify the custom header field in the Header Field field. Note: We recommend that you carry the actual client IP addresses in custom header fields. Because the proxy sets these fields itself, attackers cannot forge X-Forwarded-For fields to bypass WAF protection rules. Make sure that the proxy overwrites the field rather than passing through a value supplied by the client; otherwise the custom field can be forged in the same way as X-Forwarded-For. You can enter multiple header fields; press Enter after each one. If you enter multiple header fields, WAF scans them in sequence until it obtains the actual client IP address. If WAF cannot obtain the actual client IP address from any of the header fields, WAF uses the first IP address in the X-Forwarded-For field, so a field that the proxy never sets silently falls back to a forgeable value.
  - Enable Traffic Mark: Specify whether WAF adds or modifies custom header fields in the headers of back-to-origin requests.
    - If you do not want to enable the traffic mark feature, skip this parameter.
    - If you want to enable the traffic mark feature, select Enable Traffic Mark and add custom header fields. Important: We recommend that you do not configure a standard HTTP header field, such as User-Agent. If you do, the value of the standard header field is overwritten by the value that you configure. You can add the following types of header fields:
      - Custom Header: Configure Header Name and Header Value. WAF adds the header field to back-to-origin requests, so the backend service can check whether requests passed through WAF, collect statistics, and analyze data. For example, you can use the `ALIWAF-TAG: Yes` header field to mark the requests that pass through WAF. In this example, `ALIWAF-TAG` is the name of the header field and `Yes` is its value. Any client that can reach the origin server directly can also send this header, so treat it as proof of WAF processing only on connections that come from WAF's back-to-origin addresses.
      - Originating IP Address: Configure a custom header in which WAF records the actual IP address of the client. This way, your origin server can obtain the actual IP address of the client. For more information about how WAF obtains the actual IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter.
      - Source Port: Configure a custom header in which WAF records the source port of the client. This way, your origin server can obtain the actual port of the client.
    Click + Add Mark to add a header field. You can add up to five header fields.
  - Resource Group: Select the resource group to which you want to add the instance from the drop-down list. If you do not select a resource group, the instance is added to the default resource group. Note: You can use Resource Management to create resource groups and manage the resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
- Select the CLB instance that you want to add to WAF and click OK. After you add the CLB instance to WAF, it is displayed on the Protected Objects page in the WAF console. To go to the Protected Objects page, click the CLB instance that you added on the Cloud Native tab of the Website Configuration page. The protected object name of the CLB instance is in the format Instance ID-Port-Asset type. Basic protection rules are automatically enabled for the CLB instance. You can also configure additional protection rules for it on the Protected Objects page. For more information, see Protection configuration overview.
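The following Python model walks a request through the path that the Obtain Actual IP Address of Client and Enable Traffic Mark parameters above describe: client, Layer 7 proxy, WAF, origin server. It is an added example, not Alibaba Cloud code, and everything in it is constructed: the proxy and WAF addresses, the WAF back-to-origin range, the mark header names (`ALIWAF-TAG`, `X-Client-Real-IP`, `X-Client-Real-Port`) and the proxy behaviour (append to X-Forwarded-For, overwrite X-Client-IP). It shows why the first IP in X-Forwarded-For is forgeable, why the configured header field must be one the proxy actually sets, and why an origin should accept the traffic mark only on connections from WAF.

```python
"""Client -> Layer 7 proxy -> WAF -> origin header flow, modelled end to end.
Constructed example; all addresses, ranges and header names are placeholders."""
import ipaddress
from typing import Dict, Optional, Sequence, Tuple

PROXY_IP = "192.0.2.10"          # placeholder: Layer 7 proxy address as seen by WAF
WAF_EGRESS_IP = "198.51.100.20"  # placeholder: WAF back-to-origin address as seen by origin
WAF_EGRESS_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder, not WAF's real ranges
MARKS = {                        # placeholder names for the three traffic-mark types
    "custom": ("ALIWAF-TAG", "Yes"),
    "origin_ip": "X-Client-Real-IP",
    "source_port": "X-Client-Real-Port",
}

def first_ip(value: str) -> Optional[str]:
    """First syntactically valid IP address in a comma-separated header value, else None."""
    for token in value.split(","):
        token = token.strip()
        host = token.rsplit(":", 1)[0] if token.count(":") == 1 else token  # drop IPv4 ":port"
        try:
            ipaddress.ip_address(host)
            return host
        except ValueError:
            continue
    return None

def proxy_forward(headers: Dict[str, str], peer_ip: str) -> Dict[str, str]:
    """Modelled Layer 7 proxy: append the connecting peer to X-Forwarded-For (keeping
    whatever the client already sent) and overwrite X-Client-IP with the peer address,
    so that field cannot be forged from outside. Confirm what your real proxy does."""
    out = dict(headers)
    prior = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{prior}, {peer_ip}" if prior else peer_ip
    out["X-Client-IP"] = peer_ip
    return out

def waf_client_ip(headers: Dict[str, str], remote_addr: str,
                  layer7_proxy: bool = False, custom_fields: Sequence[str] = ()) -> str:
    """The client-IP rule described on this page. No Layer 7 proxy: the connecting
    address (REMOTE_ADDR) is the client. With a proxy: scan the configured header fields
    in order and take the first IP found; else the first IP in X-Forwarded-For; else
    REMOTE_ADDR."""
    if not layer7_proxy:
        return remote_addr
    lower = {k.lower(): v for k, v in headers.items()}
    for field in custom_fields:
        ip = first_ip(lower.get(field.lower(), ""))
        if ip:
            return ip
    return first_ip(lower.get("x-forwarded-for", "")) or remote_addr

def waf_back_to_origin(headers: Dict[str, str], remote_addr: str, client_port: int,
                       layer7_proxy: bool, custom_fields: Sequence[str]) -> Dict[str, str]:
    """Build the back-to-origin request. Each mark is added, or overwritten if a header of
    that name already exists (the reason the page warns against names like User-Agent)."""
    out = dict(headers)
    name, value = MARKS["custom"]
    out[name] = value
    out[MARKS["origin_ip"]] = waf_client_ip(headers, remote_addr, layer7_proxy, custom_fields)
    out[MARKS["source_port"]] = str(client_port)
    return out

def origin_accepts(headers: Dict[str, str], peer_ip: str) -> Tuple[bool, Optional[str]]:
    """Origin-side check. The mark alone proves nothing: anyone who reaches the origin
    directly can send 'ALIWAF-TAG: Yes'. Trust it only on connections from a WAF
    back-to-origin address, and read the client IP from the originating-IP mark, not
    from X-Forwarded-For. Returns (accepted, client_ip)."""
    name, value = MARKS["custom"]
    from_waf = any(ipaddress.ip_address(peer_ip) in net for net in WAF_EGRESS_NETS)
    if not from_waf or headers.get(name) != value:
        return False, None
    return True, headers.get(MARKS["origin_ip"])

def run_scenario(custom_fields: Sequence[str]) -> Tuple[bool, Optional[str]]:
    """Constructed attack: a client at 203.0.113.7 sends forged X-Forwarded-For and
    X-Client-IP values through the Layer 7 proxy. Returns what the origin finally sees."""
    attacker_ip = "203.0.113.7"
    sent = {"X-Forwarded-For": "10.0.0.1", "X-Client-IP": "10.0.0.1", "User-Agent": "curl/8.0"}
    at_waf = proxy_forward(sent, attacker_ip)  # proxy fixes X-Client-IP, appends to XFF
    to_origin = waf_back_to_origin(at_waf, PROXY_IP, 51234, True, custom_fields)
    return origin_accepts(to_origin, WAF_EGRESS_IP)

if __name__ == "__main__":
    print("XFF fallback only:          ", run_scenario(()))                # forged 10.0.0.1 wins
    print("X-Client-IP configured:     ", run_scenario(("X-Client-IP",)))  # real 203.0.113.7
    print("field the proxy never sets: ", run_scenario(("X-Real-IP",)))    # silently back to XFF
    print("direct hit on origin:       ", origin_accepts({"ALIWAF-TAG": "Yes"}, "203.0.113.7"))
```

The scenario with an empty field list reproduces the forgery the page warns about: the proxy appended the real address, but the first entry in X-Forwarded-For is still the attacker's value. Configuring `X-Client-IP` fixes it because the proxy overwrites that field; configuring a field the proxy never populates gives the same wrong answer as no field at all, so verify the name against the proxy's actual back-to-WAF headers. The origin check also shows that selecting No for the Layer 7 proxy parameter while a proxy is present would make WAF treat the proxy's own address as the client.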