If a custom domain name is bound to a web application in Function Compute, you can enable Web Application Firewall (WAF) protection for the custom domain name in the Function Compute console. This way, web traffic is forwarded to WAF. This topic describes how to enable WAF protection for a custom domain name bound to a web application in Function Compute.
Background information
Function Compute is an event-driven computing service that uses a serverless architecture. Function Compute allows you to write and upload code without the need to manage infrastructure resources. You can use Function Compute to create applications and services in an efficient manner. For more information, see What is Function Compute?
The protection capabilities of WAF are integrated into Function Compute as an SDK module. You can enable WAF protection for custom domain names that are bound to web applications in Function Compute. WAF identifies, scrubs, and filters out malicious web traffic, and then forwards normal traffic to the backend function.
Limits
You can add web services to WAF in cloud native mode only if your web services use the following Alibaba Cloud services: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Serverless App Engine (SAE), Classic Load Balancer (CLB), and Elastic Compute Service (ECS). If your web services do not use the preceding services, you can add the domain name of your website to WAF in CNAME record mode. For more information, see Add a domain name to WAF.
The custom domain name for which you want to enable WAF protection must be in one of the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), and China (Shenzhen).
You cannot enable the following protection modules for custom domain names that are added to WAF: website tamper-proofing, data leakage prevention, bot management, and API security.
Prerequisites
A WAF 3.0 instance that is deployed in the Chinese mainland is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
If you use a subscription WAF instance, make sure that the number of protected objects that you add to WAF does not exceed the upper limit. If the number of protected objects that you add to WAF exceeds the upper limit, you can no longer add cloud service instances to WAF.
To view the number of protected objects that you can add to WAF, go to the Protected Objects page.
Procedure
You can enable WAF protection during or after creating a custom domain name for your web application.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group to which the WAF instance that you want to manage belongs, and then select Chinese Mainland for the region of the WAF instance.
In the left-side navigation pane, click Website Configuration.
On the Cloud Native tab, click FC in the left-side product type list. Then, click Add.
Click Authorize Now to authorize your WAF instance to access Function Compute.
Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose in the left-side navigation pane.
NoteIf you already authorized WAF to access Function Compute, skip this step.
Then, you are redirected to the Function Compute console.
On the Custom Domains page in the Function Compute console, enable WAF protection for custom domain names.
Create a custom domain name and enable WAF protection for the domain name
In the top navigation bar, select China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), or China (Shenzhen) and click Add Custom Domain Name.
On the Add Custom Domain Name page, configure the parameters and click Create. The following table describes the parameters.
Parameter
Description
Domain Name
Enter the custom domain name that obtained the Internet Content Provider (ICP) filing in the Alibaba Cloud ICP Filing system or the custom domain name whose ICP filing information includes Alibaba Cloud as a service provider. Single domain names are supported. Example:
www.aliyun.com. Wildcard domain names are also supported. Example:*.aliyun.com.HTTPS
Select Enable or Disable to allow or deny access to the custom domain name over HTTPS.
Enable: allows access to the custom domain name over HTTPS. If you select this option, users can access the custom domain name over HTTP or HTTPS.
After you enable HTTPS, upload an Alibaba Cloud SSL certificate that is bound to the custom domain name.
Alibaba Cloud SSL Certificate: Select an Alibaba Cloud SSL certificate from the Certificate Name drop-down list. If the Certificate Name drop-down list is empty, you did not purchase an Alibaba Cloud SSL certificate. Log on to the Certificate Management Service console to purchase an Alibaba Cloud SSL certificate. For more information, see Purchase an SSL certificate.
Manual Upload: Configure the Certificate Name, PEM Certificate Content, and PEM Certificate Key parameters.
NoteThe certificate that you want to upload cannot exceed 20 KB in size. The certificate key cannot exceed 4 KB in size.
You can configure the following parameters based on your business requirements:
Select the version of the Transport Layer Security (TLS) protocol that you want the custom domain name to use from the drop-down list. If you do not configure this parameter, TLS 1.0, TLS 1.1, or TLS 1.2 is used. Valid values:
TLS 1.0 and Later (Best Compatibility and Low Security): TLS 1.0, TLS 1.1, and TLS 1.2 are supported.
TLS 1.1 and Later (High Compatibility and High Security): TLS 1.1 and TLS 1.2 are supported.
TLS 1.2 and Later (High Compatibility and Best Security): Only TLS 1.2 is supported.
NoteAfter you select a version of the TLS protocol, you can select Enable Support for TLS1.3. This way, TLS 1.3 is supported.
Select cipher suites. If you do not configure this parameter, all cipher suites are selected. Valid values:
All Cipher Suites (High Compatibility and Low Security): Select all cipher suites. The following cipher suites are supported:
Strong cipher suites:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
Weak cipher suites:
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Custom Cipher Suite (Select Based on Protocol Version. Proceed with Caution): Select cipher suites based on your business requirements. All cipher suites are displayed in the drop-down list. You can click the
icon on the right of a cipher suite to deselect the cipher suite. This way, you can delete weak cipher suites and keep the cipher suites that are supported by the TLS protocols that you selected.
NoteFor more information about the versions of the TLS protocol and the supported cipher suites, see Mapping between TLS versions and cipher suites.
In Function Compute, cipher suites are named based on the request for comments (RFC) naming convention. The name of a cipher suite varies based on the naming convention. For information about the differences between the names of cipher suites that are based on the RFC and OpenSSL conventions, see Mapping between RFC and OpenSSL cipher suites.
Disable: denies access to the custom domain name over HTTPS.
CDN Acceleration
Specify whether to enable or disable CDN acceleration for the custom domain name. For more information, see (Optional) Step 4: Enable CDN acceleration.
Web Application Firewall (WAF)
Specify whether to enable or disable WAF protection for the custom domain name. After you enable WAF protection for the custom domain name, WAF detects malicious traffic that is sent to the domain name and forwards normal traffic to the backend function to prevent intrusions.
Route
Configure the mapping between paths and functions to access the functions in a more efficient manner. Configure the following fields:
Path: the path from which a request can trigger the specified function in the specified service. For example, you created the custom domain name
example.comand specified/aas the path to access a function. The function can be triggered if the request Uniform Resource Identifier (URI) isexample.com/a.Service Name: the name of the service to which the specified function belongs.
Function Name: the name of the specified function.
Version or Alias: the version or alias of the specified function.
Rewrite Policy: the rule based on which the URI of a request in a specified path is rewritten. For more information, see Configure rewrite policies.
You can configure multiple routes. For more information, see Routing rules.
Add a custom domain name to WAF
In the top navigation bar, select a region for the custom domain name. Find the custom domain name for which you want to enable WAF protection and click Modify in the Actions column.
On the Modify Custom Domain Name page, set the Web Application Firewall (WAF) parameter to Enable and click Save.
After you add a custom domain name to WAF, the custom domain name becomes a protected object of WAF. The protected object name of the custom domain name is in the following format: Domain name-fc. Basic protection rules are automatically enabled for the custom domain name. You can configure protection rules for the custom domain name on the Protected Objects page. To go to the Protected Objects page, click the custom domain name that you added to WAF on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.
