If your web application in Function Compute is bound to a custom domain name, you can add the custom domain name to Web Application Firewall (WAF) in the Function Compute console. This way, web traffic is forwarded to WAF. This topic describes how to add a custom domain name in Function Compute to WAF.
Function Compute is an event-driven computing service that uses a serverless architecture. Function Compute allows you to write and upload code without the need to manage infrastructure resources. You can use Function Compute to create applications and services in an efficient manner. For more information, see What is Function Compute?
The protection capabilities of WAF are integrated into Function Compute as an SDK module. You can enable WAF protection for custom domain names in Function Compute. WAF identifies, scrubs, and filters out malicious web traffic, and then forwards normal traffic to the backend function.
You can add your web services to WAF in cloud native mode only if your web services use ALB, MSE, Function Compute, CLB, or ECS. If your web services do not use ALB, MSE, Function Compute, CLB, or ECS, you can add the domain name of your website to WAF in CNAME record mode. For more information, see Add a domain name to WAF.
You can enable WAF protection for custom domain names that reside in the following regions: China (Hangzhou), China (Shanghai), and China (Beijing).
You cannot enable the following protection modules for custom domain names in Function Compute that are added to WAF: website tamper-proofing, data leakage prevention, bot management, and API security.
If you use a subscription WAF instance, make sure that the number of protected objects that you added to WAF does not reach the upper limit. If the number of protected objects that you added to WAF reaches the upper limit, you cannot add cloud service instances to WAF.
To view the number of protected objects that you can add to WAF, go to the Protected Objects page.
You can enable WAF protection when or after you create a custom domain name for your web application.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group of the WAF instance. Select Chinese Mainland for the region of the WAF instance.
In the left-side navigation pane, click Website Configuration.
On the Cloud Native tab, click FC in the left-side product type list. Then, click Add.
Click Authorize Now to authorize your WAF instance to access Function Compute.
Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose in the left-side navigation pane.
Note: If you already authorized WAF to access Function Compute, skip this step.
Then, you are redirected to the Function Compute console.
On the Custom Domains page in the Function Compute console, enable WAF protection for custom domain names.
Create a custom domain name and enable WAF protection for the domain name
In the top navigation bar, select China (Hangzhou), China (Shanghai), or China (Beijing) for the region and click Add Custom Domain Name.
On the Add Custom Domain Name page, configure the parameters and click Create. The following table describes the parameters.
Enter the custom domain name that obtained the Internet Content Provider (ICP) filing in the Alibaba Cloud ICP Filing system or the custom domain name whose ICP filing information includes Alibaba Cloud as a service provider. Single domain names are supported. Example: www.aliyun.com. Wildcard domain names are also supported. Example:
Select Enable or Disable to allow or deny access to the custom domain name over HTTPS.
Enable: allows access to the custom domain name over HTTPS. If you select this option, users can access the custom domain name over HTTP or HTTPS.
After you enable HTTPS, upload an Alibaba Cloud SSL certificate that is bound to the custom domain name.
Alibaba Cloud SSL Certificate: Select an Alibaba Cloud SSL certificate from the Certificate Name drop-down list. If the Certificate Name drop-down list is empty, you did not purchase an Alibaba Cloud SSL certificate. Log on to the Certificate Management Service console to purchase an Alibaba Cloud SSL certificate. For more information, see Purchase an SSL certificate.
Manual Upload: Configure the Certificate Name, PEM Certificate Content, and PEM Certificate Key parameters.
Note: The certificate that you want to upload cannot exceed 20 KB in size. The certificate key cannot exceed 4 KB in size.
You can configure the following parameters based on your business requirements:
Redirects HTTP Requests to HTTPS
After you enable this feature, Function Compute redirects all HTTP requests to HTTPS requests.
Select the version of the Transport Layer Security (TLS) protocol that you want the custom domain name to use from the drop-down list. If you do not configure this parameter, TLS 1.0, TLS 1.1, or TLS 1.2 is used. Valid values:
TLS 1.0 and Later (Best Compatibility and Low Security): TLS 1.0, TLS 1.1, and TLS 1.2 are supported.
TLS 1.1 and Later (High Compatibility and High Security): TLS 1.1 and TLS 1.2 are supported.
TLS 1.2 and Later (High Compatibility and Best Security): Only TLS 1.2 is supported.
After you select a version of the TLS protocol, you can select Enable Support for TLS1.3. This way, TLS 1.3 is supported.
Select cipher suites. If you do not configure this parameter, all cipher suites are selected. Valid values:
All Cipher Suites (High Compatibility and Low Security): Select all cipher suites. The following cipher suites are supported:
Strong cipher suites:
Weak cipher suites:
Custom Cipher Suite (Select Based on Protocol Version. Proceed with Caution): Select cipher suites based on your business requirements. All cipher suites are displayed in the drop-down list. You can click the icon on the right of a cipher suite to deselect the cipher suite. This way, you can delete weak cipher suites and keep the cipher suites that are supported by the TLS protocols that you selected.
For more information about the versions of the TLS protocol and the supported cipher suites, see Mapping between TLS versions and cipher suites.
In Function Compute, cipher suites are named based on the request for comments (RFC) naming convention. The name of a cipher suite varies based on the naming convention. For information about the differences between the names of cipher suites that are based on the RFC and OpenSSL conventions, see Mapping between RFC and OpenSSL cipher suites.
Disable: denies access to the custom domain name over HTTPS.
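The following added example (not part of the original topic or of any Alibaba Cloud tooling) reviews a Custom Cipher Suite selection written in RFC names before you save it: it flags weak suites and reports enabled TLS versions that no selected suite can serve. The weak/strong rules are general TLS guidance assumed here, not the console's own strong and weak lists, and the function names are hypothetical.

```python
# Added example: heuristic review of a Custom Cipher Suite selection (RFC names).
# Rules are general TLS guidance (assumption), not Alibaba Cloud's own lists.
VERSIONS = ["1.0", "1.1", "1.2", "1.3"]
BROKEN = {"RC4", "3DES", "DES", "NULL", "EXPORT", "MD5", "anon"}

def version_range(suite):
    """Return (lowest, highest) TLS version that can negotiate an RFC-named suite."""
    if not suite.startswith("TLS_"):
        raise ValueError(f"not an RFC cipher suite name: {suite}")
    if "_WITH_" not in suite:            # TLS 1.3 names carry no key exchange
        return ("1.3", "1.3")
    needs_12 = (any(m in suite for m in ("_GCM_", "_CCM", "CHACHA20"))
                or suite.endswith(("_SHA256", "_SHA384")))
    return ("1.2" if needs_12 else "1.0", "1.2")

def weaknesses(suite):
    """List the reasons a suite is considered weak (empty list if none)."""
    low, _ = version_range(suite)
    tokens = suite.split("_")
    found = [f"broken primitive {t}" for t in tokens if t in BROKEN]
    if low != "1.3":
        if "DHE" not in suite.split("_WITH_")[0]:   # matches DHE and ECDHE
            found.append("no forward secrecy")
        if "CBC" in tokens:
            found.append("CBC mode")
    return found

def review(selected, minimum, tls13=False):
    """minimum is '1.0', '1.1' or '1.2'; tls13 mirrors Enable Support for TLS1.3."""
    enabled = [v for v in VERSIONS[:3] if v >= minimum] + (["1.3"] if tls13 else [])

    def usable(suite, version):
        low, high = version_range(suite)
        return low <= version <= high

    return {
        "weak": {s: w for s in selected if (w := weaknesses(s))},
        # enabled protocol versions that no selected suite can serve
        "uncovered_versions": [v for v in enabled
                               if not any(usable(s, v) for s in selected)],
        # selected suites that no enabled protocol version can negotiate
        "unusable_suites": [s for s in selected
                            if not any(usable(s, v) for v in enabled)],
    }

# Constructed sample selection, not taken from the console.
SAMPLE = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
          "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    print(review(SAMPLE, "1.2", tls13=False))
```

An entry under `uncovered_versions` means clients limited to that protocol version cannot complete a handshake even though the version is enabled.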
Specify whether to enable or disable CDN acceleration for the custom domain name. For more information, see (Optional) Step 4: Enable CDN acceleration.
Web Application Firewall (WAF)
Specify whether to enable or disable WAF protection for the custom domain name. After you enable WAF protection for the custom domain name, WAF detects malicious traffic that is sent to the domain name and forwards normal traffic to the backend function to prevent intrusions.
Configure the mapping between paths and functions to access the functions in a more efficient manner. Configure the following fields:
Path: the path from which a request can trigger the specified function in the specified service. For example, you created the custom domain name
/a as the path to access a function. The function can be triggered if the request Uniform Resource Identifier (URI) is
Service Name: the name of the service to which the specified function belongs.
Function Name: the name of the specified function.
Version or Alias: the version or alias of the specified function.
Rewrite Policy: the rule based on which the URI of a request in a specified path is rewritten. For more information, see Configure rewrite policies.
You can configure multiple routes. For more information, see Routing rules.
Add a custom domain name in Function Compute to WAF
In the top navigation bar, select a region for the custom domain name. Find the custom domain name for which you want to enable WAF protection and click Modify in the Actions column.
On the Modify Custom Domain Name page, set the Web Application Firewall (WAF) parameter to Enable and click Save.
After you add a custom domain name to WAF, the custom domain name becomes a protected object of WAF. The protected object name of the custom domain name is in the following format: Domain name-fc. Basic protection rules are automatically enabled for the custom domain name. You can configure protection rules for the custom domain name on the Protected Objects page. To go to the Protected Objects page, click the custom domain name that you added to WAF on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.