After you purchase a WAF instance, you can add the websites that you want to protect to the instance in CNAME record mode. This topic describes how to add a website to WAF in CNAME record mode.

Prerequisites

  • A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
  • If you want to use a WAF instance that resides in the Chinese mainland to protect your domain name, you must complete Internet Content Provider (ICP) filing for the domain name before you can add it to the WAF instance, and you must keep the ICP filing information up-to-date. If you want to use a WAF instance that resides outside the Chinese mainland, ICP filing is not required.

    If you have not completed ICP filing for your domain name, an error is reported when you add the domain name to a WAF instance in the Chinese mainland. You can complete ICP filing in the Alibaba Cloud ICP Filing System. For more information, see ICP filing application overview.

    Warning After you add your domain name to WAF, you must keep the ICP filing information up-to-date. WAF instances that reside in the Chinese mainland perform regular checks on the validity of the ICP filing information of your domain names. If the ICP filing information for a domain name becomes invalid, WAF manages the domain name based on relevant laws and regulations. For example, WAF may stop forwarding requests for the domain name or delete the configurations of the domain name.

Add a domain name

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, click Website Configuration.
  3. On the CNAME Record tab, click Add.
  4. Complete the Add Domain Name wizard as prompted.
    The wizard consists of the following steps:
    1. Configure Listener: Configure information about the web service traffic that WAF listens on and protects, such as the domain name, protocol type, and port.
    2. Configure Forwarding Rule: Configure the information that WAF uses to forward normal service traffic to your origin server, such as the origin server address and load balancing algorithm.
    3. Add Completed: Change the DNS record of the domain name to resolve the domain name to the CNAME that is provided by WAF.

    For more information, see Configuration wizard description.

    After you complete the wizard, you can view the domain name that is added to WAF on the CNAME Record tab.
    The domain names that are added to WAF become protected objects in WAF, and the default protection templates are automatically applied to the domain names. You can view the domain names and their protection rules on the Protected Objects page. For more information, see Manage protected objects.
    Note The value of Asset Type for the domain names that are added to WAF in CNAME record mode is waf.

Configuration wizard description

Step 1: Configure Listener

You must configure information about the web service traffic that WAF listens on and protects.

Parameter Sub-parameter or associated feature Description
Domain Name N/A Enter the domain name that you want WAF to protect based on the following requirements:
  • You can enter an exact-match domain name (example: www.aliyundoc.com) or a wildcard domain name (example: *.aliyundoc.com).
    If you enter a wildcard domain name, WAF automatically matches all of the domain names at the same level with the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF matches www.aliyundoc.com and example.aliyundoc.com.
    Important
    • If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match aliyundoc.com. In addition, WAF does not match the domain names at different levels from the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match www.example.aliyundoc.com.
    • If you enter both an exact-match domain name and a wildcard domain name, the protection rules of the exact-match domain name take precedence.
  • .edu domain names are not supported. If you want to add .edu domain names, you must submit a ticket (https://workorder-intl.console.aliyun.com/?#/ticket/add/?productId=80) to request technical support.
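The matching rules above are easy to get wrong when a site has both an exact entry and a wildcard entry. The following added example, which is not Alibaba Cloud code, models those rules so that you can check which configured entry a hostname falls under before you add it. The hostnames are constructed sample data, and the .edu check mirrors the restriction stated above.

```python
# Added example (not Alibaba Cloud code): models the domain-matching rules
# described above. Hostnames are constructed sample data.


def _labels(host):
    """Split a hostname into lower-case DNS labels, ignoring a trailing dot."""
    return host.strip().lower().rstrip(".").split(".")


def validate_entry(entry):
    """Raise ValueError for an entry the console will not accept (.edu)."""
    if _labels(entry)[-1] == "edu":
        raise ValueError(".edu domain names are not supported; submit a ticket")
    return entry


def entry_matches(entry, host):
    """Return True if a configured entry (exact or wildcard) covers host.

    Rules modelled from the documentation:
      * an exact entry matches only that hostname;
      * '*.example.com' matches exactly one extra label (www.example.com),
        but neither the apex (example.com) nor deeper names (a.b.example.com).
    """
    e, h = _labels(entry), _labels(host)
    if e[0] != "*":
        return e == h
    # Wildcard: same number of labels, and every label after the '*' equal.
    return len(e) == len(h) and e[1:] == h[1:]


def select_entry(entries, host):
    """Return the entry whose protection rules apply to host, or None.

    When both an exact entry and a wildcard entry cover host, the exact
    entry takes precedence, as the documentation states.
    """
    covering = [e for e in entries if entry_matches(e, host)]
    exact = [e for e in covering if not e.startswith("*.")]
    return (exact or covering or [None])[0]
```

Run `select_entry(["*.aliyundoc.com", "www.aliyundoc.com"], "api.aliyundoc.com")` to see the wildcard entry selected, and note that `aliyundoc.com` itself returns `None`: the apex needs its own exact entry.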
Protocol Type

The protocol type and ports that are used by the website.

HTTP Select HTTP and configure HTTP Port.

Press the Enter key each time you enter a port number in the HTTP Port field.

The port number that you enter must be within the range of ports that are supported by WAF. You can click View Port Range to view the HTTP and HTTPS ports that are supported by WAF. For more information, see View supported ports.

HTTPS Select HTTPS, and configure HTTPS Port and Upload Type.
Configure the parameters based on the following requirements:
  • HTTPS Port

    Press the Enter key each time you enter a port number in the HTTPS Port field.

    The port number that you enter must be within the range of ports that are supported by WAF. You can click View Port Range to view the HTTP and HTTPS ports that are supported by WAF. For more information, see View supported ports.

  • Upload Type
    Upload an SSL certificate that is associated with the domain name of the website to WAF. This way, WAF can listen on and protect the HTTPS traffic of the website. You can upload a certificate by using one of the following methods:
    • Upload: Configure Certificate Name, Certificate File, and Certificate Key. For example, the value of Certificate File is in the -----BEGIN CERTIFICATE-----......-----END CERTIFICATE----- format, and the value of Certificate Key is in the -----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY----- format.
      Important
      • If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the certificate file and copy the text content.
      • If the certificate file is in other formats such as PFX or P7B, you must convert the certificate file to the PEM format before you can use a text editor to open the certificate file and copy the text content. For more information about how to convert file formats, see How do I convert an HTTPS certificate to the PEM format?.
      • If the domain name is associated with multiple SSL certificates or a certificate chain, you must combine the text content of the certificate files and upload the combined content. Use the conventional PEM order: the server certificate first, followed by the intermediate certificates.
    • Select Existing Certificate: Select a certificate that you want to upload to WAF from the existing certificate list. The certificate list displays certificates that are issued by using Alibaba Cloud Certificate Management Service and third-party certificates that are uploaded to the Certificate Management Service console.

      You can click Alibaba Cloud Security - Certificate Management Service to go to the Certificate Management Service console to view the existing certificates.

    • Purchase Certificate: Click Apply to go to the Purchase Certificate page of the Certificate Management Service console to apply for a certificate for the domain name.

      After you apply for a certificate for the domain name as prompted, the certificate is automatically uploaded to WAF.

      Note In this case, you can only apply for a paid domain validated (DV) certificate. If you want to apply for other types of certificates, you must purchase a certificate by using Certificate Management Service. For more information, see Purchase an SSL certificate.

If you select HTTPS, you can also configure Advanced Settings.

  • Enable HTTPS Routing
    By default, this feature is disabled. If you enable this feature, HTTP requests are automatically redirected to HTTPS requests on port 443. This feature improves access security.
    Important You can enable this feature only if HTTP is not selected.
  • TLS Version

    Specify the TLS versions allowed for HTTPS communication. If a client uses a TLS version that does not meet requirements, WAF blocks the requests from the client. A later TLS version offers higher security but lower compatibility.

    We recommend that you select the TLS version for the traffic that WAF listens on based on the HTTPS settings of your website. If you are unable to obtain the HTTPS settings of your website, we recommend that you retain the default value.

    Valid values:
    • TLS 1.0 and Later (Best Compatibility and Low Security). This is the default value.
    • TLS 1.1 and Later (High Compatibility and High Security).

      If you select this value, a client that uses TLS 1.0 cannot access the website.

    • TLS 1.2 and Later (High Compatibility and Best Security)

      If you select this value, a client that uses TLS 1.0 or 1.1 cannot access the website.

    Note TLS 1.0 and TLS 1.1 are deprecated by RFC 8996. Unless you must support legacy clients that cannot negotiate TLS 1.2, select TLS 1.2 and Later. Check your access logs for TLS 1.0 or 1.1 clients before you change the value.

    If your website supports TLS 1.3, select Support TLS 1.3. By default, WAF does not listen on the traffic that uses TLS 1.3.
  • Cipher Suite

    Specify the cipher suites allowed for HTTPS communication. If a client uses cipher suites that do not meet requirements, WAF blocks the requests from the client.

    The default value is All Cipher Suites (High Compatibility and Low Security). We recommend that you modify this parameter only when your website supports only specific cipher suites.

    Valid values:
    • All Cipher Suites (High Compatibility and Low Security).
    • Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.): If your website supports only specific cipher suites, select this value. Then, select the cipher suites that are supported by your website from the drop-down list. For more information, see View supported cipher suites.

      The clients that use other cipher suites cannot access the website.

HTTP/2

You can select HTTP2 only if you set Protocol Type to HTTPS.

If your website supports HTTP/2, set Protocol Type to HTTPS and select HTTP2 to protect HTTP/2 requests.
Note HTTP/2 uses the same port as HTTPS.
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN (CDN), Is Deployed in Front of WAF

Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and CDN.

No proxy deployed By default, No is selected, which indicates that WAF receives requests directly from clients. The requests are not forwarded by any proxy.
Note In this case, WAF treats the source IP address of the TCP connection to WAF, which is the REMOTE_ADDR value of the request, as the actual IP address of the client.
Obtain Actual IP Address of Client

You can configure this parameter only after you select Yes.

If proxies are deployed, select Yes, which indicates that the requests received by WAF are forwarded by a Layer 7 proxy. The requests are not directly initiated by clients. To ensure that WAF can obtain the actual IP address of a client for security analysis, you must configure Obtain Actual IP Address of Client.
Valid values:
  • Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client: This is the default value.

    By default, WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of a client.

  • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery.
    If you use proxies that contain the actual IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, specify the custom header field in the Header Field field.
    Note We recommend that you use custom header fields to store the actual IP addresses of clients and configure the header fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF protection rules. This improves the security of your business.

    You can enter multiple header fields. Press the Enter key each time you enter a header field. If you enter multiple header fields, WAF checks the fields in the order in which you entered them and uses the first IP address in the first field that contains one. If none of the fields contains an IP address, WAF falls back to the first IP address in the X-Forwarded-For field. This option prevents forgery only if the proxy in front of WAF overwrites the specified header with the address that it observed on the connection; if the proxy passes a client-supplied value of that header through, the value is as forgeable as X-Forwarded-For.
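The following added example, which is not Alibaba Cloud code, models the two strategies described above and shows why the default, first-IP-in-X-Forwarded-For strategy is forgeable while a proxy-set header is not. All header values and addresses are constructed sample data; the behaviour for a malformed header value and for a request with no X-Forwarded-For at all is not documented and is this example's own choice.

```python
# Added example (not Alibaba Cloud code): models the "Obtain Actual IP
# Address of Client" strategies described above. Sample data is constructed.
import ipaddress


def _first_ip(value):
    """Return the first comma-separated element of a header value if it is a
    valid IP address, else None. How WAF treats malformed values is not
    documented; rejecting them is this example's choice."""
    first = value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def client_ip(headers, remote_addr, proxied, trusted_fields=()):
    """Return the address WAF would treat as the actual client IP.

    headers         request headers (looked up case-insensitively)
    remote_addr     peer address of the TCP connection (REMOTE_ADDR)
    proxied         False -> "No" (no Layer 7 proxy): use REMOTE_ADDR
                    True  -> "Yes": read the client IP from headers
    trusted_fields  header fields set by your own proxy, tried in order;
                    empty -> the default "first IP in X-Forwarded-For"
    """
    if not proxied:
        return remote_addr
    h = {k.lower(): v for k, v in headers.items()}
    for field in trusted_fields:
        ip = _first_ip(h.get(field.lower(), ""))
        if ip:
            return ip
    # Documented fallback: first IP in X-Forwarded-For. Falling back to
    # REMOTE_ADDR when that header is absent too is this example's assumption.
    return _first_ip(h.get("x-forwarded-for", "")) or remote_addr


def forgery_demo():
    """A client sends a fake X-Forwarded-For; the proxy appends the real peer
    address and sets X-Real-IP itself. Returns (default_choice, trusted_choice)."""
    proxy_peer = "198.51.100.7"  # the proxy's own address, as seen by WAF
    headers = {
        "X-Forwarded-For": "1.2.3.4, 203.0.113.9",  # "1.2.3.4" was supplied by the client
        "X-Real-IP": "203.0.113.9",                  # set by the proxy from the TCP peer
    }
    default = client_ip(headers, proxy_peer, proxied=True)
    trusted = client_ip(headers, proxy_peer, proxied=True, trusted_fields=["X-Real-IP"])
    return default, trusted
```

`forgery_demo()` returns `("1.2.3.4", "203.0.113.9")`: with the default setting the attacker-chosen address is what IP-based protection rules see, and with a proxy-set header the real peer address is used. The documented fallback also means that if the trusted header is missing from a request, the forgeable X-Forwarded-For value is used again, so make sure your proxy sets the header on every request.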

More Settings IPv6 If your website supports IPv6, you can enable this feature to instruct WAF to protect IPv6 traffic.
Important If you enable this feature, you are charged additional fees. For more information, see Overview.

By default, WAF processes only IPv4 traffic. After the IPv6 protection feature is enabled, WAF assigns a WAF IPv6 address to the domain name to process IPv6 traffic.

Exclusive IP Address If you want to protect the domain name by using an exclusive IP address, you can enable this feature.
Important If you enable this feature, you are charged additional fees. For more information, see Overview.

By default, all the domain names that are added to a WAF instance are protected by the same WAF IP address. If you enable this feature, WAF assigns an exclusive IP address to protect the domain name. A domain name that is protected by using an exclusive IP address is accessible even if other domain names in the same WAF instance experience volumetric DDoS attacks. In addition, traffic is redirected to the exclusive IP address that is nearest to the origin server. For more information, see Enable an exclusive IP address.

Protection Resource Select the type of protection resource that you want to use. Valid values:
  • Shared Cluster: This is the default value.
  • Shared Cluster-based Intelligent Load Balancing.

    After you enable intelligent load balancing for a WAF instance, the WAF instance is allocated at least three protection nodes that are deployed in different regions to achieve automatic disaster recovery. In addition, the WAF instance uses the intelligent DNS resolution feature and the Least-time back-to-origin algorithm to minimize the latency of traffic from protection nodes to origin servers.

    Important If you enable the intelligent load balancing feature, you are charged additional fees. For more information, see Overview.

    For more information, see Use the intelligent load balancing feature.

Step 2: Configure Forwarding Rule

You must configure the rule that WAF uses to forward normal requests to the origin server.

Parameter Sub-parameter or associated feature Description
Load Balancing Algorithm N/A If multiple origin server addresses are configured, select the load balancing algorithm for WAF to forward back-to-origin requests to the origin servers.
Valid values:
  • IP hash: WAF forwards requests from the same client IP address to the same origin server address. This is the default value.
    Important If you select IP hash but the IP addresses of origin servers are not scattered on different network segments, workloads may be unbalanced.
  • Round-robin: All requests are distributed to origin servers in turn.
  • Least time: WAF uses the intelligent DNS resolution feature and the least response time algorithm to minimize the path and latency when requests are forwarded to origin servers.
    Important You can set Load Balancing Algorithm to Least time only if you set Protection Resource to Shared Cluster-based Intelligent Load Balancing in the Configure Listener step.
Origin Server Address

Enter the origin server address for the website. The address is used to receive the back-to-origin requests forwarded by WAF.

Valid values: IP and Domain Name (Such as CNAME).

IP Enter the public IP address of the origin server based on the following requirements:
  • The IP address must be accessible over the Internet.
  • You can enter multiple IP addresses. Press the Enter key each time you enter an IP address. You can enter up to 20 origin IP addresses.
    Note If you enter multiple origin IP addresses, WAF automatically distributes workloads across the origin IP addresses.
  • You can enter both IPv4 and IPv6 addresses or just IPv4 addresses. However, you cannot enter only IPv6 addresses.

    If you enter both IPv4 and IPv6 addresses, WAF forwards requests from IPv6 addresses to origin servers that use IPv6 addresses and requests from IPv4 addresses to origin servers that use IPv4 addresses.

    Important If you want WAF to forward requests from IPv6 addresses to origin servers that use IPv6 addresses, you must turn on IPv6 in the Configure Listener step.
Domain Name (Such as CNAME) Enter the domain name of the origin server. For example, enter the CNAME of an Object Storage Service (OSS) bucket.

If you select Domain Name (such as CNAME), the domain name can be resolved only to an IPv4 address, and WAF forwards back-to-origin requests to the IPv4 address.

Other Advanced Settings Enable Traffic Mark WAF adds or modifies the custom header fields that you specify to the headers of back-to-origin requests. If you select Enable Traffic Mark, you must add custom header fields.
Important We recommend that you do not configure a standard HTTP header field such as User-Agent. Otherwise, the value of the standard header field is overwritten by the value of the custom header field.
Click + Add Mark to add a header field, and specify the name and value of the field. You can add up to five header fields.

The origin server can use the mark to tell requests forwarded by WAF from other traffic. A header value can be copied by anyone who can reach the origin server directly, so combine the mark with the back-to-origin CIDR block allowlist described in the Add Completed step rather than relying on the mark alone.

Connection Timeout Period Specify the timeout period of a request that is forwarded by WAF to the origin server.
  • Connection Timeout Period: the timeout period for establishing a connection with the origin server. Valid values: 5 to 120. Unit: seconds. Default value: 5.
  • Read Connection Timeout Period: the timeout period for waiting responses from the origin server. Valid values: 5 to 1800. Unit: seconds. Default value: 120.
  • Write Connection Timeout Period: the timeout period for forwarding requests to the origin server. Valid values: 5 to 1800. Unit: seconds. Default value: 120.

Step 3: Add Completed

After you complete the Configure Listener and Configure Forwarding Rule steps, WAF generates a CNAME for the domain name. You must change the DNS record of your website to resolve the domain name to the CNAME that is provided by WAF. This way, requests that are destined for your website are protected by WAF. For more information about how to change the DNS record, see Change the DNS record of a domain name.

Important If your origin server uses other firewall services, you must add the WAF IP addresses to the IP address whitelist of the firewall services before you change the DNS record of your website. This prevents normal requests that are forwarded by WAF from being blocked. You can click WAF IP Addresses to view and copy the back-to-origin CIDR blocks of WAF. For more information, see Allow access from back-to-origin CIDR blocks of WAF. After the DNS record is changed, also make sure that the origin server accepts requests only from the WAF back-to-origin CIDR blocks. If the origin server remains reachable from the Internet by its IP address, an attacker who learns that address can send requests to it directly and bypass WAF.
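The following added example, which is not Alibaba Cloud code, is an origin-side gate that combines the two controls mentioned on this page: it accepts a request only when the request arrives from a WAF back-to-origin CIDR block and carries the traffic-mark header configured in the Configure Forwarding Rule step. The CIDR blocks, header name and header value are placeholders; use the ones shown in the console.

```python
# Added example (not Alibaba Cloud code): origin-side check that a request
# came through WAF. CIDR blocks, header name and value are placeholders.
import hmac
import ipaddress

WAF_BACK_TO_ORIGIN = [
    ipaddress.ip_network("198.51.100.0/24"),   # placeholder, not a real WAF block
    ipaddress.ip_network("2001:db8:10::/48"),  # placeholder
]
MARK_HEADER = "X-WAF-Mark"                  # placeholder name set under Enable Traffic Mark
MARK_VALUE = "replace-with-a-random-value"  # placeholder value


def from_waf(peer_ip):
    """True if the TCP peer is inside one of the WAF back-to-origin blocks."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in WAF_BACK_TO_ORIGIN)


def accept_request(peer_ip, headers):
    """Return (accepted, reason).

    Both checks are needed: the mark alone is a header that anyone who can
    reach the origin directly can copy, and the source range alone proves
    only that a request came from WAF's shared back-to-origin addresses,
    not that it was forwarded for this domain name.
    """
    if not from_waf(peer_ip):
        return False, "peer %s is not a WAF back-to-origin address" % peer_ip
    h = {k.lower(): v for k, v in headers.items()}
    # Constant-time comparison so the mark cannot be guessed byte by byte.
    if not hmac.compare_digest(h.get(MARK_HEADER.lower(), ""), MARK_VALUE):
        return False, "traffic mark missing or wrong"
    return True, "ok"
```

In practice the peer address comes from the accepted socket, not from any header, and the CIDR list must be refreshed whenever the console's WAF IP Addresses list changes, or legitimate WAF traffic will be rejected.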

Remove a domain name

If you no longer need WAF to protect a domain name, you can remove the domain name from WAF. Before you can remove the domain name, you must change the DNS record back to the previous configuration. For example, change the DNS record to resolve the domain name to the IP address of the origin server. Then, you can remove the domain name on the CNAME Record tab.

Warning If you remove a domain name while the DNS record of the domain name is still the CNAME that is provided by WAF, WAF cannot forward the requests that are destined for the domain name to the origin server, and your website cannot be accessed.
  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, click Website Configuration.
  3. Click the CNAME Record tab. Find the domain name that you want to remove and click Delete in the Actions column.
  4. In the Delete message, click OK.