You can add your website to Web Application Firewall (WAF) in transparent proxy mode by entering your website information, without the need to change the DNS record. If your origin server is an Elastic Compute Service (ECS) instance or is added to an Internet-facing Server Load Balancer (SLB) instance, you can use either the CNAME record mode or the transparent proxy mode to add your website. The transparent proxy mode is based on cloud-native technologies. This topic describes how to add a website to WAF in transparent proxy mode.

For more information about the two access modes, see Tutorial.

Limits

Item Description
Types of cloud services Internal-facing SLB instances and IPv6 Internet-facing SLB instances do not support the transparent proxy mode.
Regions where the transparent proxy mode is supported Internet-facing SLB instances and ECS instances that reside in the following regions support the transparent proxy mode: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Hong Kong), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).
  • Select as the region of your WAF instance if your Internet-facing SLB instances and ECS instances reside in one of the following regions: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), and China (Shenzhen).
  • Select as the region of your WAF instance if your Internet-facing SLB instances and ECS instances reside in one of the following regions: China (Hong Kong), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).

Some Internet-facing SLB instances do not support the transparent proxy mode due to known issues in network architecture.

For more information about the limits on the transparent proxy mode, see .

Number of traffic redirection ports The number of ports on which traffic can be redirected to WAF varies based on the WAF edition.
  • Pro Edition: up to 20 traffic redirection ports
  • Business Edition: up to 50 traffic redirection ports
  • Enterprise Edition: up to 100 traffic redirection ports

The transparent proxy mode takes effect for specific ports of an origin server. For example, you can enable transparent proxy mode for port 80 and port 443 of an origin server that uses a public IP address. After you enable transparent proxy mode for a port, traffic that is received on the port is redirected to WAF.

For example, if you enable transparent proxy mode for port 80 and port 443 of SLB Instance A and SLB Instance B, traffic that is received on the four ports is redirected to WAF.

Supported ports Custom ports from port 0 to port 65535 are supported. For more information, see View the ports supported by WAF.
Services protected by Anti-DDoS Pro or Anti-DDoS Premium and WAF Assume that you want to protect your services by using Anti-DDoS Pro or Anti-DDoS Premium and WAF. If you add your services to Anti-DDoS Pro or Anti-DDoS Premium by adding a domain name, you can add the services to WAF in transparent proxy mode.

If you add your services to Anti-DDoS Pro or Anti-DDoS Premium by creating forwarding rules, you cannot add the services to WAF in transparent proxy mode. In this case, we recommend that you add your services to WAF in CNAME record mode. For more information, see Add a website in CNAME record mode.

Prerequisites

  • A WAF instance is purchased. For more information, see Purchase a subscription WAF instance.
  • An IPv4 Internet-facing SLB instance that uses a public IP address is created, and mutual authentication is disabled for the listening port.
    Note If you use an internal-facing SLB instance that is associated with Elastic IP Address (EIP), you can add your website to WAF in transparent proxy mode.
  • If your website is hosted on an instance in the , you must apply for an Internet Content Provider (ICP) filing for the website. When you apply for an ICP filing in the Alibaba Cloud ICP Filing system, the system displays the operations that you must perform based on the website information that you specified. For more information, see ICP Filing.
  • The following operations are performed in sequence on the SSL certificate for the listening port:
    1. The certificate is uploaded to SSL Certificates Service console or issued in the Certificate Management Service console.
    2. The certificate is selected and configured when you configure the listening port in the SLB console.
    Important Before you use WAF to protect a Layer 7 SLB instance, make sure that this prerequisite is met. If you want to use WAF to protect a Layer 4 SLB instance or ECS instance, you can ignore this prerequisite.
  • WAF is authorized to access cloud resources. For more information, see Authorize WAF to access cloud resources.

Step 1: Add a domain name

You can use WAF to protect your website by adding the domain name of your website.

Warning The first time you add a website in transparent proxy mode, the web services of your website may be interrupted for several seconds. After your website is added to WAF, your web services are automatically resumed.
  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
  2. In the left-side navigation pane, choose Asset Center > Website Access.
  3. On the Domain Names tab, click Website Access.
  4. On the Add Domain Name page, set Access Mode to Transparent Proxy Mode.
  5. In the Add Domain Name step, enter the domain name of your website and add a port.
    Parameter Description
    Domain Name Enter the domain name of the website that you want to protect. The domain name can be an exact match domain name (example: www.aliyundoc.com) or a wildcard domain name (example: *.aliyundoc.com). Take note of the following items:
    • If you enter a wildcard domain name, WAF automatically matches specific domain names for the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF matches www.aliyundoc.com and test.aliyundoc.com.
      Important If you enter a wildcard domain name, WAF does not match the parent domain name of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match aliyundoc.com. If you want to use WAF to protect aliyundoc.com, you must separately add the domain name to WAF.
    • If you enter a wildcard domain name and an exact match domain name, WAF uses the forwarding rules and protection rules for the exact match domain name.
    Port WAF supports the following types of instances: ALB-based Domains, Layer 7 SLB-based Domains, Layer 4 SLB-based Domains, and ECS-based Domains. Click the corresponding tab based on the type of the instance that you want to add to WAF. If your web services are hosted on an ALB instance, and you want to enable WAF protection for the listening ports of the ALB instance, click the ALB-based Domains tab.
    You can complete the following configurations on the corresponding tab:
    • View instances

      The instance list displays the instances that you have created and the HTTP listening ports or HTTPS listening ports of each instance in the Port column.

    • Enable WAF protection for a listening port

      For more information, see Configure a traffic redirection port for an ALB instance.

    Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF Specify whether your website has been added to a Layer 7 service such as Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN before you add the website to WAF. Valid values: Yes and No.
    • No: No Layer 7 proxies are deployed in front of WAF, and WAF receives requests from the client. WAF uses the IP address that is used by a client to establish a connection with WAF as the originating IP address of the client. WAF obtains the originating IP address from the REMOTE_ADDR field.
    • Yes: A Layer 7 proxy is deployed in front of WAF, and WAF receives requests from the Layer 7 proxy, instead of the client. To make sure that WAF can obtain the IP address of the client for security analysis, you must configure Obtain Source IP Address.

      By default, WAF uses the first IP address in the X-Forwarded-For field as the originating IP address of the client.

      If another proxy is used that requires originating IP addresses to be carried in a custom header field such as X-Client-IP or X-Real-IP, you must select Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery and enter the custom header field in the Header Field field.

      Note We recommend that you use custom header fields to store the originating IP addresses of clients and configure the header fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF protection rules. This helps improve the security of your business.

      You can enter multiple header fields. Separate the header fields with commas (,). If you enter multiple header fields, WAF scans the header fields in sequence until the originating IP address of the client is obtained. If WAF cannot obtain the originating IP address of the client from any of the header fields, WAF uses the first IP address in the X-Forwarded-For field as the originating IP address of the client.

    Enable Traffic Mark Specify whether to enable the WAF traffic marking feature.

    The feature adds custom header fields to WAF back-to-origin requests. You can specify or modify the custom header fields to tag the requests that are forwarded by WAF or record the originating IP addresses or ports of clients.

    If you select Enable Traffic Mark, you must add custom header fields.
    Important We recommend that you do not configure a standard HTTP header field such as User-Agent. If you configure a standard HTTP header field such as User-Agent, the value of the standard header field is overwritten by the value of the custom header field.
    You can add the following types of header fields:
    • Custom Header: If you want to add a header field of this type, you must specify Header Name and Header Value. WAF adds the header field to the back-to-origin requests. This helps the backend service identify whether requests pass through WAF, collect statistics, and analyze data.

      For example, you can specify the ALIWAF-TAG: Yes header field setting to tag the requests that pass through WAF. In this example, ALIWAF-TAG is the header field name, and Yes is the header field value.

    • Client IP Address: If you want to add a header field of this type, you must specify the name of the header field that records an IP address. This way, WAF adds the header field to the back-to-origin requests and adds the IP addresses of clients to the value of the header field. For more information about how WAF obtains the IP addresses of clients, see the description of the Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF parameter.

      If the backend service needs to obtain the IP addresses of clients from a specified custom header field such as example-client-ip for analysis, you must add a header field of the Client IP Address type.

    Click Add Mark to add a header field. You can add up to five header fields.

    Resource Group Select the resource group to which the domain name belongs from the resource group list.
    Note If you want to manage cloud resources by department or project, select the resource group to which the domain name belongs from the resource group drop-down list. For more information, see Create a resource group.
  6. In the Check and Confirm Added Information step, confirm the configurations and click Next.
  7. In the Add Completed step, click Completed. Return to the website list.
    After the domain name is added, you can view the configurations and origin server of the domain name on the Domain Names tab. You can modify or delete the domain name configurations based on your business requirements.

    By default, WAF detects the traffic on the port that is enabled in the Add Domain Name step and forwards normal traffic to the origin server. You can change the traffic protection status of a port on the Servers tab based on your business requirements. For more information, see Step 2: View the server list.
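The following Python script is an added example, not Alibaba Cloud code, that models two settings described in the Add Domain Name step: how the originating client IP address is resolved (REMOTE_ADDR when no Layer 7 proxy is in front of WAF; otherwise the configured custom header fields scanned in order, falling back to the first X-Forwarded-For address) and how traffic marks of the Custom Header and Client IP Address types are applied to the back-to-origin request. The function names, the sample headers and the fallback to the connecting address when X-Forwarded-For is absent are assumptions made for this illustration.

```python
import ipaddress

XFF = "X-Forwarded-For"


def first_ip(value):
    """Return the first comma-separated token of a header value if it is a valid IP, else None."""
    token = value.split(",")[0].strip()
    try:
        ipaddress.ip_address(token)
    except ValueError:
        return None
    return token


def resolve_client_ip(headers, remote_addr, layer7_proxy, custom_fields=()):
    """Resolve the originating client IP the way the console settings describe."""
    if not layer7_proxy:
        return remote_addr  # No proxy in front of WAF: the connecting peer is the client.
    lower = {k.lower(): v for k, v in headers.items()}
    for field in custom_fields:  # Scan configured header fields in sequence.
        ip = first_ip(lower.get(field.lower(), ""))
        if ip:
            return ip
    # Default behaviour: first address in X-Forwarded-For. Falling back to the
    # connecting address when that header is missing is an assumption of this example.
    return first_ip(lower.get(XFF.lower(), "")) or remote_addr


def add_traffic_marks(headers, client_ip, marks):
    """Apply traffic marks: ("custom", name, value) or ("client_ip", name, None)."""
    if len(marks) > 5:
        raise ValueError("WAF allows at most five traffic marks")
    out = dict(headers)
    for kind, name, value in marks:
        # A mark that reuses a standard header name (e.g. User-Agent) overwrites it.
        out[name] = client_ip if kind == "client_ip" else value
    return out


def demo():
    # Constructed sample: the proxy in front of WAF sets X-Client-IP to the real
    # client address, while the client sent a spoofed X-Forwarded-For value.
    headers = {"X-Forwarded-For": "198.51.100.9, 192.0.2.10",
               "X-Client-IP": "203.0.113.7", "User-Agent": "curl/8.0"}
    remote_addr = "192.0.2.10"  # the proxy's address as seen by WAF
    default = resolve_client_ip(headers, remote_addr, layer7_proxy=True)
    hardened = resolve_client_ip(headers, remote_addr, layer7_proxy=True,
                                 custom_fields=("X-Real-IP", "X-Client-IP"))
    marks = [("custom", "ALIWAF-TAG", "Yes"), ("client_ip", "example-client-ip", None)]
    return default, hardened, add_traffic_marks(headers, hardened, marks)
```

With the default setting the spoofed X-Forwarded-For address is trusted; with the custom header field configured, the address set by the proxy wins, which is the reason the note above recommends custom header fields.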

Step 2: View the server list

After a domain name is added to WAF, you can view information about the origin server. If you want to implement urgent disaster recovery, you can disable traffic redirection or delete the traffic redirection port.

On the Website Access page, click the Servers tab. On the Servers tab, you can view the origin servers that are added to WAF, including ALB instances, SLB instances, and ECS instances.
  1. You can click the open icon next to an instance to view the ports that are added to WAF.
    Status
    Description of Traffic Status:
    • Traffic Status (marked with 1 in the preceding figure) indicates whether traffic on the port is protected by WAF. Valid values: Enabled and Disabled. You can click Disable Traffic Redirection or Enable Traffic Redirection in the Actions column to enable or disable traffic redirection.
      Note If you disable traffic redirection, traffic on the port is not redirected to WAF.
    • Traffic Status (marked with 2 in the preceding figure) indicates the overall WAF protection status of the ports of the instance. Valid values: Unprotected, Partially Protected, and Fully Protected.
  2. If your instance is a Layer 4 SLB instance or an ECS instance, click Delete in the Actions column. In the Tips message that appears, click Confirm to delete the port that no longer requires WAF protection.

    If you want to enable WAF protection for the port again, you must add the port again.

What to do next

After a website is added, all of its access traffic is detected and filtered by WAF. WAF provides multiple features to protect websites against different types of attacks. By default, only Protection Rules Engine and HTTP Flood Protection are enabled. The Protection Rules Engine feature protects websites against common web attacks, such as SQL injections, cross-site scripting (XSS) attacks, and webshell uploads. The HTTP Flood Protection feature protects websites against HTTP flood attacks. You must manually enable the other features as needed and configure their protection rules based on your business requirements. For more information, see Overview of website protection features.

References

Add a website in CNAME record mode

Upload a certificate