All Products
Search

This Product

    Web Application Firewall:Transparent proxy mode

    Document Center

    Web Application Firewall:Transparent proxy mode

    Last Updated:May 25, 2023

    You can enter your website information to add your website to Web Application Firewall (WAF) in transparent proxy mode without the need to change the Domain Name System (DNS) record. If your origin server is an Elastic Compute Service (ECS) instance or is added to an Internet-facing Server Load Balancer (SLB) instance, you can use the CNAME record mode or the transparent proxy mode to add your website to WAF. The transparent proxy mode is based on cloud native technologies. This topic describes how to add a website to WAF in transparent proxy mode.

    For more information about the CNAME record mode and transparent proxy mode, see Tutorial.

    Limits

    Item

    Description

    Types of cloud services

    Internal-facing SLB instances and IPv6 Internet-facing SLB instances do not support the transparent proxy mode.

    Regions where the transparent proxy mode is supported

    The following regions are supported:

    • Chinese mainland: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), and China (Shenzhen).

    • Outside the Chinese mainland: China (Hong Kong), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).

    Specific Internet-facing SLB instances do not support the transparent proxy mode due to known issues related to the network architecture.

    Number of traffic redirection ports

    The number of ports on which traffic can be forwarded to WAF varies based on the WAF editions.

    • Pro Edition: up to 20 traffic redirection ports.

    • Business Edition: up to 50 traffic redirection ports.

    • Enterprise Edition: up to 100 traffic redirection ports.

    The transparent proxy mode takes effect for specific ports of an origin server. For example, you can enable the transparent proxy mode for port 80 and port 443 of an origin server that uses a public IP address. After you enable the transparent proxy mode for a port, traffic that is received on the port is redirected to WAF.

    For example, if you enable transparent proxy mode for port 80 and port 443 of SLB Instance A and SLB Instance B, traffic that is received on the four ports is redirected to WAF.

    Supported ports

    Standard and non-standard ports from port 0 to port 65535 are supported. For more information, see View the ports supported by WAF.

    Note

    Only subscription WAF instances of Business Edition, Enterprise Edition, and Exclusive Edition support non-standard ports.

    Services protected by Anti-DDoS Pro or Anti-DDoS Premium and WAF

    For example, you want to protect your services by using Anti-DDoS Pro or Anti-DDoS Premium and WAF. If you add your services to Anti-DDoS Pro or Anti-DDoS Premium by adding a domain name, you can add the services to WAF in transparent proxy mode.

    If you add your services to Anti-DDoS Pro or Anti-DDoS Premium by creating forwarding rules, you cannot add the services to WAF in transparent proxy mode. We recommend that you add your services to WAF in CNAME record mode. For more information, see Add a domain name in CNAME record mode.

    Prerequisites

    • A WAF instance is purchased.

    • An IPv4 Internet-facing SLB instance that uses a public IP address is created, and mutual authentication is disabled for the listening port.

      Note

      If you use an internal-facing SLB instance that is associated with Elastic IP Address (EIP), you can add your website to WAF in transparent proxy mode.

    • If your website is hosted on an instance that resides in a region in the Chinese mainland, you must apply for an Internet Content Provider (ICP) filing for the website. When you apply for an ICP filing in the Alibaba Cloud ICP Filing system, the system displays the operations that you must perform based on the website information that you specify. For more information, see Scenarios.

    • The following operations are performed in sequence on the SSL certificate of the listening port:

      1. The certificate is uploaded to or issued in the Certificate Management Service console.

      2. The certificate is selected and configured when you specify the listening port in the SLB console.

      Note

      Before you use WAF to protect a Layer 7 SLB instance, make sure that the preceding prerequisite is met. If you use WAF to protect a Layer 4 SLB or ECS instance, you can ignore the preceding prerequisite.

    • WAF is authorized to access cloud resources. For more information, see Authorize WAF to access cloud resources.

    Step 1: Add a domain name

    Warning

    The first time you add a website to WAF in transparent proxy mode, the web services of your website may be interrupted for several seconds. After your website is added to WAF, your web services automatically resume.

    1. Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.

    2. In the left-side navigation pane, choose Asset Center > Website Access.

    3. On the Domain Names tab, click Website Access.

    4. On the Add Domain Name page, set the Access Mode parameter to Transparent Proxy Mode.

    5. In the Add Domain Name step, enter the domain name of your website and add a port.

      Parameter

      Description

      Domain Name

      Enter the domain name of the website that you want to protect. The domain name can be an exact match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. When you enter a domain name, take note of the following items:

      • If you enter a wildcard domain name, WAF automatically matches all subdomains of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF matches subdomains such as www.aliyundoc.com and test.aliyundoc.com.

        Important

        If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match aliyundoc.com. If you want to use WAF to protect aliyun.com, you must separately add the domain name to WAF.

      • If you enter a wildcard domain name and an exact match domain name, WAF uses the forwarding and protection rules of the exact match domain name.

      Origin server port

      You can add the following instance types to WAF in transparent proxy mode: Application Load Balancer (ALB) instances, Layer 7 SLB instances, Layer 4 SLB instances, and ECS instances. Click the corresponding tab based on the instance type that you want to add to WAF. If your web services are hosted on an ALB instance and you want to enable WAF protection for the listening ports of the ALB instance, click the SLB-based Domains tab.

      You can perform the following operations on the corresponding tab:

      • View instances

        The instance list displays the instances that you created and the HTTP and HTTPS listening ports of each instance in the Port column.

      • Enable WAF protection for the listening ports of the instance. For more information, see Configure a traffic redirection port for an ALB instance.

      Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF:

      Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. Valid values:

      • No: No Layer 7 proxies are deployed in front of WAF. WAF receives requests from the client. WAF uses the IP address that is used by a client to establish a connection with WAF as the IP address of the client. WAF obtains the IP address from the REMOTE_ADDR field.

      • Yes: A Layer 7 proxy is deployed in front of WAF. WAF receives requests from the Layer 7 proxy instead of the client. To ensure that WAF can obtain the actual IP address of the client for security analysis, you must configure Obtain Source IP Address.

        By default, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.

        If another proxy that requires actual IP addresses to be included in a custom header field is used, such as X-Client-IP or X-Real-IP, you must select [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery and enter a custom header field in the Header Field field.

        Note

        We recommend that you use custom header fields to store the IP addresses of clients and configure the header fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF protection rules. This helps improve the security of your business.

        You can enter multiple header fields. Separate multiple header fields with commas (,). If you enter multiple header fields, WAF scans the header fields in sequence until the IP address of the client is obtained. If WAF cannot obtain the IP address of the client from the header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.

      Enable Traffic Mark

      Specify whether to enable the WAF traffic mark feature.

      The feature adds custom header fields to WAF back-to-origin requests. You can configure or modify the custom header fields to tag the requests that are forwarded by WAF or record the actual IP addresses or ports of clients.

      If you select Enable Traffic Mark, you must add custom header fields.

      Important

      • We recommend that you do not configure a standard HTTP header field, such as User-Agent. If you configure a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field.

      • If an attacker obtains the IP address of the origin server before you add the domain name to WAF and purchases another WAF instance to forward requests to the origin server, we recommend that you select Enable Traffic Mark and add custom header fields. We recommend that you verify the header fields after the origin server receives the requests. If specified header fields exist, the requests are allowed.

      You can add the following types of header fields:

      • Custom Header

        If you want to add a custom header, you must configure the following fields: Header Name and Header Value. WAF adds the header field to the back-to-origin requests. This allows the backend service to check whether requests pass through WAF, collect statistics, and analyze data.

        For example, you can specify the ALIWAF-TAG: Yes header field setting to tag the requests that pass through WAF. In this example, the header field name is ALIWAF-TAG and the header field value is Yes.

      • Originating IP Address

        You can configure a custom header to record the actual IP address of a client. This way, your origin server can obtain the actual IP address of the client. For information about how WAF obtains the actual IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter.

      • Source Port

        You can configure a custom header to record the source port of a client. This way, your origin server can obtain the actual port of the client.

      Click + Add Mark to add a header field. You can add up to five header fields.

      Resource Group

      Select the resource group to which you want to add the domain name from the drop-down list.

      Note

      You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.

    6. In the Check and Confirm Added Information step, check and confirm the configurations and click Next.

    7. In the Add Completed step, click Completed. Return to the website list.

      After you add the domain name, you can view the configurations and origin server of the domain name on the Domain Names tab. You can modify or delete the domain name configurations based on your business requirements.

      By default, WAF detects traffic on the port that is enabled in the Add Domain Name step and forwards normal traffic to the origin server. On the Servers tab, you can change the traffic protection status of a port based on your business requirements.

    Step 2: View and manage traffic redirection ports

    View origin servers and manage traffic redirection ports

    After you add a domain name to WAF, you can view information about the origin server. If you want to implement disaster recovery in emergency management, you can disable traffic redirection or delete the traffic redirection port.

    1. On the Website Access page, click the Servers tab.

    2. You can click the Show icon to the left of an instance to view the ports that are added to WAF.

      Protection status

      Description of Traffic Status:

      • Traffic Status (marked with 1 in the preceding figure) indicates whether traffic on the port is protected by WAF. Valid values: Enabled and Disabled. To enable or disable traffic redirection, you can click Disable Traffic Redirection or Enable Traffic Redirection in the Actions column.

        Note

        If you disable traffic redirection, traffic on the port is no longer redirected to WAF.

      • Traffic Status (marked with 2 in the preceding figure) indicates the overall WAF protection status of the ports of the instance. Valid values: Unprotected, Partially Protected, and Fully Protected.

    3. Optional: If your instance is a Layer 4 SLB instance or an ECS instance, click Delete in the Actions column. In the Tips message, click Confirm to delete the port that no longer requires WAF protection.

    Update certificates of traffic redirection ports

    • If the instance is an ALB instance or Layer 7 SLB instance, you do not need to re-upload a certificate.

      • If the certificate that is configured for the listening port of the instance is updated, you need to only update the certificate in the SLB console. The updated certificate is automatically synchronized to WAF. The period of time that is required to synchronize a certificate to WAF is approximately 30 minutes.

      • If the certificate that is automatically synchronized to WAF does not take effect, click the Update icon on the Servers tab to manually update the certificate.

    • If the instance is an ECS instance or a Layer 4 SLB instance, you must re-upload a certificate in the WAF console.

      On the Servers tab, find the instance whose certificate you want to update and click Edit in the Actions column. In the dialog box that appears, set the Upload Type parameter to Manual Upload or Select Existing Certificate and then upload a certificate. Upload certificate

    What to do next

    After a website is added to WAF, all access traffic of the website is detected and filtered by WAF. WAF provides multiple features to protect websites against different types of attacks. By default, the Protection Rules Engine and HTTP Flood Protection features are enabled. The Protection Rules Engine feature protects websites against common web attacks, such as SQL injections, cross-site scripting (XSS) attacks, and webshell uploads. The HTTP Flood Protection feature protects websites against HTTP flood attacks. You can enable other features and configure protection rules for the features based on your business requirements. For more information, see Overview of website protection configuration.

    References

    Add a website in CNAME record mode

    Upload a certificate