How to add a website to WAF in transparent proxy mode - Web Application Firewall

You can add your website to Web Application Firewall (WAF) in transparent proxy mode by entering your website information without the need to change the Domain Name System (DNS) record. If your origin server is an Elastic Compute Service (ECS) instance or is added to an Internet-facing Server Load Balancer (SLB) instance, you can add your website to WAF in CNAME record mode or transparent proxy mode. The transparent proxy mode uses cloud-native technologies. This topic describes how to add a website to WAF in transparent proxy mode.

Note

If you migrated your WAF 2.0 instance to WAF 3.0, you can add your cloud service instances, such as ECS, Classic Load Balancer (CLB), and Application Load Balancer (ALB) instances, to WAF in cloud native mode. For more information, see Cloud native mode.

Limits

Item	Description
Types of cloud services	Internal-facing SLB instances and IPv6 Internet-facing SLB instances do not support the transparent proxy mode.
Regions in which the transparent proxy mode is available	The transparent proxy mode is available in the following regions: Chinese mainland: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), and China (Shenzhen). Outside the Chinese mainland: China (Hong Kong), Malaysia (Kuala Lumpur), and Indonesia (Jakarta). Specific Internet-facing SLB instances do not support the transparent proxy mode due to network architecture issues.
Number of traffic redirection ports	The number of ports on which traffic can be forwarded to WAF varies based on the WAF edition. Pro Edition: up to 20 traffic redirection ports. Business Edition: up to 50 traffic redirection ports. Enterprise Edition: up to 100 traffic redirection ports. Transparent proxy mode takes effect only on the specified ports of an origin server. For example, if you enable transparent proxy mode for ports 80 and 443 of an origin server that uses a public IP address, transparent proxy mode is enabled only for these ports. After you enable transparent proxy mode for a port, traffic that is received on the port is redirected to WAF. For example, if you enable transparent proxy mode for ports 80 and 443 of SLB Instance A and SLB Instance B, traffic that is received on the ports is redirected to WAF.
Supported ports	Standard and non-standard ports from ports 0 to 65535 are supported. For more information, see View the ports supported by WAF. Note Only subscription WAF instances of the Business, Enterprise, and Exclusive editions support non-standard ports.
Services protected by Anti-DDoS Pro or Anti-DDoS Premium and WAF	If you add your services to Anti-DDoS Pro or Anti-DDoS Premium by adding a domain name, you can add the services to WAF in transparent proxy mode and protect the services by using Anti-DDoS Pro or Anti-DDoS Premium together with WAF. If you add your services to Anti-DDoS Pro or Anti-DDoS Premium by creating port forwarding rules, you cannot add the services to WAF in transparent proxy mode. In this case, we recommend that you add your services to WAF in CNAME record mode. For more information, see Add a domain name to WAF in CNAME record mode.

Prerequisites

A WAF instance is purchased.
An IPv4 Internet-facing SLB instance that uses a public IP address is created, and mutual authentication is disabled for the ports.
Note
If you use an internal-facing SLB instance that is associated with an Elastic IP Address (EIP), you can add your website to WAF in transparent proxy mode.
If the domain name of your website is hosted on a server in the Chinese mainland, apply for an Internet Content Provider (ICP) filing for the domain name. When you apply for an ICP filing by using the Alibaba Cloud ICP Filing system, the system displays the required operations based on the website information that you enter. For more information, see ICP filing scenarios.
The following operations are performed in sequence on the SSL certificate of the listener port:
1. The certificate is uploaded to or issued in the Certificate Management Service console.
2. The certificate is selected and configured when you configure listeners in the SLB console.
Note
If you use WAF to protect a Layer 4 SLB or ECS instance, a certificate does not need to be selected and configured.
WAF is authorized to access cloud resources. For more information, see Authorize WAF to access cloud resources.

Step 1: Add a domain name

Important

The first time you add an instance to WAF, web services may be interrupted for several seconds. If clients can be automatically reconnected, the web services automatically resume. Configure reconnection mechanisms and back-to-origin settings based on your business requirements.
If you perform the following operations after you add an instance to WAF, the traffic redirection ports are automatically removed from WAF. If you do not re-add the traffic redirection ports to WAF, traffic on the ports is not forwarded to WAF.
- Change the public IP address, replace the certificate that is bound to a traffic redirection port with a third-party certificate, or enable mutual authentication for a Layer 7 CLB instance
- Change the public IP address or enable mutual authentication for an ECS instance or Layer 4 CLB instance
If you add an ECS instance to WAF, traffic of the public IP address or elastic IP address (EIP) that is associated with the instance is redirected to WAF.
After you disassociate an EIP from the ECS instance, traffic of the EIP is not redirected to WAF.

Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Asset Center > Website Access.
On the Domain Names tab, click Website Access.
On the Add Domain Name page, set the Access Mode parameter to Transparent Proxy Mode.

In the Add Domain Name step, enter the domain name of your website and add a port. The following table describes the parameters.

Parameter	Description
Domain Name	Enter the domain name of the website that you want to add to WAF for protection. The domain name can be an exact match domain name, such as `www.aliyundoc.com`, or a wildcard domain name, such as `.aliyundoc.com`. When you enter a domain name, take note of the following items: A wildcard domain name can cover all subdomains that are at the same level as the wildcard domain name. For example, `.aliyundoc.com` can cover subdomains such as `www.aliyundoc.com` and `test.aliyundoc.com`. Important A wildcard domain name cannot cover the primary domain name of the wildcard domain name. For example, `*.aliyundoc.com` cannot cover `aliyundoc.com`. If you want to use WAF to protect `aliyundoc.com`, you must separately add the domain name to WAF. If you enter a wildcard domain name and an exact match domain name, WAF uses the forwarding and protection rules of the exact match domain name.
Origin server port	Select the origin server ports that you want to add to WAF. The following instances can be added to WAF in transparent proxy mode: ALB instances, Layer 7 SLB instances, Layer 4 SLB instances, and ECS instances. Click the corresponding tab based on the type of the instance that you want to add to WAF. If your origin server is deployed on an ALB instance and you want to enable WAF protection for traffic on the listener ports of the instance, click the ALB-based Domains tab. You can perform the following operations on the corresponding tab: Add ports The ports of ALB instances and Layer 7 SLB instances are automatically synchronized to WAF. You need to only select the ports that you want to add to WAF. If you want to add Layer 4 SLB or ECS instances to WAF, manually add the ports to WAF. You can click Add to enable traffic redirection for the ports. After you add an origin server port, you can select the port in the instance list. You can also delete the port or disable traffic redirection on the Servers tab. For more information, see View origin servers and manage traffic redirection ports. Enable WAF protection for the listener ports of the instance. For more information, see Configure a traffic redirection port for an ALB instance.
Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF	Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro or Anti-DDoS Premium and Alibaba Cloud CDN. Valid values: No: No Layer 7 proxies are deployed in front of WAF. WAF receives requests from clients. WAF uses the IP address that is used by a client to establish a connection with WAF as the IP address of the client. WAF obtains the IP address from the `REMOTE_ADDR` field. Yes: A Layer 7 proxy is deployed in front of WAF. WAF receives requests from the Layer 7 proxy. To make sure that WAF can obtain the actual IP address of a client for security analysis, configure the Obtain Source IP Address parameter. By default, WAF uses the first IP address in the `X-Forwarded-For` field as the IP address of a client. If you use a proxy that requires the actual IP addresses to be included in a custom header field, such as X-Client-IP or X-Real-IP, select [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery and enter a custom header field in the Header Field field. Note We recommend that you use custom header fields to store the IP addresses of clients and configure the custom header fields in WAF. This prevents attackers from forging X-Forwarded-For fields to bypass WAF protection and improves the security of your business. You can enter multiple header fields. Separate multiple header fields with commas (,). If you enter multiple header fields, WAF scans the header fields in sequence until the IP address of the client is obtained. If WAF cannot obtain the IP address of the client from the header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.
Enable Traffic Mark	Specify whether to enable the traffic marking feature. The feature adds custom header fields to WAF back-to-origin requests. You can specify or modify the custom header fields to label the requests that are forwarded by WAF or record the actual IP addresses or ports of clients. If you select Enable Traffic Mark, specify custom header fields. Important We recommend that you do not configure a standard HTTP header field such as User-Agent. If you configure a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field. If an attacker obtains the IP address of the origin server before you add the domain name to WAF and purchases another WAF instance to forward requests to the origin server, we recommend that you select Enable Traffic Mark and add custom header fields. After the origin server receives the requests, we recommend that you check the header fields. If the specified header field exists, the requests are allowed. You can add the following types of header fields: Click Add Mark to add a header field. You can add up to five header fields.
Resource Group	Select the resource group to which you want to add the instance from the drop-down list. Note You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.

In the Check and Confirm Added Information step, check and confirm the configurations and click Next.
In the Add Completed step, click Completed. Return to the website list.
After you add the domain name, you can view the configurations and origin server of the domain name on the Domain Names tab. You can modify or delete the domain name configurations based on your business requirements.
By default, WAF detects traffic on the port that is enabled in the Add Domain Name step and forwards normal traffic to the origin server. On the Servers tab, you can change the traffic protection status of a port based on your business requirements.

Step 2: View and manage traffic redirection ports

View origin servers and manage traffic redirection ports

After you add a domain name to WAF, you can view information about the origin server. If you want to implement disaster recovery in emergency management, you can disable traffic redirection or delete traffic redirection ports.

On the Website Access page, click the Servers tab.
You can click the icon on the left side of an instance name to view the ports that are added to WAF.
Note
The ports of Layer 4 SLB and ECS instances cannot be automatically synchronized to WAF. You must manually add the ports to WAF. For more information, see Add ports.
Description of Traffic Status:
- Traffic Status (labeled 1 in the preceding figure) indicates whether traffic on the port is protected by WAF. Valid values: Enabled and Disabled. To enable or disable traffic redirection, you can click Disable Traffic Redirection or Enable Traffic Redirection in the Actions column.
  Note
  If you disable traffic redirection, traffic on the port is no longer redirected to WAF.
- Traffic Status (labeled 2 in the preceding figure) indicates the overall WAF protection status of the ports of the instance. Valid values: Unprotected, Partially Protected, and Fully Protected.
Optional. If your instance is a Layer 4 SLB instance or an ECS instance, click Delete in the Actions column. In the Tips message, click Confirm to delete the port that no longer requires WAF protection.

Update the certificates of traffic redirection ports

If the instance is an ALB instance or Layer 7 SLB instance, you do not need to upload another certificate.
- If the certificate that is configured for the listener port of the instance is updated, you must update the certificate in the SLB console. The updated certificate is automatically synchronized to WAF. The time required to synchronize a certificate to WAF is approximately 30 minutes.
  Important
  If the certificate that is bound to a traffic redirection port is replaced with a certificate that is not purchased by using Alibaba Cloud Certificate Management Service, update the certificate and re-add the instance to WAF.
- If the certificate that is automatically synchronized to WAF does not take effect, click the icon on the Servers tab to manually update the certificate.
If the instance is an ECS instance or a Layer 4 SLB instance, you must re-upload a certificate in the WAF console.
On the Servers tab, find the instance whose certificate you want to update and click Edit in the Actions column. In the dialog box that appears, set the Upload Type parameter to Manual Upload or Select Existing Certificate and then upload a certificate.

What to do next

After you add a website to WAF, all access traffic of the website is detected and filtered by WAF. WAF provides multiple features to protect websites against different types of attacks. By default, the Protection Rules Engine and HTTP Flood Protection features are enabled. The Protection Rules Engine feature protects websites against common web attacks, such as SQL injections, cross-site scripting (XSS) attacks, and webshell uploads. The HTTP Flood Protection feature protects websites against HTTP flood attacks. You can enable other features and configure protection rules for the features based on your business requirements. For more information, see Overview of website protection features.

Web Application Firewall:Transparent proxy mode