After you add your website to Web Application Firewall (WAF) in CNAME record mode, you can configure access control policies for your origin server to allow inbound traffic only from back-to-origin CIDR blocks of WAF. This way, your website is protected from direct-to-origin attacks. This topic describes how to configure security group rules or whitelist policies for an origin server that is deployed on an Elastic Compute Service (ECS) instance or a Classic Load Balancer (CLB) instance. CLB is formerly known as Server Load Balancer (SLB).

Prerequisites

  • The origin server is deployed on an ECS instance or a CLB instance. For more information about ECS and CLB instances, see ECS instances and CLB instances.
  • All domain names that are hosted on the ECS instance or CLB instance are added to WAF in CNAME record mode.

    For more information, see Add a domain name.

Precautions

After you add your website to WAF for protection, traffic is forwarded regardless of whether protection is configured for your origin server. If the IP address of your origin server is exposed, attackers can bypass WAF and launch direct-to-origin attacks. In this scenario, you must configure protection for your origin server. For more information about how to check whether the IP address of your origin server is exposed, see How do I check whether the IP address of my origin server is exposed?

If you configure access control policies on the origin server, security risks may occur. Before you configure protection for the origin server, take note of the following points:
  • Make sure that all domain names that are hosted on the origin server are added to WAF. Otherwise, an attacker can use a domain name that is not added to WAF to reach the origin server directly, which also puts the services of the other domain names that are hosted on the same origin server at risk.
  • If a WAF cluster fails, requests that are destined for your website are directed to the origin server in bypass mode. This ensures service continuity. In bypass mode, requests arrive from client IP addresses rather than from the WAF back-to-origin CIDR blocks. Therefore, if you have configured ECS security group rules or CLB whitelist policies for the origin server, the origin server cannot be accessed over the Internet during the failure.
  • If back-to-origin CIDR blocks are added during a WAF cluster scale-out and you have configured ECS security group rules and CLB whitelist policies for the origin server, HTTP 5XX status codes may be frequently returned. We recommend that you take note of the notifications of changes in back-to-origin CIDR blocks in the Web Application Firewall console and update the access control policies that involve back-to-origin CIDR blocks at the earliest opportunity.
  • If you no longer need to use WAF, you must delete the access control policies that you added before you switch traffic back to the origin server. This way, traffic is sent to the origin server and service interruptions are prevented.

Obtain the WAF back-to-origin CIDR blocks

Notice The WAF back-to-origin CIDR blocks are updated on a regular basis. To avoid service interruptions, take note of update notifications and add the updated back-to-origin CIDR blocks to the security group rules and whitelist policies that are configured for your origin server at the earliest opportunity.
  1. Log on to the WAF console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose System Management > Product Information.
  4. In the lower part of the Product Information page, find the WAF IP Segments section and click Copy All IPs.
    The WAF IP Segments section displays the latest back-to-origin CIDR blocks.

Configure ECS security group rules

If your origin server is deployed on an ECS instance, you must configure security group rules for the ECS instance after you obtain the WAF back-to-origin CIDR blocks. The security group rules allow inbound traffic only from the WAF back-to-origin CIDR blocks.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select the resource group and the region to which the ECS instance belongs.
  4. On the Instances page, find the ECS instance for which you want to configure security group rules and choose More > Network and Security Group > Configure Security Group in the Actions column.
  5. Find the security group that you want to configure and click Add Rules in the Actions column.
  6. Add a security group rule that has the highest priority to allow inbound traffic only from the WAF back-to-origin CIDR blocks.
    1. On the Inbound tab of the Access Rule section, click Add Rule.
    2. Configure the following parameters and click Save.
      Action: Select Allow.
      Priority: Enter 1, which specifies the highest priority.
      Protocol Type: Select Custom TCP.
      Port Range: Select HTTP (80) and HTTPS (443).
      Authorization Object: Copy and paste the back-to-origin CIDR blocks of WAF into the Source field. You can press Ctrl+V to paste the CIDR blocks.
      Description: The description of the security group rule. Example: Allow inbound traffic from the WAF back-to-origin CIDR blocks.
      Notice If your origin server communicates with other applications over IP addresses and ports other than the WAF back-to-origin CIDR blocks and the HTTP or HTTPS ports, you must also add those IP addresses and ports to the security group rules.
      After the security group rule is added, it takes the highest priority in the security group. This way, the ECS instance allows inbound traffic over the specified ports from the WAF back-to-origin CIDR blocks.
      Warning Make sure that all WAF back-to-origin CIDR blocks are added to the security group rule. Otherwise, requests forwarded by WAF from a missing CIDR block are dropped and access exceptions occur.
  7. Add a security group rule that has the lowest priority to block all inbound traffic.
    1. On the Inbound tab of the Access Rule section, click Add Rule.
    2. Configure the following parameters and click Save.
      Action: Select Forbid.
      Priority: Enter 100, which specifies the lowest priority.
      Protocol Type: Select Custom TCP.
      Port Range: Select HTTP (80) and HTTPS (443).
      Authorization Object: Enter 0.0.0.0/0 in the Source field. 0.0.0.0/0 specifies all CIDR blocks.
      Description: The description of the security group rule. Example: Block all inbound traffic.
      After the security group rules are added, the ECS instance blocks inbound traffic from all CIDR blocks except the CIDR blocks that are specified in Step 6. This way, all service traffic passes through WAF before the traffic reaches the ECS instance.
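The following is an added example, not code from the Alibaba Cloud documentation. It models the two-rule scheme from Steps 6 and 7 (priority 1 allow for the WAF CIDR blocks, priority 100 drop for 0.0.0.0/0) and adds the check a practitioner wants after a WAF scale-out: which blocks in a freshly copied WAF IP Segments list are not yet covered by an allow rule. All CIDR blocks used in the tests are constructed placeholders, not real WAF back-to-origin ranges.

```python
# Added example (not from the Alibaba Cloud documentation): models the allow/drop
# security group rules described above and checks them against a new WAF CIDR list.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int      # 1 is the highest priority, 100 the lowest
    action: str        # "accept" (Allow) or "drop" (Forbid)
    source: str        # CIDR block entered in the Authorization Object / Source field
    ports: frozenset   # destination TCP ports covered by the rule


def parse_waf_cidrs(copied: str) -> list:
    """Turn the text from 'Copy All IPs' (comma- or newline-separated) into networks."""
    parts = copied.replace(",", "\n").split()
    return [ipaddress.ip_network(p, strict=False) for p in parts]


def build_rules(waf_cidrs, ports=(80, 443)) -> list:
    """Step 6 (allow each WAF CIDR block, priority 1) plus Step 7 (drop 0.0.0.0/0, priority 100)."""
    allow = [Rule(1, "accept", str(c), frozenset(ports)) for c in waf_cidrs]
    return allow + [Rule(100, "drop", "0.0.0.0/0", frozenset(ports))]


def evaluate(rules, src_ip: str, port: int) -> str:
    """Action of the best-priority rule matching a packet; no match is treated as drop."""
    ip = ipaddress.ip_address(src_ip)
    hits = [r for r in rules
            if port in r.ports and ip.version == ipaddress.ip_network(r.source).version
            and ip in ipaddress.ip_network(r.source)]
    if not hits:
        return "drop"  # inbound traffic that matches no rule is denied
    return min(hits, key=lambda r: r.priority).action


def uncovered_cidrs(rules, waf_cidrs) -> list:
    """WAF CIDR blocks not fully inside any accept rule.

    A non-empty result after a WAF scale-out means back-to-origin requests from
    those blocks would hit the drop rule, which is the HTTP 5XX symptom noted above.
    """
    allowed = [ipaddress.ip_network(r.source) for r in rules if r.action == "accept"]
    return [str(c) for c in waf_cidrs
            if not any(a.version == c.version and c.subnet_of(a) for a in allowed)]
```

Run `uncovered_cidrs` against the current rule set each time a back-to-origin CIDR change notification arrives; any block it returns must be added to the priority 1 allow rule before requests from it are dropped.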

Configure CLB access control policies

If your origin server is deployed on a CLB instance, you must obtain the WAF back-to-origin CIDR blocks and configure an access control policy (whitelist) for the CLB instance. The whitelist policy allows inbound traffic only from the WAF back-to-origin CIDR blocks.

The following example describes how to configure a whitelist policy. In this example, a CLB instance is used. If you use an Application Load Balancer (ALB) instance, configure a whitelist policy based on the following steps and the description in Enable access control for ALB instances.

  1. Log on to the SLB console.
  2. In the left-side navigation pane, choose CLB (FKA SLB) > Access Control.
  3. In the top navigation bar, select the resource group and the region to which the CLB instance belongs.
  4. Create an access control list (ACL).
    1. On the Access Control page, click Create Access Control List.
    2. In the Create Access Control List panel, configure the following parameters and click Create.
      The following configurations are used to create an ACL for the WAF back-to-origin CIDR blocks.
      Name: Enter the name of the ACL. Example: WAF back-to-origin CIDR blocks.
      Add Multiple Addresses and Descriptions: Copy and paste all the back-to-origin CIDR blocks of WAF. Enter one CIDR block per line. Press Enter to start a new line.
      Note The copied back-to-origin CIDR blocks are separated by commas (,). Before you paste them, we recommend that you use a text editor that supports extended (regular expression) replacement to replace the commas (,) with line breaks (\n).
  5. Configure the ACL for a listener.
    1. In the left-side navigation pane, choose CLB (FKA SLB) > Instances.
    2. On the Instances page, find the instance that you want to manage and click the ID of the instance.
    3. On the Listeners tab, find the listener that you want to configure, click the More icon in the Actions column, and then click Set Access Control.
      Select the listener based on the type of service that is protected by WAF:
      • If HTTP services are added to WAF, configure an HTTP listener.
      • If HTTPS services are added to WAF, configure an HTTPS listener.
      • If HTTP and HTTPS services are added to WAF, configure an HTTP listener and an HTTPS listener.
    4. In the Access Control Settings panel, turn on Enable Access Control and configure the following parameters.
      Access Control Mode: Select Whitelist to allow only the specified IP addresses to access the CLB instance.
      Select ACL: Select the ACL that you created for the back-to-origin CIDR blocks of WAF.

    After the preceding configurations are complete, the CLB instance allows inbound traffic from the back-to-origin CIDR blocks of WAF.

What to do next

After you configure ECS security group rules or CLB whitelist policies, we recommend that you check whether the origin server can be connected over ports 80 and 8080 from a host outside Alibaba Cloud. This way, you can check whether the protection configurations are in effect.

If the origin server cannot be connected over port 80 or 8080, but the service runs as expected, the protection configurations are in effect.

How do I check whether the IP address of my origin server is exposed?

Use Telnet to establish a connection from a host that is not deployed on Alibaba Cloud to your origin server by using the service port and the public IP address.
  • If the connection is successful, the IP address of your origin server is exposed. In this case, attackers that obtain the public IP address can bypass WAF and launch attacks on your origin server.
  • If the connection fails, the IP address of your origin server is not exposed.
Example: Check whether an origin server that is protected by WAF can be connected over ports 80 and 8080. If the origin server can be connected over ports 80 and 8080, the IP address of your origin server is exposed.
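The Telnet check described above, scripted as an added example that is not part of the original documentation. It probes the origin's public IP address over the service ports and, following the condition in What to do next, reports protection as in effect only when the origin ports are unreachable while the WAF-fronted domain still answers. The origin IP and domain in the `__main__` section are placeholders to replace; run it from a host that is not deployed on Alibaba Cloud.

```python
# Added example (not from the Alibaba Cloud documentation): scripted version of the
# "connect to the origin's public IP over the service port" exposure check.
import socket


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake completes; a refused, filtered or timed-out connect is False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes ConnectionRefusedError, timeout and DNS failures
        return False


def origin_exposed(origin_ip: str, ports=(80, 8080)) -> dict:
    """Probe each service port on the origin; any reachable port means the IP is exposed."""
    results = {p: port_reachable(origin_ip, p) for p in ports}
    return {"exposed": any(results.values()), "ports": results}


def protection_in_effect(origin_ip: str, waf_domain: str, origin_ports=(80, 8080)) -> bool:
    """Origin ports unreachable AND the service still answers through WAF (80 or 443)."""
    origin = origin_exposed(origin_ip, origin_ports)
    service_ok = port_reachable(waf_domain, 443) or port_reachable(waf_domain, 80)
    return (not origin["exposed"]) and service_ok


if __name__ == "__main__":
    # Placeholders: replace with the origin's public IP and the domain added to WAF.
    ORIGIN_IP = "ORIGIN_PUBLIC_IP_PLACEHOLDER"
    WAF_DOMAIN = "www.example.com"
    report = origin_exposed(ORIGIN_IP)
    for port, ok in report["ports"].items():
        print(f"origin port {port}: {'reachable (exposed)' if ok else 'not reachable'}")
    if protection_in_effect(ORIGIN_IP, WAF_DOMAIN):
        print("protection in effect: origin unreachable, service answers through WAF")
```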