After you add your website to Web Application Firewall (WAF) in CNAME record mode, you can configure access control policies for your origin server to allow inbound traffic only from the back-to-origin CIDR blocks of WAF. This way, your website is protected from direct-to-origin attacks. This topic describes how to configure security group rules or access control (whitelist) policies for an origin server that is an Elastic Compute Service (ECS) instance or is added to a Server Load Balancer (SLB) instance.

Precautions

After you add your website to WAF for protection, traffic is forwarded to the origin server through WAF regardless of whether protection is configured for your origin server. If the IP address of your origin server is exposed, attackers can bypass WAF and launch direct-to-origin attacks. To prevent this from happening, you must configure protection for your origin server. For more information about how to check whether the IP address of your origin server is exposed, see How do I check whether the IP address of my origin server is exposed?.

When you configure access control policies on the origin server, security risks may arise due to improper configurations. Before you configure protection for an origin server, take note of the following items:
  • Make sure that all domain names that are hosted on an origin server are added to WAF. This way, attackers cannot use these domain names to attack the origin server. If a domain name that is not added to WAF is used to attack the origin server, services of the other domain names that are hosted on the origin server are affected.
  • If a WAF cluster fails, requests that are destined for your website are directed to the origin server in bypass mode. This ensures service continuity. In this case, if you have configured ECS security group rules or SLB whitelist policies for the origin server, the origin server cannot be accessed over the Internet.
  • If back-to-origin CIDR blocks are added during a WAF cluster scale-out and you have configured ECS security group rules or SLB whitelist policies for the origin server, HTTP 5XX status codes may be frequently returned. We recommend that you take note of the notifications of changes in back-to-origin CIDR blocks in the Web Application Firewall console and update the access control policies that involve back-to-origin CIDR blocks at the earliest opportunity.
  • If you no longer need to use WAF, you must delete the access control policies that you added before you switch traffic back to the origin server. Otherwise, traffic cannot be sent to the origin server and service interruptions may occur.

Prerequisites

  • The origin server is an ECS instance or is added to an SLB instance. For more information, see What is ECS and SLB overview.
  • All domain names that are hosted on the ECS instance or SLB instance are added to WAF in CNAME record mode. For more information, see Add a domain name.
    Notice If you add a website to WAF in transparent proxy mode, the redirection ports are protected by WAF by default and attackers cannot bypass WAF to launch direct-to-origin attacks. Therefore, you do not need to configure protection for your origin server. For more information, see Add a website in transparent proxy mode.

Obtain the WAF back-to-origin CIDR blocks

Notice The WAF back-to-origin CIDR blocks are updated on a regular basis. To avoid service interruptions, take note of update notifications and add the updated back-to-origin CIDR blocks to the security group rules and whitelist policies that are configured for your origin server at the earliest opportunity.
  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Mainland China or Outside Chinese Mainland.
  2. In the left-side navigation pane, choose System Management > Product Information.
  3. In the lower part of the Product Information page, find the WAF IP Segments section and click Copy All IPs.
    The WAF IP Segments section displays the latest back-to-origin CIDR blocks. (Figure: Back-to-origin CIDR blocks of WAF)

Configure ECS security group rules

If your origin server is an ECS instance, you must configure security group rules for the ECS instance after you obtain the WAF back-to-origin CIDR blocks. The security group rules allow inbound traffic only from the WAF back-to-origin CIDR blocks.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances. In the top navigation bar, select the resource group and the region to which the ECS instance belongs.
  3. On the Instances page, find the ECS instance for which you want to configure security group rules and choose More > Network and Security Group > Configure Security Group in the Actions column.
  4. Find the security group that you want to configure and click Add Rules in the Actions column.
  5. Add a security group rule that has the highest priority to allow inbound traffic only from the WAF back-to-origin CIDR blocks.
    1. On the Inbound tab of the Access Rule section, click Add Rule.
    2. Configure the following parameters and click Save.
      Action: Select Allow.
      Priority: Enter 1, which specifies the highest priority.
      Protocol Type: Select Custom TCP.
      Port Range: Select HTTP (80) and HTTPS (443).
      Authorization Object: Paste the back-to-origin CIDR blocks that you obtained into the Source field.
      Description: Enter a description for the security group rule. Example: Allow inbound traffic from the WAF back-to-origin CIDR blocks.
      Notice If your origin server also communicates with applications from IP addresses other than the WAF back-to-origin CIDR blocks or over ports other than the HTTP and HTTPS ports, you must also allow those IP addresses and ports in the security group rules.
      After the security group rule is added, it takes the highest priority in the security group. This way, the ECS instance allows all inbound traffic from the WAF back-to-origin CIDR blocks.
      Warning Make sure that all WAF back-to-origin CIDR blocks are added to the security group rule. Otherwise, access exceptions may occur.
  6. Add a security group rule that has the lowest priority to block all inbound traffic.
    1. On the Inbound tab of the Access Rule section, click Add Rule.
    2. Configure the following parameters and click Save.
      Action: Select Deny.
      Priority: Enter 100, which specifies the lowest priority.
      Protocol Type: Select Custom TCP.
      Port Range: Select HTTP (80) and HTTPS (443).
      Authorization Object: Enter 0.0.0.0/0 in the Source field. 0.0.0.0/0 specifies all CIDR blocks.
      Description: Enter a description for the security group rule. Example: Block all inbound traffic.
      After both security group rules are added, the ECS instance blocks inbound traffic from all CIDR blocks except the WAF back-to-origin CIDR blocks that you allowed in Step 5. This way, all service traffic passes through WAF before the traffic reaches the ECS instance.

Configure SLB access control policies

If your origin server is added to an SLB instance, you must obtain the WAF back-to-origin CIDR blocks and configure an access control policy (whitelist) for the SLB instance. The access control policy allows inbound traffic only from the WAF back-to-origin CIDR blocks.

The following example describes how to configure an access control policy. In this example, a Classic Load Balancer (CLB) instance is used. If you use an Application Load Balancer (ALB) instance, configure an access control policy based on the following steps and the description in Access Control.

  1. Log on to the SLB console.
  2. In the left-side navigation pane, choose CLB (FKA SLB) > Access Control. In the top navigation bar, select the resource group and the region to which the CLB instance belongs.
  3. Create an access control list (ACL) for WAF back-to-origin CIDR blocks.
    1. On the Access Control page, click Create Access Control List.
    2. In the Create Access Control List panel, configure the following parameters and click Create.
      Access Control List Name: Enter the name of the ACL. Example: WAF back-to-origin CIDR blocks.
      Add Multiple Addresses and Descriptions: Copy and paste all WAF back-to-origin CIDR blocks. Enter one CIDR block per line. Press Enter to start a new line.
      Note The WAF back-to-origin CIDR blocks that you copied are separated by commas (,). Before you paste the CIDR blocks, we recommend that you use a text editor that supports find-and-replace to replace the commas (,) with line breaks (\n).
  4. Configure the ACLs for listeners.
    1. In the left-side navigation pane, choose CLB (FKA SLB) > Instances.
    2. On the Instances page, find the instance that you want to manage and click the ID of the instance.
    3. On the Listener tab, find the listener that you want to configure, click the More icon in the Actions column, and then click Set Access Control.
      Select the listener based on the type of service that is protected by WAF:
      • If HTTP services are added to WAF, configure an HTTP listener.
      • If HTTPS services are added to WAF, configure an HTTPS listener.
      • If HTTP and HTTPS services are added to WAF, configure an HTTP listener and an HTTPS listener.
    4. In the Access Control Settings panel, turn on Enable Access Control and configure the following parameters.
      Access Control Method: Select Whitelist to allow only the specified IP addresses to access the CLB instance.
      Access Control List: Select the ACL that you created for the WAF back-to-origin CIDR blocks.

    After the preceding configurations are complete, the CLB instance allows inbound traffic from WAF back-to-origin CIDR blocks.
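The two mechanical parts of the procedure above, turning the comma-separated "Copy All IPs" text into the one-per-line form the ACL panel expects and then confirming from the origin's own access log that only WAF back-to-origin addresses reach it, as an added Python example that is not part of the original page. The CIDR blocks and log lines are constructed placeholders, not real WAF ranges or real traffic.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the comma-separated text that
# "Copy All IPs" puts on the clipboard. They are NOT real WAF back-to-origin CIDR blocks.
COPIED_FROM_CONSOLE = "203.0.113.0/24,198.51.100.0/25, 192.0.2.0/24,"


def normalize_cidrs(copied: str) -> list:
    """Turn the comma-separated copy into a list of validated CIDR blocks.

    Every token must parse as a network: a paste typo such as "203.0.113.0/33"
    raises ValueError instead of silently becoming a rule that matches nothing.
    """
    cidrs = []
    for token in re.split(r"[,\s]+", copied.strip()):
        if token:
            cidrs.append(str(ipaddress.ip_network(token, strict=True)))
    return cidrs


def as_acl_text(copied: str) -> str:
    """The form the CLB ACL panel expects: one CIDR block per line."""
    return "\n".join(normalize_cidrs(copied))


# Constructed origin-server access log lines (combined log format). With WAF in
# front, the first field is a WAF back-to-origin address and the real client is
# carried in X-Forwarded-For. A first field outside the WAF ranges is a request
# that reached the origin directly, i.e. the protection is not (yet) effective.
ORIGIN_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612
198.51.100.200 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 404 153
192.0.2.5 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 302 0
198.18.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /.env HTTP/1.1" 404 153
"""


def direct_to_origin_sources(log_text: str, cidrs: list) -> list:
    """Source IPs (in order of first appearance) that are inside no WAF CIDR block."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    seen = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src = ipaddress.ip_address(line.split()[0])
        if not any(src in net for net in nets) and str(src) not in seen:
            seen.append(str(src))
    return seen


if __name__ == "__main__":
    print(as_acl_text(COPIED_FROM_CONSOLE))
    print("direct-to-origin sources:", direct_to_origin_sources(ORIGIN_LOG, normalize_cidrs(COPIED_FROM_CONSOLE)))
```

Note that 198.51.100.200 is flagged even though it shares a /24 with an allowed block: the allowed block is a /25, so a boundary mistake when pasting would show up here as unexpected direct traffic.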

What to do next

After you configure ECS security group rules or SLB whitelist policies, we recommend that you check whether the origin server can be connected over ports 80 and 8080. This way, you can check whether the protection configurations are in effect.

If the origin server cannot be connected over port 80 or 8080, but the service runs as expected, the protection configurations are in effect.

How do I check whether the IP address of my origin server is exposed?

Use Telnet to establish a connection from a host that is not deployed on Alibaba Cloud to your origin server by using the service port and the public IP address of your origin server.
  • If the connection is successful, the IP address of your origin server is exposed. In this case, attackers that obtain the public IP address can bypass WAF and launch attacks on your origin server.
  • If the connection fails, the IP address of your origin server is not exposed.
Example: Check whether an origin server that is protected by WAF can be connected over ports 80 and 8080. If the origin server can be connected over ports 80 and 8080, the IP address of the origin server is exposed. (Figure: Established connection)
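The Telnet check above, scripted so it can be repeated after every back-to-origin CIDR update, as an added Python example that is not part of the original page. It probes ports 80 and 8080 with a TCP connect from the host it runs on (which, as the page says, must be outside Alibaba Cloud for the result to be meaningful); the local demo listener and the placeholder command line are assumptions of this example.

```python
import socket
import sys


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Complete a TCP handshake to host:port, which is what `telnet host port` does.
    Returns False on refusal or when nothing answers within the timeout; from outside,
    a correctly filtered origin looks exactly like that."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def origin_exposed(host: str, ports=(80, 8080), timeout: float = 3.0) -> dict:
    """Probe each service port; any reachable port means the origin IP is exposed."""
    return {port: port_reachable(host, port, timeout) for port in ports}


def protection_in_effect(results: dict) -> bool:
    """The page's verdict: protection is in effect only if no probed port connects."""
    return not any(results.values())


def local_demo() -> tuple:
    """Show both outcomes offline against a throwaway listener on 127.0.0.1:
    reachable while it listens (exposed), refused once it is closed (protected)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = port_reachable("127.0.0.1", port, 1.0)
    listener.close()
    after_close = port_reachable("127.0.0.1", port, 1.0)
    return while_open, after_close


if __name__ == "__main__":
    # From a host outside Alibaba Cloud: python3 check_origin.py <origin public IP>
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print("local demo (while open, after close):", local_demo())
    else:
        results = origin_exposed(target)
        for port, reachable in results.items():
            print(f"port {port}: {'connected (exposed)' if reachable else 'no connection'}")
        print("protection in effect" if protection_in_effect(results) else "origin IP is exposed")
```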