If you have created an Elastic Compute Service (ECS) instance, you can add the traffic redirection ports of the instance to Web Application Firewall (WAF). Then, the traffic on the ports is redirected to WAF. This topic describes how to add an ECS instance to WAF.

Limits

Supported instances

If you want to add an instance to WAF, the instance must meet the following requirements:
  • The instance is an Internet-facing instance.
  • The instance does not use an IPv6 address.
  • Mutual authentication is disabled for the instance.

Supported regions

  • If your WAF instance resides in the Chinese mainland, the instance that you want to add to WAF must reside in one of the following regions: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), and China (Shenzhen).
  • If your WAF instance resides outside the Chinese mainland, the instance that you want to add to WAF must reside in one of the following regions: China (Hong Kong), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).
Number of traffic redirection ports

You can specify up to 65 traffic redirection ports.

Supported ports

Standard or non-standard ports from port 0 to port 65535 are supported. For more information, see View supported ports.

Services that are protected by Anti-DDoS Pro or Anti-DDoS Premium and WAF

If you want to protect your services by using both WAF and Anti-DDoS Pro or Anti-DDoS Premium, you can add the services to WAF in transparent proxy mode only if you added the services to Anti-DDoS Pro or Anti-DDoS Premium by adding a domain name.

Prerequisites

Procedure

Important
  • The first time you add a website to WAF, the web services of your website may be interrupted for several seconds. After your website is added to WAF, your web services are automatically resumed.
  • After you change the public IP address of an instance that is added to WAF, you must re-add the instance to WAF. If you do not re-add the instance to WAF, the service traffic is not protected by WAF.
  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, click Website Configuration.
  3. On the Cloud Native tab of the Website Configuration page, click ECS in the left-side product list.
  4. Click Add and configure the parameters. The following table describes the parameters.
    Parameter: Select the instance and port to be added.
    Operation:
    1. Synchronize Instances

      If the instance that you want to add to WAF is not displayed in the instance list, click Synchronize Instances to refresh the instance list.

    2. Add Port
      1. Find the instance that you want to add to WAF and click Add Port in the Actions column.
      2. Enter the port number that you want to add to WAF and press the Enter key.

        The port number that you enter must be in the range of ports that are supported by WAF. You can click View Port Range to view the HTTP and HTTPS ports that are supported by WAF. For more information, see View supported ports.

      3. Select the protocol type for the port that you want to add. Valid values: HTTP and HTTPS.
        If you select HTTPS, you must upload a certificate.
        • Default Certificate
          • Upload
            Click Upload Certificate and configure the following parameters: Certificate Name, Certificate File, and Certificate Key. For example, the value of the Certificate File parameter is in the -----BEGIN CERTIFICATE-----...-----END CERTIFICATE----- format, and the value of the Certificate Key parameter is in the -----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY----- format.
            Important
            • If the certificate file is in the PEM format, CER format, or CRT format, you can use a text editor to open the certificate file and copy the text content.
            • If the certificate file is in other formats, such as PFX or P7B, convert the certificate file to the PEM format before you use a text editor to open the certificate file and copy the text content. For information about how to convert file formats, see How do I convert an HTTPS certificate to the PEM format?
            • If a domain name is associated with multiple SSL certificates or a certificate chain, combine the text content of the certificate files and then upload the combined content.
          • Select Existing Certificate

            Select a certificate that you want to upload to WAF from the certificate list. The certificate list displays the certificates that are issued by using Alibaba Cloud Certificate Management Service and the third-party certificates that are uploaded to the Certificate Management Service console.

            Click Alibaba Cloud Security - Certificate Management Service to go to the Certificate Management Service console and view the existing certificates.

        • Additional Certificate

          If the instance is configured to allow traffic from multiple domain names over HTTPS, you can click + Additional Certificate to import the certificates of the domain names. The roles of the parameters that you can configure to upload an additional certificate are the same as the roles of the parameters that you can configure to upload a default certificate. For more information, see the description of the Default Certificate parameter in this topic.

        • If you select HTTPS, you can click Advanced Settings to configure the following advanced settings:
          • TLS Version

            Specify the versions of Transport Layer Security (TLS) that are supported for HTTPS communication. If a client uses a TLS version that does not meet the requirements, WAF blocks the requests that are sent from the client. A later version of TLS provides higher security but lower compatibility.

            We recommend that you select the TLS version for traffic to which WAF listens based on the HTTPS settings of your website. If you cannot obtain the HTTPS settings of your website, we recommend that you use the default value.

            Valid values:
            • TLS 1.0 and Later (Best Compatibility and Low Security). This is the default value.
            • TLS 1.1 and Later (High Compatibility and High Security).

              If you select this value, a client that uses TLS 1.0 cannot access the website.

            • TLS 1.2 and Later (High Compatibility and Best Security)

              If you select this value, a client that uses TLS 1.0 or 1.1 cannot access the website.

            If your website supports TLS 1.3, select Support TLS 1.3. By default, WAF does not listen for traffic that is sent by using TLS 1.3.
          • Cipher Suite

            Specify the cipher suites that are supported for HTTPS communication. If a client uses cipher suites that do not meet the requirements, WAF blocks the requests that are from the client.

            Default value: All Cipher Suites (High Compatibility and Low Security). We recommend that you modify this parameter only if your website supports only specific cipher suites.

            Valid values:
            • All Cipher Suites (High Compatibility and Low Security).
            • Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.): If your website supports only specific cipher suites, select this value. Then, select the cipher suites that are supported by your website from the drop-down list. For more information, see View supported cipher suites.

              Clients that use other cipher suites cannot access the website.

    Parameter: Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF
    Operation: Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. Default value: No. Valid values: Yes and No.
    • No: No Layer 7 proxies are deployed in front of WAF.
      By default, No is selected. The value No indicates that WAF receives requests that are directly sent from clients. The requests are not forwarded by proxies.
      Note WAF uses the IP address that is used to establish connections to WAF as the actual IP address of a client. WAF obtains the actual IP address from the REMOTE_ADDR field of a request.
    • Yes: A Layer 7 proxy is deployed in front of WAF.

      If proxies are deployed, select Yes. The value Yes indicates that WAF receives requests that are forwarded to WAF by a Layer 7 proxy rather than sent directly from clients. To ensure that WAF can obtain the actual IP address of a client for security analysis, you must configure the Obtain Actual IP Address of Client parameter.

      Valid values:
      • Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client: This is the default value.

        By default, WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of a client.

      • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery.
        If you use proxies that contain the actual IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, specify the custom header field in the Header Field field.
        Note To store the actual IP addresses of clients and configure the header fields in WAF, we recommend that you use custom header fields. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF protection rules. This improves the security of your business.

        You can enter multiple header fields. Press the Enter key each time you enter a header field. If you enter multiple header fields, WAF scans the fields in the order in which you entered them until it obtains the actual IP address of the client. If WAF cannot obtain the actual IP address of the client from any of the header fields, WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of the client.

    Parameter: Enable Traffic Mark
    Operation: Specify whether WAF adds or modifies the custom header fields that you specified for the headers of back-to-origin requests.
    • If you do not want to enable the traffic mark feature, skip this parameter.
    • If you want to enable the traffic mark feature, perform the following operations.
      If you select Enable Traffic Mark, you must add custom header fields.
      Important We recommend that you do not configure a standard HTTP header field, such as User-Agent. If you configure a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field.
      You can add the following types of header fields:
      • Custom Header

        If you want to add a custom header, you must configure the following fields: Header Name and Header Value. WAF adds the header field to the back-to-origin requests. This allows the backend service to check whether requests pass through WAF, collect statistics, and analyze data.

        For example, you can use the ALIWAF-TAG: Yes header field to mark the requests that pass through WAF. In this example, ALIWAF-TAG is the name of the header field and Yes is the value of the header field.

      • Originating IP Address

        You can specify a custom header to record the origin IP address of a client. This way, your origin server can obtain the actual IP address of the client. For more information about how WAF obtains the origin IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter.

      • Source Port

        You can configure a custom header to record the source port of a client. This way, your origin server can obtain the actual port of the client.

      Click + Add Mark to add a header field. You can add up to five header fields.

    Parameter: Resource Group
    Operation: Select the resource group to which you want to add the domain name from the drop-down list. If you do not select a resource group, the domain name is added to the default resource group.
    Note You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
  5. Select the ECS instance that you want to add to WAF and click OK.
    After you add the ECS instance to WAF, the ECS instance is displayed on the Protected Objects page in the WAF console. To go to the Protected Objects page, you can click the ECS instance that you added to WAF on the Cloud Native tab of the Website Configuration page. The protected object name of the ECS instance is in the following format: Instance ID-Port-Asset type. Basic protection rules are automatically enabled for the ECS instance. You can also configure protection rules for the ECS instance on the Protected Objects page. For more information, see Protection configuration overview.
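The certificate requirements in step 4 (text-format PEM only, a private key in the Certificate Key field, and a combined file when a certificate chain is involved) are easy to get wrong when copying text between tools. The following Python script is an added example, not code from this documentation or from Alibaba Cloud: it splits PEM text into blocks with strict base64 decoding, rejects binary PFX/P7B input that still needs conversion, combines a server certificate with its intermediates into one Certificate File value, and checks that the Certificate Key text holds exactly one private-key block. The PEM blocks are constructed placeholders whose bodies encode marker strings rather than real certificates, and leaf-first ordering of the combined chain is an assumption of the example.

```python
import base64
import re


# Constructed placeholder PEM blocks (not real certificates or keys): each
# base64 body only encodes a short marker string so the structural checks run.
def _placeholder_block(label: str, payload: bytes) -> str:
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


LEAF_PEM = _placeholder_block("CERTIFICATE", b"constructed leaf certificate placeholder")
INTERMEDIATE_PEM = _placeholder_block("CERTIFICATE", b"constructed intermediate CA placeholder")
KEY_PEM = _placeholder_block("RSA PRIVATE KEY", b"constructed private key placeholder")

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text: str):
    """Return (label, decoded_bytes) for every well-formed PEM block in text.
    Strict base64 decoding rejects bodies that were damaged while copying."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        blocks.append((label, base64.b64decode("".join(body.split()), validate=True)))
    return blocks


def is_pem_text(data: bytes) -> bool:
    """PEM/CER/CRT text starts with a BEGIN line; PFX and P7B files are binary
    and must be converted to PEM before their contents can be pasted."""
    return data.lstrip().startswith(b"-----BEGIN ")


def build_certificate_file(leaf_pem: str, chain_pems=()) -> str:
    """Combine the server certificate with its chain into the single text that
    goes into Certificate File. Each input must hold exactly one CERTIFICATE
    block; leaf-first ordering is an assumption of this example."""
    parts = [leaf_pem, *chain_pems]
    for index, part in enumerate(parts):
        labels = [label for label, _ in pem_blocks(part)]
        if labels != ["CERTIFICATE"]:
            raise ValueError(f"part {index}: expected one CERTIFICATE block, found {labels}")
    return "".join(part if part.endswith("\n") else part + "\n" for part in parts)


def check_certificate_key(key_pem: str) -> str:
    """Validate the Certificate Key text: exactly one private-key block, and
    never a certificate pasted into the key field by mistake."""
    labels = [label for label, _ in pem_blocks(key_pem)]
    if len(labels) != 1 or not labels[0].endswith("PRIVATE KEY"):
        raise ValueError(f"expected one private-key block, found {labels}")
    return labels[0]


if __name__ == "__main__":
    bundle = build_certificate_file(LEAF_PEM, [INTERMEDIATE_PEM])
    print(f"Certificate File holds {len(pem_blocks(bundle))} certificate blocks")
    print(f"Certificate Key holds a {check_certificate_key(KEY_PEM)} block")
```

Run the checks against the real files you intend to paste; a ValueError from either function means the text would fail upload or bind the wrong material, so fix the input rather than the console form.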
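Two of the step 4 parameters decide what the origin server eventually learns about a client: the Layer 7 proxy setting decides which header WAF trusts for the client IP address, and Enable Traffic Mark decides which headers WAF adds to the back-to-origin request. The following Python model is an added example, not WAF code or an Alibaba Cloud API: resolve_client_ip implements the documented selection order (REMOTE_ADDR with no proxy; the first X-Forwarded-For address by default; the configured header fields in sequence with X-Forwarded-For as fallback), and add_traffic_marks models the three mark types, including the overwrite of a standard header such as User-Agent that the page warns about. The request, the addresses and the header names X-Client-IP and X-Origin-Client-* are constructed for the example; falling back to REMOTE_ADDR when X-Forwarded-For is absent or unparsable is an assumption of the example.

```python
import ipaddress


def _first_ip(header_value: str):
    """First syntactically valid IP address in a comma-separated header value."""
    for part in header_value.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            return str(ipaddress.ip_address(part))
        except ValueError:
            continue
    return None


def resolve_client_ip(remote_addr, headers, layer7_proxy=False, header_fields=()):
    """Model of the 'Whether Layer 7 Proxy ... Is Deployed in Front of WAF' setting.

    No proxy: the connecting address (REMOTE_ADDR) is the client.
    Proxy, default option: first IP address in X-Forwarded-For.
    Proxy, recommended option: scan header_fields in order; fall back to
    X-Forwarded-For only if none of them yields an address. Returning
    REMOTE_ADDR when X-Forwarded-For is also unusable is an assumption here."""
    if not layer7_proxy:
        return remote_addr
    lowered = {name.lower(): value for name, value in headers.items()}
    for field in header_fields:
        ip = _first_ip(lowered.get(field.lower(), ""))
        if ip:
            return ip
    return _first_ip(lowered.get("x-forwarded-for", "")) or remote_addr


def add_traffic_marks(headers, client_ip, client_port, marks):
    """Model of Enable Traffic Mark: WAF adds each configured header to the
    back-to-origin request, overwriting any existing header of the same name
    (which is why the page warns against standard names such as User-Agent)."""
    marked = dict(headers)
    for kind, name, value in marks:
        if kind == "custom":
            marked[name] = value
        elif kind == "originating_ip":
            marked[name] = client_ip
        elif kind == "source_port":
            marked[name] = str(client_port)
        else:
            raise ValueError(f"unknown mark type {kind!r}")
    return marked


# Constructed request: the client itself sent a forged X-Forwarded-For value,
# and the trusted Layer 7 proxy in front of WAF recorded the real address in
# X-Client-IP (one of the custom header names the page mentions).
REMOTE_ADDR = "203.0.113.10"   # the proxy's address as seen by WAF (constructed)
REAL_CLIENT = "198.51.100.7"   # address recorded by the trusted proxy (constructed)
FORGED = "10.0.0.1"            # value the client put into X-Forwarded-For itself
REQUEST_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "curl/8.0",
    "X-Forwarded-For": f"{FORGED}, {REAL_CLIENT}",
    "X-Client-IP": REAL_CLIENT,
}

# Hypothetical traffic-mark configuration: one custom header (the page's own
# ALIWAF-TAG: Yes example), one originating-IP header and one source-port header.
MARKS = [
    ("custom", "ALIWAF-TAG", "Yes"),
    ("originating_ip", "X-Origin-Client-IP", None),
    ("source_port", "X-Origin-Client-Port", None),
]


if __name__ == "__main__":
    by_default = resolve_client_ip(REMOTE_ADDR, REQUEST_HEADERS, layer7_proxy=True)
    by_custom = resolve_client_ip(REMOTE_ADDR, REQUEST_HEADERS, layer7_proxy=True,
                                  header_fields=["X-Real-IP", "X-Client-IP"])
    print(f"default X-Forwarded-For option sees: {by_default}")
    print(f"custom header option sees:           {by_custom}")
    for name, value in add_traffic_marks(REQUEST_HEADERS, by_custom, 51234, MARKS).items():
        print(f"  back-to-origin header {name}: {value}")
```

With the default option the first X-Forwarded-For address (the forged one) is taken as the client, whereas the custom-header option returns the address the proxy recorded; on the origin side, the ALIWAF-TAG header and the originating-IP and source-port headers arrive exactly as the mark configuration names them.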