This topic provides answers to frequently asked questions about adding a website to Web Application Firewall (WAF) in transparent proxy mode.

Can a domain name be added to WAF in both Canonical Name (CNAME) record mode and transparent proxy mode?

No. You can choose only one access mode to add a domain name to WAF. If you want to add a domain name to WAF in transparent proxy mode but the domain name has been added in CNAME record mode, you must delete the CNAME record configurations of the domain name before you add it to WAF in transparent proxy mode.

Warning If this is the first time you add a website in transparent proxy mode, the web services of the website may be disconnected for a few seconds. The connection is restored automatically and no action is required on your side.

What do I do if a domain name that has been added to WAF no longer requires the protection of WAF?

If you are sure that the domain name no longer requires the protection of WAF, click the Servers tab on the Website Access page, find the origin server on which the domain name is hosted, and disable traffic redirection for the ports on which traffic is redirected to WAF. For more information, see the "Step 2: View server information" section of Adding a website in transparent proxy mode. After you disable traffic redirection, requests destined for the domain name are no longer forwarded to WAF. Keep in mind that traffic redirection is configured per port, not per domain name: disabling it on a port also stops WAF from inspecting every other domain name that is served on that port of the same origin server.

Can the origin server of a domain name obtain the actual client IP addresses after the domain name is added to WAF in transparent proxy mode?

Yes. After a domain name is added to WAF in transparent proxy mode, the source IP address of each request that reaches the origin server is the actual client IP address. WAF does not replace it with an address from its back-to-origin CIDR blocks, so the origin server does not need to recover the client IP address from proxy headers.

If the SSL certificate bound to a port is updated, do I need to re-upload the certificate in the WAF console?

It depends on the type of the origin server.
  • If the origin server is an Application Load Balancer (ALB) instance or a Layer 7 Server Load Balancer (SLB) instance, you do not need to re-upload the certificate in the WAF console. Update the certificate on the listener in the SLB or ALB console, and the updated certificate is synchronized to WAF automatically.
  • If the origin server is a Layer 4 SLB instance or an Elastic Compute Service (ECS) instance, WAF terminates TLS with its own copy of the certificate, so you must re-upload the updated certificate in the WAF console. Until you do, WAF keeps serving the old certificate on that port.

If a domain name is hosted on multiple SLB instances, how can I add the domain name to WAF in transparent proxy mode?

You must add the HTTP/HTTPS service ports of all the SLB instances when you configure traffic redirection ports for the domain name. This way, traffic on the ports of every SLB instance is redirected to WAF.

If you add the HTTP/HTTPS service port of only one SLB instance, only traffic on that port is forwarded to and protected by WAF. Traffic that reaches the other SLB instances bypasses WAF entirely, even though it is destined for the same domain name.

When multiple domain names are hosted on an SLB instance, what happens if I add only one of the domain names to WAF in transparent proxy mode?

The other domain names hosted on the SLB instance are also protected by WAF, but only by the default protection rules, including Protection Rules Engine and HTTP Flood Protection. WAF detects and blocks attack traffic that is destined for these domain names; domain-specific settings that you configure for the added domain name do not apply to them.

Notice In transparent proxy mode, the traffic that WAF protects is determined only by the traffic redirection ports configured for the ECS, SLB, or ALB instances, not by the domain names you add. If multiple domain names are hosted on your SLB instance and they provide services through the same port (for example, HTTPS port 443), configure HTTPS port 443 as the traffic redirection port when you add one of the domain names to WAF in transparent proxy mode. This way, all the traffic on the port is protected by WAF. For more information, see Step 1: Add the domain name.

Why am I unable to find the Layer 7 SLB instance that I want to add to WAF in transparent proxy mode?

Transparent proxy mode has several limits. For more information, see Add a website in transparent proxy mode.

When you add an SLB instance to WAF in transparent proxy mode, you may be unable to find the Internet-facing SLB instance that you want to add to WAF on the Layer 7 SLB-based Domains tab on the Add Domain Name page or fail to add the instance to WAF due to the following reasons:
Reason: The region of your Internet-facing SLB instance is not supported by transparent proxy mode.
Description: Only Internet-facing SLB instances and ECS instances that reside in the following regions can be added to WAF in transparent proxy mode: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Hong Kong), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).
Solution:
  • Select Chinese mainland as the region of your WAF instance if your Internet-facing SLB instance or ECS instance resides in one of the following regions: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), or China (Shenzhen).
  • Select Outside the Chinese mainland as the region of your WAF instance if your Internet-facing SLB instance or ECS instance resides in one of the following regions: China (Hong Kong), Malaysia (Kuala Lumpur), or Indonesia (Jakarta).

Reason: The Internet-facing SLB instance uses an IPv6 address.
Description: IPv6 Internet-facing SLB instances do not support transparent proxy mode.
Solution: Add an IPv4 Internet-facing SLB instance to WAF.

Reason: No listener is configured for the Internet-facing SLB instance.
Description: SLB instances without a listening port cannot be added to WAF.
Solution: Add a listening port for the SLB instance in the SLB console.

Reason: The Internet-facing SLB instance cannot be added to WAF due to network architecture limits.
Description: Currently, only SLB instances without network architecture limits can be added to WAF.
Solution: You can add Internal-facing SLB instances that are associated with EIPs or newly purchased Internal-facing SLB instances to WAF.

Reason: The SSL certificate for the port of the Layer 7 Internet-facing SLB instance that you want to add to WAF is not uploaded to the Alibaba Cloud SSL Certificates Service console.
Description: When you add Layer 7 Internet-facing SLB instances to WAF in transparent proxy mode, the certificates for HTTPS ports must be in Alibaba Cloud SSL Certificates Service. Otherwise, the certificates cannot be synchronized to WAF and the instances cannot be added.
Solution: Upload the certificate for the HTTPS port of your Layer 7 Internet-facing SLB instance to the SSL Certificates Service console.

Reason: Mutual authentication is enabled on the listening port of the Internet-facing SLB instance when you enable traffic redirection for the port.
Description: Currently, Internet-facing SLB instances with HTTPS mutual authentication cannot be added to WAF.
Solution: Disable mutual authentication in the SLB console and then add the instance to WAF in the Web Application Firewall console. Disabling mutual authentication removes client-certificate verification on that listener, so confirm that the services behind it do not depend on it before you proceed.

Reason: The Internet-facing SLB instance is a newly purchased instance.
Description: Newly purchased SLB instances may not yet appear on the Layer 7 SLB-based Domains tab of the Add Domain Name page because of data latency.
Solution: After you purchase an SLB instance, wait one to three minutes and refresh the Web Application Firewall console before you add the instance to WAF.

Reason: The SLB instance port that you want to specify is not supported by the current edition of WAF.
Description: Subscription WAF instances of the Pro, Business, and Enterprise editions support transparent proxy mode. If the port that you specify is not supported by your edition, you cannot save the configuration on the Layer 7 SLB-based Domains tab of the Add Domain Name page.
Solution: Specify ports that are supported by the current WAF edition.
Note In transparent proxy mode, the ports that you can specify vary based on the edition of the WAF instance. WAF instances of the Enterprise edition allow you to specify any non-standard port. For the ports that are supported by other editions, click View Allowed Port Range on the Layer 7 SLB-based Domains tab.
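The following Python script is an added example for this FAQ; it is not Alibaba Cloud code and makes no call to any Alibaba Cloud API. It encodes the preflight conditions from the table above, together with the port-coverage rule from the earlier questions about a domain name on multiple SLB instances and multiple domain names on one port, so that you can check an inventory before clicking through the console. The listener inventory, the instance IDs lb-a and lb-b, the domain names, and the allowed port set (which stands in for the range shown by View Allowed Port Range) are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Regions the FAQ lists as supported, grouped by the WAF instance region you must select.
MAINLAND_REGIONS = {"China (Chengdu)", "China (Beijing)", "China (Zhangjiakou)",
                    "China (Hangzhou)", "China (Shanghai)", "China (Shenzhen)"}
OUTSIDE_MAINLAND_REGIONS = {"China (Hong Kong)", "Malaysia (Kuala Lumpur)", "Indonesia (Jakarta)"}
WEB_PROTOCOLS = ("HTTP", "HTTPS")


@dataclass
class Listener:
    port: int
    protocol: str                      # "HTTP", "HTTPS", "TCP" or "UDP"
    cert_in_ssl_service: bool = True   # HTTPS certificate uploaded to SSL Certificates Service
    mutual_auth: bool = False          # HTTPS mutual authentication enabled on the listener


@dataclass
class SlbInstance:
    instance_id: str                   # hypothetical IDs in this example, not real instance IDs
    region: str
    ip_version: str = "ipv4"
    listeners: List[Listener] = field(default_factory=list)
    hosted_domains: Set[str] = field(default_factory=set)


def preflight(inst: SlbInstance, waf_region: str, allowed_ports: Optional[Set[int]]) -> List[str]:
    """Return the reasons from the FAQ table that would stop this instance from being added.
    allowed_ports=None models the Enterprise edition, which allows any port."""
    problems: List[str] = []
    if inst.region in MAINLAND_REGIONS:
        expected = "Chinese mainland"
    elif inst.region in OUTSIDE_MAINLAND_REGIONS:
        expected = "Outside the Chinese mainland"
    else:
        expected = None
        problems.append(f"region {inst.region} is not supported by transparent proxy mode")
    if expected and waf_region != expected:
        problems.append(f"WAF instance region must be '{expected}' for an SLB instance in {inst.region}")
    if inst.ip_version != "ipv4":
        problems.append("IPv6 Internet-facing SLB instances are not supported; add an IPv4 instance")
    if not inst.listeners:
        problems.append("no listener configured; add a listening port in the SLB console")
    for lst in inst.listeners:
        if lst.protocol == "HTTPS" and not lst.cert_in_ssl_service:
            problems.append(f"port {lst.port}: HTTPS certificate is not in SSL Certificates Service")
        if lst.protocol == "HTTPS" and lst.mutual_auth:
            problems.append(f"port {lst.port}: mutual authentication enabled; disabling it removes "
                            "client-certificate checks on this listener, so confirm that is acceptable")
        if lst.protocol in WEB_PROTOCOLS and allowed_ports is not None and lst.port not in allowed_ports:
            problems.append(f"port {lst.port}: outside the allowed port range of this WAF edition")
    return problems


def coverage(instances: List[SlbInstance], redirected: Dict[str, Set[int]]
             ) -> Tuple[List[Tuple[str, int]], Dict[Tuple[str, int], List[str]]]:
    """Given the redirection ports already configured per instance, return
    (a) the HTTP/HTTPS listener ports that still bypass WAF, and
    (b) for each redirected port, every domain name on that instance that now passes
    through WAF, whether or not it was added to WAF explicitly (redirection is per port)."""
    bypassing: List[Tuple[str, int]] = []
    swept_in: Dict[Tuple[str, int], List[str]] = {}
    for inst in instances:
        ports = redirected.get(inst.instance_id, set())
        for lst in inst.listeners:
            if lst.protocol not in WEB_PROTOCOLS:
                continue
            if lst.port in ports:
                swept_in[(inst.instance_id, lst.port)] = sorted(inst.hosted_domains)
            else:
                bypassing.append((inst.instance_id, lst.port))
    return bypassing, swept_in


# Constructed inventory: www.example.com is served by two SLB instances; lb-a also hosts
# api.example.com on the same HTTPS listener. Only lb-a:443 has been redirected so far.
LB_A = SlbInstance("lb-a", "China (Hangzhou)",
                   listeners=[Listener(80, "HTTP"), Listener(443, "HTTPS")],
                   hosted_domains={"www.example.com", "api.example.com"})
LB_B = SlbInstance("lb-b", "China (Hangzhou)",
                   listeners=[Listener(443, "HTTPS", mutual_auth=True)],
                   hosted_domains={"www.example.com"})
REDIRECTED = {"lb-a": {443}}

if __name__ == "__main__":
    for inst in (LB_A, LB_B):
        print(inst.instance_id, preflight(inst, "Chinese mainland", {80, 443, 8443}) or ["ok"])
    print(coverage([LB_A, LB_B], REDIRECTED))
```

Running it with the constructed inventory reports that lb-a passes preflight, that lb-b is blocked by mutual authentication on port 443, that lb-a:80 and lb-b:443 still carry www.example.com traffic around WAF, and that redirecting lb-a:443 also sends api.example.com through WAF even though it was never added.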

Can Internal-facing SLB instances that are associated with EIPs be added to WAF in transparent proxy mode?

Yes.