The hybrid cloud mode is a web application protection and management solution that is provided by Alibaba Cloud to protect web services that are deployed outside Alibaba Cloud. If your web services are deployed on third-party clouds and data centers, you can add your web services to Web Application Firewall (WAF) in hybrid cloud mode. This way, you can manage and protect the services in a centralized manner. This topic describes the hybrid cloud mode and how to add web services to WAF in this mode.

Introduction

The hybrid cloud mode uses the protection components of Alibaba Cloud to protect web applications that are deployed on third-party clouds and data centers.

Scenarios

  • The web services that you want to protect have special security requirements and cannot be migrated to a public cloud.
  • The web services that you want to protect in a centralized manner are deployed across Alibaba Cloud, third-party clouds, data centers, and virtual private clouds (VPCs).
  • The web services that you want to protect are latency-sensitive and require high reliability, active geo-redundancy, and centralized protection across multiple network environments.

Benefits

  • Assets on clouds and in data centers and protection policies can be managed in a centralized manner.
  • Web services can be protected by the nearest protection nodes.
  • Protection rules and threat intelligence on clouds can be synchronized in real time.
  • Both Internet-facing services and internal services can be protected.
  • Service traffic can be redirected at the unified access layer and detected in bypass mode. Manual bypass and automatic bypass are supported. This way, service traffic can be detected and the detection results can be returned even if the hybrid cloud cluster fails.

Access modes

Access mode: Reverse proxy mode
  • Description: If you want to add a website to WAF in reverse proxy mode, you must add the domain name or the IP address of the website to WAF and modify the Domain Name System (DNS) record to point the domain name or IP address of the website to the IP address of the hybrid cloud cluster. A hybrid cloud cluster detects all requests on websites that are added to WAF in reverse proxy mode.
  • Scenario: The reverse proxy mode is designed to protect websites whose network architecture may be modified frequently and that do not have large traffic. For example, the reverse proxy mode is suitable for the Internet, retail, government, finance, and media industries.
Access mode: SDK-based traffic mirroring mode
  • Description: In SDK-based traffic mirroring mode, SDKs are deployed on your unified access gateway to allow WAF to detect your service traffic by using traffic mirroring. This way, the hybrid cloud cluster does not forward traffic and traffic forwarding is separated from traffic detection.
  • Scenario: The SDK-based traffic mirroring mode is designed to protect websites that use an NGINX gateway, have large service traffic and strict requirements for low latency and high stability, and are managed by specialized O&M personnel. For example, the SDK-based traffic mirroring mode is suitable for large Internet enterprises and users who have special requirements for traffic forwarding.

Prerequisites

  • Before you add a website to WAF in hybrid cloud mode, join the DingTalk group (group ID: 34657699) to obtain technical support.
  • A subscription WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance.
    Note You cannot add a website to a pay-as-you-go WAF instance in hybrid cloud mode.
  • All resources are prepared. For information about the numbers of servers and load balancers that you must prepare, see Prepare hybrid cloud cluster resources.
    Note A hybrid cloud cluster consists of management, storage, and protection components. To ensure cluster stability, we recommend that you deploy each type of component on different nodes. If a component is deployed on multiple nodes, we recommend that you deploy a load balancer for the nodes.

Step 1: Install the WAF client

WAF client introduction

If you want to deploy hybrid cloud clusters, you must prepare on-premises servers. Before you deploy hybrid cloud clusters, you must install the WAF agent (vagent) on your on-premises servers that you want to use as protection nodes.

vagent provides the following capabilities:
  • Communicates with Alibaba Cloud WAF and pulls the installation and update images of Hybrid Cloud WAF.
  • Monitors and reports the status of hybrid cloud protection components to ensure the availability of WAF.
  • Synchronizes the configurations of your WAF instance in real time, including forwarding configurations, protection rules, and threat intelligence.
vagent can be installed on Linux servers only by running the rpm command. Only the following Linux distributions are supported:
  • 64-bit CentOS 7 and 8
  • Spark 3.10 to 4.10
Note If your server version is not supported, join the DingTalk group (group ID: 34657699) to obtain technical support.

Procedure

  1. Log on to your on-premises server.
  2. Obtain the latest version of vagent and download vagent to your on-premises server.
    You can obtain the latest version of vagent by using the following method: join the DingTalk group (group ID: 34657699) to obtain technical support.
  3. Install vagent.
    1. Run the following command to install vagent on your on-premises server:
      sudo rpm -ivh t-yundun-vagent-xxxxxxx.xxxxx.rpm
      Note Before you run the command, replace xxxxxxx.xxxxx with the version number of vagent that you downloaded.
    2. After the installation is complete, run the following command to view the version number of vagent. Make sure that you use the latest version of vagent.
      rpm -qa | grep vagent
  4. Modify the access configuration of vagent.
    After you install vagent, you must modify the vagent configuration file to enable communication between vagent and Alibaba Cloud WAF. Make sure that the configuration is suitable for the access mode of Hybrid Cloud WAF. Perform the following operations:
    1. Run the following command to open the vagent configuration file:
      sudo vi /home/admin/vagent/conf/vagent.toml
    2. Press the i key to enter the edit mode. Then, modify or add the following content to the configuration file:
      domain="wafopenapi.cn-hangzhou.aliyuncs.com" # The endpoint of Hybrid Cloud WAF. For more information, see Value of the domain parameter.
      access_key_id="yourAccessKeyId" # The AccessKey ID of your Alibaba Cloud account.
      access_key_secret="yourAccessKeySecret" # The AccessKey secret of your Alibaba Cloud account.
      Note The file is in TOML format, so comments must start with a number sign (#). Replace the two placeholder values with your own AccessKey pair.
      Table 1. Value of the domain parameter
      Region of WAF: In the Chinese mainland
      • Internet access (if you select this option, the WAF console allows access from the hybrid cloud cluster only over the Internet): wafopenapi.cn-hangzhou.aliyuncs.com
      • Internal network access by using Express Connect circuits (if you select this option, the WAF console allows access from the hybrid cloud cluster only over an Express Connect circuit; you can select this option only if you have deployed Express Connect): wafopenapi.vpc-proxy.aliyuncs.com
        Note This mode is available only for VPCs that reside in the China (Hangzhou), China (Shanghai), and China (Beijing) regions. If your VPC resides in other regions in the Chinese mainland, join the DingTalk group (group ID: 34657699) to obtain technical support.
      Region of WAF: Outside the Chinese mainland
      • Internet access (if you select this option, the WAF console allows access from the hybrid cloud cluster only over the Internet): wafopenapi.ap-southeast-1.aliyuncs.com
      • Internal network access by using Express Connect circuits (if you select this option, the WAF console allows access from the hybrid cloud cluster only over an Express Connect circuit; you can select this option only if you have deployed Express Connect): wafopenapi-intl.vpc-proxy.aliyuncs.com
        Note If your VPC resides outside the Chinese mainland, join the DingTalk group (group ID: 34657699) to obtain technical support.
    3. Press the ESC key to exit the edit mode.
    4. Enter :wq and press the Enter key to save and exit the edit mode.
  5. Start vagent.
    1. Run the following command to start vagent:
      sudo systemctl start vagent
    2. Run the following command to configure the automatic startup of vagent:
      sudo systemctl enable vagent
      If the configuration is successful, the system displays the following information:
      Created symlink from /etc/systemd/system/multi-user.target.wants/vagent.service 
      to /usr/lib/systemd/system/vagent.service.
    If the startup of vagent fails, you can use one of the following methods to query the logs of vagent for troubleshooting:
    • Run the following command to use the systemd tool to query the logs of vagent:
      sudo journalctl -u vagent
    • Run the following command to use the vagent log file to query the logs of vagent:
      tail /home/admin/vagent/logs/vagent.log
    Run the following command to view the status of vagent or stop vagent:
    • Run the following command to stop vagent:
      sudo systemctl stop vagent
    • Run the following command to view the status of vagent:
      sudo systemctl status vagent
  6. Check whether vagent is installed.
    On a Linux server, run the following command to check whether vagent is installed:
    ps aux | grep AliYunDunWaf
    • If the AliYunDunWaf process appears in the command output, vagent is installed and running on the on-premises server and can communicate with Alibaba Cloud WAF. You can then configure a cluster and add the server to the cluster as an on-premises protection node.
    • If the AliYunDunWaf process does not appear in the command output, check whether you correctly performed the installation steps. Then, reinstall and restart vagent. If the reinstallation fails, join the DingTalk group (group ID: 34657699) to obtain technical support.
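The installation steps above can be scripted. The following is an added example, not code from the page or from vagent: it selects the endpoint from Table 1, renders vagent.toml with TOML-style comments, refuses to write a file that still contains the AccessKey placeholders, creates the file with mode 0600 because it holds the AccessKey secret, and performs the same process check as the ps command in step 6. The config path, the AliYunDunWaf process name and the endpoint values are taken from the page; that vagent reads standard TOML and that the process name appears in its command line are assumptions.

```python
"""Render, check and write the vagent configuration from Step 1.

Added example; it is not part of the page or of vagent. Assumptions: vagent
reads standard TOML (so comments must use '#', not '//'), the config path is
/home/admin/vagent/conf/vagent.toml as on the page, the AliYunDunWaf process
name appears in the command line, and the endpoint values are those in Table 1.
"""
import json
import os
import re
from pathlib import Path

CONFIG_PATH = Path("/home/admin/vagent/conf/vagent.toml")

# Table 1 on the page: (region, access mode) -> value of the domain parameter.
ENDPOINTS = {
    ("cn", "internet"): "wafopenapi.cn-hangzhou.aliyuncs.com",
    ("cn", "express_connect"): "wafopenapi.vpc-proxy.aliyuncs.com",
    ("intl", "internet"): "wafopenapi.ap-southeast-1.aliyuncs.com",
    ("intl", "express_connect"): "wafopenapi-intl.vpc-proxy.aliyuncs.com",
}

# Placeholder values shown on the page; a file that still contains them
# cannot authenticate to WAF, so they are rejected rather than written.
PLACEHOLDERS = {"yourAccessKeyId", "yourAccessKeySecret"}

# key = "basic string", optionally followed by a '#' comment (TOML syntax).
_TOML_LINE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(#.*)?$')


def endpoint_for(region: str, access_mode: str) -> str:
    """Pick the domain value for region ('cn'/'intl') and mode ('internet'/'express_connect')."""
    try:
        return ENDPOINTS[(region, access_mode)]
    except KeyError:
        raise ValueError(f"unsupported region/access mode: {region}/{access_mode}") from None


def render_config(domain: str, access_key_id: str, access_key_secret: str) -> str:
    """Build the three-line vagent.toml; json.dumps yields a valid TOML basic string."""
    for value in (access_key_id, access_key_secret):
        if not value or value in PLACEHOLDERS:
            raise ValueError("replace the AccessKey placeholders before writing the config")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", domain):
        raise ValueError(f"domain is not a hostname: {domain!r}")
    return (
        f"domain={json.dumps(domain)}  # endpoint of Hybrid Cloud WAF (Table 1)\n"
        f"access_key_id={json.dumps(access_key_id)}  # AccessKey ID\n"
        f"access_key_secret={json.dumps(access_key_secret)}  # AccessKey secret\n"
    )


def config_is_valid(content: str) -> bool:
    """True if every non-blank line is TOML-shaped, all keys exist and no placeholder survived."""
    keys = {}
    for line in content.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _TOML_LINE.match(line)
        if not m:  # e.g. a '//' comment, which TOML does not allow
            return False
        keys[m.group(1)] = m.group(2)
    required = {"domain", "access_key_id", "access_key_secret"}
    return required <= keys.keys() and not (PLACEHOLDERS & set(keys.values()))


def write_config(content: str, path: Path = CONFIG_PATH) -> None:
    """Create the file with mode 0600: it contains the AccessKey secret."""
    if not config_is_valid(content):
        raise ValueError("refusing to write an invalid vagent.toml")
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # tighten the mode if the file already existed


def vagent_running() -> bool:
    """Linux equivalent of `ps aux | grep AliYunDunWaf`, without the grep self-match."""
    proc = Path("/proc")
    if not proc.is_dir():
        return False
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            if b"AliYunDunWaf" in (entry / "cmdline").read_bytes():
                return True
        except OSError:  # process exited or is not readable
            continue
    return False


if __name__ == "__main__":
    # Constructed credentials for illustration; use your own AccessKey pair.
    cfg = render_config(endpoint_for("cn", "internet"), "LTAI-example-id", "example-secret")
    write_config(cfg)  # run as a user that may write under /home/admin/vagent
    print("vagent running:", vagent_running())
```

Run the script after installing the rpm and before `systemctl start vagent`; the process check is only meaningful once the service has been started.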

Step 2: Deploy a hybrid cloud cluster

  1. On the Web Application Firewall buy page, select Enable for the Hybrid Cloud Protection parameter and configure the Additional Protection Nodes parameter.
    Note
    • Only subscription WAF instances support the hybrid cloud mode.
    • Each protection cluster has at least two protection nodes. Each node provides protection for up to 5,000 queries per second (QPS) for HTTP requests or up to 3,000 QPS for HTTPS requests. We recommend that you specify the number of protection nodes based on the QPS of the web services that are protected by the hybrid cloud cluster to improve protection capabilities.
  2. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance that you want to manage belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  3. In the left-side navigation pane, choose Systems > Hybrid Cloud Cluster Management.
  4. On the Hybrid Cloud Cluster Management page, click Add.
  5. In the Basic Information Configuration step, configure the parameters and click Next. The following table describes the parameters.
    Cluster Name: Enter a name for the hybrid cloud cluster.
    Cluster Type: Select the type of the hybrid cloud cluster that you want to create. Valid values:
    • Reverse Proxy Mode: If you select this type, WAF serves as a reverse proxy cluster during traffic forwarding and protection.
    • SDK-based Traffic Mirroring Mode: If you select this type, you must deploy SDKs on your unified access gateway to allow WAF to detect your service traffic by using traffic mirroring. This way, the hybrid cloud cluster does not forward traffic.
      If the hybrid cloud cluster is in an abnormal state, you can turn on Enable Bypass State. After you turn on Enable Bypass State, WAF enters the bypass state and no longer protects traffic.
    Important The type of the hybrid cloud cluster cannot be modified after the cluster is created. We recommend that you determine the type of the hybrid cloud cluster before you configure this parameter.
    Protection Nodes: Specify the number of protection nodes for the hybrid cloud cluster.
    Note The value of this parameter cannot be greater than the number of additional protection nodes that you purchased on the Web Application Firewall (Subscription) buy page.
    Server Port: Specify the server ports for the hybrid cloud cluster. Make sure that the server ports include all ports that are used by the web services that you want to protect. When you associate the web services with the hybrid cloud cluster, you can select the ports for the web services only from the ports specified for the cluster.
    • By default, ports 80, 8080, 443, and 8443 are enabled. If you do not have special requirements, you do not need to modify the port settings.
    • If you want to add other ports, enter the ports manually. Press the Enter key each time you enter a port number.
      Important
      • You cannot enter the following ports: 22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, and 4987. Click View the range of ports that are not supported to view the full list of ports that you cannot enter.
      • For security purposes, we recommend that you specify only the ports that are required for your web services.
    Cluster Access Mode: Select the network access mode for the hybrid cloud cluster. Valid values:
    • Internet: If you select this option, the WAF console allows access from the hybrid cloud cluster only over the Internet.
    • Internal Network: If you select this option, the WAF console allows access from the hybrid cloud cluster only over an Express Connect circuit.
      Important You can select Internal Network only if you deployed Express Connect circuits. For more information, see What is Express Connect?
    Remarks: Enter a description for the hybrid cloud cluster.
  6. In the Node Group Configuration step, click Add Node Group. In the Add Node Group dialog box, click Next.
    Note You must create multiple node groups in the cluster before you can add nodes to the node groups. Each node group must have a load balancer to prevent unbalanced services and single points of failure. If you do not have a load balancer, join the DingTalk group (group ID: 34657699) to obtain technical support.
    Node Group Name: Enter a name for the node group.
    Server IP Address for Load Balancing: Enter the public IP address of the load balancer that is associated with the node group.
    Node Group Type: Select the type of the node group. Valid values:
    • Protection: a node group that consists of protection components. You can add multiple Protection node groups to a hybrid cloud cluster for disaster recovery.
    • Management: a node group that consists of management components. You can add multiple Management node groups to a hybrid cloud cluster for disaster recovery.
    • Storage: a node group that consists of storage components. You can add only one Storage node group to a hybrid cloud cluster.
    • Management and Storage: a node group that consists of management components and storage components. You can add only one Management and Storage node group to a hybrid cloud cluster for disaster recovery.
    You must add the node groups in sequence based on the method that you use.
    • Method 1: Add at least three node groups. Add one Storage node group and at least one Management node group and one Protection node group.
    • Method 2: Add at least two node groups. Add one Management and Storage node group and at least one Protection node group.
    Region: If you set the Node Group Type parameter to Protection, you must select the region where the node group is located. If you set the Node Group Type parameter to a different value, you do not need to configure this parameter.
    Remarks: Enter a description for the node group.
  7. In the Initial Node Configuration step, click Add Node, configure the parameters, and then click Save. The following table describes the parameters.
    Server IP Address: Enter the public IP address of the on-premises server.
    Node Name: Enter a name for the node.
    Region: Select the region of the node.
    Server Configuration: The system automatically displays the configuration of the on-premises server.
    Protection Node Group: Select the node group to which you want to add the node.
    • The number of nodes that you can add to the hybrid cloud cluster cannot exceed the number of nodes that you specified for the cluster.
    • We recommend that you add at least two nodes to the Protection node group to allow WAF to implement online active-active disaster recovery.
    After you create a hybrid cloud cluster, you can click Switch Cluster, select a cluster that you want to query, and perform the following operations:
    • In the Basic Information section, view the basic information about the cluster. Click Edit to modify the cluster name, number of protection nodes, service ports, or remarks.
    • Click Node Group Configuration to add or modify a node group. For more information, see Step 6.
    • Click Add Node to add a node. For more information, see Step 7.
    • View the node status of the hybrid cloud cluster.
      • Node Status indicates whether the server is running as expected. The value Normal indicates that the server is running as expected. The value Stopped indicates that the server is shut down.

        If the server is shut down, the node cannot provide protection services. We recommend that you check the cause of the server shutdown and fix the issue at the earliest opportunity.

      • Application Status indicates whether vagent is running as expected on a node. The value Normal indicates that vagent is running as expected. The value Stopped indicates that vagent stopped running.

        If vagent stops running, the node may be unable to provide protection services. We recommend that you log on to the on-premises server, check the installation and running status of vagent, and fix the issue at the earliest opportunity. For more information, see Step 1: Install the WAF client.

Prepare cluster resources

You can select a deployment method based on your business requirements. The numbers of the required servers and load balancers vary based on the deployment method.
Protection scenario: Services that require high stability and powerful protection capabilities
Deployment method: Disaster recovery deployment for protection and management components
Required resources:
  • Default protection capacity: 10,000 QPS for HTTP requests or 6,000 QPS for HTTPS requests. Resources required to provide the default protection capacity: (Recommended) five servers and two load balancers.
  • Beyond the default protection capacity: Add protection nodes based on your business requirements. Each cluster node can handle 5,000 QPS for HTTP requests or 3,000 QPS for HTTPS requests.
Description:
  • Storage component: one server.
  • Management component: two or more servers and one load balancer.
  • Protection component: two or more servers and one load balancer.

Protection scenario: Services that require high stability
Deployment method: Disaster recovery deployment for protection components
Required resources:
  • Default protection capacity: 10,000 QPS for HTTP requests or 6,000 QPS for HTTPS requests. Resources required to provide the default protection capacity: (Recommended) three servers and one load balancer.
  • Beyond the default protection capacity: Add protection nodes based on your business requirements. Each cluster node can handle 5,000 QPS for HTTP requests or 3,000 QPS for HTTPS requests.
Description:
  • Management and storage components: one server.
  • Protection component: two or more servers and one load balancer.

Protection scenario: Proof of concept (POC) tests for basic protection capabilities
Deployment method: Minimum cluster deployment
Required resources:
  • Default protection capacity: 10,000 QPS for HTTP requests or 6,000 QPS for HTTPS requests. Resources required to provide the default protection capacity: two or more servers.
  • Beyond the default protection capacity: Add protection nodes based on your business requirements. Each cluster node can handle 5,000 QPS for HTTP requests or 3,000 QPS for HTTPS requests.
Description:
  • Management and storage components: one server.
  • Protection component: one or more servers.
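The per-node figures in the table above and the node minimums in Step 2 can be turned into a small sizing calculation. The following is an added example, not a tool from the page or from Alibaba Cloud: it computes how many protection nodes, servers and load balancers a deployment method needs for a given HTTP and HTTPS load, including the mixed HTTP/HTTPS case that the table does not spell out. Two assumptions are mine: mixed traffic consumes node capacity additively (an HTTPS request costs 5/3 of an HTTP request), and the optional "tolerate one node loss" setting adds a spare node so that the remaining nodes still carry the full load.

```python
"""Size a hybrid cloud cluster from expected traffic (added example, not from the page).

Figures are the page's: a protection node handles 5,000 HTTP QPS or 3,000 HTTPS
QPS, and each deployment method needs the fixed servers and load balancers in
the table above. Assumptions of this example: mixed traffic uses node capacity
additively, and tolerating one node loss means adding one spare node.
"""
import math

HTTP_QPS_PER_NODE = 5_000
HTTPS_QPS_PER_NODE = 3_000

# Resources other than protection nodes, per deployment method in the table.
DEPLOYMENTS = {
    # storage: 1 server; management: 2 servers + 1 LB; protection: 2+ servers + 1 LB
    "dr_protection_and_management": {"fixed_servers": 3, "fixed_lbs": 1, "protection_lb": 1, "min_nodes": 2},
    # management and storage: 1 server; protection: 2+ servers + 1 LB
    "dr_protection": {"fixed_servers": 1, "fixed_lbs": 0, "protection_lb": 1, "min_nodes": 2},
    # management and storage: 1 server; protection: 1+ servers, no load balancer
    "minimum": {"fixed_servers": 1, "fixed_lbs": 0, "protection_lb": 0, "min_nodes": 1},
}


def node_load(http_qps: float, https_qps: float) -> float:
    """Number of node capacities consumed by the given steady-state traffic."""
    if http_qps < 0 or https_qps < 0:
        raise ValueError("QPS must be non-negative")
    return http_qps / HTTP_QPS_PER_NODE + https_qps / HTTPS_QPS_PER_NODE


def protection_nodes(http_qps: float, https_qps: float, min_nodes: int = 2,
                     tolerate_node_loss: bool = True) -> int:
    """Smallest node count that carries the load, plus one spare if requested."""
    needed = math.ceil(node_load(http_qps, https_qps))
    if tolerate_node_loss:
        needed += 1  # assumption: one spare so the others can absorb a failed node
    return max(min_nodes, needed)


def plan(method: str, http_qps: float, https_qps: float,
         tolerate_node_loss: bool = True) -> dict:
    """Protection nodes, total servers and load balancers for a deployment method."""
    d = DEPLOYMENTS[method]
    nodes = protection_nodes(http_qps, https_qps, d["min_nodes"], tolerate_node_loss)
    return {
        "protection_nodes": nodes,
        "servers": d["fixed_servers"] + nodes,
        "load_balancers": d["fixed_lbs"] + d["protection_lb"],
    }


if __name__ == "__main__":
    # Constructed load: 8,000 HTTP QPS and 4,000 HTTPS QPS at peak.
    for method in DEPLOYMENTS:
        print(method, plan(method, 8_000, 4_000))
```

With tolerate_node_loss set to False the function reproduces the table's defaults (two protection nodes give 10,000 HTTP QPS or 6,000 HTTPS QPS); the number of protection nodes returned is the value to enter for the Protection Nodes parameter in Step 2, and it cannot exceed the additional protection nodes purchased.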

Step 3: Add a website to WAF

Reverse proxy mode

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance that you want to manage belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, click Website Configuration.
  3. On the Hybrid Cloud tab, click Reverse Proxy and then click Add.
  4. In the Configure Listener step of the Add Domain Name wizard, configure the parameters and click Next. The following table describes the parameters.
    Domain Name/IP: Enter the domain name or IP address that you want to protect. Configure the parameter based on the following requirements:
    • You can enter an exact match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com.
      Note
      • If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match aliyundoc.com.
      • WAF does not match the wildcard domain name with domain names at different levels. For example, if you enter *.aliyundoc.com, WAF does not match www.example.aliyundoc.com.
      • WAF automatically matches the wildcard domain name with all domain names at the same level. For example, if you enter *.aliyundoc.com, WAF matches subdomain names such as www.aliyundoc.com and example.aliyundoc.com.
      • If you enter an exact match domain name and a wildcard domain name, the protection rules of the exact match domain name take precedence.
    • You can enter an IP address, such as 192.168.XX.XX.
    Protocol Type: The protocol type and ports that are used by the website. Select HTTP or HTTPS and enter the ports that you want to use to forward traffic. Press the Enter key each time you enter a port number.
    Note The ports that you enter must be within the port range that you specified for the hybrid cloud cluster. If the ports that you want to enter are out of range, modify the port range for the hybrid cloud cluster. For more information, see Step 2: Deploy a hybrid cloud cluster.
    • If you select HTTP, you do not need to configure the Upload Type parameter.
    • If you select HTTPS, you must upload the associated SSL certificate to allow WAF to monitor and protect HTTPS traffic.
      • Upload: Click Upload Certificate and configure the Certificate Name, Certificate File, and Certificate Key parameters. For example, the value of the Certificate File parameter is in the -----BEGIN CERTIFICATE-----...-----END CERTIFICATE----- format, and the value of the Certificate Key parameter is in the -----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY----- format.
        Important
        • If the certificate file is in the PEM format, CER format, or CRT format, you can use a text editor to open the certificate file and copy the text content.
        • If the certificate file is in other formats such as PFX or P7B, you must convert the certificate file to the PEM format before you can use a text editor to open the certificate file and copy the text content. For information about how to convert file formats, see How do I convert an HTTPS certificate to the PEM format?.
        • If a domain name is associated with multiple SSL certificates or a certificate chain, you must combine the text content of the certificate files and upload the combined content.
      • Select Existing Certificate: Select a certificate that you want to upload to WAF from the existing certificate list. The certificate list displays certificates that are issued by using Alibaba Cloud Certificate Management Service and third-party certificates that are uploaded to the Certificate Management Service console.

        You can click Alibaba Cloud Security - Certificate Management Service to go to the Certificate Management Service console to view the existing certificates.

      • Purchase Certificate

        Click Apply to go to the Purchase Certificate page of the Certificate Management Service console to apply for a certificate.

        You can apply only for a paid domain validated (DV) certificate. After you apply for a certificate, the certificate is automatically uploaded to WAF.
        Note If you want to apply for other types of certificates, you must purchase a certificate by using Certificate Management Service. For more information, see Purchase an SSL certificate.
    • After you select HTTPS and upload a certificate, you can perform the following operations based on your business requirements:
      • HTTP2
        If your website supports HTTP/2, select HTTP2 to protect HTTP/2 requests.
        Note HTTP/2 uses the same port as HTTPS.
      • Advanced Settings
        • Enable HTTPS Routing
          By default, this feature is disabled. If you enable this feature, HTTP requests are automatically redirected as HTTPS requests to port 443. This feature improves access security.
          Important You can enable this feature only if HTTP is not selected.
        • TLS Version

          Specify the TLS versions that are supported for HTTPS communication. If a client uses a TLS version that does not meet the requirements, WAF blocks the requests that are sent from the client. A later version of TLS provides higher security but lower compatibility.

          We recommend that you select the TLS version for the traffic for which WAF listens based on the HTTPS settings of your website. If you cannot obtain the HTTPS settings of your website, we recommend that you retain the default value.

          Valid values:
          • TLS 1.0 and Later (Best Compatibility and Low Security). This is the default value.
          • TLS 1.1 and Later (High Compatibility and High Security).

            If you select this value, a client that uses TLS 1.0 cannot access the website.

          • TLS 1.2 and Later (High Compatibility and Best Security)

            If you select this value, a client that uses TLS 1.0 or TLS 1.1 cannot access the website.

          If your website supports TLS 1.3, select Support TLS 1.3. By default, WAF does not listen for traffic that is sent by using TLS 1.3.
        • Cipher Suite

          Specify the cipher suites that are supported for HTTPS communication. If a client uses cipher suites that do not meet the requirements, WAF blocks the requests that are from the client.

          The default value is All Cipher Suites (High Compatibility and Low Security). We recommend that you modify this parameter only if your website supports only specific cipher suites.

          Valid values:
          • All Cipher Suites (High Compatibility and Low Security).
          • Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.): If your website supports only specific cipher suites, select this value. Then, select the cipher suites that are supported by your website from the drop-down list. For more information, see View supported cipher suites.

            The clients that use other cipher suites cannot access the website.

    Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF: Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN.
    • If no Layer 7 proxies are deployed in front of WAF, select No.
      By default, No is selected. This value indicates that WAF receives requests directly from clients. The requests are not forwarded by a proxy.
      Note WAF uses the IP address that is used to establish connections to WAF as the actual IP address of a client. WAF obtains the actual IP address from the REMOTE_ADDR field of a request.
    • If a Layer 7 proxy is deployed in front of WAF, select Yes.

      If you select Yes, WAF receives requests from other Layer 7 proxies. To ensure that WAF can obtain the actual IP address of a client for security analysis, you must configure the Obtain Actual IP Address of Client parameter.

      Valid values:
      • Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client: This is the default value.

        By default, WAF uses the first IP address in the X-Forwarded-For field as the actual IP address of a client.

      • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery.
        If you use proxies that contain the actual IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, specify the custom header field in the Header Field field.
        Note We recommend that you use custom header fields to store the actual IP addresses of clients and configure the header fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF protection rules. This helps improve the security of your business.

        You can enter multiple header fields. Press the Enter key each time you enter a header field. If you enter multiple header fields, WAF attempts to obtain the actual IP address of a client from the fields in sequence. WAF scans the header fields in sequence until the actual IP address of the client is obtained. If WAF cannot obtain the originating IP address of the client from header fields, WAF uses the first IP address in the X-Forwarded-For field as the originating IP address of the client.

  5. In the Configure Forwarding Rule step, configure the parameters and click Submit. The following table describes the parameters.
    Node Settings: Select a node group from the Protected Node Group drop-down list and add the origin server address that you want to add to the protection node group. The origin server address is the IP address of the origin server of the website. The origin server address is used to receive the back-to-origin requests that are forwarded by WAF. Valid values:
    • IP
      • You can enter multiple IP addresses. Press the Enter key each time you enter an IP address. You can enter up to 20 origin IP addresses.
        Note If you enter multiple origin IP addresses, WAF automatically distributes workloads across the origin IP addresses.
      • You can enter IPv4 addresses, IPv6 addresses, or both.
        • If you enter IPv4 addresses and IPv6 addresses, WAF forwards requests that are sent from IPv6 addresses to origin servers that use IPv6 addresses and requests that are sent from IPv4 addresses to origin servers that use IPv4 addresses.
        • If you enter only IPv4 addresses, WAF forwards all requests to the origin server over IPv4.
        • If you enter only IPv6 addresses, WAF forwards all requests to the origin server over IPv6.
    • Domain Name (Such as CNAME)

      If you select Domain Name (Such as CNAME), the domain name can be resolved only to an IPv4 address. WAF forwards back-to-origin requests to the IPv4 address.

    If your website is deployed on multiple protection nodes, you can click + Add Protection Node to add the protection nodes to WAF.

    Public Cloud Disaster Recovery: After you enable this feature, service traffic can be redirected to a public cloud cluster for disaster recovery. When the hybrid cloud cluster fails, the domain name is resolved to the CNAME that is provided by the public cloud cluster for disaster recovery. This way, traffic is redirected to the public cloud cluster and then forwarded to the origin server. If you enable Public Cloud Disaster Recovery, you must configure the Origin Server Address parameter. The configuration requirements of the origin server address are the same as the requirements that are described for the Node Settings parameter. For more information, see Origin server address.
    Load Balancing Algorithm If multiple origin server addresses are specified, select the load balancing algorithm for WAF to forward back-to-origin requests to the origin servers. Valid values:
    • IP hash (default)
      Requests that are sent from a specific IP address are forwarded to the same origin server.
      Important If you select IP hash but the IP addresses of origin servers are not distributed among different CIDR blocks, workloads may be unbalanced.
    • Round-robin

      All requests are distributed to origin servers in turn.

    Advanced HTTPS Settings
    • Enable HTTP Routing

      If you enable this feature, WAF forwards back-to-origin requests over HTTP, by default to port 80, regardless of whether the client connected to WAF on port 80 or port 443. This lets WAF terminate HTTPS on behalf of the origin server: clients access your website over HTTPS, and WAF decrypts the traffic and forwards it to the origin server as plain HTTP. The origin server needs no certificate and no HTTPS configuration, which reduces its workload. Keep in mind that the path between the WAF node and the origin server then carries plaintext, so use this option only where that network path is trusted.

      Important If the origin server for the domain name does not support HTTPS, turn on Enable HTTP Routing.
    • Origin SNI

      Server Name Indication (SNI) is the domain name that WAF sends at the start of the TLS handshake to tell the origin server which site it wants to reach. If the origin server hosts multiple domain names on one IP address and selects the certificate based on SNI, you must enable this feature.

      After you select Origin SNI, you can configure the SNI field. Valid values:
      • Use Domain Name in Host Header (default)

        This value specifies that the value of the SNI field in WAF back-to-origin requests is the same as the value of the Host header field.

        For example, if the domain name that you configured is *.aliyundoc.com and the client requests the www.aliyundoc.com domain name, the value of the SNI field in WAF back-to-origin requests is www.aliyundoc.com. The www.aliyundoc.com domain name is the value of the Host header field.

      • Custom

        This value specifies that you can enter a custom value for the SNI field in WAF back-to-origin requests.

        If you want WAF to use an SNI field whose value is different from the value of the Host header field in back-to-origin requests, you must specify a custom value for the SNI field.

    Other Advanced Settings
    • Enable Traffic Mark
      WAF adds the custom header fields that you specify to back-to-origin requests, or overwrites them if they are already present. If you select Enable Traffic Mark, you must add at least one custom header field.
      Important We recommend that you do not use the name of a standard HTTP header field, such as User-Agent, for a custom header. If you do, WAF overwrites the value of the standard header field with the value that you specify.
      You can add the following types of header fields:
      • Custom Header: If you want to add a header field of this type, you must configure the Header Name field and the Header Value field. WAF adds the header field to the back-to-origin requests. This helps the backend service identify whether requests pass through WAF, collect statistics, and analyze data.

        For example, you can use the ALIWAF-TAG: Yes header field to mark the requests that pass through WAF. In this example, ALIWAF-TAG is the header field name and Yes is the header field value.

      • Originating IP Address: You can configure a custom header to record the originating IP address of a client. This way, your origin server can obtain the originating IP address of the client. For information about how WAF obtains the IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter.
      • Source Port: You can configure a custom header to record the source port of a client. This way, your origin server can obtain the actual port of the client.

      Click + Add Mark to add a header field. You can add up to five header fields.

    • Specify the timeout periods for requests that WAF forwards to the origin server.
      • Connection Timeout Period: the maximum time that WAF waits to establish a connection to the origin server. Valid values: 5 to 120. Unit: seconds. Default value: 5.
      • Read Connection Timeout Period: the maximum time that WAF waits for a response from the origin server. Valid values: 5 to 1800. Unit: seconds. Default value: 120.
      • Write Connection Timeout Period: the maximum time that WAF waits to finish sending a request to the origin server. Valid values: 5 to 1800. Unit: seconds. Default value: 120.
    • Retry Back-to-origin Requests

      If you enable this feature, WAF retries forwarding a request to the origin server up to three times when the first attempt fails. If you do not enable this feature, WAF forwards each request to the origin server only once.

    • Back-to-origin Keep-alive Requests
      If you enable this feature, you must configure the following parameters:
      • Reused Keep-alive Requests: the maximum number of requests that can be sent over one keep-alive connection before WAF closes it. Valid values: 60 to 1000. Default value: 1000.
      • Timeout Period of Idle Keep-alive Requests: the time that an idle keep-alive connection is kept open before WAF closes it. Valid values: 1 to 60. Unit: seconds. Default value: 15.
      Note If you do not enable this feature, WebSocket is not supported for back-to-origin requests.
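    The traffic marks described under Enable Traffic Mark only help if the origin server actually checks them. The following origin-side check is an added example and is not Alibaba Cloud code. It assumes that the back-to-origin source ranges of the protection node group are known (the constructed WAF_NODE_CIDRS below), that the mark is the page's ALIWAF-TAG: Yes, and that the Originating IP Address and Source Port marks are carried in custom headers named X-Client-IP and X-Client-Port; those two header names are chosen here for illustration. The important design point is the order of checks: every header, including the mark itself, can be forged by a client that reaches the origin server directly, so the headers are trusted only when the TCP peer is a WAF node.

```python
"""Origin-side verification of WAF traffic marks (added example, not Alibaba Cloud code)."""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example: back-to-origin source ranges of the protection node group.
# Replace with the real node group addresses shown in the WAF console.
WAF_NODE_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

MARK_HEADER = "ALIWAF-TAG"            # Custom Header name from the page's example
MARK_VALUE = "Yes"                    # its value
CLIENT_IP_HEADER = "X-Client-IP"      # Originating IP Address mark (assumed name)
CLIENT_PORT_HEADER = "X-Client-Port"  # Source Port mark (assumed name)


@dataclass
class Verdict:
    accepted: bool
    reason: str
    client_ip: Optional[str] = None
    client_port: Optional[int] = None


def from_waf_node(peer_ip: str) -> bool:
    """True if the TCP peer address belongs to a known WAF protection node."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in WAF_NODE_CIDRS)


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; header names are case-insensitive in HTTP."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def check_request(peer_ip: str, headers: Dict[str, str]) -> Verdict:
    """Decide whether a request came through WAF and recover the real client address.

    The peer address is checked before any header is read: a client that can
    reach the origin directly can set ALIWAF-TAG and X-Client-IP to anything,
    so those headers mean nothing unless the request arrived from a WAF node.
    """
    if not from_waf_node(peer_ip):
        return Verdict(False, "peer is not a WAF protection node")

    mark = get_header(headers, MARK_HEADER)
    # Constant-time comparison; only matters if you choose a secret-like mark value.
    if mark is None or not hmac.compare_digest(mark.encode(), MARK_VALUE.encode()):
        return Verdict(False, "traffic mark missing or wrong")

    ip_raw = get_header(headers, CLIENT_IP_HEADER) or ""
    try:
        client_ip = str(ipaddress.ip_address(ip_raw.strip()))
    except ValueError:
        return Verdict(False, "originating IP header missing or malformed")

    port_raw = get_header(headers, CLIENT_PORT_HEADER) or ""
    try:
        client_port = int(port_raw.strip())
    except ValueError:
        client_port = 0
    if not 1 <= client_port <= 65535:
        return Verdict(False, "source port header missing or malformed")

    return Verdict(True, "request came through WAF", client_ip, client_port)


if __name__ == "__main__":
    # Constructed requests: one through WAF, one sent straight to the origin.
    via_waf = check_request("203.0.113.10", {"ALIWAF-TAG": "Yes",
                                             "X-Client-IP": "198.51.100.7",
                                             "X-Client-Port": "51234"})
    direct = check_request("198.51.100.7", {"ALIWAF-TAG": "Yes",
                                            "X-Client-IP": "10.0.0.1",
                                            "X-Client-Port": "1"})
    print(via_waf)
    print(direct)
```

    Wire `check_request` into the origin application with the TCP peer address from the server (not from any header), and use the returned `client_ip` and `client_port` for logging and access control. Rejected requests that carry a valid-looking mark from a non-WAF peer are worth alerting on: they indicate that the origin server is reachable without passing through WAF.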
  6. Modify the DNS record of a domain name
    Important
    • Before you modify the DNS record, make sure that the forwarding configurations for your website take effect. If you modify the DNS record before the forwarding configurations for your website take effect, service interruptions may occur. For more information, see Verify domain name settings.
    • When you add a domain name to WAF in reverse proxy mode, you must modify the DNS record. When you add an IP address to WAF in reverse proxy mode, skip this step.
    1. Modify the DNS A record of the domain name to point the domain name to the IP address of the node group.
    2. If you enabled Public Cloud Disaster Recovery in Step 5, also modify the DNS CNAME record to point the domain name to the CNAME of the public cloud cluster.
      Note If you use Alibaba Cloud DNS, log on to the Alibaba Cloud DNS console and modify the DNS A record and DNS CNAME record of the domain name. For more information, see Change the DNS record of a domain name.

    After you add a domain name or IP address to WAF in hybrid cloud mode, the domain name or IP address is added as a protected object. Basic protection rules are enabled for the protected objects by default. In the left-side navigation pane, choose Protection Configuration > Protected Objects to go to the Protected Objects page. On the Protected Objects page, you can view the automatically added protected objects and configure protection rules for the protected objects. For more information, see Protection configuration overview.

SDK-based traffic mirroring mode

In SDK-based traffic mirroring mode, SDKs are deployed on your unified access gateway to mirror service traffic to WAF for detection. This way, traffic forwarding is separated from traffic detection. If you want to add a website to WAF in SDK-based traffic mirroring mode, join the DingTalk group (group ID: 34657699) to obtain technical support.

After you deploy SDKs and hybrid cloud clusters, you can perform the following operations:
  • View the forwarding nodes on which the SDKs are deployed
    1. Log on to the WAF 3.0 console.
    2. In the left-side navigation pane, click Website Configuration.
    3. On the Hybrid Cloud tab, click SDK-based Traffic Mirroring.

      You can view the IP addresses of the forwarding nodes on which the SDKs are deployed and the corresponding hybrid cloud clusters and protection node groups. You can also view the status of the forwarding nodes.

  • Add a protected object

    After you add a website to WAF in SDK-based traffic mirroring mode, the domain name of the website is not automatically added as a protected object. You must manually add the domain name or URL of the website as a protected object on the Protected Objects page in the WAF console. For more information, see Protected objects and protected object groups.

  • Configure protection rules for a protected object

    After you add a protected object, you must configure protection rules for the protected object. For more information, see Protection configuration overview.