Enable the web application firewall (WAF 3.0) to protect your public-facing website from web attacks. This mode requires no changes to your network architecture. Simply add your website's domain to WAF and update your DNS records to route traffic through WAF. WAF then inspects and filters the traffic, forwarding legitimate requests to your origin server. This mode is ideal for any public-facing website deployed on a cloud provider or in an on-premises data center.
How it works
CNAME-based access uses DNS resolution for traffic scheduling. You achieve this by changing your domain's DNS record to point to the CNAME target provided by WAF, which forwards all public traffic through WAF for inspection.
Origin server: The server that hosts your website. If a load balancer (such as Application Load Balancer (ALB), Classic Load Balancer (CLB), or Network Load Balancer (NLB)) or a NAT Gateway is deployed in front of the server, the origin server is the next-hop device that receives traffic from WAF.
Back-to-origin: After WAF completes its security inspection, it forwards legitimate traffic to your origin server. WAF sends these back-to-origin requests from its public IP address ranges. You must add these IP address ranges to the allowlist of your origin server's firewall or security group to ensure this traffic is delivered.
WAF has 11 protection nodes in China (Beijing), China (Hangzhou), China (Shenzhen), China (Hong Kong), Singapore, Malaysia (Kuala Lumpur), US (Silicon Valley), Germany (Frankfurt), Indonesia (Jakarta), UAE (Dubai), and Japan (Tokyo). When your service is protected by the public cluster, WAF automatically routes your traffic to the optimal protection node based on your origin server's geolocation.
Prerequisites
Ensure you meet the following requirements:
Domain ownership: You must be able to modify your domain name's DNS records.
SSL certificate: To protect HTTPS traffic, you must have an SSL certificate for your domain name.
ICP filing: If your server is located in the Chinese mainland, your domain name must have an ICP filing. For more information, see How do I check the ICP filing information for a domain name?
Quick start
Log on to the Web Application Firewall 3.0 console. In the top menu bar, select the resource group and region of the WAF instance (Chinese Mainland or Outside Chinese Mainland). In the left navigation bar, click Onboarding, and then on the CNAME Record tab, click Add.
Step 1: configure listener
Enter the single Domain Name to protect. The domain can be an exact domain name (such as www.aliyundoc.com) or a wildcard domain name (such as *.aliyundoc.com). Wildcard domain name matching rules:
A wildcard can match only subdomains at the same level. For example, *.aliyundoc.com matches www.aliyundoc.com and example.aliyundoc.com, but not www.example.aliyundoc.com.
When a wildcard is applied to a second-level domain name such as *.aliyundoc.com, it also matches the second-level domain name itself, aliyundoc.com.
When a wildcard is applied to a third-level domain name such as *.example.aliyundoc.com, it does not match the third-level domain name itself, example.aliyundoc.com.
Priority rule: If a request matches both an exact and a wildcard domain name, the rules for the exact domain name take precedence.
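The following Python snippet is an added example, not part of the WAF product or its documentation. It models the wildcard and priority rules above so you can check which configured entry a given request Host falls under before you onboard the domain; the function names are hypothetical.

```python
# Added example (not from the WAF documentation): a model of the wildcard
# matching and priority rules described above, usable for checking which
# WAF domain entry a given request Host will fall under.
from typing import Optional


def wildcard_matches(pattern: str, host: str) -> bool:
    """Return True if `host` is covered by the WAF domain entry `pattern`.

    Rules modelled from the text:
    - "*." stands for exactly one label, so *.aliyundoc.com covers
      www.aliyundoc.com but not www.example.aliyundoc.com.
    - A wildcard on a second-level name (*.aliyundoc.com) also covers the
      second-level name itself (aliyundoc.com).
    - A wildcard on a third-level or deeper name (*.example.aliyundoc.com)
      does not cover example.aliyundoc.com itself.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host            # exact entry: exact match only
    base_labels = pattern[2:].split(".")  # "aliyundoc.com" -> ["aliyundoc", "com"]
    host_labels = host.split(".")
    if host_labels == base_labels:
        # The bare base name is covered only when the wildcard sits on a
        # second-level domain.
        return len(base_labels) == 2
    return (len(host_labels) == len(base_labels) + 1
            and host_labels[1:] == base_labels)


def select_domain(configured: list[str], host: str) -> Optional[str]:
    """Return the configured entry whose protection rules apply to `host`.

    Exact entries take precedence over wildcard entries. Because a wildcard
    matches only one level, at most one wildcard entry can cover a host, so
    no further tie-breaking is needed. Returns None if nothing covers the host.
    """
    for entry in configured:
        if not entry.startswith("*.") and wildcard_matches(entry, host):
            return entry
    for entry in configured:
        if entry.startswith("*.") and wildcard_matches(entry, host):
            return entry
    return None
```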
You must complete ownership verification to confirm that you own the domain name. If the system prompts you to verify ownership after you enter the domain name, choose one of the following methods.
DNS validation (recommended): Manually add the TXT record provided by WAF at your domain's DNS provider.
File validation: Upload the verification file provided by WAF to a specified root directory on your origin server. You must have permission to access the origin server and configure a security group policy that allows access from all IP addresses. This ensures that WAF can access the verification file from the internet.
DNS validation
In the verification prompt area, click the Method 1: DNS Record tab.
At your DNS provider, add a TXT record by using the Record Type, Hostname, and Record Value provided in the WAF console.
If you use Alibaba Cloud DNS, follow these steps. If you use a different DNS provider, follow the procedures for their system.
Wait for the TXT record to take effect. A new TXT record takes effect immediately. If you modify an existing TXT record, the modification typically takes about 10 minutes to take effect. The exact time depends on the TTL (Time to Live) that is configured in your domain's DNS settings. The default TTL is 10 minutes.
Return to the WAF console and click Verify.
If Verification successful is displayed, your domain ownership is verified.
If Verification failed is displayed, perform the following steps to troubleshoot the issue:
Check the TXT record: Ensure the hostname and record value match the information in the WAF console. If they do not match, delete the incorrect record, add the record again, and then run the verification again.
Wait for the DNS record to take effect: A DNS record may not take effect immediately after it is configured. The time it takes for the record to take effect depends on the TTL set on the domain name server. Wait 10 minutes and then verify again.
Change the verification method: If the verification fails multiple times, we recommend that you use Method 2: File Validation.
File validation
In the verification prompt area, click the Method 2: Verification File tab.
Click the link to download the verification file.
Important: The verification file is valid for three days after you download it. If you do not complete the file validation within this period, you must download the file again.
Do not modify the verification file. For example, do not edit or rename the file.
WAF accesses the origin server based on the protocol type that you select. Ensure your origin server's security group or firewall rules allow the corresponding traffic:
If you select HTTP, allow inbound TCP traffic on port 80 from 0.0.0.0/0.
If you select HTTPS, allow inbound TCP traffic on port 443 from 0.0.0.0/0.
Upload the verification file to the root directory of your website on the origin server. The origin server can be an ECS (Elastic Compute Service) instance, an OSS (Object Storage Service) bucket, a CVM (Cloud Virtual Machine) instance, a COS (Cloud Object Storage) bucket, or an EC2 (Elastic Compute Cloud) instance.
Note: If you add a wildcard domain name such as *.aliyun.com, you must upload the verification file to the root directory of aliyun.com.
Default root directory of an Nginx server: /usr/share/nginx/html
Default root directory of an IIS server: C:\inetpub\wwwroot
Return to the WAF console and click Verify.
If Verification successful is displayed, your domain ownership is verified.
If Verification failed is displayed, troubleshoot the issue based on the error message:
Problem | Solution |
Cannot access the domain name | Check the DNS resolution of the domain name to make sure that a DNS record points to the origin server. For Alibaba Cloud DNS, see Add a DNS record. Check the security group or firewall rules of the origin server to make sure that requests from the internet are allowed. For ECS security groups, see Add a security group rule. |
Verification file does not exist | Upload the verification file to the origin server again. |
Incorrect file content | On your domain's origin server, delete the incorrect verification file, and then upload the verification file again. |
A security group rule that allows access from all IP addresses (0.0.0.0/0) poses a security risk. After the ownership is verified, we recommend that you remove the temporary rule for 0.0.0.0/0 to maintain your server's security.
Select a Protocol Type for your website (HTTP or HTTPS) and enter the required configuration information. You can configure both protocols.
Note: The WAF subscription plan for shared virtual hosts does not support HTTPS.
HTTP
HTTP Port
Enter the port that users use to access your website. We recommend that you use port 80 for the HTTP protocol. To specify a custom port, select a port from the allowed port range. Press Enter after you enter each port number.
HTTPS
HTTPS Port
Enter the port that users use to access your website. We recommend that you use port 443 for the HTTPS protocol. To specify a custom port, select a port from the allowed port range. Press Enter after you enter each port number.
HTTPS Upload Type
To protect your website's HTTPS traffic, you must upload its SSL certificate to WAF. The options are:
Manual Upload: Use this method if your certificate is not uploaded to Alibaba Cloud Certificate Management Service (Original SSL Certificate).
Select Existing Certificate: Select a certificate that has been issued or uploaded in Alibaba Cloud Certificate Management Service (Original SSL Certificate).
Apply for New Certificate: If you do not have an SSL certificate for the domain name, you must purchase one and wait for it to be issued before you add the domain name to WAF.
Manual upload
Certificate Name: Enter a name for the certificate. The name must be unique.
Certificate File: Open the certificate file in a text editor and paste its content. PEM, CER, and CRT formats are supported.
Example format:
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
Format conversion: If the certificate is in a format such as PFX or P7B, use a certificate tool to convert it to the PEM format.
Certificate chain: If your certificate includes an intermediate certificate, paste the server certificate content followed by the intermediate certificate content.
Private Key: Use a text editor to open and paste the content of the private key in PEM format.
RSA:
-----BEGIN RSA PRIVATE KEY-----
......
-----END RSA PRIVATE KEY-----
ECC:
-----BEGIN EC PRIVATE KEY-----
......
-----END EC PRIVATE KEY-----
Select existing certificate
From the certificate drop-down list, select the certificate to upload to WAF.
Note: If the WAF console displays the message "Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected.", the certificate chain is incomplete. Check the correctness and completeness of the certificate content and upload it again in the Certificate Management Service console. For more information, see Upload, sync, and share SSL certificates.
Apply for new certificate
If you have not purchased a certificate, see Purchase a commercial certificate. You can also click Apply to read the documentation about applying for a certificate.
Important: If your origin server is not configured to use HTTPS or does not support it (that is, no SSL/TLS certificate is deployed), you must enable HTTP back-to-origin. Otherwise, back-to-origin requests fail and your website becomes inaccessible.
To customize settings such as SM-based HTTPS, HTTP/2, forced HTTPS redirect, TLS version, HTTPS cipher suite, whether a Layer 7 proxy (such as a CDN) is deployed in front of WAF, IPv6, exclusive IP, shared cluster-based intelligent load balancing, or resource group, see Advanced settings. If no customization is needed, you can leave the other settings at their default values and click Next.
Step 2: configure forwarding
In the Server Address section, enter the IP address or domain name of the origin server based on its type. WAF uses this configuration to forward legitimate requests to the origin server. If you are unsure of the origin server's address, see FAQ.
Important: The Domain Name (Such as CNAME) option specified here refers to the origin server, not the protected domain name from Step 1. Use it when the origin server address is a domain name (such as a CNAME). For example, if the origin server is an ALB (Application Load Balancer) instance, enter its DNS name, such as alb-xxx.cn-shanghai.alb.aliyuncsslb.com.
After you determine the origin server type, complete the following configuration.
IP
Origin Port: The port that the origin server uses. Users access your website through the HTTP/HTTPS port that you configured in Step 1. WAF then uses the Origin Port specified here to access the origin server. If you are unsure which port your website uses, see FAQ.
By default, this port is the same as the HTTP/HTTPS port specified for the Protocol Type in the previous step. You can customize the origin port within the allowed port range. This is useful for scenarios where you need WAF to use a specific port for back-to-origin requests.
Origin IP Address: Enter the IP address of the origin server.
The IP address must be a public IP address.
You can enter multiple IP addresses. Press Enter after you enter each IP address. You can add up to 20 origin IP addresses. If you enter multiple IP addresses, WAF forwards back-to-origin requests based on the load balancing algorithm that you select.
You can configure IPv4 and IPv6 addresses, either separately or at the same time. If you want to configure an IPv6 address, you must first enable IPv6 protection in the Configure Listener step.
Domain Name (Such as CNAME)
Origin Port: The port that your origin server uses. Users access your website through the HTTP/HTTPS port configured in Step 1. WAF then uses the Origin Port specified here to forward requests to the origin server. If you do not know which port your website uses, see FAQ.
By default, this port is the same as the port specified for the Protocol Type in the previous step. If you need WAF to use a specific port for back-to-origin requests, you can customize the port within the allowed port range.
Origin Domain Name: Enter the domain name of the origin server.
WAF supports forwarding client requests only to the IPv4 address that is resolved from this domain name. For websites that use IPv6, select the IP method to add the website to WAF.
Important: If your origin server address changes, update it here immediately.
To customize settings such as load balancing algorithm, standby back-to-origin link, HTTP back-to-origin, origin SNI, Request Header Configuration, traffic tag, back-to-origin timeout, back-to-origin retry, or back-to-origin keep-alive, see Advanced settings. If no customization is needed, leave the other settings at their default values and click Submit.
Step 3: switch traffic (onboarding complete)
After completing the configuration in the WAF console, you must switch traffic to WAF to activate protection.
Allow the WAF back-to-origin IP address range: If you have configured access control policies, such as security group rules or firewall rules, on your origin server, or if you use security software like Safedog or Yunsuo, you must add the WAF back-to-origin IP address range to the allowlist on the origin server. Otherwise, back-to-origin traffic from WAF may be blocked, which causes service interruptions.
Note: We recommend that you configure your origin server to allow only the WAF back-to-origin IP address range. This prevents attackers from bypassing WAF to attack your origin server directly.
In the upper-right corner of the Add Completed wizard page, click WAF IP Address.
In the Back-to-origin CIDR Block dialog box, click Copy to copy all WAF back-to-origin IP addresses to the clipboard.
Note: The copied back-to-origin IP address ranges are separated by commas (,). They include addresses such as 2408:400a:3c:xxxx::/56, which are IPv6 address ranges.
Allow these IP address ranges in your server's firewall. For example, if your origin server is an Alibaba Cloud ECS instance, you must add the IP address ranges to a security group of the ECS instance. For more information about security groups, see Add a security group rule.
On the ECS instance details page, go to the tab, and then select the target security group to go to its details page.
On the Security Group Details > Inbound tab, click Add Rule.
You must create separate rules for IPv4 and IPv6 addresses, as a single security group rule cannot contain both.
Add an IPv4 rule: In the Create Security Group Rule panel, paste the IP address ranges that you copied into the Source field and manually delete the IPv6 addresses. Set Destination to the origin port that you configured in Step 2. Leave other parameters at their default values and click OK.
Add an IPv6 rule: Click Add Rule again. Follow the previous step to add the IPv6 address range, and select IPv6 in the Source field.
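The following Python snippet is an added example, not part of the WAF product or its documentation. It splits the comma-separated CIDR text copied from the Back-to-origin CIDR Block dialog into the separate IPv4 and IPv6 groups that the two security group rules need, and then scans origin access log lines for requests that did not arrive from a WAF range, which is the symptom of an origin that is still reachable directly. The CIDR values and log lines are constructed placeholders, not WAF's real ranges.

```python
# Added example (not from the WAF documentation): splits the comma-separated
# back-to-origin CIDR list copied from the console into the separate IPv4
# and IPv6 groups that ECS security group rules require, and checks origin
# access log lines for requests that did not come through WAF.
import ipaddress
import re
from typing import Iterable

# Constructed placeholder ranges standing in for the real list copied from
# the "Back-to-origin CIDR Block" dialog; they are NOT WAF's actual ranges.
COPIED_CIDR_TEXT = "203.0.113.0/24,198.51.100.0/26,2001:db8:3c::/56,2001:db8:ff00::/48"


def split_cidrs(text: str):
    """Parse the copied text into (ipv4_networks, ipv6_networks).

    Malformed entries raise ValueError rather than being silently dropped,
    so a truncated paste is noticed before it becomes a half-open allowlist.
    """
    v4, v6 = [], []
    for item in (p.strip() for p in text.split(",") if p.strip()):
        net = ipaddress.ip_network(item, strict=True)
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6


def is_from_waf(client_ip: str, networks: Iterable) -> bool:
    """True if the connecting address lies inside one of the WAF ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks if net.version == addr.version)


# Nginx combined-log style lines, constructed for this example.
SAMPLE_LOG = """\
203.0.113.17 - - [10/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512
192.0.2.44 - - [10/Jan/2025:10:00:02 +0000] "GET /admin HTTP/1.1" 200 128
2001:db8:3c:1::9 - - [10/Jan/2025:10:00:03 +0000] "GET /api HTTP/1.1" 200 64
"""

_REMOTE_ADDR = re.compile(r"^(\S+)\s")


def direct_to_origin_hits(log_text: str, networks: Iterable) -> list[str]:
    """Return the source addresses of requests that bypassed WAF.

    Once DNS points at the WAF CNAME, every legitimate request reaches the
    origin from a WAF range; anything else means the origin IP is exposed
    and the security group is still too permissive.
    """
    hits = []
    for line in log_text.splitlines():
        m = _REMOTE_ADDR.match(line)
        if m and not is_from_waf(m.group(1), networks):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    v4, v6 = split_cidrs(COPIED_CIDR_TEXT)
    print("IPv4 rule source:", ",".join(map(str, v4)))
    print("IPv6 rule source:", ",".join(map(str, v6)))
    print("Requests that bypassed WAF:", direct_to_origin_hits(SAMPLE_LOG, v4 + v6))
```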
Locally verify the WAF configuration: Before you change the DNS resolution for your domain name, we recommend that you verify the configuration by modifying the local hosts file to map the domain name. This helps prevent service interruptions from incorrect configurations.
On the Add Completed wizard page, click Copy CNAME to copy the CNAME address that WAF provides.
Go to Network Diagnostic Analysis, select Network Diagnostic Analysis, enter the copied CNAME address (for example, xxx.c.yundunwaf2.com), and click Start Test. Copy the IP address from the DNS Provider Resolution Result.
Modify your local computer's hosts file.
Windows
Use a text editor to open the C:\Windows\System32\drivers\etc\hosts file. Add the following record to the end of the file and save the file.
<IP address copied in step c> <Domain name added to WAF>
Open cmd and run the ping <Domain name added to WAF> command. If the output IP address matches the one that you added, the hosts file modification has taken effect. If not, run ipconfig /flushdns to flush the DNS cache and then run the ping command again.
Open a browser and enter your protected domain name in the address bar.
If the website loads normally, the WAF domain configuration is correct. You can proceed to modify the DNS resolution.
If the website is inaccessible, the WAF domain configuration may be incorrect. We recommend that you check the configuration, fix any issues, and then verify locally again.
After you complete the local verification, restore the hosts file to its original state.
macOS
Press Command+Space to search for and open Terminal.
Enter sudo vim /etc/hosts to open the hosts file.
Add the following line to the end of the file and save the file.
<IP address copied in step c> <Domain name added to WAF>
Run the ping <Domain name added to WAF> command. If the output IP address matches the one that you added, the hosts file modification has taken effect. If not, run sudo killall -HUP mDNSResponder to flush the DNS cache and try pinging again.
Open a browser and enter your protected domain name in the address bar.
If the website loads normally, the WAF domain configuration is correct. You can proceed to modify the DNS resolution.
If the website is inaccessible, the WAF domain configuration may be incorrect. We recommend that you check the configuration, fix any issues, and then verify locally again.
After the local verification is complete, restore the hosts file to its original state.
Modify the DNS resolution for your domain name: Point the DNS resolution for your domain name to the CNAME address that WAF provides. This routes your domain's web traffic through WAF for protection.
Note: We recommend that you perform this operation during off-peak hours to minimize the impact on your business.
On the Add Completed wizard page, click Copy CNAME to obtain the CNAME address from WAF.
Change the DNS resolution address of your domain name to the address that you copied in the previous step. If your domain name is hosted with Alibaba Cloud DNS, follow these steps. If you use a different DNS provider, perform similar steps in their system.
On the Public Zone page, find the domain name that you want to configure, and click Settings in the Actions column.
On the Settings page, find the Hostname that you want to modify, and click Edit in the Actions column. For example, if the domain name added to WAF is www.aliyundoc.com, find and modify the entry with the hostname www under the primary domain name aliyundoc.com.
In the Edit Record panel, set Record Type to CNAME and change Record Value to the CNAME address that WAF provides. Leave other settings unchanged.
When you modify DNS records:
For the same hostname, you can only have one CNAME record value. You must change it to the WAF CNAME address.
For the same hostname, a CNAME record conflicts with other record types such as A, MX, and TXT. You must delete the conflicting records before you add the new CNAME record.
Warning: To minimize service interruptions during the DNS change, add the new CNAME record immediately after you delete the old one.
Click OK to save the DNS settings. The updated DNS record will then take effect.
Note: DNS records take time to propagate. If the website is inaccessible after the change, wait 10 minutes and try again.
Step 4: verify WAF protection
After you complete the setup, follow these steps to verify that the domain name was added successfully.
In a web browser, enter the domain name you added. If the website loads correctly, the domain was added successfully.
Note: Access your website via its domain name, not the CNAME provided by WAF. The CNAME is used for DNS resolution only and cannot be accessed directly.
In a web browser, enter the domain name you added followed by a test attack string, for example, <protected domain name>/alert(xss), where alert(xss) is a test string for a cross-site scripting attack. If a 405 block page appears, WAF has successfully intercepted the attack.
After you complete the CNAME setup, consider the following:
Custom protection rules: WAF applies default protection rules to any domain name that you add. You can view these rules on the page. If the default rules do not meet your business requirements, you can create or modify protection rules. For example, you can add a specific IP address to the whitelist to allow all requests from that address. For more information, see Mitigation Settings Overview.
Obtaining real client IP addresses: By default, all requests to the origin server appear to originate from WAF IP addresses. To obtain the real client IP address, see Obtain the originating IP address of a client.
Advanced configuration
You can configure the following advanced settings during the quick start to enhance security, improve performance, and simplify management. To modify these settings after setup, go to the CNAME Record tab, find the domain, and click Edit in the Actions column.
Security with HTTPS
Parameter | Description |
HTTP/2 | Uses the HTTP/2 protocol to improve page load speed, reduce latency, and enhance user experience. If your origin server supports HTTP/2, you can enable HTTP/2 for both the listener and back-to-origin connections. When enabled, HTTP/2 and HTTPS use the same port. When you enable HTTP/2 for back-to-origin connections, WAF uses HTTP/2 to send requests to the origin server and enforces persistent connections. If the origin server does not support HTTP/2, WAF automatically falls back to HTTP/1.1 for back-to-origin connections. |
Enable HTTPS Routing (HSTS Configuration) | Forces all HTTP traffic to redirect to HTTPS and lets you customize the HSTS security policy. This option is available only when the listener is not configured for the HTTP protocol. |
TLS Version | Defines the allowed TLS versions for connections between the client and WAF. Higher versions provide stronger security but lower compatibility with legacy clients. For high-security scenarios, we recommend TLS 1.2 or later. |
HTTPS Cipher Suite | Defines the allowed cipher suites for connections between the client and WAF. Strong cipher suites provide better security but lower compatibility with legacy clients. For high-security scenarios, we recommend a strong cipher suite. |
Enable HTTP Back-to-Origin | Enables WAF to connect to the origin server over HTTP if the origin server does not support HTTPS. You must enable this feature if your origin server does not have an SSL certificate; otherwise, your website will be inaccessible. |
Origin SNI | Enable this feature to ensure correct routing when your origin server hosts multiple HTTPS domains on a single IP address. |
HTTP/2
On the Configure Listener page, select HTTP/2.
HSTS Configuration (Enable HTTPS Routing)
On the Configure Listener page, expand Advanced Settings and click Enable HTTPS Routing. Once enabled, you can configure the following HSTS parameters:
Expired At: Specifies how long, in seconds, the HSTS policy remains in effect. The default is 31,536,000 seconds (1 year).
Include Subdomains: If enabled, the HSTS policy applies to all subdomains of the domain. Ensure that all subdomains support HTTPS before you enable this option. Otherwise, they may become inaccessible.
Preload: This option is available only after you enable Include Subdomains. If you enable this option, you can submit your domain to the browser's HSTS preload list for enhanced global security.
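The following Python snippet is an added example, not part of the WAF product or its documentation. It composes the Strict-Transport-Security header value that the three settings above produce, enforces the console's rule that Preload requires Include Subdomains, and checks a header value against the browser preload-list requirements (a max-age of at least one year plus the includeSubDomains and preload directives). The function names are hypothetical.

```python
# Added example (not from the WAF documentation): builds the
# Strict-Transport-Security header that the HSTS parameters above produce,
# and checks a header value against the preload-list requirements.
import re

ONE_YEAR = 31_536_000  # the console default for "Expired At", in seconds


def build_hsts(max_age: int = ONE_YEAR, include_subdomains: bool = False,
               preload: bool = False) -> str:
    """Compose the header value for the given console settings.

    The console offers Preload only after Include Subdomains is enabled;
    the same constraint is enforced here so an invalid combination fails early.
    """
    if preload and not include_subdomains:
        raise ValueError("preload requires includeSubDomains")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value: str) -> dict:
    """Parse a header value into {max_age, include_subdomains, preload}.

    Directive names are case-insensitive (RFC 6797); unknown directives are
    ignored, and a missing or non-numeric max-age is reported as None.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip()
        if name == "max-age" and re.fullmatch(r'"?\d+"?', arg):
            result["max_age"] = int(arg.strip('"'))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def preload_problems(value: str) -> list[str]:
    """Return the reasons a header value is not eligible for the preload list.

    An empty list means the header itself satisfies the preload requirements
    (the site must additionally serve HTTPS and redirect HTTP, which a header
    check cannot see).
    """
    p = parse_hsts(value)
    problems = []
    if p["max_age"] is None or p["max_age"] < ONE_YEAR:
        problems.append("max-age must be at least 31536000 seconds")
    if not p["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not p["preload"]:
        problems.append("preload directive missing")
    return problems
```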
TLS Version
On the Configure Listener page, expand Advanced Settings and select the desired TLS Version:
TLS 1.0 and Later (Best Compatibility and Low Security): Supports all legacy clients.
TLS 1.1 and Later (High Compatibility and High Security): Prevents clients that use only TLS 1.0 from accessing the website.
TLS 1.2 and Later (High Compatibility and Best Security): Meets the latest security compliance requirements but prevents clients that use only TLS 1.0 or TLS 1.1 from accessing the website.
Support TLS 1.3: Select this option if your website supports TLS 1.3. By default, WAF does not accept client requests over TLS 1.3.
HTTPS Cipher Suite
On the Configure Listener page, expand Advanced Settings and select the desired HTTPS Cipher Suite:
All Cipher Suites (High Compatibility and Low Security)
Custom Cipher Suite (Select It based on protocol version. Proceed with caution.): If your website supports only specific cipher suites, select this option and choose from the list of supported suites.
Strong cipher suites | Weak cipher suites |
ECDHE-ECDSA-AES128-GCM-SHA256 | AES128-GCM-SHA256 |
ECDHE-ECDSA-AES256-GCM-SHA384 | AES256-GCM-SHA384 |
ECDHE-ECDSA-AES128-SHA256 | AES128-SHA256 |
ECDHE-ECDSA-AES256-SHA384 | AES256-SHA256 |
ECDHE-RSA-AES128-GCM-SHA256 | ECDHE-RSA-AES128-SHA |
ECDHE-RSA-AES256-GCM-SHA384 | ECDHE-RSA-AES256-SHA |
ECDHE-RSA-AES128-SHA256 | AES128-SHA |
ECDHE-RSA-AES256-SHA384 | AES256-SHA |
ECDHE-ECDSA-AES128-SHA | DES-CBC3-SHA |
ECDHE-ECDSA-AES256-SHA | ECDHE-RSA-RC4-SHA |
ECDHE-RSA-CHACHA20-POLY1305 | |
Note: Cipher suite security recommendations: The ECDHE-RSA-AES128-SHA256 and ECDHE-RSA-AES256-SHA384 cipher suites use ECDHE for key exchange, RSA for authentication, and AES-CBC encryption mode. Compared to cipher suites that use authenticated encryption modes such as AES-GCM, these suites offer lower security and performance. Some security scanning tools may identify them as weak cipher suites. If this occurs, select custom cipher suites and manually exclude these two suites.
Cipher suite naming conventions: Because cipher suite naming conventions differ, WAF displays cipher suites in OpenSSL format, while some scanning tools may use the IANA standard. For example, ECDHE-ECDSA-AES256-SHA384 in OpenSSL corresponds to TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 in IANA. To quickly look up the mapping, visit ciphersuite.info or use other TLS lookup tools.
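The following Python snippet is an added example, not part of the WAF product or its documentation. It parses the OpenSSL-style names shown in the console, reports the properties a scanner flags (no forward secrecy, CBC instead of AEAD, RC4 or 3DES), converts a name to the IANA form used by scanning tools, and derives a custom list from the ECDHE suites of the strong column. It goes one step beyond the note above by dropping every CBC suite, not only the two named; the function names are hypothetical.

```python
# Added example (not from the WAF documentation): classifies OpenSSL-style
# cipher suite names as shown in the WAF console, maps them to IANA names,
# and derives a hardened custom list without CBC, RC4 or 3DES suites.
import re

# The ECDHE suites from the strong column of the table above.
STRONG_COLUMN = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-CHACHA20-POLY1305",
]


def classify(openssl_name: str) -> dict:
    """Break an OpenSSL cipher suite name into its security-relevant properties.

    OpenSSL names omit the key exchange when it is static RSA (e.g. AES128-SHA),
    so a name that does not start with ECDHE/DHE has no forward secrecy. AEAD
    modes are GCM and CHACHA20-POLY1305; everything else on this page is CBC,
    with the trailing SHA/SHA256/SHA384 naming the HMAC.
    """
    parts = openssl_name.split("-")
    return {
        "forward_secrecy": parts[0] in ("ECDHE", "DHE"),
        "aead": "GCM" in parts or "POLY1305" in parts,
        "legacy_cipher": "RC4" in parts or "DES" in parts,  # RC4, DES-CBC3 (3DES)
        "auth": "ECDSA" if "ECDSA" in parts else "RSA",
    }


def scanner_findings(openssl_name: str) -> list[str]:
    """Return the weaknesses a typical TLS scanner reports for a suite."""
    c = classify(openssl_name)
    findings = []
    if c["legacy_cipher"]:
        findings.append("broken or deprecated cipher (RC4/3DES)")
    if not c["forward_secrecy"]:
        findings.append("no forward secrecy (static RSA key exchange)")
    if not c["aead"]:
        findings.append("CBC mode with HMAC instead of AEAD")
    return findings


def hardened_custom_suites(candidates: list[str]) -> list[str]:
    """Keep only the suites a scanner would not flag: forward-secret AEAD."""
    return [s for s in candidates if not scanner_findings(s)]


_NAME = re.compile(
    r"(?:(ECDHE|DHE)-(ECDSA|RSA)-)?(AES128|AES256|CHACHA20|DES-CBC3|RC4)"
    r"(?:-(GCM|POLY1305))?-?(SHA256|SHA384|SHA)?"
)


def openssl_to_iana(openssl_name: str) -> str:
    """Convert an OpenSSL name to the IANA form used by scanners.

    Covers the suites listed on this page, e.g. ECDHE-ECDSA-AES256-SHA384
    becomes TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384.
    """
    m = _NAME.fullmatch(openssl_name)
    if not m:
        raise ValueError(f"unsupported cipher suite name: {openssl_name}")
    kx, auth, cipher, mode, mac = m.groups()
    kx_part = f"{kx}_{auth}" if kx else "RSA"   # static RSA when no kx prefix
    if cipher == "CHACHA20":
        cipher_part, mac = "CHACHA20_POLY1305", "SHA256"  # PRF hash is implicit
    elif cipher == "DES-CBC3":
        cipher_part = "3DES_EDE_CBC"
    elif cipher == "RC4":
        cipher_part = "RC4_128"
    else:
        cipher_part = f"AES_{cipher[3:]}_{'GCM' if mode == 'GCM' else 'CBC'}"
    return f"TLS_{kx_part}_WITH_{cipher_part}_{mac}"
```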
Enable HTTP Back-to-Origin
On the Configure Forwarding Rule page, expand Advanced HTTPS Settings and click Enable HTTP Back-to-Origin. The default back-to-origin port is 80, which you can customize as needed.
Origin SNI
On the Configure Forwarding Rule page, expand Advanced HTTPS Settings and select Origin SNI. After you enable this option, you can specify the SNI value. The options are:
Match request host
The back-to-origin SNI value matches the Host field in the HTTP request header. For example, if the added domain is *.aliyundoc.com and the client request Host is www.aliyundoc.com, the back-to-origin SNI is www.aliyundoc.com.
Custom
Specify a fixed SNI value, which can be different from the Host field. Use this option only when the origin server has special configuration requirements, such as directing requests from multiple domains to a specific backend service.
Enable HTTP/2 to Origin
If you selected HTTP/2 on the Configure Listener page, you can Enable HTTP/2 to Origin on the Configure Forwarding Rule page.
Once enabled, you can configure the Max Concurrent Streams to Origin. The default is 128, and the configurable range is 1 to 512. You typically do not need to change this value. However, if you experience intermittent 502 errors after setup, check the relevant parameters on your origin server. We recommend that you set this value to be less than or equal to the corresponding parameter on the origin server. For example, if your origin server uses Nginx, this parameter corresponds to the Nginx parameter http2_max_concurrent_streams. For more information, see the Nginx documentation.
IPv6 network access
Enable IPv6
Description:
If your website supports IPv6, you can enable this feature to route IPv6 traffic through WAF. WAF will then assign an IPv6 WAF IP address to your domain.
WAF routes requests from IPv4 clients to the IPv4 origin server. For IPv6 clients, WAF routes requests to a configured IPv6 origin server or, if none is configured, to the IPv4 origin server.
Important: This feature is available only for the pay-as-you-go, subscription Enterprise, and Ultimate editions of WAF in Chinese Mainland.
This feature is incompatible with Shared Cluster-based Intelligent Load Balancing.
Procedure: On the Configure Listener page, expand More Settings and click IPv6.
Improve service availability and performance
Parameter | Description |
Exclusive IP | By default, all domain names added to the same WAF instance share a WAF IP address. When enabled, this feature assigns the domain an exclusive IP address. This isolates the domain from the impact of DDoS attacks on other domains. For more information, see exclusive IP. Important: Subscription Basic Edition instances do not support this feature. |
Shared Cluster-based Intelligent Load Balancing | This feature combines intelligent DNS resolution and a least-time back-to-origin algorithm to route traffic from protection nodes to the origin server along the shortest, lowest-latency path. It requires you to configure at least three protection nodes in different regions. For more information, see intelligent load balancing. Important: Subscription Basic Edition instances do not support this feature. |
Load Balancing Algorithm | If an origin server has multiple addresses, you can configure a load balancing policy. WAF then uses this policy to distribute back-to-origin requests across these addresses. |
Standby Link Back-to-origin | Allows you to configure a secondary origin server to ensure high availability. If all primary back-to-origin addresses become unreachable and request traffic is at least 100 QPS, the system automatically switches to the secondary link within 30 seconds. The system automatically switches traffic back once the primary link is restored. |
Exclusive IP
Important: For a pay-as-you-go instance, billing is based on the number of enabled exclusive IP addresses. For more information, see Pay-as-you-go billing description.
Exclusive IP addresses are not static. To ensure service stability, you must modify your domain's DNS settings by strictly following the steps in this topic. For more information, see Can I change the DNS record to point to the WAF VIP?
After you enable this feature, Shared Cluster-based Intelligent Load Balancing is not supported.
On the Configure Listener page, expand More Settings and click Exclusive IP Address. For a subscription instance, if this option is unavailable, follow the on-screen prompts to upgrade your instance and purchase the Exclusive IP Addresses value-added service.
Shared Cluster-based Intelligent Load Balancing
Important: A pay-as-you-go instance is billed based on whether Shared Cluster-based Intelligent Load Balancing is enabled. For more information, see Pay-as-you-go billing description.
After you enable Shared Cluster-based Intelligent Load Balancing, IPv6 and exclusive IP are not supported.
On the Configure Listener page, expand More Settings, and in the Protection Resource section, select Shared Cluster-based Intelligent Load Balancing to enable this feature. For a subscription instance, if this option is unavailable, follow the on-screen prompts to upgrade your instance and enable the Intelligent Load Balancing value-added service.
Load Balancing Algorithm
On the Configure Forwarding Rule page, select a Load Balancing Algorithm. The available options are:
Round-robin
This algorithm forwards client requests sequentially to each server in the origin server address list. This algorithm is suitable for scenarios with multiple origin servers that require even traffic distribution.
IP hash
This algorithm forwards requests from the same client to the same origin server. This algorithm is suitable for scenarios that require session persistence but may result in an unbalanced traffic distribution.
Least time
This algorithm uses intelligent DNS resolution and a least-time back-to-origin algorithm to ensure the shortest path and lowest latency for traffic from the protection node to the origin server.
Important: To use the least time algorithm, you must set Protection Resource to Shared Cluster-based Intelligent Load Balancing on the Configure Listener page. For more information, see Shared cluster intelligent load balancing.
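The following is an added example, not WAF's own code, that implements the round-robin and IP hash selection described above and runs both over a constructed client population. It shows the trade-off the text names: IP hash keeps every request from one client on the same origin, but a single busy source address (a corporate NAT gateway, for instance) lands entirely on one origin. The origin list, client addresses and the hash function (SHA-256 modulo the origin count) are assumptions; the page does not document the hash WAF uses.

```python
"""Round-robin versus IP-hash back-to-origin selection over constructed traffic."""
import hashlib
import itertools
from collections import Counter
from typing import Callable, Iterable, List, Tuple

# Constructed origin address list (RFC 5737 documentation range), not real servers.
ORIGINS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


class RoundRobin:
    """Hands out origins in order and wraps around: even distribution by construction."""

    def __init__(self, origins: List[str]) -> None:
        self._cycle = itertools.cycle(origins)

    def pick(self, client_ip: str) -> str:
        # The client address is ignored: round-robin has no session affinity.
        return next(self._cycle)


def ip_hash_pick(client_ip: str, origins: List[str]) -> str:
    """Deterministic client -> origin mapping (assumed hash: SHA-256 mod N)."""
    digest = hashlib.sha256(client_ip.encode("ascii")).digest()
    return origins[int.from_bytes(digest[:8], "big") % len(origins)]


def distribution(picker: Callable[[str], str], client_ips: Iterable[str],
                 requests_per_client: int = 1) -> Counter:
    """Counts how many requests each origin receives for the given clients."""
    counts: Counter = Counter()
    for ip in client_ips:
        for _ in range(requests_per_client):
            counts[picker(ip)] += 1
    return counts


# Constructed population: 40 distinct clients with one request each, plus one
# NAT gateway address behind which 100 requests arrive.
CLIENTS = [f"203.0.113.{i}" for i in range(1, 41)]
NAT_GATEWAY = "198.51.100.7"


def demo() -> Tuple[Counter, Counter]:
    """Returns (round_robin_counts, ip_hash_counts) for the same 140 requests."""
    rr = RoundRobin(ORIGINS)
    rr_counts = distribution(rr.pick, CLIENTS)
    rr_counts.update(distribution(rr.pick, [NAT_GATEWAY], 100))

    ih = lambda ip: ip_hash_pick(ip, ORIGINS)
    ih_counts = distribution(ih, CLIENTS)
    ih_counts.update(distribution(ih, [NAT_GATEWAY], 100))
    return rr_counts, ih_counts


if __name__ == "__main__":
    rr_counts, ih_counts = demo()
    print("round-robin:", dict(rr_counts))   # spread within one request of each other
    print("ip-hash:    ", dict(ih_counts))   # one origin carries all 100 NAT requests
```

Round-robin spreads the 140 requests almost perfectly (47/47/46), while IP hash sends the 100 NAT-gateway requests to whichever origin that address hashes to. If you need session persistence, make the application stateless or share session state between origins rather than relying on the hash for balance.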
Standby Link Back-to-origin
On the Configure Forwarding Rule page, click Standby Link Back-to-origin to configure this feature. You can enter up to 20 addresses in IP or domain name format. Press Enter after you enter each address. If you enter multiple addresses, WAF forwards back-to-origin requests based on your selected load balancing algorithm.
IP: The address must be a public IP address.
You can configure IPv4 and IPv6 addresses, either individually or simultaneously.
To configure an IPv6 address, you must first enable IPv6 protection on the Configure Listener page. For more information, see Enable IPv6 Protection.
Domain name: WAF can forward client requests only to the IPv4 addresses resolved from the specified domain name. For websites that use IPv6, you must specify the origin server by its IP address.
Important: If your origin server's address changes, update it here immediately.
Real client information
Parameter | Description |
Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF | If a Layer 7 proxy such as a CDN is deployed in front of WAF, you must set Obtain Actual IP Address of Client so that WAF can obtain the real client IP for security analysis (for example, the Attacker IP Address in Security Reports). |
Enable Traffic Tagging | Allows the origin server to identify requests that have passed through WAF and retrieve the client's source IP or source port. |
Request Header Forwarding | By default, WAF inserts specific request headers into the HTTP requests it processes. If your web application needs to handle these request headers, you can configure them as needed. If a request header already exists, WAF overwrites its value; otherwise, WAF adds the new header. |
Proxy Protocol Pass-through | WAF passes the Proxy Protocol header to the origin server. This allows origin servers that support Proxy Protocol to retrieve the original client's IP address. |
Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF
On the Configure Listener page, configure this setting in the Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF section. The available options are:
No other proxy
Indicates that requests are sent directly from clients to WAF.
Other proxies
Indicates that requests are forwarded to WAF from another layer 7 proxy. You must also specify the Obtain Actual IP Address of Client.
Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client
If you select this option, WAF obtains the source IP in the following order of precedence:
The value of the X-Real-IP request header.
If the X-Real-IP header does not exist, the first IP address in the X-Forwarded-For (XFF) header.
[Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery
Note: We recommend that you configure the upstream proxy service to write the source IP address to a specified header field, such as X-Real-IP or X-Client-IP, and to overwrite any value of that header supplied by the client. Using a specified header prevents attackers from bypassing WAF by spoofing the XFF header.
In the Header Field box, enter one or more header fields. Press Enter after each field. WAF obtains the source IP in the following order of precedence:
The specified Header Field, in the order entered.
If none of the specified headers exist, the value of the X-Real-IP header.
If the X-Real-IP header also does not exist, the first IP address in the XFF header.
Use the Client IP from the Proxy Protocol header as the client's source IP: If an upstream proxy has Proxy Protocol enabled, you can select this option to extract the original client IP. This method transmits the source IP at the transport layer, so it cannot be spoofed at the HTTP layer. This method is ideal for scenarios that require a high degree of trust in the source IP. If the Proxy Protocol header does not contain a client IP, WAF uses the IP address of the upstream proxy as the source IP.
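The following is an added example, not WAF's own code, that implements the precedence rules listed above for the two HTTP-header options and runs them against constructed requests from an attacker who forges X-Forwarded-For. The upstream proxy is modelled as a function; the addresses, header names and the assumption that the proxy does not strip client-supplied headers are all constructed for the demonstration.

```python
"""Client-IP precedence rules and an X-Forwarded-For forgery walk-through."""
from typing import Dict, List, Optional


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _set(headers: Dict[str, str], name: str, value: str) -> None:
    """Replace a header regardless of the case the client used."""
    for key in [k for k in headers if k.lower() == name.lower()]:
        del headers[key]
    headers[name] = value


def _first(value: Optional[str]) -> Optional[str]:
    """First comma-separated entry, or None if the header is absent or empty."""
    if not value:
        return None
    return value.split(",")[0].strip() or None


def ip_first_in_xff(headers: Dict[str, str]) -> Optional[str]:
    """Option 'Use the First IP Address in X-Forwarded-For':
    X-Real-IP first, then the first XFF entry."""
    return _first(_get(headers, "X-Real-IP")) or _first(_get(headers, "X-Forwarded-For"))


def ip_from_specified_headers(headers: Dict[str, str], fields: List[str]) -> Optional[str]:
    """Recommended option: the configured fields in order, then X-Real-IP, then XFF."""
    for field in fields:
        ip = _first(_get(headers, field))
        if ip:
            return ip
    return ip_first_in_xff(headers)


def upstream_proxy(client_headers: Dict[str, str], peer_ip: str,
                   trusted_header: Optional[str] = None) -> Dict[str, str]:
    """Model of a Layer 7 proxy (CDN) between the client and WAF. It appends the
    TCP peer to XFF; if trusted_header is set it overwrites that header with the
    peer address (what the Note recommends). Assumption: other client-supplied
    headers pass through untouched."""
    forwarded = dict(client_headers)
    xff = _get(forwarded, "X-Forwarded-For")
    _set(forwarded, "X-Forwarded-For", f"{xff}, {peer_ip}" if xff else peer_ip)
    if trusted_header:
        _set(forwarded, trusted_header, peer_ip)
    return forwarded


PEER = "198.51.100.7"     # real TCP peer of the upstream proxy (the attacker's host)
SPOOFED = "203.0.113.9"   # address the attacker wants WAF to record


def forgery_report() -> Dict[str, Optional[str]]:
    """What WAF would log for the attacker under four configurations."""
    attacker = {"X-Forwarded-For": SPOOFED}
    # 1. Proxy only appends to XFF; WAF reads the first XFF entry.
    r1 = ip_first_in_xff(upstream_proxy(attacker, PEER))
    # 2. Proxy writes the peer into X-Client-IP; WAF reads X-Client-IP.
    r2 = ip_from_specified_headers(upstream_proxy(attacker, PEER, "X-Client-IP"),
                                   ["X-Client-IP"])
    # 3. WAF reads X-Client-IP, but the proxy never sets it and the attacker does.
    attacker2 = {"X-Forwarded-For": SPOOFED, "x-client-ip": SPOOFED}
    r3 = ip_from_specified_headers(upstream_proxy(attacker2, PEER), ["X-Client-IP"])
    # 4. Same attacker, but the proxy overwrites X-Client-IP.
    r4 = ip_from_specified_headers(upstream_proxy(attacker2, PEER, "X-Client-IP"),
                                   ["X-Client-IP"])
    return {"first_xff": r1, "specified_proxy_sets": r2,
            "specified_proxy_passes_through": r3, "specified_proxy_overwrites": r4}


if __name__ == "__main__":
    for name, ip in forgery_report().items():
        print(f"{name:32s} -> {ip}  ({'FORGED' if ip == SPOOFED else 'real peer'})")
```

Cases 1 and 3 log the forged address; only the combination of a specified header and a proxy that overwrites it (case 4) pins the value to the real peer. The proxy's overwrite is the load-bearing part: selecting a header name in WAF without configuring the proxy to set it leaves the field attacker-controlled.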
Enable Traffic Tagging
On the Configure Forwarding Rule page, expand Other Advanced Settings, select Enable Traffic Tagging, and then configure the following types of tag fields:
Custom Header: By specifying a Header Name and Header Value, you can instruct WAF to add this header to back-to-origin requests to identify requests that have passed through WAF. For example, you can configure the tag WAF-TAG: Yes, where WAF-TAG is the header name and Yes is the header value. Your origin server can then use this field to create validation or access control policies. Important: Do not use standard HTTP header fields, such as User-Agent; otherwise, WAF overwrites the original header value with your custom value. Note that the tag alone does not prove a request came through WAF, because any client that reaches the origin directly can send the same header; combine it with an origin firewall or security group rule that accepts traffic only from the WAF back-to-origin CIDR block.
Originating IP Address: Specify the name of the header field that contains the originating IP address. WAF records and forwards this header field to the origin server. For more information about how WAF determines the originating IP address, see the description of the Is a layer 7 proxy (such as Anti-DDoS Proxy or CDN) deployed in front of WAF parameter.
Source Port: Specify the name of the header field that contains the source port. WAF records and forwards this header field to the origin server.
Request Header Forwarding
On the Configure Forwarding Rule page, expand Other Advanced Settings. In the Request Header Forwarding section, select the header fields you want WAF to insert.
Insert X-Client-IP to get the real client IP: Forwards the client's originating IP address.
Add X-True-IP with Real Client IP: Forwards the IP address used to establish the connection.
Insert Web-Server-Type to get the server type: An upstream proxy typically adds this header to inform the origin server about the type of frontend web server or proxy processing the request.
Add WL-Proxy-Client-IP with Real Client IP: This header provides the same functionality as X-Client-IP and is specific to Oracle WebLogic Server.
Insert X-Forwarded-Proto to get the frontend protocol: The protocol used for the connection between the client and the upstream proxy.
Proxy Protocol Pass-through
On the Configure Forwarding Rule page, expand Other Advanced Settings, and enable Proxy Protocol Pass-through.
Important: Before you enable this feature, confirm that your origin server supports the Proxy Protocol. Otherwise, back-to-origin requests may fail, because the origin receives a PROXY header in front of the HTTP request and cannot parse it.
Enabling this feature reduces the reuse rate of Origin Keep-alive. If you need to use Origin Keep-alive, enable this feature with caution.
This feature cannot be enabled when Enable HTTP/2 to Origin is also enabled.
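The following is an added example, not WAF's own code, showing what an origin that has Proxy Protocol Pass-through enabled must do before it reads the HTTP request: parse the PROXY header (version 1 text form, and version 2 binary form for TCP over IPv4 and IPv6), and fall back to the peer address when the header carries no client address, which is the rule the Real client information section states for WAF itself. The encoder `build_v2` stands in for the proxy side so both halves of the exchange run offline; the addresses are constructed.

```python
"""PROXY protocol v1/v2 parsing on the origin side, with the no-client-address fallback."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte signature of a v2 header


@dataclass
class ProxyInfo:
    src_ip: Optional[str]      # None means the header carried no client address
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]


def _check_port(port: int) -> int:
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return port


def parse_proxy_header(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Returns (info, remaining_bytes); info is None when no PROXY header is present."""
    if data.startswith(b"PROXY "):
        end = data.find(b"\r\n")
        if end < 0 or end > 105:                 # v1 line is at most 107 bytes with CRLF
            raise ValueError("malformed PROXY v1 line")
        parts = data[:end].decode("ascii").split(" ")
        rest = data[end + 2:]
        if parts[1] == "UNKNOWN":                # proxy does not know the client address
            return ProxyInfo(None, None, None, None), rest
        if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
            raise ValueError("malformed PROXY v1 line")
        src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
        want = 4 if parts[1] == "TCP4" else 6
        if src.version != want or dst.version != want:
            raise ValueError("address family does not match TCP4/TCP6")
        return ProxyInfo(str(src), _check_port(int(parts[4])),
                         str(dst), _check_port(int(parts[5]))), rest
    if data.startswith(V2_SIG):
        if len(data) < 16:
            raise ValueError("short PROXY v2 header")
        ver_cmd, fam_tr, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("not a PROXY v2 header")
        body, rest = data[16:16 + length], data[16 + length:]
        if len(body) < length:
            raise ValueError("short PROXY v2 header")
        if ver_cmd & 0x0F == 0:                  # LOCAL: proxy's own traffic, no client
            return ProxyInfo(None, None, None, None), rest
        family, transport = fam_tr >> 4, fam_tr & 0x0F
        if transport != 1:
            raise ValueError("only TCP (STREAM) is handled in this example")
        if family == 1 and length >= 12:         # AF_INET: 4 + 4 + 2 + 2 bytes
            s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
        elif family == 2 and length >= 36:       # AF_INET6: 16 + 16 + 2 + 2 bytes
            s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
        else:
            raise ValueError("unsupported or truncated address block")
        return ProxyInfo(str(ipaddress.ip_address(s)), sp,
                         str(ipaddress.ip_address(d)), dp), rest
    return None, data


def client_ip(data: bytes, peer_ip: str) -> Tuple[str, bytes]:
    """Client address per the rule above: PROXY source if present, else the peer."""
    info, rest = parse_proxy_header(data)
    if info is None or info.src_ip is None:
        return peer_ip, rest
    return info.src_ip, rest


def build_v2(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Proxy-side encoder: the v2 header an upstream proxy would prepend (PROXY command)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    family = 0x10 if s.version == 4 else 0x20
    addrs = s.packed + d.packed + struct.pack("!HH", sport, dport)
    return V2_SIG + bytes([0x21, family | 0x01]) + struct.pack("!H", len(addrs)) + addrs


if __name__ == "__main__":
    # Constructed exchange: proxy prepends a v1 line, then the HTTP request follows.
    wire = b"PROXY TCP4 198.51.100.7 192.0.2.10 56324 443\r\nGET / HTTP/1.1\r\n"
    print(client_ip(wire, peer_ip="203.0.113.1"))
```

Two points worth noticing. An origin that reads HTTP straight off the socket sees `PROXY ...` or the binary signature where the request line should be, which is the failure mode the Important note warns about. And the `UNKNOWN`/`LOCAL` cases are where the text's fallback applies: there is no client address to trust, so the peer (the upstream proxy) is the best you can log.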
Back-to-origin link optimization
Parameter | Description |
Back-to-origin timeouts | If your origin server responds slowly and causes timeouts, configure the timeout for establishing connections and performing read/write operations. |
Back-to-origin retry | By default, WAF retries a failed back-to-origin request up to three times per origin server. Disabling this feature prevents WAF from retrying these requests. |
Back-to-origin keep-alive connection | Configures persistent (keep-alive) connections between WAF and the origin server. If you encounter intermittent 502 errors after adding your service, ensure that the WAF Idle Timeout does not exceed the keep-alive timeout on your origin server (for Nginx, keepalive_timeout). If the origin closes an idle connection first, WAF may reuse a connection the origin has already closed, and the failed request surfaces as a 502. |
Back-to-origin timeouts
On the Configure Forwarding Rule page, expand Other Advanced Settings and configure the following:
Connection Timeout Period: Defines the timeout for WAF to establish a connection with an origin server. Generally, you do not need to adjust this parameter. Increase this value only if establishing a connection is slow due to high network latency or a heavy load on the origin server. The default value is 5s, and the configurable range is 1s to 3600s.
Read Timeout: Defines the timeout for receiving a response from the origin server. Increase this parameter for APIs with long response times, such as those for report exports or batch data processing. The default value is 120s, and the configurable range is 1s to 3600s.
Write Timeout: Defines the timeout for WAF to send a request to the origin server. Generally, you do not need to adjust this parameter. Increase this value only if the origin server processes requests slowly due to a heavy load. The default value is 120s, and the configurable range is 1s to 3600s.
Back-to-origin retry
On the Configure Forwarding Rule page, expand Other Advanced Settings and configure the settings for Retry on 5XX Error.
Back-to-origin keep-alive connection
Important: When this feature is disabled, back-to-origin keep-alive connections do not support the WebSocket protocol.
On the Configure Forwarding Rule page, expand Other Advanced Settings. Enable Origin Keep-alive and configure the following:
Max Requests per Connection: The default value is 1,000. The configurable range is 60 to 1,000. For example, if the origin server uses Nginx, this parameter corresponds to the Nginx keepalive_requests parameter. For more information, see the Nginx documentation.
Idle Timeout: The default value is 15s and the configurable range is 10s to 3600s. For example, if the origin server uses Nginx, this parameter corresponds to the Nginx keepalive_timeout parameter.
Upload file size
Max Body Size (Enterprise Edition only)
Feature: By default, WAF supports a maximum file upload size of 2 GB. The WAF Ultimate Edition lets you increase this limit for large file uploads.
Procedure: On the Configure Forwarding Rule page, expand Other Advanced Settings and configure the Max Body Size. The value defaults to 2 GB and can be increased up to 10 GB. After configuring this setting, you must also increase the Read Timeout and Write Timeout.
Streamline resource management
Resource Group
Description: Simplifies resource management and permission configuration, improving administrative efficiency. If you do not specify a resource group, the domain defaults to the Default Resource Group. For more information, see resource groups.
Steps: On the Configure Listener page, in the Resource Group area, select the resource group for the domain from the drop-down list.
Maintenance
Update a domain certificate
Update the certificate for a domain name if it is about to expire or has been changed, for example, if it is revoked.
Alibaba Cloud certificate
In the Certificate Management Service (Original SSL Certificate) console, renew your SSL certificate. For more information, see Renew an SSL certificate.
In the WAF console, on the list of domains added via CNAME, locate the target domain and click Edit in the Actions column.
In the HTTPS Upload Type section, select Select Existing Certificate and choose the new certificate. Then, click .
Third-party certificate
Download the certificate file from the provider.
In the WAF console, on the list of domains added via CNAME, locate the target domain and click Edit in the Actions column.
In the HTTPS Upload Type section, select Upload and enter the following information.
Certificate Name: Enter a unique name for the certificate. The name must not match an existing certificate name.
Certificate File: Paste the content from the certificate file. The content must be in PEM, CER, or CRT format.
Example format:
-----BEGIN CERTIFICATE-----......-----END CERTIFICATE-----
Certificate chain: If your certificate file includes an intermediate certificate, concatenate the server certificate and the intermediate certificate in that order, and then paste the combined content.
Format conversion: If your certificate is in a format such as PFX or P7B, use the certificate tool to convert it to the PEM format.
Private Key: Paste the content from the private key file. The content must be in PEM format.
Example format:
RSA:
-----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY-----
ECC:
-----BEGIN EC PRIVATE KEY-----......-----END EC PRIVATE KEY-----
If a certificate expires in less than 30 days, WAF displays an expiration icon next to the domain in the list of domains. Update the certificate promptly to avoid service disruptions. You can set up notifications for SSL certificates to receive expiration alerts by email, SMS, and other methods. For more information, see Set up message notifications for SSL certificates.
To prevent service disruptions from an expired certificate, enable the certificate hosting service in Alibaba Cloud's Certificate Management Service (Original SSL Certificate). This service automatically applies for certificates before they expire. For more information, see What is Certificate Hosting Service?.
Re-adding a domain after ICP expiration
After you add a domain using a CNAME record, WAF periodically checks its ICP filing status. If the filing expires, WAF automatically stops forwarding traffic for the domain. If your domain's ICP filing expires, re-apply for it. Once approved, go to the CNAME onboarding page and click Add Again.
Roll back onboarding
If you encounter issues such as a high number of false positives after adding your domain name, you can temporarily disable WAF protection by going to the Protected Objects page in the WAF console and turning off the WAF Protection Status switch. For more information, see Disable WAF protection with one click.
To stop protecting a domain name with WAF, follow these steps.
Change the domain name's DNS record to point back to your origin server address. For example, set it to the IP address of your origin server.
In the WAF console, find the domain name and click Delete under the Actions column.
Important: Before deleting the domain name, you must change its DNS record to point back to the origin server address. If you do not, the domain name's CNAME address becomes invalid, and your website will be inaccessible.
Billing: For a pay-as-you-go WAF instance, you are charged a feature fee in addition to request processing fees. The feature fee covers the instance and protection rules. To stop using WAF and avoid further charges, see Disable WAF.
Bulk manage WAF domains by API
If you manage multiple domains with WAF, use the API to quickly add them or view their configuration details.
To add a domain to a WAF instance, see the CreateDomain API operation.
To query the configuration details of a domain added via CNAME, see the DescribeDomain API operation.
Applying to production
To ensure security and stability in your production environment, follow these best practices when adding a production domain name.
HTTPS configuration: We recommend that you deploy certificates on both your origin server and in WAF, and use the following settings for efficient certificate management.
Upload your certificate files to Certificate Management Service (Original SSL Certificate).
When you add the domain name to WAF, set the Protocol Type to HTTPS. In the TLS version section, we recommend configuring TLS 1.2 or later. In the HTTPS cipher suite section, configure a custom strong cipher suite.
Set up notifications for SSL certificates to update them promptly before they expire.
Phased rollout: First, add a non-production domain name during off-peak hours. After confirming that services are operating normally, add your production domain name.
Service validation: After setup, verify normal service operation in the following ways:
Review logs: Check for significant fluctuations in the percentage of 200 status codes and for sudden spikes or drops in QPS. If you enabled the WAF log service, review the WAF log.
Application monitoring: Ensure core application functions, such as user access and transactions, are working correctly.
Origin server hardening: We recommend configuring your origin server to allow traffic only from the WAF back-to-source IP block. This ensures only WAF can communicate with your origin server, preventing attackers from bypassing WAF to access its public IP address directly.
Ongoing maintenance: After you add your domain name to the production environment, continuously monitor for attacks and false positives.
Incident response: We recommend monitoring Security Reports and configuring CloudMonitor notifications to stay informed about attacks and security events.
Rule tuning: Continuously monitor attack logs to identify mistakenly blocked business requests, and optimize your protection rules accordingly.
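The following is an added example, not WAF's own code, of the origin-side gate that the traffic tagging section and the origin server hardening item above describe when taken together: accept a request only if the TCP peer is inside the WAF back-to-origin CIDR allowlist and the request carries the configured tag header, and only then trust the tagged client-IP header. The CIDR, header names and requests are constructed placeholders; the real back-to-origin CIDR block is the one shown in the WAF console, and the host firewall or security group rule remains the primary control that this check backs up.

```python
"""Origin-side gate: WAF source allowlist + traffic tag before trusting the client IP."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Placeholder allowlist (RFC 5737 documentation range), NOT the real WAF CIDR block.
WAF_BACK_TO_ORIGIN_CIDRS = [ipaddress.ip_network("192.0.2.0/24")]
TAG_HEADER, TAG_VALUE = "WAF-TAG", "Yes"    # as configured under Custom Header (assumed)
CLIENT_IP_HEADER = "X-Client-IP"            # as configured under Originating IP Address (assumed)


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def from_waf(peer_ip: str) -> bool:
    """True if the TCP peer is inside the back-to-origin allowlist."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in WAF_BACK_TO_ORIGIN_CIDRS)


def gate(peer_ip: str, headers: Dict[str, str]) -> Tuple[bool, Optional[str], str]:
    """Returns (allowed, trusted_client_ip, reason)."""
    if not from_waf(peer_ip):
        # The tag header proves nothing here: anyone reaching the origin
        # directly can type 'WAF-TAG: Yes'. This is the WAF-bypass case.
        return False, None, "peer not in WAF back-to-origin allowlist"
    if _get(headers, TAG_HEADER) != TAG_VALUE:
        return False, None, "missing or wrong traffic tag"
    raw = _get(headers, CLIENT_IP_HEADER)
    if not raw:
        return False, None, "missing client IP header"
    try:
        client = str(ipaddress.ip_address(raw.split(",")[0].strip()))
    except ValueError:
        return False, None, "unparsable client IP header"
    return True, client, "ok"


def wsgi_guard(app: Callable) -> Callable:
    """WSGI middleware form of gate(): 403 unless the request passed through WAF."""
    def guarded(environ: Dict, start_response: Callable) -> Iterable[bytes]:
        headers = {k[5:].replace("_", "-"): v
                   for k, v in environ.items() if k.startswith("HTTP_")}
        ok, client, reason = gate(environ.get("REMOTE_ADDR", ""), headers)
        if not ok:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [reason.encode()]
        environ["waf.client_ip"] = client      # what the application should log
        return app(environ, start_response)
    return guarded


if __name__ == "__main__":
    # Constructed requests: one via WAF, one direct to the origin with a forged tag.
    via_waf = gate("192.0.2.55", {"WAF-TAG": "Yes", "X-Client-IP": "198.51.100.7"})
    direct = gate("203.0.113.5", {"WAF-TAG": "Yes", "X-Client-IP": "198.51.100.7"})
    print("via WAF:", via_waf)
    print("direct: ", direct)
```

If a health checker or internal tool must reach the origin without passing through WAF, give it its own allowlist entry rather than weakening the tag check; otherwise every rejected request with a valid-looking tag from outside the allowlist is a bypass attempt worth alerting on.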
FAQ
Onboarding
WAF back-to-origin CIDR and CNAME
You can find the WAF back-to-origin CIDR block and the CNAME address for each added domain in the onboarding list. For instructions on how to allow the WAF back-to-origin CIDR block, see Allow the WAF back-to-origin CIDR block.
DNS status of a domain
You can check the DNS status of a domain name in the onboarding list to identify domains at risk of DNS anomalies and adjust DNS resolution settings as prompted by the console.
DNS status | Actions |
DNS resolution normal | The domain name resolves to WAF as expected. No action is required. |
DNS resolution abnormal, connecting via A record | Delete the domain's A record, add a CNAME record, and set its record value to the WAF-provided CNAME address. For more information, see Modify the DNS settings for a domain name. |
DNS resolution abnormal, using an incorrect WAF IP | Delete the A record for the added domain name, add a CNAME record, and set the record value to the CNAME address provided by WAF. For more information, see Modify the DNS settings for a domain name. |
DNS resolution abnormal, using an incorrect CNAME address | Update the CNAME record's value to the CNAME address provided by WAF. For more information, see Modify the DNS settings for a domain name. |
DNS resolution unknown, proxy enabled for the domain | A Layer 7 proxy is enabled in front of WAF. Check whether the proxy's configured origin is the WAF-provided CNAME address. If the address is correct, you can ignore this alert. |
DNS check timed out | Click the icon next to the status to re-run the DNS status check. |
No DNS record, please connect to WAF | Add a CNAME record and set the record value to the CNAME address provided by WAF. For more information, see Modify the DNS settings for a domain name. |
DNS not resolved to WAF, please connect to WAF | Update the CNAME record's value to the CNAME address provided by WAF. For more information, see Modify the DNS settings for a domain name. |
DNS resolution normal (proxy incorrectly enabled) | The domain name resolves to WAF as expected, but the frontend proxy feature is enabled by mistake. If no Layer 7 proxy such as a CDN or Anti-DDoS is deployed in front of WAF, set Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF to No. |
ICP filing information
Open the Network Diagnostic Analysis tool, select Network Diagnostic Analysis, and enter the domain name. Confirm that the Filing Inspection status is The website has been filed. If the message "The website has not been filed. Please consult your website server provider" is displayed, you must complete the ICP filing before adding the domain name to WAF.
If your server is hosted on Alibaba Cloud, use the Alibaba Cloud ICP Filing system to complete the ICP filing. For more information, see ICP filing process.
If your server is not on Alibaba Cloud, apply for ICP filing through your provider's system or the official MIIT website.
Origin server address
In the Configure Forwarding Rule > Server Address section, if you are unsure about the origin server address, go to the Network Diagnostic Analysis page, enter the domain name, and check the DNS Provider Resolution Results area. If an IP record, such as an A or AAAA record, is returned, enter the corresponding IP. If a domain record, such as a CNAME record, is returned, enter the corresponding Domain Name (Such as CNAME).
Website port
In the Configure Forwarding Rule > Server Address section, you need to configure the back-to-origin port. This is the port your website uses. Use the following information to identify the port.
Standard ports (default): Web services use standard ports by default, so you do not need to specify them in the domain name to access the service.
HTTP: For example, http://yourdomain.com uses port 80.
HTTPS: For example, https://yourdomain.com uses port 443.
Non-standard ports: If a website uses a non-standard port, the port number appears immediately after the domain name in the format domain:port.
HTTP: For example, http://yourdomain.com:8080 uses port 8080.
HTTPS: For example, https://yourdomain.com:8443 uses port 8443.
Note: To ensure accuracy, check your web server's configuration file (such as nginx.conf for Nginx) to find the exact port.
WAF VIP
Understanding and viewing WAF VIPs
After you add a domain name to WAF, WAF assigns a dedicated virtual IP address (VIP) to receive business requests. This VIP is not shared with other tenants. To ensure high availability, this VIP is part of the Alibaba Cloud WAF cluster and is not bound to a specific physical device. Within the same WAF instance:
If domain exclusive IP or intelligent load balancing is not enabled, all domain names share one VIP.
After you enable domain exclusive IP, each domain is assigned an independent VIP.
After you configure intelligent load balancing, all domain names share multiple VIPs.
You cannot view the WAF VIP directly in the console. Use the ping or nslookup command to query a domain protected by WAF:
ping example.com # Replace with a domain protected by WAF
Important: This VIP is the WAF ingress IP address, not the WAF back-to-origin IP address range. You must configure your origin server as described in Allow the WAF back-to-origin IP address range.
Default SSL/TLS policy for compliance
To meet compliance requirements, you can customize the SSL certificates and TLS policies for your WAF VIPs. Before you run a compliance scan on a WAF VIP, follow these steps to upload a compliant HTTPS certificate and enable or disable specific TLS protocol versions and cipher suites.
Note: If the Exclusive IP Address feature is enabled, this configuration also applies to the exclusive IP address.
Above the list of added domains, click Default SSL/TLS Settings.
In the Default SSL/TLS Settings dialog box, configure the following settings and click OK.
Parameter | Description |
HTTPS Upload Type | Upload an SSL certificate. The procedure is the same as for uploading a domain certificate. For details, see Upload a certificate. |
TLS Version | Valid values: TLS 1.0 and Later (Best Compatibility and Low Security); TLS 1.1 and Later (High Compatibility and High Security), which prevents legacy clients that support only TLS 1.0 from accessing your website; TLS 1.2 and Later (High Compatibility and Best Security), which meets current security compliance requirements but prevents legacy clients that support only TLS 1.0 and 1.1 from accessing your website; Support TLS 1.3, which you select if your website supports the TLS 1.3 protocol. Note: TLS 1.0 and TLS 1.1 are deprecated (RFC 8996), so a compliance scan will typically flag the first two settings; choose TLS 1.2 and Later unless you have measured that legacy clients still depend on the older versions. |
HTTPS Cipher Suite | Select the cipher suites that you want to enable. Valid values: All Cipher Suites (High Compatibility and Low Security); Custom Cipher Suite (select based on protocol version; proceed with caution), which you select if your website supports only specific cipher suites. Proceed with caution to avoid disrupting your services. For more information about the supported custom cipher suites, see WAF-supported cipher suites. |
Port scan results and security risks
When you use a tool like Nmap to scan a domain added to WAF by using a CNAME record, the scan may report ports as open that are closed on your origin server. This is expected behavior because the domain resolves to the WAF VIP. The scan targets the WAF VIP's ports, not your origin server's.
WAF forwards traffic only for the ports that you configure in the console. On unconfigured ports, WAF completes the TCP three-way handshake but then immediately terminates the connection with an RST packet without forwarding any data. Therefore, these ports pose no security risk. VIP ports cannot be closed manually. For more information, see Explanation of non-standard ports in WAF.
Can I change the DNS record to point to the WAF VIP?
No. When you add a domain to WAF by using a CNAME record, you must point your DNS record to the CNAME address provided by WAF, not to the WAF VIP address. The VIP address may change, for example, when you enable or disable an exclusive IP or intelligent load balancing, or in extreme cases of a WAF failure. Pointing your domain directly to the VIP address can cause service interruptions. Using a CNAME record lets WAF switch the backend IP address automatically to maintain business continuity.
Product capabilities
Can I use WAF with CDN and NAT Gateway?
Yes. If you use a layer 7 proxy such as a CDN or Anti-DDoS in front of WAF, you must configure the Is a Layer 7 proxy (such as Anti-DDoS or CDN) deployed in front of WAF? setting when you add the domain to WAF. For more information, see Provide WAF security protection for domain names with CDN content acceleration enabled.
When you add a domain to WAF, the origin server address you specify is where WAF forwards traffic after inspection. WAF supports origin servers such as NAT Gateway, Server Load Balancer, servers, and OSS.
What cipher suites does WAF support?
In CNAME record mode, you can specify custom cipher suites to restrict WAF to accepting connections only from clients that support those suites. For a list of supported cipher suites, see HTTPS cipher suite.