Before you can use Web Application Firewall (WAF) to protect your web services, you must add your website to WAF. This topic describes how to add a website to WAF.
Access mode
You can add your website to WAF in CNAME record mode or transparent proxy mode based on your business requirements. HTTP/1.0, HTTP/1.1, and HTTP/2 are supported by default.
Comparison item | CNAME record mode | Transparent proxy mode |
---|---|---|
Description | The CNAME record mode allows you to add the domain name of a website that you want to protect to WAF and change the DNS record. This way, traffic traveling to the website is forwarded to and protected by WAF. | The transparent proxy mode allows you to protect a website by adding its domain name to WAF, without the need to change its DNS record. This way, traffic traveling to the website is forwarded to and protected by WAF. |
Supported origin servers | Origin servers that are deployed in-cloud or on-premises | Origin servers that are Elastic Compute Service (ECS) instances or that are added to an Internet-facing Server Load Balancer (SLB) instance |
The number of domain names that can be added | One domain name each time | All of the domain names that are included in the ECS or SLB instance |
Whether back-to-origin rules must be configured | You must configure back-to-origin rules. | You do not need to configure back-to-origin rules. |
Whether the DNS record must be changed | You must change the DNS record. | You do not need to change the DNS record. |
Whether protection for origin servers must be configured | In CNAME record mode, the origin server remains reachable at its own IP address, so an attacker who learns that address can bypass WAF and attack the origin directly. You must therefore configure protection for your origin server to prevent such direct-to-origin attacks. | You do not need to configure protection for your origin server. |
Limits | N/A | For more information about the limits of the transparent proxy mode, see Limits. |
Add a website in CNAME record mode
- Upload an HTTPS certificate
If your website uses HTTPS, you must upload a valid HTTPS certificate in the WAF console to make sure that WAF processes HTTPS requests as expected. For more information, see Upload an HTTPS certificate.
- Allow access from the back-to-origin CIDR blocks of WAF
WAF uses specific back-to-origin CIDR blocks to forward normal traffic to an origin server. As a result, the origin server sees a high volume of requests arriving from this small set of source IP addresses, and the firewall or security software on the origin server may mistake these addresses for attack sources and block them. Therefore, you must add the back-to-origin CIDR blocks to the IP address whitelist of that firewall or security software. For more information, see Allow access from the back-to-origin CIDR blocks of WAF.
- Configure protection for an origin server
For security purposes, we recommend that you configure access control policies for the origin server to allow inbound traffic only from the back-to-origin CIDR blocks of WAF. This way, attackers cannot bypass WAF to attack the origin server. For more information, see Configure protection for an origin server.
- Configure custom TLS settings
If the website that you added to WAF uses HTTPS to transmit data, you can customize TLS version settings and cipher suites for the domain name of the website. For more information, see Configure custom TLS settings.
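The two origin-side steps above (whitelisting the back-to-origin CIDR blocks and allowing inbound traffic only from them) can be checked and expressed in code. The following script is an added example and is not part of the Alibaba Cloud WAF documentation or its tooling. It assumes that the back-to-origin CIDR blocks have been copied from the WAF console (the blocks below are constructed placeholders from the RFC 5737 and RFC 3849 documentation ranges, not real WAF addresses), that the origin's access log uses an nginx-style format with the TCP peer address first and the X-Forwarded-For value quoted last (the log lines are constructed), and that iptables/ip6tables is one acceptable way to write the origin's host firewall policy; on an ECS instance the equivalent rules would go into a security group.

```python
"""Detect direct-to-origin requests and generate a WAF-only allowlist.

Added example, not part of the WAF documentation. All CIDR blocks and log
lines below are constructed placeholders.
"""
import ipaddress
import re
from typing import Dict, List, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed placeholder blocks (documentation ranges). Replace them with
# the back-to-origin CIDR blocks listed in the WAF console.
WAF_BACK_TO_ORIGIN_CIDRS = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48"]

# Constructed sample origin access log (nginx-style): peer address first,
# the X-Forwarded-For value relayed by WAF quoted at the end.
# 198.51.100.200 sits just outside the /25 block and must be flagged.
SAMPLE_LOG = """\
192.0.2.17 - - [12/Mar/2024:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 512 "203.0.113.9"
198.51.100.200 - - [12/Mar/2024:10:01:03 +0800] "GET /admin HTTP/1.1" 403 0 "-"
203.0.113.55 - - [12/Mar/2024:10:01:04 +0800] "POST /login HTTP/1.1" 200 88 "-"
192.0.2.200 - - [12/Mar/2024:10:01:05 +0800] "GET /api/v1/users?id=1 HTTP/1.1" 200 1024 "203.0.113.9"
"""

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<xff>[^"]*)"$'
)


def parse_cidrs(cidrs: Sequence[str]) -> List[Network]:
    """Parse CIDR strings strictly: a typo such as 192.0.2.1/24 raises
    ValueError instead of silently being accepted."""
    return [ipaddress.ip_network(c) for c in cidrs]


def is_waf_source(ip: str, networks: Sequence[Network]) -> bool:
    """True if the peer address belongs to one of WAF's back-to-origin blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


def find_bypass_requests(log_text: str, networks: Sequence[Network]) -> List[Dict[str, str]]:
    """Return requests whose TCP peer is not a WAF address, i.e. traffic that
    reached the origin directly and was never inspected by WAF."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job should count these
        if not is_waf_source(m["peer"], networks):
            hits.append({"peer": m["peer"], "request": m["request"], "status": m["status"]})
    return hits


def firewall_allowlist(cidrs: Sequence[str], port: int = 443) -> List[str]:
    """Emit host-firewall rules that accept the port only from WAF blocks and
    drop everything else (iptables/ip6tables syntax; adapt for a security group)."""
    rules = []
    for net in parse_cidrs(cidrs):
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
    # Default-deny for the port after the WAF blocks have been accepted.
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    nets = parse_cidrs(WAF_BACK_TO_ORIGIN_CIDRS)
    for hit in find_bypass_requests(SAMPLE_LOG, nets):
        print(f"direct-to-origin: {hit['peer']} {hit['request']} -> {hit['status']}")
    print("\n".join(firewall_allowlist(WAF_BACK_TO_ORIGIN_CIDRS)))
```

Run the bypass check against the origin's log after the DNS record has been switched to the WAF CNAME: any hit is either a client that cached the old A record or an attacker who found the origin address, and both confirm that the origin still accepts traffic that did not pass through WAF. Apply the allowlist rules only after the WAF blocks have been verified, because a missing block silently breaks legitimate traffic rather than exposing the origin.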
Add a website in transparent proxy mode
Add cloud services to WAF
You can use WAF together with other Alibaba Cloud security services such as Anti-DDoS Pro or Anti-DDoS Premium and Alibaba Cloud CDN to improve the security of your website.
- Protect a website service by using both Anti-DDoS Pro or Anti-DDoS Premium and WAF: You can deploy Anti-DDoS Pro or Anti-DDoS Premium and WAF in sequence to protect your website against web application attacks and DDoS attacks.
- Use WAF with CDN: You can deploy Alibaba Cloud CDN and WAF in sequence to protect your website against web application attacks and accelerate access to your website.
What to do next
After your website is added to WAF, WAF filters the requests that are destined for the website and forwards normal requests to the origin server. WAF provides multiple features to protect your website against different types of attacks. By default, only the protection rules engine and HTTP flood protection features are enabled. The protection rules engine feature protects your website against common web attacks such as SQL injections, cross-site scripting (XSS) attacks, and webshell uploads. The HTTP flood protection feature protects your website against HTTP flood attacks. To use other features, you must manually enable the features and configure protection rules. For more information, see Overview of website protection features.