Before you can use Web Application Firewall (WAF) to protect your web services, you must add your website to WAF. If you do not add your website to WAF, WAF does not protect your website.

Add your website to WAF

After you activate WAF, you can add your website to WAF in CNAME record mode.

After you add the domain name of your website in the WAF console, you must change the DNS record to redirect the requests that are destined for your website to WAF. Then, WAF filters the requests and forwards normal requests to the origin server of the domain name. You can manually add your website or configure WAF to automatically add your website.

In CNAME record mode, perform the following operations to add your website to WAF:
  1. Add a domain name: Manually add a website to WAF, or configure WAF to automatically add a website.
    Note
    • If your website uses HTTPS, you must upload a valid HTTPS certificate in the WAF console to make sure that WAF processes HTTPS requests as expected. For more information, see Upload an HTTPS certificate.
    • If the origin server uses a port other than HTTP port 80 and HTTPS port 443, you can specify the port and check whether the port is within the port range that is supported by WAF. For more information, see View the ports supported by WAF.
  2. Allow access from back-to-origin CIDR blocks of WAF: WAF uses specified back-to-origin CIDR blocks to forward normal requests to the origin server. To allow inbound requests from the back-to-origin CIDR blocks, you must configure security software or access control policies on the origin server when you add a website to WAF.
  3. Verify domain name settings: Set up a staging environment after the domain name is added to WAF and check whether the request forwarding settings are in effect. We recommend that you do not change the DNS record before the settings take effect; otherwise, access failures may occur.
  4. Change a DNS record: Manually change the DNS record to redirect the requests that are destined for your website to WAF.
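Step 2 is where an origin is most often left exposed: if the origin still accepts web traffic from anywhere, an attacker who learns its IP address can talk to it directly and WAF never sees the request. The following is an added example (not Alibaba Cloud's code) of how an origin-side allowlist can be built from the back-to-origin CIDR blocks. The CIDR blocks in it are constructed placeholders from the documentation address ranges; replace them with the back-to-origin CIDR blocks shown in your WAF console. `render_nftables` emits an nftables ruleset for a Linux origin; the same list is what you would enter as the source of an ECS security group or SLB access control rule.

```python
"""Allow inbound web traffic only from WAF back-to-origin CIDR blocks.

Added example, not Alibaba Cloud code. The CIDR blocks below are
constructed placeholders (documentation ranges), NOT real WAF ranges;
take the real list from the WAF console.
"""
import ipaddress
from typing import Iterable, List

# Constructed placeholder CIDR blocks standing in for the WAF console list.
WAF_BACK_TO_ORIGIN_CIDRS: List[str] = [
    "203.0.113.0/24",   # placeholder (TEST-NET-3)
    "198.51.100.0/25",  # placeholder (TEST-NET-2, first half)
    "2001:db8:1::/48",  # placeholder (IPv6 documentation prefix)
]

# Ports the origin serves; adjust if the origin uses a non-standard port.
ORIGIN_PORTS = (80, 443)


def parse_cidrs(cidrs: Iterable[str]):
    """Parse CIDR strings once; strict=True rejects host bits set in a prefix."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed_source(src_ip: str,
                      cidrs: Iterable[str] = WAF_BACK_TO_ORIGIN_CIDRS) -> bool:
    """True if the connecting peer address lies inside a WAF back-to-origin block."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in parse_cidrs(cidrs)
               if net.version == addr.version)


def render_nftables(cidrs: Iterable[str] = WAF_BACK_TO_ORIGIN_CIDRS,
                    ports: Iterable[int] = ORIGIN_PORTS) -> str:
    """Render an nftables ruleset: web ports accept only from WAF, else drop.

    Traffic to other ports (SSH, monitoring, ...) is left to existing policy.
    """
    nets = parse_cidrs(cidrs)
    v4 = ", ".join(str(n) for n in nets if n.version == 4)
    v6 = ", ".join(str(n) for n in nets if n.version == 6)
    port_set = ", ".join(str(p) for p in ports)
    lines = [
        "table inet waf_origin {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    ct state established,related accept",
    ]
    if v4:
        lines.append(f"    ip saddr {{ {v4} }} tcp dport {{ {port_set} }} accept")
    if v6:
        lines.append(f"    ip6 saddr {{ {v6} }} tcp dport {{ {port_set} }} accept")
    lines += [
        f"    tcp dport {{ {port_set} }} drop",   # anything not from WAF
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    print("203.0.113.7 allowed:", is_allowed_source("203.0.113.7"))
    print("203.0.114.7 allowed:", is_allowed_source("203.0.114.7"))
```

Apply the rendered ruleset with `nft -f` after checking it against the console list; when WAF publishes additional back-to-origin CIDR blocks, regenerate and reapply the ruleset rather than editing rules by hand, so the allowlist and the console list cannot drift apart.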

After you add the website, WAF filters the requests that are destined for the website and forwards normal requests to the origin server. WAF provides multiple features to protect your website against different types of attacks. By default, only the protection rules engine and HTTP flood protection features are enabled. The protection rules engine feature protects your website against common web attacks, such as SQL injections, cross-site scripting (XSS) attacks, and webshell uploads. The HTTP flood protection feature protects your website against HTTP flood attacks. To use other features, you must manually enable the features and configure protection rules. For more information, see Overview.

Best practices

  • Configure protection for an origin server: If the origin server is deployed on an Elastic Compute Service (ECS) instance, you can configure security group policies for the ECS or Server Load Balancer (SLB) instance to allow inbound requests only from WAF to the origin server. This way, attackers cannot bypass WAF to attack the origin server.
  • Retrieve actual IP addresses of clients: After you configure WAF, all requests that are destined for your website are forwarded to WAF, and then WAF forwards the normal requests to the origin server. The origin server can use the X-Forwarded-For header to retrieve the originating IP addresses of these requests.
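The X-Forwarded-For header is only meaningful if the origin knows which hop appended it: the header is client-supplied text, so a request that reaches the origin without passing through WAF, or a client that sends its own forged X-Forwarded-For value, can present any address it likes. The following added example (not Alibaba Cloud's code) shows the origin-side logic for recovering the client address: it trusts the header only when the TCP peer is a WAF back-to-origin address, and then walks the header from the right, skipping trusted hops, so that client-controlled entries on the left are ignored. The CIDR blocks are constructed placeholders; the peer and client addresses in the usage are also constructed.

```python
"""Recover the originating client IP behind WAF from X-Forwarded-For.

Added example, not Alibaba Cloud code. Assumes the origin is reached via
WAF and that the WAF back-to-origin CIDR blocks are known; the blocks
below are constructed placeholders, NOT real WAF ranges.
"""
import ipaddress
from typing import List, Optional

# Constructed placeholder CIDR blocks; replace with the WAF console list.
# If a CDN sits in front of WAF, add its egress ranges here too, since
# its hops will also appear in the header.
WAF_BACK_TO_ORIGIN_CIDRS: List[str] = ["203.0.113.0/24", "198.51.100.0/25"]
_TRUSTED = [ipaddress.ip_network(c) for c in WAF_BACK_TO_ORIGIN_CIDRS]


def is_trusted_proxy(ip: str) -> bool:
    """True if `ip` parses and belongs to a trusted (WAF) address block."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in _TRUSTED)


def client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Return the client address for a request.

    peer_ip: the TCP peer as seen by the origin (socket address).
    xff:     the raw X-Forwarded-For header value, or None if absent.

    The rightmost header entry was appended by the hop nearest to us. We
    walk right-to-left, skipping trusted hops, and take the first address
    that is not a trusted proxy; everything left of it is untrusted input.
    """
    if not is_trusted_proxy(peer_ip):
        # Request did not arrive via WAF: the peer is the client, and any
        # X-Forwarded-For it sent is unverifiable, so ignore the header.
        return peer_ip
    if not xff:
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))  # normalised form
        except ValueError:
            return peer_ip  # malformed entry; do not trust the header
    return peer_ip  # every entry was a trusted hop


if __name__ == "__main__":
    # Constructed sample: WAF peer forwarding a client, with a forged
    # leading entry that the client inserted itself.
    print(client_ip("203.0.113.9", "10.0.0.1, 198.18.0.1"))   # 198.18.0.1
    print(client_ip("192.0.2.5", "198.18.0.1"))               # 192.0.2.5
```

Feed `client_ip` into whatever the origin uses for rate limiting, access logs and geo rules; logging the raw header alongside the derived address makes forged entries visible during incident review instead of silently replacing the real source.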

Add cloud services to WAF