Tutorial - Web Application Firewall - Alibaba Cloud Documentation Center

Access mode

You can add your website to WAF in CNAME record mode or transparent proxy mode based on your business requirements. HTTP 1.0, HTTP 1.1, and HTTP 2.0 are supported by default.


Comparison item	CNAME record mode	Transparent proxy mode
Description	The CNAME record mode allows you to add the domain name of a website that you want to protect to WAF and change the DNS record. This way, traffic traveling to the website is forwarded to and protected by WAF.	The transparent proxy mode allows you to protect a website by adding its domain name to WAF, without the need to change its DNS record. This way, traffic traveling to the website is forwarded to and protected by WAF.
Supported origin servers	Origin servers that are deployed in-cloud or on-premises	Origin servers that are Elastic Compute Service (ECS) instances or that are added to an Internet-facing Server Load Balancer (SLB) instance
The number of domain names that can be added	One domain name each time	All of the domain names that are included in the ECS or SLB instance
Whether back-to-origin rules must be configured	You must configure back-to-origin rules.	You do not need to configure back-to-origin rules.
Whether the DNS record must be changed	You must change the DNS record.	You do not need to change the DNS record.
Whether protection for origin servers must be configured	When you add your website to WAF in CNAME record mode, attackers can bypass WAF and launch direct-to-origin attacks. Therefore, you must configure protection for your origin server to prevent such attacks.	You do not need to configure protection for your origin server.
Limits	N/A	WAF instances in some regions do not support the transparent proxy mode due to network architecture limits. Internal-facing SLB instances do not support the transparent proxy mode. IPv6 Internet-facing SLB instances do not support the transparent proxy mode. The number of traffic redirection ports that are supported in transparent proxy mode is limited. Default protection rules cannot be changed. You must configure a domain name before you can configure protection rules for the domain name. For more information about the limits of the transparent proxy mode, see Limits.

Add a website in CNAME record mode

On the Add Domain Name page of the WAF console, set Access Mode to CNAME Record.

Add the domain name of the website that you want to protect to WAF and configure back-to-origin rules.


Parameter	Description
Domain Name	Enter the domain name of the website that you want to protect.
Protection Resource	Select the type of protection resource that you want to use.
Protocol Type	Select the protocol that is supported by your website. If you set Protocol Type to HTTPS, you can select Enable Origin SNI. You can also click Advanced Settings and then select Enable HTTPS Routing and Enable HTTP.
Destination Server Port	Specify the port based on the value of the Protocol Type parameter. The port is used by the origin server to provide services. Important If the origin server uses a port other than HTTP port 80 and HTTPS port 443, you can specify the port and check whether the port is within the port range that is supported by WAF. For more information, see View the ports supported by WAF.
Destination Server (IP Address)	Specify the type of the origin server address. Valid values: IP: Enter the public IP addresses of the SLB or ECS instances on which the origin servers are deployed, or the IP addresses of the origin servers that are not deployed on Alibaba Cloud. Domain Name (Such as CNAME): Enter the domain names of the origin servers. The domain names of the origin servers cannot be the same as the domain name of the website added to WAF. Only IPv4 addresses are supported.
Load Balancing Algorithm	If you enter multiple addresses for origin servers, configure this parameter based on your business requirements.
Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF	Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN.
Enable Traffic Mark	Specify whether to enable the WAF traffic marking feature.
Resource Group	If you want to manage cloud resources by department or project, select the resource group to which the domain name belongs from the resource group drop-down list.

For more information, see Add a domain name.

Check whether the configurations take effect. If you change the DNS record before the forwarding configurations for your website take effect, service interruptions may occur. For more information, see Verify domain name settings.
Change the DNS record. You must manually change the DNS record to redirect requests that are destined for your website to WAF.
The following example demonstrates how to change the DNS record in Alibaba Cloud DNS.
1. Obtain the CNAME or IP address of your WAF instance. For more information, see Obtain the CNAME or IP address of your WAF instance.
2. On the Domain Name Resolution page of the Alibaba Cloud DNS console, locate the domain name whose configurations you want to modify and click DNS Settings in the Actions column.
  - If the value of Record Type is CNAME, click Modify in the Actions column and set Record Value to the CNAME of your WAF instance.
  - If the value of Record Type is A, click Modify in the Actions column and set Record Value to the IP address of your WAF instance.
For more information, see Change a DNS record.
Check whether your website is protected by WAF. For more information, see Verify domain name settings.

After you perform the preceding operations, your website is protected by WAF. To enhance the protection capabilities of your WAF instance, we recommend that you perform the following operations:

Upload an HTTPS certificate
If your website uses HTTPS, you must upload a valid HTTPS certificate in the WAF console to make sure that WAF processes HTTPS requests as expected. For more information, see Upload an HTTPS certificate.
Allow access from the back-to-origin CIDR blocks of WAF
WAF uses specific back-to-origin CIDR blocks to forward normal traffic back to an origin server. This way, the origin server receives requests from the back-to-origin CIDR blocks of WAF and requests are sent at a high rate. In this case, the firewall or security software hosted on the origin server may consider these CIDR blocks as attack IP addresses and block them. Therefore, you must add the back-to-origin CIDR blocks to the IP address whitelist of the security software. For more information, see Allow access from the back-to-origin CIDR blocks of WAF.
Configure protection for an origin server
For security purposes, we recommend that you configure access control policies for the origin server to allow inbound traffic only from the back-to-origin CIDR blocks of WAF. This way, attackers cannot bypass WAF to attack the origin server. For more information, see Configure protection for an origin server.
Configure custom TLS settings
If the website that you added to WAF uses HTTPS to transmit data, you can customize TLS version settings and cipher suites for the domain name of the website. For more information, see Configure custom TLS settings.

Add a website in transparent proxy mode

On the Add Domain Name page of the WAF console, set Access Mode to Transparent Proxy Mode.

Add the domain name of your website to WAF.


Parameter	Description
Domain Name	Enter the domain name of the website that you want to protect.
Destination Server Port	Select the instance type and the port for the instance. WAF supports the following types of instances: ALB-based Domains, Layer 7 SLB-based Domains, Layer 4 SLB-based Domains, and ECS-based Domains.
Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF	Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN.
Enable Traffic Mark	Specify whether to enable the WAF traffic marking feature.
Resource Group	If you want to manage cloud resources by department or project, select the resource group to which the domain name belongs from the resource group drop-down list.

For more information, see Add a website in transparent proxy mode.

Check whether your website is protected by WAF. For more information, see Verify domain name settings.

Add cloud services to WAF

You can use WAF together with other Alibaba Cloud security services such as Anti-DDoS Pro or Anti-DDoS Premium and Alibaba Cloud CDN to improve the security of your website.

Protect a website service by using both Anti-DDoS Pro or Anti-DDoS Premium and WAF: You can deploy Anti-DDoS Pro or Anti-DDoS Premium and WAF in sequence to protect your website against web application attacks and DDoS attacks.
Use WAF with CDN: You can deploy Alibaba Cloud CDN and WAF in sequence to protect your website against web application attacks and accelerate access to your website.

What to do next

After your website is added to WAF, WAF filters the requests that are destined for the website and forwards normal requests to the origin server. WAF provides multiple features to protect your website against different types of attacks. By default, only the protection rules engine and HTTP flood protection features are enabled. The protection rules engine feature protects your website against common web attacks such as SQL injections, cross-site scripting (XSS) attacks, and webshell uploads. The HTTP flood protection feature protects your website against HTTP flood attacks. To use other features, you must manually enable the features and configure protection rules. For more information, see Overview of website protection features.