
Web Application Firewall: Tutorial

Last Updated:Apr 26, 2024

Before you can use Web Application Firewall (WAF) to protect your web services, you must add your website to WAF. This topic describes how to add a website to WAF.

Access modes

You can add your website to WAF in CNAME record mode or transparent proxy mode based on your business requirements. By default, HTTP/1.0, HTTP/1.1, and HTTP/2 are supported.

Note: If your website supports HTTP/2, you can select HTTP2 to enable HTTP/2 protection.

The following comparison summarizes the two access modes.

Introduction

  CNAME record mode: In CNAME record mode, you must add the domain name of the website that you want to protect to WAF and update the Domain Name System (DNS) record of the domain name of the website.

  Transparent proxy mode: In transparent proxy mode, you must add the cloud service instance on which your origin server is deployed to WAF. You do not need to update the DNS record of the domain name of the website.

Supported origin servers

  CNAME record mode: Origin servers deployed on and outside Alibaba Cloud.

  Transparent proxy mode: Origin servers deployed on Elastic Compute Service (ECS) instances or Internet-facing Server Load Balancer (SLB) instances.

Number of domain names that can be added

  CNAME record mode: One domain name each time.

  Transparent proxy mode: All domain names within an instance.

Whether back-to-origin settings must be configured

  CNAME record mode: Yes

  Transparent proxy mode: No

Whether the DNS record must be updated

  CNAME record mode: Yes

  Transparent proxy mode: No

Whether protection for origin servers must be configured

  CNAME record mode: Yes

  Transparent proxy mode: No

Limitations

  CNAME record mode: None

  Transparent proxy mode:

    • ECS or SLB instances in some regions do not support the transparent proxy mode due to network architecture limits.

    • Internal-facing SLB instances do not support the transparent proxy mode.

    • IPv6 Internet-facing SLB instances do not support the transparent proxy mode. The number of traffic redirection ports is limited.

    • Default protection rules cannot be changed. Before you can configure protection rules for a domain name, you must configure the domain name.

  For more information about the limits of the transparent proxy mode, see Transparent proxy mode.

CNAME record mode

  1. Go to the Add Domain Name page of the WAF console.

  2. Add the domain name of the website that you want to protect to WAF and configure back-to-origin settings.

    Parameters:

    Domain Name: Enter the domain name of the website that you want to protect.

    Protection Resource: Select the type of protection resource that you want to use.

    Protocol Type: Select the protocol that is supported by your website. If you set the Protocol Type parameter to HTTPS, you can select Enable Origin SNI. You can also click Advanced Settings and then select Enable HTTPS Routing and Enable HTTP.

    Destination Server Port: Specify the port based on the value of the Protocol Type parameter. The port is used by the origin server to provide services.

      Important: If the origin server uses a port other than HTTP port 80 and HTTPS port 443, you can specify the port and check whether the port is within the port range that is supported by WAF. For more information, see View the ports supported by WAF.

    Destination Server (IP Address): Specify the type of the origin server address. Valid values:

      • IP: Enter the public IP addresses of the SLB or ECS instances on which the origin servers are deployed, or the IP addresses of the origin servers that are not deployed on Alibaba Cloud.

      • Domain Name (Such as CNAME): Enter the domain names of the origin servers. The domain names of the origin servers cannot be the same as the domain name of the website added to WAF. Only IPv4 addresses are supported.

    Load Balancing Algorithm: If you enter multiple addresses for origin servers, configure this parameter based on your business requirements.

    Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Specify whether a Layer 7 proxy, such as Anti-DDoS Proxy and Alibaba Cloud CDN, is deployed in front of WAF.

    Enable Traffic Mark: Specify whether to enable the traffic marking feature.

    Resource Group: If you want to manage cloud resources by department or project, select the resource group to which you want to add the domain name from the Resource Group drop-down list.

    For more information, see Add a domain name to WAF.

  3. Check whether the configurations take effect. If you update the DNS record before the forwarding configurations for your website take effect, service interruptions may occur. For more information, see Verify domain name settings.

  4. Update the DNS record. You must manually update the DNS record to redirect requests that are destined for your website to WAF.

    The following example demonstrates how to update the DNS record in Alibaba Cloud DNS.

    1. Obtain the CNAME or IP address of your WAF instance. For more information, see Obtain the CNAME that is assigned by WAF to your domain name.

    2. On the Domain Name Resolution page of the Alibaba Cloud DNS console, find the domain name whose configurations you want to modify and click DNS Settings in the Actions column. Modify the CNAME record to map the domain name to the CNAME that is provided by WAF.

    For more information, see Modify a DNS record.

  5. Check whether your website is protected by WAF. For more information, see Step 6.

After you perform the preceding operations, your website is protected by WAF. To enhance the protection capabilities of your WAF instance, we recommend that you perform the following operations:

  • Upload an HTTPS certificate

    If your website uses HTTPS, you must upload a valid HTTPS certificate in the WAF console to ensure that WAF processes HTTPS requests as expected. For more information, see Add a domain name to WAF.

  • Allow access from the back-to-origin CIDR blocks of WAF

    WAF uses specific back-to-origin CIDR blocks to forward normal traffic to an origin server. As a result, the origin server receives requests from the back-to-origin CIDR blocks of WAF at a high rate, and security software hosted on the origin server may mistake the back-to-origin CIDR blocks for attack IP addresses and block them. Therefore, you must add the back-to-origin CIDR blocks to the IP address whitelist of the security software. For more information, see Allow access from back-to-origin CIDR blocks of WAF.

  • Configure protection for an origin server

    For security purposes, we recommend that you configure access control policies for the origin server to allow inbound traffic only from the back-to-origin CIDR blocks of WAF. This way, attackers cannot bypass WAF to attack the origin server. For more information, see Configure protection for an origin server.

  • Configure custom TLS settings

    If the website that you added to WAF uses HTTPS to transmit data, you can configure custom TLS settings and cipher suites for the domain name of the website. For more information, see Configure custom TLS settings.
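The two recommendations about back-to-origin CIDR blocks (whitelisting them in the origin's security software, and allowing inbound traffic only from them) can be checked from the origin side. The following Python script is an added example, not Alibaba Cloud code or output from the WAF console: it reads an origin access log, reports every request whose peer address is outside the WAF back-to-origin blocks (a request that reached the origin without passing through WAF, which the access control policy should have stopped), recovers the real client address only when the peer is WAF, and renders the matching nginx allow/deny directives. The CIDR blocks, the log lines and the function names are constructed placeholders; in a real deployment use the back-to-origin CIDR list published in the WAF console.

```python
"""Check an origin server's access log for traffic that bypassed WAF.

Added example, not Alibaba Cloud code. Every value below is constructed:
WAF_BACK_TO_ORIGIN_CIDRS are placeholders for the real back-to-origin CIDR
blocks from the WAF console, and SAMPLE_LOG is a hand-written access log.
"""
import ipaddress
import re

# Placeholder back-to-origin blocks (constructed; replace with the console's list).
WAF_BACK_TO_ORIGIN_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed nginx "combined" log lines with the X-Forwarded-For value
# appended as a final quoted field (log_format ... '"$http_x_forwarded_for"').
SAMPLE_LOG = """\
192.0.2.17 - - [26/Apr/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.9"
198.51.100.44 - - [26/Apr/2024:10:00:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "203.0.113.77"
203.0.113.250 - - [26/Apr/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 200 1024 "-" "curl/8.0" "-"
198.51.100.200 - - [26/Apr/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.9"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)


def build_allowlist(cidrs):
    """Parse the CIDR strings and merge overlapping or adjacent blocks."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))


def is_from_waf(src_ip, allowlist):
    """True if the TCP peer address lies inside one of the WAF blocks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowlist)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def client_ip(entry, allowlist):
    """Recover the real client address.

    X-Forwarded-For is trusted only when the peer is WAF; a client that
    connects to the origin directly controls that header, so for such
    requests the peer address itself is the client.
    """
    if is_from_waf(entry["src"], allowlist) and entry["xff"] not in ("", "-"):
        return entry["xff"].split(",")[0].strip()
    return entry["src"]


def find_bypasses(log_text, cidrs):
    """List requests whose peer address is outside the WAF blocks."""
    allowlist = build_allowlist(cidrs)
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or is_from_waf(entry["src"], allowlist):
            continue
        findings.append({"time": entry["time"], "src": entry["src"],
                         "request": entry["request"], "status": entry["status"]})
    return findings


def nginx_allow_rules(cidrs):
    """Render allow/deny directives that admit only WAF traffic at the origin."""
    rules = [f"allow {net};" for net in build_allowlist(cidrs)]
    rules.append("deny all;")
    return "\n".join(rules)


if __name__ == "__main__":
    for f in find_bypasses(SAMPLE_LOG, WAF_BACK_TO_ORIGIN_CIDRS):
        print(f"BYPASS {f['time']} {f['src']} {f['request']} -> {f['status']}")
    print(nginx_allow_rules(WAF_BACK_TO_ORIGIN_CIDRS))
```

Two details are worth noticing in the sample. The fourth line comes from 198.51.100.200, which lies outside the /25 placeholder block even though it shares the first three octets, so prefix-length precision matters when copying the console's list. The same line carries an X-Forwarded-For header, but because the peer is not WAF the script ignores it and reports the peer address itself; trusting that header from arbitrary peers would let a direct connection spoof its client address. If a Layer 7 proxy such as Anti-DDoS Proxy or CDN sits in front of WAF, the leftmost X-Forwarded-For entry is still the client address as seen by that proxy, which is what the script returns.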

Transparent proxy mode

  1. On the Add Domain Name page of the WAF console, set the Access Mode parameter to Transparent Proxy Mode.

  2. Add a domain name.

    Parameters:

    Domain Name: Enter the domain name of the website that you want to add to WAF for protection.

    Destination Server Port: Select the instance type and the port for the instance. The following instances can be added to WAF in transparent proxy mode: ALB instances, Layer 7 CLB instances, Layer 4 CLB instances, and ECS instances.

    Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Specify whether a Layer 7 proxy, such as Anti-DDoS Proxy and Alibaba Cloud CDN, is deployed in front of WAF.

    Enable Traffic Mark: Specify whether to enable the traffic marking feature.

    Resource Group: If you want to manage cloud resources by department or project, select the resource group to which you want to add the domain name from the Resource Group drop-down list.

    For more information, see Transparent proxy mode.

  3. Check whether your website is protected by WAF. For more information, see Step 6.

Add cloud services to WAF

You can use WAF together with other Alibaba Cloud security services, such as Anti-DDoS Proxy and Alibaba Cloud CDN, to improve the security of your website.

What to do next

After your website is added to WAF, WAF filters the requests that are destined for the website and forwards normal requests to the origin server. WAF provides multiple features to protect your website against different types of attacks. By default, only the protection rules engine and HTTP flood protection features are enabled. The protection rules engine feature protects your website against common web attacks such as SQL injection attacks, cross-site scripting (XSS) attacks, and webshell uploads. The HTTP flood protection feature protects your website against HTTP flood attacks. To use other features, you must manually enable the features and configure protection rules. For more information, see Protection configuration overview.