If your domain name is at risk of web attacks and you have enabled a content delivery network (CDN) for it, we recommend that you use Web Application Firewall (WAF) together with the CDN service, such as Alibaba Cloud CDN, to protect your web services. This topic describes how to use WAF together with CDN to protect web services.

Network architecture

You can deploy WAF and CDN in the following sequence: CDN, WAF, and origin servers. CDN is deployed at the ingress layer to accelerate content distribution. WAF is deployed at the intermediate layer to protect applications. Origin servers can be deployed on Elastic Compute Service (ECS) instances or Server Load Balancer (SLB) instances in virtual private clouds (VPCs) or data centers. Traffic is first accelerated by CDN and then filtered by WAF, so only normal service traffic is forwarded to the origin server. This ensures service and data security.

Prerequisites

Step 1: Add a domain name to WAF

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
  2. In the left-side navigation pane, choose Asset Center > Website Access.
  3. On the Domain Names tab, click Website Access.
  4. Add the domain name that you want to protect to WAF.
    • CNAME record mode
      Note On the Add Domain Name page, the Access Mode parameter is set to CNAME Record by default. In CNAME record mode, you do not need to modify the value of the Access Mode parameter.
      1. In the Enter Your Website Information step, configure the parameters and click Next. The following list describes the parameters.
        • Domain Name: Enter the domain name of the website that you want to protect.
        • Protection Resource: Select the type of protection resource that you want to use.
        • Protocol Type: Select the type of protocol that is supported by your website.
        • Destination Server (IP Address): IP: Enter the public IP address of the SLB or ECS instance on which the origin server is deployed, or the IP address of an origin server that is not deployed on Alibaba Cloud.
        • Destination Server Port: Specify the port based on the value of the Protocol Type parameter. The port is used by the origin server to provide services.
        • Load Balancing Algorithm: If you enter multiple addresses of origin servers, configure this parameter based on your business requirements.
        • Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Set this parameter to Yes.
        • Enable Traffic Mark: Specify whether to enable the traffic marking feature of WAF.
        • Resource Group: If you want to manage cloud resources by department or project, select the resource group to which the domain name belongs from the resource group drop-down list.
      2. On the Domain Names tab of the Website Access page, find the domain name that you added to WAF and copy the CNAME that is assigned by WAF to the domain name.
        [Figure: The CNAME that is assigned by WAF]
    • Transparent proxy mode
      1. On the Add Domain Name page, set the Access Mode parameter to Transparent Proxy Mode.
      2. In the Add Domain Name step, configure the parameters and click Next. The following list describes the parameters.
        • Domain Name: Enter the domain name of the website that you want to protect.
        • SLB-based Domains, Layer 7 SLB-based Domains, Layer 4 SLB-based Domains, and ECS-based Domains: Select the type of the instance that you want to protect and the port that you want to use to redirect traffic.
        • Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Set this parameter to Yes.
        • Enable Traffic Mark: Specify whether to enable the traffic marking feature of WAF.
        • Resource Group: If you want to manage cloud resources by department or project, select the resource group to which the domain name belongs from the resource group drop-down list.
      3. In the Check and Confirm Added Information step, check and confirm the information and click Next.
      4. Click Completed. Go back to the Domain Names tab of the Website Access page. On the Servers tab, select Resource Instance ID from the Resource Instance ID drop-down list, enter the ID of the resource instance, and search for the IP address and port of the instance that you added to WAF.
  5. Modify the DNS record.
    After you add the domain name to WAF, you must modify the DNS record to resolve the domain name to WAF. For more information, see Change a DNS record.

Step 2: Enable WAF protection for a domain name that is added to Alibaba Cloud CDN

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name for which you want to enable WAF protection and click Manage in the Actions column.
  4. In the left-side navigation pane of the page that appears, click Basics. In the Origin Information section, click Add Origin Server. In the Add Origin Server dialog box, configure the parameters and click OK. The following list describes the parameters.
    • Origin Info:
      • If the domain name is added to WAF in CNAME record mode, select Site Domain and enter the CNAME that you obtained in CNAME record mode.
      • If the domain name is added to WAF in transparent proxy mode, select IP and enter the public IP address of the origin server that you obtained in transparent proxy mode.
    • Priority: Specify the priority of the origin server. A primary origin server has a higher priority than a secondary origin server.
    • Weight: Specify the weight of the origin server. If multiple origin servers have the same priority, Alibaba Cloud CDN redirects requests to the origin servers based on the weights.
    • Port: Specify the port of the origin server that processes requests.
  5. In the left-side navigation pane of the Domain Names page, click Back-to-origin. On the Configurations tab, verify that Default Origin Host is disabled.
    [Figure: Default Origin Host]
After you complete the configuration, traffic passes through Alibaba Cloud CDN. WAF continues to detect and protect the dynamic content.
Note If you want to forward the traffic that is sent to a domain name named B to a domain name named A that is added to WAF, log on to the Alibaba Cloud DNS console and add a URL forwarding record to forward requests that are sent to domain name B to domain name A. For more information, see the "Add an explicit or implicit URL forwarding record" section in the Add a DNS record topic.
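The two settings that this topic insists on, "Does a layer 7 proxy exist in front of WAF: Yes" in Step 1 and "Default Origin Host disabled" in Step 2, both exist because the CDN, not the browser, is the TCP peer that WAF sees. The following is an added example (not Alibaba Cloud code and not a description of how WAF is implemented internally) that simulates the CDN back-to-origin hop and the two checks a WAF behind a CDN has to get right: recovering the real client address from X-Forwarded-For while trusting only the CDN's own addresses, and matching the request to a protected domain by its original Host header. The CDN address range, the client address, the domain name, and the WAF CNAME used below are all constructed placeholders.

```python
"""Added example: client-IP recovery and Host-based routing for a WAF behind a CDN.

Not Alibaba Cloud code. All addresses, the domain name and the WAF CNAME are
constructed placeholders for the simulation.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed: the address range the CDN uses for back-to-origin requests.
# In a real deployment this is the CDN provider's published range, not 203.0.113.0/24.
TRUSTED_CDN_RANGES: List[ipaddress.IPv4Network] = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: domains added to WAF, mapped to their origin server (IP:port).
PROTECTED_DOMAINS: Dict[str, str] = {"www.example.com": "192.0.2.10:443"}

# Constructed placeholder for the CNAME that WAF assigns to the domain name.
WAF_CNAME = "www-example-com.waf-cname.placeholder"


def is_trusted_proxy(ip: str) -> bool:
    """True if the address belongs to the CDN that is declared in front of WAF."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_CDN_RANGES)


def cdn_back_to_origin(client_addr: str, request_headers: Dict[str, str],
                       default_origin_host: bool) -> Dict[str, str]:
    """Simulate the CDN's back-to-origin hop towards the WAF CNAME.

    The CDN appends the connecting client to X-Forwarded-For. If "Default Origin
    Host" were enabled, it would also rewrite Host to the origin address (the WAF
    CNAME), which is exactly what Step 2 tells you to avoid.
    """
    out = dict(request_headers)
    existing = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{existing}, {client_addr}" if existing else client_addr
    if default_origin_host:
        out["Host"] = WAF_CNAME
    return out


def client_ip(peer_ip: str, headers: Dict[str, str], layer7_proxy_in_front: bool) -> str:
    """Return the address WAF should treat as the client.

    With no layer 7 proxy declared, the TCP peer is the client and X-Forwarded-For
    is ignored because the client can put anything in it. With a proxy declared,
    walk X-Forwarded-For from the right, skip the trusted CDN hops, and take the
    first untrusted hop: that is the address the CDN itself observed. The leftmost
    value is never trusted blindly, since the client supplied it.
    """
    if not layer7_proxy_in_front or not is_trusted_proxy(peer_ip):
        # Either no proxy is expected, or the request did not arrive via the CDN.
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    return peer_ip


def route_by_host(headers: Dict[str, str]) -> Optional[str]:
    """Match the request to a domain added to WAF using its Host header.

    Returns the origin to forward to, or None if no protected domain matches
    (which is what happens when the CDN has rewritten Host to the WAF CNAME).
    """
    host = headers.get("Host", "").split(":")[0].strip().lower()
    return PROTECTED_DOMAINS.get(host)


def demo() -> Dict[str, Optional[str]]:
    """Run the simulation end to end and return the observable results."""
    # Constructed request from a client that also spoofs an X-Forwarded-For value.
    browser_request = {"Host": "www.example.com", "X-Forwarded-For": "10.0.0.1"}
    real_client = "198.51.100.7"   # constructed client address
    cdn_node = "203.0.113.5"       # constructed CDN back-to-origin address

    correct = cdn_back_to_origin(real_client, browser_request, default_origin_host=False)
    wrong = cdn_back_to_origin(real_client, browser_request, default_origin_host=True)
    return {
        "ip_with_proxy_declared": client_ip(cdn_node, correct, True),
        "ip_without_proxy_declared": client_ip(cdn_node, correct, False),
        "ip_when_cdn_bypassed": client_ip(real_client, browser_request, True),
        "origin_host_preserved": route_by_host(correct),
        "origin_host_rewritten": route_by_host(wrong),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three client-IP results show why the proxy setting matters: with the proxy declared and the request arriving from the CDN range, WAF recovers 198.51.100.7 and ignores the spoofed 10.0.0.1; with the proxy not declared, every request would appear to come from the CDN node, so per-client rules would act on the wrong address; and a request that bypasses the CDN entirely is not allowed to pick its own identity through the header. The two routing results show why Default Origin Host stays disabled: once Host is rewritten to the WAF CNAME, the request no longer matches any domain that was added to WAF.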

Related operations

If you want to enable WAF protection for a domain name for which Dynamic Route for CDN (DCDN) is enabled, you can enable WAF in the DCDN console. Then, you can use WAF to protect your web services on DCDN nodes. For more information, see Getting started with WAF (new edition).

References