Web Application Firewall (WAF) can be used together with a content delivery network (CDN), such as Alibaba Cloud CDN, to protect domain names that have content acceleration enabled against web attacks.

Background information

Deploy the components in this order: CDN, then WAF, then the origin servers. Alibaba Cloud CDN sits at the ingress layer and accelerates content delivery; requests that the CDN cannot serve from its cache are forwarded to WAF, which sits at the intermediate layer and protects the application; WAF forwards the requests that pass inspection to the origin servers.

Use Alibaba Cloud CDN

  1. Add the domain name that you want to accelerate to Alibaba Cloud CDN. For more information, see CDN quick start.
  2. Add the domain name to WAF.
    • Domain Name: Enter the domain name that you want to protect.
    • Destination Server (IP Address): Enter the public IP address of the SLB instance, the public IP address of the ECS instance, or the IP address of a server that is not deployed on Alibaba Cloud. This is the address to which WAF forwards requests after inspection.
    • Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select Yes. Because Alibaba Cloud CDN sits in front of WAF, the CDN nodes are the direct source of the connections that WAF receives. This setting makes WAF take the real client IP address from the X-Forwarded-For header that the CDN adds, so that IP-based protection rules act on clients rather than on CDN nodes.

    For more information, see Add websites.

  3. After the domain name is added to WAF, WAF generates a dedicated canonical name (CNAME) for the domain name.
    Note For more information about how to view the CNAME that is generated by WAF, see Change a DNS record.
  4. In the Alibaba Cloud CDN console, change the origin server of the accelerated domain name to the WAF CNAME, so that back-to-origin requests from the CDN go to WAF.
    1. Log on to the Alibaba Cloud CDN console.
    2. Open the Domain Names page. On the page that appears, select the required domain name and click Manage.
    3. In the Origin Information section, click Modify and configure the origin server parameters described below.
      Origin Info

      Select the type of the origin server and enter the address of the origin server.

      • Address length: The address of an origin server cannot exceed 67 characters in length.
      • Maximum number of origin servers: You can set a maximum of 20 origin server addresses for each accelerated domain name.
      • OSS Domain Name
        • If you use an Object Storage Service (OSS) bucket as the origin server, you can enter the public endpoint of the OSS bucket, for example, ***.oss-cn-hangzhou.aliyundoc.com. Internal endpoints of OSS buckets are not supported.
        • To view the public endpoint of an OSS bucket, log on to the OSS console. You can also select the endpoint of an OSS bucket that belongs to the current Alibaba Cloud account from the Domain Name drop-down list.
        Note Discounts for data transfer between Alibaba Cloud CDN and OSS:
        • If you want OSS to identify network traffic sent from Alibaba Cloud CDN and apply for a discount on the data transfer, you must set the origin server type to OSS Domain in the Alibaba Cloud CDN console.
        • If you set the origin server type to Site Domain in the Alibaba Cloud CDN console, OSS identifies network traffic sent from Alibaba Cloud CDN as outbound data transfer over the Internet. In this case, the discounts do not apply.

        For more information, see Billing of OSS content acceleration.

      • IP: Enter the public IP addresses of one or more servers. Public IP addresses of Alibaba Cloud Elastic Compute Service (ECS) instances do not need to be reviewed.
      • Site Domain: Enter the domain names of one or more origin servers.
        Note
        • The origin domain name must be different from the accelerated domain name. Otherwise, DNS resolution loops and requests cannot be forwarded to the origin server.
        • Format of the origin domain name: 1 to 67 characters, consisting of lowercase letters, digits, and hyphens (-), for example, example.com. Uppercase letters, Chinese characters, and special characters other than hyphens are not allowed. The domain name cannot consist of a hyphen only, cannot start or end with a hyphen, and cannot contain two consecutive hyphens. If you want to accelerate a domain name that contains Chinese characters, such as 阿里云.网址, apply for an ICP number for that domain name and convert it to Punycode, such as xn--fiq****.xn--eq****, before you specify it as the domain name to be accelerated.
        • The DNS name of an Alibaba Cloud Application Load Balancer (ALB) instance, for example, example.hangzhou.alb.aliyuncs.com, cannot be used directly as an origin server address. Instead, create a CNAME record that resolves a service domain name that you own, for example, origin.example.com, to the ALB DNS name, and then set that service domain name as the origin domain name of the accelerated domain name. For more information, see Configure a CNAME record.
      • Function Compute Domain: Enter a Function Compute domain name that belongs to the current Alibaba Cloud account. You must set the Region and Domain Name parameters for the Function Compute domain name. For more information, see Configure a custom domain name.
      Priority

      You can set priorities to specify primary and secondary origin servers. The primary origin server has a higher priority than the secondary origin servers, and Alibaba Cloud CDN forwards requests to the primary origin server first. If the primary origin server fails, requests are forwarded to the secondary origin servers. The priority ranges from 0 to 127, and a smaller value indicates a higher priority. By default, the priority of the primary origin server is 20 and that of the secondary origin server is 30. If you want to set the priority to other values, Submit a ticket.

      For example, you have specified two origin servers, Origin Server A (primary) and Origin Server B (secondary). Alibaba Cloud CDN forwards requests to Origin Server A. If Origin Server A fails, Alibaba Cloud CDN forwards user requests to Origin Server B. After Origin Server A recovers, Alibaba Cloud CDN forwards user requests to Origin Server A again.

      Weight
      If origin servers have the same priority, Alibaba Cloud CDN distributes requests among them in proportion to their weights, which balances the load across the origin servers. You can specify a weight based on your business requirements.
      • Valid values range from 1 to 100. A greater value indicates a higher weight, and an origin server with a higher weight receives more user requests.
      • The default value is 10.

      For example, both Origin Server A and Origin Server B are specified as primary origin servers, with weights of 80 and 20. In this case, Alibaba Cloud CDN distributes user requests between them at a ratio of 8:2, that is, 80% to Origin Server A and 20% to Origin Server B.

      Port
      Specify the port on the origin server that receives back-to-origin requests. Valid values are 1 to 65535. Set the port based on what your origin server listens on.
      • Default value: 80.
      • If you specify port 443, requests are forwarded to the origin server over HTTPS. If you specify port 80 or a custom port, requests are forwarded to the origin server over plain HTTP, so the hop between Alibaba Cloud CDN and the origin server is unencrypted.
      Note
      • If you want Alibaba Cloud CDN to forward HTTPS requests to origin servers over custom ports, Submit a ticket.
      • If Origin Protocol Policy is enabled, custom ports do not take effect. For more information about how to disable the origin protocol policy, see Configure the origin protocol policy.
      • If the origin server is an Object Storage Service (OSS) bucket, OSS determines whether you can specify a custom port.
    4. Go to the Back-to-origin page. On the Configurations tab, verify that Origin Host is disabled, so that Alibaba Cloud CDN keeps the accelerated domain name as the Host header of back-to-origin requests and WAF can match those requests to the website that you added.
    After the configuration is complete, traffic passes through Alibaba Cloud CDN before it reaches WAF. Requests that the CDN serves from its cache never reach WAF; requests that the CDN forwards back to origin, in particular requests for dynamic content, are still detected and protected by WAF.
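The origin-server rules in the table above (address length, origin count, domain format, the ALB restriction, priority, weight and port) and the priority/weight failover behaviour can be checked before you save a configuration. The following is an added example, not Alibaba Cloud's own code or API: it encodes those rules as stated on this page and models which origin receives back-to-origin traffic. The function, field and sample names (waf-cname.example.com, 203.0.113.10, a.example.com and so on) and the assumed ALB DNS suffix are mine.

```python
"""Validator and traffic model for the CDN origin-server settings described above.

Added example, not Alibaba Cloud code. It encodes the stated limits (address at
most 67 characters, at most 20 origins, priority 0-127, weight 1-100, port
1-65535, port 443 meaning HTTPS back-to-origin, origin domain different from the
accelerated domain, ALB DNS names not accepted directly) and the priority/weight
rule that decides which origin receives a request. All names are mine.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

MAX_ORIGINS = 20
MAX_ADDRESS_LEN = 67
# One DNS label: lowercase letters and digits, single hyphens only, none at either end.
LABEL_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")
# Assumption: ALB instance DNS names end like the page's example (example.hangzhou.alb.aliyuncs.com).
ALB_SUFFIX = ".alb.aliyuncs.com"
# Ranges that are never public origin addresses (RFC 1918, loopback, link-local).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Origin:
    address: str        # IP address or domain name, depending on kind
    kind: str           # "ip" or "domain" (OSS and Function Compute origins are not modelled)
    priority: int = 20  # 0-127, smaller wins; 20 = primary, 30 = secondary by default
    weight: int = 10    # 1-100, share of traffic within the same priority
    port: int = 80      # 443 => HTTPS back-to-origin, anything else => plain HTTP

    @property
    def protocol(self) -> str:
        return "https" if self.port == 443 else "http"


def is_public_ip(address: str) -> bool:
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return not any(ip in net for net in NON_PUBLIC)


def valid_origin_domain(name: str) -> bool:
    if not 1 <= len(name) <= MAX_ADDRESS_LEN:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def validate_origins(accelerated_domain: str, origins: list[Origin]) -> list[str]:
    """Return every rule violation found; an empty list means the configuration is accepted."""
    errors: list[str] = []
    if len(origins) > MAX_ORIGINS:
        errors.append(f"{len(origins)} origins configured, maximum is {MAX_ORIGINS}")
    for o in origins:
        if len(o.address) > MAX_ADDRESS_LEN:
            errors.append(f"{o.address}: address longer than {MAX_ADDRESS_LEN} characters")
        if not 0 <= o.priority <= 127:
            errors.append(f"{o.address}: priority {o.priority} outside 0-127")
        if not 1 <= o.weight <= 100:
            errors.append(f"{o.address}: weight {o.weight} outside 1-100")
        if not 1 <= o.port <= 65535:
            errors.append(f"{o.address}: port {o.port} outside 1-65535")
        if o.kind == "ip":
            if not is_public_ip(o.address):
                errors.append(f"{o.address}: origin IP must be a public address")
        elif o.kind == "domain":
            if o.address == accelerated_domain:
                errors.append(f"{o.address}: origin domain equals the accelerated domain (DNS loop)")
            elif o.address.endswith(ALB_SUFFIX):
                errors.append(f"{o.address}: ALB DNS name not allowed; CNAME your own service domain to it")
            elif not valid_origin_domain(o.address):
                errors.append(f"{o.address}: invalid origin domain format")
        else:
            errors.append(f"{o.address}: unknown origin kind {o.kind!r}")
    return errors


def traffic_shares(origins: list[Origin], healthy: set[str]) -> dict[str, float]:
    """Share of back-to-origin requests each origin receives.

    Only the healthy origins with the smallest priority value are used; within
    that group requests are split in proportion to weight, so a failed primary
    hands all traffic to the secondaries and gets it back once it recovers.
    """
    candidates = [o for o in origins if o.address in healthy]
    if not candidates:
        return {}
    best = min(o.priority for o in candidates)
    group = [o for o in candidates if o.priority == best]
    total = sum(o.weight for o in group)
    return {o.address: o.weight / total for o in group}


if __name__ == "__main__":
    # Constructed sample for the WAF-behind-CDN setup: the WAF CNAME is the only
    # origin, over HTTPS. A secondary origin pointing straight at the real server
    # would let failover bypass WAF, so none is configured here.
    waf = Origin("waf-cname.example.com", "domain", priority=20, port=443)
    print(validate_origins("www.example.com", [waf]))
    # Constructed pair showing priority/weight: a/b share 8:2, s only on failover.
    a = Origin("a.example.com", "domain", priority=20, weight=80)
    b = Origin("b.example.com", "domain", priority=20, weight=20)
    s = Origin("s.example.com", "domain", priority=30)
    print(traffic_shares([a, b, s], {a.address, b.address, s.address}))
    print(traffic_shares([a, b, s], {s.address}))
```

Run it as a script to see the sample configuration pass validation and the 8:2 split collapse onto the secondary origin when both primaries are marked unhealthy. The public-IP check deliberately rejects only RFC 1918, loopback and link-local ranges, since the page only says the address must be public; the console's own review of non-ECS addresses is not modelled.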