Alibaba Cloud CDN and Web Application Firewall (WAF) are widely used in cloud computing scenarios. Alibaba Cloud CDN is used to accelerate the delivery of static content such as HTML, CSS, and JavaScript files. WAF is used to protect servers and reduce security threats to web applications. You can deploy WAF together with Alibaba Cloud CDN and content delivery network (CDN) services that are provided by other vendors, such as Wangsu, Qiniu, and Upyun. This topic describes how to enable WAF protection for an accelerated domain name added to Alibaba Cloud CDN.
Background information
URIs are typically used to separate static and dynamic traffic for a domain name, especially for heavy-traffic websites and complex web applications. This type of network architecture can significantly improve website performance, optimize resource usage, and enhance user experience. In most cases, static resources such as images, CSS files, and JavaScript files are cached by Alibaba Cloud CDN and distributed to global CDN nodes. Users request the resources from the nearest CDN node, which significantly reduces loading time. Requests for dynamic resources are routed to a reverse proxy or a load balancer such as NGINX, HAProxy, AWS Elastic Load Balancing (ELB), or Alibaba Cloud Server Load Balancer (SLB). The load balancer then distributes the requests to a group of backend web application servers based on predefined policies such as round-robin, least connections, and IP address hashing. The following figure shows the network architecture for a website that implements static-dynamic separation.
Request for static resources:
The user device sends a request for xxx.xxx.xxx/static/logo.png.
The request is routed to the nearest CDN node. If no resources are cached on the node, the request is forwarded to the origin server.
The origin server responds to the request and returns data.
Alibaba Cloud CDN caches the data returned by the origin server and returns the data to the client.
The user device sends a request for xxx.xxx.xxx/static/logo.png again.
The CDN node checks whether resources are cached. If yes, the CDN node returns data.
Request for dynamic resources:
The user device sends a request for xxx.xxx.xxx/getInfo. The request is routed to the nearest CDN node.
The CDN node forwards the request to the origin server based on the specified conditions.
The origin server processes dynamic traffic and returns data to the client.
Prerequisites
A website is built, and static-dynamic separation is implemented on a domain name of the website.
Alibaba Cloud CDN is activated, and the domain name is added to Alibaba Cloud CDN. For more information, see CDN beginner's guide.
A WAF instance is purchased.
Solution overview
You can use the following network architecture to deploy WAF together with Alibaba Cloud CDN for a website. Deploy Alibaba Cloud CDN at the ingress layer to accelerate content distribution. Deploy WAF at the intermediate layer to protect applications. Deploy an origin server on an Elastic Compute Service (ECS) instance, on an SLB instance, in a virtual private cloud (VPC), or in a data center. The traffic of your website reaches Alibaba Cloud CDN first, and is then forwarded to WAF for filtering. Only normal traffic is forwarded to the origin server. This ensures the service and data security of the website.
The following figure shows the network architecture in which WAF works together with Alibaba Cloud CDN to protect web services and accelerate data access.
Step 1: Add a domain name to WAF
Add the domain name of the website that you want to protect to WAF in CNAME record or cloud native mode.
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Onboarding.
Add the domain name to WAF.
CNAME record mode
After you add a domain name to WAF in CNAME record mode, WAF automatically generates a CNAME for the domain name.
On the CNAME Record tab, click Add.
In the Configure Listener step, configure the parameters and click Next.
Parameters
Domain Name: Enter the domain name of the website that you want to protect.
Protocol Type: Select the protocol that is supported by the website. Then, enter the port of the origin server. In this example, enter 8080.
Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF: Select Yes. Then, set the Obtain Actual IP Address of Client parameter to [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery.

In the Configure Forwarding Rule step, configure the Origin Server Address parameter and click Submit.
On the Onboarding page, find the added domain name and click the copy icon next to the CNAME of the domain name.
Note: For more information about how to configure other parameters such as HTTPS certificates and load balancing algorithms, see Enable WAF protection for your website using a CNAME record.
After the domain name is added, configure security software or access control policies for the origin server to allow inbound traffic from the back-to-origin CIDR blocks of WAF. For more information, see Allow access from back-to-origin CIDR blocks of WAF.
Cloud native mode
On the Cloud Native tab, click the required type in the left-side cloud service list. In this example, click CLB(HTTP/HTTPS). If your dynamic traffic is destined for a Layer 7 Classic Load Balancer (CLB) instance, you can click CLB(HTTP/HTTPS).
Click Add. In the Configure Instance - Layer 7 CLB panel, view your existing CLB instances and select a CLB instance to add traffic redirection ports. Set the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter to Yes and the Obtain Actual IP Address of Client parameter to [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery. Then, enter custom header fields.
Note: In this example, add a Layer 7 CLB instance to WAF. For more information about how to add other cloud service instances to WAF, see Cloud native mode.
Parameters
Select the instance and port to be added: Find the instance that you want to add and click Actions in the Add Port column. Then, select the HTTP or HTTPS port that you want to add to WAF and click OK.
Note: If the instance that you want to add to WAF is not in the instance list, click Synchronize Instances to refresh the instance list.
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF: Select Yes. Then, set the Obtain Actual IP Address of Client parameter to [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery. In this example, add the listener port 8080 of the CLB instance and enter the name of the custom header field that carries the client IP address (header in this example) in the Header Field field.

Click OK. On the Cloud Native tab, you can view the added CLB instance.

View the protected object on the page and configure protection rules for the protected object. After you add your domain name or instance to WAF, WAF automatically generates a protected object. By default, protection rules of the core protection rule module are enabled for the protected object.
If no default protection template exists in the Core Protection Rule section of the page, you must manually enable the protection rules of the core protection rule module for the protected object.
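The following added example (not Alibaba Cloud code) models why the Obtain Actual IP Address of Client setting chosen in both the CNAME record and cloud native procedures above matters when a Layer 7 proxy sits in front of WAF. It assumes the CDN overwrites a dedicated header, named X-Client-Real-IP here, with the address it accepted the connection from, and that all addresses and headers are constructed for the demonstration.

```python
"""Client-IP extraction behind a Layer 7 proxy (added example, not Alibaba Cloud code).

Compares the two choices on the WAF onboarding form:
  * read the first IP in X-Forwarded-For as the client sent it (forgeable), or
  * read the first IP in a header that the CDN in front of WAF overwrites
    (the [Recommended] option), which the client cannot control.
The header name and every address below are constructed for the demo.
"""
from ipaddress import ip_address

TRUSTED_HEADER = "X-Client-Real-IP"   # assumption: the custom header the CDN sets


def first_ip(header_value):
    """Return the first entry of a comma-separated header if it is a valid IP, else None."""
    token = header_value.split(",")[0].strip()
    try:
        return str(ip_address(token))
    except ValueError:
        return None   # a bogus first entry is rejected, not silently skipped


def cdn_forward(client_headers, connecting_ip):
    """What a trusted Layer 7 proxy does: overwrite its own header with the
    address it actually accepted the TCP connection from, and append that
    address to X-Forwarded-For (leaving any client-supplied entries in front)."""
    out = dict(client_headers)
    out[TRUSTED_HEADER] = connecting_ip
    xff = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{xff}, {connecting_ip}" if xff else connecting_ip
    return out


def client_ip_naive(headers):
    """Not recommended: first IP of X-Forwarded-For as it arrives at WAF."""
    return first_ip(headers.get("X-Forwarded-For", ""))


def client_ip_trusted(headers):
    """Recommended option: first IP of the proxy-controlled header."""
    return first_ip(headers.get(TRUSTED_HEADER, ""))


def demo():
    """Constructed traffic: an honest client, and one that pre-fills both headers
    with an internal-looking address while connecting from 203.0.113.7."""
    honest = cdn_forward({}, "198.51.100.23")
    forged = cdn_forward({"X-Forwarded-For": "10.0.0.5", TRUSTED_HEADER: "10.0.0.5"},
                         "203.0.113.7")
    return {
        "honest": (client_ip_naive(honest), client_ip_trusted(honest)),
        "forged": (client_ip_naive(forged), client_ip_trusted(forged)),
    }


if __name__ == "__main__":
    print(demo())
```

Only the proxy-controlled header yields the real connecting address for the forged request; any allowlist or rate limit keyed on the naive value would be evaluated against an attacker-chosen address.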
Step 2: Enable WAF protection for the protected object
To manually enable protection rules for a protected object, you must select the protected object in the Apply To section of the protection template to which the protection rules belong.
Log on to the WAF console. In the left-side navigation pane, choose . In the Core Protection Rule section of the Core Web Protection page, find an existing protection template that you want to manage and click Edit in the Actions column.
Note: If you want to use a new protection template, create a protection template. For more information, see Create a custom protection template.
In the Edit panel, set the Rule Action parameter to Block and select the protected object generated in Step 1 in the Apply To section.
Click OK to save the settings.
Step 3: Modify back-to-origin addresses in Alibaba Cloud CDN
Static resources may be stored in Object Storage Service (OSS) or backend services. The origin server information of Alibaba Cloud CDN varies based on the location in which static resources are stored. Therefore, the operations required to modify back-to-origin addresses vary.
Static resources stored in OSS
If static resources are stored in OSS and Alibaba Cloud CDN is used for acceleration, the Origin Information section of your domain name shows the Basic Origin Server Information and Conditional Origin sections. You only need to modify the settings in the Conditional Origin section.
Log on to the Alibaba Cloud CDN console. In the left-side navigation pane, click Domain Names. In the domain name list, find the domain name for which you want to enable WAF protection and click Manage in the Actions column.
Configure a conditional origin. In the left-side navigation tree that appears, click Basics. On the page that appears, find the required rule in the Conditional Origin section and click Modify in the Actions column. Then, modify the parameters in the Conditional Origin dialog box.
Parameters
Rule Condition: Rule conditions identify parameters in a request to determine whether a rule takes effect on the request. In this example, configure a rule to forward requests whose URIs do not contain /static/* to the origin server address that you specify.
Origin Address: If your domain name is added to WAF in CNAME record mode, enter the address specified by the Origin Server parameter in WAF. If your domain name is added to WAF in cloud service mode, enter the public IP address of the related cloud service instance.
Important: The Conditional Origin dialog box does not provide port options. By default, HTTP requests are forwarded to port 80 of the origin server, and HTTPS requests are forwarded to port 443 of the origin server. If you want to specify a port when you configure the Origin Address parameter, you can specify an IP address together with a port.
Click OK. You can view the new back-to-origin address in the Conditional Origin section.

Static resources stored in backend services
If static resources are stored in a backend service and Alibaba Cloud CDN is used for acceleration, you only need to modify the settings in the Basic Origin Server Information section of the Origin Information section.

Log on to the Alibaba Cloud CDN console. In the left-side navigation pane, click Domain Names. In the domain name list, find the domain name for which you want to enable WAF protection and click Manage in the Actions column.
In the left-side navigation tree that appears, click Basics. In the Origin Information section, click Add Origin Server. In the Add Origin Server dialog box, configure the parameters and click OK.
Parameters
Origin Info: If your domain name is added to WAF in CNAME record mode, select Site Domain and enter the CNAME that is generated for the domain name. If your domain name is added to WAF in cloud service mode, select IP and enter the public IP address of the related cloud service instance.
Priority: Specify the priority of the origin server. A primary origin server has a higher priority than a secondary origin server.
Weight: Specify the weight of the origin server. If multiple origin servers have the same priority, Alibaba Cloud CDN distributes requests to the origin servers based on their weights.
Port: Enter the number of the port to which Alibaba Cloud CDN forwards back-to-origin requests. In this example, enter 8080.
If you add your domain name to WAF in CNAME record mode in Step 1, you must delete the original origin server address.
The configuration in Alibaba Cloud CDN does not immediately take effect. The time that is required for the configuration to take effect is affected by factors such as the effective time of Domain Name System (DNS) records, synchronization of Alibaba Cloud CDN configuration, and cache refresh and prefetch. To ensure that the configuration takes effect in a timely manner, we recommend that you refresh and prefetch your cache after you complete the configuration. This way, users can obtain the latest configuration during access.
Step 4: Configure an SSL certificate
Deploy an SSL certificate to Alibaba Cloud CDN to enable HTTPS secure acceleration and encrypt data transmission between clients and CDN nodes.
In the left-side navigation pane, click Domain Names. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
In the left-side navigation tree that appears, click HTTPS. In the HTTPS Certificate section, click Modify.
In the Modify HTTPS Settings dialog box, turn on HTTPS Secure Acceleration and configure certificate-related parameters.

If you use a certificate that is purchased from Alibaba Cloud Certificate Management Service, set the Certificate Source parameter to SSL Certificates Service and select the purchased certificate from the Certificate Name drop-down list. You can view existing certificates on the SSL Certificate Management page of the Certificate Management Service console.
Note: Check whether the domain name bound to the purchased certificate is your website domain name.
If you use a certificate that is issued from a third-party certificate service provider, set the Certificate Source parameter to Custom Certificate (Certificate+Private Key). After you configure the Certificate Name parameter, configure the Certificate (Public Key) and Private Key parameters. Then, the certificate is uploaded to Certificate Management Service. You can view the certificate on the SSL Certificate Management page of the Certificate Management Service console.
Parameters
Certificate Name: Enter a name for the certificate that you want to upload. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Note: A certificate name must be unique. You can view existing certificates on the SSL Certificate Management page. If the system prompts that the certificate name already exists, change the certificate name and re-upload the certificate.
Certificate (Public Key): Enter the content of the PEM-encoded certificate file. You can use a text editor to open the certificate file in the PEM format and copy the content to the Certificate (Public Key) field. You can click PEM Encoding Reference below the field to obtain sample code.
Private Key: Enter the content of the PEM-encoded private key file. You can use a text editor to open the private key file in the KEY format and copy the content to the Private Key field. You can click PEM Encoding Reference below the field to obtain sample code.
Note: If your private key starts with "-----BEGIN PRIVATE KEY-----" and ends with "-----END PRIVATE KEY-----", you must use the OpenSSL tool to convert the format of the private key, and then copy the content of the new_server_key.pem file to the Private Key field. OpenSSL command: openssl rsa -in old_server_key.pem -out new_server_key.pem
Click OK.
Verify the configuration
Enter a URI of xxx.xxx.xxx/123.php in a browser to initiate a request. The request is blocked, which indicates that dynamic traffic destined for the origin server is protected by WAF.

Log on to the WAF console. In the left-side navigation pane, choose . On the page that appears, view the attack records on the Core Protection Rule tab. In this example, the request whose URI is xxx.xxx.xxx/123.php is blocked based on a webshell rule.

Access the static resource path xxx.xxx.xxx/static/1.png. On the page that appears, press the F12 key or right-click the page and select Inspect to open the developer tools. In the panel that appears, click the Network tab. The response headers show that the resource is accelerated by Alibaba Cloud CDN.
Note: The X-Cache field indicates whether the cache is hit. The value MISS indicates no, and the value HIT indicates yes.
The verification results show that static traffic is accelerated by Alibaba Cloud CDN and dynamic traffic destined for the origin server is protected by WAF.
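The following added example (not Alibaba Cloud code) simulates the edge behaviour that Step 3 configures and that the verification above observes: URIs under /static/* are answered from the CDN cache with an X-Cache of MISS or HIT, and every other URI is forwarded to the WAF-protected origin, applying the port rule from the Conditional Origin dialog box (explicit IP:port, otherwise 80 for HTTP and 443 for HTTPS). The bucket name, the WAF origin address and the cache contents are constructed for the demonstration.

```python
"""Simulation of the CDN edge decision (added example, not Alibaba Cloud code).

Static URIs (matching /static/*) are served from the edge cache; dynamic URIs are
forwarded to the WAF-protected origin and never cached. The port rule follows the
Conditional Origin dialog box: an address entered as IP:port keeps its port,
anything else gets 80 for HTTP and 443 for HTTPS. All names are constructed.
"""
from fnmatch import fnmatch

STATIC_PATTERN = "/static/*"
OSS_ORIGIN = "mybucket.oss-cn-hangzhou.aliyuncs.com"   # constructed bucket endpoint
WAF_ORIGIN = "203.0.113.10:8080"                        # constructed, cloud native mode


def resolve_origin(address, scheme):
    """Return (host, port): explicit IP:port wins, else the default for the scheme.
    Assumes an IPv4 address or hostname (no bracketed IPv6 literal)."""
    host, sep, port = address.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return address, 443 if scheme == "https" else 80


class Edge:
    """One CDN node with a per-URI cache of static objects."""

    def __init__(self):
        self.cache = {}   # uri -> cached body (constructed placeholder)

    def handle(self, scheme, uri):
        """Return (origin_host, origin_port, x_cache) for a request.
        x_cache is 'MISS' or 'HIT' for static URIs and None for dynamic ones,
        which are never cached and always pass through WAF."""
        if fnmatch(uri, STATIC_PATTERN):
            host, port = resolve_origin(OSS_ORIGIN, scheme)
            if uri in self.cache:
                return host, port, "HIT"
            self.cache[uri] = f"<bytes of {uri}>"   # fetched once, then cached
            return host, port, "MISS"
        return (*resolve_origin(WAF_ORIGIN, scheme), None)


if __name__ == "__main__":
    edge = Edge()
    for req in [("https", "/static/1.png"), ("https", "/static/1.png"),
                ("https", "/123.php"), ("http", "/getInfo")]:
        print(req, "->", edge.handle(*req))
```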
References
For more information about how to add a domain name to WAF in CNAME record mode, see Enable WAF protection for your website using a CNAME record.
For more information about how to add a domain name to Alibaba Cloud CDN, see Add a domain name.
For more information about Dynamic Content Delivery Network (DCDN), see What is DCDN?
If you want to enable WAF protection for a domain name added to DCDN, you can enable WAF in the DCDN console. Then, you can use WAF to protect your web services on DCDN nodes. For more information, see Getting started with WAF (new).
Note: For more information about the differences between Alibaba Cloud CDN and DCDN, see What is Alibaba Cloud CDN?
For more information about how to obtain the originating IP address of clients whose requests are forwarded, see Retrieve the originating IP addresses of clients.