To add a website to Web Application Firewall (WAF) in CNAME record mode, add the domain name of the website to WAF. This topic describes how to add a domain name to WAF.
Prerequisites
A WAF instance is purchased, and the number of domain names that are added to the WAF instance is less than the upper limit.
Note: The maximum number of domain names that can be added to a WAF instance varies based on the specifications of the instance and the number of extra domain names that you purchase. For more information, see Extra domain package.
If the domain name of your website is hosted on a server in the Chinese Mainland, make sure that an ICP filing is complete for the domain name and the ICP filing information is valid when your website is protected by WAF.
Note: WAF instances that are deployed in the Chinese Mainland region regularly check whether the ICP filing information of your domain names is valid. If the ICP filing information of a domain name becomes invalid, WAF manages the domain name based on relevant laws and regulations. For example, WAF may stop forwarding requests for the domain name or delete the configurations of the domain name.
If your website is hosted on Alibaba Cloud, you can apply for an ICP filing for your domain name by using the Alibaba Cloud ICP Filing system. For more information, see Scenarios.
If your website is not deployed on Alibaba Cloud, you can contact Alibaba Cloud or another cloud service provider to apply for an ICP filing.
Add a domain name to WAF
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Domain Names tab, click Website Access.
Note: On the Add Domain Name page, the Access Mode parameter is set to CNAME Record by default.
Configure the parameters and click Next. The following table describes the parameters.
Parameter
Description
Domain Name
Enter the domain name of your website. You can enter an exact match domain name such as www.aliyundoc.com or a wildcard domain name such as *.aliyundoc.com. You can enter only one domain name.
The first time you add the domain name to WAF, you must verify your ownership of the domain name. After you prove your ownership of the domain name, you can add the domain name to WAF. For more information, see Verify the ownership of a domain name.
Note: You can use a wildcard domain name to cover all subdomains at the same level as, or at a different level from, the wildcard domain name. For example, you can use *.aliyundoc.com to cover www.aliyundoc.com, example.aliyundoc.com, and www.example.aliyundoc.com.
You can use a second-level wildcard domain name to cover the second-level parent domain name of the wildcard domain name. For example, you can use *.aliyundoc.com to cover aliyundoc.com.
You cannot use a third-level wildcard domain name to cover the third-level parent domain name of the wildcard domain name. For example, you cannot use *.example.aliyundoc.com to cover example.aliyundoc.com.
If you add an exact match domain name and a wildcard domain name that covers the exact match domain name, the protection rules of the exact match domain name take precedence.
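The wildcard coverage and precedence rules above, implemented as a small matcher. This is an added example, not Alibaba Cloud's code; the tie-break between several covering wildcards is an assumption noted in the code.

```python
# Added example (not Alibaba Cloud's code): the wildcard coverage and precedence
# rules described above, implemented as a matcher you can run offline.

def _labels(name: str) -> list[str]:
    """Split a host name into lower-case DNS labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """Return True if a WAF entry (exact or wildcard) covers hostname.

    Rules from the page:
      * '*.aliyundoc.com' covers subdomains at the same level (www.aliyundoc.com)
        and at deeper levels (www.example.aliyundoc.com).
      * A second-level wildcard also covers its parent: '*.aliyundoc.com'
        covers 'aliyundoc.com'.
      * A third-level wildcard does not: '*.example.aliyundoc.com' does not
        cover 'example.aliyundoc.com'.
    """
    p, h = _labels(pattern), _labels(hostname)
    if p[0] != "*":
        return p == h                       # exact-match entry
    suffix = p[1:]                          # labels to the right of '*'
    if h == suffix:
        return len(suffix) == 2             # parent covered only by a 2nd-level wildcard
    return len(h) > len(suffix) and h[-len(suffix):] == suffix


def select_entry(entries: list[str], hostname: str):
    """Choose which configured entry's protection rules apply to hostname.

    An exact-match entry takes precedence over a wildcard that also covers the
    host (from the page). Among several covering wildcards the one with more
    labels is preferred; that tie-break is an assumption, not stated on the page.
    """
    exact = [e for e in entries if not e.startswith("*.") and wildcard_covers(e, hostname)]
    if exact:
        return exact[0]
    wild = [e for e in entries if e.startswith("*.") and wildcard_covers(e, hostname)]
    return max(wild, key=lambda e: len(_labels(e))) if wild else None
```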
Protection Resource
Select the type of protection resource that you want to use. Valid values:
Shared Cluster: This is the default value.
Exclusive Cluster: This option is available only if you use a WAF instance of the Exclusive edition. You can use an exclusive cluster to provide service-specific protection. For more information, see Best practices for WAF exclusive clusters.
Hybrid Cloud Cluster: If you use Hybrid Cloud WAF, select this option. For more information, see Add a website to Hybrid Cloud WAF.
Protocol Type
Select the protocol of your website. Valid values:
HTTP
HTTPS
Important: If your website supports HTTPS, select HTTPS. If you select HTTPS, upload the required certificate and private key files after you add your domain name to WAF. For more information, see the "Upload an HTTPS certificate" section in this topic.
If you select HTTPS, you can enable the following features:
HTTP2: You can select this option only after you select HTTPS.
If your domain name supports HTTP/2, select HTTP2. HTTP/2 and HTTPS use the same ports. After you select HTTP2, you need to specify only the HTTPS ports. For more information, see Is the origin server affected after HTTP/2 services are added to WAF?
Note: You can select HTTP2 only if your WAF instance is of the Business, Enterprise, or Exclusive edition.
Origin Server Address
Enter the address of the origin server. Valid values: IP and Domain Name (Such as CNAME). WAF filters out malicious requests and forwards normal requests to this address. To enter the address of the origin server, take note of the following items:
IP: Enter the public IP address of the origin server. The IP address must be accessible over the Internet.
Press the Enter key each time you enter an IP address. You can enter up to 20 IP addresses.
Note: If you enter multiple IP addresses, WAF automatically performs health checks and load balancing on the IP addresses.
If your WAF instance resides outside the Chinese mainland, you can enter only IPv4 addresses. If your WAF instance resides in the Chinese mainland, you can enter IPv4 or IPv6 addresses, or both.
Specify IPv4 addresses and IPv6 addresses
If you select Use the Same Protocol, WAF forwards requests from IPv4 addresses to the origin server over IPv4 and requests from IPv6 addresses to the origin server over IPv6. If you do not select Use the Same Protocol, WAF randomly forwards requests to the origin server over IPv4 or IPv6.
Important: If you want WAF to forward requests over IPv6, make sure that IPV6 is turned on for the domain name on the Website Access page. For more information, see Enable IPv6 traffic protection.
Specify only IPv4 addresses
WAF forwards all requests to the origin server over IPv4.
Specify only IPv6 addresses
WAF forwards all requests to the origin server over IPv6.
Domain Name (Such as CNAME): Enter the domain name of the origin server. For example, enter the CNAME of an Object Storage Service (OSS) bucket.
The domain name can be resolved to an IPv4 address. In this case, WAF forwards back-to-origin requests to the IPv4 address.
Important: The domain name of the origin server must be different from the domain name that you want to protect.
If you enter a domain name of an OSS bucket, map the domain name that you want to protect to the bucket in the OSS console. For more information, see Map custom domain names.
Destination Server Port
Specify the port that you want to use to forward requests.
WAF receives and forwards requests only on the ports that you specify. Requests to other ports are not forwarded, so the origin server stays protected even if ports that are not specified are open on it.
Important: You must set the Protocol Type and Destination Server Port parameters to the protocol and port that the origin server uses to provide web services. WAF does not support port translation. For example, if the origin server provides web services over HTTP on port 80, set the Protocol Type parameter to HTTP and the Destination Server Port parameter to 80.
Default ports:
80: By default, this port is used when you select HTTP.
443: By default, this port is used when you select HTTPS. HTTP2 uses the same port as HTTPS.
Custom ports: Enter port numbers in the HTTP Port and HTTPS Port fields. Press the Enter key each time you enter a port number. Click View Port Range to query all supported ports.
Note: A WAF instance of the Enterprise or Exclusive edition supports up to 50 ports, including ports 80, 8080, 443, and 8443. A WAF instance of the Pro or Business edition supports up to 10 ports, including ports 80, 8080, 443, and 8443.
For more information about the ports that are supported by shared clusters, see View the ports supported by WAF.
If you use a WAF instance of the Exclusive edition, you can select ports only from the Destination Server Port section on the Exclusive Cluster Configurations page. For more information, see Configure an exclusive cluster.
Load Balancing Algorithm
If you enter multiple addresses of origin servers, configure this parameter. Valid values:
IP hash: Requests from an IP address are forwarded to the same origin server. This is the default value.
Note: If you select IP hash but the IP addresses of origin servers are not scattered across different network segments, workloads may be unbalanced.
Round-robin: All requests are distributed to origin servers in turn.
Least time: WAF uses the intelligent Domain Name System (DNS) resolution feature and the upgraded least-time back-to-origin algorithm to reduce latency when requests are forwarded to origin servers.
Note: You can select Least time only if intelligent load balancing is enabled. For more information, see Intelligent load balancing.
After the settings take effect, WAF distributes back-to-origin requests to multiple addresses of origin servers.
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF
Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Proxy and Alibaba Cloud CDN. Valid values:
No: No Layer 7 proxies are deployed in front of WAF. WAF receives requests directly from clients and uses the IP address from which a client establishes its connection with WAF, read from the REMOTE_ADDR field, as the IP address of the client.
Yes: A Layer 7 proxy is deployed in front of WAF. WAF receives requests from the Layer 7 proxy. To ensure that WAF can obtain the actual IP address of a client for security analysis, configure the Obtain Source IP Address parameter.
By default, WAF uses the first IP address in the X-Forwarded-For field as the IP address of a client. If you use a proxy that requires the actual IP addresses to be included in a custom header field, such as X-Client-IP or X-Real-IP, select [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery and enter a custom header field in the Header Field field.
Note: We recommend that you use custom header fields to store the IP addresses of clients and configure the custom header fields in WAF. This prevents attackers from forging X-Forwarded-For fields to bypass WAF protection and improves the security of your business.
You can enter multiple header fields. Separate multiple header fields with commas (,). If you enter multiple header fields, WAF scans the header fields in sequence until the IP address of the client is obtained. If WAF cannot obtain the IP address of the client from the header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.
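The client IP resolution described above, written out so the two settings can be compared on the same request. This is an added example, not WAF's own code; header names and addresses are constructed, and the fallback to REMOTE_ADDR when X-Forwarded-For is absent or malformed is an assumption.

```python
# Added example (not WAF's own code): how the client IP is derived for the
# "Layer 7 proxy in front of WAF" setting, and why a custom header field is
# recommended over X-Forwarded-For. Header names and addresses are constructed.
import ipaddress


def _first_ip(header_value: str):
    """Return the first comma-separated entry if it is a well-formed IP, else None."""
    first = header_value.split(",", 1)[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def client_ip(remote_addr: str, headers: dict, layer7_proxy: bool,
              custom_fields: tuple = ()) -> str:
    """Resolve the client IP the way the page describes.

    remote_addr   : peer address of the TCP connection (REMOTE_ADDR)
    layer7_proxy  : False -> no proxy in front, REMOTE_ADDR is the client
                    True  -> scan custom_fields in order; if none yields an IP,
                             fall back to the first IP in X-Forwarded-For
    Falling back to remote_addr when X-Forwarded-For is absent or malformed is
    an assumption; the page does not say what WAF does in that case.
    """
    if not layer7_proxy:
        return remote_addr
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for field in custom_fields:
        ip = _first_ip(lowered.get(field.lower(), ""))
        if ip:
            return ip
    return _first_ip(lowered.get("x-forwarded-for", "")) or remote_addr


def header_trust_demo() -> tuple:
    """Show why the page recommends a custom header field.

    Constructed scenario: the real client is 198.51.100.7. It sends its own
    X-Forwarded-For value; the proxy appends the real address and also sets
    X-Client-IP, which the client cannot influence because the proxy overwrites it.
    Returns (IP seen with the default X-Forwarded-For rule, IP seen with X-Client-IP).
    """
    headers = {
        "X-Forwarded-For": "203.0.113.9, 198.51.100.7",   # first entry came from the client
        "X-Client-IP": "198.51.100.7",                     # set by the trusted proxy
    }
    proxy_addr = "192.0.2.10"                              # REMOTE_ADDR is the proxy
    return (client_ip(proxy_addr, headers, True),
            client_ip(proxy_addr, headers, True, ("X-Client-IP",)))
```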
Enable Traffic Mark
Specify whether to enable the traffic marking feature.
The feature adds custom header fields to WAF back-to-origin requests. You can configure or modify the custom header fields to mark the requests that are forwarded by WAF or record the actual IP addresses or ports of clients.
If you select Enable Traffic Mark, add custom header fields.
Important: We recommend that you do not configure a standard HTTP header field, such as User-Agent. Otherwise, the original value of the standard header field is overwritten by the value of the custom header field.
If an attacker obtains information about your origin server before you add your domain name to WAF and uses another WAF instance to forward requests to the origin server, you can select Enable Traffic Mark and specify custom header fields. The origin server checks whether the requests passed through WAF. If the specified header fields exist in a request, the request passed through WAF and is allowed.
You can add the following types of header fields:
Click + Add Mark to add a header field. You can add up to five header fields.
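An origin-side check that uses the traffic mark as the text above describes, combined with the back-to-origin CIDR allowlist configured later in the access procedure. This is an added example, not Alibaba Cloud's code; the header name, its value, the CIDR blocks, and the list of standard header names are constructed placeholders.

```python
# Added example (not Alibaba Cloud's code): an origin-side check that accepts a
# request only if it arrives from a WAF back-to-origin address and carries the
# traffic-mark header configured in WAF. The header name, its value and the
# CIDR blocks below are constructed placeholders; use the values shown in the
# WAF console.
import hmac
import ipaddress

MARK_HEADER = "X-WAF-Mark"                          # placeholder custom header name
MARK_VALUE = "replace-with-a-long-random-secret"    # placeholder; keep the real value secret
# Placeholder ranges (documentation addresses); replace with the WAF back-to-origin CIDR blocks.
WAF_BACK_TO_ORIGIN = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "2001:db8::/32")]

# Illustrative, incomplete set of standard header fields that must not be used as a
# traffic mark, because the mark would overwrite their original value.
STANDARD_HEADERS = {"user-agent", "host", "content-type", "content-length",
                    "cookie", "referer", "accept", "authorization"}


def is_safe_mark_name(name: str) -> bool:
    """Reject standard HTTP header names as traffic-mark fields (see the note above)."""
    return name.strip().lower() not in STANDARD_HEADERS


def from_waf_network(peer_ip: str) -> bool:
    """True if the connecting address lies in a WAF back-to-origin CIDR block."""
    try:
        ip = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(ip in net for net in WAF_BACK_TO_ORIGIN)


def request_came_through_waf(peer_ip: str, headers: dict) -> bool:
    """Origin-side decision: allow only requests that passed through your WAF instance.

    Both checks are needed. The CIDR allowlist rejects traffic sent straight to the
    origin; the mark header (compared in constant time) rejects traffic relayed by
    another WAF instance that shares the same back-to-origin addresses, the case
    the page describes.
    """
    if not from_waf_network(peer_ip):
        return False
    value = next((v for k, v in headers.items() if k.lower() == MARK_HEADER.lower()), None)
    if value is None:
        return False
    return hmac.compare_digest(value.encode(), MARK_VALUE.encode())
```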
Back-to-origin Timeout Configuration
Resource Group
Select the resource group to which you want to add the domain name from the drop-down list.
Note: You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
If the wildcard domain name that matches the domain name that you specified in Step 4 is configured by another user, configure the TXT record based on the record type, domain name, and record value that are displayed in the Tips dialog box.
For example, if you use Alibaba Cloud DNS, you can log on to the Alibaba Cloud DNS console and configure the TXT record based on information that is displayed in the Tips dialog box. For more information, see Add a DNS record.
Modify the DNS record.
Follow the on-screen instructions to modify the DNS record and map your domain name to WAF. Then, click Next. For more information, see Modify a DNS record.
Complete the settings.
Follow the on-screen instructions to configure the back-to-origin CIDR blocks of WAF and click Complete. Return to Domain Name List. The Website Access page appears. For more information, see Allow requests from the back-to-origin CIDR blocks of WAF.
Upload an HTTPS certificate
If you select HTTPS for the Protocol Type parameter in Step 4 when you add a domain name, upload a valid HTTPS certificate that is associated with the domain name in the WAF console. Otherwise, WAF cannot protect HTTPS requests.
To upload an HTTPS certificate, you can use one of the following methods:
Upload a certificate.
Before you upload a certificate, you must prepare the following files and make sure that the certificate chain is valid:
The certificate file in the CRT or PEM format
The private key file in the KEY format
Select an existing certificate: You can select the certificate that is associated with the domain name in the Certificate Management Service console. For more information, see What is Certificate Management Service.
Purchase a certificate.
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Domain Names tab, find the domain name that you want to manage and click the icon in the Origin Server column.
Note: The icon appears in the Origin Server column only if you select HTTPS for the Protocol Type parameter.
In the Upload Certificate or Update Certificate dialog box, configure the Upload Method parameter to upload an HTTPS certificate.
Note: If you already uploaded a certificate, the Update Certificate dialog box appears. The Update Certificate and Upload Certificate dialog boxes have the same configuration items.
Manual Upload: Configure the Certificate Name parameter, copy and paste the content of the certificate file to the Certificate File field, and then copy and paste the content of the private key file to the Private Key File field.
For more information about the certificate file, see the following descriptions:
If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the certificate file and copy the text content.
If the certificate file is in a different format such as PFX or P7B, convert the certificate file format to PEM. Then, you can use a text editor to open the certificate file and copy the text content. For more information about how to convert file formats, see How do I convert an HTTPS certificate to the PEM format?
Make sure that the certificate chain is valid. If the domain name is associated with multiple certificate files, combine the text content of the certificate files and then copy and paste the combined content to the Certificate File field.
Select Existing Certificate: Select a certificate from the Certificate drop-down list.
The Certificate drop-down list contains certificates that are issued in the Certificate Management Service console. Select the certificate that is associated with the domain name. Click Certificate Management Service to go to the Certificate Management Service console and manage certificates.
Purchase Certificate: Click Purchase Now to go to the Purchase Certificate page of the Certificate Management Service console. Then, purchase a certificate for your domain name.
After you purchase and configure the certificate, the certificate is automatically uploaded to WAF.
Note: You can purchase only a domain validated (DV) certificate on the Purchase Certificate page. If you want to purchase a different type of certificate, go to the buy page of Certificate Management Service. For more information, see Purchase SSL certificates.
Click OK.
Subsequent configurations
After you add the domain name, the requests that are sent to the domain name are protected by WAF. You can modify domain name configurations to improve website security.
| Type | Description | References |
| --- | --- | --- |
| Website protection configuration | WAF provides multiple features to protect your website against different types of attacks. By default, only the Protection Rules Engine and HTTP Flood Protection features are enabled. The Protection Rules Engine feature protects your website against common web attacks such as SQL injection, cross-site scripting (XSS) attacks, and webshell uploads. The HTTP Flood Protection feature protects your website against HTTP flood attacks. Enable other features and configure protection rules. | |
| Alert configuration | You can configure alert rules to enable WAF to send alert notifications when attacks and abnormal traffic are detected in access requests. This way, you can check the security status of your business at the earliest opportunity. | |
| Simple Log Service configurations | After you enable the Simple Log Service for WAF feature, WAF can collect and store the log data of your domain name. You can query and analyze the log data. By default, the Simple Log Service for WAF feature stores full logs for 180 days to meet Multi-Level Protection Scheme (MLPS) requirements. | |
Related operations
View and manage the domain names that are added to WAF
On the Domain Names tab of the Website Access page, you can view the domain names that are added to WAF and perform the following operations:
Upload an HTTPS certificate: If your domain name supports HTTPS, make sure that valid certificate and private key files are uploaded to WAF to ensure that WAF protects HTTPS requests. To upload the certificate and private key files for the domain name, click the icon in the Origin Server column.
For more information, see Upload an HTTPS certificate.
Enable IPv6 traffic protection: If you want to protect IPv6 traffic that is sent to your domain name, turn on IPV6 for the domain name in the Quick Access column.
For more information, see Enable IPv6 traffic protection.
Enable Simple Log Service for WAF: Turn on Log Service in the Quick Access column to enable the Simple Log Service for WAF feature. You can use this feature to collect the logs of your domain name. Then, you can use the logs for query, analysis, dashboard data visualization, and alerting. For more information, see Get started with the Simple Log Service for WAF feature.
Note: The Simple Log Service for WAF feature is a value-added feature of WAF. Before you can use the feature, you must enable the feature. For more information, see Step 1: Enable the Simple Log Service for WAF feature.
Configure protection resources: Click the icon to the right of Protection Resource in the Quick Access column. Then, configure the protection resource for the domain name.
The following types of protection resources are supported:
Shared Cluster and Shared IP Address: This is the default value.
Shared Cluster and Exclusive IP Address: For more information about exclusive IP addresses, see Exclusive IP addresses.
Shared Cluster and Intelligent Load Balancing: For more information about global load balancing, see Intelligent load balancing.
Exclusive Cluster: For more information about exclusive clusters, see Create an exclusive cluster.
View attack reports: Click View Report in the Attack Monitoring column to go to the Security Report page. On the page that appears, you can view a protection report of the domain name. For more information, see View security reports.
Configure protection policies: Click Configure Protection in the Actions column to go to the Website Protection page. On the page that appears, you can configure the Web Security, Bot Management, and Access Control/Throttling modules. For more information, see Overview of website protection configuration.
Modify domain name configurations: Click Modify in the Actions column to modify domain name configurations such as the protocol type, server address, and server port. You cannot modify the domain name.
Delete a domain name: Click Delete in the Actions column.
Warning: Before you delete a domain name, you must modify the DNS record to map the domain name to the IP address of the origin server. If you do not modify the DNS record, the requests that are sent to the domain name cannot be forwarded after the domain name is deleted.
Check the validity of ICP filing information
After you add the domain name to WAF, make sure that the ICP filing information is valid. To comply with relevant laws and regulations, WAF instances regularly check the added domain names. Domain names whose ICP filing information is invalid cannot be protected by WAF. If the ICP filing information of your domain name is invalid, perform the following operations:
Update the ICP filing information of your domain name.
Click the Domain Names tab on the Website Access page. Find the domain name whose ICP filing information is updated and click Add Again in the Actions column.
View the DNS resolution status of a domain name
WAF checks the DNS resolution status of protected domain names and identifies domain names whose DNS records are abnormal. You can view the DNS resolution status of the domain names that you added to WAF in the domain name list and modify the DNS records based on the error messages that are displayed in the WAF console.
| DNS Verification Status | Description | Operation |
| --- | --- | --- |
| The DNS resolution is normal. | The domain name is pointed to the CNAME that is provided by WAF. | None. |
| The DNS resolution is abnormal. An A record is used. | An A record is used and service interruptions may occur. | Delete the A record and add a CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name. |
| The DNS resolution is abnormal. An invalid IP address of your WAF instance is used. | An A record is used and the domain name is pointed to an invalid WAF IP address. Service interruptions may occur. | Delete the A record and add a CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name. |
| The DNS resolution is abnormal. An invalid CNAME is used. | A CNAME record is used and the domain name is pointed to an invalid CNAME. Service interruptions may occur. | Modify the CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name. |
| The issue of unknown DNS resolution occurs. A proxy is deployed. | A Layer 7 proxy is used in front of WAF and the back-to-origin address is not the CNAME that is provided by WAF. | Check whether the back-to-origin address is the CNAME that is provided by WAF. |
| The verification timed out. | None. | Click the icon to recheck the DNS resolution status. |
| No DNS resolution records are found. No DNS records are configured. | No DNS records are configured for the domain name. A CNAME record must be added to point the domain name to the CNAME that is provided by WAF. | Add a CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name. |
| Failed to point to WAF. No DNS records are configured. | The domain name is not pointed to the CNAME provided by WAF. A CNAME record must be added to point the domain name to the CNAME that is provided by WAF. | Modify the CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name. |
FAQ
For more information, see FAQ about website access configuration in FAQ.