ALIYUN::WAF3::TGW - Resource Orchestration Service - Alibaba Cloud Documentation Center

ALIYUN::WAF3::TGW is used to add a resource to Web Application Firewall (WAF) in transparent proxy mode.

Syntax

{
  "Type": "ALIYUN::WAF3::TGW",
  "Properties": {
    "InstanceId": String,
    "Listen": Map,
    "ResourceGroupId": String,
    "Redirect": Map
  }
}

Properties

Property	Type	Required	Editable	Description	Constraint
InstanceId	String	Yes	No	The ID of the WAF instance.	None.
Listen	Map	Yes	Yes	The listener configurations.	For more information, see the "Listen properties" section of this topic.
ResourceGroupId	String	No	Yes	The ID of the resource group.	None.
Redirect	Map	No	Yes	The forwarding configurations.	None.

Listen syntax

"Listen": {
  "CustomCiphers": List,
  "TLSVersion": String,
  "Http2Enabled": Boolean,
  "CipherSuite": Integer,
  "EnableTLSv3": Boolean,
  "Port": Integer,
  "ResourceProduct": String,
  "Certificates": List,
  "Protocol": String,
  "ResourceInstanceId": String
}

Listen properties

Property	Type	Required	Editable	Description	Constraint
Port	Integer	Yes	No	The listening port.	None.
Protocol	String	Yes	No	The protocol type.	None.
ResourceProduct	String	Yes	No	The cloud service to which the resource belongs.	None.
ResourceInstanceId	String	Yes	No	The ID of the resource that you want to add to WAF.	None.
CustomCiphers	List	No	Yes	The custom cipher suites.	You can use this property only when CipherSuite is set to 99. You can specify up to five custom cipher suites.
CipherSuite	Integer	No	Yes	The type of the cipher suites that you want to add.	Valid values: 1: all cipher suites 2: strong cipher suites 99: custom cipher suites
Certificates	List	No	Yes	The domain names that you want to bind to certificates.	You can bind up to 10 certificates.
EnableTLSv3	Boolean	No	Yes	Specifies whether to support Transport Layer Security (TLS) 1.3.	Valid values: true false
Http2Enabled	Boolean	No	Yes	Specifies whether to enable HTTP/2.	Valid values: true false
TLSVersion	String	No	Yes	The TLS version.	Valid values: tlsv1 tlsv1.1 tlsv1.2

Certificates syntax

"Certificates": [
  {
    "AppliedType": String,
    "CertificateId": String
  }
]

Certificates properties

Property

Type

Required

Editable

Description

Constraint

AppliedType

String

Yes

The type of the HTTPS certificate.

Valid values:

default: default certificate
extension: additional certificate

CertificateId

String

Yes

The ID of the added certificate.

None.

Redirect syntax

"Redirect": {
  "XffHeaders": List,
  "WriteTimeout": Integer,
  "XffHeaderMode": Integer,
  "Keepalive": Boolean,
  "RequestHeaders": List,
  "KeepaliveRequests": Integer,
  "KeepaliveTimeout": Integer,
  "ReadTimeout": Integer,
  "XffProto": Boolean
}

Redirect properties

Property	Type	Required	Editable	Description	Constraint
Keepalive	Boolean	No	Yes	Specifies whether to enable the persistent connection feature.	Valid values: true (default) false
KeepaliveRequests	Integer	No	Yes	The number of reused persistent connections.	Valid values: 60 to 1000.
KeepaliveTimeout	Integer	No	Yes	The timeout period for an idle persistent connection.	Valid values: 1 to 60. Default value: 15. Unit: seconds.
RequestHeaders	List	No	Yes	The header fields in the key-value format.	You can use this property to label traffic that is processed by WAF.
ReadTimeout	Integer	No	Yes	The timeout period for a read connection.	Unit: seconds. Valid values: 1 to 3600.
WriteTimeout	Integer	No	Yes	The timeout period for a write connection.	Unit: seconds. Valid values: 1 to 3600.
XffHeaders	List	No	Yes	The custom header fields that are used to obtain the actual IP address of a client.	Value format: ["header1", "header2", ...]. You can specify up to 20 custom header fields.
XffHeaderMode	Integer	No	Yes	The method that WAF uses to obtain the actual IP address of a client.	Valid values: 0: Traffic from the client is not forwarded by Layer 7 proxies before the traffic reaches WAF. 1: WAF reads the first value of the X-Forwarded-For (XFF) header field as the actual IP address of the client. 2: WAF reads the value of a custom header field as the actual IP address of the client.
XffProto	Boolean	No	Yes	Specifies whether to use the X-Forward-For-Proto header to identify the protocol used by WAF to forward requests to the origin server.	Valid values: true (default) false

RequestHeaders syntax

"RequestHeaders": [
  {
    "Value": String,
    "Key": String
  }
]

RequestHeaders properties

Property	Type	Required	Editable	Description	Constraint
Key	String	No	Yes	The key of the custom header field.	None.
Value	String	No	Yes	The value of the custom header field.	None.

Return values

Fn::GetAtt

InstanceId: the ID of the WAF instance.
Port: the port of the cloud service to which the resource belongs.
ResourceProduct: the cloud service to which the resource belongs.
TgwId: the ID of the resource that is added to WAF in transparent proxy mode.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  InstanceId:
    Type: String
    Description:
      en: The ID of the WAF instance.
    Required: true
  Listen:
    AssociationPropertyMetadata:
      Parameters:
        CustomCiphers:
          Type: Json
          Description:
            en: Customize the encryption suite list. This parameter is used only when CipherSuite is set to 99.
          Required: false
          MinLength: 0
          MaxLength: 5
        TLSVersion:
          Type: String
          Description:
            en: |-
              The TLS version to be added. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:
              tlsv1
              tlsv1.1
              tlsv1.2
          AllowedValues:
            - tlsv1
            - tlsv1.1
            - tlsv1.2
          Required: false
        Http2Enabled:
          Type: Boolean
          Description:
            en: |-
              Whether to enable HTTP2. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:
              true: Enable HTTP2.
              false (default): Disable HTTP2.
          Required: false
        CipherSuite:
          Type: Number
          Description:
            en: |-
              The type of encryption suite to be added. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:
              1: Indicates adding all encryption suites.
              2: Indicates adding a strong encryption suite. This value can be selected only when the value of TLSVersion is tlsv1.2.
              99: Indicates adding a custom encryption suite.
          Required: false
        EnableTLSv3:
          Type: Boolean
          Description:
            en: |-
              Whether to support TSL1.3 version. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Value:
              true: indicates that TSL1.3 version is supported.
              false: indicates that TSL1.3 version is not supported.
          Required: false
        Port:
          Type: Number
          Description:
            en: Access the cloud product port of WAF.
          Required: true
        ResourceProduct:
          Type: String
          Description:
            en: Access to WAF cloud products.
          Required: true
        Certificates:
          AssociationPropertyMetadata:
            Parameters:
              AppliedType:
                Type: String
                Description:
                  en: |-
                    The certificate type for the HTTPS protocol. Valid values:
                    default: Indicates the default certificate.
                    extension: Indicates an extended certificate.
                AllowedValues:
                  - default
                  - extension
                Required: false
              CertificateId:
                Type: String
                Description:
                  en: The ID of the certificate that was added.
                Required: false
          AssociationProperty: List[Parameters]
          Type: Json
          Description:
            en: The domain name bound to the certificate.
          Required: false
          MinLength: 0
          MaxLength: 10
        Protocol:
          Type: String
          Description:
            en: Protocol type
          Required: true
        ResourceInstanceId:
          Type: String
          Description:
            en: The instance ID of the cloud product connected to WAF.
          Required: true
    Type: Json
    Description:
      en: Listening information.
    Required: true
Resources:
  ExtensionResource:
    Type: ALIYUN::WAF3::TGW
    Properties:
      InstanceId:
        Ref: InstanceId
      Listen:
        Ref: Listen
Outputs:
  InstanceId:
    Description: The ID of the WAF instance.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - InstanceId
  Port:
    Description: Access the cloud product port of WAF.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - Port
  ResourceProduct:
    Description: Access to WAF cloud products.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - ResourceProduct
  TgwId:
    Description: The protection object ID of the transparent access resource.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - TgwId

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "InstanceId": {
      "Type": "String",
      "Description": {
        "en": "The ID of the WAF instance."
      },
      "Required": true
    },
    "Listen": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "CustomCiphers": {
            "Type": "Json",
            "Description": {
              "en": "Customize the encryption suite list. This parameter is used only when CipherSuite is set to 99."
            },
            "Required": false,
            "MinLength": 0,
            "MaxLength": 5
          },
          "TLSVersion": {
            "Type": "String",
            "Description": {
              "en": "The TLS version to be added. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:\ntlsv1\ntlsv1.1\ntlsv1.2"
            },
            "AllowedValues": [
              "tlsv1",
              "tlsv1.1",
              "tlsv1.2"
            ],
            "Required": false
          },
          "Http2Enabled": {
            "Type": "Boolean",
            "Description": {
              "en": "Whether to enable HTTP2. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:\ntrue: Enable HTTP2.\nfalse (default): Disable HTTP2."
            },
            "Required": false
          },
          "CipherSuite": {
            "Type": "Number",
            "Description": {
              "en": "The type of encryption suite to be added. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:\n1: Indicates adding all encryption suites.\n2: Indicates adding a strong encryption suite. This value can be selected only when the value of TLSVersion is tlsv1.2.\n99: Indicates adding a custom encryption suite."
            },
            "Required": false
          },
          "EnableTLSv3": {
            "Type": "Boolean",
            "Description": {
              "en": "Whether to support TSL1.3 version. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Value:\ntrue: indicates that TSL1.3 version is supported.\nfalse: indicates that TSL1.3 version is not supported."
            },
            "Required": false
          },
          "Port": {
            "Type": "Number",
            "Description": {
              "en": "Access the cloud product port of WAF."
            },
            "Required": true
          },
          "ResourceProduct": {
            "Type": "String",
            "Description": {
              "en": "Access to WAF cloud products."
            },
            "Required": true
          },
          "Certificates": {
            "AssociationPropertyMetadata": {
              "Parameters": {
                "AppliedType": {
                  "Type": "String",
                  "Description": {
                    "en": "The certificate type for the HTTPS protocol. Valid values:\ndefault: Indicates the default certificate.\nextension: Indicates an extended certificate."
                  },
                  "AllowedValues": [
                    "default",
                    "extension"
                  ],
                  "Required": false
                },
                "CertificateId": {
                  "Type": "String",
                  "Description": {
                    "en": "The ID of the certificate that was added."
                  },
                  "Required": false
                }
              }
            },
            "AssociationProperty": "List[Parameters]",
            "Type": "Json",
            "Description": {
              "en": "The domain name bound to the certificate."
            },
            "Required": false,
            "MinLength": 0,
            "MaxLength": 10
          },
          "Protocol": {
            "Type": "String",
            "Description": {
              "en": "Protocol type"
            },
            "Required": true
          },
          "ResourceInstanceId": {
            "Type": "String",
            "Description": {
              "en": "The instance ID of the cloud product connected to WAF."
            },
            "Required": true
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Listening information."
      },
      "Required": true
    }
  },
  "Resources": {
    "ExtensionResource": {
      "Type": "ALIYUN::WAF3::TGW",
      "Properties": {
        "InstanceId": {
          "Ref": "InstanceId"
        },
        "Listen": {
          "Ref": "Listen"
        }
      }
    }
  },
  "Outputs": {
    "InstanceId": {
      "Description": "The ID of the WAF instance.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "InstanceId"
        ]
      }
    },
    "Port": {
      "Description": "Access the cloud product port of WAF.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "Port"
        ]
      }
    },
    "ResourceProduct": {
      "Description": "Access to WAF cloud products.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "ResourceProduct"
        ]
      }
    },
    "TgwId": {
      "Description": "The protection object ID of the transparent access resource.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "TgwId"
        ]
      }
    }
  }
}