All Products
Search
Document Center

Web Application Firewall:Transparent proxy mode

Last Updated:May 11, 2024

You can add your website to Web Application Firewall (WAF) in transparent proxy mode by entering your website information without the need to modify the Domain Name System (DNS) record. If your origin server is deployed on an Alibaba Cloud Elastic Compute Service (ECS) or Internet-facing Server Load Balancer (SLB) instance, you can add your website to WAF in transparent proxy mode. This topic describes how to add a website to WAF in transparent proxy mode.

Note

If you migrated your WAF 2.0 instance to WAF 3.0, you can add your cloud service instances, such as ECS, Classic Load Balancer (CLB), and Application Load Balancer (ALB) instances, to WAF in cloud native mode. For more information, see Cloud native mode.

Limits

Item

Description

Types of cloud services

Internal-facing SLB instances and Internet-facing SLB instances that use IPv6 do not support the transparent proxy mode.

Regions in which the transparent proxy mode is available

The transparent proxy mode is available in the following regions:

  • Chinese mainland: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), and China (Shenzhen).

  • Outside the Chinese mainland: China (Hong Kong), Malaysia (Kuala Lumpur), and Indonesia (Jakarta).

Specific Internet-facing SLB instances do not support the transparent proxy mode due to network architecture issues.

Number of traffic redirection ports

The number of ports on which traffic can be redirected to WAF varies based on the WAF edition.

  • Pro Edition: up to 20 traffic redirection ports.

  • Business Edition: up to 50 traffic redirection ports.

  • Enterprise Edition: up to 100 traffic redirection ports.

You can add specific ports to WAF in transparent proxy mode. After a port is added to WAF, traffic on the port is redirected to WAF.

For example, if you add ports 80 and 443 of an SLB instance and ports 80 and 443 of another SLB instance to WAF in transparent proxy mode, traffic on the four ports is redirected to WAF.

Supported ports

Ports 0 to 65535 are supported, including standard and non-standard ports. For more information, see View the ports supported by WAF.

Note

Only subscription WAF instances of Business Edition, Enterprise Edition, or Exclusive Edition support non-standard ports.

Services protected by Anti-DDoS Proxy and WAF

If you add your services to Anti-DDoS Proxy by adding a domain name, you can add the services to WAF in transparent proxy mode and protect the services by using Anti-DDoS Proxy together with WAF.

If you add your services to Anti-DDoS Proxy by configuring port forwarding rules, you cannot add the services to WAF in transparent proxy mode. In this case, we recommend that you add your services to WAF in CNAME record mode. For more information, see Add a domain name to WAF in CNAME record mode.

Prerequisites

  • A WAF instance is purchased.

  • An Internet-facing SLB instance that uses IPv4 and is bound to a public IP address is created, and mutual authentication is disabled for the ports of the instance.

    Note

    If you use an internal-facing SLB instance that is associated with an elastic IP address (EIP), you can add your website to WAF in transparent proxy mode.

  • If the domain name of your website is hosted on a server in the Chinese mainland, apply for an Internet Content Provider (ICP) filing for the domain name. When you apply for an ICP filing by using the Alibaba Cloud ICP Filing system, the system displays the required operations based on the website information that you enter. For more information, see ICP filing scenarios.

  • The following operations are performed in sequence on the SSL certificate for the listener port:

    1. The certificate is uploaded to or issued in the Certificate Management Service console.

    2. The certificate is selected and configured when listeners are configured in the SLB console.

    Note

    Before you use WAF to protect a Layer 7 SLB instance, make sure that the preceding prerequisite is met.

  • WAF is authorized to access cloud resources. For more information, see Authorize WAF to access cloud resources.

Step 1: Add a domain name

Important
  • The first time you add an instance to WAF, web services may be interrupted for several seconds. If clients can be automatically reconnected, the web services automatically resume. Configure reconnection mechanisms and back-to-origin settings based on your business requirements.

  • If you perform the following operations after you add an instance to WAF, the traffic redirection ports are automatically removed from WAF. If you do not re-add the traffic redirection ports to WAF, traffic on the ports is not forwarded to WAF.

    • Change the public IP address, replace the certificate that is bound to a traffic redirection port with a third-party certificate, or enable mutual authentication for a Layer 7 CLB instance

    • Change the public IP address or enable mutual authentication for an ECS instance or Layer 4 CLB instance

  • If you add an ECS instance to WAF, traffic of the public IP address or EIP that is associated with the instance is redirected to WAF.

  • After you disassociate an EIP from the ECS instance, traffic of the EIP is not redirected to WAF.

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Asset Center > Website Access.

  3. On the Domain Names tab, click Website Access.

  4. On the Add Domain Name page, set the Access Mode parameter to Transparent Proxy Mode.

  5. In the Add Domain Name step, enter the domain name of your website and add a port. The following table describes the parameters.

    Parameter

    Description

    Domain Name

    Enter the domain name of the website that you want to add to WAF for protection. The domain name can be an exact-match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. When you enter a domain name, take note of the following items:

    • A wildcard domain name can cover all subdomains that are at the same level as the wildcard domain name. For example, *.aliyundoc.com can cover subdomains such as www.aliyundoc.com and test.aliyundoc.com.

      Important

      If you enter a wildcard domain name, WAF does not match the parent domain name of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match aliyundoc.com. If you want to use WAF to protect aliyundoc.com, you must separately add the domain name to WAF.

    • If you enter a wildcard domain name and an exact-match domain name, WAF uses the forwarding and protection rules of the exact-match domain name.

    Origin server port

    Select the origin server ports that you want to add to WAF.

    The following instances can be added to WAF in transparent proxy mode: ALB instances, Layer 7 SLB instances, Layer 4 SLB instances, and ECS instances. Click the corresponding tab based on the type of the instance that you want to add to WAF. If your origin server is deployed on an ALB instance and you want to enable WAF protection for traffic on the listener ports of the instance, click the ALB-based Domains tab.

    You can perform the following operations on the corresponding tab:

    • Add ports

      • The ports of ALB instances and Layer 7 SLB instances are automatically synchronized to WAF. You need to only select the ports that you want to add to WAF.

      • If you want to add Layer 4 SLB or ECS instances to WAF, manually add the ports to WAF. You can click Add to enable traffic redirection for the ports.

        After you add an origin server port, you can select the port in the instance list. You can also remove the port or disable traffic redirection on the Servers tab. For more information, see View origin servers and manage traffic redirection ports.

    • Enable WAF protection for the listener ports of the instance. For more information, see Configure a traffic redirection port for an ALB instance.

    Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF

    Specify whether a Layer 7 proxy, such as Anti-DDoS Proxy and Alibaba Cloud CDN, is deployed in front of WAF. Valid values:

    • No: No Layer 7 proxies are deployed in front of WAF. WAF receives requests from clients. WAF uses the IP address that is used by a client to establish a connection with WAF as the IP address of the client. WAF obtains the IP address from the REMOTE_ADDR field.

    • Yes: A Layer 7 proxy is deployed in front of WAF. WAF receives requests from the Layer 7 proxy. To make sure that WAF can obtain the actual IP address of a client for security analysis, configure the Obtain Source IP Address parameter.

      By default, WAF uses the first IP address in the X-Forwarded-For field as the IP address of a client.

      If you use a proxy that requires the actual IP addresses to be included in a custom header field, such as X-Client-IP or X-Real-IP, select [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery and enter a custom header field in the Header Field field.

      Note

      We recommend that you use custom header fields to store the IP addresses of clients and configure the custom header fields in WAF. This prevents attackers from forging X-Forwarded-For fields to bypass WAF protection and improves the security of your business.

      You can enter multiple header fields. Separate multiple header fields with commas (,). If you enter multiple header fields, WAF scans the header fields in sequence until the IP address of the client is obtained. If WAF cannot obtain the IP address of the client from the header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.

    Enable Traffic Mark

    Specify whether to enable the traffic marking feature.

    The feature adds custom header fields to WAF back-to-origin requests. You can specify or modify the custom header fields to label the requests that are forwarded by WAF or record the actual IP addresses or ports of clients.

    If you select Enable Traffic Mark, specify custom header fields.

    Important
    • We recommend that you do not configure a standard HTTP header field such as User-Agent. If you configure a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field.

    • If an attacker obtains the IP address of the origin server before you add the domain name to WAF and purchases another WAF instance to forward requests to the origin server, we recommend that you select Enable Traffic Mark and add custom header fields. After the origin server receives the requests, we recommend that you check the header fields. If the specified custom header fields exist in a request, the request is allowed.

    You can add the following types of header fields:

      Click Add Mark to add a header field. You can add up to five header fields.

      Resource Group

      Select a resource group to which you want to add the domain name.

      Note

      You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.

    • In the Check and Confirm Added Information step, check and confirm the configurations and click Next.

    • In the Add Completed step, click Completed. Return to the website list.

      After you add the domain name, you can view the configurations and origin server of the domain name on the Domain Names tab. You can modify or delete the domain name configurations based on your business requirements.

      By default, WAF detects traffic on the port that is enabled in the Add Domain Name step and forwards normal traffic to the origin server. On the Servers tab, you can change the traffic protection status of a port based on your business requirements.

    Step 2: View and manage traffic redirection ports

    View origin servers and manage traffic redirection ports

    After you add a domain name to WAF, you can view information about the origin server. You can forcibly disable traffic redirection or remove traffic redirection ports in emergency disaster recovery scenarios.

    1. On the Website Access page, click the Servers tab.

    2. You can click the 展开 icon on the left side of an instance name to view the ports that are added to WAF.

      防护状态

      Note

      The ports of Layer 4 SLB and ECS instances cannot be automatically synchronized to WAF. You must manually add the ports to WAF. For more information, see Add ports.

      Description of Traffic Status:

      • Traffic Status (labeled as 1 in the preceding figure) indicates whether traffic on the port is protected by WAF. Valid values: Enabled and Disabled. In the Actions column, you can click Enable Traffic Redirection to enable traffic redirection or Disable Traffic Redirection to disable traffic redirection.

        Note

        If you disable traffic redirection, traffic on the port is no longer redirected to WAF.

      • Traffic Status (labeled as 2 in the preceding figure) indicates the overall WAF protection status of the ports of the instance. Valid values: Unprotected, Partially Protected, and Fully Protected.

    3. Optional. If your instance is a Layer 4 SLB instance or an ECS instance, click Delete in the Actions column. In the Tips message, click Confirm to remove the port that no longer requires WAF protection.

    Update the certificates of traffic redirection ports

    • If the instance is an ALB instance or a Layer 7 SLB instance, you do not need to upload another certificate.

      • If the certificate configured for the listener port of the instance is updated, you need to update the certificate only in the SLB console. The updated certificate is automatically synchronized to WAF. The time required to synchronize a certificate to WAF is approximately 30 minutes.

        Important
        • If the certificate that is bound to a traffic redirection port is replaced with a certificate that is not purchased by using Alibaba Cloud Certificate Management Service, update the certificate and re-add the instance to WAF.

        • If an SLB instance is associated with a certificate that has expired, the certificate cannot be automatically synchronized to WAF. Delete the certificate and then synchronize the new certificate.

      • If the certificate that is automatically synchronized to WAF does not take effect, click the 更新 icon on the Servers tab to manually update the certificate.

    • If the instance is an ECS instance or a Layer 4 SLB instance, you must re-upload a certificate in the WAF console.

      On the Servers tab, find the instance whose certificate you want to update and click Edit in the Actions column. In the dialog box that appears, set the Upload Type parameter to Manual Upload or Select Existing Certificate and then upload a certificate. 上传证书

    What to do next

    After you add a website to WAF, all traffic to the website is detected and filtered by WAF. WAF provides multiple features to protect websites against different types of attacks. By default, the Protection Rules Engine and HTTP Flood Protection features are enabled. The Protection Rules Engine feature protects websites against common web attacks, such as SQL injection attacks, cross-site scripting (XSS) attacks, and webshell uploads. The HTTP Flood Protection feature protects websites against HTTP flood attacks. You can enable other features and configure protection rules for the features based on your business requirements. For more information, see Overview of website protection configuration.

    References