In CNAME record mode, Web Application Firewall (WAF) uses specific back-to-origin CIDR blocks to forward normal traffic back to an origin server. After you add a website to WAF in CNAME record mode, you must configure security software or access control policies for the origin server to allow inbound traffic from the back-to-origin CIDR blocks of WAF.
Scenarios
In CNAME record mode, if you use security software such as SafeDog or Yunsuo for your origin server, you must add the back-to-origin CIDR blocks of WAF to the IP address whitelist of the security software. This way, the security software does not block the normal traffic forwarded by WAF to the origin server.
FAQ
Obtain the back-to-origin CIDR blocks of WAF
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
Click the CNAME Record tab.
Click Back-to-origin CIDR Blocks above the domain name list.
In the Back-to-origin CIDR Block message, click Copy to copy all back-to-origin CIDR blocks to the clipboard.
NoteThe back-to-origin CIDR blocks that you copy are separated by commas (,).
What to do next
After you obtain the back-to-origin CIDR blocks of WAF, you must add them to the IP address whitelist of the security software on the origin server. You can also configure access control policies for the origin server to allow inbound traffic only from the back-to-origin CIDR blocks of WAF.
If you do not add the back-to-origin CIDR blocks of WAF to the IP address whitelist of the security software on the origin server, normal requests forwarded by WAF may be blocked. This may cause service interruptions.
For security purposes, we recommend that you configure access control policies for the origin server to allow inbound traffic only from the back-to-origin CIDR blocks of WAF. This way, attackers cannot bypass WAF to attack the origin server.