FAQ about web service addition - Web Application Firewall

This topic provides answers to some frequently asked questions about how to add web services to Web Application Firewall (WAF) 3.0.

Overview

Issues that may occur when web services are added to WAF
- I cannot find the CLB, NLB, or ECS instance to add on the Website Configuration page. What do I do?
- When I add an HTTPS listener port of a CLB instance to WAF, the system prompts that the certificate required for instance is incomplete. What do I do?
Issues that may occur on origin servers after web services are added to WAF
- WAF returns HTTP 502 status codes after web services are added to WAF. What do I do?

I cannot find the CLB, NLB, or ECS instance to add on the Website Configuration page. What do I do?

Problem description

You cannot find the Classic Load Balancer (CLB), Network Load Balancer (NLB), or Elastic Compute Service (ECS) instance that you want to add to WAF on the Website Configuration page.

Solution

Cause	Operation
The CLB, NLB, or ECS instance does not meet the requirements.	Check whether the CLB, NLB, or ECS instance meets the requirements specified in the "Limits" section in the following topics: Enable WAF protection for a Layer 7 CLB instance, Enable WAF protection for a Layer 4 CLB instance, Enable WAF protection for an NLB instance, and Enable WAF protection for an ECS instance.
The required listener is not added to the CLB instance.	Add a listener to a Layer 7 CLB instance. For more information, see Add an HTTP listener and Add an HTTPS listener. Add a listener to a Layer 4 CLB instance. For more information, see Add a TCP listener.
The CLB, NLB, or ECS instance is not synchronized to WAF.	Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland. In the left-side navigation pane, click Website Configuration. Select the required cloud service and click Add. In the panel that appears, click Synchronize Instances.

When I add an HTTPS listener port of a CLB instance to WAF, the system prompts that the certificate required for instance is incomplete. What do I do?

Problem description

When you add an HTTPS listener port of a CLB instance to WAF, WAF checks the source of the certificate configured for the port. The following error message appears: The CLB certificate whose port number is {port} is incomplete. Go to the SLB console and select a certificate that is from Certificate Management Service.

Cause

The certificate is not purchased by using Alibaba Cloud Certificate Management Service (Original SSL Certificate) and is not uploaded to Certificate Management Service (Original SSL Certificate).
The certificate configured for the HTTPS listener port of the CLB instance is uploaded in the CLB instance. In this case, the certificate cannot be automatically synchronized to Certificate Management Service. However, WAF obtains certificate information only from Certificate Management Service. As a result, WAF cannot obtain the complete information of the certificate and the error message appears.
The certificate was uploaded to Certificate Management Service but was manually deleted. In this case, WAF cannot obtain the information about the certificate from Certificate Management Service (Original SSL Certificate).

Solution

Upload your certificate to Certificate Management Service (Original SSL Certificate). For more information, see Upload an SSL certificate.
Add the certificate in the CLB console and select Alibaba Cloud Certificates for Select Certificate Source. For more information, see Use a certificate from Alibaba Cloud SSL Certificates Service.
In the CLB console, select the added certificate for your port. For more information, see Step 2: Configure an SSL certificate.

WAF returns HTTP 502 status codes after web services are added to WAF. What do I do?

Problem description

When you access the web services that are added to WAF, WAF returns HTTP 502 status codes. Logs are queried, and the results include requests for which WAF returns HTTP 502 status codes.

Cause and solution

Scenario 1: HTTP 502 status codes are occasionally returned after you enable WAF protection for a Layer 7 CLB instance

Current network architecture

Cause analysis

The timeout period of idle connections from WAF to CLB is 3,600 seconds, equivalent to 1 hour.

If no data is transmitted over a connection from WAF to CLB within 1 hour, WAF automatically closes the connection.

The timeout period of idle connections from CLB to WAF is 15 seconds.

In this case, WAF serves as the clients of CLB. If no data is transmitted over a connection from CLB to WAF within 15 seconds, CLB automatically closes the connection.

In extreme cases, WAF returns a back-to-origin request to CLB over a persistent connection at the point in time when the connection is aged. CLB ages a persistent connection if no data is transmitted over the connection within 15 seconds. In this case, CLB does not store information about the persistent connection and sends an RST packet to terminate the connection. In this case, WAF logs the request by using an HTTP 502 status.

Solution

Change the value of the Timeout Period of Idle Keep-alive Requests parameter in the configuration of the CLB instance to a value that is shorter than the timeout period of idle connections from CLB to WAF. For example, you can change the value to 14 seconds.

Scenario 2: HTTP 502 status codes are returned if URIs are excessively long

Current network architecture

Cause analysis

Layer 7 CLB serves as the next hop when WAF forwards traffic. However, CLB supports only requests whose Uniform Resource Identifiers (URIs) are up to 32 KB in length. If the URI length of requests exceeds the upper limit, CLB rejects the requests. In this case, CLB records HTTP 414 status codes in logs, and WAF returns HTTP 502 status codes.

Solution

Reduce the URI length. For large amounts of data, use the POST method to transmit data.