CreateDomain - Web Application Firewall - Alibaba Cloud Documentation Center

Adds a domain name to a WAF instance to enable protection.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-waf:CreateDomain

create

*DefenseResource

acs:yundun-waf:{#regionId}:{#accountId}:defenseresource/*

None

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	The ID of the WAF instance. Note Call the DescribeInstance operation to query the ID of the WAF instance.	waf_cdnsdf3****
ResourceManagerResourceGroupId	string	No	The ID of the Alibaba Cloud resource group.	rg-acfm***q
Domain	string	Yes	Specifies the domain name to query.	www.aliyundoc.com
Listen	object	Yes	The listener configuration.
HttpsPorts	array	No	The HTTPS listener ports.
	integer	No	The HTTPS listener ports. Use the [port1,port2,...,portN] format.	[443,8443]
HttpPorts	array	No	The HTTP listener ports.
	integer	No	The HTTP listener ports. Use the [port1,port2,...] format.	[80,81]
Http2Enabled	boolean	No	Specifies whether to enable HTTP/2. This parameter is available only when you specify the HttpsPorts parameter. Valid values: true: enables HTTP/2. false (default): disables HTTP/2.	true
CertId	string	No	The ID of the certificate. This parameter is available only when you specify the HttpsPorts parameter.	123
SM2Enabled	boolean	No	Specifies whether to enable the SM certificate.	true
SM2CertId	string	No	The ID of the SM certificate. This parameter is available only when you set SM2Enabled to true.	123-cn-hangzhou
SM2AccessOnly	boolean	No	Specifies whether to allow access only from clients that use SM certificates. This parameter is available only when you set SM2Enabled to true. true: Only clients that use SM certificates can access the domain name. false: All clients can access the domain name.	true
TLSVersion	string	No	The TLS version. This parameter is available only when you specify the HttpsPorts parameter. Valid values: tlsv1 tlsv1.1 tlsv1.2	tlsv1
EnableTLSv3	boolean	No	Specifies whether to enable TLS 1.3. This parameter is available only when you specify the HttpsPorts parameter. Valid values: true: enables TLS 1.3. false: disables TLS 1.3.	true
CipherSuite	integer	No	The type of the cipher suite. This parameter is available only when you specify the HttpsPorts parameter. Valid values: 1: all cipher suites. 2: strong cipher suites. You can select this value only when you set TLSVersion to tlsv1.2. 99: custom cipher suites.	2
CustomCiphers	array	No	The custom cipher suites.
	string	No	The custom cipher suites. This parameter is available only when you set CipherSuite to 99.	["xxx","ffas"]
FocusHttps	boolean	No	Specifies whether to enable an HTTPS force redirect. This parameter is available only when you specify the HttpsPorts parameter and leave the HttpPorts parameter empty. Valid values: true: enables an HTTPS force redirect. false: disables an HTTPS force redirect.	true
XffHeaderMode	integer	No	The method that WAF uses to obtain the real IP address of a client. Valid values: 0 (default): No Layer 7 proxies are deployed before WAF. 1: WAF reads the first value of the X-Forwarded-For (XFF) header field to obtain the real IP address. 2: WAF reads the value of a custom header field to obtain the real IP address.	1
XffHeaders	array	No	The custom header fields that are used to obtain the real IP address of a client.
	string	No	The custom header fields. Use the ["header1","header2",...] format. Note This parameter is required only when you set XffHeaderMode to 2.	["Client-ip","cip"]
IPv6Enabled	boolean	No	Specifies whether to enable IPv6. Valid values: true: enables IPv6. false (default): disables IPv6.	true
ProtectionResource	string	No	The type of the protection resource. Valid values: share (default): shared cluster. gslb: shared cluster-based intelligent load balancing.	share
ExclusiveIp	boolean	No	Specifies whether to enable the exclusive IP address feature. This parameter is available only when you set IPv6Enabled to false and ProtectionResource to share. Valid values: true: enables the exclusive IP address feature. false (default): disables the exclusive IP address feature.	true
Redirect	object	Yes	The forwarding configuration.
Backends	array	No	The back-to-origin IP addresses or domain names of the origin server.
	string	No	The back-to-origin IP addresses or domain names. You can specify only one type of back-to-origin address. If you use a domain name for back-to-origin, only IPv4 is supported. IPv6 is not supported. If you use IP addresses, use the ["ip1","ip2",...] format. You can add up to 20 IP addresses. If you use a domain name, use the ["domain"] format. You can add up to 20 domain names.	[ "1.1.XX.XX", "2.2.XX.XX" ]
Loadbalance	string	Yes	The load balancing algorithm for back-to-origin traffic. Valid values: iphash: the IP hash algorithm. roundRobin: the round-robin algorithm. leastTime: the least time algorithm. You can select this value only when you set ProtectionResource to gslb.	roundRobin
FocusHttpBackend	boolean	No	Specifies whether to enable a force redirect to HTTP for back-to-origin traffic. This parameter is available only when you specify the HttpsPorts parameter. Valid values: true: enables a force redirect to HTTP for back-to-origin traffic. false: disables a force redirect to HTTP for back-to-origin traffic.	true
SniEnabled	boolean	No	Specifies whether to enable back-to-origin Server Name Indication (SNI). This parameter is available only when you specify the HttpsPorts parameter. Valid values: true: enables back-to-origin SNI. false (default): disables back-to-origin SNI.	true
SniHost	string	No	The value of the custom SNI field. If you do not specify this parameter, the value of the Host field in the request header is used as the value of the SNI field. You do not need to specify a custom SNI unless your business requires WAF to use an SNI that is different from the Host field for back-to-origin requests. Note This parameter is required only when you set SniEnabled to true.	www.aliyundoc.com
RequestHeaders	array<object>	No	The custom header field and its value. The header is used to mark the traffic that is processed by WAF. When a request passes through WAF, WAF automatically adds the custom header field and its value to the request header. This helps the backend service identify and count the traffic.
	object	No	The value of this parameter is in the [*{"k":"key","v":"value"}] format. key* is the custom request header field. value is the value of the field.
Key	string	No	The custom request header field.	aaa
Value	string	No	The value of the custom request header field.	bbb
ConnectTimeout	integer	No	The connection timeout. Unit: seconds. Valid values: 1 to 3600. Default value: 5.	120
ReadTimeout	integer	No	The read timeout. Unit: seconds. Valid values: 1 to 3600. Default value: 120.	200
WriteTimeout	integer	No	The write timeout. Unit: seconds. Valid values: 1 to 3600. Default value: 120.	200
CnameEnabled	boolean	No	Specifies whether to enable public cloud disaster recovery. Valid values: true: enables public cloud disaster recovery. false (default): disables public cloud disaster recovery.	true
RoutingRules	string	No	The forwarding rules for the hybrid cloud cluster. Specify the value as a string that consists of a JSON array. Each element in the array is a struct that contains the following fields: rs: an array of back-to-origin IP addresses or CNAMEs. backupRs: an array of backup back-to-origin IP addresses or CNAMEs. This field is required. Set the value to [] if you do not want to specify backup addresses. location: the name of the protection node. locationId: the ID of the protection node.	[ { "rs": [ "1.1.XX.XX" ], "backupRs": [ "2.2.XX.XX" ], "locationId": 535, "location": "test1111" } ]
Keepalive	boolean	No	Specifies whether to enable persistent connections. Valid values: true (default): enables persistent connections. false: disables persistent connections.	true
Retry	boolean	No	Specifies whether to retry a failed back-to-origin request. Valid values: true (default): retries a failed request. false: does not retry a failed request.	true
KeepaliveRequests	integer	No	The number of requests that can be reused in a persistent connection. Valid values: 60 to 1000. Default value: 1000. Note This parameter specifies the number of requests that can be reused after a persistent connection is established.	1000
KeepaliveTimeout	integer	No	The timeout period for an idle persistent connection. Valid values: 1 to 60. Default value: 15. Unit: seconds. Note This parameter specifies the duration after which an idle persistent connection is released.	15
XffProto	boolean	No	Specifies whether to use the X-Forward-For-Proto header to pass the protocol used by WAF. Valid values: true (default): passes the protocol used by WAF. false: does not pass the protocol used by WAF.	false
BackupBackends	array	No	The backup back-to-origin IP addresses or domain names of the origin server.
	string	No	The backup back-to-origin IP addresses or domain names. You can specify only one type of back-to-origin address. If you use a domain name for back-to-origin, only IPv4 is supported. IPv6 is not supported. If you use IP addresses, use the ["ip1","ip2",...] format. You can add up to 20 IP addresses. If you use a domain name, use the ["domain"] format. You can add up to 20 domain names.	[ "1.1.XX.XX", "2.2.XX.XX" ]
XClientIp	boolean	No	Specifies whether to allow WAF to overwrite the X-Client-IP header. Valid values: true (default): allows WAF to overwrite the header. false: does not allow WAF to overwrite the header.	true
XTrueIp	boolean	No	Specifies whether to allow WAF to overwrite the X-True-IP header. Valid values: true (default): allows WAF to overwrite the header. false: does not allow WAF to overwrite the header.	true
WebServerType	boolean	No	Specifies whether to allow WAF to overwrite the Web-Server-Type header. Valid values: true (default): allows WAF to overwrite the header. false: does not allow WAF to overwrite the header.	true
WLProxyClientIp	boolean	No	Specifies whether to allow WAF to overwrite the WL-Proxy-Client-IP header. Valid values: true (default): allows WAF to overwrite the header. false: does not allow WAF to overwrite the header.	true
MaxBodySize	integer	No	The maximum size of a request body. Valid values: 2 to 10. Default value: 2. Unit: GB. Note This parameter is supported only by the Ultimate edition.	2
Http2Origin	boolean	No	Specifies whether to enable HTTP/2 for back-to-origin traffic. Valid values: true: enables HTTP/2 for back-to-origin traffic. false: disables HTTP/2 for back-to-origin traffic.	true
Http2OriginMaxConcurrency	integer	No	The maximum number of concurrent HTTP/2 back-to-origin requests. Valid values: 1 to 512. Default value: 128.	128
BackendPorts	array<object>	No	The custom port configuration.
	object	No	The custom port configuration.
ListenPort	integer	No	The listener port.	80
BackendPort	integer	No	The back-to-origin port.	80
Protocol	string	No	The protocol of the listener port. Valid values: http: HTTP. https: HTTPS.	http
RegionId	string	Yes	The region where the WAF instance resides. Valid values: cn-hangzhou: the Chinese mainland. ap-southeast-1: outside the Chinese mainland.	cn-hangzhou
AccessType	string	No	The access type of the WAF instance. Valid values: share (default): CNAME access. hybrid_cloud_cname: hybrid cloud CNAME access.	share
Tag	array<object>	No	A list of tags. You can add up to 20 tags.
	object	No	The tag of the resource. You can add up to 20 tags.
Key	string	No	The tag key.	Tagkey1
Value	string	No	The tag value.	TagValue1

Response elements

Element	Type	Description	Example
	object	The result of the request.
RequestId	string	The request ID.	D7861F61-5B61-46CE-A47C-6B19160D5EB0
DomainInfo	object	The information about the added domain name.
Cname	string	The CNAME that is assigned by WAF to the domain name.	xxxxxwww.****.com
Domain	string	The added domain name.	www.aliyundoc.com
DomainId	string	The domain name ID.	www.aliyundoc.com-waf

Examples

Success response

JSON format

{
  "RequestId": "D7861F61-5B61-46CE-A47C-6B19160D5EB0",
  "DomainInfo": {
    "Cname": "xxxxxwww.****.com",
    "Domain": "www.aliyundoc.com",
    "DomainId": "www.aliyundoc.com-waf"
  }
}

Error codes

HTTP status code	Error code	Error message	Description
400	Waf.Pullin.ResourceExsit	Access resource already exists, resource:%s.	Access resource already exists, existing resource:%s.
400	Waf.Pullin.BusinessViolation	The web services are suspected of violating regulations. If you have any questions, please submit a work order. Violating resource: %s.
400	Waf.Pullin.Http2OriginMustOnHttp2Enable	When HTTP2 origin is enabled, HTTP2 listening must be enabled.	When HTTP2 back-to-source is enabled, HTTP2 listening must be enabled.
400	Waf.Pullin.Http2OriginMustOnKeepaliveEnable	When the HTTP2 origin is turned on, the keepalive must be turned on.	When the HTTP2 origin is turned on, the keepalive must be turned on.
400	Waf.Pullin.Http2OriginEnabledFocusHttpBackendForbidden	When HTTP2 origin is enabled, HTTP origin cannot be enabled.	When HTTP2 origin is enabled, HTTP origin cannot be enabled.
400	Waf.Pullin.BatchDnsScheduleCheckFailed	Batch dns scheduling is in progress, and access related operations are prohibited.	batch dns scheduling is in progress, and access-related operations are prohibited.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.