Web Application Firewall:Enable WAF protection for a custom domain name bound to a web application in Function Compute

Background information

Function Compute is an event-driven computing service that uses a serverless architecture. Function Compute allows you to write and upload code without the need to manage infrastructure resources. You can use Function Compute to create applications and services in an efficient manner. For more information, see What is Function Compute?

The protection capabilities of WAF are integrated into Function Compute as an SDK module. You can enable WAF protection for a custom domain name that is bound to a web application in Function Compute. WAF identifies and filters out malicious web traffic, and then forwards normal traffic to the backend function.

Limits

Web services that use one of the following Alibaba Cloud services can be added to WAF in cloud native mode: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Classic Load Balancer (CLB), Elastic Compute Service (ECS), and Network Load Balancer (NLB).. If you want to use WAF to protect web services that do not use the preceding Alibaba Cloud services, add the domain names of the web services to WAF in CNAME record mode. For more information, see Add a domain name to WAF.

• Before you enable WAF protection for a custom domain name, make sure that Function Compute resides in one of the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), and China (Shenzhen).

• After you enable WAF protection for a custom domain name, you cannot enable the following protection modules for the protected object that is automatically generated for the domain name: website tamper-proofing, data leakage prevention, bot management, and API security.

Prerequisites

• A WAF 3.0 instance that resides in the Chinese Mainland is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

• If you use a subscription WAF instance, make sure that the number of protected objects that you added to WAF does not exceed the upper limit. If the number exceeds the upper limit, you can no longer add cloud service instances to WAF.

  To view the number of protected objects that you can add to WAF, go to the Protected Objects page.

Procedure

You can enable WAF protection when or after you add a custom domain name for a web application in Function Compute.

1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You must select Chinese Mainland.

2. In the left-side navigation pane, click Website Configuration.

3. Click the Cloud Native tab. In the left-side cloud service list, click FC.

4. On the authorization page, click Authorize Now to authorize your WAF instance to access the required cloud service.

   Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose Identities > Roles in the left-side navigation pane.

   Note

   If the authorization is complete, the authorization page is not displayed. You can proceed to the next step.

5. Click Add. You are navigated to the Function Compute console.

6. On the Custom Domains page, enable WAF protection for your custom domain name.

   • Add a custom domain name and enable WAF protection for the domain name

     1. In the top navigation bar, select China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), or China (Shenzhen) from the region drop-down list. Then, click Add Custom Domain Name.

     2. On the Add Custom Domain Name page, configure the parameters and click Create. The following table describes the parameters.

        Parameter	Description
        Domain Name	Enter a custom domain name for which an ICP filing has been obtained in the Alibaba Cloud ICP Filing system or the custom domain name whose ICP filing information includes Alibaba Cloud as a service provider. You can enter a specific domain name such as www.aliyun.com or a wildcard domain name such as *.aliyun.com.
        HTTPS	Select Enable or Disable to allow or disallow the custom domain name to be accessed over HTTPS. Valid values: Enable: allows the custom domain name to be accessed over HTTPS. If you select Enable, you can access the custom domain name over HTTP or HTTPS. Note You can also select the Redirects HTTP Requests to HTTPS check box to allow only HTTPS requests. Function Compute redirects requests that are accessed over HTTP to HTTPS. Disable: disallows the custom domain name to be accessed over HTTPS. If you select Disable, you can access the custom domain name only over HTTP.
        Certificate Type	Select the type of certificate that you want to upload. This parameter is required only if you select Enable for the HTTPS parameter. Valid values: Alibaba Cloud SSL Certificate: Select an Alibaba Cloud Secure Sockets Layer (SSL) certificate from the Certificate Name drop-down list. If no values are available in the Certificate Name drop-down list, you do not have an Alibaba Cloud SSL certificate. In this case, log on to the Certificate Management Service console to purchase an SSL certificate. Manual Upload: Manually configure the Certificate Name, PEM Certificate Content, and PEM Certificate Key parameters. Note The certificate that you want to upload cannot exceed 20 KB in size. The certificate key cannot exceed 4 KB in size.
        TLS Version	Select the transport layer security (TLS) protocol version that the function uses from the drop-down list. Note After you select a TLS version, you can also select Enable Support for TLS1.3. This way, TLS 1.3 is supported.
        Cipher Suite	Select TLS cipher algorithm suites. If you leave this parameter empty, all cipher suites are selected. Valid values: All Cipher Suites (High Compatibility and Low Security): All cipher suites. For the list of cipher suites supported by Function Compute, see Strong and weak cipher suites. Custom Cipher Suite (Select Based on Protocol Version. Proceed with Caution): Select cipher suites based on your business requirements. All cipher suites are displayed in the drop-down list. You can click the icon to the right of a cipher suite to deselect the cipher suite. This way, you can delete weak cipher suites and retain only the cipher suites that are supported by the TLS versions that you specify. Important Select custom cipher suites with caution. Ensure that the cipher suites that are used by clients match the cipher suites that are used by servers. For more information about the mapping between TLS versions and supported cipher suites, see Mappings between TLS versions and cipher suites. Function Compute names cipher suites based on the RFC naming convention. Names of cipher suites vary based on the naming convention. For more information about the differences between RFC and OpenSSL cipher suites, see Mappings between names of RFC cipher suites and OpenSSL cipher suites.
        CDN Acceleration	Specify whether to enable CDN acceleration for the custom domain name. If you enable CDN acceleration for the custom domain name, end users can use the CDN-accelerated domain name to read the content with high efficiency. Valid values: Enable: enables CDN acceleration. If you set the CDN Acceleration parameter to Enable, you must enter an accelerated domain name in the CDN-Accelerated Domain Name field. Then, log on to the CDN console and configure a CNAME record for the accelerated domain name. For more information, see (Optional) Step 4: Enable CDN acceleration. Disable: disables CDN acceleration.
        Web Application Firewall (WAF)	Specify whether to enable WAF for the custom domain name. This feature identifies malicious traffic in functions and applications, scrubs and filters out malicious traffic, and returns normal traffic to backend functions to protect your functions against malicious intrusions. For more information, see Enable WAF protection. Valid values: Enable Disable
        Route	Configure the mapping between paths and functions. This way, requests from different paths can trigger different functions. You must configure the following fields: Path: the request path from which the specified function in the specified service can be triggered. Service Name: the name of the service to which the function that is triggered by a request from a specified path belongs. Function Name: the name of the function that is triggered by a request from the specified path. Version or Alias: the version or alias of the service to which the function that is triggered by a request from the specified path belongs. Rewrite Policy: the rule based on which the Uniform Resource Identifier (URI) of a request in a specified path is rewritten. For more information, see Procedure. You can configure multiple routes based on your business requirements. For more information, see Routing rules.

   • Enable WAF protection for an existing custom domain name

     1. In the top navigation bar, select the required region. Then, find the custom domain name for which you want to enable WAF protection and click Modify in the Actions column.

     2. On the Modify Custom Domain Name page, set the Web Application Firewall (WAF) parameter to Enable and click Save.

   After you add a custom domain name to WAF, the custom domain name becomes a protected object of WAF. The protected object is named in the following format: Domain name-fc. WAF automatically enables the protection rules of the basic protection rule module for the protected object. You can also manually configure protection rules for the protected object on the Protected Objects page. To go to the Protected Objects page, click the custom domain name that you added to WAF on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.

   

References

• Configure a custom domain name

• Enable WAF