All Products
Search
Document Center

Web Application Firewall:Add a domain name to WAF in CNAME record mode

Last Updated:Dec 02, 2024

To use Web Application Firewall (WAF) to protect a website, you must add the domain name of the website to WAF. This topic describes how to add a domain name to WAF in CNAME record mode and check whether the domain name is successfully added to WAF.

How WAF protection works

After you add the domain name of a website to WAF in CNAME record mode, all the website traffic is redirected to WAF for inspection. WAF filters out malicious traffic and forwards normal traffic to the origin server. This ensures the service and data security of the website. In this case, WAF inspects and forwards traffic as a reverse proxy cluster.

image

Prerequisites

  • A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

  • If the domain name of your website is hosted on a server in the Chinese Mainland, make sure that an ICP filing is complete for the domain name and the ICP filing information is valid when your website is protected by WAF.

    Note

    WAF instances that are deployed in the Chinese Mainland region regularly check whether the ICP filing information of your domain names is valid. If the ICP filing information of a domain name becomes invalid, WAF manages the domain name based on relevant laws and regulations. For example, WAF may stop forwarding requests for the domain name or delete the configurations of the domain name.

    • If your website is hosted on Alibaba Cloud, you can apply for an ICP filing for your domain name by using the Alibaba Cloud ICP Filing system. For more information, see Scenarios.

    • If your website is not deployed on Alibaba Cloud, you can contact Alibaba Cloud or another cloud service provider to apply for an ICP filing.

Procedure

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, click Website Configuration.

  3. On the CNAME Record tab, click Add.

  4. In the Configure Listener step, configure the parameters and click Next. The following table describes the parameters.

    Parameter

    Description

    Domain Name

    Enter the domain name that you want to protect. You can enter an exact-match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. You can enter only one domain name.

    The first time you add a domain name to WAF, you must verify your ownership of the domain name. You can add the domain name to WAF only after your ownership passes the verification. For more information, see Verify the ownership of a domain name.

    Note
    • You can use a wildcard domain name to cover all subdomains that are at the same level as the wildcard domain name. For example, *.aliyundoc.com can cover www.aliyundoc.com and example.aliyundoc.com but *.aliyundoc.com cannot cover www.example.aliyundoc.com.

    • A second-level wildcard domain name can cover its second-level parent domain name. For example, *.aliyundoc.com can cover aliyundoc.com.

    • A third-level wildcard domain name cannot cover its third-level parent domain name. For example, *.example.aliyundoc.com cannot cover example.aliyundoc.com.

    • If you add an exact-match domain name and a wildcard domain name that covers the exact-match domain name, the protection rules that are configured for the exact-match domain name take precedence.

    Protocol Type

    Select the protocol type and ports that are used by the website. Press the Enter key each time you enter a port number.

    Note

    The port number that you enter must be supported by WAF. To view the HTTP and HTTPS ports that are supported by WAF, click View Port Range. For more information, see View supported ports.

    • If you select HTTPS, configure the HTTPSUpload Type parameter to specify the method that you want to use to upload an SSL certificate. Then, upload the SSL certificate bound to the domain name to WAF. This way, WAF can monitor the HTTPS traffic of the website.

      Specify the method that you want to use to upload an SSL certificate.

      Note

      WAF (version_share_vm) does not support HTTPS.

      Manual Upload

      Select Manual Upload and configure the Certificate Name, Certificate File, and Private Key parameters. The value of the Certificate File parameter must be in the -----BEGIN CERTIFICATE-----......-----END CERTIFICATE----- format, and the value of the Private Key parameter must be in the -----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY----- format.

      Important
      • If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the file and copy the text content. If the certificate file is in a format other than the preceding formats, such as PFX or P7B, you must convert the file into the PEM format and use a text editor to open the file and copy the text content. You can log on to the Certificate Management Service console and use the provided tool to convert the file format. For more information, see Convert the format of a certificate.

      • If a domain name is bound to multiple SSL certificates or a certificate chain, you must combine the text content of the certificate files and upload the combined content to WAF.

      Select Existing Certificate

      If your certificate meets one of the following conditions, you can select the certificate that you want to upload to WAF from the certificate list:

      • The certificate is issued by Alibaba Cloud Certificate Management Service (Original SSL Certificate).

      • The certificate is a third-party certificate that is uploaded to Certificate Management Service.

      • Important

        If you select a third-party certificate that is uploaded to Certificate Management Service and the Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected. error message appears, click Alibaba Cloud Security - Certificate Management Service and re-upload the certificate in the Certificate Management Service console. For more information, see Upload and share an SSL certificate.

      Purchase Certificate

      Select Purchase Certificate and click Apply. In the Certificate Management Service console, apply for a certificate for the domain name.

      Note
      • You can apply for only a paid domain validated (DV) certificate. If you want to apply for a different type of certificate, you must purchase a certificate from Certificate Management Service. For more information, see Purchase SSL certificates.

      • After you configure a certificate for your domain name in the Certificate Management Service console, the certificate is automatically uploaded to WAF.

    • If you select HTTPS and upload a certificate, you can perform the following operations based on your business requirements:

      • If your website supports HTTP/2, select HTTP2 to protect HTTP/2 requests.

        Note

        The HTTP/2 ports are the same as the HTTPS ports.

      • Advanced Settings

        • Enable HTTPS Routing

          By default, this feature is disabled. If you enable this feature, HTTP requests are automatically redirected to HTTPS requests on port 443. This feature improves security. After this feature is enabled, HTTP Strict Transport Security (HSTS) is enabled by default and the Strict-Transport-Security header is included in responses to ensure that your website can be accessed only by using HTTPS.

          Important

          You can enable this feature only if you do not select HTTP.

        • TLS Version

          Specify the versions of the Transport Layer Security (TLS) protocol that are supported for HTTPS communication. If a client uses an unsupported TLS version, WAF blocks requests that are sent from the client. Later versions of the TLS protocol provide higher security but lower compatibility.

          We recommend that you specify the TLS versions based on the HTTPS settings of your website. If you cannot obtain the HTTPS settings of your website, we recommend that you use the default value.

          Valid values:

          • TLS 1.0 and Later (Best Compatibility and Low Security) (default)

          • TLS 1.1 and Later (High Compatibility and High Security)

            If you select this value, a client that uses TLS 1.0 cannot access your website.

          • TLS 1.2 and Later (High Compatibility and Best Security)

            If you select this value, a client that uses TLS 1.0 or 1.1 cannot access your website.

          If your website supports TLS 1.3, select Support TLS 1.3. By default, WAF does not listen for requests that are sent by using TLS 1.3.

        • HTTPSCipher Suite

          Specify the cipher suites that are supported for HTTPS communication. If a client uses cipher suites that are not supported, WAF blocks the requests from the client.

          Default value: All Cipher Suites (High Compatibility and Low Security). We recommend that you set this parameter to a different value only if your website supports only specific cipher suites.

          Valid values:

          • All Cipher Suites (High Compatibility and Low Security): The following strong cipher suites and weak cipher suites are supported.

            • Strong cipher suites

              • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

              • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

              • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

              • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

              • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

              • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

              • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

              • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

              • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

              • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

              Note

              TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: The two cipher suites may be classified into weak cipher suites by specific security detection tools because the two cipher suites use the RSA encryption algorithm and the AES-CBC encryption mode and offer lower security than the cipher suites that use the ECDSA encryption algorithm or the AES-GCM encryption mode.

            • Weak cipher suites

              • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

              • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

              • TLS_RSA_WITH_AES_128_GCM_SHA256

              • TLS_RSA_WITH_AES_256_GCM_SHA384

              • TLS_RSA_WITH_AES_128_CBC_SHA256

              • TLS_RSA_WITH_AES_256_CBC_SHA256

              • TLS_RSA_WITH_AES_128_CBC_SHA

              • TLS_RSA_WITH_AES_256_CBC_SHA

              • SSL_RSA_WITH_3DES_EDE_CBC_SHA

          • Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.): If your website supports only specific cipher suites, we recommend that you select this value and then select the cipher suites that are supported by your website. For more information, see View supported cipher suites.

            Clients that use other cipher suites cannot access your website.

    Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF

    Specify whether a Layer 7 proxy, such as Anti-DDoS Proxy or Alibaba Cloud CDN, is deployed in front of WAF. Valid values:

    • No (default): No Layer 7 proxy is deployed in front of WAF.

      WAF receives requests from clients. The requests are not forwarded by a proxy. WAF uses the IP address that is used by a client to establish a connection to WAF as the IP address of the client. WAF obtains the IP address based on the value of the REMOTE_ADDR field.

    • Yes: A Layer 7 proxy is deployed in front of WAF.

      WAF receives requests from a Layer 7 proxy. To ensure that WAF can obtain the actual IP address of a client for security analysis, you must configure the Obtain Actual IP Address of Client parameter.

      Valid values:

      • Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client (default)

        By default, WAF uses the first IP address in the X-Forwarded-For field as the originating IP address of a client.

      • [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery

        If you use a proxy that contains the originating IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, enter the custom header field in the Header Field field.

        Note

        We recommend that you use custom header fields to store the originating IP addresses of clients and specify the header fields in WAF. This way, attackers cannot forge the X-Forwarded-For field to bypass WAF inspection. This improves the security of your business.

        You can enter multiple header fields. Press the Enter key each time you enter a header field. If you enter multiple header fields, WAF scans the header fields in sequence until it obtains the IP address of the client. If WAF cannot obtain the IP address of a client from the header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.

    More Settings

    • IPv6

      By default, WAF processes only IPv4 traffic. If your website supports IPv6, you can turn on IPv6 to enable WAF protection for IPv6 traffic. After you turn on IPv6, WAF assigns a WAF IP address to the domain name to process IPv6 traffic. This feature is available only for pay-as-you-go WAF instances and subscription WAF instances of the Enterprise and Ultimate editions in the Chinese Mainland.

    • Exclusive IP Address

      By default, all domain names that are added to WAF are protected by using the same WAF IP address. If you turn on Exclusive IP Address, WAF assigns an exclusive IP address to monitor the requests of your domain name. A domain name that is protected by using an exclusive IP address can be accessed even if volumetric DDoS attacks occur on other domain names. For more information, see Exclusive IP addresses.

      If you want to use an exclusive IP address to protect your domain name, you can turn on Exclusive IP Address.

      Important
      • You can turn on Exclusive IP Address for subscription WAF instances of the Pro, Enterprise, and Ultimate editions. You are charged for this feature.

      • If you use a pay-as-you-go WAF instance, you are charged based on the number of exclusive IP addresses that you use. For more information, see Billing overview.

    • Protection Resource

      Select the type of protection resources that you want to use. Valid values:

      • Shared Cluster (default)

      • Shared Cluster-based Intelligent Load Balancing

        After you enable shared cluster-based intelligent load balancing for a WAF instance, at least three protection nodes that are deployed in different regions are allocated to the WAF instance to support automatic disaster recovery. The WAF instance uses the intelligent Domain Name System (DNS) resolution capability and the least-time back-to-origin algorithm to minimize the latency of traffic that is sent from protection nodes to origin servers. For more information, see Use the intelligent load balancing feature.

        Important
        • You can enable Shared Cluster-based Intelligent Load Balancing for subscription WAF instances of the Pro, Enterprise, and Ultimate editions. You are charged for this feature. To enable Shared Cluster-based Intelligent Load Balancing, click Upgrade Now in the Protected Assets section of the Overview page and set the Intelligent Load Balancing parameter to Enable. For more information, see Upgrade or downgrade a WAF instance.

        • If you use a pay-as-you-go WAF instance, you are charged based on whether you enable Shared Cluster-based Intelligent Load Balancing. For more information, see Billing overview.

        • After you enable Shared Cluster-based Intelligent Load Balancing, you cannot turn on IPv6 or Exclusive IP Address.

    Resource Group

    Select the resource group to which you want to add the domain name from the drop-down list. If you do not select a resource group, the domain name is added to the default resource group.

    Note

    You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.

  5. In the Configure Forwarding Rule step, configure the parameters and click Submit. The following table describes the parameters.

    Parameter

    Description

    Load Balancing Algorithm

    If you specify multiple origin server addresses, select the Load Balancing Algorithm that you want WAF to use to forward back-to-origin requests to the origin servers. Valid values:

    • IP hash (default)

      Requests that are sent from a specific IP address are forwarded to the same origin server.

    • Round-robin

      Requests are distributed to origin servers in turn.

    • Least time

      WAF uses the intelligent DNS resolution capability and the least-time back-to-origin algorithm to minimize the path and latency when requests are forwarded to origin servers.

      Important

      You can set the Load Balancing Algorithm parameter to Least time only if you set the Protection Resource parameter to Shared Cluster-based Intelligent Load Balancing in the Configure Listener step. For more information, see the description of the Protection Resource parameter in this topic.

    Origin Server Address

    Specify the public IP address or domain name of the origin server. The IP address or domain name is used to receive the back-to-origin requests that are forwarded by WAF. Valid values:

    • IP

      • Make sure that the IP address can be accessed over the Internet.

      • You can enter up to 20 IP addresses. Press the Enter key each time you enter an IP address.

        Note

        If you enter multiple IP addresses, WAF distributes workloads across the IP addresses to achieve load balancing.

      • You can enter both IPv4 and IPv6 addresses, only IPv4 addresses, or only IPv6 addresses.

        If you enter both IPv4 and IPv6 addresses, WAF forwards requests from IPv4 addresses to origin servers that use IPv4 addresses and requests from IPv6 addresses to origin servers that use IPv6 addresses.

        Important

        If you want to enter IPv6 addresses, turn on IPv6 in the Configure Listener step. For more information, see the description of the IPv6 parameter in this topic.

      Important

      If the public IP address of the origin server changes, you need to manually add the new back-to-origin IP address.

    • Domain Name (Such as CNAME)

      If you set the Origin Server Address parameter to Domain Name (Such as CNAME), the domain name that you enter can be resolved only to an IPv4 address and WAF forwards back-to-origin requests to the IPv4 address.

    Standby Link Back-to-origin

    If the primary address of the origin server is unreachable, the system automatically switches to the secondary address, which requires up to 30 seconds to take effect. After the primary address is restored, the system automatically switches back to it.

    • IP

      • Make sure that the IP address can be accessed over the Internet.

      • You can enter up to 20 IP addresses. Press the Enter key each time you enter an IP address.

        Note

        If you enter multiple IP addresses, WAF distributes workloads across the IP addresses to achieve load balancing.

      • You can enter both IPv4 and IPv6 addresses, only IPv4 addresses, or only IPv6 addresses.

        If you enter both IPv4 and IPv6 addresses, WAF forwards requests from IPv4 addresses to origin servers that use IPv4 addresses and requests from IPv6 addresses to origin servers that use IPv6 addresses.

        Important

        If you want to enter IPv6 addresses, turn on IPv6 in the Configure Listener step. For more information, see the description of the IPv6 parameter in this topic.

      Important

      If the public IP address of the origin server changes, you need to manually add the new back-to-origin IP address.

    • Domain Name (Such as CNAME)

      If you set the Origin Server Address parameter to Domain Name (Such as CNAME), the domain name that you enter can be resolved only to an IPv4 address and WAF forwards back-to-origin requests to the IPv4 address.

    Advanced HTTPS Settings

    • Enable HTTP Routing

      If you turn on Enable HTTP Routing, WAF forwards requests over HTTP. The default port is 80. After you turn on Enable HTTP Routing, WAF forwards requests to the origin server on port 80, regardless of whether the client accesses WAF on port 80 or port 443. All requests can be forwarded to the origin server over HTTP, and you do not need to modify the settings of the origin server. This reduces the impact of traffic on the performance of the website.

      Important

      If your website does not support HTTPS, turn on Enable HTTP Routing.

    • Origin SNI

      Specify the domain name to which an HTTPS connection must be established at the start of the Transport Layer Security (TLS) handshake process when WAF forwards requests to the origin server. If the origin server hosts multiple domain names, you must select Origin SNI.

      After you select Origin SNI, you can configure a Server Name Indication (SNI) field. Valid values:

      • Use Domain Name in Host Header (default)

        The value of the SNI field in WAF back-to-origin requests is the same as the value of the Host header field.

        For example, if the domain name that you configure is *.aliyundoc.com and the client requests the www.aliyundoc.com domain name in the Host header field, the value of the SNI field in WAF back-to-origin requests is www.aliyundoc.com.

      • Custom

        You can enter a custom value for the SNI field in WAF back-to-origin requests.

        In most cases, you do not need to specify a custom value for the SNI field. However, if you want WAF to use an SNI field whose value is different from the value of the Host header field in back-to-origin requests, you can specify a custom value for the SNI field.

    Other Advanced Settings

    • Obtain the listening protocol of WAF by using the X-Forwarded-Proto header field

      The X-Forwarded-Proto header field is automatically added to HTTP requests. The X-Forwarded-Proto header field is used to identify the original protocol used by the client. If your website cannot correctly handle the X-Forwarded-Proto header field, compatibility issues may occur and your business may be affected. To prevent such issues, clear Obtain the listening protocol of WAF by using the X-Forwarded-Proto header field.

    • Enable Traffic Mark

      If you select Enable Traffic Mark, requests that pass through WAF are marked. This helps origin servers obtain the originating IP addresses or ports of clients.

      If an attacker obtains information about your origin server before you add your domain name to WAF and uses another WAF instance to forward requests to the origin server, you can select Enable Traffic Mark to intercept malicious traffic. The origin server checks whether the requests passed through WAF. If the specified header fields exist in a request, the request passed through WAF and is allowed. If the specified header fields do not exist in a request, the request did not pass through WAF and is blocked.

      You can configure the following types of header fields:

      • Custom Header

        If you want to add a custom header field, you must configure the Header Name and Header Value parameters. WAF adds the header field to the back-to-origin requests. This allows the origin server to check whether requests passed through WAF, collect statistics, and analyze data.

        For example, you can add the ALIWAF-TAG: Yes custom header field to mark the requests that pass through WAF. In this example, the name of the header field is ALIWAF-TAG and the value of the header field is Yes.

      • Originating IP Address

        You can specify a header field that records the originating IP addresses of clients. This way, your origin server can obtain the originating IP addresses of clients. For more information about how WAF obtains the originating IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter in this topic.

      • Source Port

        You can specify a header field that records the originating ports of clients. This way, your origin server can obtain the ports of clients.

      Important

      We recommend that you do not configure a standard HTTP header field, such as User-Agent. Otherwise, the original value of the standard header field is overwritten by the value of the custom header field.

      You can click Add Mark to add a header field. You can specify up to five header fields.

    • Specify the timeout periods for back-to-origin requests

      • Connection Timeout Period: the maximum amount of time that WAF can wait to connect to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 5.

      • Read Connection Timeout Period: the maximum amount of time that WAF can wait to receive a response from the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120.

      • Write Connection Timeout Period: the maximum amount of time that WAF can wait to forward a request to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120.

    • Retry Back-to-origin Requests

      After you turn on Retry Back-to-origin Requests, WAF retries up to three times when it fails to forward requests to the origin server. If you do not turn on Retry Back-to-origin Requests, WAF does not retry forwarding requests if it fails the first time.

    • Back-to-origin Keep-alive Requests

      If you turn on Back-to-origin Keep-alive Requests, you must configure the following parameters:

      • Reused Keep-alive Requests: the number of reused keep-alive requests. Valid values: 60 to 1000. Default value: 1000.

      • Timeout Period of Idle Keep-alive Requests: the timeout period for idle keep-alive requests. Valid values: 1 to 60. Unit: seconds. Default value: 15.

      Note

      If you turn off Back-to-origin Keep-alive Requests, back-to-origin keep-alive requests do not support WebSocket.

  6. In the Add Completed step, obtain the CNAME assigned to the domain name. Modify the DNS record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

    Important

    Before you modify the DNS record, make sure that the following conditions are met:

    • The forwarding configurations for your website are correct and have taken effect. If you modify the DNS record before the forwarding configurations for your website take effect, service interruptions may occur. For more information, see Verify domain name settings.

    • The back-to-origin CIDR blocks of WAF are added to the IP address whitelist of the third-party firewall used by the origin server on which the domain name is hosted. This prevents normal requests that are forwarded by WAF from being blocked. On the CNAME Record tab, you can click Back-to-origin CIDR Blocks above the domain name list to view and copy the back-to-origin CIDR blocks of WAF. For more information, see Allow access from back-to-origin CIDR blocks of WAF.

    复制CNAME

    After you complete the preceding configurations, you can perform the following operations to check whether the domain name is protected by WAF:

    • Enter the domain name in your browser. If you can access the website, the domain name is protected by WAF.

    • Enter the domain name and malicious code such as <Protected domain name>/alert(xss) and alert(xss). If a 405 error page appears, the attack is blocked and the domain name is protected by WAF.

    Important

    If you add a domain name to WAF in CNAME record mode, WAF checks whether ICP filing is complete for the domain name and whether the ICP filing information is valid on a regular basis. If the ICP filing information of the domain name becomes invalid, WAF stops forwarding requests for the domain name.

    If the ICP filing information of a domain name that is added to WAF becomes invalid, you must re-apply for an ICP filing for the domain name. After the application is successful, you can go to the CNAME Record tab of the Website Configuration page and click Add Again in the Actions column to re-add the domain name to WAF.

More operations

View the DNS resolution status of a domain name

WAF checks the DNS resolution status of protected domain names and identifies domain names whose DNS records are abnormal. You can view the DNS resolution status of the domain names that you added to WAF in the domain name list and modify the DNS records based on the error messages that are displayed in the WAF console.

DNS状态

DNS Verification Status

Description

Operation

The DNS resolution is normal.

The domain name is pointed to the CNAME that is provided by WAF.

None.

The DNS resolution is abnormal. An A record is used.

An A record is used and service interruptions may occur.

Delete the A record and add a CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

The DNS resolution is abnormal. An invalid IP address of your WAF instance is used.

An A record is used and the domain name is pointed to an invalid WAF IP address. Service interruptions may occur.

Delete the A record and add a CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

The DNS resolution is abnormal. An invalid CNAME is used.

A CNAME record is used and the domain name is pointed to an invalid CNAME. Service interruptions may occur.

Modify the CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

The issue of unknown DNS resolution occurs. A proxy is deployed.

A Layer 7 proxy is used in front of WAF and the back-to-origin address is not the CNAME that is provided by WAF.

Check whether the back-to-origin address is the CNAME that is provided by WAF.

The verification timed out.

None.

Click the update icon to recheck the DNS resolution status.

No DNS resolution records are found. No DNS records are configured.

No DNS records are configured for the domain name. A CNAME record must be added to point the domain name to the CNAME that is provided by WAF.

Add a CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

Failed to point to WAF. No DNS records are configured.

The domain name is not pointed to the CNAME provided by WAF. A CNAME record must be added to point the domain name to the CNAME that is provided by WAF.

Modify the CNAME record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

Add tags to or remove tags from domain names

You can add tags to domain names that are added to WAF and search for specific domain names by tag.

  • Add tags to or remove tags from a domain name

    1. Find the domain name whose tags you want to manage and move the pointer over the 编辑 icon in the Tag column. If no tags are added to the domain name, click Add. If a tag is added to the domain name, click Edit.

    2. In the Edit Tag dialog box, configure the Tag Key and Tag Value parameters.

      Note
      • You can add up to 20 tag keys below the Tag Key parameter and leave the Tag Value parameter empty.

      • When you specify a value for the Tag Key or Tag Value parameter, make sure that the value is 1 to 128 characters in length, does not contain http:// or https://, and does not start with acs: or aliyun.

      • You can add tags on the Website Configuration page when you add domain names to WAF or on the Protected Objects page when you configure protection rules for protected objects. The latest tag settings are synchronized between the two pages. The tags that are added to a domain name are automatically added to the domain name-related protected object.

      After you add tags to the domain name, you can select the tags from the Select Label drop-down list to search for the domain name.

    3. Optional. If you no longer need a tag, find the domain name, open the Edit Tag dialog box, and then click the 删除 icon to the right of the tag. Then, the tag is removed from the domain name.

  • Add tags to or remove tags from multiple domain names at a time

    Select the domain names whose tags you want to manage and click Add Tag or Remove Tag below the domain name list.

Modify or remove a domain name that is added to WAF

Warning

Before you remove a domain name, you must change the DNS record configuration back to the original configuration. For example, you can modify the DNS record to resolve the domain name to the IP address of the origin server. If you do not change the DNS record configuration, WAF cannot forward the requests that are sent to the domain name to the origin server and your website cannot be accessed.

Find the domain name that you want to manage and click Edit or Delete in the Actions column.

Configure default SSL or TLS settings

If you add multiple domain names to the same WAF instance, a shared WAF virtual IP address (VIP) is used to monitor the traffic of the domain names.

To meet the security compliance and compatibility requirements of HTTPS in different scenarios, WAF allows you to configure SSL or TLS settings for IPv4 VIPs. Before you perform compliance scan and detection, you can upload an HTTPS certificate for the VIP and disable or enable specific TLS protocol versions and cipher suites.

Note

If you purchase and enable an exclusive IP address, the configuration takes effect for the exclusive IP address. For more information about exclusive IP addresses, see Exclusive IP addresses.

  1. Click Default SSL/TLS Settings above the domain name list.image.png

  2. In the Default SSL/TLS Settings dialog box, configure the parameters and click OK. The following table describes the parameters.

    Parameter

    Description

    HTTPSUpload Type

    Specify the method used to upload the SSL certificate. For more information, see the HTTPSUpload Type parameter in this topic.

    TLS Version

    Specify the TLS protocol versions that are supported for HTTPS communication. Valid values:

    • TLS 1.0 and Later (Best Compatibility and Low Security) (default)

    • TLS 1.1 and Later (High Compatibility and High Security)

    • TLS 1.2 and Later (High Compatibility and Best Security)

    If you want to enable TLS 1.3, select Support TLS 1.3.

    HTTPSCipher Suite

    Specify the cipher suites that are supported for HTTPS communication. Valid values:

    • All Cipher Suites (High Compatibility and Low Security) (default)

    • Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.)

      For more information about custom cipher suites, see View supported cipher suites.

Update the SSL certificate bound to a domain name

If the SSL certificate that is bound to a domain name is about to expire or the certificate is changed, such as when the certificate is revoked, you must update the certificate.

Note
  • If the remaining validity period of the certificate is less than 30 days, the image.png icon is displayed in the domain name list. This indicates that your certificate is about to expire. In this case, you must update the certificate at the earliest opportunity.

  • If you want to receive notifications by using methods such as email or text message when the certificate is about to expire, you can configure notifications for the certificate. For more information, see Configure notifications for SSL certificates.

  • To prevent service interruptions due to certificate expiration, enable the certificate hosting feature of Certificate Management Service. If you enable this feature for a certificate, the system automatically applies for a new certificate when the hosted certificate is about to expire. For more information, see Introduction to the certificate hosting feature.

To update an SSL certificate that is bound to a domain name, perform the following steps:

  1. Renew the certificate or upload a third-party certificate to Certificate Management Service. For more information, see Certificate renewal or Upload and share an SSL certificate.

  2. Synchronize the certificate to WAF.

    • In the Certificate Management Service console, deploy the certificate to WAF. For more information, see Deploy certificates to Alibaba Cloud services.

    • Upload the certificate in the WAF console.

      1. On the CNAME Record tab of the Website Configuration page, find the domain name whose certificate you want to update and click Edit in the Actions column.

      2. Set the HTTPSUpload Type parameter to Select Existing Certificate and select the new certificate.

What to do next

After you add a domain name to WAF, the domain name is automatically added as a protected object of WAF and the protection rules of the basic protection rule module are automatically enabled for the protected object. The name of the protected object is in the Domain name-waf format. You can view the protected object and configure protection rules for the protected object on the Protection Configuration > Protected Objects page.防护对象

References

  • For more information about protected objects, protection rules, and protection processes, see Protection configuration overview.

  • For more information about how to add a domain name to WAF by calling an API operation, see CreateDomain.

  • For more information about how to query the details of a domain name that is added to WAF in CNAME record mode, see DescribeDomainDetail.