
Resource Orchestration Service:ALIYUN::WAF3::TGW

Last Updated: Apr 21, 2025

ALIYUN::WAF3::TGW is used to add a resource to Web Application Firewall (WAF) in transparent proxy mode.

Syntax

{
  "Type": "ALIYUN::WAF3::TGW",
  "Properties": {
    "InstanceId": String,
    "Listen": Map,
    "ResourceGroupId": String,
    "Redirect": Map,
    "WAFInstanceRegion": String
  }
}

Properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| InstanceId | String | Yes | No | The ID of the WAF instance. | None. |
| Listen | Map | Yes | Yes | The listener configurations. | For more information, see the "Listen properties" section of this topic. |
| ResourceGroupId | String | No | Yes | The ID of the resource group. | None. |
| Redirect | Map | No | Yes | The forwarding configurations. | None. |
| WAFInstanceRegion | String | No | No | The regions in which WAF 3.0 is supported. | Valid values: ChineseMainland: regions inside the Chinese mainland; NonMainland: regions outside the Chinese mainland. |

Listen syntax

"Listen": {
  "CustomCiphers": List,
  "TLSVersion": String,
  "Http2Enabled": Boolean,
  "CipherSuite": Integer,
  "EnableTLSv3": Boolean,
  "Port": Integer,
  "ResourceProduct": String,
  "Certificates": List,
  "Protocol": String,
  "ResourceInstanceId": String
}

Listen properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| Port | Integer | Yes | No | The listening port. | None. |
| Protocol | String | Yes | No | The protocol type. | None. |
| ResourceProduct | String | Yes | No | The cloud service to which the resource belongs. | None. |
| ResourceInstanceId | String | Yes | No | The ID of the resource that you want to add to WAF. | None. |
| CustomCiphers | List | No | Yes | The custom cipher suites. | You can use this property only when CipherSuite is set to 99. You can specify up to five custom cipher suites. |
| CipherSuite | Integer | No | Yes | The type of the cipher suites that you want to add. | Valid values: 1: all cipher suites; 2: strong cipher suites; 99: custom cipher suites. |
| Certificates | List | No | Yes | The domain names that you want to bind to certificates. | You can bind up to 10 certificates. |
| EnableTLSv3 | Boolean | No | Yes | Specifies whether to support Transport Layer Security (TLS) 1.3. | Valid values: true; false. |
| Http2Enabled | Boolean | No | Yes | Specifies whether to enable HTTP/2. | Valid values: true; false. |
| TLSVersion | String | No | Yes | The TLS version. | Valid values: tlsv1; tlsv1.1; tlsv1.2. |

Certificates syntax

"Certificates": [
  {
    "AppliedType": String,
    "CertificateId": String
  }
]

Certificates properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| AppliedType | String | No | Yes | The type of the HTTPS certificate. | Valid values: default: default certificate; extension: additional certificate. |
| CertificateId | String | No | Yes | The ID of the added certificate. | None. |
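
The constraints from the Listen and Certificates tables above can be checked before a template is deployed. The following is an added example, not code from Alibaba Cloud or ROS: `check_listen`, the sample maps and the two "warn" rules (an assumed hardening policy) are this example's own, and the sample values are constructed placeholders.

```python
# Added example: lint a Listen map against the constraints documented above.
REQUIRED = ("Port", "Protocol", "ResourceProduct", "ResourceInstanceId")
TLS_VALUES = ("tlsv1", "tlsv1.1", "tlsv1.2")

def check_listen(listen):
    """Return (severity, message) findings; an empty list means no issue found."""
    out = [("error", f"{k} is required") for k in REQUIRED if k not in listen]
    tls, suite = listen.get("TLSVersion"), listen.get("CipherSuite")
    ciphers = listen.get("CustomCiphers") or []
    certs = listen.get("Certificates") or []
    if tls is not None and tls not in TLS_VALUES:
        out.append(("error", f"TLSVersion {tls!r} is not a valid value"))
    if suite is not None and suite not in (1, 2, 99):
        out.append(("error", f"CipherSuite {suite!r} is not a valid value"))
    if ciphers and suite != 99:
        out.append(("error", "CustomCiphers is only usable with CipherSuite 99"))
    if len(ciphers) > 5:
        out.append(("error", "at most five CustomCiphers are allowed"))
    # Stated in the CipherSuite description of the example template on this page.
    if suite == 2 and tls in ("tlsv1", "tlsv1.1"):
        out.append(("error", "CipherSuite 2 requires TLSVersion tlsv1.2"))
    if len(certs) > 10:
        out.append(("error", "at most 10 Certificates are allowed"))
    for cert in certs:
        if cert.get("AppliedType") not in (None, "default", "extension"):
            out.append(("error", f"AppliedType {cert['AppliedType']!r} is not valid"))
    # Assumed hardening policy (not a constraint from the page):
    if tls in ("tlsv1", "tlsv1.1"):
        out.append(("warn", f"{tls} is deprecated (RFC 8996); use tlsv1.2"))
    if suite == 1:
        out.append(("warn", "CipherSuite 1 enables all suites; prefer 2 or 99"))
    return out

# Constructed sample inputs; IDs and the product name are placeholders.
BASE = {"Port": 443, "Protocol": "https",
        "ResourceProduct": "<resource-product>",
        "ResourceInstanceId": "<resource-instance-id>"}
WEAK = dict(BASE, TLSVersion="tlsv1", CipherSuite=2,
            CustomCiphers=["<cipher-suite-name>"])
HARDENED = dict(BASE, TLSVersion="tlsv1.2", CipherSuite=2, EnableTLSv3=True)

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, check_listen(cfg))
```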

Redirect syntax

"Redirect": {
  "XffHeaders": List,
  "WriteTimeout": Integer,
  "XffHeaderMode": Integer,
  "Keepalive": Boolean,
  "RequestHeaders": List,
  "KeepaliveRequests": Integer,
  "KeepaliveTimeout": Integer,
  "ReadTimeout": Integer,
  "XffProto": Boolean
}

Redirect properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| Keepalive | Boolean | No | Yes | Specifies whether to enable the persistent connection feature. | Valid values: true (default); false. |
| KeepaliveRequests | Integer | No | Yes | The number of reused persistent connections. | Valid values: 60 to 1000. |
| KeepaliveTimeout | Integer | No | Yes | The timeout period for an idle persistent connection. | Valid values: 1 to 60. Default value: 15. Unit: seconds. |
| RequestHeaders | List | No | Yes | The header fields in the key-value format. | You can use this property to label traffic that is processed by WAF. |
| ReadTimeout | Integer | No | Yes | The timeout period for a read connection. | Unit: seconds. Valid values: 1 to 3600. |
| WriteTimeout | Integer | No | Yes | The timeout period for a write connection. | Unit: seconds. Valid values: 1 to 3600. |
| XffHeaders | List | No | Yes | The custom header fields that are used to obtain the actual IP address of a client. | Value format: ["header1", "header2", ...]. You can specify up to 20 custom header fields. |
| XffHeaderMode | Integer | No | Yes | The method that WAF uses to obtain the actual IP address of a client. | Valid values: 0: Traffic from the client is not forwarded by Layer 7 proxies before the traffic reaches WAF; 1: WAF reads the first value of the X-Forwarded-For (XFF) header field as the actual IP address of the client; 2: WAF reads the value of a custom header field as the actual IP address of the client. |
| XffProto | Boolean | No | Yes | Specifies whether to use the X-Forward-For-Proto header to identify the protocol used by WAF to forward requests to the origin server. | Valid values: true (default); false. |

RequestHeaders syntax

"RequestHeaders": [
  {
    "Value": String,
    "Key": String
  }
]

RequestHeaders properties

| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| Key | String | No | Yes | The key of the custom header field. | None. |
| Value | String | No | Yes | The value of the custom header field. | None. |
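
The value ranges and the three XffHeaderMode settings from the Redirect properties table can be checked the same way. The following is an added example, not code from Alibaba Cloud or ROS: `check_redirect`, the sample maps, the pairing rules between XffHeaderMode and XffHeaders, and the mode 1 review note are assumptions of this example.

```python
# Added example: lint a Redirect map against the ranges and XFF modes above.
RANGES = {  # inclusive ranges from the Redirect properties table
    "KeepaliveRequests": (60, 1000),
    "KeepaliveTimeout": (1, 60),    # seconds
    "ReadTimeout": (1, 3600),       # seconds
    "WriteTimeout": (1, 3600),      # seconds
}

def check_redirect(redirect):
    """Return (severity, message) findings for a Redirect map."""
    out = []
    for key, (lo, hi) in RANGES.items():
        val = redirect.get(key)
        if val is None:
            continue
        if isinstance(val, bool) or not isinstance(val, int) or not lo <= val <= hi:
            out.append(("error", f"{key} must be an integer from {lo} to {hi}"))
    mode = redirect.get("XffHeaderMode")
    xff = redirect.get("XffHeaders") or []
    if mode is not None and mode not in (0, 1, 2):
        out.append(("error", f"XffHeaderMode {mode!r} is not a valid value"))
    if len(xff) > 20:
        out.append(("error", "at most 20 XffHeaders are allowed"))
    # Assumptions of this example: mode 2 needs a header to read, and a
    # header list has no effect in the other modes.
    if mode == 2 and not xff:
        out.append(("error", "XffHeaderMode 2 needs at least one XffHeaders entry"))
    if xff and mode != 2:
        out.append(("warn", "XffHeaders is set but XffHeaderMode is not 2"))
    # Review note (policy, not a page constraint): X-Forwarded-For arrives with
    # the request, so mode 1 is only sound behind a Layer 7 proxy that sets it.
    if mode == 1:
        out.append(("warn", "mode 1: confirm a trusted Layer 7 proxy sets XFF"))
    return out

# Constructed sample inputs; the header name is a placeholder.
BAD = {"KeepaliveRequests": 10, "ReadTimeout": 7200, "XffHeaderMode": 2}
GOOD = {"Keepalive": True, "KeepaliveRequests": 1000, "KeepaliveTimeout": 15,
        "ReadTimeout": 120, "WriteTimeout": 120,
        "XffHeaderMode": 2, "XffHeaders": ["<custom-client-ip-header>"]}

if __name__ == "__main__":
    for name, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check_redirect(cfg))
```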

Return values

Fn::GetAtt

  • InstanceId: the ID of the WAF instance.

  • Port: the port of the cloud service to which the resource belongs.

  • ResourceProduct: the cloud service to which the resource belongs.

  • TgwId: the ID of the resource that is added to WAF in transparent proxy mode.

Examples

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  InstanceId:
    Type: String
    Description:
      en: The ID of the WAF instance.
    Required: true
  Listen:
    AssociationPropertyMetadata:
      Parameters:
        CustomCiphers:
          Type: Json
          Description:
            en: Customize the encryption suite list. This parameter is used only when CipherSuite is set to 99.
          Required: false
          MinLength: 0
          MaxLength: 5
        TLSVersion:
          Type: String
          Description:
            en: |-
              The TLS version to be added. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:
              tlsv1
              tlsv1.1
              tlsv1.2
          AllowedValues:
            - tlsv1
            - tlsv1.1
            - tlsv1.2
          Required: false
        Http2Enabled:
          Type: Boolean
          Description:
            en: |-
              Whether to enable HTTP2. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:
              true: Enable HTTP2.
              false (default): Disable HTTP2.
          Required: false
        CipherSuite:
          Type: Number
          Description:
            en: |-
              The type of encryption suite to be added. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:
              1: Indicates adding all encryption suites.
              2: Indicates adding a strong encryption suite. This value can be selected only when the value of TLSVersion is tlsv1.2.
              99: Indicates adding a custom encryption suite.
          Required: false
        EnableTLSv3:
          Type: Boolean
          Description:
            en: |-
              Whether to support TLS 1.3. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Value:
              true: indicates that TLS 1.3 is supported.
              false: indicates that TLS 1.3 is not supported.
          Required: false
        Port:
          Type: Number
          Description:
            en: Access the cloud product port of WAF.
          Required: true
        ResourceProduct:
          Type: String
          Description:
            en: Access to WAF cloud products.
          Required: true
        Certificates:
          AssociationPropertyMetadata:
            Parameters:
              AppliedType:
                Type: String
                Description:
                  en: |-
                    The certificate type for the HTTPS protocol. Valid values:
                    default: Indicates the default certificate.
                    extension: Indicates an extended certificate.
                AllowedValues:
                  - default
                  - extension
                Required: false
              CertificateId:
                Type: String
                Description:
                  en: The ID of the certificate that was added.
                Required: false
          AssociationProperty: List[Parameters]
          Type: Json
          Description:
            en: The domain name bound to the certificate.
          Required: false
          MinLength: 0
          MaxLength: 10
        Protocol:
          Type: String
          Description:
            en: Protocol type
          Required: true
        ResourceInstanceId:
          Type: String
          Description:
            en: The instance ID of the cloud product connected to WAF.
          Required: true
    Type: Json
    Description:
      en: Listening information.
    Required: true
Resources:
  ExtensionResource:
    Type: ALIYUN::WAF3::TGW
    Properties:
      InstanceId:
        Ref: InstanceId
      Listen:
        Ref: Listen
Outputs:
  InstanceId:
    Description: The ID of the WAF instance.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - InstanceId
  Port:
    Description: Access the cloud product port of WAF.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - Port
  ResourceProduct:
    Description: Access to WAF cloud products.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - ResourceProduct
  TgwId:
    Description: The protection object ID of the transparent access resource.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - TgwId

The same template in JSON format:

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "InstanceId": {
      "Type": "String",
      "Description": {
        "en": "The ID of the WAF instance."
      },
      "Required": true
    },
    "Listen": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "CustomCiphers": {
            "Type": "Json",
            "Description": {
              "en": "Customize the encryption suite list. This parameter is used only when CipherSuite is set to 99."
            },
            "Required": false,
            "MinLength": 0,
            "MaxLength": 5
          },
          "TLSVersion": {
            "Type": "String",
            "Description": {
              "en": "The TLS version to be added. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:\ntlsv1\ntlsv1.1\ntlsv1.2"
            },
            "AllowedValues": [
              "tlsv1",
              "tlsv1.1",
              "tlsv1.2"
            ],
            "Required": false
          },
          "Http2Enabled": {
            "Type": "Boolean",
            "Description": {
              "en": "Whether to enable HTTP2. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:\ntrue: Enable HTTP2.\nfalse (default): Disable HTTP2."
            },
            "Required": false
          },
          "CipherSuite": {
            "Type": "Number",
            "Description": {
              "en": "The type of encryption suite to be added. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:\n1: Indicates adding all encryption suites.\n2: Indicates adding a strong encryption suite. This value can be selected only when the value of TLSVersion is tlsv1.2.\n99: Indicates adding a custom encryption suite."
            },
            "Required": false
          },
          "EnableTLSv3": {
            "Type": "Boolean",
            "Description": {
              "en": "Whether to support TLS 1.3. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Value:\ntrue: indicates that TLS 1.3 is supported.\nfalse: indicates that TLS 1.3 is not supported."
            },
            "Required": false
          },
          "Port": {
            "Type": "Number",
            "Description": {
              "en": "Access the cloud product port of WAF."
            },
            "Required": true
          },
          "ResourceProduct": {
            "Type": "String",
            "Description": {
              "en": "Access to WAF cloud products."
            },
            "Required": true
          },
          "Certificates": {
            "AssociationPropertyMetadata": {
              "Parameters": {
                "AppliedType": {
                  "Type": "String",
                  "Description": {
                    "en": "The certificate type for the HTTPS protocol. Valid values:\ndefault: Indicates the default certificate.\nextension: Indicates an extended certificate."
                  },
                  "AllowedValues": [
                    "default",
                    "extension"
                  ],
                  "Required": false
                },
                "CertificateId": {
                  "Type": "String",
                  "Description": {
                    "en": "The ID of the certificate that was added."
                  },
                  "Required": false
                }
              }
            },
            "AssociationProperty": "List[Parameters]",
            "Type": "Json",
            "Description": {
              "en": "The domain name bound to the certificate."
            },
            "Required": false,
            "MinLength": 0,
            "MaxLength": 10
          },
          "Protocol": {
            "Type": "String",
            "Description": {
              "en": "Protocol type"
            },
            "Required": true
          },
          "ResourceInstanceId": {
            "Type": "String",
            "Description": {
              "en": "The instance ID of the cloud product connected to WAF."
            },
            "Required": true
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Listening information."
      },
      "Required": true
    }
  },
  "Resources": {
    "ExtensionResource": {
      "Type": "ALIYUN::WAF3::TGW",
      "Properties": {
        "InstanceId": {
          "Ref": "InstanceId"
        },
        "Listen": {
          "Ref": "Listen"
        }
      }
    }
  },
  "Outputs": {
    "InstanceId": {
      "Description": "The ID of the WAF instance.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "InstanceId"
        ]
      }
    },
    "Port": {
      "Description": "Access the cloud product port of WAF.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "Port"
        ]
      }
    },
    "ResourceProduct": {
      "Description": "Access to WAF cloud products.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "ResourceProduct"
        ]
      }
    },
    "TgwId": {
      "Description": "The protection object ID of the transparent access resource.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "TgwId"
        ]
      }
    }
  }
}