ALIYUN::WAF3::TGW is used to add a resource to Web Application Firewall (WAF) in transparent proxy mode.
Syntax
{
  "Type": "ALIYUN::WAF3::TGW",
  "Properties": {
    "InstanceId": String,
    "Listen": Map,
    "ResourceGroupId": String,
    "Redirect": Map,
    "WAFInstanceRegion": String
  }
}
Properties
Property | Type | Required | Editable | Description | Constraint |
InstanceId | String | Yes | No | The ID of the WAF instance. | None. |
Listen | Map | Yes | Yes | The listener configurations. | For more information, see the "Listen properties" section of this topic. |
ResourceGroupId | String | No | Yes | The ID of the resource group. | None. |
Redirect | Map | No | Yes | The forwarding configurations. | None. |
WAFInstanceRegion | String | No | No | The regions in which WAF 3.0 is supported. | Valid values: |
Listen syntax
"Listen": {
  "CustomCiphers": List,
  "TLSVersion": String,
  "Http2Enabled": Boolean,
  "CipherSuite": Integer,
  "EnableTLSv3": Boolean,
  "Port": Integer,
  "ResourceProduct": String,
  "Certificates": List,
  "Protocol": String,
  "ResourceInstanceId": String
}
Listen properties
Property | Type | Required | Editable | Description | Constraint |
Port | Integer | Yes | No | The listening port. | None. |
Protocol | String | Yes | No | The protocol type. | None. |
ResourceProduct | String | Yes | No | The cloud service to which the resource belongs. | None. |
ResourceInstanceId | String | Yes | No | The ID of the resource that you want to add to WAF. | None. |
CustomCiphers | List | No | Yes | The custom cipher suites. | You can use this property only when CipherSuite is set to 99. You can specify up to five custom cipher suites. |
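CipherSuite | Integer | No | Yes | The type of the cipher suites that you want to add. | Valid values: 1 (all cipher suites), 2 (strong cipher suites; can be selected only when TLSVersion is tlsv1.2), 99 (custom cipher suites). |
Certificates | List | No | Yes | The domain names that you want to bind to certificates. | You can bind up to 10 certificates. |
EnableTLSv3 | Boolean | No | Yes | Specifies whether to support Transport Layer Security (TLS) 1.3. | Valid values: true (TLS 1.3 is supported), false (TLS 1.3 is not supported). |
Http2Enabled | Boolean | No | Yes | Specifies whether to enable HTTP/2. | Valid values: true (enables HTTP/2), false (default; disables HTTP/2). |
TLSVersion | String | No | Yes | The TLS version. | Valid values: tlsv1, tlsv1.1, tlsv1.2. |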
Certificates syntax
"Certificates": [
  {
    "AppliedType": String,
    "CertificateId": String
  }
]
Certificates properties
Property | Type | Required | Editable | Description | Constraint |
AppliedType | String | No | Yes | The type of the HTTPS certificate. | Valid values: default (the default certificate), extension (an extended certificate). |
CertificateId | String | No | Yes | The ID of the added certificate. | None. |
Redirect syntax
"Redirect": {
  "XffHeaders": List,
  "WriteTimeout": Integer,
  "XffHeaderMode": Integer,
  "Keepalive": Boolean,
  "RequestHeaders": List,
  "KeepaliveRequests": Integer,
  "KeepaliveTimeout": Integer,
  "ReadTimeout": Integer,
  "XffProto": Boolean
}
Redirect properties
Property | Type | Required | Editable | Description | Constraint |
Keepalive | Boolean | No | Yes | Specifies whether to enable the persistent connection feature. | Valid values: |
KeepaliveRequests | Integer | No | Yes | The number of reused persistent connections. | Valid values: 60 to 1000. |
KeepaliveTimeout | Integer | No | Yes | The timeout period for an idle persistent connection. | Valid values: 1 to 60. Default value: 15. Unit: seconds. |
RequestHeaders | List | No | Yes | The header fields in the key-value format. | You can use this property to label traffic that is processed by WAF. |
ReadTimeout | Integer | No | Yes | The timeout period for a read connection. | Unit: seconds. Valid values: 1 to 3600. |
WriteTimeout | Integer | No | Yes | The timeout period for a write connection. | Unit: seconds. Valid values: 1 to 3600. |
XffHeaders | List | No | Yes | The custom header fields that are used to obtain the actual IP address of a client. | Value format: ["header1", "header2", ...]. You can specify up to 20 custom header fields. |
XffHeaderMode | Integer | No | Yes | The method that WAF uses to obtain the actual IP address of a client. | Valid values: |
XffProto | Boolean | No | Yes | Specifies whether to use the X-Forward-For-Proto header to identify the protocol used by WAF to forward requests to the origin server. | Valid values: |
RequestHeaders syntax
"RequestHeaders": [
  {
    "Value": String,
    "Key": String
  }
]
RequestHeaders properties
Property | Type | Required | Editable | Description | Constraint |
Key | String | No | Yes | The key of the custom header field. | None. |
Value | String | No | Yes | The value of the custom header field. | None. |
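The constraints in the Listen, Certificates and Redirect tables, together with the CipherSuite/TLSVersion dependency stated in the example template's parameter descriptions, can be checked before a template is deployed. The following Python lint is an added example, not part of the ROS documentation or tooling; the function name lint_tgw, the WARN policy (flagging tlsv1, tlsv1.1 and CipherSuite 1) and all sample values are assumptions.

```python
# Added example: lint one ALIYUN::WAF3::TGW Properties map before deployment.
RANGES = {  # Redirect integer ranges taken from the property tables
    "KeepaliveRequests": (60, 1000), "KeepaliveTimeout": (1, 60),
    "ReadTimeout": (1, 3600), "WriteTimeout": (1, 3600),
}
REQUIRED_LISTEN = ("Port", "Protocol", "ResourceProduct", "ResourceInstanceId")

def lint_tgw(props):
    """Return 'ERROR: ...' (documented constraint) and 'WARN: ...' (policy) findings."""
    out = []
    listen, redirect = props.get("Listen", {}), props.get("Redirect", {})
    out += [f"ERROR: Listen.{k} is required" for k in REQUIRED_LISTEN if k not in listen]
    suite, tls = listen.get("CipherSuite"), listen.get("TLSVersion")
    ciphers = listen.get("CustomCiphers", [])
    if ciphers and suite != 99:
        out.append("ERROR: CustomCiphers is only valid when CipherSuite is 99")
    if len(ciphers) > 5:
        out.append("ERROR: more than 5 custom cipher suites")
    if suite == 2 and tls != "tlsv1.2":
        out.append("ERROR: CipherSuite 2 requires TLSVersion tlsv1.2")
    if len(listen.get("Certificates", [])) > 10:
        out.append("ERROR: more than 10 certificates")
    if len(redirect.get("XffHeaders", [])) > 20:
        out.append("ERROR: more than 20 XffHeaders")
    for key, (lo, hi) in RANGES.items():
        val = redirect.get(key)
        if val is not None and not lo <= val <= hi:
            out.append(f"ERROR: Redirect.{key}={val} is outside {lo}..{hi}")
    # Assumed hardening policy, not a ROS constraint: flag legacy TLS and broad suites.
    if tls in ("tlsv1", "tlsv1.1"):
        out.append(f"WARN: TLSVersion {tls} is below tlsv1.2")
    if suite == 1:
        out.append("WARN: CipherSuite 1 adds all cipher suites, not only the strong set")
    return out

# Constructed inputs; IDs, product, protocol and cipher name are placeholders.
LISTEN_BASE = {"Port": 443, "Protocol": "https", "ResourceProduct": "clb7",
               "ResourceInstanceId": "lb-EXAMPLE"}
WEAK = {"InstanceId": "waf-EXAMPLE",
        "Listen": {**LISTEN_BASE, "TLSVersion": "tlsv1", "CipherSuite": 2,
                   "CustomCiphers": ["ECDHE-RSA-AES128-GCM-SHA256"]},
        "Redirect": {"KeepaliveTimeout": 120}}
HARDENED = {"InstanceId": "waf-EXAMPLE",
            "Listen": {**LISTEN_BASE, "TLSVersion": "tlsv1.2", "CipherSuite": 2,
                       "EnableTLSv3": True},
            "Redirect": {"KeepaliveTimeout": 15, "ReadTimeout": 120}}

if __name__ == "__main__":
    for name, props in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint_tgw(props) or "ok")
```

Run it over the resolved Properties of each ALIYUN::WAF3::TGW resource in CI and fail the pipeline on any ERROR finding.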
Return values
Fn::GetAtt
InstanceId: the ID of the WAF instance.
Port: the port of the cloud service to which the resource belongs.
ResourceProduct: the cloud service to which the resource belongs.
TgwId: the ID of the resource that is added to WAF in transparent proxy mode.
Examples
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  InstanceId:
    Type: String
    Description:
      en: The ID of the WAF instance.
    Required: true
  Listen:
    AssociationPropertyMetadata:
      Parameters:
        CustomCiphers:
          Type: Json
          Description:
            en: Customize the encryption suite list. This parameter is used only when CipherSuite is set to 99.
          Required: false
          MinLength: 0
          MaxLength: 5
        TLSVersion:
          Type: String
          Description:
            en: |-
              The TLS version to be added. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:
              tlsv1
              tlsv1.1
              tlsv1.2
          AllowedValues:
            - tlsv1
            - tlsv1.1
            - tlsv1.2
          Required: false
        Http2Enabled:
          Type: Boolean
          Description:
            en: |-
              Whether to enable HTTP2. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:
              true: Enable HTTP2.
              false (default): Disable HTTP2.
          Required: false
        CipherSuite:
          Type: Number
          Description:
            en: |-
              The type of encryption suite to be added. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:
              1: Indicates adding all encryption suites.
              2: Indicates adding a strong encryption suite. This value can be selected only when the value of TLSVersion is tlsv1.2.
              99: Indicates adding a custom encryption suite.
          Required: false
        EnableTLSv3:
          Type: Boolean
          Description:
            en: |-
              Whether to support TLS 1.3 version. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Value:
              true: indicates that TLS 1.3 version is supported.
              false: indicates that TLS 1.3 version is not supported.
          Required: false
        Port:
          Type: Number
          Description:
            en: Access the cloud product port of WAF.
          Required: true
        ResourceProduct:
          Type: String
          Description:
            en: Access to WAF cloud products.
          Required: true
        Certificates:
          AssociationPropertyMetadata:
            Parameters:
              AppliedType:
                Type: String
                Description:
                  en: |-
                    The certificate type for the HTTPS protocol. Valid values:
                    default: Indicates the default certificate.
                    extension: Indicates an extended certificate.
                AllowedValues:
                  - default
                  - extension
                Required: false
              CertificateId:
                Type: String
                Description:
                  en: The ID of the certificate that was added.
                Required: false
          AssociationProperty: List[Parameters]
          Type: Json
          Description:
            en: The domain name bound to the certificate.
          Required: false
          MinLength: 0
          MaxLength: 10
        Protocol:
          Type: String
          Description:
            en: Protocol type
          Required: true
        ResourceInstanceId:
          Type: String
          Description:
            en: The instance ID of the cloud product connected to WAF.
          Required: true
    Type: Json
    Description:
      en: Listening information.
    Required: true
Resources:
  ExtensionResource:
    Type: ALIYUN::WAF3::TGW
    Properties:
      InstanceId:
        Ref: InstanceId
      Listen:
        Ref: Listen
Outputs:
  InstanceId:
    Description: The ID of the WAF instance.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - InstanceId
  Port:
    Description: Access the cloud product port of WAF.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - Port
  ResourceProduct:
    Description: Access to WAF cloud products.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - ResourceProduct
  TgwId:
    Description: The protection object ID of the transparent access resource.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - TgwId

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "InstanceId": {
      "Type": "String",
      "Description": {
        "en": "The ID of the WAF instance."
      },
      "Required": true
    },
    "Listen": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "CustomCiphers": {
            "Type": "Json",
            "Description": {
              "en": "Customize the encryption suite list. This parameter is used only when CipherSuite is set to 99."
            },
            "Required": false,
            "MinLength": 0,
            "MaxLength": 5
          },
          "TLSVersion": {
            "Type": "String",
            "Description": {
              "en": "The TLS version to be added. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:\ntlsv1\ntlsv1.1\ntlsv1.2"
            },
            "AllowedValues": [
              "tlsv1",
              "tlsv1.1",
              "tlsv1.2"
            ],
            "Required": false
          },
          "Http2Enabled": {
            "Type": "Boolean",
            "Description": {
              "en": "Whether to enable HTTP2. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:\ntrue: Enable HTTP2.\nfalse (default): Disable HTTP2."
            },
            "Required": false
          },
          "CipherSuite": {
            "Type": "Number",
            "Description": {
              "en": "The type of encryption suite to be added. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Values:\n1: Indicates adding all encryption suites.\n2: Indicates adding a strong encryption suite. This value can be selected only when the value of TLSVersion is tlsv1.2.\n99: Indicates adding a custom encryption suite."
            },
            "Required": false
          },
          "EnableTLSv3": {
            "Type": "Boolean",
            "Description": {
              "en": "Whether to support TLS 1.3 version. This parameter is used only when the value of HttpsPorts is not empty (indicating that the domain name uses the HTTPS protocol). Value:\ntrue: indicates that TLS 1.3 version is supported.\nfalse: indicates that TLS 1.3 version is not supported."
            },
            "Required": false
          },
          "Port": {
            "Type": "Number",
            "Description": {
              "en": "Access the cloud product port of WAF."
            },
            "Required": true
          },
          "ResourceProduct": {
            "Type": "String",
            "Description": {
              "en": "Access to WAF cloud products."
            },
            "Required": true
          },
          "Certificates": {
            "AssociationPropertyMetadata": {
              "Parameters": {
                "AppliedType": {
                  "Type": "String",
                  "Description": {
                    "en": "The certificate type for the HTTPS protocol. Valid values:\ndefault: Indicates the default certificate.\nextension: Indicates an extended certificate."
                  },
                  "AllowedValues": [
                    "default",
                    "extension"
                  ],
                  "Required": false
                },
                "CertificateId": {
                  "Type": "String",
                  "Description": {
                    "en": "The ID of the certificate that was added."
                  },
                  "Required": false
                }
              }
            },
            "AssociationProperty": "List[Parameters]",
            "Type": "Json",
            "Description": {
              "en": "The domain name bound to the certificate."
            },
            "Required": false,
            "MinLength": 0,
            "MaxLength": 10
          },
          "Protocol": {
            "Type": "String",
            "Description": {
              "en": "Protocol type"
            },
            "Required": true
          },
          "ResourceInstanceId": {
            "Type": "String",
            "Description": {
              "en": "The instance ID of the cloud product connected to WAF."
            },
            "Required": true
          }
        }
      },
      "Type": "Json",
      "Description": {
        "en": "Listening information."
      },
      "Required": true
    }
  },
  "Resources": {
    "ExtensionResource": {
      "Type": "ALIYUN::WAF3::TGW",
      "Properties": {
        "InstanceId": {
          "Ref": "InstanceId"
        },
        "Listen": {
          "Ref": "Listen"
        }
      }
    }
  },
  "Outputs": {
    "InstanceId": {
      "Description": "The ID of the WAF instance.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "InstanceId"
        ]
      }
    },
    "Port": {
      "Description": "Access the cloud product port of WAF.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "Port"
        ]
      }
    },
    "ResourceProduct": {
      "Description": "Access to WAF cloud products.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "ResourceProduct"
        ]
      }
    },
    "TgwId": {
      "Description": "The protection object ID of the transparent access resource.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "TgwId"
        ]
      }
    }
  }
}