To add a website to Web Application Firewall (WAF) in CNAME record mode, add the domain name of the website to WAF. This topic describes how to add a domain name to WAF.
Prerequisites
A WAF instance is purchased. The number of domain names that are added to the WAF instance does not reach the upper limit.
Note: The total number of domain names that can be added to a WAF instance varies based on the specifications of the instance and the number of additional domain names that you purchased. For more information, see Extra domain package.
If you use a WAF instance in the Chinese mainland to protect your domain name, Internet Content Provider (ICP) filing is complete for the domain name.
Important: Make sure that the ICP filing information is valid. To comply with relevant laws and regulations, WAF regularly removes domain names whose ICP filing information is invalid.
Add a domain name to WAF
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which your WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Domain Names tab, click Website Access.
Note: On the Add Domain Name page, the Access Mode parameter is set to CNAME Record by default.
Configure the parameters and click Next. The following table describes the parameters.
Parameter
Description
Domain Name
Enter the domain name of your website. You can enter an exact match domain name such as www.aliyundoc.com or a wildcard domain name such as *.aliyundoc.com. You can enter only one domain name.
The first time you add the domain name to WAF, you must verify your ownership of the domain name. After you prove your ownership of the domain name, you can add the domain name to WAF. For more information, see Verify the ownership of a domain name.
Note: You can use a wildcard domain name to cover all subdomains at the same level as the wildcard domain name. You cannot use a wildcard domain name to cover subdomains at levels that are different from the level of the wildcard domain name. For example, you can use *.aliyundoc.com to cover www.aliyundoc.com and example.aliyundoc.com. You cannot use *.aliyundoc.com to cover www.example.aliyundoc.com.
You can use a second-level wildcard domain name to cover the second-level parent domain name of the wildcard domain name. For example, you can use *.aliyundoc.com to cover aliyundoc.com.
You cannot use a third-level wildcard domain name to cover the third-level parent domain name of the wildcard domain name. For example, you cannot use *.example.aliyundoc.com to cover example.aliyundoc.com.
If you add an exact match domain name and a wildcard domain name that covers the exact match domain name, the protection rules of the exact match domain name take precedence.
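The coverage and precedence rules above, modeled as an added example (this is not Alibaba Cloud's code). It assumes the registrable domain has two labels, as in aliyundoc.com.

```python
# Added example, not WAF's implementation: decides whether a wildcard entry
# covers a host and which entry's protection rules apply.
from typing import List, Optional


def labels(name: str) -> List[str]:
    """Split a host name into lower-case DNS labels."""
    return name.lower().rstrip(".").split(".")


def wildcard_covers(wildcard: str, host: str) -> bool:
    """True if the WAF wildcard entry (e.g. *.aliyundoc.com) covers host."""
    if not wildcard.startswith("*."):
        raise ValueError("wildcard must start with '*.'")
    base = labels(wildcard[2:])  # labels after the '*.' prefix
    h = labels(host)
    # Rule 1: a subdomain at the same level as the wildcard, i.e. exactly one
    # extra label in front of the base (www.aliyundoc.com, not a.b.aliyundoc.com).
    if len(h) == len(base) + 1 and h[1:] == base:
        return True
    # Rule 2: a second-level wildcard (*.aliyundoc.com, two base labels, assumed
    # registrable domain) also covers its parent aliyundoc.com. A third-level
    # wildcard such as *.example.aliyundoc.com does not cover example.aliyundoc.com.
    if len(base) == 2 and h == base:
        return True
    return False


def select_protection_entry(entries: List[str], host: str) -> Optional[str]:
    """Return the WAF entry whose protection rules apply to host.

    An exact-match entry takes precedence over a wildcard that also covers it.
    """
    for entry in entries:
        if not entry.startswith("*.") and labels(entry) == labels(host):
            return entry
    for entry in entries:
        if entry.startswith("*.") and wildcard_covers(entry, host):
            return entry
    return None
```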
Protection Resource
Select the type of protection resource that you want to use. Valid values:
Shared Cluster: This is the default value.
Exclusive Cluster: This option is available only if you use a WAF instance of the Exclusive edition. You can use an exclusive cluster to provide service-specific protection. For more information, see Best practices for WAF exclusive clusters.
Hybrid Cloud Cluster: If you use Hybrid Cloud WAF, select this option. For more information, see Add a website to Hybrid Cloud WAF.
Protocol Type
Select the protocol of your website. Valid values:
HTTP
HTTPS
Important: If your website supports HTTPS, select HTTPS. If you select HTTPS, upload the required certificate and private key files after you add your domain name to WAF. For more information, see the "Upload an HTTPS certificate" section in this topic.
If you select HTTPS, you can enable the following features:
HTTP2: You can select this option only after you select HTTPS.
If your domain name supports HTTP/2, select HTTP2. HTTP/2 ports and HTTPS ports are the same. After you select HTTP2, you need to only specify the HTTPS ports. For more information, see Is the origin server affected when HTTP/2 services are added to WAF?
Note: You can select HTTP2 only if your WAF instance is of the Business, Enterprise, or Exclusive edition.
Destination Server (IP Address)
Enter the address of the origin server. Valid values: IP and Domain Name (Such as CNAME). WAF filters out malicious requests and forwards normal requests to this address. To enter the address of the origin server, take note of the following items:
IP: Enter the public IP address of the origin server. The IP address must be accessible over the Internet.
Press the Enter key each time you enter an IP address. You can enter up to 20 IP addresses.
Note: If you enter multiple IP addresses, WAF automatically performs health checks and load balancing on the IP addresses.
If your WAF instance resides outside the Chinese mainland, you can enter only IPv4 addresses. If your WAF instance resides in the Chinese mainland, you can enter IPv4 or IPv6 addresses, or both.
Specify IPv4 addresses and IPv6 addresses: If you select Use the Same Protocol, WAF forwards requests from IPv4 addresses to the origin server over IPv4 and requests from IPv6 addresses to the origin server over IPv6. If you do not select Use the Same Protocol, WAF randomly forwards requests to the origin server over IPv4 or IPv6.
Important: If you want WAF to forward requests over IPv6, make sure that IPV6 is turned on for the domain name on the Website Access page. For more information, see Enable IPv6 traffic protection.
Specify only IPv4 addresses: WAF forwards all requests to the origin server over IPv4.
Specify only IPv6 addresses: WAF forwards all requests to the origin server over IPv6.
Domain Name (Such as CNAME): Enter the domain name of the origin server. For example, enter the CNAME of an Object Storage Service (OSS) bucket.
The domain name can be resolved to an IPv4 address. In this case, WAF forwards back-to-origin requests to the IPv4 address.
Important: The domain name of the origin server must be different from the domain name that you want to protect.
If you enter a domain name of an OSS bucket, map the domain name that you want to protect to the bucket in the OSS console. For more information, see Map custom domain names.
Destination Server Port
Specify the port that you want to use to forward requests.
WAF uses only the port that you specified to receive and forward requests. This way, the origin server is protected against security threats regardless of whether you enable ports that are not specified.
Important: You must set the Protocol Type and Destination Server Port parameters to the protocol and port that is used by the origin server to provide web services. WAF does not support port translation. For example, if the origin server provides web services by using HTTP and port 80, set the Protocol Type parameter to HTTP and the Destination Server Port parameter to 80.
Default ports:
80: By default, this port is used when you select HTTP.
443: By default, this port is used when you select HTTPS. HTTP2 uses the same port as HTTPS.
Custom ports: Enter port numbers in the HTTP Port and HTTPS Port fields. Press the Enter key each time you enter a port number. Click View Allowed Port Range to query all supported ports.
Note: A WAF instance of the Enterprise or Exclusive edition supports up to 50 ports, including ports 80, 8080, 443, and 8443. A WAF instance of the Pro or Business edition supports up to 10 ports, including ports 80, 8080, 443, and 8443.
For more information about the ports that are supported by shared clusters, see View the ports supported by WAF.
If you use a WAF instance of the Exclusive edition, you can select ports only from the Destination Server Port section on the Exclusive Settings page. For more information, see Configure an exclusive cluster.
Load Balancing Algorithm
If you enter multiple addresses of origin servers, configure this parameter. Valid values:
IP hash: Requests from an IP address are forwarded to the same origin server. This is the default value.
Note: If you select IP hash but the IP addresses of origin servers are not scattered across different network segments, workloads may be unbalanced.
Round-robin: All requests are distributed to origin servers in turn.
Least time: WAF uses the intelligent DNS resolution feature and the upgraded least-time back-to-origin algorithm to reduce latency when requests are forwarded to origin servers.
Note: You can select Least time only if intelligent load balancing is enabled. For more information, see Intelligent load balancing.
After the settings take effect, WAF distributes back-to-origin requests to multiple addresses of origin servers.
Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF:
Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. Valid values:
No: No Layer 7 proxies are deployed in front of WAF. WAF receives requests from clients. WAF uses the IP address that is used by a client to establish a connection with WAF as the IP address of the client. WAF obtains the IP address from the REMOTE_ADDR field.
Yes: A Layer 7 proxy is deployed in front of WAF. WAF receives requests from the Layer 7 proxy. To make sure that WAF can obtain the actual IP address of a client for security analysis, configure the Obtain Source IP Address parameter.
By default, WAF uses the first IP address in the X-Forwarded-For field as the IP address of a client.
If you use a proxy that requires the actual IP addresses to be included in a custom header field, such as X-Client-IP or X-Real-IP, select [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery and enter a custom header field in the Header Field field.
Note: We recommend that you use custom header fields to store the IP addresses of clients and configure the custom header fields in WAF. This prevents attackers from forging X-Forwarded-For fields to bypass WAF protection and improves the security of your business.
You can enter multiple header fields. Separate multiple header fields with commas (,). If you enter multiple header fields, WAF scans the header fields in sequence until the IP address of the client is obtained. If WAF cannot obtain the IP address of the client from the header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.
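The client IP selection described above (REMOTE_ADDR without a proxy; custom header fields scanned in sequence, then the first X-Forwarded-For address, when a Layer 7 proxy is present), modeled as an added example that is not WAF's own code. The sample headers are constructed, and falling back to REMOTE_ADDR when no header yields an address is an assumption of this model.

```python
# Added example, not WAF's implementation: models the "Obtain Source IP
# Address" behaviour and shows why the default X-Forwarded-For rule can be fooled.
from ipaddress import ip_address
from typing import Dict, Optional


def _first_valid_ip(header_value: str) -> Optional[str]:
    """Return the first syntactically valid IP in a comma-separated header value."""
    for part in header_value.split(","):
        candidate = part.strip()
        try:
            return str(ip_address(candidate))
        except ValueError:
            continue
    return None


def resolve_client_ip(remote_addr: str, headers: Dict[str, str],
                      l7_proxy: bool, header_fields: str = "") -> str:
    """remote_addr: address that opened the connection to WAF (REMOTE_ADDR).
    headers: request headers; names are compared case-insensitively.
    l7_proxy: the "layer 7 proxy in front of WAF" setting.
    header_fields: comma-separated custom header names, scanned in order."""
    if not l7_proxy:
        return remote_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in (n.strip().lower() for n in header_fields.split(",") if n.strip()):
        if name in lowered:
            found = _first_valid_ip(lowered[name])
            if found:
                return found
    # Default rule: first IP address in X-Forwarded-For.
    xff = lowered.get("x-forwarded-for")
    found = _first_valid_ip(xff) if xff else None
    # Assumption of this model: fall back to REMOTE_ADDR if nothing usable was found.
    return found or remote_addr


# Constructed sample: the client itself sent "X-Forwarded-For: 203.0.113.9";
# the trusted proxy appended the address it actually saw (198.51.100.7) and
# also placed it in its custom X-Client-IP header.
SAMPLE_HEADERS = {
    "X-Forwarded-For": "203.0.113.9, 198.51.100.7",
    "X-Client-IP": "198.51.100.7",
}
PROXY_ADDR = "192.0.2.10"  # constructed address of the Layer 7 proxy
```

With the default rule the forged 203.0.113.9 is taken as the client; with "X-Client-IP" configured as the header field, WAF takes 198.51.100.7.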
Enable Traffic Mark
Specify whether to enable the traffic marking feature.
The feature adds custom header fields to WAF back-to-origin requests. You can configure or modify the custom header fields to tag the requests that are forwarded by WAF or record the actual IP addresses or ports of clients.
If you select Enable Traffic Marking, add custom header fields.
Important: We recommend that you do not specify a standard HTTP header field, such as User-Agent. If you specify a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field.
If an attacker obtains the IP address of the origin server before you add the domain name to WAF and purchases another WAF instance to forward requests to the origin server, we recommend that you select Enable Traffic Mark and add custom header fields. We recommend that you verify the header fields after the origin server receives the requests. If the specified header fields exist, the requests are allowed.
You can add the following types of header fields:
Click + Add Mark to add a header field. You can add up to five header fields.
Back-to-origin Timeout Configuration
Specify the timeout periods for back-to-origin requests.
Connection Timeout Period: The maximum amount of time that WAF waits while WAF attempts to connect to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 5.
Read Connection Timeout Period: The maximum amount of time that clients wait for responses from the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120.
Write Connection Timeout Period: The maximum amount of time that WAF waits while WAF forwards requests to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120.
Note: You can configure the timeout period settings only if you use an on-cloud WAF instance of the Pro, Business, Enterprise, or Exclusive edition. You cannot configure the timeout period settings for Hybrid Cloud WAF instances.
Resource Group
Select the resource group to which you want to add the domain name from the drop-down list.
Note: You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.
If the wildcard domain name that matches the domain name that you specified in Step 4 is configured by another user, configure the TXT record based on the record type, domain name, and record value that are displayed in the Tips dialog box.
For example, if you use Alibaba Cloud DNS, you can log on to the Alibaba Cloud DNS console and configure the TXT record based on information that is displayed in the Tips dialog box. For more information, see Add a DNS record.
Modify the DNS record.
Follow the on-screen instructions to modify the DNS record and map your domain name to WAF. Then, click Next. For more information, see Change a DNS record.
Complete the settings.
Follow the on-screen instructions to configure the back-to-origin CIDR blocks of WAF and click Completed. Return to the website list. The Website Access page appears. For more information, see Allow access from back-to-origin CIDR blocks of WAF.
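An origin-side check that combines the two measures this procedure relies on: allowing only the WAF back-to-origin CIDR blocks, and verifying the custom header added under Enable Traffic Mark (which also covers requests relayed through a WAF instance that is not yours, as the Enable Traffic Mark description notes). This is an added example, not Alibaba Cloud's code; the CIDR blocks, header name and value are constructed placeholders to be replaced with the ranges shown in the console and your own mark.

```python
# Added example, not Alibaba Cloud's code: gate requests at the origin server.
import hmac
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

# Placeholder ranges, NOT the real WAF back-to-origin CIDR blocks; take the
# real ones from the WAF console page this step refers to.
WAF_BACK_TO_ORIGIN_CIDRS = [ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")]

# Placeholder traffic mark; configure the same header under Enable Traffic Mark.
# Do not reuse a standard header such as User-Agent (its value would be overwritten).
TRAFFIC_MARK_HEADER = "X-WAF-Mark"
TRAFFIC_MARK_VALUE = "replace-with-a-long-random-secret"


def from_waf_cidr(peer_ip: str) -> bool:
    """True if the TCP peer is inside one of the WAF back-to-origin ranges."""
    addr = ip_address(peer_ip)
    return any(addr in net for net in WAF_BACK_TO_ORIGIN_CIDRS)


def has_valid_traffic_mark(headers: Dict[str, str]) -> bool:
    """True if the request carries the configured mark (header names are
    case-insensitive; the value is compared in constant time)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(TRAFFIC_MARK_HEADER.lower(), "")
    return hmac.compare_digest(value, TRAFFIC_MARK_VALUE)


def admit_request(peer_ip: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Both checks must pass: the CIDR check rejects
    traffic sent straight to the origin IP; the mark rejects traffic that
    arrives from the WAF ranges but was relayed by someone else's WAF instance."""
    if not from_waf_cidr(peer_ip):
        return False, "peer not in WAF back-to-origin CIDR blocks"
    if not has_valid_traffic_mark(headers):
        return False, "traffic mark missing or wrong"
    return True, "ok"
```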
Upload an HTTPS certificate
If you select HTTPS for the Protocol Type parameter in Step 4 when you add a domain name, upload a valid HTTPS certificate that is associated with the domain name in the WAF console. Otherwise, WAF cannot protect HTTPS requests.
To upload an HTTPS certificate, you can use one of the following methods:
Upload a certificate.
Before you upload a certificate, you must prepare the following files and make sure that the certificate chain is valid:
The certificate file in the CRT or PEM format
The private key file in the KEY format
Select an existing certificate: You can select the certificate that is associated with the domain name in the Certificate Management Service console. For more information, see What is Certificate Management Service.
Purchase a certificate.
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which your WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Domain Names tab, find the domain name that you want to manage and click the icon in the Origin Server column.
Note: The icon appears in the Origin Server column.
In the Upload Certificate or Update Certificate dialog box, configure the Upload Type parameter to upload an HTTPS certificate.
Note: After you upload the certificate, the Update Certificate dialog box appears. The Update Certificate and Upload Certificate dialog boxes have the same configuration items.
Manual Upload: Configure the Certificate Name parameter, copy and paste the content of the certificate file to the Certificate File field, and then copy and paste the content of the private key file to the Private Key File field.
For information about the certificate file, see the following descriptions:
If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the certificate file and copy the text content.
If the certificate file is in a different format such as PFX or P7B, convert the certificate file format to PEM. Then, you can use a text editor to open the certificate file and copy the text content. For information about how to convert file formats, see How do I convert an HTTPS certificate to the PEM format?
Make sure that the certificate chain is valid. If the domain name is associated with multiple certificate files, combine the text content of the certificate files and then copy and paste the combined content to the Certificate File field.
Select Existing Certificate: Select a certificate from the Certificate drop-down list.
The Certificate drop-down list contains certificates that are issued in the Certificate Management Service console. Select the certificate that is associated with the domain name. Click Cloud Security - Certificates Service to go to the Certificate Management Service console and manage certificates.
Purchase Certificate: Click Buy Now to go to the Purchase Certificate page in the Certificate Management Service console. Then, purchase a certificate for your domain name.
After you purchase and configure the certificate, the certificate is automatically uploaded to WAF.
Note: You can purchase only a domain validated (DV) certificate on the Purchase Certificate page. If you want to purchase a different type of certificate, go to the buy page of Certificate Management Service. For more information, see Purchase an SSL certificate.
Click OK.
Subsequent configurations
After you add the domain name, the requests that are sent to the domain name are protected by WAF. You can modify domain name configurations to improve website security.
Type | Description | References |
Website protection configuration | WAF provides multiple features to protect your website against different types of attacks. By default, only the Protection Rules Engine and HTTP Flood Protection features are enabled. The Protection Rules Engine feature protects your website against common web attacks such as SQL injections, XSS attacks, and webshell uploads. The HTTP Flood Protection feature protects your website against HTTP flood attacks. Enable other features and configure protection rules. | |
Alert configuration | You can configure alert rules to enable WAF to send alert notifications when attacks and abnormal traffic are detected in access requests. This way, you can check the security status of your business at the earliest opportunity. | |
Log Service configurations | After you enable the Log Service for WAF feature, WAF can collect and store the log data of your domain name. You can query and analyze the log data. By default, the Log Service for WAF feature stores full logs for 180 days to meet Multi-Level Protection Scheme (MLPS) requirements. | |
Related operations
View and manage the domain names that are added to WAF
On the Domain Names tab of the Website Access page, you can view the domain names that are added to WAF and perform the following operations:
Upload an HTTPS certificate: If your domain name supports HTTPS, make sure that a valid certificate and private key files are uploaded to WAF to ensure that WAF protects HTTPS requests. To upload the HTTPS certificate and private key files for the domain name, click the icon in the Origin Server column.
For more information, see Upload an HTTPS certificate.
Enable IPv6 traffic protection: If you want to protect IPv6 traffic that is sent to your domain name, turn on IPV6 for the domain name in the Quick Access column.
For more information, see Enable IPv6 traffic protection.
Enable Log Service for WAF: Turn on Log Service in the Quick Access column to enable the Log Service for WAF feature. You can use this feature to collect the logs of your domain name. Then, you can use the logs for query, analysis, dashboard data visualization, and alerting. For more information, see Get started with the Log Service for WAF feature.
Note: The Log Service for WAF feature is a value-added feature of WAF. Before you can use the feature, you must enable the feature. For more information, see Step 1: Enable the Log Service for WAF feature.
Configure protection resources: Click the icon to the right of Protection Resource in the Quick Access column. Then, configure the protection resource for the domain name.
The following types of protection resources are supported:
Shared Cluster and Shared IP: This is the default value.
Shared Cluster and Exclusive IP: For information about exclusive IP addresses, see Exclusive IP addresses.
Shared Cluster and Load Balancing Among Multiple WAF Nodes: For information about global load balancing, see Intelligent load balancing.
Exclusive Cluster: For information about exclusive clusters, see Create an exclusive cluster.
View attack reports: Click View Report in the Attack Monitoring column to go to the Security Report page. On the page that appears, you can view a protection report of the domain name. For more information, see View security reports.
Configure protection policies: Click Config in the Actions column to go to the Website Protection page. On the page that appears, you can configure the Web Security, Bot Management, and Access Control/Throttling modules. For more information, see Overview of website protection configuration.
Modify domain name configurations: Click Edit in the Actions column to modify domain name configurations such as the protocol type, server address, and server port. You cannot modify the domain name.
Delete a domain name: Click Delete in the Actions column.
Warning: Before you delete a domain name, you must modify the DNS record to map the domain name to the IP address of the origin server. If you do not modify the DNS record, the requests that are sent to the domain name cannot be forwarded after the domain name is deleted.
Check the validity of the ICP filing information
After you add the domain name to WAF, make sure that the ICP filing information is valid. To comply with relevant laws and regulations, WAF instances regularly check the added domain names. Domain names whose ICP filing information is invalid cannot be protected by WAF. If the ICP filing information of your domain name is invalid, perform the following operations:
Update the ICP filing information of your domain name.
Click the Domain Names tab on the Website Access page. Find the domain name whose ICP filing information is updated and click Add Again in the Actions column.
FAQ
For more information, see FAQ about website access configuration in FAQ.