Web Application Firewall：Add a domain name to WAF

Prerequisites

• A WAF instance is purchased. The number of domain names that are added to the WAF instance does not reach the upper limit.

  Note

  The total number of domain names that can be added to a WAF instance varies based on the specifications of the instance and the number of additional domain names that you purchased. For more information, see Extra domain package.

• If you use a WAF instance in the Chinese mainland to protect your domain name, Internet Content Provider (ICP) filing is complete for the domain name.

  Important

  Make sure that the ICP filing information is valid. To comply with relevant laws and regulations, WAF regularly removes domain names whose ICP filing information is invalid.

Add a domain name to WAF

1. Log on to the WAF console. In the top navigation bar, select the resource group and the region in which your WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

2. In the left-side navigation pane, choose Asset Center > Website Access.

3. On the Domain Names tab, click Website Access.

   Note

   On the Add Domain Name page, the Access Mode parameter is set to CNAME Record by default.

4. Configure the parameters and click Next. The following table describes the parameters.

   Parameter	Description
   Domain Name	Enter the domain name of your website. You can enter an exact match domain name such as www.aliyundoc.com or a wildcard domain name such as *.aliyundoc.com. You can enter only one domain name. The first time you add the domain name to WAF, you must verify your ownership of the domain name. After you prove your ownership of the domain name, you can add the domain name to WAF. For more information, see Verify the ownership of a domain name. Note You can use a wildcard domain name to cover all subdomains at the same level as the wildcard domain name. You cannot use a wildcard domain name to cover subdomains at levels that are different from the level of the wildcard domain name. For example, you can use *.aliyundoc.com to cover www.aliyundoc.com and example.aliyundoc.com. You cannot use *.aliyundoc.com to cover www.example.aliyundoc.com. You can use a second-level wildcard domain name to cover the second-level parent domain name of the wildcard domain name. For example, you can use *.aliyundoc.com to cover aliyundoc.com. You cannot use a third-level wildcard domain name to cover the third-level parent domain name of the wildcard domain name. For example, you cannot use *.example.aliyundoc.com to cover example.aliyundoc.com. If you add an exact match domain name and a wildcard domain name that covers the exact match domain name, the protection rules of the exact match domain name take precedence.
   Protection Resource	Select the type of protection resource that you want to use. Valid values: Shared Cluster: This is the default value. Exclusive Cluster: This option is available only if you use a WAF instance of the Exclusive edition. You can use an exclusive cluster to provide service-specific protection. For more information, see Best practices for WAF exclusive clusters. Hybrid Cloud Cluster: If you use Hybrid Cloud WAF, select this option. For more information, see Add a website to Hybrid Cloud WAF.
   Protocol Type	Select the protocol of your website. Valid values: HTTP HTTPS Important If your website supports HTTPS, select HTTPS. If you select HTTPS, upload the required certificate and private key files after you add your domain name to WAF. For more information, see the "Upload an HTTPS certificate" section in this topic. If you select HTTPS, you can enable the following features: (Advanced Settings) Enforce HTTPS Routing If you enable this feature, HTTP requests that are sent from the client are automatically redirected to HTTPS. The client sends HTTPS requests to WAF over port 443. Then, WAF forwards the HTTPS requests to the origin server over the same port. If you want clients to access your website by using HTTPS, enable this feature to improve the security of your website. Important You can enable this feature only if you do not select HTTP. Before you enable this feature, make sure that your domain name supports HTTPS. After you enable this feature, viewers who use specific browsers can access your content only if the viewers use HTTPS. (Advanced Settings) Enable HTTP If you enable this feature, WAF forwards requests to the origin server over HTTP. The default port is 80. In this case, WAF forwards requests to the origin server over port 80 regardless of whether clients access WAF over port 80 or port 443. If you enable this feature, clients can access your website over HTTPS. This helps reduce the workload of your website without the need to modify the settings of the origin server. Important If your website does not support HTTPS, you must turn on Enable HTTP. (Advanced Settings) Enforce HTTPS Routing and Enable HTTP: Both switches are turned off. If clients access WAF over port 80, WAF forwards requests to the origin server over port 80. If clients access WAF over port 443, WAF forwards requests to the origin server over port 443. Enable Origin SNI Origin Server Name Indication (SNI) specifies the domain name with which an HTTPS connection must be established at the start of the handshaking process when WAF forwards requests to the origin server. If the origin server hosts multiple domain names, enable this feature. After you select Enable Origin SNI, you can configure the SNI field. Valid values: Use Domain Name in Host Header: specifies that the value of the SNI field in back-to-origin requests is the same as the value of the Host header field. This is the default value. For example, if you entered the domain name *.aliyundoc.com and a client sends requests to the domain name www.aliyundoc.com, the value of the SNI field in WAF back-to-origin requests is www.aliyundoc.com. The www.aliyundoc.com domain name is the value of the Host header field. Custom: specifies that a custom value can be specified for the SNI field in WAF back-to-origin requests. If you want WAF to use an SNI field whose value is different from the value of the Host header field in back-to-origin requests, specify a custom value for the SNI field. HTTP2: You can select this option only after you select HTTPS. If your domain name supports HTTP/2, select HTTP2. HTTP/2 ports and HTTPS ports are the same. After you select HTTP2, you need to only specify the HTTPS ports. For more information, see Is the origin server affected when HTTP/2 services are added to WAF? Note You can select HTTP2 only if your WAF instance is of the Business, Enterprise, or Exclusive edition.
   Destination Server (IP Address)	Enter the address of the origin server. Valid values: IP and Domain Name (Such as CNAME). WAF filters out malicious requests and forwards normal requests to this address. To enter the address of the origin server, take note of the following items: IP: Enter the public IP address of the origin server. The IP address must be accessible over the Internet. Press the Enter key each time you enter an IP address. You can enter up to 20 IP addresses. Note If you enter multiple IP addresses, WAF automatically performs health checks and load balancing on the IP addresses. If your WAF instance resides outside the Chinese mainland, you can enter only IPv4 addresses. If your WAF instance resides in the Chinese mainland, you can enter IPv4 or IPv6 addresses, or both. Specify IPv4 addresses and IPv6 addresses If you select Use the Same Protocol, WAF forwards requests from IPv4 addresses to the origin server over IPv4 and requests from IPv6 addresses to the origin server over IPv6. If you do not select Use the Same Protocol, WAF randomly forwards requests to the origin server over IPv4 or IPv6. Important If you want WAF to forward requests over IPv6, make sure that IPV6 is turned on for the domain name on the Website Access page. For more information, see Enable IPv6 traffic protection. Specify only IPv4 addresses WAF forwards all requests to the origin server over IPv4. Specify only IPv6 addresses WAF forwards all requests to the origin server over IPv6. The following list describes how to enter an IP address: If the origin server is an Alibaba Cloud Elastic Compute Service (ECS) instance, enter the public IP address of the ECS instance. If the ECS instance is associated with a Server Load Balancer (SLB) instance, enter the public IP address of the SLB instance. If the origin server is not deployed on Alibaba Cloud, we recommend that you ping the domain name to query the public IP address of the origin server. Then, enter the public IP address of the origin server. Make sure that Enable Traffic Redirection is turned off for the IP address that you entered in transparent proxy mode. Domain Name (Such as CNAME): Enter the domain name of the origin server. For example, enter the CNAME of an Object Storage Service (OSS) bucket. The domain name can be resolved to an IPv4 address. In this case, WAF forwards back-to-origin requests to the IPv4 address. Important The domain name of the origin server must be different from the domain name that you want to protect. If you enter a domain name of an OSS bucket, map the domain name that you want to protect to the bucket in the OSS console. For more information, see Map custom domain names.
   Destination Server Port	Specify the port that you want to use to forward requests. WAF uses only the port that you specified to receive and forward requests. This way, the origin server is protected against security threats regardless of whether you enable ports that are not specified. Important You must set the Protocol Type and Destination Server Port parameters to the protocol and port that is used by the origin server to provide web services. WAF does not support port translation. For example, if the origin server provides web services by using HTTP and port 80, set the Protocol Type parameter to HTTP and the Destination Server Port parameter to 80. Default ports: 80: By default, this port is used when you select HTTP. 443: By default, this port is used when you select HTTPS. HTTP2 uses the same port as HTTPS. Custom ports: Enter port numbers in the HTTP Port and HTTPS Port fields. Press the Enter key each time you enter a port number. Click View Allowed Port Range to query all supported ports. Note A WAF instance of the Enterprise or Exclusive edition supports up to 50 ports, including ports 80, 8080, 443, and 8443. A WAF instance of the Pro or Business edition supports up to 10 ports, including ports 80, 8080, 443, and 8443. For more information about the ports that are supported by shared clusters, see View the ports supported by WAF. If you use a WAF instance of the Exclusive edition, you can select ports only from the Destination Server Port section on the Exclusive Settings page. For more information, see Configure an exclusive cluster.
   Load Balancing Algorithm	If you enter multiple addresses of origin servers, configure this parameter. Valid values: IP hash: Requests from an IP address are forwarded to the same origin server. This is the default value. Note If you select IP hash but the IP addresses of origin servers are not scattered across different network segments, workloads may be unbalanced. Round-robin: All requests are distributed to origin servers in turn. Least time: WAF uses the intelligent DNS resolution feature and the upgraded least-time back-to-origin algorithm to reduce latency when requests are forwarded to origin servers. Note You can select Least time only if intelligent load balancing is enabled. For more information, see Intelligent load balancing. After the settings take effect, WAF distributes back-to-origin requests to multiple addresses of origin servers.
   Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF:	Specify whether a Layer 7 proxy is deployed in front of WAF. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. Valid values: No: No Layer 7 proxies are deployed in front of WAF. WAF receives requests from clients. WAF uses the IP address that is used by a client to establish a connection with WAF as the IP address of the client. WAF obtains the IP address from the REMOTE_ADDR field. Yes: A Layer 7 proxy is deployed in front of WAF. WAF receives requests from the Layer 7 proxy. To make sure that WAF can obtain the actual IP address of a client for security analysis, configure the Obtain Source IP Address parameter. By default, WAF uses the first IP address in the X-Forwarded-For field as the IP address of a client. If you use a proxy that requires the actual IP addresses to be included in a custom header field, such as X-Client-IP or X-Real-IP, select [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery and enter a custom header field in the Header Field field. Note We recommend that you use custom header fields to store the IP addresses of clients and configure the custom header fields in WAF. This prevents attackers from forging X-Forwarded-For fields to bypass WAF protection and improves the security of your business. You can enter multiple header fields. Separate multiple header fields with commas (,). If you enter multiple header fields, WAF scans the header fields in sequence until the IP address of the client is obtained. If WAF cannot obtain the IP address of the client from the header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.
   Enable Traffic Mark	Specify whether to enable the traffic marking feature. The feature adds custom header fields to WAF back-to-origin requests. You can configure or modify the custom header fields to tag the requests that are forwarded by WAF or record the actual IP addresses or ports of clients. If you select Enable Traffic Marking, add custom header fields. Important We recommend that you do not specify a standard HTTP header field, such as User-Agent. If you specify a standard HTTP header field, the value of the standard header field is overwritten by the value of the custom header field. If an attacker obtains the IP address of the origin server before you add the domain name to WAF and purchases another WAF instance to forward requests to the origin server, we recommend that you select Enable Traffic Mark and add custom header fields. We recommend that you verify the header fields after the origin server receives the requests. If the specified header fields exist, the requests are allowed. You can add the following types of header fields: Custom Header If you want to add a custom header, configure the Header Name and Header Value parameters. WAF adds the header field to the back-to-origin requests to allow the backend service to check whether requests pass through WAF, collect statistics, and analyze data. For example, you can specify the ALIWAF-TAG: Yes header field to mark the requests that pass through WAF. In this example, ALIWAF-TAG is the header field name and Yes is the header field value. Originating IP Address You can configure a custom header to record the actual IP address of a client. This way, your origin server can obtain the actual IP address of the client. For more information about how WAF obtains the actual IP addresses of clients, see the description of the Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF parameter. Source Port You can configure a custom header to record the source port of a client. This way, your origin server can obtain the actual port of the client. Click + Add Mark to add a header field. You can add up to five header fields.
   Back-to-origin Timeout Configuration	Specify the timeout periods for back-to-origin requests. Connection Timeout Period: The maximum amount of time that WAF waits while WAF attempts to connect to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 5. Read Connection Timeout Period: The maximum amount of time that clients wait for responses from the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120. Write Connection Timeout Period: The maximum amount of time that WAF waits while WAF forwards requests to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120. Note You can configure the timeout period settings only if you use an on-cloud WAF instance of the Pro, Business, Enterprise, or Exclusive edition. You cannot configure the timeout period settings for Hybrid Cloud WAF instances.
   Resource Group	Select the resource group to which you want to add the domain name from the drop-down list. Note You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.

5. If the wildcard domain name that matches the domain name that you specified in Step 4 is configured by another user, configure the TXT record based on the record type, domain name, and record value that are displayed in the Tips dialog box.

   For example, if you use Alibaba Cloud DNS, you can log on to the Alibaba Cloud DNS console and configure the TXT record based on information that is displayed in the Tips dialog box. For more information, see Add a DNS record.

6. Modify the DNS record.

   Follow the on-screen instructions to modify the DNS record and map your domain name to WAF. Then, click Next. For more information, see Change a DNS record.

7. Complete the settings.

   Follow the on-screen instructions to configure the back-to-origin CIDR blocks of WAF and click Completed. Return to the website list.. The Website Access page appears. For more information, see Allow access from back-to-origin CIDR blocks of WAF.

Upload an HTTPS certificate

If you select HTTPS for the Protocol Type parameter in Step 4 when you add a domain name, upload a valid HTTPS certificate that is associated with the domain name in the WAF console. Otherwise, WAF cannot protect HTTPS requests.

To upload an HTTPS certificate, you can use one of the following methods:

• Upload a certificate.

  Before you upload a certificate, you must prepare the following files and make sure that the certificate chain is valid:

  • The certificate file in the CRT or PEM format

  • The private key file in the KEY format

• Select an existing certificate: You can select the certificate that is associated with the domain name in the Certificate Management Service console. For more information, see What is Certificate Management Service.

• Purchase a certificate.

1. Log on to the WAF console. In the top navigation bar, select the resource group and the region in which your WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

2. In the left-side navigation pane, choose Asset Center > Website Access.

3. On the Domain Names tab, find the domain name that you want to manage and click the icon in the Origin Server column.

   Note

   The icon appears in the Origin Server column.

4. In the Upload Certificate or Update Certificate dialog box, configure the Upload Type parameter to upload an HTTPS certificate.

   Note

   After you upload the certificate, the Update Certificate dialog box appears. The Update Certificate and Upload Certificate dialog boxes have the same configuration items.

   • Manual Upload: Configure the Certificate Name parameter, copy and paste the content of the certificate file to the Certificate File field, and then copy and paste the content of the private key file to the Private Key File field.

     For information about the certificate file, see the following descriptions:

     • If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the certificate file and copy the text content.

     • If the certificate file is in a different format such as PFX or P7B, convert the certificate file format to PEM. Then, you can use a text editor to open the certificate file and copy the text content. For information about how to convert file formats, see How do I convert an HTTPS certificate to the PEM format?

     • Make sure that the certificate chain is valid. If the domain name is associated with multiple certificate files, combine the text content of the certificate files and then copy and paste the combined content to the Certificate File field.

   • Select Existing Certificate: Select a certificate from the Certificate drop-down list.

     The Certificate drop-down list contains certificates that are issued in the Certificate Management Service console. Select the certificate that is associated with the domain name. Click Cloud Security - Certificates Service to go to the Certificate Management Service console and manage certificates.

   • Purchase Certificate: Click Buy Now to go to the Purchase Certificate page in the Certificate Management Service console. Then, purchase a certificate for your domain name.

     After you purchase and configure the certificate, the certificate is automatically uploaded to WAF.

     Note

     You can purchase only a domain validated (DV) certificate on the Purchase Certificate page. If you want to purchase a different type of certificate, go to the buy page of Certificate Management Service. For more information, see Purchase an SSL certificate.

5. Click OK.

Subsequent configurations

After you add the domain name, the requests that are sent to the domain name are protected by WAF. You can modify domain name configurations to improve website security.

Related operations

View and manage the domain names that are added to WAF

On the Domain Names tab of the Website Access page, you can view the domain names that are added to WAF and perform the following operations:

• Upload an HTTPS certificate: If your domain name supports HTTPS, make sure that a valid certificate and private key files are uploaded to WAF to ensure that WAF protects HTTPS requests. To upload the HTTPS certificate and private key files for the domain name, click the icon in the Origin Server column.

  For more information, see Upload an HTTPS certificate.

• Enable IPv6 traffic protection: If you want to protect IPv6 traffic that is sent to your domain name, turn on IPV6 for the domain name in the Quick Access column.

  For more information, see Enable IPv6 traffic protection.

• Enable Log Service for WAF: Turn on Log Service in the Quick Access column to enable the Log Service for WAF feature. You can use this feature to collect the logs of your domain name. Then, you can use the logs for query, analysis, dashboard data visualization, and alerting. For more information, see Get started with the Log Service for WAF feature.

  Note

  The Log Service for WAF feature is a value-added feature of WAF. Before you can use the feature, you must enable the feature. For more information, see Step 1: Enable the Log Service for WAF feature.

• Configure protection resources: Click the icon to the right of Protection Resource in the Quick Access column. Then, configure the protection resource for the domain name.

  The following types of protection resources are supported:

  • Shared Cluster and Shared IP: This is the default value.

  • Shared Cluster and Exclusive IP : For information about exclusive IP addresses, see Exclusive IP addresses.

  • Shared Cluster and Load Balancing Among Multiple WAF Nodes: For information about global load balancing, see Intelligent load balancing.

  • Exclusive Cluster: For information about exclusive clusters, see Create an exclusive cluster.

• View attack reports: Click View Report in the Attack Monitoring column to go to the Security Report page. On the page that appears, you can view a protection report of the domain name. For more information, see View security reports.

• Configure protection policies: Click Config in the Actions column to go to the Website Protection page. On the page that appears, you can configure the Web Security, Bot Management, and Access Control/Throttling modules. For more information, see Overview of website protection configuration.

• Modify domain name configurations: Click Edit in the Actions column to modify domain name configurations such as the protocol type, server address, and server port. You cannot modify the domain name.

• Delete a domain name: Click Delete in the Actions column.

  Warning

  Before you delete a domain name, you must modify the DNS record to map the domain name to the IP address of the origin server. If you do not modify the DNS record, the requests that are sent to the domain name cannot be forwarded after the domain name is deleted.

• After you add the domain name to WAF, make sure that the ICP filing information is valid. To comply with relevant laws and regulations, WAF instances regularly check the validity of the added domain names. Domain names whose ICP filing information is invalid are not protected by WAF. If the ICP filing information of your domain name is invalid, perform the following operations:

  1. Update the ICP filing information of your domain name.

  2. Click the Domain Names tab on the Website Access page. Find the domain name whose ICP filing information is updated and click Add Again in the Actions column.

Check the validity of the ICP filing information

After you add the domain name to WAF, make sure that the ICP filing information is valid. To comply with relevant laws and regulations, WAF instances regularly check the added domain names. Domain names whose ICP filling information is invalid cannot be protected by WAF. If the ICP filing information of your domain name is invalid, perform the following operations:

1. Update the ICP filing information of your domain name.

2. Click the Domain Names tab on the Website Access page. Find the domain name whose ICP filing information is updated and click Add Again in the Actions column.

FAQ

For more information, see FAQ about website access configuration in FAQ.