If a domain name that is exposed to web attacks is accelerated by a content delivery network (CDN), we recommend that you deploy Web Application Firewall (WAF) together with the CDN service, such as Alibaba Cloud CDN, to protect your web services. This topic describes how to use WAF together with Alibaba Cloud CDN to protect web services.
Network architecture
Deploy WAF and CDN in the following sequence: CDN, WAF, and origin servers. CDN is deployed at the ingress layer to accelerate content distribution. WAF is deployed at the intermediate layer to protect applications. Origin servers can be deployed on Elastic Compute Service (ECS) instances, on Server Load Balancer (SLB) instances, in virtual private clouds (VPCs), or in data centers. Client traffic is accelerated by CDN first and then filtered by WAF, so that only normal service traffic is forwarded to the origin server. This holds only if the origin server accepts back-to-origin traffic from WAF alone: if the origin IP address can be reached directly, an attacker can bypass both CDN and WAF, so restrict the origin to the WAF back-to-origin address ranges with a security group, SLB access control, or a firewall rule.
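The two origin-side checks that the architecture above depends on, as an added example that is not part of the Alibaba Cloud page: the origin accepts connections only from the WAF back-to-origin address ranges, and it derives the real client IP address from X-Forwarded-For by walking the header from the right and discarding every trusted proxy hop (WAF, then CDN), which is the same behaviour the "Layer 7 proxy in front of WAF" parameter enables inside WAF. The CIDR ranges are placeholders (assumption); take the real back-to-origin ranges from the WAF and CDN consoles. The handler is a minimal illustration, not a framework middleware.

```python
"""Origin-side checks for a CDN -> WAF -> origin chain (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumption: placeholder ranges. Replace with the back-to-origin CIDRs
# published in the WAF console (and the CDN node ranges, if CDN ever
# reaches the origin without passing through WAF, which it should not).
WAF_BACK_TO_ORIGIN_CIDRS = ["198.51.100.0/24"]
CDN_NODE_CIDRS = ["203.0.113.0/24"]


def _networks(cidrs: List[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


WAF_NETS = _networks(WAF_BACK_TO_ORIGIN_CIDRS)
# Every proxy whose address may legitimately appear in X-Forwarded-For.
TRUSTED_PROXY_NETS = WAF_NETS + _networks(CDN_NODE_CIDRS)


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _in_any(ip, nets) -> bool:
    # ipaddress returns False (no exception) when the IP versions differ.
    return any(ip in net for net in nets)


def connection_allowed(remote_addr: str) -> bool:
    """The TCP peer of the origin must be a WAF back-to-origin address.

    In the CDN -> WAF -> origin chain every legitimate request reaches the
    origin from WAF; a direct connection from anywhere else (including a
    CDN node) is a bypass of the protection layer.
    """
    ip = _parse_ip(remote_addr)
    return ip is not None and _in_any(ip, WAF_NETS)


def real_client_ip(remote_addr: str, xff: Optional[str]) -> Optional[str]:
    """Return the real client IP, or None if it cannot be trusted.

    Each proxy appends the address it received the request from, so the
    rightmost entries are the hops closest to us. Walking right-to-left,
    the first address that is not one of our trusted proxies is the
    client; anything to its left was supplied by the client and is
    untrusted (an attacker may prepend arbitrary addresses).
    """
    if not connection_allowed(remote_addr):
        return None
    hops = [h for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            return None  # malformed header: refuse to guess
        if not _in_any(ip, TRUSTED_PROXY_NETS):
            return str(ip)
    return None  # header empty or made up only of our own proxies


def handle(remote_addr: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Decide what the origin does with one request: (status, client_ip)."""
    if not connection_allowed(remote_addr):
        return 403, None  # did not come through WAF
    client = real_client_ip(remote_addr, headers.get("X-Forwarded-For"))
    if client is None:
        return 400, None  # no usable client address for logging/rate limits
    return 200, client


if __name__ == "__main__":
    # Constructed sample: client 192.0.2.10 -> CDN node -> WAF -> origin.
    print(handle("198.51.100.7", {"X-Forwarded-For": "192.0.2.10, 203.0.113.5"}))
    # Constructed bypass attempt: the client connects to the origin directly.
    print(handle("192.0.2.10", {"X-Forwarded-For": "203.0.113.5"}))
```

Use the client address returned by `handle` (not the TCP peer and not the leftmost X-Forwarded-For entry) for access logs, rate limits, and IP allow lists on the origin; the TCP peer is always a WAF node once the chain is in place.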
Prerequisites
Alibaba Cloud CDN is enabled and a domain name is added to Alibaba Cloud CDN. For more information, see Getting started with Alibaba Cloud CDN.
A WAF instance is purchased.
Step 1: Add a domain name to WAF
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Domain Names tab, click Website Access.
Add a domain name.
CNAME record mode
Note: On the Add Domain Name page, the Access Mode parameter is set to CNAME Record by default. You do not need to change the value of the Access Mode parameter in CNAME record mode.
In the Enter Your Website Information step, configure the following parameters and click Next.
Domain Name: Enter the domain name of the website that you want to protect.
Protection Resource: Select the type of protection resource that you want to use.
Protocol Type: Select the type of the protocol that is supported by your website.
Origin Server Address: IP: Enter the public IP address of the SLB or ECS instance on which the origin server is deployed, or the IP address of an origin server that is not deployed on Alibaba Cloud.
Destination Server Port: Specify the port based on the value of the Protocol Type parameter. The port is used by the origin server to provide services.
Load Balancing Algorithm: If you enter multiple origin server addresses, configure this parameter based on your business requirements.
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF: Set this parameter to Yes. CDN terminates the client connection, so without this setting WAF would treat the CDN node as the client. With the parameter set to Yes, WAF obtains the real client IP address from the X-Forwarded-For header, which its IP-based rules and logs rely on.
Enable Traffic Mark: Specify whether to enable the traffic marking feature of WAF.
Resource Group: If you want to manage cloud resources by department or project, select the resource group to which you want to add the domain name from the resource group drop-down list.
On the Domain Names tab of the Website Access page, find the domain name that you added to WAF and copy the CNAME that is assigned by WAF to the domain name.
Transparent proxy mode
On the Add Domain Name page, set the Access Mode parameter to Transparent Proxy Mode.
In the Add Domain Name step, configure the following parameters and click Next.
Domain Name: Enter the domain name of the website that you want to protect.
SLB-based Domains, Layer 7 SLB-based Domains, Layer 4 SLB-based Domains, and ECS-based Domains: Select the type of the instance that you want to protect and the corresponding ports.
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF: Set this parameter to Yes, so that WAF obtains the real client IP address from the X-Forwarded-For header instead of treating the CDN node as the client.
Enable Traffic Mark: Specify whether to enable the traffic marking feature of WAF.
Resource Group: If you want to manage cloud resources by department or project, select the resource group to which you want to add the domain name from the resource group drop-down list.
In the Check and Confirm Added Information step, check and confirm the information and click Next.
Click Completed to return to the Domain Names tab of the Website Access page. On the Servers tab, select Resource Instance ID from the drop-down list and enter the ID of the instance to find the IP address and port of the instance that you added to WAF. You need this address and port when you configure the CDN origin server in Step 2.
Step 2: Enable WAF protection for a domain name that is added to Alibaba Cloud CDN
Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
Find the domain name for which you want to enable WAF protection and click Manage in the Actions column.
In the left-side navigation pane of the page that appears, click Basics. In the Origin Information section, click Add Origin Server. In the Add Origin Server dialog box, configure the following parameters and click OK.
Origin Info: Point the origin at WAF, not at the origin server itself. In CNAME record mode, enter the CNAME that WAF assigned to the domain name (copied in Step 1). In transparent proxy mode, enter the IP address and port of the instance that you added to WAF (found in Step 1).
Priority: Specify the priority of the origin server. A primary origin server has a higher priority than a secondary origin server.
Weight: Specify the weight of the origin server. If multiple origin servers have the same priority, Alibaba Cloud CDN forwards requests to the origin servers based on the weights.
Port: Specify the port of the origin server that processes requests.
In the left-side navigation pane of the Domain Names page, click Back-to-origin. On the Configurations tab, verify that Default Origin Host is disabled. With this setting disabled, CDN keeps the accelerated domain name as the Host header of back-to-origin requests, and WAF uses that Host header to match the request to the domain name that you added in Step 1.
Modify the Domain Name System (DNS) record to map the domain name to the CNAME that is assigned by Alibaba Cloud CDN. For more information, see Add a CNAME record for a domain name.
After you complete the configurations, client traffic first reaches Alibaba Cloud CDN. Requests that CDN cannot serve from its cache, including dynamic content and cache misses, are forwarded to WAF, which detects and blocks attacks before the requests reach the origin server. Responses served from the CDN cache do not pass through WAF, so WAF protection applies to back-to-origin traffic only.
If you want to forward traffic that is sent to Domain Name B to Domain Name A that is added to WAF, log on to the Alibaba Cloud DNS console and add a URL forwarding record to forward requests that are sent to Domain Name B to Domain Name A. For more information, see the "Add an explicit or implicit URL forwarding record" section in the Add a DNS record topic.
After you complete the preceding configurations, you can perform the following operations to check whether the domain name is protected by WAF:
Enter the domain name in the browser. If the website can be accessed, the CDN, WAF, and origin server are chained correctly. Reachability alone does not prove that WAF inspects the traffic.
Append a test payload to the domain name, such as <Protected domain name>/alert(xss), and open it in the browser. If a 405 error page appears, the request was blocked and the domain name is protected by WAF. Add a fresh query string to the test URL so that the request misses the CDN cache and actually reaches WAF, and run the test from a client IP address that is not whitelisted in WAF.
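The verification above as a repeatable probe, added here as an example that is not part of the Alibaba Cloud page: it sends a benign request and a request carrying the page's alert(xss) payload, each with a unique query string so that the request misses the CDN cache and traverses WAF, and classifies the pair of status codes. The 405 block status comes from the page; the domain name, scheme, and timeout are assumptions supplied by the caller.

```python
"""Probe a domain name behind CDN + WAF (added example)."""
import sys
import urllib.error
import urllib.request
import uuid

TEST_PAYLOAD = "alert(xss)"   # the test string the page uses
WAF_BLOCK_STATUS = 405        # WAF's default block page, per the page


def build_probe_url(domain: str, path: str = "", scheme: str = "https") -> str:
    """A unique query string forces a CDN cache miss, so the request
    goes back to origin through WAF instead of being answered from cache."""
    token = uuid.uuid4().hex
    return f"{scheme}://{domain}/{path}?waf_probe={token}"


def classify(benign_status: int, attack_status: int) -> str:
    """Interpret the two status codes.

    protected:    benign request served, payload request got the 405 block page
    all_blocked:  even the benign request is blocked (source IP blacklisted,
                  or an overly strict rule); fix before trusting the result
    unprotected:  the payload request succeeded, so WAF is not in the path
                  or the rule is off
    inconclusive: anything else (origin error, other proxy blocking, ...)
    """
    if attack_status == WAF_BLOCK_STATUS and 200 <= benign_status < 400:
        return "protected"
    if attack_status == WAF_BLOCK_STATUS and benign_status == WAF_BLOCK_STATUS:
        return "all_blocked"
    if attack_status < 400:
        return "unprotected"
    return "inconclusive"


def fetch_status(url: str, timeout: float = 10.0) -> int:
    """Return the HTTP status; HTTPError carries the status for 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-chain-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(domain: str, path: str = "") -> str:
    benign = fetch_status(build_probe_url(domain, path))
    attack = fetch_status(build_probe_url(domain, TEST_PAYLOAD))
    return classify(benign, attack)


if __name__ == "__main__":
    # Usage: python probe.py www.example.com   (domain is an assumption)
    print(probe(sys.argv[1]))
```

Run the probe from a client IP address that is not on a WAF whitelist; an "all_blocked" result usually means the probing address itself is blacklisted, and "inconclusive" with a 404 benign status means the site has no content at the root path, in which case pass a real path.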
Other operations
If you want to enable WAF protection for a domain name for which Dynamic Route for CDN (DCDN) is enabled, you can enable WAF in the DCDN console. Then, you can use WAF to protect your web services on DCDN nodes. For more information, see Getting started with WAF (new edition).
References
Add a domain name to WAF: adds a domain name to WAF in CNAME record mode.
Transparent proxy mode: adds a domain name to WAF in transparent proxy mode.
Add a domain name: adds a domain name to Alibaba Cloud CDN.