If a custom domain name is bound to a web application in Function Compute, you can enable Web Application Firewall (WAF) protection for the custom domain name in the Function Compute console. This way, web traffic is forwarded to WAF. This topic describes how to enable WAF protection for a custom domain name bound to a web application in Function Compute.
Background information
Function Compute is an event-driven computing service that uses a serverless architecture. Function Compute allows you to write and upload code without the need to manage infrastructure resources. You can use Function Compute to create applications and services in an efficient manner. For more information, see What is Function Compute?
The protection capabilities of WAF are integrated into Function Compute as an SDK module. You can enable WAF protection for custom domain names that are bound to web applications in Function Compute. WAF identifies, scrubs, and filters out malicious web traffic, and then forwards normal traffic to the backend function.
Limits
You can add web services to WAF in cloud native mode only if your web services use the following Alibaba Cloud services: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, Serverless App Engine (SAE), Classic Load Balancer (CLB), and Elastic Compute Service (ECS). If your web services do not use the preceding services, you can add the domain name of your website to WAF in CNAME record mode. For more information, see Add a domain name to WAF.
The custom domain name for which you want to enable WAF protection must be in one of the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), and China (Shenzhen).
You cannot enable the following protection modules for custom domain names that are added to WAF: website tamper-proofing, data leakage prevention, bot management, and API security.
Prerequisites
A WAF 3.0 instance that is deployed in the Chinese mainland is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
If you use a subscription WAF instance, make sure that the number of protected objects that you add to WAF does not exceed the upper limit. If the number of protected objects that you add to WAF exceeds the upper limit, you can no longer add cloud service instances to WAF.
To view the number of protected objects that you can add to WAF, go to the Protected Objects page.
Procedure
You can enable WAF protection during or after creating a custom domain name for your web application.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group to which the WAF instance that you want to manage belongs, and then select Chinese Mainland for the region of the WAF instance.
In the left-side navigation pane, click Website Configuration.
On the Cloud Native tab, click FC in the left-side product type list. Then, click Add.
Click Authorize Now to authorize your WAF instance to access Function Compute.
Alibaba Cloud automatically creates the AliyunServiceRoleForWAF service-linked role. To view the service-linked role, log on to the Resource Access Management (RAM) console and choose in the left-side navigation pane.
Note: If you already authorized WAF to access Function Compute, skip this step.
Then, you are redirected to the Function Compute console.
On the Custom Domains page in the Function Compute console, enable WAF protection for custom domain names.
Create a custom domain name and enable WAF protection for the domain name
In the top navigation bar, select China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), or China (Shenzhen) and click Add Custom Domain Name.
On the Add Custom Domain Name page, configure the parameters and click Create. The following table describes the parameters.
Parameter
Description
Domain Name
Enter the custom domain name that obtained the Internet Content Provider (ICP) filing in the Alibaba Cloud ICP Filing system or the custom domain name whose ICP filing information includes Alibaba Cloud as a service provider. Single domain names are supported. Example: www.aliyun.com. Wildcard domain names are also supported. Example: *.aliyun.com.
HTTPS
Select Enable or Disable to allow or deny access to the custom domain name over HTTPS.
Enable: allows access to the custom domain name over HTTPS. If you select this option, users can access the custom domain name over HTTP or HTTPS.
After you enable HTTPS, upload an Alibaba Cloud SSL certificate that is bound to the custom domain name.
Alibaba Cloud SSL Certificate: Select an Alibaba Cloud SSL certificate from the Certificate Name drop-down list. If the Certificate Name drop-down list is empty, you did not purchase an Alibaba Cloud SSL certificate. Log on to the Certificate Management Service console to purchase an Alibaba Cloud SSL certificate. For more information, see Purchase an SSL certificate.
Manual Upload: Configure the Certificate Name, PEM Certificate Content, and PEM Certificate Key parameters.
Note: The certificate that you want to upload cannot exceed 20 KB in size. The certificate key cannot exceed 4 KB in size.
You can configure the following parameters based on your business requirements:
Disable: denies access to the custom domain name over HTTPS.
CDN Acceleration
Specify whether to enable or disable CDN acceleration for the custom domain name. For more information, see (Optional) Step 4: Enable CDN acceleration.
Web Application Firewall (WAF)
Specify whether to enable or disable WAF protection for the custom domain name. After you enable WAF protection for the custom domain name, WAF detects malicious traffic that is sent to the domain name and forwards normal traffic to the backend function to prevent intrusions.
Route
Configure the mapping between paths and functions to access the functions in a more efficient manner. Configure the following fields:
Path: the path from which a request can trigger the specified function in the specified service. For example, you created the custom domain name example.com and specified /a as the path to access a function. The function can be triggered if the request Uniform Resource Identifier (URI) is example.com/a.
Service Name: the name of the service to which the specified function belongs.
Function Name: the name of the specified function.
Version or Alias: the version or alias of the specified function.
Rewrite Policy: the rule based on which the URI of a request in a specified path is rewritten. For more information, see Configure rewrite policies.
You can configure multiple routes. For more information, see Routing rules.
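A local pre-flight check for the Manual Upload option in the HTTPS row above, as an added example that is not part of the Alibaba Cloud documentation or any Alibaba Cloud SDK. The function names are hypothetical, "KB" is assumed to mean 1024 bytes, and the check covers only the size limits and PEM framing, not chain validity or whether the key matches the certificate.

```python
import base64
import binascii
import re

# Limits stated on this page; "KB" is assumed here to mean 1024 bytes.
MAX_CERT_BYTES = 20 * 1024
MAX_KEY_BYTES = 4 * 1024
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, der_bytes)] for each well-formed PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            raise ValueError(f"{label} block is not valid base64")
        blocks.append((label, der))
    return blocks


def preflight(cert_pem, key_pem):
    """Return a list of problems; an empty list means the pair passes."""
    problems = []
    if len(cert_pem.encode()) > MAX_CERT_BYTES:
        problems.append("certificate exceeds 20 KB")
    if len(key_pem.encode()) > MAX_KEY_BYTES:
        problems.append("certificate key exceeds 4 KB")
    try:
        certs, keys = pem_blocks(cert_pem), pem_blocks(key_pem)
    except ValueError as exc:
        return problems + [str(exc)]
    if not certs or any(label != "CERTIFICATE" for label, _ in certs):
        problems.append("certificate field must hold only CERTIFICATE blocks")
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        problems.append("key field must hold exactly one private key block")
    return problems


def make_pem(label, payload):
    """Wrap arbitrary bytes in PEM armor (constructed sample, not a real cert)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"
```

Running `preflight()` on the two PEM strings before pasting them into the console catches a certificate and key pasted into each other's fields, which otherwise sends private key material into a field that is not treated as secret.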
Add a custom domain name to WAF
In the top navigation bar, select a region for the custom domain name. Find the custom domain name for which you want to enable WAF protection and click Modify in the Actions column.
On the Modify Custom Domain Name page, set the Web Application Firewall (WAF) parameter to Enable and click Save.
After you add a custom domain name to WAF, the custom domain name becomes a protected object of WAF. The protected object name of the custom domain name is in the following format: Domain name-fc. Basic protection rules are automatically enabled for the custom domain name. You can configure protection rules for the custom domain name on the Protected Objects page. To go to the Protected Objects page, click the custom domain name that you added to WAF on the Cloud Native tab of the Website Configuration page. For more information, see Protection configuration overview.