Web Application Firewall：Add a domain name to WAF in CNAME record mode

How WAF protection works

After you add the domain name of a website to WAF in CNAME record mode, all the website traffic is redirected to WAF for inspection. WAF filters out malicious traffic and forwards normal traffic to the origin server. This ensures the service and data security of the website. In this case, WAF inspects and forwards traffic as a reverse proxy cluster.

Prerequisites

• A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

• If the domain name of your website is hosted on a server in the Chinese Mainland, make sure that an ICP filing is complete for the domain name and the ICP filing information is valid when your website is protected by WAF.

  Note

  WAF instances that are deployed in the Chinese Mainland regularly check whether the ICP filing information of your domain names is valid. If the ICP filing information of a domain name becomes invalid, WAF manages the domain name based on relevant laws and regulations. For example, WAF may stop forwarding requests for the domain name or delete the configurations of the domain name.

  • If your website is hosted on Alibaba Cloud, you can apply for an ICP filing for your domain name by using the Alibaba Cloud ICP Filing system. For more information, see Scenarios.

  • If your website is not deployed on Alibaba Cloud, you can contact Alibaba Cloud or another cloud service provider to apply for an ICP filing.

Procedure

1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

2. In the left-side navigation pane, click Website Configuration.

3. On the CNAME Record tab, click Add.

4. In the Configure Listener step, configure the parameters and click Next. The following table describes the parameters.

   Parameter	Description
   Domain Name	Enter the domain name that you want to protect. You can enter an exact-match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. You can enter only one domain name. The first time you add a domain name to WAF, you must verify your ownership of the domain name. You can add the domain name to WAF only after your ownership passes the verification. For more information, see Verify the ownership of a domain name. Note You can use a wildcard domain name to cover all subdomains that are at the same level as the wildcard domain name. For example, *.aliyundoc.com can cover www.aliyundoc.com and example.aliyundoc.com but *.aliyundoc.com cannot cover www.example.aliyundoc.com. A second-level wildcard domain name can cover its second-level parent domain name. For example, *.aliyundoc.com can cover aliyundoc.com. A third-level wildcard domain name cannot cover its third-level parent domain name. For example, *.example.aliyundoc.com cannot cover example.aliyundoc.com. If you add an exact-match domain name and a wildcard domain name that covers the exact-match domain name, the protection rules that are configured for the exact-match domain name take precedence.
   Protocol Type	Select the protocol type and ports that are used by the website. Press the Enter key each time you enter a port number. Note The port number that you enter must be supported by WAF. To view the HTTP and HTTPS ports that are supported by WAF, click View Port Range. For more information, see View supported ports. If you select HTTPS, configure the HTTPSUpload Type parameter to specify the method that you want to use to upload an SSL certificate. Then, upload the SSL certificate bound to the domain name to WAF. This way, WAF can monitor the HTTPS traffic of the website. Specify the method that you want to use to upload an SSL certificate. Note WAF (version_share_vm) does not support HTTPS. Manual Upload Select Manual Upload and configure the Certificate Name, Certificate File, and Private Key parameters. The value of the Certificate File parameter must be in the -----BEGIN CERTIFICATE-----......-----END CERTIFICATE----- format, and the value of the Private Key parameter must be in the -----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY----- format. Important If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the file and copy the text content. If the certificate file is in a format other than the preceding formats, such as PFX or P7B, you must convert the file into the PEM format and use a text editor to open the file and copy the text content. You can log on to the Certificate Management Service console and use the provided tool to convert the file format. For more information, see Convert the format of a certificate. If a domain name is bound to multiple SSL certificates or a certificate chain, you must combine the text content of the certificate files and upload the combined content to WAF. Select Existing Certificate If your certificate meets one of the following conditions, you can select the certificate that you want to upload to WAF from the certificate list: The certificate is issued by Alibaba Cloud Certificate Management Service (Original SSL Certificate). The certificate is a third-party certificate that is uploaded to Certificate Management Service. Important If you select a third-party certificate that is uploaded to Certificate Management Service and the Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected. error message appears, click Alibaba Cloud Security - Certificate Management Service and re-upload the certificate in the Certificate Management Service console. For more information, see Upload and share an SSL certificate. Purchase Certificate Select Purchase Certificate and click Apply. In the Certificate Management Service console, apply for a certificate for the domain name. Note You can apply for only a paid domain validated (DV) certificate. If you want to apply for a different type of certificate, you must purchase a certificate from Certificate Management Service. For more information, see Purchase SSL certificates. After you configure a certificate for your domain name in the Certificate Management Service console, the certificate is automatically uploaded to WAF. If you select HTTPS and upload a certificate, you can perform the following operations based on your business requirements: If your website supports HTTP/2, select HTTP2 to protect HTTP/2 requests. Note The HTTP/2 ports are the same as the HTTPS ports. Advanced Settings Enable HTTPS Routing By default, this feature is disabled. If you enable this feature, HTTP requests are automatically redirected to HTTPS requests on port 443. This feature improves security. After this feature is enabled, HTTP Strict Transport Security (HSTS) is enabled by default and the Strict-Transport-Security header is included in responses to ensure that your website can be accessed only by using HTTPS. Important You can enable this feature only if you do not select HTTP. TLS Version Specify the versions of the Transport Layer Security (TLS) protocol that are supported for HTTPS communication. If a client uses an unsupported TLS version, WAF blocks requests that are sent from the client. Later versions of the TLS protocol provide higher security but lower compatibility. We recommend that you specify the TLS versions based on the HTTPS settings of your website. If you cannot obtain the HTTPS settings of your website, we recommend that you use the default value. Valid values: TLS 1.0 and Later (Best Compatibility and Low Security) (default) TLS 1.1 and Later (High Compatibility and High Security) If you select this value, a client that uses TLS 1.0 cannot access your website. TLS 1.2 and Later (High Compatibility and Best Security) If you select this value, a client that uses TLS 1.0 or 1.1 cannot access your website. If your website supports TLS 1.3, select Support TLS 1.3. By default, WAF does not listen for requests that are sent by using TLS 1.3. HTTPSCipher Suite Specify the cipher suites that are supported for HTTPS communication. If a client uses cipher suites that are not supported, WAF blocks the requests from the client. Default value: All Cipher Suites (High Compatibility and Low Security). We recommend that you set this parameter to a different value only if your website supports only specific cipher suites. Valid values: All Cipher Suites (High Compatibility and Low Security). Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.): If your website supports only specific cipher suites, we recommend that you select this value and then select the cipher suites that are supported by your website. For more information, see View supported cipher suites. Clients that use other cipher suites cannot access your website.
   Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF	Specify whether a Layer 7 proxy, such as Anti-DDoS Proxy or Alibaba Cloud CDN, is deployed in front of WAF. Valid values: No (default): No Layer 7 proxy is deployed in front of WAF. WAF receives requests from clients. The requests are not forwarded by a proxy. WAF uses the IP address that is used by a client to establish a connection to WAF as the IP address of the client. WAF obtains the IP address based on the value of the REMOTE_ADDR field. Yes: A Layer 7 proxy is deployed in front of WAF. WAF receives requests from a Layer 7 proxy. To ensure that WAF can obtain the actual IP address of a client for security analysis, you must configure the Obtain Actual IP Address of Client parameter. Valid values: Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client (default) By default, WAF uses the first IP address in the X-Forwarded-For field as the originating IP address of a client. [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery If you use a proxy that contains the originating IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, enter the custom header field in the Header Field field. Note We recommend that you use custom header fields to store the originating IP addresses of clients and specify the header fields in WAF. This way, attackers cannot forge the X-Forwarded-For field to bypass WAF inspection. This improves the security of your business. You can enter multiple header fields. Press the Enter key each time you enter a header field. If you enter multiple header fields, WAF scans the header fields in sequence until it obtains the IP address of the client. If WAF cannot obtain the IP address of a client from the header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.
   More Settings	IPv6 By default, WAF processes only IPv4 traffic. If your website supports IPv6, you can turn on IPv6 to enable WAF protection for IPv6 traffic. After you turn on IPv6, WAF assigns a WAF IP address to the domain name to process IPv6 traffic. This feature is available only for pay-as-you-go WAF instances and subscription WAF instances of the Enterprise and Ultimate editions in the Chinese Mainland. Exclusive IP Address By default, all domain names that are added to WAF are protected by using the same WAF IP address. If you turn on Exclusive IP Address, WAF assigns an exclusive IP address to monitor the requests of your domain name. A domain name that is protected by using an exclusive IP address can be accessed even if volumetric DDoS attacks occur on other domain names. For more information, see Exclusive IP addresses. If you want to use an exclusive IP address to protect your domain name, you can turn on Exclusive IP Address. Important You can turn on Exclusive IP Address for subscription WAF instances of the Pro, Enterprise, and Ultimate editions. You are charged for this feature. If you use a pay-as-you-go WAF instance, you are charged based on the number of exclusive IP addresses that you use. For more information, see Billing overview. Protection Resource Select the type of protection resources that you want to use. Valid values: Shared Cluster (default) Shared Cluster-based Intelligent Load Balancing After you enable shared cluster-based intelligent load balancing for a WAF instance, at least three protection nodes that are deployed in different regions are allocated to the WAF instance to support automatic disaster recovery. The WAF instance uses the intelligent Domain Name System (DNS) resolution capability and the least-time back-to-origin algorithm to minimize the latency of traffic that is sent from protection nodes to origin servers. For more information, see Use the intelligent load balancing feature. Important You can enable Shared Cluster-based Intelligent Load Balancing for subscription WAF instances of the Pro, Enterprise, and Ultimate editions. You are charged for this feature. To enable Shared Cluster-based Intelligent Load Balancing, click Upgrade Now in the Protected Assets section of the Overview page and set the Intelligent Load Balancing parameter to Enable. For more information, see Upgrade or downgrade a WAF instance. If you use a pay-as-you-go WAF instance, you are charged based on whether you enable Shared Cluster-based Intelligent Load Balancing. For more information, see Billing overview. After you enable Shared Cluster-based Intelligent Load Balancing, you cannot turn on IPv6 or Exclusive IP Address.
   Resource Group	Select the resource group to which you want to add the domain name from the drop-down list. If you do not select a resource group, the domain name is added to the default resource group. Note You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.

5. In the Configure Forwarding Rule step, configure the parameters and click Submit. The following table describes the parameters.

   Parameter	Description
   Load Balancing Algorithm	If you specify multiple origin server addresses, select the Load Balancing Algorithm that you want WAF to use to forward back-to-origin requests to the origin servers. Valid values: IP hash (default) Requests that are sent from a specific IP address are forwarded to the same origin server. Round-robin Requests are distributed to origin servers in turn. Least time WAF uses the intelligent DNS resolution capability and the least-time back-to-origin algorithm to minimize the path and latency when requests are forwarded to origin servers. Important You can set the Load Balancing Algorithm parameter to Least time only if you set the Protection Resource parameter to Shared Cluster-based Intelligent Load Balancing in the Configure Listener step. For more information, see the description of the Protection Resource parameter in this topic.
   Origin Server Address	Specify the public IP address or domain name of the origin server. The IP address or domain name is used to receive the back-to-origin requests that are forwarded by WAF. Valid values: IP Make sure that the IP address can be accessed over the Internet. You can enter up to 20 IP addresses. Press the Enter key each time you enter an IP address. Note If you enter multiple IP addresses, WAF distributes workloads across the IP addresses to achieve load balancing. You can enter both IPv4 and IPv6 addresses, only IPv4 addresses, or only IPv6 addresses. If you enter both IPv4 and IPv6 addresses, WAF forwards requests from IPv4 addresses to origin servers that use IPv4 addresses and requests from IPv6 addresses to origin servers that use IPv6 addresses. Important If you want to enter IPv6 addresses, turn on IPv6 in the Configure Listener step. For more information, see the description of the IPv6 parameter in this topic. Domain Name (Such as CNAME) If you set the Origin Server Address parameter to Domain Name (Such as CNAME), the domain name can be resolved only to an IPv4 address and WAF forwards back-to-origin requests to the IPv4 address.
   Advanced HTTPS Settings	Enable HTTP Routing If you turn on Enable HTTP Routing, WAF forwards requests over HTTP. The default port is 80. After you turn on Enable HTTP Routing, WAF forwards requests to the origin server on port 80, regardless of whether the client accesses WAF on port 80 or port 443. All requests can be forwarded to the origin server over HTTP, and you do not need to modify the settings of the origin server. This reduces the impact of traffic on the performance of the website. Important If your website does not support HTTPS, turn on Enable HTTP Routing. Origin SNI Specify the domain name to which an HTTPS connection must be established at the start of the Transport Layer Security (TLS) handshake process when WAF forwards requests to the origin server. If the origin server hosts multiple domain names, you must select Origin SNI. After you select Origin SNI, you can configure a Server Name Indication (SNI) field. Valid values: Use Domain Name in Host Header (default) The value of the SNI field in WAF back-to-origin requests is the same as the value of the Host header field. For example, if the domain name that you configure is *.aliyundoc.com and the client requests the www.aliyundoc.com domain name in the Host header field, the value of the SNI field in WAF back-to-origin requests is www.aliyundoc.com. Custom You can enter a custom value for the SNI field in WAF back-to-origin requests. In most cases, you do not need to specify a custom value for the SNI field. However, if you want WAF to use an SNI field whose value is different from the value of the Host header field in back-to-origin requests, you can specify a custom value for the SNI field.
   Other Advanced Settings	Obtain the listening protocol of WAF by using the X-Forwarded-Proto header field The X-Forwarded-Proto header field is automatically added to HTTP requests. The X-Forwarded-Proto header field is used to identify the original protocol used by the client. If your website cannot correctly handle the X-Forwarded-Proto header field, compatibility issues may occur and your business may be affected. To prevent such issues, clear Obtain the listening protocol of WAF by using the X-Forwarded-Proto header field. Enable Traffic Mark If you select Enable Traffic Mark, requests that pass through WAF are marked. This helps origin servers obtain the originating IP addresses or ports of clients. If an attacker obtains information about your origin server before you add your domain name to WAF and uses another WAF instance to forward requests to the origin server, you can select Enable Traffic Mark to intercept malicious traffic. The origin server checks whether the requests passed through WAF. If the specified header fields exist in a request, the request passed through WAF and is allowed. If the specified header fields do not exist in a request, the request did not pass through WAF and is blocked. You can configure the following types of header fields: Custom Header If you want to add a custom header field, you must configure the Header Name and Header Value parameters. WAF adds the header field to the back-to-origin requests. This allows the origin server to check whether requests passed through WAF, collect statistics, and analyze data. For example, you can add the ALIWAF-TAG: Yes custom header field to mark the requests that pass through WAF. In this example, the name of the header field is ALIWAF-TAG and the value of the header field is Yes. Originating IP Address You can specify a header field that records the originating IP addresses of clients. This way, your origin server can obtain the originating IP addresses of clients. For more information about how WAF obtains the originating IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter in this topic. Source Port You can specify a header field that records the originating ports of clients. This way, your origin server can obtain the ports of clients. Important We recommend that you do not configure a standard HTTP header field, such as User-Agent. Otherwise, the original value of the standard header field is overwritten by the value of the custom header field. You can click Add Mark to add a header field. You can specify up to five header fields. Specify the timeout periods for back-to-origin requests Connection Timeout Period: the maximum amount of time that WAF can wait to connect to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 5. Read Connection Timeout Period: the maximum amount of time that WAF can wait to receive a response from the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120. Write Connection Timeout Period: the maximum amount of time that WAF can wait to forward a request to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120. Retry Back-to-origin Requests After you turn on Retry Back-to-origin Requests, WAF retries up to three times when it fails to forward requests to the origin server. If you do not turn on Retry Back-to-origin Requests, WAF does not retry forwarding requests if it fails the first time. Back-to-origin Keep-alive Requests If you turn on Back-to-origin Keep-alive Requests, you must configure the following parameters: Reused Keep-alive Requests: the number of reused keep-alive requests. Valid values: 60 to 1000. Default value: 1000. Timeout Period of Idle Keep-alive Requests: the timeout period for idle keep-alive requests. Valid values: 1 to 60. Unit: seconds. Default value: 15. Note If you turn off Back-to-origin Keep-alive Requests, back-to-origin keep-alive requests do not support WebSocket.

6. In the Add Completed step, obtain the CNAME assigned to the domain name. Modify the DNS record to point the domain name to the CNAME that is provided by WAF. For more information, see Modify the DNS record of a domain name.

   Important

   Before you modify the DNS record, make sure that the following conditions are met:

   • The forwarding configurations for your website are correct and have taken effect. If you modify the DNS record before the forwarding configurations for your website take effect, service interruptions may occur. For more information, see Verify domain name settings.

   • The back-to-origin CIDR blocks of WAF are added to the IP address whitelist of the third-party firewall used by the origin server on which the domain name is hosted. This prevents normal requests that are forwarded by WAF from being blocked. On the CNAME Record tab, you can click Back-to-origin CIDR Blocks above the domain name list to view and copy the back-to-origin CIDR blocks of WAF. For more information, see Allow access from back-to-origin CIDR blocks of WAF.

   

   After you complete the preceding configurations, you can perform the following operations to check whether the domain name is protected by WAF:

   • Enter the domain name in your browser. If you can access the website, the domain name is protected by WAF.

   • Enter the domain name and malicious code such as <Protected domain name>/alert(xss) and alert(xss). If a 405 error page appears, the attack is blocked and the domain name is protected by WAF.

More operations

View the DNS resolution status of a domain name

WAF checks the DNS resolution status of protected domain names and identifies domain names whose DNS records are abnormal. You can view the DNS resolution status of the domain names that you added to WAF in the domain name list and modify the DNS records based on the error messages that are displayed in the WAF console.

Add tags to or remove tags from domain names

You can add tags to domain names that are added to WAF and search for specific domain names by tag.

• Add tags to or remove tags from a domain name

  1. Find the domain name whose tags you want to manage and move the pointer over the icon in the Tag column. If no tags are added to the domain name, click Add. If a tag is added to the domain name, click Edit.

  2. In the Edit Tag dialog box, configure the Tag Key and Tag Value parameters.

     Note

     • You can add up to 20 tag keys below the Tag Key parameter and leave the Tag Value parameter empty.

     • When you specify a value for the Tag Key or Tag Value parameter, make sure that the value is 1 to 128 characters in length, does not contain http:// or https://, and does not start with acs: or aliyun.

     • You can add tags on the Website Configuration page when you add domain names to WAF or on the Protected Objects page when you configure protection rules for protected objects. The latest tag settings are synchronized between the two pages. The tags that are added to a domain name are automatically added to the domain name-related protected object.

     After you add tags to the domain name, you can select the tags from the Select Label drop-down list to search for the domain name.

  3. Optional. If you no longer need a tag, find the domain name, open the Edit Tag dialog box, and then click the icon to the right of the tag. Then, the tag is removed from the domain name.

• Add tags to or remove tags from multiple domain names at a time

  Select the domain names whose tags you want to manage and click Add Tag or Remove Tag below the domain name list.

Modify or remove a domain name that is added to WAF

Find the domain name that you want to manage and click Edit or Delete in the Actions column.

Configure default SSL or TLS settings

If you add multiple domain names to the same WAF instance, a shared WAF virtual IP address (VIP) is used to monitor the traffic of the domain names.

To meet the security compliance and compatibility requirements of HTTPS in different scenarios, WAF allows you to configure SSL or TLS settings for IPv4 VIPs. Before you perform compliance scan and detection, you can upload an HTTPS certificate for the VIP and disable or enable specific TLS protocol versions and cipher suites.

1. Click Default SSL/TLS Settings above the domain name list.

2. In the Default SSL/TLS Settings dialog box, configure the parameters and click OK. The following table describes the parameters.

   Parameter	Description
   HTTPSUpload Type	Specify the method used to upload the SSL certificate. For more information, see the HTTPSUpload Type parameter in this topic.
   TLS Version	Specify the TLS protocol versions that are supported for HTTPS communication. Valid values: TLS 1.0 and Later (Best Compatibility and Low Security) (default) TLS 1.1 and Later (High Compatibility and High Security) TLS 1.2 and Later (High Compatibility and Best Security) If you want to enable TLS 1.3, select Support TLS 1.3.
   HTTPSCipher Suite	Specify the cipher suites that are supported for HTTPS communication. Valid values: All Cipher Suites (High Compatibility and Low Security) (default) Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.) For more information about custom cipher suites, see View supported cipher suites.

Update the SSL certificate bound to a domain name

If the SSL certificate that is bound to a domain name is about to expire or the certificate is changed, such as when the certificate is revoked, you must update the certificate.

To update an SSL certificate that is bound to a domain name, perform the following steps:

1. Renew the certificate or upload a third-party certificate to Certificate Management Service. For more information, see Certificate renewal or Upload and share an SSL certificate.

2. Synchronize the certificate to WAF.

   • In the Certificate Management Service console, deploy the certificate to WAF. For more information, see Deploy certificates to Alibaba Cloud services.

   • Upload the certificate in the WAF console.

     1. On the CNAME Record tab of the Website Configuration page, find the domain name whose certificate you want to update and click Edit in the Actions column.

     2. Set the HTTPSUpload Type parameter to Select Existing Certificate and select the new certificate.

What to do next

References

• For more information about protected objects, protection rules, and protection processes, see Protection configuration overview.

• For more information about how to add a domain name to WAF by calling an API operation, see CreateDomain.

• For more information about how to query the details of a domain name that is added to WAF in CNAME record mode, see DescribeDomainDetail.