Introduction to the hybrid cloud mode and how to add web services to WAF in hybrid cloud mode - Web Application Firewall

The hybrid cloud mode is a web application protection and management solution provided by Alibaba Cloud to protect web services that are deployed outside Alibaba Cloud. If your web services are deployed on third-party clouds, private clouds, or data centers, you can add your web services to Web Application Firewall (WAF) in hybrid cloud mode. This way, you can manage and protect your web services in a centralized manner. This topic describes the hybrid cloud mode and how to add web services to WAF in this mode.

Introduction

The hybrid cloud mode uses the protection components of Alibaba Cloud to protect web applications that are deployed on third-party clouds and data centers.

Scenarios

The web services that you want to protect have special security requirements and cannot be migrated to a public cloud.
Your web services are deployed across Alibaba Cloud, third-party clouds, data centers, and virtual private clouds (VPCs), and you want to protect them in a centralized manner.
The web services that you want to protect are latency-sensitive and require high reliability, active geo-redundancy, and centralized protection across multiple network environments.

Benefits

Assets that are deployed on clouds and data centers and protection policies can be managed in a centralized manner.
Web services can be protected by using the nearest protection nodes.
Protection rules and threat intelligence in clouds can be synchronized in real time.
Internet-facing services and internal-facing services can be protected.
Service traffic can be redirected at the unified access layer and detected in bypass mode. Manual bypass and automatic bypass are supported. This way, service traffic can be detected and the detection results can be returned even if the hybrid cloud cluster fails.

Access modes

Mode	Description	Scenario
Reverse proxy mode	If you want to add a website to WAF in reverse proxy mode, you must add the domain name or the IP address of the website to WAF and modify the Domain Name System (DNS) record to point the domain name or IP address of the website to the address of the hybrid cloud cluster. A hybrid cloud cluster detects all requests for websites that are added to WAF in reverse proxy mode.	The reverse proxy mode is designed to protect websites whose network architecture can be modified and that do not have high traffic. For example, the reverse proxy mode is suitable for the Internet, retail, public service sector, finance, and media industries.
SDK integration	In SDK integration mode, SDKs are deployed on a unified access gateway to allow WAF to detect service traffic by using traffic mirroring. This way, the hybrid cloud cluster does not forward traffic and traffic forwarding is separated from traffic detection.	The SDK integration mode is designed to protect websites that use an NGINX gateway, have high service traffic, requires low latency and high stability, and are managed by specialized O&M personnel. For example, the SDK integration mode is suitable for large Internet enterprises and users who have special requirements for traffic forwarding.

Limits

The website tamper-proofing feature is not supported for web services that are added to WAF in hybrid cloud mode.

Prerequisites

Before you add web services to WAF in hybrid cloud mode, join the DingTalk group 34657699 to obtain technical support.
A subscription WAF instance that runs the Enterprise or Ultimate edition is purchased. For more information, see Purchase a subscription WAF 3.0 instance.
Note
Only subscription WAF Enterprise Edition and Ultimate Edition instances support hybrid cloud mode.
All required resources are prepared. For more information, see Prepare cluster resources.
Note
A hybrid cloud cluster consists of management, storage, and protection components. To ensure cluster stability, we recommend that you separate the different types of components by deploying them on different nodes. If a component is deployed on multiple nodes, we recommend that you deploy a load balancer for the nodes.

Step 1: Install the WAF agent

WAF agent introduction

If you want to deploy hybrid cloud clusters, you must prepare on-premises servers. Before you deploy hybrid cloud clusters, you must install the WAF agent (vagent) on the on-premises servers that you want to use as protection nodes.

vagent provides the following capabilities:

Communicates with Alibaba Cloud WAF and pulls the installation and update images of Hybrid Cloud WAF.
Monitors and reports the status of hybrid cloud protection components to ensure the availability of WAF.
Synchronizes the configurations of WAF instances in real time, including forwarding configurations, protection rules, and threat intelligence.

To install vagent on Linux servers, you must run the rpm command. Only the following Linux distributions are supported: 64-bit AliOS 3.2104, 64-bit TencentOS 3.1, 64-bit CentOS 7, 64-bit Red Hat 7, and x86 Kylin 10. Make sure that the kernel version is 4.10 or later.

Note

CentOS 7 reached end of life. Alibaba Cloud no longer provides support for this distribution. Existing CentOS 7 users are not affected, but the related images are no longer updated.

If the operating system version of your server is not supported, join the DingTalk group 34657699 to obtain technical support.

Procedure

Log on to your on-premises server.
Obtain the latest version of vagent and download vagent to your on-premises server.
To obtain the latest version of vagent, join the DingTalk group 34657699 to obtain technical support.
Install vagent.
1. Run the following command to install vagent on your on-premises server:
```
sudo rpm -ivh t-yundun-vagent-xxxxxxx.xxxxx.rpm
```
  Note
  Before you run the command, replace xxxxxxx.xxxxx with the version number of vagent.
2. After the installation is complete, run the following command to view the version number of vagent. Make sure that you use the latest version of vagent.
```
rpm -qa|grep vagent
```

Modify the vagent configuration file.

After you install vagent, you must modify the vagent configuration file based on the access mode of Hybrid Cloud WAF to enable communication between vagent and Alibaba Cloud WAF. To modify the vagent configuration file, perform the following steps:

Run the following command to open the vagent configuration file:
```
sudo vi /home/admin/vagent/conf/vagent.toml
```

Press the i key to enter the insert mode, and modify or add the following settings:

domain="wafopenapi.cn-hangzhou.aliyuncs.com" // The endpoint of Hybrid Cloud WAF. For more information, see Table 1. 
access_key_id="yourAccessKeyId" // The AccessKey ID of your Alibaba Cloud account. 
access_key_secret="yourAccessKeySecret" // The AccessKey secret of your Alibaba Cloud account.

Table 1. Valid values of the domain parameter

WAF region	Cluster access mode	Valid value of the domain parameter
Chinese mainland	Internet access: The WAF console allows access from the hybrid cloud cluster only over the Internet.	`wafopenapi.cn-hangzhou.aliyuncs.com`
Chinese mainland	Internal network access by using Express Connect circuits: The WAF console allows access from the hybrid cloud cluster only over an Express Connect circuit. You can select this option only if you deployed Express Connect. Note Only VPCs that reside in the following regions are supported: China (Hangzhou), China (Shanghai), and China (Beijing). If your VPC resides in another region in the Chinese mainland, join the DingTalk group 34657699 to obtain technical support.	`wafopenapi.vpc-proxy.aliyuncs.com`
Outside the Chinese mainland	Internet access: The WAF console allows access from the hybrid cloud cluster only over the Internet.	`wafopenapi.ap-southeast-1.aliyuncs.com`
Outside the Chinese mainland	Internal network access by using Express Connect circuits: The WAF console allows access from the hybrid cloud cluster only over an Express Connect circuit. You can select this option only if you deployed Express Connect. Note If your VPC resides outside the Chinese mainland, join the DingTalk group 34657699 to obtain technical support.	`wafopenapi-intl.vpc-proxy.aliyuncs.com`

Press the Esc key to exit the insert mode.
Enter :wq and press the Enter key to save the configuration file and exit.

Start vagent.
1. Run the following command to start vagent:
```
sudo systemctl start vagent
```
2. Run the following command to configure automatic startup for vagent:
```
sudo systemctl enable vagent
```
  If the configuration is successful, the system displays the following information:
```
Created symlink from /etc/systemd/system/multi-user.target.wants/vagent.service 
to /usr/lib/systemd/system/vagent.service.
```
If vagent fails to start, you can use one of the following methods to query the logs of vagent for troubleshooting:
- Run the following command to use the systemd tool to query the logs of vagent:
```
sudo journalctl -u vagent
```
- Run the following command to use the vagent log file to query the logs of vagent:
```
tail /home/admin/vagent/logs/vagent.log
```
View the status of vagent or stop vagent:
- Run the following command to stop vagent:
  sudo systemctl stop vagent
- Run the following command to view the status of vagent:
  sudo systemctl status vagent
Check whether vagent is installed.
In a Linux operating system, run the following command to check whether vagent is installed:
```
ps aux | grep AliYunDunWaf
```
- If the AliYunDunWaf process appears in the command output, vagent is installed and running on the on-premises server and can communicate with Alibaba Cloud WAF. Then, you can configure a cluster to add the server to the cluster as an on-premises protection node.
- If the AliYunDunWaf process does not appear in the command output, check whether you correctly performed the installation steps. Then, reinstall and restart vagent. If the reinstallation fails, join the DingTalk group 34657699 to obtain technical support.

Step 2: Deploy a hybrid cloud cluster

On the WAF buy page, enable multi-cloud or hybrid cloud protection and configure the Additional Protection Nodes parameter.
Note
- Only subscription WAF Enterprise Edition and Ultimate Edition instances support the hybrid cloud mode. Subscription WAF Basic Edition and Pro Edition instances and pay-as-you-go WAF instances do not support the hybrid cloud mode.
- Each protection cluster has at least two protection nodes. Each node provides protection for up to 5,000 queries per second (QPS) for HTTP requests or up to 3,000 QPS for HTTPS requests. To improve protection capabilities, we recommend that you specify the number of protection nodes based on the QPS of your web services that are protected by the hybrid cloud cluster.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Hybrid Clouds.
On the Hybrid Clouds page, click Add Cluster.

In the Basic Information step, configure the parameters and click Next. The following table describes the parameters.

Parameter	Description
Cluster Name	Specify a name for the hybrid cloud cluster.
Cluster Type	Select the type of hybrid cloud cluster that you want to create. Valid values: Reverse Proxy Mode: If you select this type, WAF is used as a reverse proxy cluster to forward and protect traffic. SDK Integration Mode: If you select this type, you must deploy SDKs on your unified access gateway to allow WAF to detect service traffic by using traffic mirroring. In this case, the hybrid cloud cluster does not forward traffic. If the hybrid cloud cluster is in an abnormal state, turn on Bypass State. After you turn on Bypass State, WAF enters the Bypass state and no longer protects traffic. Important After you create a hybrid cloud cluster, you cannot change the cluster type. Before you configure this parameter, we recommend that you confirm that the cluster type meets your business requirements.
Protection Nodes	Specify the number of protection nodes for the hybrid cloud cluster. Note The value of this parameter cannot be greater than the number of additional protection nodes that you purchased on the Web Application Firewall (Subscription) buy page.
Server Port	Specify the server ports for the hybrid cloud cluster. Make sure that the server ports include all ports that are used by the web services that you want to protect. When you associate web services with the hybrid cloud cluster, the ports you can select for the web services are limited to the ports that are specified for the cluster. By default, the following ports are enabled: 80, 8080, 443, and 8443. If you do not have special requirements, you do not need to modify the port settings. If you want to add other ports, specify the ports. Press the Enter key each time you enter a port number. Important You cannot specify the following ports: 22, 53, 9100, 4431, 4646, 8301, 6060, 8600, 56688, 15001, 4985, 4986, and 4987. You can click View the range of ports that are not supported to view the ports that you cannot specify. To ensure security, we recommend that you specify only the ports that are required for your web services.
Cluster Access Mode	Select the network access mode for the hybrid cloud cluster. Valid values: Internet: The WAF console allows access from the hybrid cloud cluster only over the Internet. Internal Network: The WAF console allows access from the hybrid cloud cluster only over an Express Connect circuit. Important You can select Internal Network only if you deployed Express Connect. For more information, see What is Express Connect?
Remarks	Specify a description for the hybrid cloud cluster.

In the Node Group Configuration step, click Add Node Group. In the Add Node Group dialog box, click Next.

Note

Before you add nodes to node groups, you must create multiple node groups in the hybrid cloud cluster. To prevent unbalanced service loads and single points of failure, you must configure a load balancer for each node group. If you do not have a load balancer, join the DingTalk group 34657699 to obtain technical support.

Parameter	Description
Node Group Name	Specify a name for the node group.
Server IP Address for Load Balancing	Specify the public IP address of the load balancer that is associated with the node group.
Node Group Type	Select the type of the node group. Valid values: Protection: a node group that consists of protection components. You can add multiple Protection node groups to a hybrid cloud cluster for disaster recovery. Management: a node group that consists of management components. You can add multiple Management node groups to a hybrid cloud cluster for disaster recovery. Storage: a node group that consists of storage components. You can add only one Storage node group to a hybrid cloud cluster. Management and Storage: a node group that consists of management components and storage components. You can add only one Management and Storage node group to a hybrid cloud cluster. You must add the node groups in sequence based on the method that you want to use. Method 1: Add at least three node groups Add one Storage node group, at least one Management node group, and at least one Protection node group. Method 2: Add at least two node groups Add one Management and Storage node group and at least one Protection node group.
Region	If you set the Node Group Type parameter to Protection, you must select a region for the node group. If you specify a different value for the Node Group Type parameter, you do not need to configure this parameter.
Remarks	Specify a description for the node group.

In the Initial Node Configuration step, click Add Node. Configure the parameters and click Save. The following table describes the parameters.

Parameter	Description
Server IP Address	Specify the public IP address of the on-premises server.
Node Name	Specify a name for the node.
Region	Select the region of the node.
Server Configuration	The system automatically displays the configurations of the on-premises server.
Protection Node Group	Select the node group to which you want to add the node. The number of nodes that can be added to the hybrid cloud cluster cannot exceed the number of nodes that you specified for the cluster. We recommend that you add at least two nodes to the Protection node group to allow WAF to perform online active-active disaster recovery.

After you create a hybrid cloud cluster, you can click Switch Cluster, select a cluster that you want to query, and then perform the following operations:

In the Basic Information section, view the basic information about the cluster. Click Edit to change the cluster name, number of protection nodes, service ports, or description.
Click Node Group Configuration to add or modify a node group. For more information, see Step 6.
Click Add Node to add a node. For more information, see Step 7.
View the node status of the hybrid cloud cluster.
- Node Status indicates whether the server runs as expected. The value Normal indicates that the server is running as expected. The value Stopped indicates that the server is shut down.
  If the server is shut down, the node cannot provide protection services. We recommend that you check the cause of the server shutdown and fix the issue at the earliest opportunity.
- Application Status indicates whether vagent runs as expected on a node. The value Normal indicates that vagent is running as expected. The value Stopped indicates that vagent stopped running.
  If vagent stops running, the node may be unable to provide protection services. We recommend that you log on to your on-premises server, check the installation status and running status of vagent, and fix the issue at the earliest opportunity. For more information, see Step 1: Install the WAF agent.

Important

We recommend that you do not delete the Resource Access Management (RAM) user or revoke the permissions of the RAM user that you used to deploy the hybrid cloud cluster. Otherwise, the node status check may fail. If you deleted the RAM user, join the DingTalk group 34657699 to obtain technical support.

Prepare cluster resources

You can select a deployment method based on your business requirements. The numbers of servers and load balancers that you must prepare vary based on the deployment method.

Protection scenario	Deployment method	Required resource	Description
Services that require high stability and powerful protection capabilities	Disaster recovery deployment for protection and management capabilities	Default protection capacity: 10,000 QPS for HTTP requests or 6,000 QPS for HTTPS requests. The following resources are required to provide the default protection capacity: (Recommended) Five servers and two load balancers. Beyond the default protection capacity: Add protection nodes based on your business requirements. Each cluster node can handle 5,000 QPS for HTTP requests or 3,000 QPS for HTTPS requests.	Storage component: one server. Management component: two or more servers and one load balancer. Protection component: two or more servers and one load balancer.
Services that require high stability	Disaster recovery deployment for protection capabilities	Default protection capacity: 10,000 QPS for HTTP requests or 6,000 QPS for HTTPS requests. The following resources are required to provide the default protection capacity: (Recommended) Three servers and one load balancer. Beyond the default protection capacity: Add protection nodes based on your business requirements. Each cluster node can handle 5,000 QPS for HTTP requests or 3,000 QPS for HTTPS requests.	Management and storage components: one server. Protection component: two or more servers and one load balancer.
Proof of concept (POC) tests for basic protection capabilities	Minimum cluster deployment	Default protection capacity: 10,000 QPS for HTTP requests or 6,000 QPS for HTTPS requests. The following resources are required to provide the default protection capacity: Two or more servers. Beyond the default protection capacity: Add protection nodes based on your business requirements. Each cluster node can handle 5,000 QPS for HTTP requests or 3,000 QPS for HTTPS requests.	Management and storage components: one server. Protection component: one or more servers.

Step 3: Add a website to WAF

Two methods for integrating WAF are provided: reverse proxy mode and SDK integration mode.

Reverse proxy mode

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
On the Hybrid Cloud tab, click Reverse Proxy and then click Add.

In the Configure Listener step of the Add Domain Name wizard, configure the parameters and click Next. The following table describes the parameters.

Parameter	Description
Domain Name/IP	Specify the domain name or IP address that you want to protect. Configure the parameters based on the following requirements: You can enter an exact-match domain name, such as `www.aliyundoc.com`, or a wildcard domain name, such as `.aliyundoc.com`. Note* If you enter a wildcard domain name, WAF does not match the parent domain name of the wildcard domain name. For example, if you enter `.aliyundoc.com`, WAF does not match `aliyundoc.com`. WAF does not match domain names at levels that are different from the level of the wildcard domain name. For example, if you enter `.aliyundoc.com`, WAF does not match `www.example.aliyundoc.com`. WAF automatically matches all domain names at the same level as the wildcard domain name. For example, if you enter `*.aliyundoc.com`, WAF matches subdomain names such as `www.aliyundoc.com` and `example.aliyundoc.com`. If you add an exact-match domain name and a wildcard domain name that covers the exact-match domain name, the protection rules that are configured for the exact-match domain name take precedence. You can enter an IP address. Example: 192.168.XX.XX.
Protocol Type	Specify the protocol type and ports that are used by the website. Select HTTP or HTTPS and specify the ports that you want to use to forward traffic. Press the Enter key each time you enter a port number. Note The ports that you specify must be within the port range supported by the hybrid cloud cluster. If the ports that you want to specify are outside the supported port range, change the port range of the hybrid cloud cluster. For more information, see Step 2: Deploy a hybrid cloud cluster. If you select HTTP, you do not need to configure the Upload Type parameter. If you select HTTPS, you must upload the associated SSL certificate to WAF to monitor and protect HTTPS traffic of the website. Upload Click Upload and configure the Certificate Name, Certificate File, and Private Key parameters. The value of the Certificate File parameter must be in the `-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----` format. The value of the Private Key parameter must be in the `-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----` format. Important If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the file and copy the text content. If the certificate file is in another format, such as PFX or P7B, you must convert the certificate file to the PEM format before you can use a text editor to open the certificate file and copy the text content. You can log on to the Certificate Management Service console and use the provided tool to convert the file format. For more information, see Convert the format of a certificate. If a domain name is associated with multiple SSL certificates or has a certificate chain, you can combine the text content of the certificate files and upload the combined text content. Select Existing Certificate If your certificate meets one of the following conditions, click Select Existing Certificate and select the certificate from the certificate list: The certificate is issued by using Certificate Management Service. The certificate is a third-party certificate that is uploaded to Certificate Management Service. Important If you select a third-party certificate that is uploaded to Certificate Management Service and the Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected. error message appears, click Alibaba Cloud Security - Certificate Management Service and re-upload the certificate in the Certificate Management Service console. For more information, see Upload and share an SSL certificate. Purchase Certificate Click Apply to go to the Purchase Certificate page of the Certificate Management Service console to apply for a certificate. You can apply for only a paid domain validated (DV) certificate. After you apply for a certificate, the certificate is automatically uploaded to WAF. Note In this case, you can apply only for a paid domain validated (DV) certificate. If you want to apply for other types of certificates, you must purchase the certificates by using Certificate Management Service. For more information, see Purchase an SSL certificate. After you select HTTPS and upload a certificate, you can perform the following operations based on your business requirements: HTTP2 Select HTTP2 to protect HTTP/2 requests if your website supports HTTP/2. Note The HTTP/2 ports are the same as the HTTPS ports. Advanced Settings Enable HTTPS Routing By default, this feature is disabled. If you enable this feature, HTTP requests are automatically redirected to HTTPS requests on port 443. This feature improves security. After this feature is enabled, HTTP Strict Transport Security (HSTS) is enabled by default and the Strict-Transport-Security header is included in responses to ensure that the website can be accessed only by using HTTPS. Important You can enable this feature only if you select HTTP. TLS Version Specify the versions of the Transport Layer Security (TLS) protocol that are supported for HTTPS communication. If a client uses an unsupported TLS version, WAF blocks requests that are sent from the client. Later versions of the TLS protocol provide higher security but lower compatibility. We recommend that you specify the TLS versions based on the HTTPS settings of your website. If you cannot obtain the HTTPS settings of your website, we recommend that you use the default value. Valid values: TLS 1.0 and Later (Best Compatibility and Low Security) (default) TLS 1.1 and Later (High Compatibility and High Security) If you select this value, a client that uses TLS 1.0 cannot access your website. TLS 1.2 and Later (High Compatibility and Best Security) If you select this value, a client that uses TLS 1.0 or 1.1 cannot access your website. If your website supports TLS 1.3, select Support TLS 1.3. By default, WAF does not listen for requests that are sent by using TLS 1.3. Cipher Suite Specify the cipher suites that are supported for HTTPS communication. If a client uses unsupported cipher suites, WAF blocks the requests that are sent from the client. The default value is All Cipher Suites (High Compatibility and Low Security). We recommend that you set this parameter to a different value only if your website supports specific cipher suites. Valid values: All Cipher Suites (High Compatibility and Low Security). Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.): If your website supports only specific cipher suites, we recommend that you select this value and then select the cipher suites that are supported by your website. For more information, see View supported cipher suites. Clients that use other cipher suites cannot access your website.
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF	Specify whether a Layer 7 proxy, such as Anti-DDoS Proxy or Alibaba Cloud CDN, is deployed in front of WAF. Valid values: Yes and No. No: No Layer 7 proxies are deployed in front of WAF. This value indicates that WAF directly receives requests from clients. The requests are not forwarded by a proxy. Note WAF uses the IP address that is used to establish connections to WAF as the IP address of a client. WAF obtains the IP address from the `REMOTE_ADDR` field of a request. Yes: A Layer 7 proxy is deployed in front of WAF. This value indicates that WAF receives requests from another Layer 7 proxy. To ensure that WAF can obtain the originating IP address of a client for security analysis, you must configure the Obtain Actual IP Address of Client parameter. Valid values: Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client (default) By default, WAF uses the first IP address in the `X-Forwarded-For` field as the IP address of a client. [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery If you use a proxy that contains the originating IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, enter the custom header field in the Header Field field. Note We recommend that you use custom header fields to store the originating IP addresses of clients and specify the header fields in WAF. This way, attackers cannot forge the X-Forwarded-For field to bypass WAF inspection. This improves the security of your business. You can enter multiple header fields. Press the Enter key each time you enter a header field. If you enter multiple header fields, WAF reads the header fields in sequence until it obtains the IP address of a client. If WAF cannot obtain the IP address of a client from the header fields, WAF uses the first IP address in the X-Forwarded-For field as the IP address of the client.
Resource Group	Select the resource group to which you want to add the domain name or IP address. If you do not select a resource group, the domain name or IP address is added to the default resource group. Note You can use Resource Management to create resource groups and manage resources within your Alibaba Cloud account by department or project. For more information, see Create a resource group.

In the Configure Forwarding Rule step, configure the parameters and click Submit. The following table describes the parameters.

Parameter	Description
Node Settings	Select a node group from the Protection Node Group drop-down list and add the origin server address to the node group. The origin server address is the IP address of the origin server of the website. The origin server address is used to receive the back-to-origin requests that are forwarded by WAF. Valid values: IP You can enter up to 20 origin IP addresses. Press the Enter key each time you enter an IP address. Note If you enter multiple origin IP addresses, WAF automatically distributes workloads across the origin IP addresses. You can enter IPv4 addresses, IPv6 addresses, or both IPv4 and IPv6 addresses. If you enter both IPv4 and IPv6 addresses, WAF forwards requests that are sent from IPv6 addresses to origin servers that use IPv6 addresses and requests that are sent from IPv4 addresses to origin servers that use IPv4 addresses. If you enter only IPv4 addresses, WAF forwards all requests to the origin server over IPv4. If you enter only IPv6 addresses, WAF forwards all requests to the origin server over IPv6. Domain Name (Such as CNAME) If you select Domain Name (Such as CNAME), the domain name can be resolved only to an IPv4 address. In this case, WAF forwards back-to-origin requests to the IPv4 address. If your website is deployed on multiple protection nodes, you can click + Add Protection Node to add the protection nodes to WAF.
Public Cloud Disaster Recovery	After you enable this feature, service traffic can be redirected to a public cloud cluster for disaster recovery. When the hybrid cloud cluster fails, the domain name is resolved to the CNAME provided by the public cloud cluster for disaster recovery. This way, traffic is redirected to the public cloud cluster and then forwarded to the origin server. If you enable this feature, you must configure the Origin Server Address parameter. The configuration requirements of the origin server address are the same as the requirements in the description of the Node Settings parameter. For more information, see Origin server address.
Load Balancing Algorithm	If multiple origin server addresses are specified, select the load balancing algorithm that WAF uses to forward back-to-origin requests to the origin servers. Valid values: IP hash (default) Requests that are sent from a specific IP address are forwarded to the same origin server. Round-robin Requests are distributed to origin servers in turn.
Advanced HTTPS Settings	Enable HTTP Routing If you turn on Enable HTTP Routing, WAF forwards requests over HTTP. The default port is 80. After you turn on Enable HTTP Routing, WAF forwards requests to the origin server on port 80, regardless of whether the client accesses WAF on port 80 or port 443. All requests can be forwarded to the origin server over HTTP, and you do not need to modify the settings of the origin server. This reduces the impact of traffic on the performance of the website. Important If your website does not support HTTPS, turn on Enable HTTP Routing. Origin SNI Specify the domain name to which an HTTPS connection must be established at the start of the Transport Layer Security (TLS) handshake process when WAF forwards requests to the origin server. If the origin server hosts multiple domain names, you must select Origin SNI. After you select Origin SNI, you can configure a Server Name Indication (SNI) field. Valid values: Use Domain Name in Host Header (default) The value of the SNI field in WAF back-to-origin requests is the same as the value of the Host header field. For example, if the domain name that you configure is `.aliyundoc.com` and the client requests the `www.aliyundoc.com` domain name in the Host header field, the value of the SNI field in WAF back-to-origin requests is `www.aliyundoc.com`. Custom* You can enter a custom value for the SNI field in WAF back-to-origin requests. In most cases, you do not need to specify a custom value for the SNI field. However, if you want WAF to use an SNI field whose value is different from the value of the Host header field in back-to-origin requests, you can specify a custom value for the SNI field.
Other Advanced Settings	Obtain the listening protocol of WAF by using the X-Forwarded-Proto header field The `X-Forwarded-Proto` header field is automatically added to HTTP requests. The X-Forwarded-Proto header field is used to identify the original protocol used by the client. If your website cannot correctly handle the X-Forwarded-Proto header field, compatibility issues may occur and your business may be affected. To prevent such issues, clear Obtain the listening protocol of WAF by using the X-Forwarded-Proto header field. Enable Traffic Mark If you select Enable Traffic Mark, requests that pass through WAF are marked. This helps origin servers obtain the originating IP addresses or ports of clients. If an attacker obtains information about your origin server before you add your domain name to WAF and uses another WAF instance to forward requests to the origin server, you can select Enable Traffic Mark to intercept malicious traffic. The origin server checks whether the requests passed through WAF. If the specified header fields exist in a request, the request passed through WAF and is allowed. If the specified header fields do not exist in a request, the request did not pass through WAF and is blocked. You can configure the following types of header fields: Custom Header If you want to add a custom header field, you must configure the Header Name and Header Value parameters. WAF adds the header field to the back-to-origin requests. This allows the origin server to check whether requests passed through WAF, collect statistics, and analyze data. For example, you can add the `ALIWAF-TAG: Yes` custom header field to mark the requests that pass through WAF. In this example, the name of the header field is `ALIWAF-TAG` and the value of the header field is `Yes`. Originating IP Address You can specify a header field that records the originating IP addresses of clients. This way, your origin server can obtain the originating IP addresses of clients. For more information about how WAF obtains the originating IP addresses of clients, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter in this topic. Source Port You can specify a header field that records the originating ports of clients. This way, your origin server can obtain the ports of clients. Important We recommend that you do not configure a standard HTTP header field, such as User-Agent. Otherwise, the original value of the standard header field is overwritten by the value of the custom header field. You can click Add Mark to add a header field. You can specify up to five header fields. Specify the timeout periods for back-to-origin requests Connection Timeout Period: the maximum amount of time that WAF can wait to connect to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 5. Read Connection Timeout Period: the maximum amount of time that WAF can wait to receive a response from the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120. Write Connection Timeout Period: the maximum amount of time that WAF can wait to forward a request to the origin server. Valid values: 1 to 3600. Unit: seconds. Default value: 120. Retry Back-to-origin Requests After you turn on Retry Back-to-origin Requests, WAF retries up to three times when it fails to forward requests to the origin server. If you do not turn on Retry Back-to-origin Requests, WAF does not retry forwarding requests if it fails the first time. Back-to-origin Keep-alive Requests If you turn on Back-to-origin Keep-alive Requests, you must configure the following parameters: Reused Keep-alive Requests: the number of reused keep-alive requests. Valid values: 60 to 1000. Default value: 1000. Timeout Period of Idle Keep-alive Requests: the timeout period for idle keep-alive requests. Valid values: 1 to 60. Unit: seconds. Default value: 15. Note If you turn off Back-to-origin Keep-alive Requests, back-to-origin keep-alive requests do not support WebSocket.

Modify the DNS record of a domain name
Important
- Before you modify the DNS record, make sure that the forwarding configurations for your website are in effect. If you modify the DNS record before the forwarding configurations of your website take effect, service interruptions may occur. For more information, see Verify domain name settings.
- If you add a domain name to WAF in reverse proxy mode, you must modify the DNS record. If you add an IP address to WAF in reverse proxy mode, skip this step.
1. Modify the DNS A record of the domain name to point the domain name to the IP address of the node group.
2. Modify the DNS CNAME record to point the domain name to the CNAME provided by the public cloud cluster. If you enable Public Cloud Disaster Recovery in Step 5, you must perform this operation.
  Note
  If you use Alibaba Cloud DNS, log on to the Alibaba Cloud DNS console and modify the DNS A record and DNS CNAME record of the domain name. For more information, see Modify the DNS record of a domain name.
After you add a domain name or IP address to WAF in hybrid cloud mode, the domain name or IP address is automatically added as a protected object. By default, protection rules of the basic protection rule module are enabled for the protected object. You can view the protected object by choosing Protection Configuration > Protected Objects in the left-side navigation pane of the WAF console. You can also configure protection rules for the protected object. For more information, see Protection configuration overview.

SDK integration mode

In SDK integration mode, an SDK is deployed on the unified access gateway of your web services to allow WAF to detect service traffic by using traffic mirroring. This separates traffic forwarding from traffic detection. If you want to add web services to WAF in SDK integration mode, join the DingTalk group 34657699 to obtain technical support.

After you deploy SDKs and hybrid cloud clusters, you can perform the following operations:

View mappings between the IP addresses of forwarding nodes on which the SDKs are deployed, hybrid cloud clusters, and protection node groups. You can also view the status of the forwarding nodes.
1. Log on to the WAF 3.0 console.
2. In the left-side navigation pane, click Website Configuration.
3. On the Hybrid Cloud tab, click SDK Integration.
  You can view mappings between the IP addresses of forwarding nodes on which the SDKs are deployed, hybrid cloud clusters, and protection node groups. You can also view the status of the forwarding nodes.
Add a protected object.
After you add a website to WAF in SDK integration mode, WAF does not automatically add the domain name of the website as a protected object. You must manually add the domain name or URL of the website as a protected object on the Protected Objects page in the WAF console. For more information, see Configure protected objects and protected object groups.
Configure protection rules for a protected object.
After you add a protected object, you must configure protection rules for the protected object. For more information, see Protection configuration overview.