Help Center> Web Application Firewall> Best Practices> Configuring Origin Server Security> Configuring an Access Control Policy on an ECS or ELB to Protect Origin Servers

Updated on 2024-02-29 GMT+08:00

View PDF

Configuring an Access Control Policy on an ECS or ELB to Protect Origin Servers

After you connect your website to Web Application Firewall (WAF), configure an access control policy on your origin server to allow only the WAF back-to-source IP addresses. This prevents hackers from obtaining your origin server IP addresses and then bypassing WAF to attack origin servers.

This topic walks you through how to check whether origin servers have exposure risks and how to configure access control policies. This topic applies to scenarios where your origin servers are deploying on ECSs or have been added to backend servers of an ELB load balancer.

WAF will forward incoming traffic destined for the origin servers no matter whether you configure access control rules on the origin servers. However, if you have no access control rules configured on origin servers, bad actors may bypass WAF and directly attack your origin servers once they obtain your origin server IP addresses.
If you use an NAT gateway before an ECS for forwarding data, you also need to configure an inbound rule in the security group the ECS belongs to by referring to Configuring an Inbound Rule for an ECS. This rule allows only WAF IP addresses to access origin servers to keep them secure.

Precautions

Before configuring an access control policy on an origin server, ensure that you have connected all domain names of websites hosted on Elastic Cloud Server (ECS) or having Elastic Load Balance (ELB) deployed to WAF.
The following issued should be considered when you configure a security group:
- If you enable the WAF bypassed mode for your website but do not disable security group and network ACL configurations, the origin server may become inaccessible from the Internet.
- If new WAF back-to-source IP addresses are assigned to WAF after a security group is configured for your website, the website may respond 5xx errors frequently.

How Do I Check Whether the Origin Server IP Address Is Exposed?

In a non-Huawei Cloud environment, use a Telnet tool to establish a connection over the service port of the public IP address of your origin server (or enter the IP address of your web application in the browser). Then, check whether the connection is established.

Connection established
The origin server has exposed to the public. Once a hacker obtains the public IP address of the origin server, the hacker can bypass WAF and directly attack the origin server.
Connection not established
The origin server is hidden from the public and there is no exposure risk.

For example, to check whether the origin server is exposed, check whether the origin server IP address that has been protected by WAF can be connected over port 443. If information similar to that shown in Figure 1 is displayed, the connection is established and the origin server IP address is exposed.

Figure 1 Testing
Click to enlarge

Obtaining WAF Back-to-Source IP Addresses

A back-to-source IP address is a source IP address used by WAF to forward client requests to origin servers. To origin servers, all web requests come from WAF and all source IP addresses are WAF back-to-source IP addresses. The real client IP address is encapsulated into the HTTP X-Forwarded-For (XFF) header field.

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Choose Security > Web Application Firewall to go to the Dashboard page.
In the navigation pane on the left, choose Website Settings.
In the upper right corner above the website list, click the WAF Back-to-Source IP Addresses link.

WAF back-to-source IP addresses are periodically updated. Whitelist the new IP addresses in time to prevent those IP addresses from being blocked by origin servers.
In the displayed dialog box, click Copy to copy all the addresses.

Figure 2 WAF Back-to-Source IP Addresses dialog box

Configuring an Inbound Rule for an ECS

If your origin server is deployed on an ECS, perform the following steps to configure a security group rule to allow only the WAF back-to-source IP addresses to access the origin server.

Ensure that all WAF back-to-source IP addresses are whitelisted by an inbound rule of the security group configured for the ECS. Otherwise, website may become inaccessible.

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner of the page and choose Compute > Elastic Cloud Server.
Locate the row containing the ECS you want. In the Name/ID column, click the ECS name to go to the ECS details page.
Click the Security Groups tab. Then, click Change Security Group.
Click the security group ID and view the details.

Click the Inbound Rules tab and click Add Rule. Then, specify parameters in the Add Inbound Rule dialog box. For details, see Table 1.

**Table 1** Inbound rule parameters
Parameter	Description
Protocol & Port	Protocol and port for which the security group rule takes effect. If you select TCP (Custom ports), enter the origin server port number in the text box below the TCP box.
Source	Add all WAF back-to-source IP addresses copied in Step 6 one by one. NOTE: One IP address is configured in a rule. Click Add Rule to add more rules. A maximum of 10 rules can be added.

Click OK.
Then, the security group rules allow all inbound traffic from the WAF back-to-source IP addresses.

To check whether the security group rules take effect, refer to How Do I Check Whether the Origin Server IP Address Is Exposed? If a connection cannot be established over the service port but the website is still accessible, the configuration takes effect.

Enabling ELB Access Control

If your origin server is deployed on backend servers of an ELB load balancer, perform the following steps to configure an access control list to allow only the WAF back-to-source IP addresses to access the origin server.

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner of the page and choose Networking > Elastic Load Balance.
Locate the load balancer you want. In the Listener column, click the listener name to go to the details page.
In the Access Control row of the target listener, click Configure.

Figure 3 Listener list
Click OK.
To check whether the security group rules take effect, refer to How Do I Check Whether the Origin Server IP Address Is Exposed? If a connection cannot be established over the service port but the website is still accessible, the configuration takes effect.

Parent topic: Configuring Origin Server Security

Previous topic: Configuring the Minimum TLS Version and Cipher Suite to Better Secure Connections

Next topic: Configuring Collaborative Protection

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel