Updated on 2025-10-20 GMT+08:00

Connecting a Website Without a Proxy to WAF in CNAME Access Mode

Application Scenarios

With the deepening of digital applications, web applications are widely used by most enterprises. Many web applications, such as enterprise websites, online shopping malls, and remote office systems, are publicly accessible. They are becoming major targets of hackers. According to historical data analysis, about 75% of information security attacks target web applications. In addition, web applications and components have more vulnerabilities than others. The critical Log4j vulnerability affected most web applications adversely.

This topic walks you through adding your website to WAF in cloud CNAME access mode when no proxies, such as anti-DDoS or CDN products, are used in front of WAF for your website.

Architecture

If your website is not added to WAF, DNS resolves your domain name to the IP address of the origin server. If your website is added to WAF, DNS resolves your domain name to the CNAME of WAF. In this way, the traffic passes through WAF. WAF inspects all traffic coming from the client and filters out malicious traffic.

Figure 1 No proxy used

Advantages

After you enable cloud WAF for your website, the website traffic goes through WAF first. WAF examines HTTP/HTTPS requests to identify and block attacks such as SQL injections, cross-site scripting, web shells, command/code injections, file inclusion, sensitive file access, third-party application vulnerability exploits, CC attacks, malicious crawlers, and cross-site request forgery. Then, WAF forwards only legitimate traffic to origin servers. In this way, WAF helps keep your website services secure and stable.

Step 1: Buy the Standard Edition Cloud WAF

  1. Log in to the WAF console.
  2. In the upper right corner of the page, click Buy WAF. On the purchase page displayed, select Cloud Mode for WAF Mode.

    • Region: Select the region nearest to the services WAF will protect.
    • Edition: Select Standard.
    • Expansion Package and Required Duration: Set them based on site requirements.

  3. Confirm the product details and click Buy Now in the lower right corner of the page.
  4. Check the order details and read the WAF Disclaimer. Then, select the box and click Pay Now.
  5. On the payment page, select a payment method and pay for your order.

    After the order is paid, click Access Console to go to the Dashboard page. Hover over the Product Details area to view the purchased instance edition and its specifications.

Step 2: Add Website Information to WAF

  1. In the navigation pane on the left, choose Website Settings.
  2. In the upper left corner of the website list, click Add Website.
  3. Configure website information as prompted.

    Figure 2 Configuring basic information
    Table 1 Key parameters

    Parameter: Domain Name
    Description: Domain name you want to add to WAF.

    • The domain name has an ICP license.
    • You can enter a single domain name (for example, top-level domain name example.com or level-2 domain name www.example.com) or a wildcard domain name (*.example.com).

    Example Value: www.example.com

    Parameter: Protected Port
    Description: The port over which the website service traffic goes.
    Example Value: Standard ports

    Parameter: Server Configuration
    Description: Web server address settings. You need to configure the client protocol, server protocol, server weights, server address, and server port.

    • Client Protocol: protocol used by a client to access a server. The options are HTTP and HTTPS.
    • Server Protocol: protocol used by WAF to forward client requests. The options are HTTP and HTTPS.
    • Server Address: public IP address (generally corresponding to the A record configured for the domain name on the DNS) or domain name (generally corresponding to the CNAME record configured for the domain name on the DNS) of the web server that a client accesses.
    • Server Port: service port over which the WAF instance forwards client requests to the origin server.
    • Weight: Requests are distributed across backend origin servers based on the load balancing algorithm you select and the weight you assign to each server.

    Example Value:

    • Client Protocol: Select HTTP.
    • Server Protocol: HTTP
    • Server Address: IPv4 XXX.XXX.1.1
    • Server Port: 80

    Parameter: Proxy Your Website Uses
    Description: You need to configure whether you deploy other proxies in front of WAF. In this example, select No proxy.
    Example Value: No proxy

  4. Click Next and complete the basic information about the website to be protected. Perform the following operations as prompted on the Add Website page:

    Figure 3 Domain name added to WAF
    1. .
    2. .

    After the preceding steps are complete, you can check the Access Status of the added domain name in the domain name list. The Access Status of the domain name is Inaccessible at first. You need to modify the DNS record.

Step 3: Modify the DNS Record

If the Type of the domain name host record added on DNS is CNAME - Map one domain to another, add the domain name to WAF by following the steps below.

The methods to change DNS records on different DNS platforms are similar. The following example is based on Huawei Cloud Domain Name Service (DNS).

  1. Obtain the CNAME record.

    1. Log in to the WAF console.
    2. Click in the upper left corner and select a region or project.
    3. In the navigation pane on the left, click Website Settings.
    4. In the Domain Name column, click the target domain name to go to the Basic Information page.
      Figure 4 Basic Information
    5. In the CNAME row, click to copy the CNAME record.

  2. Change the DNS settings.

    1. Access the DNS resolution page, as shown in Figure 5.
      Figure 5 DNS page
    2. In the Operation column of the target domain name, click Modify. The Modify Record Set page is displayed.
    3. In the displayed Modify Record Set dialog box, change the record value.
      Figure 6 Modify Record Set
      Table 2 Modifying a record set

      Parameter: Type
      Description: Record set type. The record set type is CNAME.

      • The CNAME record must be unique for the same host record. You need to change the existing CNAME record of your domain name to the WAF CNAME record.
      • Record sets of different types in the same zone may conflict with each other.

        For example, for the same host record, the CNAME record conflicts with other records such as A record, MX record, and TXT record.

        If the record type cannot be directly changed, you can delete the conflicting records and add a CNAME record. Deleting other records and adding a CNAME record should be completed in as short a time as possible. If no CNAME record is added after the A record is deleted, domain resolution may fail.

      • For details about the restrictions on domain name resolution types, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?

      Example Value: CNAME

      Parameter: Name
      Description: Prefix of the domain name to be resolved. By default, this parameter is left blank.

      For example, if the domain name is example.com, its prefix can be:

      • www: used for website resolution. The domain name to be resolved is www.example.com.
      • Left blank: used for website resolution. The domain name to be resolved is example.com.

        If the host record is left blank, it can also be used to add resolution for the empty domain name @.

      • abc: used for subdomain name resolution. The domain name to be resolved is abc.example.com, which is a subdomain name of example.com.
      • mail: used for email address resolution. The domain name to be resolved is mail.example.com.
      • *: used for wildcard resolution. The domain name to be resolved is *.example.com, which matches all subdomain names of example.com.

      Example Value: www

      Parameter: Line
      Description: Resolution line. The DNS server will return the IP address of the specified line, depending on where the visitor comes from. The default value is Default.
      Example Value: Default

      Parameter: TTL (s)
      Description: The length of time (in seconds) for which a local DNS server caches a record set. Default value: 300. Value range: 1 to 2147483647.

      If your service address changes frequently, set a smaller TTL. Otherwise, set a larger value.

      Example Value: 300

      Parameter: Value
      Description: Enter the alias to which you want to point. Only one domain name can be entered. In this case, enter the WAF CNAME address copied in Step 1.

      Do not set the protected domain name to the IP address corresponding to the CNAME record.

      Example Value: xxxxxxxdc1b71f718f233caf77.waf.huaweicloud.com

      Parameter: Advanced Settings (Optional)
      Description: Configure the alias, weight, and description of the record set. Retain the default value.
      Example Value: --

    4. Click OK.

      After the configuration is complete, you can view the modified domain name resolution record on the Record Sets tab.

  3. (Optional) Ping the IP address of your domain name to check whether the new DNS settings take effect.

    It takes some time for the DNS resolution record to take effect. If the verification fails, wait for 5 minutes and check again.
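
The record rules in Table 2 and the optional verification step, as an added Python example that is not part of the original documentation: it parses record lines in `name TTL class type value` form (as printed by dig or found in a zone export) and reports whether the host record points to the WAF CNAME, conflicts with other record types, still resolves to the origin server, or is an A record set to the IP address behind the WAF CNAME. The WAF CNAME, origin address, and sample records are constructed placeholders.

```python
# Added example: lint DNS record lines against the Step 3 rules.
# All names and addresses below are constructed placeholders.
WAF_CNAME = "placeholder0000.waf.huaweicloud.com"  # stands in for the copied WAF CNAME
ORIGIN_IP = "192.0.2.10"                           # stands in for the origin server

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def parse_records(text):
    """Parse 'name TTL class type value' lines into (name, type, value)."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and not f[0].startswith(";"):
            out.append((norm(f[0]), f[3].upper(), " ".join(f[4:])))
    return out

def check_cutover(text, host, waf_cname=WAF_CNAME, origin_ip=ORIGIN_IP):
    """Return a list of findings; an empty list means the host record is correct."""
    recs = parse_records(text)
    own = [(t, v) for n, t, v in recs if n == norm(host)]
    cnames = [norm(v) for t, v in own if t == "CNAME"]
    a_values = {v for t, v in own if t == "A"}
    waf_ips = {v for n, t, v in recs if n == norm(waf_cname) and t == "A"}
    findings = []
    if len(cnames) > 1:
        findings.append("more than one CNAME for the same host record")
    elif cnames and cnames[0] != norm(waf_cname):
        findings.append("CNAME does not point to the WAF CNAME")
    elif not cnames:
        findings.append("no CNAME record: traffic does not pass through WAF")
    other = sorted({t for t, _ in own if t != "CNAME"})
    if cnames and other:
        findings.append("CNAME conflicts with " + ", ".join(other))
    if origin_ip in a_values:
        findings.append("A record still resolves to the origin server")
    if a_values & waf_ips:
        findings.append("A record set to the IP behind the WAF CNAME")
    return findings

BEFORE = "www.example.com. 300 IN A 192.0.2.10"
AFTER = """www.example.com. 300 IN CNAME placeholder0000.waf.huaweicloud.com.
placeholder0000.waf.huaweicloud.com. 60 IN A 198.51.100.7"""
PINNED = """www.example.com. 300 IN A 198.51.100.7
placeholder0000.waf.huaweicloud.com. 60 IN A 198.51.100.7"""
CONFLICT = AFTER + '\nwww.example.com. 300 IN TXT "v=spf1 -all"'

if __name__ == "__main__":
    for label, sample in [("before", BEFORE), ("after", AFTER),
                          ("pinned", PINNED), ("conflict", CONFLICT)]:
        print(label, check_cutover(sample, "www.example.com"))
```
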

Operation Result Verification

  • Checking the access status

    After the preceding configurations are complete, WAF automatically checks the access status of new or updated domain names every 30 minutes based on whether the CNAME record is configured for the website domain name. If the domain name was created more than two weeks ago and has not been modified in the past two weeks, you can click in the Access Progress column to manually refresh the access status.

    Access status description:
  • Check the website accessibility.

    You can enter the domain name in the address box of a browser to test whether the domain name can be accessed. You can also manually simulate simple web attack commands to check whether WAF protection takes effect.