Updated on 2025-10-20 GMT+08:00

Combining CDN and WAF to Get Improved Protection and Load Speed

Application Scenarios

As digital services expand, most enterprises rely on web applications. Many of them, such as enterprise websites, online shopping malls, and remote office systems, are publicly accessible, which makes them major targets for hackers. According to historical data analysis, about 75% of information security attacks target web applications. In addition, web applications and their components have more vulnerabilities than other systems. The critical Log4j vulnerability adversely affected most web applications.

If your website has used CDN already, you can use WAF as well to give extra protection to the website. For details about how to use CDN for a website, see .

Architecture

  • When a user accesses a website that uses Huawei Cloud CDN, the local DNS server redirects all requests for the domain name to CDN using CNAME records. CDN uses a group of predefined policies (such as the content type, geographical location, and network load status) to respond to visitors with the nearest CDN IP address so that visitors can obtain the requested website content as quickly as possible.

    Objects supported by CDN: domain names of web applications on Huawei Cloud, other cloud platforms, or on-premises data centers

  • Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injections, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).

The combination of CDN and WAF can protect websites on Huawei Cloud, other clouds, or on-premises while accelerating website response. Figure 1 shows the configuration diagram.

Figure 1 A proxy used

After you deploy CDN and WAF for your website, traffic is accelerated by CDN and then forwarded to WAF. WAF checks received traffic and forwards only the normal traffic to the origin server. The combination protects the website against attacks while improving the website response speed and availability.

Point your website domain name to CDN and then change the CDN back-to-source address to the WAF CNAME record. After that, you can also add a WAF subdomain name and TXT record on your DNS management platform in case others have connected the website domain name to WAF before you configure CDN.

Advantages

With both CDN and WAF deployed, your website will be accelerated with CDN while being protected with WAF. This combination will shorten website content access delay, speed up website response, and improve website availability. You can stop worrying about low network bandwidth, large user access traffic, and uneven distribution of branches. Besides that, this combination will protect your website from web application attacks, such as SQL injections, cross-site scripting (XSS), web shells, command/code injections, file inclusion, sensitive file access, third-party application vulnerability exploits, CC attacks, malicious crawlers, and cross-site request forgery.

Resource and Cost Planning

Table 1 Resources and costs

Resource: CDN
Description:
  • Billing Mode: Select Pay-per-use.
  • Resource packages can be used.
Monthly Fee: For details about billing rules, see Billing Description.

Resource: Web Application Firewall
Description: Cloud mode - standard edition:
  • Billing mode: Yearly/Monthly
  • Number of domain names that can be protected: 10
  • QPS quota: 2,000 QPS
  • Maximum bandwidth:
    • Origin servers deployed on Huawei Cloud: 100 Mbit/s
    • Origin servers deployed outside Huawei Cloud: 30 Mbit/s
Monthly Fee: For details about pricing rules, see Billing Description.

Constraints

If you select cloud mode CNAME access for protection and your website uses proxies such as anti-DDoS, Content Delivery Network (CDN), and cloud acceleration services before WAF, select Per user for Rate Limit Mode and enable All WAF instances for your CC attack protection rules.
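
Why the rate limit key matters behind a proxy, as an added example (not Huawei Cloud code): with CDN in front of WAF, requests reach WAF from CDN node addresses, so a limit keyed on the connection's source IP counts all visitors together. The request list, the visitor names, and the limit of 5 requests per 60 seconds are constructed; that Per user mode keys on a per-visitor value such as a session cookie is an assumption of this example.

```python
from collections import defaultdict, deque

# Constructed sample: (timestamp_s, tcp_peer_ip, visitor key such as a session cookie).
# Every request arrives from the same CDN node address.
CDN_NODE = "198.51.100.7"
REQUESTS = (
    [(t, CDN_NODE, "alice") for t in range(0, 12, 3)]      # 4 requests in 9 s
    + [(t, CDN_NODE, "bob") for t in range(1, 13, 3)]      # 4 requests in 9 s
    + [(t * 0.5, CDN_NODE, "flood") for t in range(40)]    # 40 requests in 20 s
)

def simulate(requests, bucket_of, limit=5, window_s=60):
    """Sliding-window limiter. Returns {visitor: number of rejected requests}."""
    accepted = defaultdict(deque)   # bucket -> timestamps of accepted requests
    rejected = defaultdict(int)
    for ts, peer_ip, visitor in sorted(requests):
        window = accepted[bucket_of(peer_ip, visitor)]
        while window and ts - window[0] >= window_s:
            window.popleft()        # drop requests that left the window
        if len(window) < limit:
            window.append(ts)
        else:
            rejected[visitor] += 1
    return dict(rejected)

# Keyed on source IP: one bucket for the CDN node, so normal visitors are rejected too.
per_ip = simulate(REQUESTS, lambda peer_ip, visitor: peer_ip)
# Keyed per visitor: only the visitor that exceeds the limit is rejected.
per_user = simulate(REQUESTS, lambda peer_ip, visitor: visitor)

if __name__ == "__main__":
    print("per IP  :", per_ip)
    print("per user:", per_user)
```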

Step 1: Buy the Standard Edition Cloud WAF

The following describes how to buy the standard edition cloud WAF.

  1. Log in to the WAF console.
  2. In the upper right corner of the page, click Buy WAF. On the purchase page displayed, select Cloud Mode for WAF Mode.

    • Region: Select the region nearest to the services that WAF will protect.
    • Edition: Select Standard.
    • Expansion Package and Required Duration: Set them based on site requirements.

  3. Confirm the product details and click Buy Now in the lower right corner of the page.
  4. Check the order details and read the WAF Disclaimer. Then, select the box and click Pay Now.
  5. On the payment page, select a payment method and pay for your order.

    After the order is paid, click Access Console to go to the Dashboard page. Hover over the Product Details area to view the purchased instance edition and its specifications.

Step 2: Add Website Information to WAF

The following example shows how to add a website to WAF in cloud CNAME access mode.

  • For details about the cloud load balancer access mode, see .
  • For details about the dedicated mode, see .
  1. In the navigation pane on the left, choose Website Settings.
  2. In the upper left corner of the website list, click Add Website.
  3. Configure website information as prompted.

    Figure 2 Configuring basic information
    Table 2 Key parameters

    Parameter: Domain Name
    Description: Domain name you want to add to WAF for protection.
    • The domain name has an ICP license.
    • You can enter a single domain name (for example, top-level domain name example.com or level-2 domain name www.example.com) or a wildcard domain name (*.example.com).
    Example Value: www.example.com

    Parameter: Protected Port
    Description: The port over which the website traffic goes
    Example Value: Standard ports

    Parameter: Server Configuration
    Description: Web server address settings. You need to configure the client protocol, server protocol, server weights, server address, and server port.
    • Client Protocol: protocol used by a client to access a server. The options are HTTP and HTTPS.
    • Server Protocol: protocol used by WAF to forward client requests. The options are HTTP and HTTPS.
    • Server Address: public IP address (generally corresponding to the A record of the domain name configured on the DNS) or domain name (generally corresponding to the CNAME record of the domain name configured on the DNS) of the web server that a client accesses.
    • Server Port: service port over which the WAF instance forwards client requests to the origin server.
    • Weight: Requests are distributed across backend origin servers based on the load balancing algorithm you select and the weight you assign to each server.
    Example Value:
    • Client Protocol: Select HTTP.
    • Server Protocol: HTTP
    • Server Address: IPv4 XXX.XXX.1.1
    • Server Port: 80

    Parameter: Proxy Your Website Uses
    Description: You need to configure whether you deploy other proxies in front of WAF. In this example, select Layer-4 proxy.
    Example Value: Layer-4 proxy

  4. Click Next and complete the basic information about the website to be protected. Perform the following operations as prompted on the Add Website page:

    Figure 3 Domain name added to WAF
    1. .
    2. .

    After the preceding steps are complete, you can check the Access Status of the added domain name in the domain name list. The Access Status of the domain name is Inaccessible at first. You need to modify the DNS record.

Step 3: Resolve the Domain Name

On the CDN page, add the CNAME record of WAF to let the traffic pass through WAF.

How to Configure in Cloud Mode

The following uses Huawei Cloud CDN as an example to describe how to configure domain name resolution. If you use Huawei Cloud CDN, perform the following steps directly. If you use a CDN from another provider, configure domain name resolution on that CDN by following the same steps.

  1. Obtain settings of CNAME, Subdomain Name, and TXT Record.

    1. Log in to the WAF console.
    2. In the navigation pane on the left, click Website Settings.
    3. In the row containing the desired domain name, click the domain name to go to the Basic Information page.
    4. On the basic information page for the domain name, click in the CNAME row and copy the CNAME records. On the top of the page, click next to Inaccessible. In the dialog box displayed, copy the subdomain name and TXT record.

  2. Change the origin server domain name of the primary origin server of CDN to the CNAME of WAF.
  3. (Optional) Add a WAF subdomain name and TXT record at your DNS provider. If a proxy is used for your website, WAF needs to check whether a TXT record is configured to identify the domain name access status. So, you are advised to add a subdomain name and TXT record.

    1. Access the DNS resolution page, as shown in Figure 4.
      Figure 4 DNS page
    2. In the upper right corner of the page, click Add Record Set. The Add Record Set page is displayed. Figure 5 shows an example.
      • Type: Select TXT – Specify text records.
      • Name: TXT record copied in 1.d.
      • Line: Default
      • TTL (s): The recommended value is 5 min. A larger TTL value slows down the synchronization and update of DNS records.
      • Value: Enclose the TXT record copied in 1.d in quotation marks and paste it in the text box, for example, "TXT record".
      • Keep other settings unchanged.
      Figure 5 Adding a record set
    3. Click OK.

      After the configuration is complete, you can view the added domain name resolution record on the Record Sets tab.

  4. (Optional) Ping the IP address of your domain name to check whether the new DNS settings take effect.

    It takes some time for the DNS resolution record to take effect. If the verification fails, wait for 5 minutes and check again.

Configuration of Dedicated WAF

Perform the following steps to complete configurations on Huawei Cloud CDN:

  1. Click in the upper left corner of the page and choose Content Delivery & Edge Computing > Content Delivery Network.
  2. In the navigation pane on the left, choose Domains.
  3. In the domain list, click the target domain name or click Configure in the Operation column.
  4. Click the Basic Settings tab. In the Origin Server Settings area, click Edit.

  5. Click Save.

Operation Result Verification

  • Checking the access status
    After the preceding configurations are complete, WAF automatically checks the access status of new or updated domain names every 30 minutes. If the domain name was created more than two weeks ago and has not been modified in the past two weeks, you can click in the Access Progress column to manually refresh the access status. The check is based on the following conditions:
    • Check whether a CNAME record or TXT record is configured for the website domain name if proxies are used.
    • Check whether the website has traffic. There must be at least 20 requests to the website within 5 minutes; otherwise, no traffic can be detected.

    Figure 6 shows the logic for checking the access status.

    Figure 6 Access status check logic
    Access status description:
    • Inaccessible: No CNAME or TXT record has been configured for the domain name, and no traffic passes through the domain name. You can allow the back-to-source IP addresses, test WAF, or modify the DNS resolution based on the access status. If the domain name is still Inaccessible after you manually refresh the access status, connect the domain name to WAF again by referring to Why Is My Domain Name or IP Address Inaccessible?
    • Accessible: The domain name has been connected to WAF. A CNAME record or a TXT record has been configured for the domain name, and the website has traffic.
    • DNS error: The website domain name has a TXT record, but the website does not have traffic. You can access the website more than 20 times within 5 minutes, manually refresh the access status, and check whether the access status is updated to Accessible.
  • Protection Verification

    Simulate simple web attack commands and check whether WAF protection takes effect.
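
A local pre-check of the conditions listed under Checking the access status, as an added example that is not Huawei Cloud code: it unquotes TXT answers in the form `dig +short TXT` prints them for the WAF subdomain name, compares them with the value copied from the WAF console, and looks for 20 requests within a 5-minute window. The record value, the timestamps, and the function names are constructed; combinations the page does not describe are reported as such.

```python
import re

# Constructed sample inputs (placeholders, not real records or logs).
WAF_TXT = "constructed-txt-value-0123"       # stands in for the TXT record copied from WAF
DIG_OUTPUT = '"constructed-txt-" "value-0123"\n"v=spf1 -all"\n'
REQUEST_TIMES = [i * 10 for i in range(25)]  # request timestamps in seconds

def txt_values(dig_short_output):
    """Unquote TXT answers in the form `dig +short TXT <name>` prints them.
    A record split into several quoted chunks on one line is joined."""
    values = []
    for line in dig_short_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            values.append("".join(chunks).replace('\\"', '"'))
    return values

def has_traffic(timestamps, needed=20, window_s=300):
    """True if some window of window_s seconds holds at least `needed` requests."""
    ts = sorted(timestamps)
    return any(ts[i + needed - 1] - ts[i] <= window_s
               for i in range(len(ts) - needed + 1))

def expected_status(cname_ok, txt_ok, traffic):
    """Map the three access status descriptions onto the observed conditions."""
    if (cname_ok or txt_ok) and traffic:
        return "Accessible"
    if txt_ok and not traffic:
        return "DNS error"
    if not (cname_ok or txt_ok or traffic):
        return "Inaccessible"
    return "not described on the page"

def precheck(dig_output, wanted_txt, request_times, cname_ok=False):
    # cname_ok defaults to False: with CDN in front, the site's own CNAME
    # points at CDN, so this check relies on the TXT record (an assumption).
    txt_ok = wanted_txt in txt_values(dig_output)
    return expected_status(cname_ok, txt_ok, has_traffic(request_times))

if __name__ == "__main__":
    print(precheck(DIG_OUTPUT, WAF_TXT, REQUEST_TIMES))
```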