Connecting Your Website to WAF (Cloud Mode - CNAME Access)
No matter where your service servers are deployed, on Huawei Cloud, other clouds, or on-premises data centers, you can use WAF cloud load balancer access mode. After WAF is enabled, you need to connect your website to WAF to enable protection. In CNAME access mode, WAF works as a reverse proxy. WAF checks website traffic and forwards only normal traffic back to origin servers of your website over specific back-to-source IP addresses.
If you have enabled enterprise projects, you can select an enterprise project from the Enterprise Project drop-down list and add websites to be protected in the project.
Solution Overview
In the cloud CNAME access mode, connecting a website to WAF is to point the website traffic to WAF. WAF checks received traffic and forwards only legitimate traffic to your origin server. Figure 1 shows how your website traffic is forwarded when WAF is used.
- After a visitor enters a domain name in the browser, the client sends a request to the DNS service to query the domain name resolution address.
- DNS returns the domain name resolution address to the client.
- If no proxies (such as CDN or AAD) are used, the domain name resolution address returned by DNS is the WAF IP address. The client accesses WAF through the WAF IP address. If a proxy is used:
- The domain name resolution address returned by DNS is the IP address of the proxy. The client accesses the proxy through the proxy IP address.
- The proxy then accesses WAF over a WAF IP address.
- WAF checks the traffic, blocks abnormal traffic, and uses WAF back-to-source IP addresses to forward normal traffic to the origin server.
Access Process
You need to perform the following operations based on whether your website uses a proxy (such as AAD, CDN, and cloud acceleration products).
Procedure |
Description |
---|---|
Add a domain name and origin server details to WAF. |
|
Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server |
Obtain and allow back-to-source IP addresses. |
Test website connectivity. |
|
|
|
Describes how to check whether a domain name is accessible after being connected to WAF and whether basic protection takes effect. |
Prerequisites
- You have purchased a cloud WAF instance and understood details about how to connect a website to WAF.
- Make sure your domain names have Internet Content Provider (ICP) licenses, or they cannot be added to WAF.
Step 1. Add Your Domain Name to WAF
To connect your services to WAF, you need to add the domain name and origin server information to WAF.
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner of the page and choose .
- In the navigation pane, click Website Settings.
- In the upper left corner of the website list, click Add Website.
- Select Cloud Mode - CNAME and click Configure Now.
- Configure the basic settings by referring to Table 1.
Table 1 Parameter description Parameter
Description
Example Value
Domain Name
The domain name you want WAF to protect. You can enter a top-level single domain name, like example.com, a second-level domain name, like www.example.com, or a wildcard domain name, like *.example.com.
NOTICE:- The starter edition does not support adding wildcard domain names to WAF.
- The following are the rules for adding wildcards to domain names:
- If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if the subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can add the wildcard domain name *.example.com to WAF to protect all three.
- If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one.
- Each combination of a domain name and a port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota.
- Only the domain names that have been registered with Internet Content Provider (ICP) licenses can be added to WAF.
-
Website Name (Optional)
Website name you specify.
WAF
Website Remarks (Optional)
Remarks of the website.
waftest
Protected Port
Port to be protected.
- To protect port 80 or 443, select Standard port from the drop-down list.
- To protect other ports, select the one WAF supports. Click View Ports You Can Use to view the HTTP and HTTPS ports supported by WAF. For more information, see Ports Supported by WAF.
NOTE:If a port other than 80 or 443 is configured, the visitors need to add the non-standard port to the end of the website address when they access the website. Otherwise, a 404 error will occur. If a 404 error occurs, see How Do I Troubleshoot 404/502/504 Errors?
81
Server Configuration
Information about the website server, including the client protocol, server protocol, server address, and server port.
- Client Protocol: the protocol used by the client to access the server. The option can be HTTP or HTTPS.
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). HTTPS is widely used to protect privacy and integrity of data in transit and to authenticate website identities. So, if HTTPS is selected, you need to configure a certificate.
NOTE:If Standard port is selected for Protected Port, by default, port 443 is protected for HTTPS, and port 80 for HTTP.
- Server Protocol: the protocol supported by your website server. Server Protocol: protocol used by WAF to forward client requests. The options are HTTP and HTTPS.
NOTE:
If the client protocol is different from the origin server protocol, WAF forcibly uses the origin server protocol to forward client requests.
- Server Address: public IP address (generally corresponding to the A record of the domain name configured on the DNS) or domain name (generally corresponding to the CNAME of the domain name configured on the DNS) of the web server that a client accesses.
- Server Port: service port over which the WAF instance forwards client requests to the origin server.
Client Protocol: HTTP
Server Protocol: HTTP
Server Address: XXX.XXX.1.1
Server Port: 80
Certificate
If you set Client Protocol to HTTPS, an SSL certificate is required.
- If you have not created a certificate, click Import New Certificate. In the Import New Certificate dialog box, set certificate parameters. For more details, see Uploading a Certificate.
The newly imported certificates will be listed on the Certificates page as well.
- If a certificate has been created, select a valid certificate from the Existing certificates drop-down list.
- If you have used a CCM certificate under the same account, you can select an SSL certificate from the drop-down list. The name of the SSL certificate you select must be the same as that in CCM.
NOTICE:- Only .pem certificates can be used in WAF. If the certificate is not in PEM format, convert it into PEM first. For details, see How Do I Convert a Certificate into PEM Format?
- A record is automatically generated for the selected SSL certificate on the Certificates page. You can change the certificate name on this page, but the certificate name displayed in CCM will not be changed accordingly.
- If your website certificate is about to expire, purchase a new certificate before the expiration date and update the certificate associated with the website in WAF.
WAF can send notifications if a certificate expires. You can configure such notifications on the Notifications page. For details, see Enabling Alarm Notifications.
- Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, add domain names one by one in WAF.
-
Specify Minimum TLS Version and Cipher Suite.
After selecting a certificate, you need to select the minimum TLS version and cipher suite.
In WAF, the minimum TLS version configured is TLS v1.0, and the cipher suite is cipher suite 1 by default. For more details, see Configuring PCI DSS/3DS Compliance Check and TLS.
Minimum TLS version: TLS v1.0
Cipher suite: Cipher suite 1
Proxy Your Website Uses
- Layer-7 proxy: Web proxy products for layer-7 request forwarding are used, products such as anti-DDoS, CDN, and other cloud acceleration services.
- Layer-4 proxy: Web proxy products for layer-4 forwarding are used, products such as anti-DDoS.
- No proxy: No proxy products are deployed in front of WAF.
NOTICE:- If a proxy is deployed before WAF on your website, the WAF working mode cannot be switched to Bypassed. For details about how to switch the working mode, see Switching WAF Working Mode.
- If your website uses a proxy, select Layer-7 proxy. Then WAF obtains the actual access IP address from the related field in the configured header. For details, see Configuring a Traffic Identifier for a Known Attack Source.
No proxy
- Complete advanced settings.
Table 2 Advanced settings Parameter
Description
Example Value
Policy
Select the protection policy you want to use for the website.
- System-generated policy (default): For details, see Table 3. If the number of added protection policies reaches the quota, this option will be grayed out.
- Custom protection policy: a policy you create based on your security requirements. For more details, see Configuring a Protection Policy.
System-generated policy
Table 3 Parameters for system-generated policies Policy
Description
Basic web protection (Log only mode and common checks)
The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections.
Basic web protection (Log only mode and common checks)
The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections.
Anti-crawler (Log only mode and Scanner feature)
WAF only logs web scanning tasks, such as vulnerability scanning and virus scanning, such as crawling behavior of OpenVAS and Nmap.
Log only: WAF only logs detected attacks instead of blocking them.
- Click Next.
Whitelist WAF back-to-source IP addresses, test WAF, and modify DNS record for the domain name as prompted.Figure 2 Domain name added to WAF.
Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server
A back-to-source IP address is a source IP address used by WAF to forward client requests to origin servers. To origin servers, all web requests come from WAF, and all source IP addresses are WAF back-to-source IP addresses. The real client IP address is encapsulated into the HTTP X-Forwarded-For (XFF) header field.
If the origin server uses other firewalls, network ACLs, security groups, or antivirus software, they are more likely to block WAF back-to-source IP address as malicious ones. So, you need to configure an access control policy on your origin server to allow only WAF back-to-source IP addresses to access the origin server. This prevents hackers from bypassing WAF to attack origin servers.
- There will be more WAF IP addresses due to scale-out or new clusters. For your legacy domain names, WAF IP addresses usually fall into several class C IP addresses (192.0.0.0 to 223.255.255.255) of two to four clusters.
- Generally, these IP addresses do not change unless clusters in use are changed due to DR switchovers or other scheduling switchovers. Even when WAF cluster is switched over on the WAF background, WAF will check the security group configuration on the origin server to prevent service interruptions.
- Obtain WAF back-to-source IP addresses.
After Step 1. Add Your Domain Name to WAF is complete, expand Step 1: (Optional) Whitelist WAF back-to-source IP addresses and click to copy all back-to-source IP addresses. Alternatively, go to the Website Settings page, locate the target domain name, and click Whitelist WAF in the Access Status column. Then, click to copy all back-to-source IP addresses.
- Open the security software on the origin server and add the copied IP addresses to the whitelist.
- If origin servers are deployed on ECSs, see Whitelisting WAF Back-to-Source IP Addresses on Origin Servers That Are Deployed on ECSs.
- If origin servers are added to backend servers of an ELB load balancer, see Whitelisting WAF Back-to-Source IP Addresses on Origin Servers That Use Load Balancers.
- If your website is deployed on servers on other cloud vendors, whitelist the WAF back-to-source IP addresses in the corresponding security group and access control rules.
- If only the personal antivirus software is installed on the origin server, the software does not have the interface for whitelisting IP addresses. If the origin server provides external web services, install the enterprise security software on or use Huawei Cloud Host Security Service (HSS) for the server. These products identify the sockets of some IP addresses with a large number of requests and occasionally disconnect the connections. Generally, the IP addresses of WAF are not blocked.
- After the preceding operations are complete, click Finished.
Step 3: Test WAF
You can modify the hosts file on the local server, set the domain name addressing mapping (DNS resolution records that take effect only on the local computer), and point the website domain name to the WAF IP address on the local computer. In this way, you can access the protected domain name from the local computer to verify whether the domain name is accessible after it has been added to WAF, preventing website access exceptions caused by abnormal domain name configurations.
Before performing this operation, ensure that:
- The protocol, address, and port used by the origin server (for example, www.example5.com) are correctly configured when adding a domain name to WAF. If Client Protocol is set to HTTPS, ensure that the uploaded certificate and private key are correct.
- Operations in Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server have been finished.
- Obtain the CNAME record.
- Method 1: After Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server is complete, expand Step 2: Test WAF and copy the CNAME record on the displayed page. Alternatively, go to the Website Settings page, locate the target domain name, and click Test WAF in the Access Status column. On the page displayed, copy the CNAME record.
- Method 2: On the Website Settings page, click the target domain name. On the basic information page displayed, click in the CNAME row to copy the CNAME record.
- Ping the CNAME record and record the corresponding IP address.
Use www.example5.com as an example and its CNAME record is xxxxxxxdc1b71f718f233caf77.waf.huaweicloud.com.
Open cmd in Windows or bash in Linux and run the ping xxxxxxxdc1b71f718f233caf77.waf.huaweicloud.com command to obtain the WAF access IP addresses. As shown in Figure 3, the WAF access IP address is displayed.If no WAF access IP addresses are returned after you ping the CNAME record, your network may be unstable. You can ping the CNAME record again when your network is stable.
- Add the domain name and WAF access IP addresses pointed to CNAME to the hosts file.
- Use a text editor to edit the hosts file. In Windows, the location of the hosts file is as follows:
- Windows: C:\Windows\System32\drivers\etc
- Linux: /etc/hosts
- Add a record like Figure 4 to the hosts file. The IP address is the WAF access IP address obtained in Step 2 and the domain name is the protected domain name.
- Save the hosts file and ping the protected domain name on the local PC.
Figure 5 Pinging the domain name
It is expected that the resolved IP address is the access IP address of WAF obtained in 3.b. If the origin server address is returned, refresh the local DNS cache. (Run ipconfig/flushdns in Windows cmd or systemd-resolved in Linux Bash.)
- Use a text editor to edit the hosts file. In Windows, the location of the hosts file is as follows:
- Verify the access.
- Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.
If the domain name has been resolved to WAF back-to-source IP addresses and WAF configurations are correct, the website is accessible.
- Simulate simple web attack commands.
- Set the mode of Basic Web Protection to Block. For details, see Enabling Basic Web Protection.
- Clear the browser cache, enter the test domain name in the address bar, and check whether WAF blocks the simulated SQL injection attack against the domain name.
Figure 6 Request blocked
- In the navigation pane, choose Events to view test data.
- Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.
- Verify that the preceding steps are complete and click Finished.
Step 4: Modify the DNS Records of the Domain Name
After a domain name is added to WAF, WAF functions as a reverse proxy between the client and server. The real IP address of the server is hidden, and only the IP address of WAF is visible to web visitors. You must point the DNS resolution of the domain name to the CNAME record provided by WAF. In this way, access requests can be resolved to WAF. After your website connectivity with WAF is tested locally, you can go to the DNS platform hosting your domain name and resolve the domain name to WAF. Then WAF protection can work.
Before modifying the DNS records of a domain name, ensure that:
- Operations in Step 1. Add Your Domain Name to WAF, Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server, and Step 3: Test WAF have been completed.
- You have the permission to modify domain name resolution settings on the DNS platform hosting your domain name.
No proxies used
- Obtain the CNAME record of WAF.
- Method 1: After Step 3: Test WAF is complete, expand Step 3: Change DNS Resolution, and copy the CNAME record on the displayed page. Alternatively, go to the Website Settings page, locate the target domain name, and click Modify DNS in the Access Status column. Then, copy the CNAME record on the page displayed.
- Method 2: On the Website Settings page, click the target domain name. On the basic information page displayed, click in the CNAME row to copy the CNAME record.
- Change the DNS records of the domain name to the WAF CNAME record.
Configure the CNAME record at your DNS provider. For details, contact your DNS provider.
The following uses Huawei Cloud DNS as an example to show how to configure a CNAME record. If the following configuration is inconsistent with your configuration, use information provided by the DNS providers.
- Click in the upper left corner of the page and choose Networking > Domain Name Service.
- In the navigation pane on the left, choose Public Zones.
- In the Operation column of the target domain name, click Manage Record Set. The Record Sets tab page is displayed.
Figure 7 Record sets
- In the row containing the desired record set, click Modify in the Operation column.
- In the displayed Modify Record Set dialog box, change the record value.
- Name: Domain name configured in WAF
- Type: Select CNAME-Map one domain to another.
- Line: Select Default.
- TTL (s): The recommended value is 5 min. A larger TTL value will make it slower for synchronization and update of DNS records.
- Value: Change it to the WAF CNAME record copied from WAF.
- Keep other settings unchanged.
Figure 8 Modify Record Set
About modifying the resolution record:
- The CNAME record must be unique for the same host record. You need to change the existing CNAME record of your domain name to WAF CNAME record.
- Record sets of different types in the same zone may conflict with each other. For example, for the same host record, the CNAME record conflicts with other records such as A record, MX record, and TXT record. If the record type cannot be directly changed, you can delete the conflicting records and add a CNAME record. Deleting other records and adding a CNAME record should be completed in as short time as possible. If no CNAME record is added after the A record is deleted, domain resolution may fail.
For details about the restrictions on domain name resolution types, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?
- Click OK.
Proxy used
- Obtain the WAF CNAME record.
- Method 1: After Step 3: Test WAF is complete, click Step 3: Change the back-to-source IP address of the proxy.. On the displayed page, copy the CNAME record. Alternatively, go to the Website Settings page, click Change Proxy IP Address in the Access Status column, and copy the CNAME record on the displayed page.
- Method 2: On the Website Settings page, click the target domain name. On the basic information page displayed, click in the CNAME row to copy the CNAME record.
- Make sure the domain name has been pointed to the proxy and change the back-to-source IP address of the used proxy, such as anti-DDoS and CDN services, to the copied CNAME record.
To prevent other users from configuring your domain names on WAF in advance (this will cause interference on your domain name protection), add the subdomain name and TXT record on your DNS management platform.
- Obtain the subdomain name and TXT record: On the top of the domain name basic information page, click next to Inaccessible. In the dialog box displayed, copy the subdomain name and TXT record.
- Add Subdomain Name at the DNS provider and configure TXT Record for the subdomain name.
WAF determines which user owns the domain name based on the configured Subdomain Name and TXT Record.
Configuration verification
After completing the preceding configurations, you need to check the CNAME record of the domain name.
- In Windows, choose Start > Run. Then enter cmd and press Enter.
- Run a nslookup command to query the CNAME record.
If the configured CNAME record is returned, the configuration is successful. An example command response is displayed in Figure 9.
Using www.example.com as an example, the output is as follows:
nslookup www.example.com
- After the preceding steps are complete, select Finished.
Step 5: Verify Website Access
- Check the access status.
Generally, if you have performed domain connection and Access Status is Accessible, the domain name is connected to WAF.
If the domain name has been connected to WAF but its Access Status is still Inaccessible, click to refresh the status. If the status is still Inaccessible, fix the issue by referring to Why My Domain Name Is Inaccessible?
- Check the website accessibility.
- Enter the domain name in the address bar of your browser and check whether the website is accessible.
If a non-standard port is configured, the visitors need to add the non-standard port to the end of the website address when they access the website. Otherwise, a 404 error will occur. If a 404 error occurs, see How Do I Troubleshoot 404/502/504 Errors?
- Simulate simple web attack commands and check whether WAF protection takes effect. For details, see 4.b.
- Enter the domain name in the address bar of your browser and check whether the website is accessible.
Follow-up Operations
After adding a domain name to WAF, you need to:
- Complete Recommended Configurations
- Adjust the protection policy configured for the protected domain name based on protection requirements. For details, see Protection Configuration Overview.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.