Getting Started with Common Practices
WAF provides a series of common practices for you. These practices can help you start WAF protection for your workloads quickly.
Practice | Topic | Description
---|---|---
Connecting a domain name to WAF | Connecting a Domain Name to WAF for Websites with no Proxy Used | If your website is not added to WAF, DNS resolves your domain name to the IP address of the origin server. If your website is added to WAF, DNS resolves your domain name to the CNAME of WAF, so that traffic passes through WAF. WAF inspects all traffic coming from clients and filters out malicious traffic. This section describes how to change DNS settings for WAF to take effect.
Connecting a domain name to WAF | Combining CDN and WAF to Get Improved Protection and Load Speed | The combination of CDN and WAF can protect websites on Huawei Cloud, other clouds, or on-premises and make websites respond faster.
Protecting websites with WAF policies | | This section describes in which scenarios you can use WAF to defend against web attacks, including how to configure and verify WAF rules and policies.
Protecting websites with WAF policies | | This section guides you through configuring IP address-based rate limiting and cookie-based protection rules against Challenge Collapsar (CC) attacks.
Protecting websites with WAF policies | | WAF provides three anti-crawler policies to help mitigate crawler attacks against your websites: bot detection by identifying the User-Agent, website anti-crawler by checking browser validity, and CC attack protection by limiting the access frequency.
Protecting websites with WAF policies | | If you enable WAF basic web protection, WAF detects and blocks requests that match the rules based on the basic web protection types you configure. If a normal request matches a basic web protection rule and is blocked by WAF, you can handle the event as a false alarm. WAF will then no longer block the same type of request.
Protecting websites with WAF policies | Verifying a Global Protection Whitelist Rule by Simulating Requests with Postman | After your website is connected to WAF, you can use an API test tool to send HTTP/HTTPS requests to the website and verify that WAF protection rules take effect. This topic uses Postman as an example to describe how to verify a global protection whitelist (formerly false alarm masking) rule.
Protecting websites with WAF policies | | With HSS and WAF in place, you can stop worrying about web page tampering.
Using WAF for web vulnerability protection | | Spring Framework is a lightweight open-source application framework for developing enterprise Java applications. A remote code execution (RCE) vulnerability was disclosed in the Spring Framework and classified as critical. This vulnerability can be exploited to attack Java applications running on JDK 9 or later versions.
Using WAF for web vulnerability protection | | On February 10, 2020, Apache Dubbo officially released the CVE-2019-17564 vulnerability notice; the vulnerability severity is medium. Unsafe deserialization occurs within a Dubbo application that has HTTP remoting enabled. An attacker may submit a POST request containing a Java object to completely compromise a Provider instance of Apache Dubbo if this instance enables HTTP. Huawei Cloud WAF now provides protection against this vulnerability.
Using WAF for web vulnerability protection | | On September 3, 2019, the Huawei Cloud security team detected a DoS vulnerability in multiple versions of the widely used open-source component Fastjson. An attacker can exploit this vulnerability by constructing malicious requests and sending them to a server that uses Fastjson. As a result, the memory and CPU of the server are exhausted and the server crashes, causing a service outage. Huawei Cloud WAF provides protection against this vulnerability.
Using WAF for web vulnerability protection | | On July 12, 2019, the Huawei Cloud Emergency Response Center detected that the open-source component Fastjson had a remote code execution vulnerability. This vulnerability is an extension of the Fastjson 1.2.24 deserialization vulnerability detected in 2017 and can be used directly to obtain server permissions, causing serious damage.
Using WAF for web vulnerability protection | | On April 17, 2019, the Huawei Cloud Emergency Response Center detected that the China National Vulnerability Database (CNVD) had released a security bulletin for the Oracle WebLogic wls9-async component. This component has a defect in deserializing input data. Attackers can send specially crafted malicious HTTP requests to obtain permissions on the target server and execute arbitrary code remotely without authorization. CNVD rates the vulnerability as "high-risk."
Upgrading dedicated WAF instances | | You can upgrade your dedicated WAF instances on the WAF console to get the latest protection capabilities and performance. To ensure business availability during the upgrade, upgrade your dedicated WAF instances by following the procedure described there.
Configuring TLS encryption | Configuring the Minimum TLS Version and Cipher Suite to Better Secure Connections | HTTPS is a network protocol built on Transport Layer Security (TLS) and HTTP for encrypted transmission and identity authentication. When you add a domain name to WAF, set Client Protocol to HTTPS. You can then configure the minimum TLS version and cipher suite to harden website security.
Protecting origin servers | Configuring ECS and ELB Access Control Policies to Protect Origin Servers | This topic describes how to protect origin servers deployed on ECSs or added to ELB backend server groups. It helps you:
Obtaining real client IP addresses | | This topic describes how to obtain the client IP address from WAF and how to configure different types of web application servers, including Tomcat, Apache, Nginx, IIS 6, and IIS 7, to obtain the client IP address.