Help Center/ Web Application Firewall/ User Guide/ Connecting a Website to WAF/ Connecting Your Website to WAF (Dedicated Mode)
Updated on 2024-11-05 GMT+08:00

Connecting Your Website to WAF (Dedicated Mode)

If your service servers are deployed on Huawei Cloud, you can use dedicated WAF instances to protect your website services as long as your website has domain names or IP addresses.

If you have enabled enterprise projects, you can select your enterprise project from the Enterprise Project drop-down list and add websites to be protected in the project.

Solution Overview

In dedicated mode, after a website is connected to WAF, the website traffic is sent to WAF through the ELB load balancer. WAF blocks abnormal requests and forwards normal requests to the origin server through the back-to-source IP address of the dedicated WAF engine. Figure 1 shows how your website traffic is forwarded when WAF is used.

Figure 1 Website access diagram

The details are as follows:

  1. After a visitor enters a domain name in the browser, the client sends a request to the DNS service to query the domain name resolution address.
  2. DNS returns the domain name resolution address to the client.
  3. If no proxies (for example, CDN or AAD) are used, the domain name resolution address returned by the DNS service is the EIP of the load balancer, and the client accesses the load balancer through the EIP. If a proxy is used:
    1. The domain name resolution address returned by DNS is the IP address of the proxy. The client accesses the proxy through the proxy IP address.
    2. The proxy accesses the ELB load balancer over its EIP.
  4. The ELB load balancer forwards the traffic to WAF.
  5. WAF checks the traffic, blocks abnormal traffic, and forwards normal traffic to the origin server over the back-to-source IP address of the dedicated WAF engine.

Access Process

You need to perform the following operations based on whether your website uses a proxy (such as AAD, CDN, and cloud acceleration products).

Procedure

Description

Step 1. Add a Website to WAF

Add a domain name and origin server details to WAF.

Step 2: Configure a Load Balancer for a Dedicated WAF Instance

Configure a load balancer and health check for a dedicated WAF instance.

Step 3: Bind an EIP to a Load Balancer

Bind an EIP of the origin server to the load balancer configured for a dedicated WAF instance. So that the website request traffic can be forwarded to and checked by the dedicated WAF instance.

Step 4: Whitelist Back-to-Source IP Addresses of Dedicated WAF Instances

Allow the back-to-source IP address of a dedicated engine.

Step 5: Test Dedicated WAF Instances

Check WAF traffic forwarding, ELB load balancer, and WAF basic protection.

Prerequisites

  • You have purchased a dedicated WAF instance.
  • You have purchased a dedicated load balancer. For details about load balancer types, see Differences Between Dedicated and Shared Load Balancers.

    Dedicated WAF instances issued before April 2023 cannot be used with dedicated network load balancers. If you use a dedicated network load balancer (TCP/UDP), ensure that your dedicated WAF instance has been upgraded to the latest version (issued after April 2023).

  • Related ports have been enabled in the security group to which the dedicated WAF instance belongs.
    You can configure your security group as follows:
    • Inbound rules

      Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, you can add a rule that allows TCP and port 80.

    • Outbound rules

      The value is Default. All outgoing network traffic is allowed by default.

    For more details, see Adding a Security Group Rule.

Step 1. Add a Website to WAF

To connect your services to WAF, you need to add the domain name and origin server information to WAF.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall under Security.
  1. In the navigation pane, choose Website Settings.
  2. In the upper left corner of the website list, click Add Website.
  3. Select Dedicated Mode and click Configure Now.
  4. , including domain name and origin server settings. For details about the parameters, see Table 1.

    Table 1 Parameter description

    Parameter

    Description

    Example Value

    Protected Object

    The domain name or IP address (public or private IP address) of the website you want to protect. You can enter a single domain name or a wildcard domain name.

    NOTE:
    • The wildcard * can be added to WAF to let WAF protect any domain names. If wildcard (*) is added to WAF, only non-standard ports other than 80 and 443 can be protected.
    • If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if the subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can add the wildcard domain name *.example.com to WAF to protect all three.
    • If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one.
    • WAF can protect both public and private IP addresses. If a private IP address is used, ensure that the corresponding network path is accessible so that WAF can correctly monitor and filter traffic.

    -

    Website Name

    Website name you specify.

    WAF

    Website Remarks

    Remarks of the website.

    waftest

    Protected Port

    Port to be protected.

    • To protect port 80 or 443, select Standard port from the drop-down list.
    • To protect other ports, select the one WAF supports. Click View Ports You Can Use to view the HTTP and HTTPS ports supported by WAF. For more information, see Ports Supported by WAF.
    NOTE:

    If a port other than 80 or 443 is configured, the visitors need to add the non-standard port to the end of the website address when they access the website. Otherwise, a 404 error will occur. If a 404 error occurs, see How Do I Troubleshoot 404/502/504 Errors?

    81

    Server Configuration

    Address of the web server. The configuration contains the Client Protocol, Server protocol, VPC, Server Address, and Server Port.

    • Client Protocol: protocol used by a client to access a server. The options are HTTP and HTTPS.
    • Server Protocol: Protocol supported by your website server. Server Protocol: protocol used by WAF to forward client requests. The options are HTTP and HTTPS.
      NOTE:
      • If the client protocol is different from the origin server protocol, WAF forcibly uses the origin server protocol to forward client requests.
      • WAF can check WebSocket and WebSockets requests, which is enabled by default.
    • VPC: Select the VPC to which the dedicated WAF instance belongs.
      NOTE:

      To implement active-active services and prevent single points of failure (SPOFs), it is recommended that at least two WAF instances be configured in the same VPC.

    • Server Address: private IP address of the website server.

      Log in to the ECS or ELB console and view the private IP address of the server in the instance list.

      NOTE:

      The origin server address cannot be the same as that of the protected object.

    • Server Port: service port of the server to which the dedicated WAF instance forwards client requests.

    Client Protocol: HTTP

    Server Protocol: HTTP

    Server Address: XXX.XXX.1.1

    Server Port: 80

    Certificate Name

    If you set Client Protocol to HTTPS, an SSL certificate is required.

    • If you have not created a certificate, click Import New Certificate. In the Import New Certificate dialog box, set certificate parameters. For more details, see Uploading a Certificate.

      The newly imported certificates will be listed on the Certificates page as well.

    • If a certificate has been created, select a valid certificate from the Existing certificates drop-down list.
    • If you have used a CCM certificate under the same account, you can select an SSL certificate from the drop-down list. The name of the SSL certificate you select must be the same as that in CCM.
    NOTICE:
    • Only .pem certificates can be used in WAF. If the certificate is not in PEM format, convert it into pem format first. For details, see How Do I Convert a Certificate into PEM Format?
    • If your website certificate is about to expire, purchase a new certificate before the expiration date and update the certificate associated with the website in WAF.

      WAF can send notifications if a certificate expires. You can configure such notifications on the Notifications page. For details, see Enabling Alarm Notifications.

    • Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, add domain names one by one in WAF.

    --

    Proxy Your Website Uses

    • Layer-7 proxy: Web proxy products for layer-7 request forwarding are used, products such as anti-DDoS, CDN, and other cloud acceleration services.
    • Layer-4 proxy: Web proxy products for layer-4 forwarding are used, products such as anti-DDoS.
    • No proxy: No proxy products are used for the website.
    NOTICE:

    If your website uses a proxy, select Layer-7 proxy. Then WAF obtains the actual access IP address from the related field in the configured header. For details, see Configuring a Traffic Identifier for a Known Attack Source.

    Layer-7 proxy

  5. Configure the advanced settings.

    Policy: The System-generated policy is selected by default. You can select a policy you configured before. You can also customize rules after the domain name is connected to WAF.

    System-generated policies include:

    • Basic web protection (Log only mode and common checks)

      The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections.

    • Anti-crawler (Log only mode and Scanner feature)

      WAF only logs web scanning tasks, such as vulnerability scanning and virus scanning, such as crawling behavior of OpenVAS and Nmap.

      Log only: WAF only logs detected attack events instead of blocking them.

  6. Click OK.

    To enable WAF protection, there are still several steps, including configuring a load balancer, binding an EIP to the load balancer, and whitelisting back-to-source IP addresses of your dedicated instance. You can click Later in this step. Then, follow the instructions and finish those steps by referring to Step 2: Configure a Load Balancer for a Dedicated WAF Instance, Step 3: Bind an EIP to a Load Balancer, and Step 4: Whitelist Back-to-Source IP Addresses of Dedicated WAF Instances.

Step 2: Configure a Load Balancer for a Dedicated WAF Instance

To ensure your dedicated WAF instance reliability, after you add a website to it, use Huawei Cloud Elastic Load Balance (ELB) to configure a load balancer and a health check for the dedicated WAF instance.

Huawei Cloud ELB is billed by traffic. For details, see ELB Pricing Details.

  1. Add a listener to the load balancer. For details, see Adding an HTTP Listener or Adding an HTTPS Listener.

    When adding a listener, set the parameters as follows:

    • Frontend Port: the port that will be used by the load balancer to receive requests from clients. You can set this parameter to any port. The origin server port configured in WAF is recommended.
    • Frontend Protocol: Select HTTP or HTTPS.
    • If you select Weighted round robin for Load Balancing Algorithm, disable Sticky Session. If you enable Sticky Session, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time.
    • If Health Check is configured, the health check result must be Healthy, or the website requests cannot be pointed to WAF. For details about how to configure health check, see Configuring a Health Check.

  2. Click in the upper left corner and choose Web Application Firewall under Security.
  3. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
  4. In the row containing the instance you want to upgrade, click More > Add to ELB in the Operation column.
  5. In the Add to ELB dialog box, specify ELB (Load Balancer), ELB Listener, and Backend Server Group based on Step 1.

    Figure 2 Add to ELB

    The Health Check result must be Healthy, or the website requests cannot be pointed to WAF.

  6. Click Confirm. Then, configure service port for the WAF instance, and Backend Port must be set to the port configured in Step 1. Add a Website to WAF.

Step 3: Bind an EIP to a Load Balancer

If you configure a load balancer for your dedicated WAF instance, unbind the EIP from the origin server and then bind this EIP to the load balancer you configured. For details, see Configuring a Load Balancer. The request traffic then goes to the dedicated WAF instance for attack detection first and then go to the origin server, ensuring the security, stability, and availability of the origin server.

This topic describes how to unbind an EIP from your origin server and bind the EIP to a load balancer configured for a dedicated WAF instance.

  1. Click in the upper left corner of the page and choose Elastic Load Balance under Network to go to the Load Balancers page.
  2. On the Load Balancers page, unbind the EIP from the origin server.

    • Unbinding an IPv4 EIP: Locate the row that contains the load balancer configured for the origin server. Then, in the Operation column, click More > Unbind IPv4 EIP.
    • Unbinding an IPv6 EIP: Locate the row that contains the load balancer configured for the origin server. Then, in the Operation column, click More > Unbind IPv6 Address.
    Figure 3 Unbinding an EIP

  3. In the displayed dialog box, click Yes.
  4. On the Load Balancers page, locate the load balancer configured for the dedicated WAF instance and bind the EIP unbound from the origin server to the load balancer.

    • Binding an IPv4 EIP: Locate the row that contains the load balancer configured for the dedicated WAF instance, click More in the Operation column, and select Bind IPv4 EIP.
    • Binding an IPv6 EIP: Locate the row that contains the load balancer configured for the dedicated WAF instance, click More in the Operation column, and select Bind IPv6 Address.

  5. In the displayed dialog box, select the EIP unbound in Step 2 and click OK.

Step 4: Whitelist Back-to-Source IP Addresses of Dedicated WAF Instances

In dedicated mode, website traffic is pointed to the load balancer configured for your dedicated WAF instances and then to dedicated WAF instances. The latter will filter out malicious traffic and route only normal traffic to the origin server. In this way, the origin server only communicates with WAF back-to-source IP addresses. By doing so, WAF protects the origin server IP address from being attacked. In dedicated mode, the WAF back-to-source IP addresses are the subnet IP addresses of the dedicated WAF instances.

The security software on the origin server may most likely regard WAF back-to-source IP addresses as malicious and block them. Once they are blocked, the origin server will deny all WAF requests. Your website may become unavailable or respond very slowly. So, you need to configure ACL rules on the origin server to trust only the subnet IP addresses of your dedicated WAF instances.

The way to whitelist an IP address varies depending on where your origin servers are provisioned. You can follow the way suitable for you.

Pointing Traffic to an ECS Hosting Your Website

If your origin server is deployed on an ECS, perform the following steps to configure a security group rule to allow only the back-to-source IP address of the dedicated instance to access the origin server.

  1. Click in the upper left corner and choose Security > Web Application Firewall.
  2. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 4 Dedicated engine list

  3. In the IP Address column, obtain the IP address of each dedicated WAF instance under your account.
  4. Click in the upper left corner of the page and choose Compute > Elastic Cloud Server.
  5. Locate the row containing the ECS hosting your website. In the Name/ID column, click the ECS name to go to the ECS details page.
  6. Click the Security Groups tab. Then, click Change Security Group.
  7. In the Change Security Group dialog box displayed, select a security group or create a security group and click OK.
  8. Click the security group ID and view the details.
  9. Click the Inbound Rules tab and click Add Rule. Then, specify parameters in the Add Inbound Rule dialog box. For details, see Table 2.

    Figure 5 Add Inbound Rule
    Table 2 Inbound rule parameters

    Parameter

    Configuration Description

    Protocol & Port

    Protocol and port for which the security group rule takes effect. If you select TCP (Custom ports), enter the origin server port number in the text box below the TCP box.

    Server Address

    Subnet IP address of each dedicated WAF instance you obtain in Step 3. Configure an inbound rule for each IP address.

    NOTE:

    One inbound rule can contain only one IP address. To configure an inbound rule for each IP address, click Add Rule to add more rules. A maximum of 10 rules can be configured.

  10. Click OK.

    Now, the security group allows all inbound traffic from the back-to-source IP addresses of all your dedicated WAF instances.

    To check whether the configuration takes effect, use the Telnet tool to check whether a connection to the origin server service port bound to the IP address protected by WAF is established.

    For example, run the following command to check whether the connection to the origin server service port 443 bound to the IP address protected by WAF is established. If the connection cannot be established over the service port but the website is still accessible, the security group inbound rules take effect.

    Telnet Origin server IP address443

Pointing Traffic to a Load Balancer

If your origin server uses ELB to distribute traffic, perform the following steps to configure an access control policy to allow only the IP addresses of the dedicated WAF instances to access the origin server:

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Security > Web Application Firewall.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 6 Dedicated engine list

  5. In the IP Address column, obtain the IP address of each dedicated WAF instance under your account.
  6. Click in the upper left corner of the page and choose Networking > Elastic Load Balance.
  7. Locate the row containing the load balancer configured for your dedicated WAF instance and click the load balancer name in the Name column.
  8. In the Access Control row of the target listener, click Configure.

    Figure 7 Listener list

  9. In the displayed dialog box, select Whitelist for Access Control.

    1. Click Create IP Address Group and add the dedicated WAF instance access IP addresses obtained in Step 5 to the group being created.
    2. Select the IP address group created in 9.a from the IP Address Group drop-down list.

  10. Click OK.

    Now, the access control policy allows all inbound traffic from the back-to-source IP addresses of your dedicated WAF instances.

    To check whether the configuration takes effect, use the Telnet tool to check whether a connection to the origin server service port bound to the IP address protected by WAF is established.

    For example, run the following command to check whether the connection to the origin server service port 443 bound to the IP address protected by WAF is established. If the connection cannot be established over the service port but the website is still accessible, the security group inbound rules take effect.

    Telnet Origin server IP address443

Step 5: Test Dedicated WAF Instances

After adding a website to a dedicated WAF instance, verify that it can forward traffic properly and ELB load balancers work well.

Follow-up Operations