How Do I Route Website Traffic to My Cloud WAF Instance?
In cloud CNAME access mode, after you add your website to WAF, resolve the website domain name to WAF so that the traffic can pass through WAF. Then, WAF will filter out malicious requests and forward only legitimate requests to the origin server.
How WAF Works
- No proxy used
DNS resolves your domain name to the origin server IP address before the site is connected to WAF. DNS resolves your domain name to the CNAME of WAF after the site is connected to WAF. Then WAF inspects the incoming traffic and filters out malicious traffic.
- A proxy (such as anti-DDoS service) used
If a proxy such as anti-DDoS service is used on your site before it is connected to WAF, DNS resolves the domain name of your site to the anti-DDoS IP address. The traffic goes to the anti-DDoS service and the anti-DDoS service then routes the traffic back to the origin server. After you connect your website to WAF, change the back-to-source address of the proxy (such as anti-DDoS service) to the CNAME of WAF. In this way, the proxy forwards the traffic to WAF. WAF then filters out illegitimate traffic and only routes legitimate traffic back to the origin server.
- To ensure that WAF can properly forward requests, perform local verification by referring to Testing WAF before modifying the DNS configuration.
- To prevent other users from configuring your domain names on WAF in advance (this will cause interference on your domain name protection), add the subdomain name and TXT record on your DNS management platform. WAF can determine which user owns the domain name based on the subdomain name and TXT record.
Operation Guide
After a domain name is added, WAF generates a CNAME record, or CNAME, subdomain name, and TXT record for DNS to resolve the domain name to WAF so that website traffic can pass through WAF for detection. For details, see Table 1.
Scenario |
Generated Parameter Value |
Operation Related to Domain Name Resolution |
---|---|---|
No proxy used |
CNAME |
The DNS obtains the CNAME of WAF. |
Proxy used |
CNAME, subdomain name, and TXT record |
|
Procedure
For details, see Connecting a Domain Name to WAF.
Domain Name and Port Configuration FAQs
- How Do I Add a Domain Name/IP Address to WAF?
- Which Non-Standard Ports Does WAF Support?
- How Do I Use a Dedicated WAF Instance to Protect Non-Standard Ports That Are Not Supported by the Dedicated Instance?
- How Do I Configure Domain Names to Be Protected When Adding Domain Names?
- Do I Have to Configure the Same Port as That of the Origin Server When Adding a Website to WAF?
- How Do I Configure Non-standard Ports When Adding a Protected Domain Name?
- What Can I Do If One of Ports on an Origin Server Does Not Require WAF Protection?
- What Data Is Required for Connecting a Domain Name/IP Address to WAF?
- How Do I Safely Delete a Protected Domain Name?
- Can I Change the Domain Name That Has Been Added to WAF?
- What Are the Precautions for Configuring Multiple Server Addresses for Backend Servers?
- Does WAF Support Wildcard Domain Names?
- How Do I Route Website Traffic to My Cloud WAF Instance?
- What Can I Do If the Message "Illegal server address" Is Displayed When I Add a Domain Name?
- Why Am I Seeing That My Domain Quota Is Insufficient When There Is Still Remaining Quota?
- Can I Configure Multiple Load Balancers for a Dedicated WAF Instance?
- Why Am I Seeing the "Someone else has already added this domain name. Please confirm that the domain name belongs to you" Error Message?
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
more