Updated on 2024-03-14 GMT+08:00

Process for Adding a Website to WAF (Cloud Mode)

This topic describes how to connect a domain name of a website to WAF in CNAME access mode so that the access traffic destined for the website can be forwarded to WAF for protection.

Constraints

  • In CNAME access method, a cloud WAF instance can protect web applications and websites deployed on a cloud or on-premises data center as long as they are accessible through domain names.
  • After your website is connected to WAF, you can upload a file no larger than 10 GB each time.

Prerequisites

The following describes how WAF works when there is a proxy used or no proxy used in front of WAF:

  • Proxy used

    If your website has used proxies, such as anti-DDoS, Content Delivery Network (CDN), or cloud acceleration, Figure 1 shows how WAF works.

    • DNS resolves the domain name to the proxy IP address before your website is connected to WAF. In this case, the traffic passes through the proxy and then the proxy routes the traffic back to the origin server.
    • After you connect your website to WAF, change the back-to-source address of the proxy to the CNAME record of WAF. In this way, the proxy forwards the traffic to WAF. WAF then filters out illegitimate traffic and only routes legitimate traffic back to the origin server.
      1. Change the back-to-source IP address of the proxy to the CNAME record of WAF.
      2. (Optional) Add a WAF subdomain name and TXT record at your DNS provider.
    Figure 1 WAF configuration when a proxy is used
  • No proxy used

    If no proxy is used before the website is connected to WAF, Figure 2 shows how WAF works.

    • DNS resolves your domain name to the origin server IP address before your website is connected to WAF. Therefore, web visitors can directly access the server.
    • After your website is connected to WAF, DNS resolves your domain name to the CNAME record of WAF. In this way, the traffic passes through WAF. WAF then filters out illegitimate traffic and only routes legitimate traffic back to the origin server.
    Figure 2 No proxy used

Processes of Connecting a Website to WAF

After purchasing a cloud WAF instance, complete the required configurations by following the process shown in Figure 3.

Figure 3 Process of connecting a website to WAF - Cloud Mode (CNAME Access)
Table 1 Process of connecting your website domain name to WAF

Procedure

Description

Step 1: Add a Domain Name to WAF (Cloud Mode)

Configure basic information, such as the domain name, protocol, and origin server.

Step 2: Whitelist WAF IP Addresses

If other security software or firewalls are installed on your origin server, whitelist only requests from WAF. This ensures normal access and protects the origin server from hacking.

Step 3: Test WAF

To ensure that your WAF instance forwards website traffic normally, test the WAF instance locally and then route traffic destined for the website domain name to WAF by modifying DNS record.

Step 4: Modify the DNS Records of the Domain Name

  • No proxy used

    Configure a CNAME record for the protected domain name on the DNS platform you use.

  • Proxy (such as advanced anti-DDoS and CDN) used

    Change the back-to-source IP address of the used proxy, such as advanced anti-DDoS and CDN, to the copied CNAME record.

After you connect a domain name to WAF, WAF works as a reverse proxy between the client and the server. The real IP address of the origin server is hidden and only the IP address of WAF is visible to web visitors.

Collecting Domain Name Details

Before adding a domain name, obtain the information listed in Table 2.

Table 2 Domain name information required

Information

Parameter

Description

Example

Whether a proxy is used for the domain name

Proxy Configured

If your website has used proxies, such as anti-DDoS, Content Delivery Network (CDN), or cloud acceleration, this parameter must be set to Yes.

-

Parameters

Domain Name

The domain name is used by visitors to access your website. A domain name consists of letters separated by dots (.). It is a human readable address that maps to the machine readable IP address of your server.

www.example.com

Protected Port

The service port corresponding to the domain name of the website you want to protect.

  • Standard Ports
    • 80: default port when the client protocol is HTTP
    • 443: default port when the client protocol is HTTPS
  • Non-standard ports

    Ports other than ports 80 and 443

    NOTICE:

    If your website uses a non-standard port, check whether the WAF edition you plan to buy can protect the non-standard port before you make a purchase. For details, see Ports Supported by WAF.

80

Client Protocol

Protocol used by a client (for example, a browser) to access the website. WAF supports HTTP and HTTPS.

HTTP

Server Protocol

Protocol used by WAF to forward requests from the client (such as a browser). The options are HTTP and HTTPS.

HTTP

Server Address

Public IP address or domain name of the origin server for a client (such as a browser) to access. Generally, a public IP address maps to the A record of the domain name configured on the DNS, and a domain name to the CNAME record.

XXX.XXX.1.1

(Optional) Certificate

Certificate Name

If you set Client Protocol to HTTPS, you are required to configure a certificate on WAF and associate the certificate with the domain name.

NOTICE:

Only .pem certificates can be used in WAF. If a certificate is not in .pem, convert it by referring to How Do I Convert a Certificate into PEM Format?

-

Fixing Inaccessible Websites

If a domain name fails to be connected to WAF, its access status is Inaccessible. To fix this issue, see Why Is My Domain Name or IP Address Inaccessible?