Updated on 2023-12-13 GMT+08:00

Accelerating Resources Protected by WAF

Prerequisites

Background

CDN is an intelligent virtual network built on top of the Internet. By deploying PoP servers across the network and distributing content from origin servers to these PoP servers, CDN enables users to obtain desired content nearby. Websites connected to CDN can quickly respond to user requests.

WAF keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block attacks, including Structured Query Language (SQL) injection, cross-site scripting (XSS), webshells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).

If your websites have high requirements on security and acceleration, you can associate Huawei Cloud CDN with WAF to accelerate websites and defend against web attacks.

Principles

When CDN and WAF are connected, the traffic flow is as follows: CDN > WAF > origin server. CDN forwards the traffic to WAF, and WAF filters out unauthorized traffic and routes only authorized traffic back to your origin server.

Scenarios

This section uses Huawei Cloud WAF as an example to describe how to enable the connection between CDN and WAF. If your WAF service is provided by other service providers, configure it by referring to this section.

Scenario 1: You have purchased a WAF instance and added a domain name to WAF.

Set Proxy Configured to Yes in the basic information about the domain name so that WAF security policies apply to the real client IP address rather than to the CDN node that forwards the request. Then add the domain name to CDN and set the CNAME of WAF as the origin server in CDN. In this way, CDN forwards the traffic to WAF, providing both acceleration and web attack defense.
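Why Proxy Configured matters, shown as an added example that is not part of the Huawei Cloud documentation or product code: when WAF sits behind CDN, every TCP connection it sees comes from a CDN node, so IP-based policies (CC protection, blacklists) must be keyed on the client address carried in X-Forwarded-For, and only when the immediate peer is a trusted CDN node. The trusted ranges and all addresses below are constructed placeholders, and the function models the behaviour rather than WAF's internal implementation.

```python
import ipaddress

# Constructed placeholders: address ranges the WAF trusts as its upstream
# proxy (the CDN PoP ranges). Obtain the real ranges from your CDN provider.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]


def is_trusted_proxy(ip):
    """True if ip falls inside a trusted CDN range. Raises ValueError on junk."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def real_client_ip(peer_ip, xff_header, proxy_configured):
    """Return the address that security policies should be evaluated against.

    peer_ip          -- TCP peer that connected to WAF (the CDN node, behind CDN)
    xff_header       -- raw X-Forwarded-For value, or None if absent
    proxy_configured -- the WAF "Proxy Configured" switch (True == Yes)
    """
    if not proxy_configured:
        # Proxy Configured = No: the TCP peer is treated as the client. Behind
        # CDN, every request then appears to come from a CDN node, so a CC rule
        # would throttle the CDN instead of the attacker.
        return peer_ip
    if not is_trusted_proxy(peer_ip) or not xff_header:
        # Not via CDN (header could be client-forged) or nothing to consult.
        return peer_ip
    # Walk X-Forwarded-For from the right: the rightmost entries were appended
    # by trusted proxies, the first untrusted one is the real client. Anything
    # further left was supplied by the client and must not be trusted.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop):
                return hop
        except ValueError:
            return peer_ip  # malformed entry: fall back to the TCP peer
    return peer_ip
```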

Restrictions

  • CDN supports only domain names with the default ports. If the domain name is added to WAF using a non-standard port, the domain name cannot be added to CDN.
  • If you have uploaded an HTTPS certificate for the domain name on WAF, upload the certificate to CDN. Otherwise, the domain name cannot be accessed.

Procedure

  1. Modify the proxy settings of the domain name in WAF by following the instructions provided in Viewing Basic Information.
    • Proxy Configured: Select Yes.

  2. Copy the CNAME record generated by WAF.
  3. Add the domain name to CDN.
    1. Log in to the Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

      The CDN console is displayed.

    2. In the navigation pane, choose Domains.
    3. On the Domains page, click Add Domain Name. In the dialog box displayed, specify domain parameters.
      • When adding an origin server, set Type to Domain name and Address to the CNAME record generated by WAF.

    4. Click OK. CDN generates a dedicated CNAME record for the domain name.
  4. (Optional) Test your domain name before adding a CNAME record to the domain's DNS records to ensure that your domain configurations are correct. For details, see (Optional) Testing the Domain Name.
  5. Add the CNAME record provided by CDN to your domain's DNS records. For details, see Configuring a CNAME Record.
  6. Verify that the CNAME record has taken effect.

    Open the Windows command line interface and run the following command, replacing Domain name with your accelerated domain name:

    nslookup -qt=cname Domain name

    If the CNAME record is displayed, the CNAME record has taken effect. A typical command output is shown in the following figure.

    If your domain name has been added to neither CDN nor WAF, you are advised to add the domain name to WAF first and then configure the connection as described in scenario 1.

Scenario 2: You have added a domain name to CDN for acceleration.

Add the domain name to WAF and set Proxy Configured to Yes. In this way, WAF can perform security defense for real IP addresses of clients. Then set the CNAME generated by WAF as the origin server in CDN to allow CDN to forward the traffic to WAF, achieving acceleration and web attack defense.

Restrictions

If you have uploaded an HTTPS certificate for the domain name on CDN, upload the certificate to WAF. Otherwise, the domain name cannot be accessed.

Procedure

  1. Add the domain name information, including the IP address and port of your origin server, to WAF. For details, see Adding a Domain Name to WAF. Pay attention to the following key settings:
    • Non-standard Port: Deselect it.
    • Proxy Configured: Select Yes.

  2. When the configuration is complete, WAF generates a dedicated CNAME for the domain name.

    You are advised to check whether services are normal after adding the domain name to WAF, and then modify the origin server configuration in CDN.

  3. Change the origin server address of the domain name added to CDN to the CNAME generated by WAF.
    1. Log in to the Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

      The CDN console is displayed.

    2. In the navigation pane, choose Domains.
    3. In the domain list, click the target domain name or click Configure in the Operation column.
    4. Click the Basic Settings tab.
    5. In the Origin Server Settings area, click Edit in the Operation column of the origin server and modify the origin server settings.
      • Type: Select Domain name.
      • Address: Enter the CNAME generated by WAF.
      • Origin Port: Retain the default port.

    When the configuration is complete, CDN forwards traffic to WAF for acceleration and web attack defense.