Configuring an Access Control Policy on an ECS or ELB to Protect Origin Servers
After you connect your website to Web Application Firewall (WAF), configure an access control policy on your origin server that allows only the WAF back-to-source IP addresses. Then, even if attackers discover your origin server IP addresses, they cannot bypass WAF and attack the origin servers directly.
This topic walks you through how to check whether your origin servers are exposed and how to configure the access control policies. It applies to scenarios where your origin servers are deployed on Huawei Cloud ECSs or sit behind ELB load balancers.

WAF forwards incoming traffic to the origin servers regardless of whether access control rules are configured on them. However, without such rules, attackers who learn the origin server IP addresses can send requests straight to the origin servers, bypassing every WAF protection.
Precautions
- Before configuring an access control policy on an origin server, ensure that all domain names of the websites hosted on that Elastic Cloud Server (ECS) or behind that Elastic Load Balance (ELB) load balancer have been connected to WAF. Traffic for a domain name that is not connected to WAF reaches the origin server directly and will be blocked once the policy allows only WAF addresses.
- Consider the following issues when you configure a security group:
- If you enable the WAF bypassed mode for your website but do not disable the security group and network ACL configurations, the origin server may become inaccessible from the Internet, because bypassed traffic no longer originates from the WAF back-to-source IP addresses.
- If new WAF back-to-source IP addresses are assigned to WAF after the security group has been configured for your website, requests from those addresses are blocked and the website may frequently return 5xx errors until the new addresses are whitelisted.
How Do I Check Whether the Origin Server IP Address Is Exposed?
From a host outside Huawei Cloud (so that the probe reflects what an Internet attacker sees rather than an address the security group may already permit), use a Telnet tool to open a connection to the service port of the public IP address of your origin server, or enter that IP address in a browser. Then check whether the connection is established.
- Connection established
The origin server is exposed to the public. Once an attacker obtains the public IP address of the origin server, the attacker can bypass WAF and attack the origin server directly.
- Connection not established
The origin server is hidden from the public and there is no exposure risk.
For example, to check whether an origin server protected by WAF is exposed, test whether its IP address accepts a connection over port 443. If information similar to that shown in Figure 1 is displayed, the connection is established and the origin server IP address is exposed.
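The manual Telnet check above can be scripted so that it is repeated after every change to the security group or whitelist. The following Python script is an added example and is not part of the Huawei Cloud documentation; it performs the same TCP handshake that Telnet would, against each service port of the origin. The origin IP address in it is a constructed placeholder from the TEST-NET-3 range.

```python
"""Probe an origin server for direct reachability on its service ports.

Added example, not part of the Huawei Cloud WAF documentation. It reproduces
the manual Telnet check from the text: a TCP connection attempt to the origin's
public IP address on the service port. Run it from a host outside the cloud
environment, as the text recommends.
"""
import socket
from typing import Dict, Iterable

ORIGIN_IP = "203.0.113.10"    # constructed placeholder (TEST-NET-3), not a real origin
SERVICE_PORTS = (80, 443)     # typical web service ports on the origin


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A completed handshake is exactly what the Telnet check observes: the origin
    accepts connections from an arbitrary Internet source, so WAF can be
    bypassed. Refused, filtered (timed-out) or otherwise failed connections
    count as not exposed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError, TimeoutError and friends
        return False


def check_exposure(host: str, ports: Iterable[int] = SERVICE_PORTS,
                   timeout: float = 3.0) -> Dict[int, bool]:
    """Map each service port to whether the origin answered directly on it."""
    return {port: tcp_connect(host, port, timeout) for port in ports}


def report(results: Dict[int, bool]) -> str:
    """Human-readable verdict: any reachable port means the origin is exposed."""
    exposed = sorted(port for port, reachable in results.items() if reachable)
    if exposed:
        return "EXPOSED: origin accepts direct connections on port(s) " + \
            ", ".join(str(p) for p in exposed)
    return "HIDDEN: no direct connection established on the checked ports"


if __name__ == "__main__":
    print(report(check_exposure(ORIGIN_IP)))
```

Run it before the policy is applied (expect EXPOSED) and again afterwards (expect HIDDEN) while confirming in a browser that the site is still reachable through its WAF-protected domain name; both observations together are the acceptance test described later in this topic.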
Obtaining WAF Back-to-Source IP Addresses
A back-to-source IP address is a source IP address used by WAF to forward client requests to origin servers. From the origin server's point of view, every web request comes from WAF, so every TCP source IP address is a WAF back-to-source IP address. The real client IP address is carried in the HTTP X-Forwarded-For (XFF) header field; because a client can set that header itself, an origin server should only trust the value WAF adds, and only on connections that actually arrive from a WAF back-to-source IP address. For more details, see How Do I Whitelist the WAF Back-to-Source IP Address Ranges?
- Log in to the management console.
- Click the region selector in the upper left corner of the management console and select a region or project.
- Click the service list icon in the upper left corner and choose Web Application Firewall under Security & Compliance.
- In the navigation pane on the left, choose Website Settings.
- On the right of the website list, click the WAF Back-to-Source IP Addresses link.
WAF back-to-source IP addresses are periodically updated. Whitelist the new IP addresses in time to prevent those IP addresses from being blocked by origin servers.
Figure 2 WAF Back-to-Source IP Addresses
- In the displayed dialog box, click Copy to copy all the addresses.
Figure 3 WAF Back-to-Source IP Addresses dialog box
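The XFF caveat above is the part most often implemented wrongly on the origin: application code that takes the first XFF entry can be fed any address the client chooses. The following Python code is an added example, not part of the Huawei Cloud documentation or the WAF product. It assumes WAF follows the standard XFF convention of appending, to whatever header the client sent, the address it accepted the connection from; the back-to-source ranges in it are constructed placeholders that must be replaced with the list copied from the console.

```python
"""Recover the real client IP behind WAF from X-Forwarded-For without trusting the client.

Added example, not part of the Huawei Cloud WAF documentation. Assumes WAF
appends the address it received the connection from to the X-Forwarded-For
header (the standard XFF behaviour). WAF_BACK_TO_SOURCE holds constructed
placeholder ranges; replace them with the addresses copied from the console.
"""
import ipaddress
from typing import Iterable, List, Optional

# Constructed placeholders standing in for the WAF back-to-source IP list.
WAF_BACK_TO_SOURCE = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]


def is_waf_source(addr: str, ranges: Iterable = WAF_BACK_TO_SOURCE) -> bool:
    """True if a TCP peer address belongs to one of the WAF back-to-source ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in ranges)


def naive_client_ip(xff_header: str) -> str:
    """The common mistake: take the leftmost XFF entry, which the client controls."""
    return xff_header.split(",")[0].strip()


def real_client_ip(peer_addr: str, xff_header: Optional[str],
                   ranges: Iterable = WAF_BACK_TO_SOURCE) -> Optional[str]:
    """Return the client address WAF appended to XFF, or None if it cannot be trusted.

    XFF is a chain 'client, proxy1, proxy2, ...': each hop appends the address
    it accepted the connection from. Everything left of the entry WAF appended
    was supplied by the client (or an upstream proxy) and is untrusted, so the
    trustworthy value is the rightmost entry that is not itself a WAF address.
    None means the caller should reject the request or at least not use any
    forwarded address: either the connection did not come from WAF at all
    (a bypass attempt the security group or whitelist should have blocked), or
    the header is absent or malformed.
    """
    ranges = list(ranges)
    if not is_waf_source(peer_addr, ranges) or not xff_header:
        return None
    hops: List[str] = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):            # walk from the entry WAF appended
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None                   # malformed entry: refuse to guess
        if not any(ip.version == net.version and ip in net for net in ranges):
            return str(ip)                # first hop from the right that is not WAF
    return None                           # every hop was a WAF address


if __name__ == "__main__":
    # Constructed request: the client spoofed XFF, then WAF appended 192.0.2.55.
    peer, xff = "198.51.100.7", "10.0.0.1, 192.0.2.55"
    print("naive:", naive_client_ip(xff), "| trusted:", real_client_ip(peer, xff))
```

The peer-address check is what ties this to the rest of the topic: once the security group or ELB whitelist admits only WAF addresses, every connection that reaches the application passes is_waf_source, and real_client_ip becomes the only value that belongs in access logs, rate limits and IP-based allowlists.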
Configuring an Inbound Rule for an ECS
If your origin server is deployed on a Huawei Cloud ECS, perform the following steps to configure a security group rule to allow only the WAF back-to-source IP addresses to access the origin server.

Ensure that all WAF back-to-source IP addresses are whitelisted by inbound rules of the security group configured for the ECS. Otherwise, the website may become inaccessible.
- Log in to the management console.
- Click the region selector in the upper left corner of the management console and select a region or project.
- Click the service list icon in the upper left corner of the page and choose Compute > Elastic Cloud Server.
- Locate the row containing the ECS you want. In the Name/ID column, click the ECS name to go to the ECS details page.
- Click the Security Groups tab. Then, click Change Security Group.
- Click the security group name to view the details.
- Click the Inbound Rules tab and then Add Rule to go to the Add Inbound Rule page. Figure 4 shows an example. Table 1 describes the parameters.
Table 1 Inbound rule parameters
Protocol & Port: Protocol and port for which the security group rule takes effect. If you select TCP (Custom ports), enter the origin server port number in the text box below the TCP box.
Source: Add all WAF back-to-source IP addresses copied in Step 6 one by one.
NOTE: One IP address is configured per rule. Click Add Rule to add more rules. A maximum of 10 rules can be added.
- Click OK.
Then, the security group rules allow inbound traffic to the origin server port from the WAF back-to-source IP addresses. Security group rules are allow rules and accumulate, so also remove any existing inbound rule that opens the service port to a broader source such as 0.0.0.0/0; otherwise the whitelist has no effect.
To check whether the security group rules take effect, refer to How Do I Check Whether the Origin Server IP Address Is Exposed? If a connection cannot be established over the service port but the website is still accessible through its domain name, the configuration takes effect.
Enabling ELB Access Control
If your origin server is deployed on backend servers of a Huawei Cloud ELB load balancer, perform the following steps to configure an access control list to allow only the WAF back-to-source IP addresses to access the origin server.
- Log in to the management console.
- Click the region selector in the upper left corner of the management console and select a region or project.
- Click the service list icon in the upper left corner of the page and choose Networking > Elastic Load Balance.
- Locate the load balancer you want. In the Listener column, click the listener name to go to the details page.
- On the displayed page, click the Listeners tab. On the Basic Information tab, click Configure Access Control next to Access Control. Figure 5 shows an example.
- In the displayed dialog box, select Whitelist for Access Policy. Figure 6 shows an example.
- Select the IP address group including only WAF back-to-source IP addresses obtained in Step 6.
If no such an IP address group exists, click Create IP Address Group and add all WAF back-to-source IP addresses to the IP address group you are creating.
- Click OK.
To check whether the listener whitelist takes effect, refer to How Do I Check Whether the Origin Server IP Address Is Exposed? If a connection cannot be established over the service port but the website is still accessible through its domain name, the configuration takes effect.
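Both procedures above (the ECS security group and the ELB listener whitelist) fail in the same two ways the Precautions section warns about: a leftover rule that opens the port to everyone makes the whitelist meaningless, and a WAF range that was never added produces 5xx errors. The following Python audit is an added example, not part of the Huawei Cloud documentation and not a Huawei Cloud API call; it takes an inbound rule set exported by whatever means you have (an ELB IP address group is simply rules with any protocol and no port) and reports both mistakes. All addresses and rules in it are constructed placeholders.

```python
"""Audit an origin's inbound allow list against the WAF back-to-source ranges.

Added example, not part of the Huawei Cloud documentation. Rule models the
fields of a security group inbound rule (protocol, port, source); an ELB
listener whitelist is modelled as rules with protocol "any" and port None.
All ranges and rules below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "any"
    port: Optional[int]    # None means all ports
    source: str            # single IP address or CIDR block


def _net(value: str):
    """Parse an address or CIDR block; a bare address becomes a /32 or /128."""
    return ipaddress.ip_network(value, strict=False)


def _covers_port(rule: Rule, port: int) -> bool:
    """True if the rule admits TCP traffic to the given service port."""
    return rule.protocol.lower() in ("any", "tcp") and (rule.port is None or rule.port == port)


def _inside(inner, outer) -> bool:
    """True if network 'inner' lies wholly within 'outer' (same IP version only)."""
    return inner.version == outer.version and inner.subnet_of(outer)


def audit(rules: Iterable[Rule], waf_ranges: Iterable[str],
          service_port: int) -> Tuple[List[str], List[str]]:
    """Return (unexpected_sources, missing_waf_ranges) for the service port.

    unexpected_sources: sources admitted to the port that are not wholly inside a
        WAF range. A single 0.0.0.0/0 entry here means WAF can be bypassed.
    missing_waf_ranges: WAF ranges not wholly admitted by any rule. Requests from
        those addresses are dropped, which shows up as 5xx errors through WAF.
    """
    waf_nets = [_net(r) for r in waf_ranges]
    admitted = [_net(r.source) for r in rules if _covers_port(r, service_port)]
    unexpected = [str(src) for src in admitted
                  if not any(_inside(src, waf) for waf in waf_nets)]
    missing = [str(waf) for waf in waf_nets
               if not any(_inside(waf, src) for src in admitted)]
    return unexpected, missing


# Constructed sample: two WAF ranges, an SSH rule that is irrelevant to port 443,
# one correct WAF rule, and a stray rule that opens 443 to the whole Internet.
WAF_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]
SAMPLE_RULES = [
    Rule("tcp", 22, "192.0.2.0/24"),
    Rule("tcp", 443, "198.51.100.0/24"),
    Rule("tcp", 443, "0.0.0.0/0"),
]


def sample_audit() -> Tuple[List[str], List[str]]:
    """Audit the constructed sample for port 443."""
    return audit(SAMPLE_RULES, WAF_RANGES, 443)


if __name__ == "__main__":
    unexpected, missing = sample_audit()
    print("sources that bypass WAF:", unexpected or "none")
    print("WAF ranges not whitelisted:", missing or "none")
```

In the constructed sample the stray 0.0.0.0/0 rule is reported as unexpected, and because it also happens to cover 203.0.113.0/24 nothing is reported missing; deleting that rule without adding the second WAF range would then flip the report to a missing range, which is the 5xx scenario. Re-run the audit whenever the console shows an updated back-to-source list.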