Updated on 2024-04-10 GMT+08:00

Combining CDN and WAF to Get Improved Protection and Load Speed

How the Combination Works

  • When a user accesses a website that uses Huawei Cloud CDN, DNS resolution of the website domain name follows a CNAME record to CDN. CDN then applies a set of predefined policies (such as content type, geographical location, and network load) to return the IP address of the nearest CDN node to the visitor, so that the visitor obtains the requested content as quickly as possible.

    Objects supported by CDN: domain names of web applications on Huawei Cloud, other cloud platforms, or on-premises data centers

  • Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).
    When adding a website to WAF, you can select Cloud - CNAME, Cloud - Load balancer, or Dedicated as the protection mode. Before you start, get familiar with the following differences:
    • Cloud - CNAME: protects web applications that have a domain name and are deployed on any cloud or in an on-premises data center.
    • Cloud - Load balancer: protects your web applications that are deployed on Huawei Cloud and accessible over domain names or IP addresses.
    • Dedicated: protects your web applications that are deployed on Huawei Cloud and accessible over domain names or IP addresses.

The combination of CDN and WAF can protect websites on Huawei Cloud, other clouds, or on-premises and improve website response time. Figure 1 shows the configuration diagram.

Figure 1 WAF configuration when a proxy is used

After you deploy CDN and WAF for your website, traffic is accelerated by CDN and then forwarded to WAF. WAF checks received traffic and forwards only the normal traffic to the origin server. The combination protects the website against attacks while improving the website response speed and availability.

In all three protection modes, point your website domain name to CDN and then change the CDN back-to-source (origin) address so that CDN forwards traffic to WAF instead of directly to the origin server. The back-to-source address to use depends on the mode:

  • Cloud - CNAME

    Point your website domain name to CDN and then change the CDN back-to-source address to the WAF CNAME record. Also add the WAF subdomain name and TXT record at your DNS provider; this prevents someone else from connecting your domain name to WAF before you have configured CDN.

  • Cloud - Load balancer

    Point your website domain name to CDN and change the CDN back-to-source IP address to the EIP bound to the load balancer configured for your load-balancing WAF instance.

  • Dedicated mode

    Point your website domain name to CDN and change the CDN back-to-source IP address to the EIP bound to the load balancer configured for your dedicated WAF instance.

Constraints

If your website sits behind proxies such as anti-DDoS, Content Delivery Network (CDN), or cloud acceleration services, select Per user for Rate Limit Mode and enable All WAF instances in your CC attack protection rules. Behind a proxy, the source IP address WAF sees is the proxy node's address, shared by every visitor routed through that node, so a per-IP rate limit would throttle all of them at once while a single abusive visitor hides among them.
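As an added example (not Huawei Cloud code), the following toy limiter shows that failure mode: it runs one sliding-window rate limit over constructed request records, first keyed on the connecting IP address (what WAF sees, i.e. the CDN node) and then keyed on the visitor identity carried in the X-Forwarded-For hop appended by the trusted proxy. The addresses, the 20-requests-per-10-seconds limit and the X-Forwarded-For handling are assumptions for illustration; Huawei WAF's Per user mode may key on a different identifier, such as a cookie.

```python
"""Why a per-IP CC rule misfires behind a CDN: a toy sliding-window limiter.

Added example, not Huawei Cloud code. The request records are constructed:
"src_ip" is the address WAF actually sees (the CDN node that connected to it),
and the visitor's own address travels in X-Forwarded-For. Only the XFF entry
appended by a proxy we trust (here, the CDN node) is used as the identity.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

CDN_NODE = "203.0.113.10"            # placeholder CDN edge address (TEST-NET-3)
TRUSTED_PROXIES = {CDN_NODE}         # proxies whose appended XFF hop we believe
ABUSER = "198.51.100.99"             # placeholder abusive visitor (TEST-NET-2)


def make_requests() -> List[Tuple[float, str, str]]:
    """Constructed traffic: (timestamp_s, src_ip, x_forwarded_for)."""
    reqs: List[Tuple[float, str, str]] = []
    # Four ordinary visitors, three requests each, spread over ~10 s.
    for i in range(4):
        visitor = f"198.51.100.{i + 1}"
        for k in range(3):
            reqs.append((float(i + 3 * k), CDN_NODE, visitor))
    # One abusive visitor: 40 requests in the same 10 s, via the same CDN node.
    for k in range(40):
        reqs.append((0.25 * k, CDN_NODE, ABUSER))
    reqs.sort()
    return reqs


def client_key(src_ip: str, xff: str, mode: str) -> str:
    """Identity the limiter counts against.

    per_ip   -> the connecting address, i.e. the CDN node for every visitor.
    per_user -> the last XFF hop, the one the trusted CDN appended; earlier
                hops are client-controlled and must not be trusted.
    """
    if mode == "per_ip" or src_ip not in TRUSTED_PROXIES or not xff:
        return src_ip
    return xff.split(",")[-1].strip()


def run_limiter(requests: List[Tuple[float, str, str]], mode: str,
                limit: int = 20, window_s: float = 10.0) -> Tuple[int, Set[str]]:
    """Sliding-window limiter: at most `limit` requests per key per window.

    Returns (number of blocked requests, set of identities that were blocked).
    Blocked requests do not consume window slots.
    """
    seen: Dict[str, Deque[float]] = defaultdict(deque)
    blocked, blocked_ids = 0, set()
    for ts, src_ip, xff in requests:
        key = client_key(src_ip, xff, mode)
        q = seen[key]
        while q and ts - q[0] >= window_s:
            q.popleft()
        if len(q) >= limit:
            blocked += 1
            blocked_ids.add(key)
        else:
            q.append(ts)
    return blocked, blocked_ids


if __name__ == "__main__":
    reqs = make_requests()
    for mode in ("per_ip", "per_user"):
        n, ids = run_limiter(reqs, mode)
        print(f"{mode:9s} blocked {n:2d} of {len(reqs)} requests; "
              f"identities hit: {sorted(ids)}")
```

In per_ip mode the only identity is the CDN node, so once the abuser has filled the window every ordinary visitor behind that node is blocked too; in per_user mode only the abuser is blocked. The same reasoning is why the limiter must take the XFF hop written by the trusted proxy rather than the first entry, which the client can forge.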

Prerequisites

Cloud WAF Configuration

The following uses Huawei Cloud CDN as an example to describe how to configure domain name resolution. If you use Huawei Cloud CDN, perform the steps as written. If you use another CDN, configure the same origin and DNS settings on that CDN, using these steps as a guide.

  1. Obtain settings of CNAME, Subdomain Name, and TXT Record.

    1. Log in to the management console.
    2. Click in the upper left corner of the management console and select a region or project.
    3. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
    4. In the navigation pane on the left, choose Website Settings.
    5. In the row containing the desired domain name, click the domain name to go to the Basic Information page.
    6. On the Basic Information page, click the copy icon in the CNAME row to copy the CNAME record. At the top of the page, click the icon next to Inaccessible. In the dialog box displayed, copy the subdomain name and TXT record.

  2. Change the origin server domain name of the primary origin server of CDN to the CNAME of WAF.
  3. (Optional) Add a WAF subdomain name and TXT record at your DNS provider.

    This step is recommended: it prevents someone else from adding your domain name to WAF first, which would interfere with the protection of your domain name.

    1. Access the DNS resolution page, as shown in Figure 2.
      Figure 2 DNS page
    2. In the upper right corner of the page, click Add Record Set. The Add Record Set page is displayed. Figure 3 shows an example.
      • Name: Subdomain name copied in 1.f.
      • Type: Select TXT – Specify text records.
      • Alias: Select No.
      • Line: Default
      • TTL (s): The recommended value is 5 min. A larger TTL value will make it slower for synchronization and update of DNS records.
      • Value: Enclose the TXT record copied in 1.f in double quotation marks and paste the result in the text box.
      • Keep other settings unchanged.
      Figure 3 Adding a record set
    3. Click OK.

  4. (Optional) Check whether the new DNS settings have taken effect, for example by running ping or nslookup against your domain name. Because the public record now points to CDN, the address returned belongs to a CDN node, not to WAF or to your origin server.

    It takes some time for new DNS settings to propagate. If the check fails, wait 5 minutes and try again.
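The following script, added here as an example rather than part of Huawei Cloud's documentation, performs the checks a practitioner actually wants after step 4: it follows the public CNAME chain of the protected domain to confirm it ends at the CDN, confirms that the WAF CNAME (CDN's back-to-source address) resolves, and confirms that the ownership TXT record is published at the WAF subdomain. All domain names, addresses and record values in it are constructed placeholders; the default resolver shells out to dig and needs network access, while the embedded sample resolver lets the same logic run offline.

```python
"""Verify the DNS side of a CDN + WAF deployment.

Added example, not Huawei Cloud tooling. Names, addresses and record values
below are constructed placeholders. The resolver is injectable so the checks
can run offline against sample records; the default uses `dig +short`.
"""
import subprocess
from typing import Callable, Dict, List

Resolver = Callable[[str, str], List[str]]  # (name, rrtype) -> rdata strings


def dig_resolver(name: str, rrtype: str) -> List[str]:
    """Query the system resolver via `dig +short` (needs network and dig)."""
    out = subprocess.run(["dig", "+short", name, rrtype],
                         capture_output=True, text=True, check=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def _norm(name: str) -> str:
    """Canonical form for comparing DNS names: no trailing dot, lower case."""
    return name.strip().rstrip(".").lower()


def follow_cname_chain(name: str, resolve: Resolver, max_hops: int = 8) -> List[str]:
    """Return [name, cname1, cname2, ...] ending at the first name with no CNAME."""
    chain = [_norm(name)]
    while True:
        targets = resolve(chain[-1], "CNAME")
        if not targets:
            return chain
        nxt = _norm(targets[0])
        if nxt in chain or len(chain) > max_hops:
            raise RuntimeError(f"CNAME loop or chain too long at {nxt}")
        chain.append(nxt)


def verify_cdn_waf_dns(domain: str, cdn_cname: str, waf_cname: str,
                       waf_subdomain: str, txt_record: str,
                       resolve: Resolver = dig_resolver) -> Dict[str, object]:
    """Run the three checks and return a report dict."""
    chain = follow_cname_chain(domain, resolve)
    # 1. The public chain of the website domain must pass through the CDN CNAME.
    cdn_ok = _norm(cdn_cname) in chain
    # 2. The WAF CNAME is CDN's back-to-source address, so it is not in the
    #    public chain, but it must resolve or CDN cannot reach WAF.
    waf_resolves = bool(resolve(_norm(waf_cname), "A"))
    # 3. The ownership TXT record must be published at the WAF subdomain.
    txt_values = [v.strip().strip('"') for v in resolve(_norm(waf_subdomain), "TXT")]
    txt_ok = txt_record in txt_values
    return {
        "chain": chain,
        "cdn_ok": cdn_ok,
        "waf_resolves": waf_resolves,
        "txt_ok": txt_ok,
        "all_ok": cdn_ok and waf_resolves and txt_ok,
    }


# Constructed sample zone data standing in for real DNS answers.
SAMPLE_RECORDS: Dict[tuple, List[str]] = {
    ("www.example.com", "CNAME"): ["www.example.com.c.cdn-placeholder.net."],
    ("www.example.com.c.cdn-placeholder.net", "CNAME"): ["edge-pool.cdn-placeholder.net."],
    ("edge-pool.cdn-placeholder.net", "A"): ["203.0.113.20"],
    ("abc123.waf-placeholder.net", "A"): ["203.0.113.30", "203.0.113.31"],
    ("abc123.www.example.com", "TXT"): ['"txt-placeholder-value"'],
}


def sample_resolver(name: str, rrtype: str) -> List[str]:
    """Offline resolver over SAMPLE_RECORDS; unknown names have no records."""
    return SAMPLE_RECORDS.get((_norm(name), rrtype), [])


if __name__ == "__main__":
    report = verify_cdn_waf_dns(
        domain="www.example.com",
        cdn_cname="www.example.com.c.cdn-placeholder.net",
        waf_cname="abc123.waf-placeholder.net",
        waf_subdomain="abc123.www.example.com",
        txt_record="txt-placeholder-value",
        resolve=sample_resolver,   # swap for dig_resolver to check live DNS
    )
    for key, value in report.items():
        print(f"{key:13s} {value}")
```

To check a live deployment, pass your real domain, the CDN CNAME shown in the CDN console, and the WAF CNAME, subdomain name and TXT record copied in step 1.f, and leave `resolve` at its default. A report with `cdn_ok` false usually means the DNS change has not propagated yet or the record still points at the origin; `txt_ok` false means the ownership record is missing or was pasted without the quotation marks.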

Configuring Dedicated/ELB WAF

Perform the following steps to complete configurations on Huawei Cloud CDN:

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Content Delivery & Edge Computing > Content Delivery Network.
  4. In the navigation pane on the left, choose Domains.
  5. In the domain list, click the target domain name or click Configure in the Operation column.
  6. Click the Basic Settings tab. In the Origin Server Settings area, click Edit and set the origin server address to the EIP bound to the load balancer in front of your dedicated or load-balancing WAF instance (the back-to-source address described in the configuration summary above).

  7. Click Save.

Verification

If Access Status is Accessible, the traffic destined for your website domain name or IP address is routed to WAF.

  • WAF automatically checks the access status of protected websites every hour. If WAF detects that a protected website has received 20 access requests within 5 minutes, it considers that the website has been successfully connected to WAF.
  • By default, WAF checks only the Access Status of domain names added or updated over the last two weeks. If a domain name was added to WAF more than two weeks ago and has not been modified since, click the refresh icon in the Access Progress column to refresh the progress.

If a domain name fails to be connected to WAF, its access status is Inaccessible. To fix this issue, see Why Is the Access Status of a Domain Name or IP Address Inaccessible?