Help Center/ Web Application Firewall/ Drawer/ Adding a Domain Name to WAF (Cloud Mode)/ Allowing WAF Back-to-Source IP Addresses to Access Origin Servers
Updated on 2025-07-04 GMT+08:00
Share

Allowing WAF Back-to-Source IP Addresses to Access Origin Servers

Description

A back-to-source IP address is a source IP address used by WAF to forward client requests to origin servers. To origin servers, all web requests come from WAF, and all source IP addresses are WAF back-to-source IP addresses. The real client IP address is encapsulated into the HTTP X-Forwarded-For (XFF) header field. To make sure your cloud WAF work properly, configure ACL rules on your origin server to allow traffic only on all ports mapped to the WAF back-to-source IP addresses. This prevents hackers from directly attacking your origin server through its IP addresses.

  • There will be more WAF back-to-source IP addresses due to service scale-out or use of new clusters. For your legacy domain names, WAF back-to-source IP addresses usually fall into several class C IP addresses (192.0.0.0 to 223.255.255.255) of two to four clusters.
  • Generally, these IP addresses do not change unless clusters in use are changed due to disaster recovery switchovers or other scheduling switchovers. Even when WAF cluster is switched over on the WAF background, WAF will check the security group configuration on the origin server to prevent service interruptions.
Figure 1 Back-to-source IP addresses

Procedure

  1. Click to copy all back-to-source IP addresses.
  2. Open the security software on the origin server and add the copied IP addresses to its IP address whitelist.

    • If your origin servers are Huawei Cloud ECSs, see Whitelisting WAF IP Addresses on Origin Servers That Are Deployed on ECSs.
    • If your website uses Huawei Cloud ELB, see Whitelisting WAF Back-to-Source IP Addresses on Origin Servers That Use Huawei Cloud ELB.
    • If you also use Cloud Firewall (CFW) on Huawei Cloud, refer to Adding a Protection Rule.
    • If your website is deployed on servers on other cloud vendors, whitelist the WAF IP addresses in the corresponding security group and access control rules.
    • If only the personal edition antivirus software is installed on the origin server, the software does not have the interface for whitelisting IP addresses. If the origin server provides external web services, install the enterprise security software on or use Huawei Cloud Host Security Service (HSS) for the server. These products identify the sockets of some IP addresses with a large number of requests and occasionally disconnect the connections. Generally, the IP addresses of WAF are not blocked.

Whitelisting WAF IP Addresses on Origin Servers That Are Deployed on ECSs

If your origin server is deployed on a Huawei Cloud ECS, perform the following steps to configure a security group rule to allow only the WAF back-to-source IP addresses to access the origin server.

  1. Click in the upper left corner of the page and choose Compute > Elastic Cloud Server.
  2. Locate the row containing the ECS hosting your website. In the Name/ID column, click the ECS name to go to the ECS details page.
  3. Select the Security Groups tab and click the target security group.
  4. On the security group details page, select the Inbound Rules tab and click Add Rule.
  5. In the Add Inbound Rule dialog box, configuring the following parameters:

    Figure 2 Add Inbound Rule
    Table 1 Inbound rule parameters

    Parameter

    Description

    Priority

    Security group rule priority. Retain the default value.

    Action

    Security group rule policy. Set this parameter to Allow.

    Type

    Set the IP address type of the origin server.

    Protocol & Port

    Protocol and port for which the security group rule takes effect. If you select TCP (Custom ports), and leave Port empty or enter 1-65535 for it, traffic on all ports over the back-to-source IP addresses or IP address ranges is allowed.

    More details about protocols and ports are as follows:

    • Protocols are used to match traffic in a security group rule. TCP, UDP, GRE, and ICMP are supported.
    • Ports are destination ports used to match traffic in a security group rule. The value ranges from 1 to 65535.

      Enter ports in the following formats:

      • Individual port: Enter a port, such as 22.
      • Consecutive ports: Enter a port range, such as 22-30.
      • Non-consecutive ports: Enter ports and port ranges, such as 22,23-30. You can enter up to 20 port ranges. Each port range must be unique.
      • All ports: Leave it empty or enter 1-65535.

    Source

    Add IP Address/Mask of all WAF back-to-source IP addresses/ranges copied from 1 one by one.

    NOTE:

    One inbound rule can contain only one IP address. To configure an inbound rule for each IP address, click Add Rule to add more rules. You can add up to 10 rules.

  6. Click OK.

    Then, the security group rules allow all inbound traffic from the WAF back-to-source IP addresses.

Whitelisting WAF Back-to-Source IP Addresses on Origin Servers That Use Huawei Cloud ELB

If your origin server is deployed on backend servers of a Huawei Cloud ELB load balancer, perform the following steps to configure an access control list to allow only the WAF back-to-source IP addresses to access the origin server.

  1. Click in the upper left corner of the page and choose Networking > Elastic Load Balance.
  2. Locate the load balancer you want. In the Listener column, click the listener name to go to its details page.
  3. In the Access Control row of the target listener, click Configure.
  4. In the displayed dialog box, select Whitelist for Access Control.

    1. Click Create IP Address Group and add the WAF back-to-source IP addresses copied in 1 to the group being created.
    2. Select the IP address group created in 4.a from the IP Address Group drop-down list.

  5. Click OK.
Parent Topic: Adding a Domain Name to WAF (Cloud Mode)