Connecting Your Website to WAF (Dedicated Mode)
If your service servers are deployed on Huawei Cloud, you can use dedicated WAF instances to protect your website services as long as your website has domain names or IP addresses.
If you have enabled enterprise projects, you can select your enterprise project from the Enterprise Project drop-down list and add websites to be protected in the project.
Dedicated WAF instances are not available in some regions. For details, see Notice on Web Application Firewall (Dedicated Mode) Discontinued.
Solution Overview
In dedicated mode, after a website is connected to WAF, the website traffic is sent to WAF through the ELB load balancer. WAF blocks abnormal requests and forwards normal requests to the origin server through the back-to-source IP address of the dedicated WAF engine. Figure 1 shows how your website traffic is forwarded when WAF is used.
The details are as follows:
- After a visitor enters a domain name in the browser, the client sends a request to the DNS service to query the domain name resolution address.
- DNS returns the domain name resolution address to the client.
- If no proxies (for example, CDN or AAD) are used, the domain name resolution address returned by the DNS service is the EIP of the load balancer, and the client accesses the load balancer through the EIP. If a proxy is used:
  - The domain name resolution address returned by DNS is the IP address of the proxy. The client accesses the proxy through the proxy IP address.
  - The proxy accesses the ELB load balancer over its EIP.
- The ELB load balancer forwards the traffic to WAF.
- WAF checks the traffic, blocks abnormal traffic, and forwards normal traffic to the origin server over the back-to-source IP address of the dedicated WAF engine.
Access Process
You need to perform the following operations based on whether your website uses a proxy (such as AAD, CDN, and cloud acceleration products).
Procedure | Description |
---|---|
Step 1: Add a Website to WAF | Add a domain name and origin server details to WAF. |
Step 2: Configure a Load Balancer for a Dedicated WAF Instance | Configure a load balancer and health check for a dedicated WAF instance. |
Step 3: Bind an EIP to a Load Balancer | Bind the EIP of the origin server to the load balancer configured for the dedicated WAF instance so that website request traffic is forwarded to and checked by the dedicated WAF instance. |
Step 4: Whitelist Back-to-Source IP Addresses of Dedicated WAF Instances | Allow the back-to-source IP addresses of the dedicated engine on the origin server. |
Step 5: Test Dedicated WAF Instances | Check WAF traffic forwarding, the ELB load balancer, and WAF basic protection. |
Prerequisites
- You have purchased a dedicated load balancer. For details about load balancer types, see Differences Between Dedicated and Shared Load Balancers.
Dedicated WAF instances issued before April 2023 cannot be used with dedicated network load balancers. If you use a dedicated network load balancer (TCP/UDP), ensure that your dedicated WAF instance has been upgraded to the latest version (issued after April 2023). For details, see Dedicated Engine Version Iteration.
- Related ports have been enabled in the security group to which the dedicated WAF instance belongs.
You can configure your security group as follows:
  - Inbound rules: Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, you can add a rule that allows TCP and port 80.
  - Outbound rules: The value is Default. All outgoing network traffic is allowed by default.
For more details, see Adding a Security Group Rule.
Step 1: Add a Website to WAF
To connect your services to WAF, you need to add the domain name and origin server information to WAF.
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
- In the navigation pane, choose Website Settings.
- In the upper left corner of the website list, click Add Website.
- Select Dedicated Mode and click Configure Now.
- Configure basic information. For details about the parameters, see Table 1.
Figure 2 Configuring basic information
Table 1 Parameter description

- Protected Object
  Description: The domain name or IP address (public or private IP address) of the website you want to protect. You can enter a single domain name or a wildcard domain name.
  NOTE:
  - The wildcard * can be added to WAF to let WAF protect any domain name. If the wildcard (*) is added to WAF, only non-standard ports other than 80 and 443 can be protected.
  - If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if the subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can add the wildcard domain name *.example.com to WAF to protect all three.
  - If the server IP addresses of the subdomain names are different, add the subdomain names as single domain names one by one.
  - WAF can protect both public and private IP addresses. If a private IP address is used, ensure that the corresponding network path is accessible so that WAF can correctly monitor and filter traffic.
  Example value: -
- Website Name (Optional)
  Description: Website name you specify.
  Example value: WAF
- Website Remarks (Optional)
  Description: Remarks of the website.
  Example value: waftest
- Protected Port
  Description: Port to be protected.
  - To protect port 80 or 443, select Standard port from the drop-down list.
  - To protect other ports, select one that WAF supports. Click View Ports You Can Use to view the HTTP and HTTPS ports supported by WAF. For more information, see Ports Supported by WAF.
  NOTE: If a port other than 80 or 443 is configured, visitors need to append the non-standard port to the website address when they access the website. Otherwise, a 404 error occurs. If a 404 error occurs, see How Do I Troubleshoot 404/502/504 Errors?
  Example value: 81
- Server Configuration
  Description: Address of the web server. The configuration contains the Client Protocol, Server Protocol, VPC, Server Address, and Server Port.
  - Client Protocol: protocol used by a client to access a server. The options are HTTP and HTTPS.
  - Server Protocol: protocol used by WAF to forward client requests, which must be the protocol supported by your website server. The options are HTTP and HTTPS.
    NOTE:
    - If the client protocol is different from the origin server protocol, WAF forcibly uses the origin server protocol to forward client requests.
    - WAF can check WebSocket and WebSockets requests. This check is enabled by default.
  - VPC: Select the VPC to which the dedicated WAF instance belongs.
    NOTE: To implement active-active services and prevent single points of failure (SPOFs), it is recommended that at least two WAF instances be configured in the same VPC.
  - Server Address: private IP address of the website server. Log in to the ECS or ELB console and view the private IP address of the server in the instance list.
    NOTE: The origin server address cannot be the same as that of the protected object.
    The following IP address formats are supported:
    - IPv4, for example, XX.XXX.1.1
    - IPv6, for example, fe80:0000:0000:0000:0000:0000:0000:0000
  - Server Port: service port of the server to which the dedicated WAF instance forwards client requests.
  Example value:
  - Client Protocol: HTTP
  - Server Protocol: HTTP
  - Server Address: XXX.XXX.1.1
  - Server Port: 80
- Certificate Name
  Description: If you set Client Protocol to HTTPS, an SSL certificate is required.
  - If you have not created a certificate, click Import New Certificate. In the Import New Certificate dialog box, set the certificate parameters. For more details, see Uploading a Certificate. The newly imported certificates will also be listed on the Certificates page.
  - If a certificate has been created, select a valid certificate from the Existing certificates drop-down list.
  - If you have used a CCM certificate under the same account, you can select an SSL certificate from the drop-down list. The name of the SSL certificate you select must be the same as that in CCM.
  NOTICE:
  - Only .pem certificates can be used in WAF. If the certificate is not in PEM format, convert it into PEM format first. For details, see How Do I Convert a Certificate into PEM Format?
  - Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used.
  - If your website certificate is about to expire, purchase a new certificate before the expiration date and update the certificate associated with the website in WAF. WAF can send notifications if a certificate expires. You can configure such notifications on the Notifications page. For details, see Enabling Alarm Notifications.
  - Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, add domain names one by one in WAF.
  Example value: -
- Use Layer-7 Proxy
  Description:
  - Yes: Web proxy products that forward requests at layer 7, such as anti-DDoS, CDN, and other cloud acceleration services, are used.
  - No: No layer-7 proxies are used.
  NOTICE: If your website uses a proxy, select Yes. Then WAF obtains the actual access IP address from the related field in the configured header. For details, see Configuring a Traffic Identifier for a Known Attack Source.
  Example value: Layer-7 proxy
- Configure the advanced settings.
  Policy: The System-generated policy is selected by default. You can select a policy you configured before. You can also customize rules after the domain name is connected to WAF.
  System-generated policies include:
  - Basic web protection (Log only mode and common checks)
    Basic web protection defends against attacks such as SQL injection, XSS, remote overflow vulnerabilities, file inclusion, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injection.
  - Anti-crawler (Log only mode and Scanner feature)
    WAF only logs web scanning tasks, such as vulnerability scanning and virus scanning, for example, the crawling behavior of OpenVAS and Nmap.
  Log only: WAF only logs detected attack events instead of blocking them.
- Click OK.
To enable WAF protection, there are still several steps, including configuring a load balancer, binding an EIP to the load balancer, and whitelisting back-to-source IP addresses of your dedicated instance. You can click Later in this step. Then, follow the instructions and finish those steps by referring to Step 2: Configure a Load Balancer for a Dedicated WAF Instance, Step 3: Bind an EIP to a Load Balancer, and Step 4: Whitelist Back-to-Source IP Addresses of Dedicated WAF Instances.
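The Use Layer-7 Proxy setting in Table 1 decides which address WAF applies its protection rules to: with no proxy in front of the load balancer, the TCP peer address is the client and any forwarded-for header in the request is untrusted input; with a proxy, the client address has to be read from the configured header field, and only hops that belong to the proxy may be skipped. The following Python is an added illustration of that difference, not Huawei Cloud or WAF product code. The trusted proxy range (198.51.100.0/24), the client addresses, the header name X-Forwarded-For and the right-to-left walk over the header are all the example's own assumptions; the page only states that WAF reads the actual access IP address from the configured header field.

```python
# Added example (not Huawei Cloud or WAF product code): how the "Use Layer-7 Proxy"
# choice changes which address protection rules are keyed on. Proxy ranges and
# client addresses are constructed (RFC 5737 documentation space).
import ipaddress
from typing import Iterable, Optional


def parse_networks(cidrs: Iterable[str]):
    """Parse trusted proxy ranges such as '198.51.100.0/24' into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _parse_ip(token: str):
    """Return an address object, or None if the token is not a valid IP."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def _trusted(ip, trusted_proxies) -> bool:
    return any(ip in net for net in trusted_proxies)


def real_client_ip(peer_ip: str, forwarded_for: Optional[str],
                   use_layer7_proxy: bool, trusted_proxies) -> Optional[str]:
    """Return the address that blocking, rate limits and known-attack-source rules
    should apply to, or None if the header is unusable.

    use_layer7_proxy=False: the TCP peer is the client; the header is ignored,
    so a forged X-Forwarded-For value cannot redirect blame to another address.
    use_layer7_proxy=True: the hop chain is forwarded_for + [peer]. It is walked
    from the right, skipping hops inside the trusted ranges; the first untrusted
    hop is the client. If the peer itself is not a trusted proxy the header was
    not set by our proxy, so the peer is returned instead.
    """
    peer = _parse_ip(peer_ip)
    if peer is None:
        return None
    if not use_layer7_proxy:
        return str(peer)
    if not _trusted(peer, trusted_proxies):
        return str(peer)                      # request did not come via the proxy
    hops = [h for h in (forwarded_for or "").split(",") if h.strip()]
    for token in reversed(hops):
        hop = _parse_ip(token)
        if hop is None:
            return None                       # malformed header: trust none of it
        if not _trusted(hop, trusted_proxies):
            return str(hop)
    # Every hop and the peer are trusted proxies: the leftmost entry is the client.
    return str(_parse_ip(hops[0])) if hops else str(peer)


if __name__ == "__main__":
    trusted = parse_networks(["198.51.100.0/24"])   # constructed proxy range
    # Client 203.0.113.10 sends a forged header; the proxy appends its real address.
    print(real_client_ip("198.51.100.7", "10.0.0.1, 203.0.113.10", True, trusted))
    # Same forged header with no proxy in front: the peer address wins.
    print(real_client_ip("203.0.113.10", "10.0.0.1", False, trusted))
```

The second print shows why selecting Yes without an actual proxy is risky: with no trusted proxy between the client and the load balancer, the only address that cannot be forged is the TCP peer address.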
Step 2: Configure a Load Balancer for a Dedicated WAF Instance
To ensure the reliability of your dedicated WAF instance, after you add a website to it, use Huawei Cloud Elastic Load Balance (ELB) to configure a load balancer and a health check for the dedicated WAF instance.
Huawei Cloud ELB is billed by traffic. For details, see ELB Pricing Details.
- Add a listener to the load balancer. For details, see Adding an HTTP Listener or Adding an HTTPS Listener.
When adding a listener, set the parameters as follows:
- Frontend Port: the port that will be used by the load balancer to receive requests from clients. You can set this parameter to any port. The origin server port configured in WAF is recommended.
- Frontend Protocol: Select HTTP or HTTPS.
- If you select Weighted round robin for Load Balancing Algorithm, disable Sticky Session. If you enable Sticky Session, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time.
- If Health Check is configured, the health check result must be Healthy, or the website requests cannot be pointed to WAF. For details about how to configure health check, see Configuring a Health Check.
- Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
- In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
- In the row containing the instance you want to add to the load balancer, click More > Add to ELB in the Operation column.
- In the Add to ELB dialog box, specify ELB (Load Balancer), ELB Listener, and Backend Server Group based on the load balancer and listener configured in step 1.
Figure 3 Add to ELB
The Health Check result must be Healthy, or the website requests cannot be pointed to WAF. For details about troubleshooting, see How Do I Troubleshoot an Unhealthy Backend Server?
- Click Confirm. Then, configure the service port for the WAF instance. Backend Port must be set to the port configured in Step 1: Add a Website to WAF.
Step 3: Bind an EIP to a Load Balancer
If you configure a load balancer for your dedicated WAF instance, unbind the EIP from the origin server and then bind this EIP to the load balancer you configured. For details, see Configuring a Load Balancer. The request traffic then goes to the dedicated WAF instance for attack detection first and only then to the origin server, ensuring the security, stability, and availability of the origin server.
This topic describes how to unbind an EIP from your origin server and bind the EIP to a load balancer configured for a dedicated WAF instance.
- Click in the upper left corner of the page and choose Elastic Load Balance under Network to go to the Load Balancers page.
- On the Load Balancers page, unbind the EIP from the origin server.
- Unbinding an IPv4 EIP: Locate the row that contains the load balancer configured for the origin server. Then, in the Operation column, click More > Unbind IPv4 EIP.
- Unbinding an IPv6 EIP: Locate the row that contains the load balancer configured for the origin server. Then, in the Operation column, click More > Unbind IPv6 Address.
Figure 4 Unbinding an EIP
- In the displayed dialog box, click Yes.
- On the Load Balancers page, locate the load balancer configured for the dedicated WAF instance and bind the EIP unbound from the origin server to the load balancer.
- Binding an IPv4 EIP: Locate the row that contains the load balancer configured for the dedicated WAF instance, click More in the Operation column, and select Bind IPv4 EIP.
- Binding an IPv6 EIP: Locate the row that contains the load balancer configured for the dedicated WAF instance, click More in the Operation column, and select Bind IPv6 Address.
- In the displayed dialog box, select the EIP unbound in step 2 and click OK.
Step 4: Whitelist Back-to-Source IP Addresses of Dedicated WAF Instances
In dedicated mode, website traffic is pointed to the load balancer configured for your dedicated WAF instances and then to the dedicated WAF instances, which filter out malicious traffic and route only normal traffic to the origin server. In this way, the origin server communicates only with WAF back-to-source IP addresses, which protects the origin server IP address from being attacked. In dedicated mode, the WAF back-to-source IP addresses are the subnet IP addresses of the dedicated WAF instances.
The security software on the origin server is likely to regard the WAF back-to-source IP addresses as malicious and block them. Once they are blocked, the origin server denies all WAF requests, and your website may become unavailable or respond very slowly. Therefore, configure ACL rules on the origin server to trust only the subnet IP addresses of your dedicated WAF instances.
The way to whitelist an IP address varies depending on where your origin servers are provisioned. You can follow the way suitable for you.
If your origin server is deployed on an ECS, perform the following steps to configure a security group rule to allow only the back-to-source IP address of the dedicated instance to access the origin server.
- Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
- In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
Figure 5 Dedicated engine list
- In the IP Address column, obtain the IP address of each dedicated WAF instance under your account.
- Click in the upper left corner of the page and choose Compute > Elastic Cloud Server.
- Locate the row containing the ECS hosting your website. In the Name/ID column, click the ECS name to go to the ECS details page.
- Click the Security Groups tab. Then, click Change Security Group.
- In the Change Security Group dialog box displayed, select a security group or create a security group and click OK.
- Click the security group ID and view the details.
- Click the Inbound Rules tab and click Add Rule. Then, specify parameters in the Add Inbound Rule dialog box. For details, see Table 2.
Figure 6 Add Inbound Rule
Table 2 Inbound rule parameters

Parameter | Configuration Description |
---|---|
Protocol & Port | Protocol and port for which the security group rule takes effect. If you select TCP (Custom ports), enter the origin server port number in the text box below the TCP box. |
Server Address | Subnet IP address of each dedicated WAF instance obtained in step 3. Configure one inbound rule for each IP address. NOTE: One inbound rule can contain only one IP address. To configure an inbound rule for each IP address, click Add Rule to add more rules. A maximum of 10 rules can be configured. |
- Click OK.
Now, the security group allows all inbound traffic from the back-to-source IP addresses of all your dedicated WAF instances.
To check whether the configuration takes effect, use the Telnet tool to check whether a connection to the origin server service port bound to the IP address protected by WAF can be established.
For example, run the following command to check whether a connection to origin server service port 443 bound to the IP address protected by WAF can be established. If the connection cannot be established over the service port but the website is still accessible, the security group inbound rules take effect.
telnet <origin server IP address> 443
If your origin server uses Huawei Cloud ELB to distribute traffic, perform the following steps to configure an access control policy to allow only the IP addresses of the dedicated WAF instances to access the origin server:
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
- In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
Figure 7 Dedicated engine list
- In the IP Address column, obtain the IP address of each dedicated WAF instance under your account.
- Click in the upper left corner of the page and choose Networking > Elastic Load Balance.
- Locate the row containing the load balancer configured for your dedicated WAF instance and click the load balancer name in the Name column.
- In the Access Control row of the target listener, click Configure.
Figure 8 Listener list
- In the displayed dialog box, select Whitelist for Access Control.
- Click OK.
Now, the access control policy allows all inbound traffic from the back-to-source IP addresses of your dedicated WAF instances.
To check whether the configuration takes effect, use the Telnet tool to check whether a connection to the origin server service port bound to the IP address protected by WAF can be established.
For example, run the following command to check whether a connection to origin server service port 443 bound to the IP address protected by WAF can be established. If the connection cannot be established over the service port but the website is still accessible, the access control policy takes effect.
telnet <origin server IP address> 443
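The two whitelist procedures above (security group on an ECS, access control on an ELB listener) and the telnet check share one goal: the origin must answer only to the WAF back-to-source addresses, and you want proof that nothing else still reaches it. The following Python is an added example, not Huawei Cloud or WAF product code. It builds the per-address inbound rules with the limits stated in Table 2 (one IP per rule, at most 10 rules), performs the same TCP reachability probe as the telnet command, and audits origin access-log lines for requests whose source is not a WAF instance address. The two WAF instance addresses (192.168.0.23 and 192.168.0.24), the log lines and the common-log-format layout are constructed sample data; the rule dictionary layout is the example's own and does not mirror any console or API field.

```python
# Added example (not Huawei Cloud or WAF product code). WAF instance addresses
# and access-log lines are constructed sample data.
import ipaddress
import re
import socket
from typing import Dict, Iterable, List, Tuple

MAX_INBOUND_RULES = 10          # limit stated in Table 2 on the page

# Constructed: subnet IPs of two dedicated WAF instances (Dedicated Engine list).
WAF_INSTANCE_IPS = ["192.168.0.23", "192.168.0.24"]

# Constructed origin access log in common log format: two requests relayed by
# WAF and one that reached the origin directly.
SAMPLE_ORIGIN_LOG = [
    '192.168.0.23 - - [10/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '192.168.0.24 - - [10/May/2024:10:00:02 +0000] "POST /login HTTP/1.1" 200 87',
    '203.0.113.77 - - [10/May/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 403 0',
    'not a log line',
]


def build_inbound_rules(waf_ips: Iterable[str], origin_port: int,
                        protocol: str = "TCP") -> List[Dict[str, object]]:
    """One inbound rule per WAF instance address, as a host route (/32 or /128).
    Duplicates are collapsed. Exceeding MAX_INBOUND_RULES raises, so the operator
    notices the limit before entering rules one by one in the console."""
    rules: List[Dict[str, object]] = []
    seen = set()
    for raw in waf_ips:
        ip = ipaddress.ip_address(raw.strip())      # ValueError on junk input
        if ip in seen:
            continue
        seen.add(ip)
        rules.append({"direction": "inbound", "protocol": protocol,
                      "port": origin_port, "source": f"{ip}/{ip.max_prefixlen}"})
    if len(rules) > MAX_INBOUND_RULES:
        raise ValueError(f"{len(rules)} rules exceed the limit of {MAX_INBOUND_RULES}")
    return rules


_LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def find_direct_hits(log_lines: Iterable[str], waf_ips: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (source, request) for each parsable request whose source is not a
    WAF back-to-source address. A non-empty result means the origin is still
    reachable around WAF (EIP still bound to the origin, a rule missing, ...)."""
    allowed = {ipaddress.ip_address(i) for i in waf_ips}
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue                                # skip lines that are not requests
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue
        if src not in allowed:
            hits.append((m.group("src"), m.group("req")))
    return hits


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Same check as the page's telnet command. Run it from a host that is not a
    WAF instance: False while the site still works through WAF means the
    whitelist is in effect; True means the origin still accepts direct connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for rule in build_inbound_rules(WAF_INSTANCE_IPS, 443):
        print(rule)
    print("requests that bypassed WAF:", find_direct_hits(SAMPLE_ORIGIN_LOG, WAF_INSTANCE_IPS))
```

Run the audit against a day of origin logs after the EIP has been moved to the load balancer; any hit from an address outside the Dedicated Engine list is a direct path to the origin that the whitelist was supposed to close.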
Step 5: Test Dedicated WAF Instances
After adding a website to a dedicated WAF instance, verify that it can forward traffic properly and ELB load balancers work well.
Follow-up Operations
- The initial Access Status of a website is Unaccessed. When a request reaches the WAF instance configured for the website, the access status automatically changes to Accessed. To address access failure, see Why Is the Access Status of a Domain Name or IP Address Inaccessible?
- Complete Recommended Configurations
- If HTTPS is selected for Client Protocol, you can configure PCI DSS/3DS compliance check and TLS, enable HTTP/2, and enable cookies.
- Enabling WAF IPv6 Protection: You can use WAF to protect IPv6 origin servers.
- Configuring a Timeout for Connections Between WAF and a Website Server: The default timeout for a connection between WAF and the origin server is 30 seconds. You can customize the connection timeout, read timeout, and write timeout.
- Configuring a Traffic Identifier for a Known Attack Source: Configure an identifier for the client IP address, session, or user to block malicious requests based on the IP address, cookie, or params for a duration you specify.
- Forwarding Custom Header Fields: After you add a header field, WAF inserts it into the request before forwarding the requests to the origin server to mark the requests.
- Modifying the Alarm Page: Customize the page you want to return to visitors when WAF blocks a website request.
- Adjust the protection policy configured for the protected domain name based on protection requirements. For details, see Protection Configuration Overview.