Updated on 2024-09-19 GMT+08:00

Connecting a Website to WAF (Dedicated Mode)

If your service servers are deployed on Huawei Cloud, you can use dedicated WAF instances to protect your website services as long as your website has domain names or IP addresses.

If you have enabled enterprise projects, you can select your enterprise project from the Enterprise Project drop-down list and add websites to be protected in the project.

Dedicated WAF instances are not available in some regions. For details, see Notice on Web Application Firewall (Dedicated Mode) Discontinued.

Solution Overview

After connecting your website to a dedicated WAF instance, DNS resolves client requests to the public IP address (EIP) of the load balancer. The load balancer sends the requests to WAF. WAF blocks abnormal requests and forwards normal requests to the origin server from the back-to-source IP address of the dedicated WAF instance. If your website uses a proxy (such as AAD, CDN, or cloud acceleration), DNS resolves client requests to the proxy, and the proxy forwards the requests to the ELB load balancer.

Figure 1 Website access diagram

Prerequisites

  • You have purchased a dedicated load balancer. For details about load balancer types, see Differences Between Dedicated and Shared Load Balancers.

    Dedicated WAF instances issued before April 2023 cannot be used with dedicated network load balancers. If you use a dedicated network load balancer (TCP/UDP), ensure that your dedicated WAF instance has been upgraded to the latest version (issued after April 2023). For details, see Dedicated Engine Version Iteration.

  • Related ports have been enabled in the security group to which the dedicated WAF instance belongs.
    You can configure your security group as follows:
    • Inbound rules

      Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, you can add a rule that allows TCP and port 80.

    • Outbound rules

      The value is Default. All outgoing network traffic is allowed by default.

    For more details, see Adding a Security Group Rule.

Step 1. Add a Website to WAF

To connect your services to WAF, you need to add the domain name and origin server information to WAF.

  Log in to the management console, click in the upper left corner to select a region or project, and then click in the upper left corner and choose Web Application Firewall under Security & Compliance.

  1. In the navigation pane, choose Website Settings.
  2. In the upper left corner of the website list, click Add Website.
  3. Select Dedicated Mode and click Configure Now.
  4. Configure basic information. For details about the parameters, see Table 1.

    Table 1 Parameter description

    Parameter

    Description

    Example Value

    Protected Object

    The domain name of the website you want to protect. It can be a single domain name or a wildcard domain name.

    NOTE:
    • The wildcard * alone can be added to WAF to let WAF protect any domain name. If only the wildcard (*) is added, WAF can protect non-standard ports only, not ports 80 and 443.
    • If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if the subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can add the wildcard domain name *.example.com to WAF to protect all three.
    • If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one.

    -

    Website Name (Optional)

    Website name you specify.

    WAF

    Website Remarks (Optional)

    Remarks of the website.

    waftest

    Protected Port

    Port to be protected.

    • To protect port 80 or 443, select Standard port from the drop-down list.
    • To protect other ports, select the one WAF supports. Click View Ports You Can Use to view the HTTP and HTTPS ports supported by WAF. For more information, see Ports Supported by WAF.
    NOTE:

    If a port other than 80 or 443 is configured, the visitors need to add the non-standard port to the end of the website address when they access the website. Otherwise, a 404 error will occur. If a 404 error occurs, see How Do I Troubleshoot 404/502/504 Errors?

    81

    Server Configuration

    Address of the web server. The configuration contains the Client Protocol, Server protocol, VPC, Server Address, and Server Port.

    • Client Protocol: protocol used by a client to access a server. The options are HTTP and HTTPS.
    • Server Protocol: protocol used by WAF to forward client requests to your website server. The options are HTTP and HTTPS.
      NOTE:
      • If the client protocol is different from the origin server protocol, WAF forcibly uses the origin server protocol to forward client requests.
      • WAF can check WebSocket and WebSocket Secure (wss) requests. This check is enabled by default.
    • VPC: Select the VPC to which the dedicated WAF instance belongs.
      NOTE:

      To implement active-active services and prevent single points of failure (SPOFs), it is recommended that at least two WAF instances be configured in the same VPC.

    • Server Address: private IP address of the website server.

      Log in to the ECS or ELB console and view the private IP address of the server in the instance list.

      NOTE:

      The origin server address cannot be the same as that of the protected object.

      The following IP address formats are supported:
      • IPv4, for example, XX.XXX.1.1
      • IPv6, for example, fe80:0000:0000:0000:0000:0000:0000:0000
    • Server Port: service port of the server to which the dedicated WAF instance forwards client requests.

    Client Protocol: HTTP

    Server Protocol: HTTP

    Server Address: XXX.XXX.1.1

    Server Port: 80

    Certificate Name

    If you set Client Protocol to HTTPS, an SSL certificate is required.

    • If you have not created a certificate, click Import New Certificate. In the Import New Certificate dialog box, set certificate parameters. For more details, see Uploading a Certificate.

      The newly imported certificates will be listed on the Certificates page as well.

    • If a certificate has been created, select a valid certificate from the Existing certificates drop-down list.
    • If you have used a CCM certificate under the same account, you can select an SSL certificate from the drop-down list. The name of the SSL certificate you select must be the same as that in CCM.
    NOTICE:
    • Only .pem certificates can be used in WAF. If the certificate is not in PEM format, convert it into PEM format first. For details, see How Do I Convert a Certificate into PEM Format?
    • Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used.
    • If your website certificate is about to expire, purchase a new certificate before the expiration date and update the certificate associated with the website in WAF.

      WAF can send notifications if a certificate expires. You can configure such notifications on the Notifications page. For details, see Enabling Alarm Notifications.

    • Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, add domain names one by one in WAF.

    --

    Proxy Your Website Uses

    • Layer-7 proxy: A product that forwards requests at layer 7, such as anti-DDoS, CDN, or another cloud acceleration service, sits in front of WAF.
    • Layer-4 proxy: A product that forwards traffic at layer 4, such as anti-DDoS, sits in front of WAF.
    • No proxy: No proxy product is used in front of WAF.
    NOTICE:

    If a proxy sits in front of WAF, select the matching option. With Layer-7 proxy selected, WAF obtains the real client IP address from the related field in the configured header. For details, see Configuring a Traffic Identifier for a Known Attack Source. Select Layer-7 proxy only when such a proxy really is in front of WAF: without one, the header is written by the client and can be forged, so IP-based rules would act on attacker-chosen addresses.

    Layer-7 proxy

  5. Configure the advanced settings.

    Policy: The System-generated policy is selected by default. You can select a policy you configured before. You can also customize rules after the domain name is connected to WAF.

    System-generated policies include:

    • Basic web protection (Log only mode and common checks)

      The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections.

    • Anti-crawler (Log only mode and Scanner feature)

      WAF only logs web scanning activity, such as vulnerability scanning and virus scanning, for example crawling by OpenVAS and Nmap.

      Log only: WAF only logs detected attack events instead of blocking them.

  6. Click OK.

    To enable WAF protection, there are still several steps, including configuring a load balancer, binding an EIP to the load balancer, and whitelisting back-to-source IP addresses of your dedicated instance. You can click Later in this step. Then, follow the instructions and finish those steps by referring to Step 2: Configure a Load Balancer for a Dedicated WAF Instance, Step 3: Bind an EIP to a Load Balancer, and Step 4: Whitelist Back-to-Source IP Addresses of Dedicated WAF Instances.
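The Proxy Your Website Uses setting above decides which header WAF reads the client address from. The same trust question returns on the origin server: once Step 4 is done, the origin only ever sees a WAF back-to-source address as the TCP peer, so any application logic that keys on the client IP (rate limits, allowlists, audit logs) has to recover it from the forwarded header without trusting client-supplied entries. The following is an added example, not code from this page or from Huawei Cloud WAF. It assumes the header the origin receives is X-Forwarded-For (check what your WAF or proxy actually forwards), and the address ranges are documentation ranges chosen for illustration, not real instances.

```python
import ipaddress

# Constructed example values (documentation address ranges), not addresses from the page.
# Trusted hops: the subnet IPs of the dedicated WAF instances (the back-to-source
# addresses the origin actually receives connections from) and, if a layer-7 proxy
# such as CDN or anti-DDoS sits in front of WAF, that proxy's egress ranges.
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.0/24"),     # hypothetical dedicated WAF instance subnet
    ipaddress.ip_network("198.51.100.0/24"),  # hypothetical CDN / anti-DDoS egress range
]


def is_trusted_proxy(ip_text, trusted=TRUSTED_PROXIES):
    """True if ip_text is an address inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Derive the real client address for a request that arrived from peer_ip
    carrying the X-Forwarded-For header value xff_header.

    Rules, in order:
    - If the TCP peer is not a trusted proxy, nothing we trust ever rewrote the
      header, so the peer address itself is the client and the header is ignored.
    - Otherwise walk the chain from the right, skipping trusted proxies; the
      first untrusted address is the client. Anything further left was written
      by an untrusted party (possibly the client) and is ignored.
    - A malformed hop or a chain made only of proxies fails closed (None).
    """
    if not is_trusted_proxy(peer_ip, trusted):
        return peer_ip
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(ip in net for net in trusted):
            return str(ip)
    return None


if __name__ == "__main__":
    # Request relayed by WAF; the client tried to forge a leading private address.
    print(client_ip("192.0.2.10", "10.0.0.1, 203.0.113.5"))   # 203.0.113.5
    # Direct hit on the origin that bypassed WAF: header is not trusted at all.
    print(client_ip("203.0.113.9", "203.0.113.99"))           # 203.0.113.9
```

Feed the function the individual instance IPs from Instance Management > Dedicated Engine rather than the whole VPC CIDR, so that other hosts in the VPC cannot inject a forged chain. The second call in the usage shows why Step 4 matters: a request that reaches the origin without passing through WAF carries a header nobody trustworthy wrote.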

Step 2: Configure a Load Balancer for a Dedicated WAF Instance

To ensure the reliability of your dedicated WAF instances, after you add a website to them, use Huawei Cloud Elastic Load Balance (ELB) to configure a load balancer and a health check for the dedicated WAF instances.

Huawei Cloud ELB is billed by traffic. For details, see ELB Pricing Details.

  1. Add a listener to the load balancer. For details, see Adding an HTTP Listener or Adding an HTTPS Listener.

    When adding a listener, set the parameters as follows:

    • Frontend Port: the port that will be used by the load balancer to receive requests from clients. You can set this parameter to any port. Using the same port that you configured as Protected Port in WAF is recommended, so that visitors do not need to change the port in the website address.
    • Frontend Protocol: Select HTTP or HTTPS.
    • If you select Weighted round robin for Load Balancing Algorithm, disable Sticky Session. If you enable Sticky Session, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time.
    • If Health Check is configured, the health check result must be Healthy, or the website requests cannot be pointed to WAF. For details about how to configure health check, see Configuring a Health Check.

  2. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
  3. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
  4. In the row containing the instance you want to add to the load balancer, click More > Add to ELB in the Operation column.
  5. In the Add to ELB dialog box, specify ELB (Load Balancer), ELB Listener, and Backend Server Group based on the listener you added in 1.

    Figure 2 Add to ELB

    The Health Check result must be Healthy, or the website requests cannot be pointed to WAF. For details about troubleshooting, see How Do I Troubleshoot an Unhealthy Backend Server?

  6. Click Confirm. Then, configure the service port for the WAF instance: Backend Port must be set to the Protected Port configured in Step 1. Add a Website to WAF.

Step 3: Bind an EIP to a Load Balancer

If you configure a load balancer for your dedicated WAF instance, unbind the EIP from the origin server and then bind this EIP to the load balancer you configured. For details, see Configuring a Load Balancer. The request traffic then goes to the dedicated WAF instance for attack detection first and then to the origin server, ensuring the security, stability, and availability of the origin server.

This topic describes how to unbind an EIP from your origin server and bind the EIP to a load balancer configured for a dedicated WAF instance.

  1. Click in the upper left corner of the page and choose Elastic Load Balance under Network to go to the Load Balancers page.
  2. On the Load Balancers page, unbind the EIP from the origin server.

    • Unbinding an IPv4 EIP: Locate the row that contains the load balancer configured for the origin server. Then, in the Operation column, click More > Unbind IPv4 EIP.
    • Unbinding an IPv6 EIP: Locate the row that contains the load balancer configured for the origin server. Then, in the Operation column, click More > Unbind IPv6 Address.
    Figure 3 Unbinding an EIP

  3. In the displayed dialog box, click Yes.
  4. On the Load Balancers page, locate the load balancer configured for the dedicated WAF instance and bind the EIP unbound from the origin server to the load balancer.

    • Binding an IPv4 EIP: Locate the row that contains the load balancer configured for the dedicated WAF instance, click More in the Operation column, and select Bind IPv4 EIP.
    • Binding an IPv6 EIP: Locate the row that contains the load balancer configured for the dedicated WAF instance, click More in the Operation column, and select Bind IPv6 Address.

  5. In the displayed dialog box, select the EIP unbound in 2 and click OK.

Step 4: Whitelist Back-to-Source IP Addresses of Dedicated WAF Instances

In dedicated mode, website traffic is pointed to the load balancer configured for your dedicated WAF instances and then to dedicated WAF instances. The latter will filter out malicious traffic and route only normal traffic to the origin server. In this way, the origin server only communicates with WAF back-to-source IP addresses. By doing so, WAF protects the origin server IP address from being attacked. In dedicated mode, the WAF back-to-source IP addresses are the subnet IP addresses of the dedicated WAF instances.

Security software on the origin server is likely to regard WAF back-to-source IP addresses as malicious and block them. Once they are blocked, the origin server denies all WAF requests, and your website may become unavailable or respond very slowly. So, configure ACL rules on the origin server to trust only the subnet IP addresses of your dedicated WAF instances.

The way to whitelist an IP address varies depending on where your origin servers are provisioned. You can follow the way suitable for you.

If your origin server is deployed on an ECS, perform the following steps to configure a security group rule to allow only the back-to-source IP address of the dedicated instance to access the origin server.

  1. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
  2. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 4 Dedicated engine list

  3. In the IP Address column, obtain the IP address of each dedicated WAF instance under your account.
  4. Click in the upper left corner of the page and choose Compute > Elastic Cloud Server.
  5. Locate the row containing the ECS hosting your website. In the Name/ID column, click the ECS name to go to the ECS details page.
  6. Click the Security Groups tab. Then, click Change Security Group.
  7. In the Change Security Group dialog box displayed, select a security group or create a security group and click OK.
  8. Click the security group ID and view the details.
  9. Click the Inbound Rules tab and click Add Rule. Then, specify parameters in the Add Inbound Rule dialog box. For details, see Table 2.

    Figure 5 Add Inbound Rule
    Table 2 Inbound rule parameters

    Parameter

    Configuration Description

    Protocol & Port

    Protocol and port for which the security group rule takes effect. If you select TCP (Custom ports), enter the origin server port number in the text box below the TCP box.

    Source

    Subnet IP address of each dedicated WAF instance you obtained in 3. Configure an inbound rule for each IP address.

    NOTE:

    One inbound rule can contain only one IP address. To configure an inbound rule for each IP address, click Add Rule to add more rules. A maximum of 10 rules can be configured.

  10. Click OK.

    Now, the security group allows inbound traffic to the origin server port only from the back-to-source IP addresses of your dedicated WAF instances. Check the Inbound Rules tab for any existing rule that still allows the same port from 0.0.0.0/0 or from a wider address range and delete it; otherwise the whitelist has no effect.

    To check whether the configuration takes effect, use Telnet from a machine that is not a dedicated WAF instance (for example, your workstation) to check whether a direct connection to the origin server service port can be established.

    For example, run the following command to check whether a direct connection to origin server service port 443 can be established. If the connection cannot be established but the website is still accessible through the domain name protected by WAF, the security group inbound rules take effect.

    telnet <origin server IP address> 443

If your origin server uses Huawei Cloud ELB to distribute traffic, perform the following steps to configure an access control policy to allow only the IP addresses of the dedicated WAF instances to access the origin server:

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 6 Dedicated engine list

  5. In the IP Address column, obtain the IP address of each dedicated WAF instance under your account.
  6. Click in the upper left corner of the page and choose Networking > Elastic Load Balance.
  7. Locate the row containing the load balancer configured for your dedicated WAF instance and click the load balancer name in the Name column.
  8. In the Access Control row of the target listener, click Configure.

    Figure 7 Listener list

  9. In the displayed dialog box, select Whitelist for Access Control.

    1. Click Create IP Address Group and add the dedicated WAF instance access IP addresses obtained in 5 to the group being created.
    2. Select the IP address group created in 9.a from the IP Address Group drop-down list.

  10. Click OK.

    Now, the access control policy allows inbound traffic on the listener only from the back-to-source IP addresses of your dedicated WAF instances. Make sure the IP address group contains only those addresses; any wider range added to the group reopens the origin.

    To check whether the configuration takes effect, use Telnet from a machine that is not a dedicated WAF instance (for example, your workstation) to check whether a direct connection to the origin server service port can be established.

    For example, run the following command to check whether a direct connection to origin server service port 443 can be established. If the connection cannot be established but the website is still accessible through the domain name protected by WAF, the access control policy takes effect.

    telnet <origin server IP address> 443
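Both whitelist procedures above (a security group on an ECS, an access control policy on ELB) end with the same manual Telnet check, and both are only effective if no other rule still exposes the origin port. The following is an added example, not code from this page or from Huawei Cloud: a Python script that builds the per-instance allow rules, audits a rule set for any leftover rule that still admits the origin port from other sources, and performs the direct-connect check programmatically. The rule dictionary layout is a hypothetical representation, not the cloud API's format, and the addresses and host names are documentation values chosen for illustration. Run the connectivity part from a machine that is not a dedicated WAF instance.

```python
import ipaddress
import socket

# Constructed sample values (documentation ranges); not real instances from the page.
WAF_BACK_TO_SOURCE_IPS = ["192.0.2.10", "192.0.2.11"]  # hypothetical dedicated WAF subnet IPs
ORIGIN_PORT = 443


def build_waf_allow_rules(waf_ips, port, max_rules=10):
    """One inbound TCP rule per dedicated WAF instance IP.

    The console takes a single address per rule and allows at most 10 rules,
    so refuse to silently drop instances beyond that limit. The rule dict
    shape is a hypothetical representation, not the cloud API's format."""
    if len(waf_ips) > max_rules:
        raise ValueError(f"{len(waf_ips)} WAF IPs but only {max_rules} rules allowed")
    return [
        {"direction": "inbound", "protocol": "tcp", "port": str(port),
         "source": str(ipaddress.ip_network(ip))}   # /32 for IPv4, /128 for IPv6
        for ip in waf_ips
    ]


def _rule_covers_port(rule, port):
    """True if the rule's protocol and port range admit TCP traffic to `port`."""
    if str(rule.get("protocol", "")).lower() not in ("tcp", "any", "all"):
        return False
    p = rule.get("port")
    if p in (None, "", "all", "1-65535"):
        return True
    p = str(p)
    if "-" in p:
        lo, hi = (int(x) for x in p.split("-", 1))
        return lo <= port <= hi
    return int(p) == port


def audit_inbound_rules(rules, waf_ips, port):
    """Return the inbound rules that admit `port` from anything other than an
    exact WAF back-to-source address.

    A leftover 0.0.0.0/0 (or broad subnet) rule on the origin port makes the
    whitelist meaningless: attackers can still reach the origin directly."""
    allowed = {ipaddress.ip_network(ip) for ip in waf_ips}
    offenders = []
    for rule in rules:
        if rule.get("direction", "inbound") != "inbound" or not _rule_covers_port(rule, port):
            continue
        try:
            net = ipaddress.ip_network(rule.get("source", "0.0.0.0/0"), strict=False)
        except ValueError:
            offenders.append(rule)   # source is a security group or unparsable: review by hand
            continue
        if net not in allowed:
            offenders.append(rule)
    return offenders


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_origin_hidden(origin_ip, origin_port, waf_host, waf_port=443):
    """Run from a machine that is NOT a dedicated WAF instance.

    Returns (origin_blocked, reachable_via_waf). The whitelist is effective
    only when both are True: the origin port must not answer a direct
    connection while the site still answers through the WAF/ELB address."""
    return (not tcp_open(origin_ip, origin_port), tcp_open(waf_host, waf_port))


if __name__ == "__main__":
    # Constructed security group snapshot: the two WAF rules plus a forgotten wide-open rule.
    snapshot = build_waf_allow_rules(WAF_BACK_TO_SOURCE_IPS, ORIGIN_PORT) + [
        {"direction": "inbound", "protocol": "tcp", "port": "443", "source": "0.0.0.0/0"},
    ]
    for bad in audit_inbound_rules(snapshot, WAF_BACK_TO_SOURCE_IPS, ORIGIN_PORT):
        print("remove or tighten:", bad)
    # Hypothetical hosts; replace with your origin IP and the WAF-protected domain.
    print(verify_origin_hidden("203.0.113.20", ORIGIN_PORT, "www.example.com"))
```

The audit treats a rule whose source is not a plain address or CIDR (for example a security group reference) as something to review by hand rather than silently accepting it. A rule covering the whole VPC subnet of the WAF instances is reported too: it would let any other host in that subnet reach the origin, which is wider than the page's "only the back-to-source IP address" intent.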

Step 5: Test Dedicated WAF Instances

After adding a website to a dedicated WAF instance, verify that WAF can forward traffic properly and ELB load balancers work well.

Impact on the System

If a non-standard port is configured, the visitors need to add the non-standard port to the end of the website address when they access the website. Otherwise, a 404 error will occur. If a 404 error occurs, see How Do I Troubleshoot 404/502/504 Errors?

Follow-up Operations

The initial Access Status of a domain name is Inaccessible. When a certain number of requests for the website reach WAF, WAF changes the access status of the website to Accessible. To address access failure, see Why Is the Access Status of a Domain Name or IP Address Inaccessible?

After the domain name is connected to WAF, there is one step required to enable WAF protection. You need to configure WAF protection policy for the domain name. For details, see Configuring Protection.