Adding a Website to WAF (Cloud Mode - ELB Access)
If your service servers are deployed on Huawei Cloud, you can connect your web services to your cloud WAF instance in ELB access mode.
- In this method, WAF is integrated into the gateway of an ELB load balancer through an SDK module. WAF extracts traffic through the SDK module embedded in the gateway for inspection.
- WAF synchronizes the inspection result to the load balancer, and the load balancer determines whether to forward client requests to the origin server based on the inspection result.
- In this method, WAF does not forward traffic. This reduces compatibility and stability problems.
If you have enabled enterprise projects, you can select an enterprise project from the Enterprise Project drop-down list and add websites to be protected in the project.
Prerequisites
- You have purchased a cloud WAF instance.
- To use ELB-access cloud WAF, you must first submit a service ticket to have it enabled. ELB-access cloud WAF is available in some regions. For details, see Functions.
- If you want to use the ELB access mode, make sure you are using standard, professional, or platinum cloud WAF. When you are using cloud WAF, the quotas for the domain name, QPS, and rule extension packages are shared between the ELB access and CNAME access modes.
- You have purchased a dedicated load balancer with Specifications set to Application load balancing (HTTP/HTTPS). For more details, see Creating a Dedicated Load Balancer.
Constraints
- Only dedicated load balancers with Specifications set to Application load balancing (HTTP/HTTPS) can be used. Dedicated load balancers with Specifications set to Network load balancing (TCP/UDP) are not supported.
- Only the professional and platinum editions allow you to specify a custom policy for Policy.
Collecting Domain Name/IP Address Details
Before adding a domain name or IP address, obtain the information listed in Table 1.
Parameter | Description | Example Value |
---|---|---|
Domain Name/IP Address | | www.example.com |
Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
- In the upper left corner of the website list, click Add Website.
- Select Cloud - Load balancer and configure basic domain name information by referring to Table 2.
Figure 1 Configuring basic settings of a website
Table 2 Parameter description
Parameter | Description | Example Value |
---|---|---|
ELB (Load Balancer) | Select ELB in the drop-down list. | elb-waf-test |
ELB Listener | All listeners, or Specific listener: Select a listener from the drop-down list. | All listeners |
Website Name | Name of the website you want to protect | None |
Domain Name | The domain name of a website to be protected. It can be a single domain name or a wildcard domain name. Single domain name: Enter a single domain name, for example, www.example.com. Wildcard domain name: If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if the subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can add the wildcard domain name *.example.com to WAF to protect all three. If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one. | Single domain name: www.example.com; Wildcard domain name: *.example.com; IP Address: XXX.XXX.1.1 |
Website Remarks | Brief description of the website | - |
Policy | The system-generated policy is selected by default. You can select a policy you configured before. You can also customize rules after the domain name is connected to WAF. System-generated policies: (1) Basic web protection (Log only mode and common checks): The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. (2) Anti-crawler (Log only mode and Scanner feature): WAF only logs web scanning tasks such as vulnerability scanning and virus scanning, for example the crawling behavior of OpenVAS and Nmap. NOTE: Log only: WAF only logs detected attack events instead of blocking them. Only the professional and platinum editions allow you to specify a custom policy for Policy. | System-generated policy |
- Click OK.
You can view the added websites in the protected website list.
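The Domain Name rule in Table 2 (one wildcard entry when all subdomains share a server IP address, single entries otherwise) can be applied to a host inventory before websites are added. The following Python code is an added example, not Huawei Cloud code; the function name `plan_waf_entries`, the inventory format, and the sample hosts and addresses are constructed for illustration. It assumes every name belongs to a zone you own and does not detect multi-label public suffixes such as co.uk.

```python
from collections import defaultdict

# Constructed sample inventory: hostname -> origin server IP addresses
# (documentation address ranges, not real servers).
INVENTORY = {
    "a.example.com": ["192.0.2.10"],
    "b.example.com": ["192.0.2.10"],
    "c.example.com": ["192.0.2.10"],
    "shop.example.org": ["198.51.100.5"],
    "api.example.org": ["198.51.100.6"],
    "example.net": ["203.0.113.7"],
}


def plan_waf_entries(inventory):
    """Return the sorted Domain Name values to add, applying the wildcard rule."""
    groups = defaultdict(dict)  # parent domain -> {hostname: set of server IPs}
    for host, ips in inventory.items():
        host = host.strip().lower().rstrip(".")
        _label, _, parent = host.partition(".")
        # Names without a sibling level (example.net) are always single entries.
        key = parent if "." in parent else None
        groups[key][host] = frozenset(ips)

    entries = []
    for parent, hosts in groups.items():
        ip_sets = set(hosts.values())
        same_server = len(ip_sets) == 1 and bool(next(iter(ip_sets)))
        if parent and len(hosts) > 1 and same_server:
            # All known subdomains share one server: one wildcard covers them.
            entries.append("*." + parent)
        else:
            # Different (or unknown) servers: add each name individually.
            entries.extend(hosts)
    return sorted(entries)


if __name__ == "__main__":
    for name in plan_waf_entries(INVENTORY):
        print(name)
```

Hosts with an empty address list are treated as unknown and kept as single entries, so a wildcard is only proposed when the shared server is confirmed.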
Verification
The initial Access Status of a website is Inaccessible. If the access status of the website changes to Accessible, then the website is connected to WAF. When a request reaches the WAF instance for the website, the access status automatically changes to Accessible.