Updated on 2024-04-17 GMT+08:00

Adding a Website to WAF (Cloud Mode - ELB Access)

If your service servers are deployed on Huawei Cloud, you can connect your web services to your cloud WAF instance in ELB access mode.

  • In this method, WAF is integrated into the gateway of an ELB load balancer through an SDK module. WAF extracts traffic through the SDK module embedded in the gateway for inspection.
  • WAF synchronizes the inspection result to the load balancer, and the load balancer determines whether to forward client requests to the origin server based on the inspection result.
  • In this method, WAF does not forward traffic. This reduces compatibility and stability problems.

If you have enabled enterprise projects, you can select an enterprise project from the Enterprise Project drop-down list and add websites to be protected in the project.

Prerequisites

  • You have purchased a cloud WAF instance.
    • To use ELB-access cloud WAF, you need to submit a service ticket to enable it for you first. ELB-access cloud WAF is available in some regions. For details, see Functions.
    • If you want to use the ELB access mode, make sure you are using standard, professional, or platinum cloud WAF. When you are using cloud WAF, the quotas for the domain name, QPS, and rule extension packages are shared between the ELB access and CNAME access modes.
  • You have purchased a dedicated load balancer with Specifications set to Application load balancing (HTTP/HTTPS). For more details, see Creating a Dedicated Load Balancer.

Constraints

  • Only dedicated load balancers with Specifications set to Application load balancing (HTTP/HTTPS) can be used. Dedicated load balancers with Specifications set to Network load balancing (TCP/UDP) are not supported.
  • Only the professional and platinum editions allow you to specify a custom policy for Policy.

Collecting Domain Name/IP Address Details

Before adding a domain name or IP address, obtain the information listed in Table 1.

Table 1 Domain name or IP address details required

Parameter: Domain Name/IP Address

Description:

  • Domain name: used by visitors to access your website. A domain name consists of letters separated by dots (.). It is a human readable address that maps to the machine readable IP address of your server.
  • IP: IP address of the website.

Example Value: www.example.com

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
  4. In the upper left corner of the website list, click Add Website.
  5. Select Cloud - Load balancer and configure basic domain name information by referring to Table 2.

    Figure 1 Configuring basic settings of a website
    Table 2 Parameter description

    Parameter: ELB (Load Balancer)
    Description: Select ELB in the drop-down list.
    Example Value: elb-waf-test

    Parameter: ELB Listener
    Description:
    • All listeners
    • Specific listener: Select a listener from the drop-down list.
    Example Value: All listeners

    Parameter: Website Name
    Description: Name of the website you want to protect
    Example Value: None

    Parameter: Domain Name
    Description: The domain name of a website to be protected. It can be a single domain name or a wildcard domain name.
    • Single domain name: Enter a single domain name, for example, www.example.com.
    • Wildcard domain name
      • If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if the subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can add the wildcard domain name *.example.com to WAF to protect all three.
      • If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one.
    Example Value:
    • Single domain name: www.example.com
    • Wildcard domain name: *.example.com
    • IP Address: XXX.XXX.1.1

    Parameter: Website Remarks
    Description: Brief description of the website
    Example Value: -

    Parameter: Policy
    Description: The system-generated policy is selected by default. You can select a policy you configured before. You can also customize rules after the domain name is connected to WAF.

    System-generated policies

    • Basic web protection (Log only mode and common checks)

      The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections.

    • Anti-crawler (Log only mode and Scanner feature)

      WAF only logs web scanning tasks, such as vulnerability scanning and virus scanning, for example, the crawling behavior of OpenVAS and Nmap.

    NOTE:
    • Log only: WAF only logs detected attack events instead of blocking them.
    • Only the professional and platinum editions allow you to specify a custom policy for Policy.

    Example Value: System-generated policy

  6. Click OK.

    You can view the added websites in the protected website list.
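The wildcard rule for the Domain Name parameter in Table 2 can be checked before you add the website. The following Python sketch is an added example, not part of the Huawei Cloud documentation or tooling; the function names and the constructed sample records (documentation-range addresses) are assumptions.

```python
import socket
from collections import defaultdict


def resolve(host):
    """Live DNS lookup: return the set of addresses a host resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return frozenset(info[4][0] for info in infos)


def plan_waf_domains(hosts, resolver=resolve):
    """Return the Domain Name entries to add to WAF for the given hosts.

    Subdomains of one parent collapse to a wildcard only when every one of
    them resolves to the same server address set; otherwise each host is
    listed as a single domain name, as Table 2 requires.
    Only the hosts passed in are checked.
    """
    by_parent = defaultdict(dict)
    for host in hosts:
        host = host.lower().rstrip(".")
        _, _, parent = host.partition(".")
        by_parent[parent][host] = frozenset(resolver(host))

    entries = []
    for parent, resolved in sorted(by_parent.items()):
        ip_sets = set(resolved.values())
        same_server = len(ip_sets) == 1 and bool(next(iter(ip_sets)))
        if parent and len(resolved) > 1 and same_server:
            entries.append("*." + parent)
        else:
            entries.extend(sorted(resolved))
    return entries


# Constructed sample records (not real deployments).
SAMPLE_DNS = {
    "a.example.com": {"192.0.2.10"},
    "b.example.com": {"192.0.2.10"},
    "c.example.com": {"192.0.2.10"},
    "shop.example.org": {"198.51.100.7"},
    "api.example.org": {"198.51.100.8"},
}

if __name__ == "__main__":
    # Offline run against the sample; drop the resolver argument to use DNS.
    for entry in plan_waf_domains(SAMPLE_DNS, resolver=SAMPLE_DNS.__getitem__):
        print(entry)
```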

Verification

The initial Access Status of a website is Inaccessible. When a request reaches the WAF instance for the website, the access status automatically changes to Accessible, which indicates that the website is connected to WAF.