Help Center> Web Application Firewall> FAQs> Website Domain Name Access Configuration> Operations After Connecting Websites to WAF> How Can I Forward Requests Directly to the Origin Server Without Passing Through WAF?
Updated on 2024-02-01 GMT+08:00
View PDF

How Can I Forward Requests Directly to the Origin Server Without Passing Through WAF?

If you select Cloud - CNAME or Dedicated for Protection, take the following steps to route your website traffic to origin servers.
  • Cloud - CNAME

    Switch the WAF working Mode to Bypassed. Then, your website requests directly go to the origin servers without passing through WAF. It takes about 3 to 5 minutes for WAF bypass to take effect.

  • Dedicated mode
    • If your website has a private network load balancer deployed behind the dedicated WAF instance, as shown in Figure 1, unbind the EIP from the internet-facing load balancer and then bind the EIP to the private load balancer. In doing so, your website traffic will bypass WAF and directly go to the origin server.
      Figure 1 Dedicated WAF instance deployment architecture (private network load balancers deployed behind dedicated WAF instances)
    • If your website has no private network load balancer deployed behind the dedicated WAF instance, as shown in Figure 2, unbind the EIP from the dedicated WAF instance and then bind the EIP to the origin server. In doing so, your website traffic will bypass WAF and directly go to the origin server.
      Figure 2 Dedicated WAF instance deployment architecture (no private network load balancer deployed behind dedicated WAF instances)

Constraints

You can switch the WAF working mode to Bypassed only when Cloud mode is selected for the website and your website encounters any of the following issues:
  • Website services need to be restored to the status when the website is not connected to WAF.
  • You need to investigate website errors, such as 502, 504, or other incompatibility issues.
  • No proxy is configured between the client and WAF.

Configuring CNAME Access in Cloud Mode

The following procedure walks you through how to configure the WAF Bypassed mode.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
  4. In the navigation pane on the left, choose Website Settings.
  5. In the row containing the target domain name, click in the Mode column and select a mode you want.

Procedure for Bypassing a Dedicated WAF Instance in Scenarios Where a Private Network Load Balancer Is Deployed Behind a WAF Instance

You can unbind the EIP from the public network load balancer and then bind it to the private load balancer so that the traffic to your protected website can bypass WAF and directly go to the origin server.

  1. Click in the upper left corner of the management console and select a region or project.
  2. Click in the upper left corner of the page and choose Elastic Load Balance under Network to go to the Load Balancers page.
  3. On the Load Balancers page, locate the row that contains the internet-facing load balancer, click More in the Operation column, and select Unbind IPv4 EIP. Figure 3 shows an example.

    Figure 3 Unbinding an EIP from an internet-facing load balancer

  4. In the displayed dialog box, click Yes to unbind the EIP from the load balancer.
  5. On the Load Balancers page, locate the row that contains the private load balancer, click More in the Operation column, and select Bind IPv4 EIP.
  6. In the displayed Bind IPv4 EIP dialog box, select the public IP address you unbind in Step 3 and click OK.

Procedure for Bypassing a Dedicated WAF Instance in Scenarios Where No Private Network Load Balancer Is Deployed Behind WAF Instances

You can remove the dedicated WAF instance from the public network load balancer and add the origin server to the internet-facing load balancer so that the traffic to your website can bypass WAF and directly go to the origin server.

  1. Click in the upper left corner of the management console and select a region or project.
  2. Click in the upper left corner of the page and choose Elastic Load Balance under Network to go to the Load Balancers page.
  3. Click the name of the load balancer you want in the Name column to go to the Basic Information page.

    Figure 4 Load balancer list

  4. Click the Backend Server Groups tab, select the dedicated WAF instance you want to remove, and click Remove in the Operation column. Figure 5 shows an example.

    Figure 5 Removing a dedicated WAF instance from an internet-facing load balancer

  5. In the displayed dialog box, click Yes.
  6. Click Add Backend Server and select servers in the displayed Add Backend Server dialog box.
  7. Click Next, configure a backend port, and click Finish.

    Figure 6 Adding origin servers as backend servers

Operations After Connecting Websites to WAF FAQs

more