Help Center/ Content Delivery Network/ Best Practices/ Accelerating Delivery of Resources Protected by WAF

Updated on 2024-11-14 GMT+08:00

View PDF

Accelerating Delivery of Resources Protected by WAF

Scenario

CDN is a smart virtual network on the Internet infrastructure. By deploying PoP servers across the network and distributing content from origin servers to these PoP servers, CDN enables users to obtain desired content nearby. Websites connected to CDN can quickly respond to user requests.

WAF keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block attacks, including Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).

If your websites have high requirements on security and acceleration, you can associate Huawei Cloud CDN with WAF to accelerate delivery of website resources, defend against web attacks, and secure your websites.

In this practice, CDN has been enabled, the acceleration domain name is www.example.com, and the domain name is resolved on Huawei Cloud.
The domain name has been licensed.

Solution Overview

The CDN+WAF solution protects your domain names and accelerates response speed of the websites regardless of their locations, on Huawei Cloud or not. The traffic flow is as follows: CDN > WAF > origin server. CDN forwards the traffic to WAF, and WAF filters out unauthorized traffic and routes only authorized traffic back to your origin server.

Click to enlarge

Solution Advantages

This solution shortens website content access latency, speeds up website response, and improves website availability. You can stop worrying about low network bandwidth, large user access traffic, and uneven distribution of branches. Besides that, this combination protects your website from web application attacks, such as SQL injections, XSS, web shells, command/code injections, file inclusion, sensitive file access, third-party application vulnerability exploits, CC attacks, malicious crawlers, and cross-site request forgery.

Resources and Costs

The following table lists the resources required for this practice.

Resource	Description	Monthly Fee
CDN	Billing mode: pay-per-use Resource packages available	For billing details, see Billing.
WAF	Cloud - Standard edition Billing mode: Yearly/Monthly Domain name quota: 10, including a maximum of one top-level domain name QPS quota: 2,000 QPS Peak bandwidth: 100 Mbit/s inside the cloud and 30 Mbit/s outside the cloud	For billing details, see Billing.

Resource

Description

Monthly Fee

CDN

Billing mode: pay-per-use
Resource packages available

For billing details, see Billing.

WAF

Cloud - Standard edition

Billing mode: Yearly/Monthly
Domain name quota: 10, including a maximum of one top-level domain name
QPS quota: 2,000 QPS
Peak bandwidth: 100 Mbit/s inside the cloud and 30 Mbit/s outside the cloud

For billing details, see Billing.

Procedure

Purchase the standard edition of cloud WAF.
1. Log in to Huawei Cloud console.
2. Choose Service List > Security & Compliance > Web Application Firewall.
3. In the upper right corner, click Buy WAF. On the displayed page, set WAF Mode to Cloud Mode.
  - Region: Select the region nearest to your services to be protected.
  - Edition: Select Standard.
  - Standard Expansion Package and Required Duration: Set them as required.
4. Confirm the details and click Buy Now.
5. Check the order details, read and agree to the Huawei Cloud WAF Disclaimer, and click Pay Now.
6. On the payment page, select a payment method and pay for your order.

Add website information to WAF.

In the navigation pane of the WAF console, choose Website Settings.
In the upper left corner of the website list, click Add Website.
Select Cloud - CNAME and click OK.
- For details about the Cloud - Load balancer mode, see Connecting a Website to WAF (Cloud Mode - Load Balancer Access)

Configure website information based on Table 1.

Figure 1 Basic information configuration
Click to enlarge

**Table 1** Key parameters
Parameter	Description	Example
Domain Name	Domain name you want WAF to protect. The domain name has been licensed. You can enter a top-level single domain name, like example.com, a second-level domain name, like www.example.com, or a wildcard domain name, like *.example.com.	www.example.com
Protection Port	Service port corresponding to the domain name of the website you want to protect.	Standard port
Server Configuration	Configurations of your web server address. You need to configure the client protocol, server protocol, server address, server port, and server weight. Client Protocol: protocol used by a client to access a server. The options are HTTP and HTTPS. Server Protocol: protocol used by WAF to forward client requests. The options are HTTP and HTTPS. Server Address: public IP address (generally corresponding to the A record of the domain name configured on DNS) or domain name (generally corresponding to the CNAME of the domain name configured on DNS) of the web server that a client accesses. Server Port: service port over which the WAF instance forwards client requests to the origin server. Weight: Requests are distributed across backend origin servers based on the load balancing algorithm you select and the weight you assign to each server.	Client Protocol: HTTP Server Protocol: HTTP Server Address: IPv4 XXX.XXX.1.1 Server Port: 80
Proxy Your Website Uses	Other proxies you deploy in front of WAF. In this example, Layer-7 proxy is selected.	Layer-7 proxy

CDN supports only domain names with the default ports. If the domain name is added to WAF using a non-standard port, the domain name cannot be added to CDN.
If you have uploaded an HTTPS certificate for the domain name on WAF, upload the certificate to CDN. Otherwise, the domain name cannot be accessed.

Click Next and finish configuration by referring to Whitelist WAF Back-to-Source IP Addresses and Verification.

Copy the CNAME generated by WAF. On the basic information page of the domain name, click under CNAME.
Add the domain name to CDN.
1. In the upper left corner of Huawei Cloud console, choose Service List > Content Delivery & Edge Computing > Content Delivery Network.
  The CDN console is displayed.
2. In the navigation pane, choose Domains.
3. On the Domains page, click Add Domain Names and specify domain parameters.
  - When adding an origin server, set Type to Domain name and Address to the CNAME generated by WAF.
4. Click OK. CDN generates a dedicated CNAME for the domain name.
(Optional) Test your acceleration domain name before adding a CNAME record to the domain's DNS records to ensure that your domain configurations are correct. For details, see (Optional) Testing the Domain Name.
Configure CNAME resolution.
1. In the upper left corner of Huawei Cloud console, choose Service List > Networking > Domain Name Service.
  
  The DNS console is displayed.
2. In the navigation pane, choose Public Zones.
3. Click the domain name you want to add a record set to. Configure the following parameters:
  - Name: Enter www.
  - Type: Select CNAME – Map one domain to another.
  - Alias: Select No.
  - Line: Select Default.
  - TTL (s): The recommended value is 5 min. The larger the TTL value, the slower the update of DNS records.
  - Value: Enter the CNAME generated in 4.
  - Keep other settings unchanged.
4. Click OK.
Check whether the CNAME record has taken effect.
Open the Windows command line interface and run the following command:
```
nslookup -qt=cname Domain name
```
If the CNAME is displayed, the CNAME record has taken effect. A typical command output is shown in the following figure.