Website Connection Overview

Updated on 2024-11-05 GMT+08:00

To use Web Application Firewall (WAF) to protect your web services, the services must be connected to WAF. WAF provides three access modes for you to connect web services to WAF: cloud CNAME, cloud load balancer, and dedicated access modes. You can select a proper access method based on how your web services are deployed. This topic describes how WAF works in different access modes, their differences, and when to use them.

NOTE:

Dedicated WAF instances are not available in some regions. For details, see Notice on Web Application Firewall (Dedicated Mode) Discontinued.

Application Scenarios

WAF provides the following access modes for you to connect websites to WAF.

  • Cloud mode - CNAME access mode
  • Cloud mode - Load balancer access mode
  • Dedicated mode
    • Service servers are deployed on Huawei Cloud.

      This mode is suitable for large enterprise websites that have a large service scale and customized security requirements.

    • Protected object: domain names or IP addresses (public or private IP addresses)
    • For details, see Connecting a Website to WAF (Dedicated Mode).

Constraints

There are some restrictions on using different access modes.

When you connect your website to WAF in cloud CNAME access mode, pay attention to the following restrictions.

Constraint: Domain name

  • A domain name can only be added to WAF once in cloud mode.

    Each combination of a domain name and a non-standard port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota. If you want to protect web services over multiple ports with the same domain name, add the domain name and each port to WAF.

  • Only domain names that have been registered with Internet Content Provider (ICP) licenses can be added to WAF.

Constraint: Service edition

  • Only the professional and platinum editions support IPv6 protection, HTTP/2, and load balancing algorithms.
  • If you are using WAF standard edition, only System-generated policy can be selected for Policy.

Constraint: Certificate

  • Only .pem certificates can be used in WAF.
  • Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used.
  • Only accounts with the SCM Administrator and SCM FullAccess permissions can select SCM certificates.

Constraint: WebSocket protocol

WAF supports the WebSocket protocol, which is enabled by default.
  • WebSocket request inspection is enabled by default if Client Protocol is set to HTTP.
  • WebSocket request inspection is enabled by default if Client Protocol is set to HTTPS.

Constraint: HTTP/2

HTTP/2 can be used only for access between the client and WAF, on the condition that at least one origin server has Client Protocol set to HTTPS.

  • To make Server Configuration work, there must be at least one server configuration record with Client Protocol set to HTTPS.
  • HTTP/2 can work only when the client supports TLS 1.2 or earlier versions.

Constraint: Limitation

After your website is connected to WAF, you can upload a file no larger than 1 GB each time.

When you connect your website to WAF in cloud load balancer access mode, pay attention to the following restrictions.

  • Only dedicated ELB load balancers with Specifications set to Application load balancing (HTTP/HTTPS) can be used. Dedicated load balancers with Specifications set to Network load balancing (TCP/UDP) are not supported.
  • Only the professional and platinum editions allow you to specify a custom policy for Policy.
  • Limitation: After your website is connected to WAF, you can upload a file no larger than 10 GB each time.

When you connect your website to WAF in dedicated mode, the restrictions are as follows:

Constraint: ELB load balancer

Only dedicated ELB load balancers can be used for dedicated WAF instances. For details, see Load Balancer Types.

NOTE:

Dedicated WAF instances issued before April 2023 cannot be used with dedicated network load balancers. If you use a dedicated network load balancer (TCP/UDP), ensure that your dedicated WAF instance has been upgraded to the latest version (issued after April 2023). For details, see Dedicated Engine Version Iteration.

Constraint: Domain name

  • The wildcard domain name * can be added to WAF. When the domain name is set to *, only non-standard ports (ports other than 80 and 443) can be protected.
  • A protected object can only be added to WAF once.

    Each combination of a domain name and a non-standard port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota. If you want to protect web services over multiple ports with the same domain name, add the domain name and each port to WAF.

Constraint: Proxy

If a layer-7 proxy server, such as CDN or cloud acceleration, is used in front of WAF, select Yes for Use Layer-7 Proxy. WAF can then obtain the real client IP address from the configured header field. For details, see Configuring a Traffic Identifier for a Known Attack Source.

Constraint: Certificate

  • Only .pem certificates can be used in WAF.
  • Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used.
  • Only accounts with the SCM Administrator and SCM FullAccess permissions can select SCM certificates.

Constraint: WebSocket protocol

WAF supports the WebSocket protocol, which is enabled by default.
  • WebSocket request inspection is enabled by default if Client Protocol is set to HTTP.
  • WebSocket request inspection is enabled by default if Client Protocol is set to HTTPS.

Constraint: Limitation

After your website is connected to WAF, you can upload a file no larger than 10 GB each time.
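The quota and wildcard rules above are easy to get wrong when onboarding many hosts at once: www.example.com and www.example.com:443 are the same protected object, while www.example.com:8080 is a second one. The following pre-check is an added example written for this page, not Huawei Cloud code; it assumes domain names or IPv4 addresses (no bracketed IPv6) and that a missing port means the standard port of the client protocol.

```python
# Added example: pre-check a list of protected objects against the
# domain-name rules described on this page before adding them to WAF.
STANDARD_PORTS = {"http": 80, "https": 443}


def parse_protected_object(entry, client_protocol="https"):
    """Split 'host[:port]' into (host, port).

    A missing port means the standard port of the client protocol, so
    'www.example.com' and 'www.example.com:443' normalize to one object.
    """
    host, sep, port = entry.strip().rpartition(":")
    if not sep:
        return entry.strip().lower(), STANDARD_PORTS[client_protocol]
    return host.lower(), int(port)


def quota_usage(entries, client_protocol="https"):
    """Return (distinct objects, quota consumed, problems).

    Rules applied (from the constraints table):
      * each domain name + port pair can be added only once and counts
        once towards the domain name quota;
      * the wildcard '*' may protect only non-standard ports, never 80/443.
    """
    seen = set()
    problems = []
    for entry in entries:
        host, port = parse_protected_object(entry, client_protocol)
        key = (host, port)
        if key in seen:
            problems.append(f"{entry}: already added, a protected object "
                            f"can be added to WAF only once")
            continue
        if host == "*" and port in STANDARD_PORTS.values():
            problems.append(f"{entry}: '*' cannot protect standard port {port}")
            continue
        seen.add(key)
    return sorted(seen), len(seen), problems


if __name__ == "__main__":
    # Constructed sample input
    objects, used, problems = quota_usage([
        "www.example.com:8080", "www.example.com:8081",
        "www.example.com", "WWW.example.com:443", "*:8443", "*:443",
    ])
    print(f"{used} quota slots used for {objects}")
    for p in problems:
        print("problem:", p)
```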


Processes of Connecting a Website to WAF

The process of connecting a website to WAF varies depending on the access mode you select.

When connecting a website to WAF in CNAME access mode, refer to the process shown in Figure 1.

Figure 1 Process of connecting a website to WAF - Cloud Mode (CNAME Access)
Table 1 Process of connecting your website domain name to WAF

Procedure: Adding a Domain Name to WAF

Configure basic information, such as the domain name, protocol, and origin server.

Procedure: Whitelisting WAF back-to-source IP addresses

If other security software or firewalls are installed on your origin server, whitelist only requests from WAF. This ensures normal access and protects the origin server from being attacked directly.

Procedure: Testing WAF

To ensure that your WAF instance forwards website traffic normally, test the WAF instance locally first, and only then route traffic destined for the website domain name to WAF by modifying the DNS record.

Procedure: Modifying DNS Records for a Domain Name

  • No proxy used

    Configure a CNAME record for the protected domain name on the DNS platform you use.

  • Proxy (such as advanced anti-DDoS and CDN) used

    Change the back-to-source address of the proxy in use, such as advanced anti-DDoS or CDN, to the copied CNAME record.

When connecting a website to WAF in cloud load balancer access mode, you can connect your website in just a few clicks. For details, see Connecting Your Website to WAF (Cloud Mode - Load Balancer Access).

When connecting a website to WAF in dedicated mode, refer to the process shown in Figure 2.

Figure 2 Process of connecting a website to a dedicated WAF instance
Table 2 Process of connecting your website domain name to WAF

Procedure: Adding Your Website to WAF

You need to configure your website (domain name or IP address) details, such as protocol and origin server.

Procedure: Configuring a Load Balancer for Your Dedicated WAF Instance

To ensure the reliability of your dedicated WAF instance, after you add a website to it, use Huawei Cloud Elastic Load Balance (ELB) to configure a load balancer and a health check for the dedicated WAF instance.

Procedure: Binding an EIP to the Load Balancer

Unbind an elastic IP address (EIP) from the origin server and bind the EIP to the load balancer configured for the dedicated WAF instance. Request traffic then goes to the dedicated WAF instance for attack detection first and only then to the origin server, ensuring the security, stability, and availability of the origin server.

Procedure: Allowing Back-to-Source IP Addresses of Dedicated WAF Instances on the Origin Server

The security software on the origin server is likely to regard WAF back-to-source IP addresses as malicious and block them. Once they are blocked, the origin server will deny all WAF requests. As a result, your website may become unavailable or respond very slowly. Therefore, ACL rules must be configured on the origin server to trust only the subnet IP addresses of your dedicated WAF instances.

Procedure: Testing Dedicated WAF Instances

After adding a website to a dedicated WAF instance, verify that WAF can forward traffic properly and that the ELB load balancers work well.
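Two origin-side controls from this page fit together: the origin must accept connections only from WAF back-to-source subnets (otherwise WAF can be bypassed by connecting to the origin directly), and when a layer-7 proxy sits in front of WAF, the real client IP has to be taken from the forwarding header while skipping only trusted hops. The following check is an added example written for this page, not Huawei Cloud or WAF code; the CIDRs and the header name are constructed placeholders that you would replace with the subnets shown in your WAF console and the proxy's real address ranges.

```python
# Added example: origin-server admission check for a website behind WAF.
# The address ranges below are constructed placeholders, not real WAF subnets.
import ipaddress

WAF_BACK_TO_SOURCE = ["203.0.113.0/24"]     # placeholder: dedicated WAF subnet(s)
LAYER7_PROXY_RANGES = ["198.51.100.0/24"]   # placeholder: CDN / anti-DDoS ranges
TRUSTED_HOPS = WAF_BACK_TO_SOURCE + LAYER7_PROXY_RANGES
CLIENT_IP_HEADER = "X-Forwarded-For"        # assumed header WAF is configured to read


def _networks(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)         # raises ValueError on malformed input
    return any(addr in n for n in nets)


def origin_accepts_peer(peer_ip, waf_cidrs=WAF_BACK_TO_SOURCE):
    """ACL rule: only TCP peers inside the WAF back-to-source subnets may reach
    the origin. A direct connection from anywhere else is a WAF bypass."""
    return _in_any(peer_ip, _networks(waf_cidrs))


def real_client_ip(peer_ip, headers, trusted_cidrs=TRUSTED_HOPS):
    """Walk the forwarding header from the right, skipping hops that belong to
    trusted infrastructure (WAF and the layer-7 proxy). The first untrusted hop
    is the client; the leftmost value is attacker-controlled and never used
    blindly. Returns None when no trustworthy value can be derived."""
    trusted = _networks(trusted_cidrs)
    if not _in_any(peer_ip, trusted):
        return peer_ip                       # not from a known proxy: ignore headers
    hops = [h.strip() for h in headers.get(CLIENT_IP_HEADER, "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            if not _in_any(hop, trusted):
                return hop
        except ValueError:
            return None                      # malformed entry: do not guess
    return None


def handle_request(peer_ip, headers):
    """Decision an origin-side middleware would make for one request."""
    if not origin_accepts_peer(peer_ip):
        return {"accepted": False, "client_ip": None, "reason": "peer is not a WAF subnet"}
    return {"accepted": True, "client_ip": real_client_ip(peer_ip, headers), "reason": None}


if __name__ == "__main__":
    # Constructed requests: one via WAF behind a CDN, one hitting the origin directly
    print(handle_request("203.0.113.10", {"X-Forwarded-For": "192.0.2.44, 198.51.100.7"}))
    print(handle_request("192.0.2.9", {"X-Forwarded-For": "10.0.0.1"}))
```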
