Connecting Your Website to WAF with Cloud Mode - Load Balancer Access

Solution Overview

In load balancer access mode, the traffic of a protected website is mirrored by load balancers to WAF. WAF checks the mirrored traffic and synchronizes the check result to the load balancer. The load balancer determines whether to forward client requests to the origin server based on the check result it receives. In this method, WAF does not forward traffic. This eliminates compatibility and stability issues that might be caused by additional-layer of traffic forwarding.

Figure 1 shows the request forwarding process after a domain name is connected to WAF.

Figure 1 Website access diagram

Prerequisites

• You have purchased a cloud WAF instance and understood details about how to connect a website to WAF.
  

  • After buying cloud mode WAF, you still need to submit a service ticket to enable the load balancer access method. For details about supported regions, see Function Overview.
  • To use Cloud Mode - Load balancer access, you need to buy the standard, professional, or enterprise edition first.

    Cloud Mode - Load balancer shares its domain name, QPS, and rule expansion package quotas with Cloud Mode - CNAME, and the service specifications are the same as those of the basic package for cloud mode you buy.

• You have purchased a dedicated load balancer with Specifications set to Application load balancing (HTTP/HTTPS). For more details, see Creating a Dedicated Load Balancer. Note that you should use the same account to buy the load balancer and dedicated WAF.

Connecting Your Website to WAF (Cloud Mode - Load balancer Access Mode)

1. Create a dedicated load balancer.
   • Specifications: Select Application load balancing (HTTP/HTTPS).
   • Set other parameters based on your service requirements.

2. Add a listener to the load balancer created in 1. For details, see Adding an HTTP Listener or Adding an HTTPS Listener.
3. Create a backend server group.
   • Load Balancer: Select Associate existing and select the load balancer created in 1 from the drop-down list.
   • Configure the server address of the website you plan to add to WAF in 5 as backend server.

4. Run the following command to check the service connectivity:

   curl -kv -H "Host: {Origin server domain name}" {protocol of the listener}://{IP address of the ELB load balancer}:{port of the listener}

   If status code 200 is returned, the service has been connected.

5. Configure the websites for which you want WAF to check the traffic.
   1. Click in the upper left corner of the page and choose Web Application Firewall under Security & Compliance.
   2. In the navigation pane on the left, click Website Settings.
   3. In the upper left corner of the website list, click Add Website.
   4. Select Cloud Mode - Load balancer and click Configure Now.
   5. On the displayed page, configure basic settings by referring to Table 1. Figure 2 shows an example.
      Figure 2 Configuring basic settings of a website
      

      Table 1 Parameter description

      Parameter	Description	Example Value
      ELB (Load Balancer)	Select the load balancer created in 1 and ensure that the server address of the protected website has been added to the load balancer.	elb-waf-test
      ELB Listener	Select the listener configured for the ELB load balancer. You can select an ELB listener of another account. All listeners: Select all listeners under the ELB load balancer. Specific listener: Select a specific listener under the ELB load balancer.	All listeners
      Website Name	(Optional) You can specify a name for your website.	None
      Domain Name	Set this parameter to the domain name or IP address (public or private IP address) you want to protect. Make sure that the domain name has been resolved to the EIP of the load balancer created in 1. Domain Name: Single domain names or wildcard domain names are supported. Single domain name: Enter a single domain name, for example, www.example.com. Wildcard domain name: If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if the subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can add the wildcard domain name *.example.com to WAF to protect all three. If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one. Wildcard domain name * can be added. In ELB load balancer access mode, one load balancer supports only one wildcard domain name. IP: You can select a public or private IP address. If a private IP address is used, ensure that the corresponding network path is accessible so that WAF can correctly monitor and filter traffic.	Single domain name: www.example.com Wildcard domain name: *.example.com IP Address: XXX.XXX.1.1
      Website Remarks	(Optional) You can enter a description for your website.	-
      Policy	Select the protection policy you want to use for the website. System-generated policy: Default value. Its details are as follows: Basic Web Protection: General Check is enabled by default. It can defend against attacks such as SQL injections, XSS, remote overflow attacks, file inclusions, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command/code injections. General Check includes: Rule Set: Default rule set (medium) is selected. Protective Action: Log only. Then, WAF only logs detected attacks but does not block them. Anti-Crawler: Scanner detection is enabled by default, and Protective Action is set to Log only. WAF only logs detected attacks but does not block them. This type of detection can defend against web scans, such as vulnerability and virus scanning, and crawler behaviors from tools like OpenVAS and Nmap. Custom protection policy: a policy you create based on your security requirements. For more details, see Configuring a Protection Policy. NOTE: Only professional and enterprise editions allow you to specify a custom policy.	System-generated policy
      Authorize WAF	Authorize WAF to access other cloud resources. To display the Load Balancer Name column in the protection event list, take the following steps: Click Authorize Now. In the Authorize WAF dialog box, confirm the permissions and click OK. The permissions to be granted are as follows: Tenant Guest: Read-only permissions for global cloud services (excluding IAM). This role is used to configure your dedicated WAF engines. Server Administrator: used to create, upgrade, or delete your dedicated WAF engine. VPC Administrator: used to configure networks for your dedicated WAF engine. ELB Administrator: used to configure a load balancer for your dedicated WAF instances. After authorization, WAF automatically creates agency premium_waf_svc_trust on the IAM console and grants it the required permissions. You can log in to the IAM console and view the agency and the permissions. For details, see Creating an Agency and Assigning Permissions. You can choose to display the Load Balancer Name column in the protection event list. For details, see 2.	Authorized

   6. Click OK.

      You can check the added websites in the protected website list.

Test WAF

• Checking the access status

  The initial access status of a website is Inaccessible. When the number of access requests reaches 20 within 5 minutes, the access status of the website automatically changes to Accessible.

• Verifying website accessibility

  Clear the browser cache and enter the domain name in the address bar to verify that the website is accessible.

  

  When accessing a website, do not include unencoded spaces in the request URL. Otherwise, the website cannot be accessed.

• Verifying the protection

  Simulate simple web attack commands and check whether WAF protection takes effect.

Follow-up Operations

• (Optional) Recommended Configurations After Website Connection: After a domain name is connected to WAF, you need to configure security settings as required.
• Configuring Protection Policies: If default protection rules cannot meet your website security requirements, you can configure custom protection rules.
• Querying a Protection Event: View website protection details.

FAQs

• Why Is the Access Status of a Domain Name or IP Address Inaccessible?
• How Do I Troubleshoot 404/502/504 Errors?
• What Can I Do If Files Cannot Be Uploaded After a Website Is Connected to WAF?
• Why Cannot the Protection Mode Be Enabled After a Domain Name Is Connected to WAF?