Help Center/ Web Application Firewall/ Best Practices/ Website Access Configuration/ Connecting a Website Without a Proxy to WAF in CNAME Access Mode
Updated on 2024-11-05 GMT+08:00
View PDF
Share

Connecting a Website Without a Proxy to WAF in CNAME Access Mode

Application Scenarios

With the deepening of digital applications, web applications are widely used by most enterprises. Many web applications, such as enterprise websites, online shopping malls, and remote office systems, are publicly accessible. They are becoming major targets of hackers. According to historical data analysis, about 75% of information security attacks target web applications. In addition, web applications and components have more vulnerabilities than others. The critical Log4j vulnerability affected most web applications adversely.

This topic walks you through on how to add your website to WAF in cloud CNAME access mode when no proxies, such as anti-DDoS or CDN products, are used in front of WAF for your website.

Architecture

If your website is not added to WAF, DNS resolves your domain name to the IP address of the origin server. If your website is added to WAF, DNS resolves your domain name to the CNAME of WAF. In this way, the traffic passes through WAF. WAF inspects every traffic coming from the client and filters out malicious traffic.

Figure 1 No proxy used

Advantages

After you enable cloud WAF for your website, the website traffic goes through WAF first. WAF examines HTTP/HTTPS requests to identify and block attacks such as SQL injections, cross-site scripting, web shells, command/code injections, file inclusion, sensitive file access, third-party application vulnerability exploits, CC attacks, malicious crawlers, and cross-site request forgery. Then, WAF forwards only legitimate traffic origin servers. In this way, WAF helps keep your website services secure and stable.

Resource and Cost Planning

Table 1 Resources and costs

Resource

Description

Monthly Fee

Web Application Firewall

Cloud - Standard edition

  • Billing mode: Yearly/Monthly
  • Domain name quota: 10, including a maximum of one top-level domain name
  • QPS quota: 2,000 QPS
  • Peak bandwidth: 100 Mbit/s inside the cloud and 30 Mbit/s outside the cloud

For details about pricing rules, see Billing Description.

Step 1: Buy the Standard Edition Cloud WAF

  1. Log in to Huawei Cloud management console.
  2. On the management console page, choose Security & Compliance > Web Application Firewall.
  3. In the upper right corner of the page, click Buy WAF. On the purchase page displayed, select Cloud Mode for WAF Mode.

    • Region: Select the region nearest to your services WAF will protect.
    • Edition: Select Standard.
    • Expansion Package and Required Duration: Set them based on site requirements.

  4. Confirm the product details and click Buy Now in the lower right corner of the page.
  5. Check the order details and read the WAF Disclaimer. Then, select the box and click Pay Now.
  6. On the payment page, select a payment method and pay for your order.

Step 2: Add Website Information to WAF

  1. In the navigation pane on the left, choose Website Settings.
  2. In the upper left corner of the website list, click Add Website.
  3. Select Cloud - CNAME and click Configure Now.
  4. Configure website information as prompted.

    Figure 2 Configuring basic information
    Table 2 Key parameters

    Parameter

    Description

    Example Value

    Domain Name

    Domain name you want to add to WAF.

    • The domain name has an ICP license.
    • You can enter a single domain name (for example, top-level domain name example.com or level-2 domain name www.example.com) or a wildcard domain name (*.example.com).

    www.example.com

    Protected Port

    The port over which the website service traffic goes

    Standard ports

    Server Configuration

    Web server address settings. You need to configure the client protocol, server protocol, server weights, server address, and server port.

    • Client Protocol: protocol used by a client to access a server. The options are HTTP and HTTPS.
    • Server Protocol: protocol used by WAF to forward client requests. The options are HTTP and HTTPS.
    • Server Address: public IP address (generally corresponding to the A record configured for the domain name on the DNS) or domain name (generally corresponding to the CNAME record configured for the domain name on the DNS) of the web server that a client accesses.
    • Server Port: service port over which the WAF instance forwards client requests to the origin server.
    • Weight: Requests are distributed across backend origin servers based on the load balancing algorithm you select and the weight you assign to each server.

    Client Protocol: Select HTTP.

    Server Protocol: HTTP

    Server Address: IPv4 XXX.XXX.1.1

    Server Port: 80

    Use Layer-7 Proxy

    You need to configure whether you deploy other layer-7 proxies in front of WAF. Select No.

    No

  5. Click Next. Then, whitelist WAF back-to-source IP addresses and test WAF as prompted.

    Figure 3 Domain name added to WAF

Step 3: Complete CNAME Access

If the Type of the domain name host record added on DNS is CNAME - Map one domain to another, add the domain name to WAF by following the steps below.

The methods to change DNS records on different DNS platforms are similar. The following example is based on our Domain Name Service (DNS).

  1. Obtain the CNAME record.

    1. Click in the upper left corner of the management console and select a region or project.
    2. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
    3. In the navigation pane, choose Website Settings.
    4. In the Domain Name column, click the target domain name to go to the Basic Information page.
      Figure 4 Basic Information
    5. In the CNAME row, click to copy the CNAME record.

  2. Change the DNS settings.

    1. Access the DNS resolution page, as shown in Figure 5.
      Figure 5 DNS page
    2. In the Operation column of the target domain name, click Modify. The Modify Record Set page is displayed.
    3. In the displayed Modify Record Set dialog box, change the record.
      • Name: Domain name configured in WAF
      • Type: Select CNAME - Map one domain to another.
      • Line: Default
      • TTL (s): The recommended value is 5 min. A larger TTL value will make it slower for synchronization and update of DNS records.
      • Value: Change it to the copied CNAME value from WAF.
      • Keep other settings unchanged.

      About modifying the resolution record:

      • The CNAME record must be unique for the same host record. The existing CNAME record must be changed to the WAF CNAME record.
      • Record sets of different types in the same zone may conflict with each other. For example, for the same host record, the CNAME record conflicts with another record, such as the A record, MX record, or TXT record. If the record type cannot be changed, you can delete the conflicting records and add a CNAME record. Deleting other records and adding a CNAME record should be completed in as short time as possible. If no CNAME record is added after the A record is deleted, domain resolution may fail.

      For details about the restrictions on domain name resolution types, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?

      Figure 6 Modifying a record set
    4. Click OK.

  3. (Optional) Ping the IP address of your domain name to check whether the new DNS settings take effect.

    It takes some time for the new DNS settings to take effect. If ping fails, wait for 5 minutes and ping again.