Updated on 2024-03-14 GMT+08:00

Configuring an Access Control Policy on an ECS or ELB to Protect Origin Servers

After you connect your website to Web Application Firewall (WAF), configure an access control policy on your origin server to allow only the WAF back-to-source IP addresses. This prevents hackers who obtain your origin server IP addresses from bypassing WAF to attack the origin servers directly.

This topic walks you through how to check whether origin servers have exposure risks and how to configure access control policies. It applies to scenarios where your origin servers are deployed on ECSs or have been added as backend servers of an ELB load balancer.

  • WAF will forward incoming traffic destined for the origin servers no matter whether you configure access control rules on the origin servers. However, if you have no access control rules configured on origin servers, bad actors may bypass WAF and directly attack your origin servers once they obtain your origin server IP addresses.
  • If you use a NAT gateway in front of an ECS for forwarding data, you also need to configure an inbound rule in the security group the ECS belongs to by referring to Configuring an Inbound Rule for an ECS. This rule allows only WAF IP addresses to access origin servers to keep them secure.

Precautions

  • Before configuring an access control policy on an origin server, ensure that you have connected to WAF all domain names of the websites that are hosted on Elastic Cloud Server (ECS) or that have Elastic Load Balance (ELB) deployed.
  • The following issues should be considered when you configure a security group:
    • If you enable the WAF bypassed mode for your website but do not disable security group and network ACL configurations, the origin server may become inaccessible from the Internet.
    • If new WAF back-to-source IP addresses are assigned to WAF after a security group is configured for your website, the website may frequently return 5xx errors.

How Do I Check Whether the Origin Server IP Address Is Exposed?

You can use a Telnet tool to establish a connection over the service port of the public IP address of your origin server (or enter the IP address of your web application in the browser). Then, check whether the connection is established.

  • Connection established

    The origin server is exposed to the public. Once a hacker obtains the public IP address of the origin server, the hacker can bypass WAF and directly attack the origin server.

  • Connection not established

    The origin server is hidden from the public and there is no exposure risk.

For example, to check whether the origin server is exposed, check whether the origin server IP address that has been protected by WAF can be connected over port 443. If information similar to that shown in Figure 1 is displayed, the connection is established and the origin server IP address is exposed.

Figure 1 Testing
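The same check can be scripted instead of run by hand with Telnet. The following is an added example, not part of the original guide: the function names are hypothetical, and it assumes you run it from a machine whose IP address is not a WAF back-to-source address. The demo at the bottom uses a constructed loopback listener so that the script runs offline.

```python
import socket

def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "established"
    except socket.timeout:
        return "timeout"       # packets silently dropped, e.g. by a security group
    except ConnectionRefusedError:
        return "refused"       # host reachable, nothing listening on this port
    except OSError:
        return "unreachable"   # no route, name resolution failure, etc.

def exposure_report(host, ports, timeout=3.0):
    """Probe each service port; the origin is exposed if any connection is established."""
    results = {port: probe(host, port, timeout) for port in ports}
    exposed = sorted(p for p, r in results.items() if r == "established")
    return {"host": host, "results": results,
            "exposed_ports": exposed, "exposed": bool(exposed)}

if __name__ == "__main__":
    # Constructed demo: a loopback listener stands in for an exposed origin server.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    demo_port = listener.getsockname()[1]
    print(exposure_report("127.0.0.1", [demo_port], timeout=1.0))
    listener.close()
```

After the access control policy is in place, the expected result from a non-WAF address is "timeout" or "refused" on every service port while the website stays reachable through WAF.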

Obtaining WAF Back-to-Source IP Addresses

A back-to-source IP address is a source IP address used by WAF to forward client requests to origin servers. To origin servers, all web requests come from WAF and all source IP addresses are WAF back-to-source IP addresses. The real client IP address is encapsulated into the HTTP X-Forwarded-For (XFF) header field.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Website Settings.
  5. In the upper right corner above the website list, click the WAF Back-to-Source IP Addresses link.

    WAF back-to-source IP addresses are periodically updated. Whitelist the new IP addresses in time to prevent those IP addresses from being blocked by origin servers.

  6. In the displayed dialog box, click Copy to copy all the addresses.

Configuring an Inbound Rule for an ECS

If your origin server is deployed on an ECS, perform the following steps to configure a security group rule to allow only the WAF back-to-source IP addresses to access the origin server.

Ensure that all WAF back-to-source IP addresses are whitelisted by an inbound rule of the security group configured for the ECS. Otherwise, the website may become inaccessible.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Compute > Elastic Cloud Server.
  4. Locate the row containing the ECS you want. In the Name/ID column, click the ECS name to go to the ECS details page.
  5. Click the Security Groups tab. Then, click Change Security Group.
  6. Click the security group ID and view the details.
  7. Click the Inbound Rules tab and click Add Rule. Then, specify parameters in the Add Inbound Rule dialog box. For details, see Table 1.

    Table 1 Inbound rule parameters

    | Parameter | Description |
    |---|---|
    | Protocol & Port | Protocol and port for which the security group rule takes effect. If you select TCP (Custom ports), enter the origin server port number in the text box below the TCP box. |
    | Source | Add all WAF back-to-source IP addresses copied in step 6 of Obtaining WAF Back-to-Source IP Addresses, one by one. NOTE: One IP address is configured in a rule. Click Add Rule to add more rules. A maximum of 10 rules can be added. |

  8. Click OK.

    Then, the security group rules allow all inbound traffic from the WAF back-to-source IP addresses.

    To check whether the security group rules take effect, refer to How Do I Check Whether the Origin Server IP Address Is Exposed? If a connection cannot be established over the service port but the website is still accessible, the configuration takes effect.
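Because WAF back-to-source IP addresses are periodically updated, it helps to compare the copied list against the inbound rules on a regular basis. The following is an added example, not part of the original guide: the rule dictionaries are a hypothetical export shape (protocol, single port, source), and all addresses are constructed sample values from documentation ranges.

```python
import ipaddress

def parse_networks(text):
    """Parse IP addresses or CIDR blocks separated by commas, spaces or newlines."""
    return {ipaddress.ip_network(tok, strict=False)
            for tok in text.replace(",", " ").split()}

def covered(net, candidates):
    """True if net lies entirely inside one of the candidate networks."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)

def audit_inbound_rules(waf_list_text, rules, service_port):
    """Compare the copied WAF list with the TCP inbound rules for one service port."""
    waf = parse_networks(waf_list_text)
    sources = {ipaddress.ip_network(r["source"], strict=False)
               for r in rules
               if r["protocol"] == "tcp" and r["port"] == service_port}
    # WAF addresses no rule allows: WAF requests are dropped, clients see 5xx errors.
    missing = sorted(str(w) for w in waf if not covered(w, sources))
    # Allowed sources outside the WAF list: a path to the origin that bypasses WAF.
    non_waf = sorted(str(s) for s in sources if not covered(s, waf))
    return {"missing": missing, "non_waf": non_waf,
            "ok": not missing and not non_waf}

# Constructed sample: the list as copied from the console dialog box.
WAF_COPIED = "192.0.2.10,192.0.2.11,198.51.100.7"

# Constructed sample: one WAF address was never added and a non-WAF range remains.
SAMPLE_RULES = [
    {"protocol": "tcp", "port": 443, "source": "192.0.2.10/32"},
    {"protocol": "tcp", "port": 443, "source": "192.0.2.11/32"},
    {"protocol": "tcp", "port": 443, "source": "203.0.113.0/24"},
    {"protocol": "tcp", "port": 22, "source": "203.0.113.5/32"},
]

if __name__ == "__main__":
    print(audit_inbound_rules(WAF_COPIED, SAMPLE_RULES, 443))
```

An entry under "missing" corresponds to the 5xx risk described in Precautions, and an entry under "non_waf" means the origin server can still be reached without passing through WAF.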

Enabling ELB Access Control

If your origin server is deployed on backend servers of an ELB load balancer, perform the following steps to configure an access control list to allow only the WAF back-to-source IP addresses to access the origin server.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Networking > Elastic Load Balance.
  4. Locate the load balancer you want. In the Listener column, click the listener name to go to the details page.
  5. On the displayed details page, click the Listeners tab and then click Configure Access Control in the Access Control column.
  6. In the displayed dialog box, select Whitelist for Access Policy.

    1. Click Create IP Address Group and add the dedicated WAF instance IP addresses copied in step 6 of Obtaining WAF Back-to-Source IP Addresses into the IP address group.
    2. Select the IP address group created in step 6.a from the IP Address Group drop-down list.

  7. Click OK.

    To check whether the security group rules take effect, refer to How Do I Check Whether the Origin Server IP Address Is Exposed? If a connection cannot be established over the service port but the website is still accessible, the configuration takes effect.