Connecting Your Website to WAF (Cloud Mode - CNAME Access)
No matter where your service servers are deployed, on Huawei Cloud, on other clouds, or in on-premises data centers, you can use the WAF cloud CNAME access mode. After WAF is enabled, you need to connect your website to WAF to enable protection. In CNAME access mode, WAF works as a reverse proxy: it checks website traffic and forwards only normal traffic back to the origin servers of your website from specific back-to-source IP addresses.
If you have enabled enterprise projects, you can select an enterprise project from the Enterprise Project drop-down list and add websites to be protected in the project.
Solution Overview
In the cloud CNAME access mode, connecting a website to WAF is to point the website traffic to WAF. WAF checks received traffic and forwards only legitimate traffic to your origin server. Figure 1 shows how your website traffic is forwarded when WAF is used.
- After a visitor enters a domain name in the browser, the client sends a request to the DNS service to query the domain name resolution address.
- DNS returns the domain name resolution address to the client.
- If no proxies (such as CDN or AAD) are used, the domain name resolution address returned by DNS is the WAF IP address. The client accesses WAF through the WAF IP address. If a proxy is used:
- The domain name resolution address returned by DNS is the IP address of the proxy. The client accesses the proxy through the proxy IP address.
- The proxy then accesses WAF over a WAF IP address.
- WAF checks the traffic, blocks abnormal traffic, and uses WAF back-to-source IP addresses to forward normal traffic to the origin server.
Access Process
You need to perform the following operations based on whether your website uses a proxy (such as AAD, CDN, and cloud acceleration products).
Procedure | Description
---|---
Step 1. Add Your Domain Name to WAF | Add a domain name and origin server details to WAF.
Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server | Obtain and allow back-to-source IP addresses.
Step 3: Test WAF | Test website connectivity.
Step 4: Modify the DNS Records of the Domain Name | Point the DNS resolution of the domain name to the WAF CNAME record.
Step 5: Verify Website Access | Check whether a domain name is accessible after being connected to WAF and whether basic protection takes effect.
Prerequisites
- You have purchased a cloud WAF instance and understood details about how to connect a website to WAF.
- Make sure your domain names have Internet Content Provider (ICP) licenses, or they cannot be added to WAF.
Step 1. Add Your Domain Name to WAF
To connect your services to WAF, you need to add the domain name and origin server information to WAF.
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner of the page and choose Web Application Firewall under Security & Compliance.
- In the navigation pane, click Website Settings.
- In the upper left corner of the website list, click Add Website.
- Select Cloud Mode - CNAME and click Configure Now.
- Configure the basic settings by referring to Table 1.
Figure 2 Configuring basic information
Table 1 Parameter description (Parameter / Description / Example Value)
Parameter: Domain Name
The domain name you want WAF to protect. You can enter a top-level single domain name, like example.com, a second-level domain name, like www.example.com, or a wildcard domain name, like *.example.com.
NOTICE:
- The starter edition does not support adding wildcard domain names to WAF.
- The following are the rules for adding wildcards to domain names:
  - If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if the subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can add the wildcard domain name *.example.com to WAF to protect all three.
  - If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one.
- Each combination of a domain name and a port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota.
- Only the domain names that have been registered with Internet Content Provider (ICP) licenses can be added to WAF.
Example value: -
Parameter: Website Name (Optional)
Website name you specify.
Example value: WAF
Parameter: Website Remarks (Optional)
Remarks of the website.
Example value: waftest
Parameter: Protected Port
Port to be protected.
- To protect port 80 or 443, select Standard port from the drop-down list.
- To protect other ports, select one that WAF supports. Click View Ports You Can Use to view the HTTP and HTTPS ports supported by WAF. For more information, see Ports Supported by WAF.
NOTE: If a port other than 80 or 443 is configured, visitors need to append the non-standard port to the website address when they access the website. Otherwise, a 404 error will occur. If a 404 error occurs, see How Do I Troubleshoot 404/502/504 Errors?
Example value: 81
Parameter: Server Configuration
Information about the website server, including the client protocol, server protocol, server address, weight, and server port.
- Client Protocol: the protocol used by the client to access the server. The option can be HTTP or HTTPS.
  Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). In HTTPS, the communication is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). HTTPS is widely used to protect the privacy and integrity of data in transit and to authenticate website identities. So, if HTTPS is selected, you need to configure a certificate.
  If you set Client Protocol to HTTPS, HTTP/2 can be enabled. For details, see Enabling HTTP/2.
  NOTE: If Standard port is selected for Protected Port, by default, port 443 is protected for HTTPS, and port 80 for HTTP.
- Server Protocol: the protocol supported by your website server, that is, the protocol WAF uses to forward client requests to it. The options are HTTP and HTTPS.
  NOTE: If the client protocol is different from the origin server protocol, WAF forcibly uses the origin server protocol to forward client requests.
- Server Address: public IP address (generally corresponding to the A record of the domain name configured on the DNS) or domain name (generally corresponding to the CNAME of the domain name configured on the DNS) of the web server that a client accesses. The following IP address formats are supported:
  - IPv4 address, for example, XX.XXX.1.1
  - IPv6 address, for example, fe80:0000:0000:0000:0000:0000:0000:0000
  NOTICE: Only the professional and platinum editions support IPv6 protection.
- Server Port: service port over which the WAF instance forwards client requests to the origin server.
- Weight: Requests are distributed across backend origin servers based on the load balancing algorithm you select and the weight you assign to each server.
Example value:
Client Protocol: HTTP
Server Protocol: HTTP
Server Address: XXX.XXX.1.1
Server Port: 80
Parameter: Certificate
If you set Client Protocol to HTTPS, an SSL certificate is required.
- If you have not created a certificate, click Import New Certificate. In the Import New Certificate dialog box, set the certificate parameters. For more details, see Uploading a Certificate.
  The newly imported certificates will also be listed on the Certificates page.
- If a certificate has been created, select a valid certificate from the Existing certificates drop-down list.
- If you have used a CCM certificate under the same account, you can select an SSL certificate from the drop-down list. The name of the SSL certificate you select must be the same as that in CCM.
NOTICE:
- Only .pem certificates can be used in WAF. If the certificate is not in PEM format, convert it into PEM first. For details, see How Do I Convert a Certificate into PEM Format?
- Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used.
- A record is automatically generated for the selected SSL certificate on the Certificates page. You can change the certificate name on this page, but the certificate name displayed in CCM will not be changed accordingly.
- If your website certificate is about to expire, purchase a new certificate before the expiration date and update the certificate associated with the website in WAF.
  WAF can send notifications if a certificate expires. You can configure such notifications on the Notifications page. For details, see Enabling Alarm Notifications.
- Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, add domain names one by one in WAF.
Example value: -
Parameter: Specify Minimum TLS Version and Cipher Suite
After selecting a certificate, you need to select the minimum TLS version and cipher suite.
In WAF, the minimum TLS version is TLS v1.0 and the cipher suite is Cipher suite 1 by default. TLS v1.0 and v1.1 are deprecated (RFC 8996), so raise the minimum version unless you must support legacy clients. For more details, see Configuring PCI DSS/3DS Compliance Check and TLS.
Example value:
Minimum TLS version: TLS v1.0
Cipher suite: Cipher suite 1
Parameter: Use Layer-7 Proxy
- Yes: Layer-7 web proxy products, such as anti-DDoS, CDN, and other cloud acceleration services, forward requests to WAF.
- No: No layer-7 proxy is used.
NOTICE: If your website uses a proxy, select Yes. WAF then obtains the real client IP address from the configured header field. For details, see Configuring a Traffic Identifier for a Known Attack Source.
Example value: No proxy
- Complete advanced settings.
Figure 3 Advanced Settings
Table 2 Advanced settings (Parameter / Description / Example Value)
Parameter: Load Balancing Algorithm
If there are multiple origin server addresses, select a load balancing algorithm so that traffic is distributed across origin servers in the way you specify.
- Origin server IP hash: Requests from the same IP address are routed to the same backend server.
- Weighted round robin: All requests are distributed across origin servers in turn based on the weight set for each origin server. An origin server with a larger weight receives more requests than the others.
- Session hash: Requests with the same session tag are routed to the same origin server. To use this algorithm, configure traffic identifiers for known attack sources first; otherwise, the Session hash algorithm cannot take effect.
For more details, see Switching the Load Balancing Algorithm.
Example value: Weighted round robin
Parameter: IPv6 Protection
If the domain name is accessible using an IPv6 address, enable IPv6 Protection. After you enable it, WAF assigns an IPv6 address to the domain name. For more details, see Enabling IPv6 Protection.
NOTE:
- Only the professional and platinum editions support IPv6 protection.
- If you select IPv6 for Server Address, IPv6 Protection is enabled by default.
- If you select IPv4 for Server Address and enable IPv6 Protection, WAF assigns an IPv6 address to the domain name so that the website is accessible over IPv6. Requests to the IPv6 address are then routed by WAF to the IPv4 address of the origin server. For details, see How Does WAF Forward Traffic to an IPv6 Origin Server?
- If the origin server uses IPv6 addresses, IPv6 protection is enabled by default. To prevent IPv6 service interruption, keep IPv6 protection enabled. If IPv6 protection is not needed, edit the server configuration and delete the IPv6 configuration from the origin server first. For details, see Editing Server Information.
Example value: Enabled
Parameter: HTTP/2
If your website needs to support HTTP/2 access, select Use for HTTP/2.
HTTP/2 can be used only for access between the client and WAF, and only if at least one origin server uses HTTPS for Client Protocol.
NOTICE:
- Only the professional and platinum editions support HTTP/2.
- For HTTP/2 to take effect, there must be at least one server configuration record with Client Protocol set to HTTPS.
- HTTP/2 can work only when the client supports TLS 1.2 or earlier versions.
Example value: Use
Parameter: Policy
Select the protection policy you want to use for the website.
- System-generated policy (default): For details, see Table 3. If the number of added protection policies reaches the quota, this option will be grayed out.
- Custom protection policy: a policy you create based on your security requirements. For more details, see Configuring a Protection Policy.
NOTICE: If you are using WAF standard edition, only System-generated policy can be selected.
Example value: System-generated policy
Table 3 Parameters for system-generated policies

Edition | Policy | Description
---|---|---
Standard | Basic web protection (Log only mode and common checks) | Basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections.
Professional and platinum | Basic web protection (Log only mode and common checks) | Basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections.
Professional and platinum | Anti-crawler (Log only mode and Scanner feature) | WAF only logs web scanning tasks such as vulnerability scanning and virus scanning, for example the crawling behavior of OpenVAS and Nmap.

Log only: WAF only logs detected attacks instead of blocking them.
- Click Next.
Whitelist WAF back-to-source IP addresses, test WAF, and modify the DNS record for the domain name as prompted.
Figure 4 Domain name added to WAF
Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server
A back-to-source IP address is a source IP address used by WAF to forward client requests to origin servers. To origin servers, all web requests come from WAF, and all source IP addresses are WAF back-to-source IP addresses. The real client IP address is encapsulated into the HTTP X-Forwarded-For (XFF) header field.
If the origin server uses other firewalls, network ACLs, security groups, or antivirus software, they are likely to block WAF back-to-source IP addresses as malicious. So, you need to configure an access control policy on your origin server that allows only WAF back-to-source IP addresses to access it. This also prevents attackers from bypassing WAF and reaching origin servers directly.
- More WAF IP addresses may be added over time due to scale-out or new clusters. For your legacy domain names, WAF IP addresses usually fall into several class C IP address blocks (192.0.0.0 to 223.255.255.255) of two to four clusters.
- Generally, these IP addresses do not change unless the clusters in use are changed by DR switchovers or other scheduling switchovers. Even when a WAF cluster is switched over in the WAF backend, WAF checks the security group configuration on the origin server to prevent service interruptions.
- Obtain WAF back-to-source IP addresses.
After Step 1. Add Your Domain Name to WAF is complete, expand Step 1: (Optional) Whitelist WAF back-to-source IP addresses and click the copy button to copy all back-to-source IP addresses. Alternatively, go to the Website Settings page, locate the target domain name, and click Whitelist WAF in the Access Status column. Then, click the copy button to copy all back-to-source IP addresses.
Figure 5 Copying the back-to-source IP addresses
- Open the security software on the origin server and add the copied IP addresses to the whitelist.
- If origin servers are deployed on ECSs, see Whitelisting WAF Back-to-Source IP Addresses on Origin Servers That Are Deployed on ECSs.
- If origin servers are added to backend servers of an ELB load balancer, see Whitelisting WAF Back-to-Source IP Addresses on Origin Servers That Use Load Balancers.
- If you also use Cloud Firewall (CFW) on Huawei Cloud, refer to Adding a Protection Rule.
- If your website is deployed on servers on other cloud vendors, whitelist the WAF back-to-source IP addresses in the corresponding security group and access control rules.
- If only personal antivirus software is installed on the origin server, it has no interface for whitelisting IP addresses. If the origin server provides external web services, install enterprise security software on it or use Huawei Cloud Host Security Service (HSS). These products identify the sockets of IP addresses that send a large number of requests and occasionally disconnect those connections; generally, WAF IP addresses are not blocked.
- After the preceding operations are complete, click Finished.
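The origin-side rule this step describes (accept connections only from WAF back-to-source addresses, and read the visitor's address from X-Forwarded-For only on those connections) as an added example, not code from the page or from Huawei Cloud. The address ranges and sample connections are constructed stand-ins; replace WAF_BACK_TO_SOURCE with the list copied from the console, and add the ranges of any CDN/AAD proxy in front of WAF if you use one.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-ins for the back-to-source addresses copied from the WAF
# console (TEST-NET ranges; hypothetical, not real Huawei Cloud WAF ranges).
WAF_BACK_TO_SOURCE = ["192.0.2.0/24", "198.51.100.0/24"]


def build_allowlist(cidrs: List[str]) -> List[Network]:
    """Parse the copied list (single IPs or CIDR blocks) once, up front."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()]


def is_trusted_hop(ip: str, allowlist: List[Network]) -> bool:
    """True if `ip` is a WAF back-to-source address (or another trusted proxy)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


@dataclass(frozen=True)
class Decision:
    accept: bool              # False: the request did not come through WAF, drop it
    client_ip: Optional[str]  # real visitor address recovered from X-Forwarded-For
    reason: str


def evaluate(src_ip: str, xff: Optional[str], allowlist: List[Network]) -> Decision:
    """Origin-side check for one request: the TCP peer must be a WAF
    back-to-source address, and only then is X-Forwarded-For believed.

    The XFF chain is walked from the right. Every trusted hop (WAF, and any
    CDN/AAD proxy you added to the allowlist) is skipped; the first untrusted
    address is the client. A client-supplied prefix such as
    "10.9.9.9, <real>" therefore cannot spoof the result.
    """
    if not is_trusted_hop(src_ip, allowlist):
        return Decision(False, None, f"peer {src_ip} is not a WAF back-to-source address")
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_hop(hop, allowlist):
            try:
                return Decision(True, str(ipaddress.ip_address(hop)), "client taken from X-Forwarded-For")
            except ValueError:
                # Came through WAF, so serve it, but do not use the header for IP-based decisions.
                return Decision(True, None, f"malformed X-Forwarded-For hop {hop!r}")
    return Decision(True, None, "no untrusted hop in X-Forwarded-For")


# Constructed sample connections as the origin server would see them: (peer IP, XFF header).
SAMPLE = [
    ("192.0.2.10", "203.0.113.5"),            # normal: WAF -> origin
    ("192.0.2.10", "10.9.9.9, 203.0.113.5"),  # visitor forged an XFF prefix
    ("203.0.113.77", "203.0.113.77"),         # direct hit on the origin, bypassing WAF
    ("198.51.100.4", None),                   # request via WAF without an XFF header
]


def run_samples(allowlist: Optional[List[Network]] = None) -> List[Decision]:
    allowlist = allowlist or build_allowlist(WAF_BACK_TO_SOURCE)
    return [evaluate(src, xff, allowlist) for src, xff in SAMPLE]


if __name__ == "__main__":
    for (src, xff), d in zip(SAMPLE, run_samples()):
        print(f"{src:<14} xff={xff!r:<28} accept={d.accept} client={d.client_ip} ({d.reason})")
```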
Step 3: Test WAF
You can modify the hosts file on the local server, set the domain name addressing mapping (DNS resolution records that take effect only on the local computer), and point the website domain name to the WAF IP address on the local computer. In this way, you can access the protected domain name from the local computer to verify whether the domain name is accessible after it has been added to WAF, preventing website access exceptions caused by abnormal domain name configurations.
Before performing this operation, ensure that:
- The protocol, address, and port used by the origin server (for example, www.example5.com) are correctly configured when adding a domain name to WAF. If Client Protocol is set to HTTPS, ensure that the uploaded certificate and private key are correct.
- Operations in Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server have been finished.
- Obtain the CNAME record.
- Method 1: After Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server is complete, expand Step 2: Test WAF and copy the CNAME record on the displayed page. Alternatively, go to the Website Settings page, locate the target domain name, and click Test WAF in the Access Status column. On the page displayed, copy the CNAME record.
- Method 2: On the Website Settings page, click the target domain name. On the basic information page displayed, click in the CNAME row to copy the CNAME record.
- Ping the CNAME record and record the corresponding IP address.
Use www.example5.com as an example and its CNAME record is xxxxxxxdc1b71f718f233caf77.waf.huaweicloud.com.
Open cmd in Windows or bash in Linux and run ping xxxxxxxdc1b71f718f233caf77.waf.huaweicloud.com to obtain the WAF access IP address. As shown in Figure 6, the WAF access IP address is displayed. If no WAF access IP address is returned after you ping the CNAME record, your network may be unstable; ping the CNAME record again when your network is stable.
- Add a mapping from the protected domain name to the WAF access IP address (the address the CNAME resolved to) to the hosts file.
- Use a text editor to edit the hosts file. Its location is as follows:
- Windows: the hosts file in C:\Windows\System32\drivers\etc
- Linux: /etc/hosts
- Add a record like Figure 7 to the hosts file. The IP address is the WAF access IP address obtained by pinging the CNAME record, and the domain name is the protected domain name.
- Save the hosts file and ping the protected domain name on the local PC.
Figure 8 Pinging the domain name
It is expected that the resolved IP address is the WAF access IP address obtained by pinging the CNAME record. If the origin server address is returned, refresh the local DNS cache (run ipconfig /flushdns in Windows cmd, or resolvectl flush-caches in Linux bash on systems that use systemd-resolved).
- Verify the access.
- Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.
If the domain name has been resolved to WAF back-to-source IP addresses and WAF configurations are correct, the website is accessible.
- Simulate simple web attack commands.
- Set the mode of Basic Web Protection to Block. For details, see Enabling Basic Web Protection.
- Clear the browser cache, enter the test domain name in the address bar, and check whether WAF blocks the simulated SQL injection attack against the domain name.
Figure 9 Request blocked
- In the navigation pane, choose Events to view test data.
- Verify that the preceding steps are complete and click Finished.
Step 4: Modify the DNS Records of the Domain Name
After a domain name is added to WAF, WAF functions as a reverse proxy between the client and server. The real IP address of the server is hidden, and only the IP address of WAF is visible to web visitors. You must point the DNS resolution of the domain name to the CNAME record provided by WAF. In this way, access requests can be resolved to WAF. After your website connectivity with WAF is tested locally, you can go to the DNS platform hosting your domain name and resolve the domain name to WAF. Then WAF protection can work.
Before modifying the DNS records of a domain name, ensure that:
- Operations in Step 1. Add Your Domain Name to WAF, Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server, and Step 3: Test WAF have been completed.
- You have the permission to modify domain name resolution settings on the DNS platform hosting your domain name.
No proxies used
- Obtain the CNAME record of WAF.
- Method 1: After Step 3: Test WAF is complete, expand Step 3: Change DNS Resolution, and copy the CNAME record on the displayed page. Alternatively, go to the Website Settings page, locate the target domain name, and click Modify DNS in the Access Status column. Then, copy the CNAME record on the page displayed.
- Method 2: On the Website Settings page, click the target domain name. On the basic information page displayed, click in the CNAME row to copy the CNAME record.
- Change the DNS records of the domain name to the WAF CNAME record.
Configure the CNAME record at your DNS provider. For details, contact your DNS provider.
The following uses Huawei Cloud DNS as an example to show how to configure a CNAME record. If the following configuration is inconsistent with your configuration, use information provided by the DNS providers.
- Click in the upper left corner of the page and choose Networking > Domain Name Service.
- In the navigation pane on the left, choose Public Zones.
- In the Operation column of the target domain name, click Manage Record Set. The Record Sets tab page is displayed.
Figure 10 Record sets
- In the row containing the desired record set, click Modify in the Operation column.
- In the displayed Modify Record Set dialog box, change the record value.
- Name: Domain name configured in WAF
- Type: Select CNAME-Map one domain to another.
- Line: Select Default.
- TTL (s): The recommended value is 5 min. A larger TTL value will make it slower for synchronization and update of DNS records.
- Value: Change it to the WAF CNAME record copied from WAF.
- Keep other settings unchanged.
Figure 11 Modify Record Set
About modifying the resolution record:
- The CNAME record must be unique for the same host record. You need to change the existing CNAME record of your domain name to WAF CNAME record.
- Record sets of different types in the same zone may conflict with each other. For example, for the same host record, the CNAME record conflicts with other records such as A, MX, and TXT records. If the record type cannot be changed directly, delete the conflicting records and add a CNAME record. Deleting the other records and adding the CNAME record should be completed in as short a time as possible: if no CNAME record is added after the A record is deleted, domain resolution will fail in the meantime.
For details about the restrictions on domain name resolution types, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?
- Click OK.
Proxy used
- Obtain the WAF CNAME record.
- Method 1: After Step 3: Test WAF is complete, click Step 3: Change the back-to-source IP address of the proxy. On the displayed page, copy the CNAME record. Alternatively, go to the Website Settings page, click Change Proxy IP Address in the Access Status column, and copy the CNAME record on the displayed page.
- Method 2: On the Website Settings page, click the target domain name. On the basic information page displayed, click in the CNAME row to copy the CNAME record.
- Make sure the domain name has been pointed to the proxy and change the back-to-source IP address of the used proxy, such as anti-DDoS and CDN services, to the copied CNAME record.
To prevent other users from configuring your domain names on WAF in advance (this will cause interference on your domain name protection), add the subdomain name and TXT record on your DNS management platform.
- Obtain the subdomain name and TXT record: On the top of the domain name basic information page, click next to Inaccessible. In the dialog box displayed, copy the subdomain name and TXT record.
- Add Subdomain Name at the DNS provider and configure TXT Record for the subdomain name. For details about the configuration method, see What Are Impacts If No Subdomain Name and TXT Record Are Configured?
WAF determines which user owns the domain name based on the configured Subdomain Name and TXT Record.
Configuration verification
After completing the preceding configurations, you need to check the CNAME record of the domain name.
- In Windows, choose Start > Run. Then enter cmd and press Enter.
- Run an nslookup command to query the CNAME record.
If the configured CNAME record is returned, the configuration is successful. An example command response is displayed in Figure 12.
Using www.example.com as an example, the command is as follows:
nslookup www.example.com
- After the preceding steps are complete, select Finished.
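The record-set rules from the "No proxies used" procedure (one CNAME per host record; a CNAME conflicts with A, MX, TXT and other records on the same host, so those are deleted and the CNAME added in as short a window as possible) and the nslookup check from "Configuration verification", as an added example that is not part of this page or of Huawei Cloud DNS. The zone contents are constructed; the WAF CNAME is the placeholder from this page, and RecordSet/Step are hypothetical names.

```python
from dataclasses import dataclass
from typing import List

# CNAME placeholder shown on this page; copy the real one from the WAF console.
WAF_CNAME = "xxxxxxxdc1b71f718f233caf77.waf.huaweicloud.com"
RECOMMENDED_TTL = 300  # the 5 min the page recommends, in seconds


@dataclass(frozen=True)
class RecordSet:
    name: str   # host record, e.g. www.example.com
    type: str   # A, AAAA, CNAME, MX, TXT, ...
    value: str
    ttl: int


@dataclass(frozen=True)
class Step:
    action: str       # "delete", "add" or "modify"
    record: RecordSet


def _norm(name: str) -> str:
    """Compare DNS names case-insensitively and ignore a trailing dot."""
    return name.rstrip(".").lower()


def plan_cname_cutover(existing: List[RecordSet], host: str,
                       waf_cname: str = WAF_CNAME, ttl: int = RECOMMENDED_TTL) -> List[Step]:
    """Ordered DNS changes that point `host` at the WAF CNAME.

    An existing CNAME is modified in place (only one CNAME per host record).
    Otherwise every record on the same host conflicts with a CNAME, so those
    are deleted first and the CNAME is added immediately afterwards; records
    on other hosts are left alone.
    """
    same_host = [r for r in existing if _norm(r.name) == _norm(host)]
    target = RecordSet(_norm(host), "CNAME", _norm(waf_cname), ttl)
    cnames = [r for r in same_host if r.type.upper() == "CNAME"]
    if len(cnames) > 1:
        raise ValueError(f"{host} has {len(cnames)} CNAME records; expected at most one")
    if cnames and _norm(cnames[0].value) == target.value:
        return []                        # already pointed at WAF, nothing to do
    if cnames:
        return [Step("modify", target)]  # change the value of the existing CNAME
    steps = [Step("delete", r) for r in same_host]  # conflicting A/MX/TXT/... records
    steps.append(Step("add", target))    # add the CNAME right after the deletions
    return steps


def cname_matches(observed: str, waf_cname: str = WAF_CNAME) -> bool:
    """Check the canonical name returned by nslookup against the copied WAF
    CNAME, tolerating upper case and the trailing dot resolvers print."""
    return _norm(observed) == _norm(waf_cname)


if __name__ == "__main__":
    # Constructed zone contents before the cutover.
    zone = [
        RecordSet("www.example.com", "A", "203.0.113.10", 600),
        RecordSet("www.example.com", "TXT", "v=spf1 -all", 600),
        RecordSet("mail.example.com", "MX", "10 mx.example.com.", 600),
    ]
    for step in plan_cname_cutover(zone, "www.example.com"):
        r = step.record
        print(f"{step.action:<7} {r.type:<5} {r.name} -> {r.value} (ttl {r.ttl})")
    print("cname ok:", cname_matches("XXXXXXXDC1B71F718F233CAF77.waf.huaweicloud.com."))
```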
Step 5: Verify Website Access
- Check the access status.
Generally, if you have performed domain connection and Access Status is Accessible, the domain name is connected to WAF.
If the domain name has been connected to WAF but its Access Status is still Inaccessible, click to refresh the status. If the status is still Inaccessible, fix the issue by referring to Why My Domain Name Is Inaccessible?
- Check the website accessibility.
- Enter the domain name in the address bar of your browser and check whether the website is accessible.
If a non-standard port is configured, the visitors need to add the non-standard port to the end of the website address when they access the website. Otherwise, a 404 error will occur. If a 404 error occurs, see How Do I Troubleshoot 404/502/504 Errors?
- Simulate simple web attack commands and check whether WAF protection takes effect. For details, see the attack simulation in Step 3: Test WAF.
Follow-up Operations
After adding a domain name to WAF, you need to:
- Complete Recommended Configurations
- If HTTPS is selected for Client Protocol, you can configure PCI DSS/3DS compliance check and TLS, enable HTTP/2, and enable cookies.
- Enabling WAF IPv6 Protection: You can use WAF to protect IPv6 origin servers.
- Configuring a Timeout for Connections Between WAF and a Website Server: The default timeout for a connection between WAF and the origin server is 30 seconds. You can customize the connection timeout, read timeout, and write timeout.
- Configuring a Traffic Identifier for a Known Attack Source: Configure an identifier for the client IP address, session, or user to block malicious requests based on the IP address, cookie, or params for a duration you specify.
- Forwarding Custom Header Fields: After you add a header field, WAF inserts it into the request before forwarding the requests to the origin server to mark the requests.
- Modifying the Alarm Page: Customize the page you want to return to visitors when WAF blocks a website request.
- Adjust the protection policy configured for the protected domain name based on protection requirements. For details, see Protection Configuration Overview.