Connecting Your Website to WAF with Cloud Mode - CNAME Access
No matter where your service servers are deployed, on Huawei Cloud, other clouds, or on-premises Internet data centers (IDCs), you can use WAF cloud mode CNAME access. After WAF is enabled, you need to connect your website to WAF to enable protection. In CNAME access mode, WAF works as a reverse proxy. WAF checks website traffic and forwards only normal traffic back to origin servers of your website over specific back-to-source IP addresses.

- In cloud mode CNAME access, WAF can only protect website domain names. If you need to configure a fixed access IP address, use Connecting Your Website to WAF with Cloud Mode - Load Balancer Access.
- If a domain name has both HTTP (layer 7) and layer-4 services, you cannot use cloud mode CNAME access. You can use Connecting Your Website to WAF with Cloud Mode - Load Balancer Access or Connecting Your Website to WAF with Dedicated Mode to configure the listener corresponding to the layer-4 service on the ELB load balancer to forward requests to the origin server. In this way, layer-4 service requests are not forwarded to WAF, and only layer-7 service requests are forwarded to WAF.
Solution Overview
In cloud CNAME access mode, connecting a website to WAF means pointing the website traffic to WAF. WAF checks received traffic and forwards only legitimate traffic to your origin server. Figure 1 shows how your website traffic is forwarded when WAF is used.
- After a visitor enters a domain name in the browser, the client sends a request to the DNS service to query the domain name resolution address.
- DNS returns the domain name resolution address to the client.
- If no proxies (such as CDN or AAD) are used, the domain name resolution address returned by DNS is the WAF IP address. The client accesses WAF through the WAF IP address. If a proxy is used:
- The domain name resolution address returned by DNS is the IP address of the proxy. The client accesses the proxy through the proxy IP address.
- The proxy then accesses WAF over a WAF IP address.
In the cloud mode - CNAME access scenario, if the origin server is attacked, WAF may switch over the WAF IP addresses mapped to the CNAME record. So, do not whitelist the WAF IP addresses mapped to the CNAME record in the outbound rules of the request source (for example, Client or Proxy in Figure 1) in front of WAF. Otherwise, website services may be interrupted.
- WAF checks the traffic, blocks abnormal traffic, and uses WAF back-to-source IP addresses to forward normal traffic to the origin server.
Access Process
You need to perform the following operations based on whether your website uses a proxy (such as AAD, CDN, and cloud acceleration products).
Procedure | Description |
---|---|
Step 1. Add Your Domain Name to WAF | Add a domain name and origin server details to WAF. |
Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server | Obtain and allow back-to-source IP addresses. |
Step 3: Test WAF | Test website connectivity. |
Step 4: Modify the DNS Records of the Domain Name | |
Step 5: Verify Website Access | Describes how to check whether a domain name is accessible after being connected to WAF and whether basic protection takes effect. |
Prerequisites
- You have purchased a cloud WAF instance and understood details about how to connect a website to WAF.
- Make sure your domain names have Internet Content Provider (ICP) licenses, or they cannot be added to WAF.
Step 1. Add Your Domain Name to WAF
To connect your services to WAF, you need to add the domain name and origin server information to WAF.
- Log in to the WAF console.
- Click the icon in the upper left corner and select a region or project.
- (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
- In the navigation pane on the left, click Website Settings.
Before adding a website to WAF, you can click Usage Guide in the upper right corner of the page to learn about cloud mode CNAME access.
- In the upper left corner of the website list, click Add Website.
- Select Cloud Mode - CNAME and click Configure Now.
- On the Add Website panel, configure Basic Settings.
Figure 2 Configuring basic information
Table 1 Parameter description
Parameter
Description
Example Value
Protected Domain Name
The domain name you want to add to WAF for protection.
- The domain name must have Internet Content Provider (ICP) licenses, or it cannot be added to WAF.
- If a domain name uses different ports, each combination of the domain name plus a port is a unique protected object. For example, if you add www.example.com:8080 and www.example.com:8081 to WAF, they are considered as two domain names and counted towards two domain names in your quota.
- You can add the following types of domain names:
- Single domain names, such as top-level domain name example.com or second-level domain name www.example.com.
- Wildcard domain names, such as *.example.com
- The starter edition does not support adding wildcard domain names to WAF.
- If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can add wildcard domain name *.example.com to WAF to protect all three.
- If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one.
- Each domain name must correspond to a certificate. A wildcard domain name can only be used for a wildcard domain certificate. If you only have single-domain certificates, you need to add domain names one by one to WAF.
You can click Quick Add Domain Names Hosted on this Cloud and select a domain name used in Huawei Cloud.
www.example.com
Website Name (Optional)
Website name you specify.
WAF
Website Remarks (Optional)
Remarks of the website.
waftest
Protected Port
Port to be protected. Only one port can be added for a protected domain name. If you want to protect more ports for a domain name, add the domain name and each port to WAF by referring to Step 1. Add Your Domain Name to WAF.
- To protect port 80 or 443, select Standard port from the drop-down list.
- To protect other ports, choose one from the drop-down list. Click View Ports You Can Use to view the HTTP and HTTPS ports supported by WAF. For more information, see Ports Supported by WAF.
If a port other than 80 or 443 is configured, the visitors need to add the non-standard port to the end of the website address when they access the website. Otherwise, a 404 error will occur. If a 404 error occurs, see How Do I Troubleshoot 404/502/504 Errors?
Standard ports
Server Configuration
Configure the website server information, including:
- Client Protocol: protocol used by a client to access the website server. The options are as follows:
- HTTP: If you select Standard port for Protected Port, port 80 is protected by default for HTTP.
- HTTPS: If you select Standard port for Protected Port, port 443 is protected by default for HTTPS.
- Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). HTTPS is widely used to protect privacy and integrity of data in transit and to authenticate website identities. So, if HTTPS is selected, you need to configure a certificate.
- If you select HTTPS, you can enable HTTP/2. For details, see Enabling the HTTP/2 Protocol.
- Server Protocol: protocol used by WAF to forward requests to the website server. You can select HTTP or HTTPS.
If the client protocol is different from the origin server protocol, WAF forcibly uses the origin server protocol to forward client requests.
- Server Address: the public IP address or domain name of your website server that the client accesses.
- The public IP address typically maps to the A record of your domain name hosted in the DNS platform. The following IP address formats are supported:
- IPv4 address, for example, XXX.XXX.1.1
- IPv6, for example, fe80:0000:0000:0000:0000:0000:0000:0000
NOTE:
Only professional and enterprise editions support IPv6 protection.
- The domain name typically maps to the CNAME record of your domain name in the DNS platform.
- Server Port: service port over which the WAF instance forwards client requests to the origin server.
- Weight: Requests are distributed across backend origin servers based on the load balancing algorithm you select and the weight you assign to each server.
- If you select the weighted round robin algorithm, requests are distributed across origin servers in turn based on the weight you assign to each origin server. For details, see Modifying the Load Balancing Algorithm.
- If you select the source IP hash or session hash algorithm, the weight only determines whether traffic is distributed. To distribute traffic, enter 0 for Weight. Otherwise, enter any other numbers for Weight. For details, see Modifying the Load Balancing Algorithm.
- Weight range: 0 to 65,536. A larger weight indicates more requests distributed to the server.
- If the weight is set to 0, the origin server will not accept new requests if multiple origin servers are configured. If only one origin server is configured, all requests are distributed to the origin server.
- Client Protocol: HTTP
- Server Protocol: HTTP
- Server Address: XXX.XXX.1.1
- Server Port: 80
Certificate
If you select HTTPS for Client Protocol, you need to select the certificate associated with the website. International websites are supported.
- Each domain name must correspond to a certificate. A wildcard domain name can only be used for a wildcard domain certificate. If you only have single-domain certificates, you need to add domain names to WAF one by one.
- If your website certificate is about to expire, purchase a new certificate before the expiration date and update the certificate associated with the website in WAF.
WAF can send notifications if a certificate expires. You can configure such notifications on the Notifications page. For details, see Enabling Alarm Notifications.
You can import a new certificate, select an existing certificate, or select an SCM certificate.
- Importing a certificate: If you have not created a certificate, click Import New Certificate. In the Import New Certificate dialog box, set certificate parameters. For more details, see Uploading a Certificate.
Only .pem certificates can be used in WAF. If the certificate is not in PEM format, convert it into PEM first. For details, see How Do I Convert a Certificate into PEM Format?
The newly imported certificates will be listed on the Certificates page as well.
- Selecting an existing certificate: If you have created a certificate in WAF, click the drop-down arrow, select Existing certificates, and select a correct and valid certificate from the list.
- Selecting an SCM certificate: If you have used a CCM certificate under the same account, you can select an SSL certificate from the drop-down list. The name of the SSL certificate you select must be the same as that in CCM.
- Currently, certificates purchased in Huawei Cloud SCM can be pushed only to the default enterprise project. For other enterprise projects, SSL certificates pushed by SCM cannot be used.
- A record is automatically generated for the selected SSL certificate on the Certificates page. You can change the certificate name on this page, but the certificate name displayed in CCM will not be changed accordingly.
- Specify Minimum TLS Version and Cipher Suite.
After selecting a certificate, you need to select the minimum TLS version and cipher suite. For more details, see Configuring PCI DSS/3DS Compliance Check and TLS.
- Minimum TLS version: TLS v1.0
- Cipher suite: Security cipher suite
Use Layer-7 Proxy
Check whether a layer-7 proxy is used before WAF. Layer-7 proxies include web proxy products, such as anti-DDoS (layer-7 proxy), CDN, and other cloud acceleration services.
- Yes: Web proxy products, such as anti-DDoS (layer-7 proxy), CDN, and other cloud acceleration services have been deployed before WAF.
- If your website has a layer-7 proxy configured, WAF reads the real client IP address from the related fields in the header. If you deploy AAD before WAF for your website, to let WAF obtain the real IP address of the client, you need to set IP Tag to $remote_addr in the Traffic Identifier area on the basic information page for the protected domain name. For details, see Configuring a Traffic Identifier for a Known Attack Source.
- WAF cannot be switched to the Bypassed mode if a proxy is used before WAF. For more details, see Changing the Protection Mode.
- No: No layer-7 proxies are used.
No
- Complete Advanced Settings.
Figure 3 Advanced Settings
Table 2 Advanced settings
Parameter
Description
Example Value
Load Balancing Algorithm
If there are multiple origin server addresses, you need to select a load balancing algorithm for the origin servers so that WAF can forward requests to the corresponding server. For details, see Modifying the Load Balancing Algorithm.
WAF supports the following algorithms:
- Origin server IP hash: Requests from the same IP address are routed to the same backend server.
- Weighted round robin: All requests are distributed across origin servers in turn based on weights set to each origin server. The origin server with a larger weight receives more requests than others.
- Session hash: Requests with the same session tag are routed to the same origin server. To enable this algorithm, configure traffic identifiers for known attack sources, or Session hash algorithm cannot take effect.
Weighted round robin
IPv6 Protection
If the domain name is accessible using an IPv6 address, enable IPv6 Protection. After you enable it, WAF assigns an IPv6 address to the domain name. For more details, see Enabling IPv6 Protection.
- If you select IPv6 for Server Address, IPv6 Protection will be enabled by default.
If the origin server uses IPv6 addresses, IPv6 protection is enabled by default. To prevent IPv6 service from interruption, keep the IPv6 protection enabled. If IPv6 protection is not needed, edit the server configuration and delete IPv6 configuration from the origin server first. For details, see Editing Server Information.
- If you select IPv4 for Server Address and enable IPv6 Protection, WAF will assign an IPv6 address to the domain name so that the website is accessible over the IPv6 address. In this way, requests to the IPv6 address are routed by WAF to the IPv4 address of the origin server. For details, see How Does WAF Forward Traffic to an IPv6 Origin Server?
NOTE:
Only professional and enterprise editions support IPv6 protection.
Enabled
HTTP/2
HTTP/2 cannot be configured unless you set Client Protocol to HTTPS for at least one origin server address record in Server Configuration.
HTTP/2 is only used for communication between clients and WAF. You can enable this function if your website needs to support HTTP/2 access. After HTTP/2 is enabled, ensure that the client supports TLS 1.2. Otherwise, HTTP/2 does not take effect.
NOTE:
Only the professional and enterprise editions support HTTP/2.
Use
Policy
Select the protection policy you want to use for the website.
- System-generated policy (default): For details, see Table 3. If the number of added protection policies reaches the quota, this option will be grayed out.
- Custom protection policy: a policy you create based on your security requirements. For more details, see Configuring a Protection Policy.
NOTE:
Only professional and enterprise editions allow you to specify a custom policy.
System-generated policy
Table 3 Parameters for system-generated policies
Edition
Policy
Description
Standard
Basic Web Protection: General Check is enabled by default.
- Rule Set: Default rule set (medium) is selected.
- Protective Action: Log only. Then, WAF only logs detected attacks but does not block them.
The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections.
Professional/Enterprise edition
Basic Web Protection: General Check is enabled by default.
- Rule Set: Default rule set (medium) is selected.
- Protective Action: Log only. Then, WAF only logs detected attacks but does not block them.
The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections.
Anti-Crawler: By default, Scanner detection is enabled, and Protective Action is set to Log only. WAF only logs detected attacks but does not block them.
WAF only logs web scanning tasks, such as vulnerability scanning and virus scanning, for example the crawling behavior of OpenVAS and Nmap.
- Click Next and complete the following operations as prompted in Test WAF:
Figure 4 Domain name added
Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server
A back-to-source IP address is a source IP address used by WAF to forward client requests to origin servers. To origin servers, all web requests come from WAF, and all source IP addresses are WAF back-to-source IP addresses. The real client IP address is encapsulated into the HTTP X-Forwarded-For (XFF) header field.
If the origin server is protected by other firewalls, network ACLs, security groups, or antivirus software, they are likely to block WAF back-to-source IP addresses as malicious ones. So, you need to configure an access control policy on your origin server to allow only WAF back-to-source IP addresses to access the origin server over any ports. This prevents hackers from bypassing WAF to attack origin servers.

- There will be more WAF IP addresses due to scale-out or new clusters. For your legacy domain names, WAF IP addresses usually fall into several class C IP addresses (192.0.0.0 to 223.255.255.255) of two to four clusters.
- Generally, these IP addresses do not change unless clusters in use are changed due to DR switchovers or other scheduling switchovers. Even when a WAF cluster is switched over in the background, WAF checks the security group configuration on the origin server to prevent service interruptions.
- Obtain WAF back-to-source IP addresses.
After completing Step 1. Add Your Domain Name to WAF, expand Step 1: (Optional) Whitelist WAF back-to-source IP addresses and click the copy icon to copy all back-to-source IP addresses. Alternatively, go to the Website Settings page, locate the target domain name, and click Whitelist WAF in the Access Status column. Then, click the copy icon to copy all back-to-source IP addresses.
Figure 5 Copying the back-to-source IP addresses
- Open the security software on the origin server and add the copied IP addresses to the whitelist.
- If origin servers are deployed on ECSs, see Whitelisting WAF Back-to-Source IP Addresses on Origin Servers That Are Deployed on ECSs.
- If origin servers are added to backend servers of an ELB load balancer, see Whitelisting WAF Back-to-Source IP Addresses on Origin Servers That Use Load Balancers.
- If you also use Cloud Firewall (CFW) on Huawei Cloud, refer to Adding a Protection Rule.
- If your website is deployed on servers on other cloud vendors, whitelist the WAF back-to-source IP addresses in the corresponding security group and access control rules.
- If only personal antivirus software is installed on the origin server, the software does not have an interface for whitelisting IP addresses. If the origin server provides external web services, install enterprise security software on the server or use Huawei Cloud Host Security Service (HSS) for it. These products identify the sockets of some IP addresses with a large number of requests and occasionally disconnect the connections. Generally, the IP addresses of WAF are not blocked.
- After the preceding operations are complete, click Finished.
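The allow-only-WAF rule and the X-Forwarded-For handling described in this step can be checked against the origin's own access log. The following is an added example, not part of the Huawei Cloud documentation: the address ranges are constructed placeholders from documentation networks, the log format is assumed, and it assumes WAF appends the address it received the request from as the last X-Forwarded-For entry.

```python
import ipaddress
import re

# Constructed placeholder ranges (documentation networks). Replace them with the
# back-to-source IP addresses copied from the WAF console.
WAF_BACK_TO_SOURCE = "198.51.100.0/24, 203.0.113.16/28"

# Constructed log lines in an assumed format: <peer> "<X-Forwarded-For>" "<request>"
SAMPLE_LOG = '''\
198.51.100.7 "192.0.2.10" "GET / HTTP/1.1"
203.0.113.20 "10.9.9.9, 192.0.2.44" "GET /login HTTP/1.1"
192.0.2.99 "198.51.100.7" "GET /admin HTTP/1.1"
203.0.113.40 "-" "GET / HTTP/1.1"
'''

LINE_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)"$')


def parse_networks(text):
    """Parse a comma- or whitespace-separated list of IPs/CIDRs into networks."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in text.replace(",", " ").split()]


def is_trusted(addr, networks):
    """True if addr lies inside one of the WAF back-to-source networks."""
    ip = ipaddress.ip_address(addr.strip())
    return any(ip in net for net in networks)


def client_ip(peer, xff, networks):
    """Return the address a request should be attributed to.

    X-Forwarded-For is believed only when the TCP peer is a WAF back-to-source
    address. The header is walked right to left, so entries a client placed in
    front of the one WAF appended are never trusted.
    """
    if not is_trusted(peer, networks):
        return peer  # direct connection: the header is attacker-controlled
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, networks):
                return hop
        except ValueError:
            break  # malformed entry: fall back to the peer address
    return peer


def audit(log_text, networks):
    """Classify each log line as arriving via WAF or directly at the origin."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        peer, xff, request = match.groups()
        try:
            via_waf = is_trusted(peer, networks)
        except ValueError:
            continue  # peer field is not an IP address
        findings.append({
            "peer": peer,
            "via_waf": via_waf,
            "client": client_ip(peer, xff, networks),
            "request": request,
        })
    return findings


def bypass_attempts(findings):
    """Requests that reached the origin without passing through WAF."""
    return [f for f in findings if not f["via_waf"]]


if __name__ == "__main__":
    nets = parse_networks(WAF_BACK_TO_SOURCE)
    for f in audit(SAMPLE_LOG, nets):
        tag = "via WAF" if f["via_waf"] else "DIRECT "
        print(f"{tag} peer={f['peer']} client={f['client']} {f['request']}")
```

Any line reported as direct means the access control policy on the origin still admits sources other than the WAF back-to-source addresses.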
Step 3: Test WAF
After adding a domain name to WAF and whitelisting WAF back-to-source IP addresses, you still need to point the domain name resolution to the IP address of WAF. To this end, you need to modify the hosts file on the local computer and configure domain name resolution mappings, which are DNS resolution records that take effect only on the local computer. After that, access the protected domain name through the local computer to check whether access settings of the domain name are valid. This prevents website access exceptions caused by abnormal domain name access configuration.

Before performing this operation, ensure that:
- The protocol, address, and port used by the origin server are correctly configured when adding a domain name to WAF (for example, www.example.com). If you set Client Protocol to HTTPS, ensure that the uploaded certificate and private key are correct.
- Operations in Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server have been finished.
- Obtain the CNAME record.
- Method 1: After Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server is complete, expand Step 2: Test WAF and copy the CNAME record on the displayed page. Alternatively, go to the Website Settings page, locate the target domain name, and click Test WAF in the Access Status column. On the page displayed, copy the CNAME record.
- Method 2: On the Website Settings page, click the target domain name. On the basic information page displayed, click the copy icon in the CNAME row to copy the CNAME record.
- Ping the CNAME record and record the corresponding IP address.
Use www.example.com as an example. The WAF CNAME record is xxxxxxxdc1b71f718f233caf77.waf.huaweicloud.com.
Open cmd in Windows or bash in Linux and run the ping xxxxxxxdc1b71f718f233caf77.waf.huaweicloud.com command to obtain the WAF access IP addresses. As shown in Figure 6, the WAF access IP address is displayed. If no WAF access IP addresses are returned after you ping the CNAME record, your network may be unstable. You can ping the CNAME record again when your network is stable.
- Add the domain name and WAF access IP addresses pointed to CNAME to the hosts file.
- Use a text editor to edit the hosts file. The location of the hosts file is as follows:
- Windows: C:\Windows\System32\drivers\etc\hosts
- Linux: /etc/hosts
- Add a record like Figure 7 to the hosts file. The IP address is the WAF access IP address obtained in 2 and the domain name is the protected domain name.
- Save the changes and then test the connectivity of the protected domain name through the CLI.
Figure 8 Pinging the domain name
It is expected that the resolved IP address is the access IP address of WAF obtained in 3.b. If the origin server address is returned, refresh the local DNS cache. (Run ipconfig /flushdns in Windows cmd, or resolvectl flush-caches in Bash on Linux systems that use systemd-resolved.)
- Verify the access.
- Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.
If the domain name has been resolved to WAF back-to-source IP addresses and WAF configurations are correct, the website is accessible.
- Simulate simple web attack commands.
- Set the mode of Basic Web Protection to Block. For details, see Enabling Basic Web Protection.
- Clear the browser cache, enter the test domain name in the address bar, and check whether WAF blocks the simulated SQL injection attack against the domain name.
Figure 9 Request blocked
- In the navigation pane on the left, choose Events to view test data.
- Verify that the preceding steps are complete and click Finished.
Step 4: Modify the DNS Records of the Domain Name
After a domain name is added to WAF, WAF functions as a reverse proxy between the client and server. The real IP address of the server is hidden, and only the IP address of WAF is visible to web visitors. You must point the DNS resolution of the domain name to the CNAME record provided by WAF. In this way, access requests can be resolved to WAF. After your website connectivity with WAF is tested locally, you can go to the DNS platform hosting your domain name and resolve the domain name to WAF. Then WAF protection can work.

Before modifying the DNS records of a domain name, ensure that:
- Operations in Step 1. Add Your Domain Name to WAF, Step 2: Whitelist Back-to-Source IP Addresses on Your Origin Server, and Step 3: Test WAF have been completed.
- You have the permission to modify domain name resolution settings on the DNS platform hosting your domain name.
- Obtain the CNAME record of WAF.
- Method 1: After Step 3: Test WAF is complete, expand Step 3: Change DNS Resolution, and copy the CNAME record on the displayed page. Alternatively, go to the Website Settings page, locate the target domain name, and click Modify DNS in the Access Status column. Then, copy the CNAME record on the page displayed.
Figure 10 Obtaining WAF CNAME record (1)
- Method 2: On the Website Settings page, click the target domain name. On the basic information page displayed, click the copy icon in the CNAME row to copy the CNAME record.
Figure 11 Obtaining WAF CNAME record (2)
- Change the DNS records of the domain name to the WAF CNAME record.
Configure the CNAME record at your DNS provider. For details, contact your DNS provider.
The following uses Huawei Cloud DNS as an example to show how to configure a CNAME record. The following configuration is for reference only.
- Click
in the upper left corner of the page and choose .
- In the navigation pane on the left, choose Public Zones.
- In the Operation column of the target domain name, click Manage Record Set. The Record Sets tab page is displayed.
Figure 12 Record sets
- In the row containing the desired record set, click Modify in the Operation column.
- In the displayed Modify Record Set dialog box, change the record value.
Figure 13 Modify Record Set
Table 4 Modify Record Set
Parameter
Description
Example Value
Type
Record set type. The record set type is CNAME.
- The CNAME record must be unique for the same host record. You need to change the existing CNAME record of your domain name to WAF CNAME record.
- Record sets of different types in the same zone may conflict with each other.
For example, for the same host record, the CNAME record conflicts with other records such as A record, MX record, and TXT record.
If the record type cannot be directly changed, you can delete the conflicting records and add a CNAME record. Deleting other records and adding a CNAME record should be completed in as short time as possible. If no CNAME record is added after the A record is deleted, domain resolution may fail.
- For details about the restrictions on domain name resolution types, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?
CNAME
Name
Prefix of the domain name to be resolved. By default, this parameter is left blank.
For example, if the domain name is example.com, its prefix can be:
- www: used for website resolution. The domain name to be resolved is www.example.com.
- Left blank: used for website resolution. The domain name to be resolved is example.com.
If the host record is left blank, it can also be used to add resolution for the empty domain name @.
- abc: used for subdomain name resolution. The domain name to be resolved is abc.example.com, which is a sub domain name of example.com.
- mail: used for email address resolution. The domain name to be resolved is mail.example.com.
- *: used for wildcard resolution. The domain name to be resolved is *.example.com, which matches all subdomain names of example.com.
www
Line
Resolution line. The DNS server will return the IP address of the specified line, depending on where the visitor comes from. The default value is Default.
Default
TTL (s)
The length of time (in seconds) for which a local DNS server caches a record set. Default value: 300. Value range: 1 to 2147483647.
If your service address changes frequently, set a smaller TTL. Otherwise, set a larger value.
300
Value
Enter the alias to which you want to point. Only one domain name can be entered. In this case, enter the WAF CNAME address copied in 1.
Do not set the protected domain name to the IP address corresponding to the CNAME record.
xxxxxxxdc1b71f718f233caf77.waf.huaweicloud.com
Advanced Settings (Optional)
Configure the alias, weight, and description of the record set. Retain the default value.
--
- Click OK.
Check the record you just added in the record set list. When the status changes to Normal, the record set has been modified.
- Obtain the CNAME record of WAF.
- Method 1: After Step 3: Test WAF is complete, click Step 3: Change the back-to-source IP address of the proxy. On the displayed page, copy the CNAME record. Alternatively, go to the Website Settings page, click Change Proxy IP Address in the Access Status column, and copy the CNAME record on the displayed page.
Figure 14 Obtaining WAF CNAME record (1)
- Method 2: On the Website Settings page, click the target domain name. On the basic information page displayed, click the copy icon in the CNAME row to copy the CNAME record.
Figure 15 Obtaining WAF CNAME record (2)
- Make sure the domain name has been pointed to the proxy and change the back-to-source IP address of the used proxy, such as anti-DDoS and CDN services, to the copied CNAME record.
To prevent other users from configuring your domain names on WAF in advance (this will cause interference on your domain name protection), add the subdomain name and TXT record on your DNS management platform.
- Obtain the subdomain name and TXT record: On the top of the domain name basic information page, click the icon next to Inaccessible. In the dialog box displayed, copy the subdomain name and TXT record.
- Add Subdomain Name at the DNS provider and configure TXT Record for the subdomain name. For details about the configuration method, see What Are Impacts If No Subdomain Name and TXT Record Are Configured?
WAF determines which user owns the domain name based on the configured Subdomain Name and TXT Record.
Configuration verification
After completing the preceding configurations, you need to check the CNAME record of the domain name.
- In Windows, choose Start > Run. Then enter cmd and press Enter.
- Run a nslookup command to query the CNAME record.
If the configured CNAME record is returned, the configuration is successful. An example command response is displayed in Figure 16.
Using www.example.com as an example, the output is as follows:
nslookup www.example.com
- After the preceding steps are complete, select Finished.
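The record-set rules from Table 4 can be checked before the DNS change is submitted. The following added example (not part of the Huawei Cloud documentation) validates a planned record set for the protected host record; the record data and the origin address are constructed, and the final check for records that still point at the origin server goes beyond what this page describes.

```python
import ipaddress

# Example CNAME value used on this page.
WAF_CNAME = "xxxxxxxdc1b71f718f233caf77.waf.huaweicloud.com"

# Constructed origin address (documentation network).
ORIGIN_IPS = ["192.0.2.10"]

# Constructed planned record sets for the zone example.com.
PLANNED_BAD = [
    {"name": "www", "type": "A", "value": "192.0.2.10"},        # old record not deleted
    {"name": "www", "type": "CNAME", "value": "198.51.100.7"},  # IP pasted instead of the CNAME
    {"name": "dev", "type": "A", "value": "192.0.2.10"},        # still reveals the origin
]
PLANNED_GOOD = [
    {"name": "www", "type": "CNAME", "value": WAF_CNAME + "."},
    {"name": "mail", "type": "MX", "value": "10 mx.example.net."},
]


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def fqdn(host, zone):
    """Expand a host record to a full name; '' or '@' is the zone apex."""
    host = host.strip()
    return norm(zone) if host in ("", "@") else norm(f"{host}.{zone}")


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def check_cutover(records, zone, host, waf_cname, origin_ips):
    """Return a list of problem codes for the planned record sets."""
    target = fqdn(host, zone)
    origin = {ipaddress.ip_address(ip) for ip in origin_ips}
    problems = []

    at_host = [r for r in records if fqdn(r["name"], zone) == target]
    cnames = [r for r in at_host if r["type"] == "CNAME"]

    # The CNAME record must be unique for the same host record.
    if len(cnames) != 1:
        problems.append(f"cname-count:{len(cnames)}")

    # The value must be the WAF CNAME, never the IP address behind it.
    for rec in cnames:
        if is_ip(rec["value"]):
            problems.append("cname-is-ip")
        elif norm(rec["value"]) != norm(waf_cname):
            problems.append("cname-not-waf")

    # Other record types on the same host record conflict with the CNAME.
    for rtype in sorted({r["type"] for r in at_host if r["type"] != "CNAME"}):
        problems.append(f"conflict:{rtype}")

    # Beyond the page: any address record in the zone that still points at the
    # origin server exposes the address WAF is meant to hide.
    for rec in records:
        if rec["type"] in ("A", "AAAA") and is_ip(rec["value"]):
            if ipaddress.ip_address(rec["value"].strip()) in origin:
                problems.append(f"origin-exposed:{fqdn(rec['name'], zone)}")
    return problems


if __name__ == "__main__":
    for label, plan in (("bad", PLANNED_BAD), ("good", PLANNED_GOOD)):
        result = check_cutover(plan, "example.com", "www", WAF_CNAME, ORIGIN_IPS)
        print(label, result or "OK")
```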
Step 5: Verify Website Access
- Checking the access status
After the preceding configurations are complete, WAF automatically checks the access status of new or updated domain names every 30 minutes based on the following conditions:
- Check whether a CNAME record or TXT record is configured for the website domain name if proxies are used.
- Check whether the website has traffic. Traffic is detected only if there are at least 20 requests to the website within 5 minutes.
If the domain name was created more than two weeks ago and has not been modified in the past two weeks, you can click the icon in the Access Status column to manually refresh the access status.
Figure 17 shows the logic for checking the access status.
Access status description:
- Inaccessible: No CNAME or TXT record has been configured for the domain name, and no traffic passes through the domain name. You can allow the back-to-source IP addresses, test WAF, or modify the DNS resolution based on the access status. If the domain name is still Inaccessible after you manually refresh the access status, connect the domain name to WAF again by referring to Why Is My Domain Name or IP Address Inaccessible?
- Accessible: The domain name has been connected to WAF. A CNAME record or a TXT record has been configured for the domain name, and the website has traffic.
- DNS error: The website domain name has a TXT record, but the website does not have traffic. You can access the website more than 20 times within 5 minutes, manually refresh the access status, and check whether the access status is updated to Accessible.
- Protection Verification
Simulate simple web attack commands and check whether WAF protection takes effect.
Follow-up Operations
- (Optional) Recommended Configurations After Website Connection: After a domain name is connected to WAF, you need to configure security settings as required.
- Configuring Protection Policies: If default protection rules cannot meet your website security requirements, you can configure custom protection rules.
- Querying a Protection Event: View website protection details.
FAQs
- What Can I Do If the Message "Illegal server address" Is Displayed When I Add a Domain Name?
- Why Am I Seeing the "Someone else has already added this domain name. Please confirm that the domain name belongs to you" Error Message?
- Why Cannot I Select an SCM Certificate When Adding a Domain Name to WAF?
- How Do I Troubleshoot 404/502/504 Errors?
- Why Does the Requested Page Respond Slowly After My Website Is Connected to WAF?
- What Can I Do If Files Cannot Be Uploaded After a Website Is Connected to WAF?
- Why Cannot the Protection Mode Be Enabled After a Domain Name Is Connected to WAF?