tencent cloud

Cloud Load Balancer

Release Notes and Announcements
CLB Release Notes
Product Announcements
Product Introduction
Overview
Strengths
Use Cases
Principles
Product Comparison
Use Limits
Service Regions and Service Providers
Purchase Guide
Billing Overview
Billing
CLB Resource Package
Purchase Methods
Payment Overdue
Product Attribute Selection
Getting Started
Getting Started with Domain Name-Based CLB
Getting Started with CLB
Getting Started with IPv6 CLB
Deploying Nginx on CentOS
Deploying Java Web on CentOS
Operation Guide
CLB Instance
CLB Listener
Real Server
Health Check
Certificate Management
Log Management
Monitoring and Alarm
Cloud Access Management
Classic CLB
Practical Tutorial
Deploy certificate to CLB (mutual authentication)
Enabling Gzip Compression & Testing
HTTPS Forwarding Configurations
Obtaining Real Client IPs
Best Practices for Configuring Load Balancing Monitoring Alerts
Implementing HA Across Multiple AZs
Load Balancing Algorithm Selection and Weight Configuration Examples
Configuring WAF protection for CLB listening domain names
Configure IAP to authenticate web access to the CLB domain and path
Configure IAP to authenticate programmatic access to CLB's domain and path
Ops Guide
Solution to Excessive Clients in TIME_WAIT Status
Load Balancer HTTPS Service Performance Test
Stress Testing FAQ
CLB Certificate Operation Permissions
Troubleshooting
UDP Health Check Exception
API Documentation
History
Introduction
API Category
Instance APIs
Listener APIs
Backend Service APIs
Target Group APIs
Redirection APIs
Other APIs
Classic CLB APIs
Load Balancing APIs
Making API Requests
Data Types
Error Codes
CLB API 2017
FAQs
Billing
CLB Configuration
Troubleshooting Health Check Issues
HTTPS
WS/WSS Protocol Support
HTTP/2 Protocol Support
Default Domain Name Blocking Prompt
Service Level Agreement
Contact Us
Glossary
DocumentationCloud Load BalancerPractical TutorialConfiguring WAF protection for CLB listening domain names

Configuring WAF protection for CLB listening domain names

PDF
Focus Mode
Font Size
Last updated: 2024-01-04 14:39:00
By binding domain names with CLB listeners, CLB Web Application Firewall (WAF) can detect and block the HTTP or HTTPS traffic passing through CLB listeners. This document describes how to use CLB WAF to apply Web security protection for the domain names added to CLB.

Prerequisites

You have created an HTTP or HTTPS listener, and the domain name can be accessed. For more information, see Getting Started with CLB.
You have purchased the CLB WAF service. For more information, see Purchase Guide.

Directions

Step 1: Confirm the CLB domain name configuration

This document takes the domain name www.example.com as an example.
1. Log in to the CLB console and click Instance management in the left sidebar.
2. On the Instance management page, select the instance region and then click Configure listener on the right of the target instance.
3. Select the Listener management tab, in the HTTP/HTTPS listener section, click the + icon on the left of the target listener to see the domain name details.

4. Check the CLB domain name configuration and make sure the configuration is as follows: CLB instance ID: lb-f8lm****; listener name: http-test; domain name: www.example.com; domain name protection status: Not Enabled (the ID, name, and domain name are subject to actual cases).

Step 2: Add a domain name in the WAF console and bind it to a CLB instance

To apply protection to a domain name with the CLB WAF service, you need to add a CLB-listening domain name in WAF and bind it with a CLB listener.
1. Log in to the WAF console, and choose Web Application Firewall > Defense Settings in the left sidebar.
2. Select the CLB tab.
3. Click Add domain name.

4. Enter the domain name, and click Next.

5. Select your CLB region, select the CLB instance confirmed in Step 1: Confirm the CLB domain name configuration, and click Select a listener.

6. In the pop-up window, select the CLB listener confirmed in Step 1: Confirm the CLB domain name configuration and click OK.

7. Return to the Select a listener tab and click Complete.
8. Return to the Domain name list page, check the domain name, region, ID of the bound CLB instance, bound listener, and other information.

Step 3: Verify the result

1. Follow the directions in Step 1: Confirm the CLB domain name configuration to check whether Domain name protection is Enabled and whether Traffic mode is Traffic mirroring mode on the Listener management tab. If so, domain name protection is enabled.
If you have not configured DNS resolution for your domain name, see Step 2. Perform Local Testing to verify if WAF protection takes effect.
If you have configured DNS resolution for your domain name, follow the directions below to verify if WAF protection takes effect.
2. Visit http://www.example.com/?test=alert(123) via a browser.
3. Log in to the WAF console, and choose Attack Logs in the left sidebar.
4. On the Log Query tab, select the protected domain name www.example.com, and then click Search. WAF protection takes effect on the domain name configured in CLB if there are XSS attack logs in the log list.
Previous Topic: Load Balancing Algorithm Selection and Weight Configuration ExamplesNext Topic: Configure IAP to authenticate web access to the CLB domain and path

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback