Configuring WAF protection for CLB listening domain names

Last updated: 2020-12-10 16:46:53

    Once a domain name is bound to a CLB listener, CLB Web Application Firewall (WAF) can detect and block the HTTP or HTTPS traffic passing through that listener. This document describes how to use CLB WAF to apply web security protection to the domain names added to CLB.

    Prerequisites

    • CLB WAF is currently in beta. To try it out, please Submit an Application.
    • You have successfully created an HTTP or HTTPS listener, and the domain name can be accessed. For more information, please see Getting Started with CLB.
    • You have successfully purchased the CLB WAF service. For more information, please see Purchase Guide.

    Limits

    Currently, only IPv4 CLB instances support CLB WAF protection. This feature is not available for IPv6 or NAT64.

    Directions

    Step 1: Confirm the CLB domain name configuration

    This document takes the domain name www.example.com as an example.

    1. Log in to the CLB console and click CLB Instance List on the left sidebar to enter the Instance Management page.
    2. Select the instance region and then click Configure Listener on the right of the target instance.
    3. Select the Listener Management tab. In the HTTP/HTTPS Listener section, click the + icon on the left of the target listener to see the domain name details.
    4. Check that the CLB domain name configuration matches the following: CLB instance ID: lb-f8lm****; listener name: http-test; domain name: www.example.com; domain name protection status: Not Enabled (your actual ID, name, and domain name will differ).

    Step 2: Add a domain name in the WAF console and bind it to a CLB instance

    To protect a domain name with the CLB WAF service, you need to add the CLB-listening domain name in WAF and bind it to a CLB listener.

    1. Log in to the WAF console, and select Web Application Firewall -> Defense Settings on the left sidebar.
    2. Select the CLB tab.
    3. Click Add Domains.
    4. Enter the domain name, and click Next.
    5. Select your CLB region, then the domain name from "Step 1: Confirm the CLB domain name configuration", and click Select a Listener.
    6. In the pop-up window, select the CLB listener from "Step 1: Confirm the CLB domain name configuration", and then click Confirm.
    7. Click Confirm in the Select a Listener step to finish binding the domain name to the CLB listener in WAF.
    8. Return to the Domain List page and check the domain name, region, bound CLB instance ID, listener, and other information.

    Step 3: Verify the result

    1. Follow the directions in "Step 1: Confirm the CLB domain name configuration" to check the domain name. Protection is enabled if the domain name protection status is Enabled and the traffic mode is Mirror.
      • If you have not configured DNS resolution for your domain name, please see Step 2. Perform Local Testing to verify whether WAF protection is enabled.
      • If you have configured DNS resolution for your domain name, follow the directions below to verify whether WAF protection is enabled.
    2. Visit http://www.example.com/?test=alert(123) via a browser.
    3. Log in to the WAF console, and then select Log Services -> Attack Log on the left sidebar.
    4. Select the Log Search tab, select the protected domain name you added (www.example.com), and then click Search. WAF protection for the domain name configured in CLB is effective if there are XSS Attack logs in the log list.
