Web Application Firewall

Step 1: Add Domain

Last updated: 2026-04-21 14:48:23
Before using Web Application Firewall (WAF) to protect your web services, you need to add the website to be protected to WAF. Your WAF protection will not take effect until the website is added. This document guides you through how to add a domain name in SaaS WAF.

Prerequisites

You have purchased a SaaS type WAF instance. For details, please go to WAF purchase page.
If the origin server domains being added are located in the Chinese mainland, the business content of the origin server must comply with laws and MIIT filing must be completed. For specific filing requirements, please refer to requirements for domains added to WAF.

Operation Steps

1. Log in to WAF console, and select the region where the instance is located (Chinese mainland/non-Chinese mainland) at the top of the left sidebar.
2. In the left sidebar, choose Connection Management > Domain Onboarding.
3. On the Domain Onboarding page, click Add domain to go to the Add domain page.
4. Configure the relevant basic parameters on the Add domain page.

Field descriptions:

Associated Instance: Select the SaaS type, then select the specific instance required on the right side.

Domain name: Enter the domain name to be protected in the input box.
  Note:
  1. Domain name format requirements: standard domain names (such as example.com, a.b.example.com) are supported. A single domain name access configuration applies only to that specific domain.
  2. Wildcard domain name format requirements: under the same account, both exact domain names (such as a.path.example.com) and wildcard domain names (such as *.path.example.com) can be added. The system prioritizes matching policies with higher specificity. Domains under the same wildcard domain name cannot be added across different accounts.

Server Configuration: Select the protocol and port based on actual conditions. To add more ports, see Access Related Ports.
  - HTTP: Enter the corresponding port.
  - HTTPS: After entering the port, configure the associated certificate, HTTPS forced redirect, and HTTPS origin-pull method.
    - General Certificate Configuration: When the HTTPS protocol is enabled, you need to configure the SSL certificate associated with the website domain in WAF so that WAF can monitor and protect the domain's HTTPS traffic. Click Associate with General Certificate and choose one of the following two methods for certificate configuration:
      - Tencent Cloud-managed certificate: Select a certificate uploaded to SSL Certificates Management for association. This method is recommended, as certificates can be automatically renewed upon expiration.
      - Uploading Self-Owned Standard Certificate: Paste the certificate content directly or upload certificate files. PEM-encoded certificate and private key files must be prepared before uploading.
      Note:
      - It is recommended to use Tencent Cloud Certificate Service to manage certificates for centralized management and automatic renewal.
      - When using third-party issued certificates, you need to monitor the expiration date and update them promptly to avoid service disruptions due to expired certificates.
    - SM Certificate Configuration: If a website needs to support the SM2 algorithm, you need to upload an SM certificate. SM certificates and regular certificates can be active at the same time. This feature is only supported in the Enterprise edition and above. Click Associate with SM Certificate and choose one of the following two methods to configure the certificate:
      - SM Certificate Managed by Tencent Cloud: Select an SM certificate uploaded to SSL Certificates Management for association. This method is recommended, as certificates can be automatically renewed upon expiration.
      - Upload Self-Owned State Secret Certificate: Paste the certificate content directly or upload certificate files. The PEM-encoded certificate file, private key file, encryption certificate file, and encryption key must be prepared before uploading.
    - Force HTTPS redirect: To enable Force HTTPS redirect, you must select both HTTP and HTTPS access protocols.
    - HTTPS forwarding method:
      - HTTP: The origin-pull port can be configured.
      - HTTPS: The origin-pull port can be configured.
    - Origin-pull SNI switch: After enabling this switch, you can set the host method to keep the Original host, change to the Origin host, or use a Specified host.

Use proxy: Based on actual business needs, select whether proxy services such as Anti-DDoS, CDN, or Cloud Acceleration are used.
  - If you select No: Requests received by WAF come directly from clients. WAF uses the IP address that establishes the connection with WAF as the client IP address.
  - If you select Yes: Requests received by WAF come from other layer-7 proxy services. To ensure the real client IP address is obtained for security analysis, the client IP address determination method needs to be configured:
    - First IP in X-Forwarded-For
    - Network layer remote_ip (prevent XFF forgery)
    - IP in the specified header
  Note:
  It is recommended to use a custom Header to store the client IP address in business operations and configure the corresponding Header field in WAF. This approach prevents attackers from forging XFF fields to bypass WAF protection rules, and enhances business security.

Origin address: Select IP or Domain name based on actual requirements:
  - IP: Enter the origin server IPv4 or IPv6 addresses. Separate multiple addresses with line breaks. Up to 50 entries are supported.
  - Domain name: Enter the origin server domain name.
  Note:
  The origin server domain cannot be the same as the protected domain.

Load balancing policy: RR, IP Hash, and weighted RR policies are supported. When two or more origin server IP addresses are configured, the weighted RR policy can be selected; RR is used by default.
5. Click OK to save.
6. After completing the configuration, you can view the newly added domain name in the domain list. The current page shows that the CNAME record is not configured. You need to perform Local Verification Test before Modifying DNS Resolution.
Note:
Web Application Firewall (WAF) assigns a unique CNAME to each domain name added to WAF, regardless of whether it is a primary or secondary domain.
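
The three client IP determination methods listed under Use proxy, compared on one request. This is an added example, not Tencent Cloud code. It assumes an upstream layer-7 proxy that appends the peer address to X-Forwarded-For and overwrites a custom header; the header name X-Client-Real-IP, the addresses, and the fallback behaviour are constructed for illustration.

```python
import ipaddress

REAL_IP_HEADER = "X-Client-Real-IP"  # hypothetical custom header name

def proxy_forward(peer_ip, client_headers):
    """Assumed layer-7 proxy: appends the peer to X-Forwarded-For and
    overwrites the custom header, discarding any client-supplied copy."""
    out = {k: v for k, v in client_headers.items()
           if k.lower() != REAL_IP_HEADER.lower()}
    xff_key = next((k for k in out if k.lower() == "x-forwarded-for"), None)
    if xff_key:
        out[xff_key] = out[xff_key] + ", " + peer_ip
    else:
        out["X-Forwarded-For"] = peer_ip
    out[REAL_IP_HEADER] = peer_ip
    return out

def client_ip(remote_ip, headers, method, header_name=REAL_IP_HEADER):
    """Pick the client IP using one of the three methods from the console."""
    h = {k.lower(): v for k, v in headers.items()}
    if method == "xff_first":
        raw = h.get("x-forwarded-for", "").split(",")[0].strip()
    elif method == "remote_ip":
        raw = remote_ip
    elif method == "header":
        raw = h.get(header_name.lower(), "").strip()
    else:
        raise ValueError(f"unknown method: {method}")
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        # Missing or malformed value: fall back to the connection address
        # (a choice made for this sketch, not documented WAF behaviour).
        return remote_ip

def compare(client_addr, client_headers, proxy_addr):
    """Return what each method yields for one request sent via the proxy."""
    forwarded = proxy_forward(client_addr, client_headers)
    return {m: client_ip(proxy_addr, forwarded, m)
            for m in ("xff_first", "remote_ip", "header")}

if __name__ == "__main__":
    # Constructed request: the client pre-populates both headers itself.
    sent = {"X-Forwarded-For": "10.0.0.1", "X-Client-Real-IP": "10.0.0.1"}
    for method, ip in compare("198.51.100.7", sent, "203.0.113.10").items():
        print(f"{method:10} -> {ip}")
```

For the constructed request, the first X-Forwarded-For entry is the value the client supplied, remote_ip is the proxy's own address, and the custom header carries the address the proxy actually saw.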

Next Steps

After the domain name is added, the following steps can be performed:

