Web application firewall knowledge points summary (for interview review)

1. Overview of a simple WAF
(figures: WAF engine-layer architecture diagrams; images not included in this copy)


2. WAF piping (management console)

The diagrams above show the engine layer of the WAF. The WAF also has a management layer, the configuration management console, referred to below as the "piping" layer.

The piping layer is where users and security experts (operations staff) interact with the WAF: users configure domain names and protection settings, and security experts configure and release detection rules.

The resulting domain-name resolution configuration and the rules are both delivered from the piping layer to the engine layer.


3. Piping architecture diagram
(figures: piping-layer architecture diagrams; images not included in this copy)


4. Domain name management

Website configuration supports two access modes: DNS configuration mode and transparent proxy mode.

DNS configuration mode: the domain's DNS resolution is changed so that traffic for the protected domain is directed to the WAF; after inspection, the WAF forwards the request to the origin server address configured for that domain.

Transparent proxy mode: HTTP traffic arriving at port 80 of the configured origin server's public IP is pulled directly to the WAF, and legitimate traffic is injected back to the origin server after the WAF has processed it.

Transparent proxy mode requires all of the following:

  1. The WAF instance is on a subscription (monthly or yearly) billing plan;

  2. The origin server is an Alibaba Cloud ECS instance located in the China North 2 (Beijing) region;

  3. The origin ECS instance has a public IP or a bound Elastic IP (EIP).

DNS configuration mode has two sub-cases: the website's DNS is not hosted on Alibaba Cloud DNS, or it is hosted on Alibaba Cloud DNS.

Non-Alibaba Cloud DNS (the website's DNS resolution is not hosted on Alibaba Cloud DNS):

  1. The user-configured website data is passed to the piping layer;
  2. Piping validates the parameters and converts them into rsPolicyMo (stored in the piping database and used for user-facing data) and gfMo (used to provision the Anti-DDoS service);
  3. Assign a VIP and a CNAME;
  4. Enable precise access control (ACL) in the protection settings: piping saves the data to its database and then writes it to etcd; the engine pulls the configuration from etcd. All protection functions are delivered in this incremental way;
  5. Enable CC (HTTP flood) protection; the piping flow is the same as above;
  6. Enable web application attack protection; the piping flow is the same as above;
  7. Call the Anti-DDoS interface; by default the user gets the basic DDoS protection provided by Alibaba Cloud, up to 5 Gbps;
  8. Call the DNS interface (an internal interface) to resolve the user's domain to the CNAME assigned by Alibaba Cloud, which in turn resolves to the VIP (user domain -> Alibaba Cloud CNAME -> VIP);
  9. Save the domain-related data to the management database.

If any step fails, the whole operation is rolled back: a flag records which step failed, and the rollback corresponding to the steps already completed is performed.

Both the step sequence and the data handling involve real complexity.
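The onboarding sequence and its flag-based rollback, written out as an added example (this is not code from the original post or from the product). The management database, etcd, the Anti-DDoS interface and the internal DNS interface are replaced by hypothetical in-memory stand-ins; the step names, etcd key layout and the rsPolicyMo/gfMo field names are assumptions.

```python
"""Onboarding a protected domain in DNS configuration mode with rollback.

Added example. Backends (management DB, etcd, Anti-DDoS, DNS) are in-memory
stand-ins; step names and key layout are assumptions, not the product's API.
"""
from dataclasses import dataclass, field


class StepFailed(Exception):
    """Simulated failure of the remote call made by one onboarding step."""


@dataclass
class Backends:
    """In-memory fakes. `fail_at` names the step whose remote call should fail."""
    fail_at: str = ""
    db: dict = field(default_factory=dict)      # management database rows
    etcd: dict = field(default_factory=dict)    # key -> protection config pulled by engines
    ddos: set = field(default_factory=set)      # domains with basic DDoS protection enabled
    dns: dict = field(default_factory=dict)     # name -> CNAME or VIP target
    cname_pool: list = field(default_factory=lambda: ["abc123.waf.example.net"])
    vip_pool: list = field(default_factory=lambda: ["203.0.113.10"])

    def call(self, step: str) -> None:
        """Stand-in for the remote call a step makes; fails if injected."""
        if step == self.fail_at:
            raise StepFailed(step)


def validate(site: dict) -> dict:
    """Steps 1-2: check parameters, convert to rsPolicyMo (piping DB / user data)
    and gfMo (Anti-DDoS provisioning). Field names are assumptions."""
    if not site.get("domain") or not site.get("origin_ip"):
        raise ValueError("domain and origin_ip are required")
    rs_policy = {"domain": site["domain"], "origin": site["origin_ip"],
                 "acl": site.get("acl", True), "cc": site.get("cc", True),
                 "web": site.get("web", True)}
    gf = {"domain": site["domain"], "basic_ddos_gbps": 5}   # default basic protection
    return {"rsPolicyMo": rs_policy, "gfMo": gf}


def onboard(site: dict, be: Backends) -> dict:
    """Run the onboarding steps in order. Each completed step is recorded as a
    flag in `done`; on failure the completed steps are undone in reverse order
    and the error is re-raised. Returns the saved site record on success."""
    mo = validate(site)
    d = site["domain"]
    state: dict = {}

    def assign():
        state["cname"], state["vip"] = be.cname_pool.pop(), be.vip_pool.pop()

    def unassign():
        be.cname_pool.append(state.pop("cname"))
        be.vip_pool.append(state.pop("vip"))

    def push(kind):
        """acl/cc/web: save to the piping DB, then write to etcd for the engine to pull."""
        def do():
            be.db[f"{d}/{kind}"] = mo["rsPolicyMo"][kind]
            be.etcd[f"/waf/{d}/{kind}"] = mo["rsPolicyMo"][kind]

        def undo():
            be.db.pop(f"{d}/{kind}", None)
            be.etcd.pop(f"/waf/{d}/{kind}", None)
        return do, undo

    def set_dns():   # user domain -> Alibaba Cloud CNAME -> VIP
        be.dns[d] = state["cname"]
        be.dns[state["cname"]] = state["vip"]

    def unset_dns():
        be.dns.pop(d, None)
        be.dns.pop(state["cname"], None)

    def save():
        be.db[f"{d}/site"] = {**mo, **state}

    steps = [
        ("assign_vip_cname", assign, unassign),
        ("acl", *push("acl")),
        ("cc", *push("cc")),
        ("web", *push("web")),
        ("ddos", lambda: be.ddos.add(d), lambda: be.ddos.discard(d)),
        ("dns", set_dns, unset_dns),
        ("save", save, lambda: be.db.pop(f"{d}/site", None)),
    ]
    done = []                     # flags: names of the steps that completed
    try:
        for name, do, undo in steps:
            be.call(name)
            do()
            done.append(name)
    except Exception as exc:
        for name, _, undo in reversed(steps):
            if name in done:
                undo()
        raise RuntimeError(f"onboarding failed at {exc!r}; rolled back {done}") from exc
    return be.db[f"{d}/site"]


def resolve(be: Backends, name: str) -> str:
    """Follow the CNAME chain the way a resolver would: domain -> CNAME -> VIP."""
    while name in be.dns:
        name = be.dns[name]
    return name


if __name__ == "__main__":
    ok = Backends()
    print(onboard({"domain": "www.example.com", "origin_ip": "198.51.100.7"}, ok))
    print(resolve(ok, "www.example.com"))
    try:
        onboard({"domain": "www.example.com", "origin_ip": "198.51.100.7"},
                Backends(fail_at="dns"))
    except RuntimeError as err:
        print(err)
```

The point of the `done` list is that rollback only touches what actually completed: a failure at the DNS step returns the VIP and CNAME to their pools and removes the etcd keys, so the engine never pulls configuration for a domain whose traffic was never redirected.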

The figures below showed the conversion of the user-configured website data -> rsPolicyMo -> gfMo; the piping layer performs a fair amount of data transformation.
(figures: data conversion diagrams; images not included in this copy)


Alibaba Cloud DNS mode (the website's DNS resolution is hosted on Alibaba Cloud DNS):

  1. All other operations are the same as in the non-Alibaba Cloud DNS mode.
  2. Call the Alibaba Cloud DNS management interface for listing resolution records to obtain the website's domain name and origin server IP address.
  3. Call the Alibaba Cloud DNS batch management interface for adding resolution records to update the domain's resolution records, so that website requests are forwarded to the WAF for inspection.
(figures: Alibaba Cloud DNS interface diagrams; images not included in this copy)

Transparent proxy mode: implemented by calling the group's internal traffic-diversion interfaces according to their specifications; there is not much complexity there. The larger complexity is in EIP lifecycle management.

EIP lifecycle steps:
 1. The user must first grant authorization; after authorization it is recorded in the user_profile table (is_ecs_authorized = 1);
 2. Call the ECS OpenAPI to synchronize the authorized user's EIPs: add new EIPs and delete old ones;
 3. When removing an EIP, delete the traffic diversion first, then delete the EIP;
 4. For UIDs whose authorization has been revoked, remove them from the user_eip table and delete the corresponding diversion and EIPs;
 5. When a user is deleted, delete the user_eip records and the corresponding diversion and EIPs.

If any step that calls a remote interface fails, the piping data is not physically deleted but marked as deleted; the next scheduled task retries the cleanup, and after repeated failures it is handled manually.
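The EIP lifecycle above, written out as an added example of the reconcile-and-retry pattern (not code from the original post or from the product). The ECS OpenAPI and the internal traffic-diversion interface are hypothetical in-memory stand-ins; apart from user_profile.is_ecs_authorized and the user_eip table, the column names, the failure threshold and the method names are assumptions.

```python
"""EIP lifecycle for transparent proxy mode: sync an authorized user's EIPs,
divert traffic for new ones, soft-delete stale ones, retry cleanup from a
scheduled task, and escalate to manual handling after repeated failures.

Added example with in-memory stand-ins for the ECS OpenAPI and the
diversion interface; names beyond user_profile/user_eip are assumptions.
"""
from dataclasses import dataclass, field

MAX_FAILURES = 3     # assumed threshold before a row is handed to manual processing


class RemoteError(Exception):
    """Simulated failure of a remote interface call."""


@dataclass
class Remote:
    """Stand-ins for the ECS OpenAPI (EIP listing) and the diversion interface."""
    ecs_eips: dict                                   # uid -> set of EIPs ECS reports
    fail_undivert: set = field(default_factory=set)  # EIPs whose undivert call should fail
    diverted: set = field(default_factory=set)       # EIPs whose port-80 traffic is pulled to WAF

    def list_eips(self, uid: str) -> set:
        return set(self.ecs_eips.get(uid, set()))

    def divert(self, eip: str) -> None:
        self.diverted.add(eip)

    def undivert(self, eip: str) -> None:
        if eip in self.fail_undivert:
            raise RemoteError(eip)
        self.diverted.discard(eip)


@dataclass
class EipRow:
    uid: str
    eip: str
    deleted: bool = False    # soft-delete flag: row stays until remote cleanup succeeds
    failures: int = 0
    manual: bool = False     # escalated after MAX_FAILURES failed cleanups


class EipController:
    def __init__(self, remote: Remote):
        self.remote = remote
        self.user_profile: dict = {}   # uid -> is_ecs_authorized (0/1)
        self.user_eip: dict = {}       # (uid, eip) -> EipRow

    def authorize(self, uid: str) -> None:
        self.user_profile[uid] = 1          # step 1

    def revoke(self, uid: str) -> None:
        self.user_profile[uid] = 0          # step 4: rows are soft-deleted on next sync

    def delete_user(self, uid: str) -> None:
        self.user_profile.pop(uid, None)    # step 5: soft-delete all of the user's rows
        for row in self.user_eip.values():
            if row.uid == uid:
                row.deleted = True

    def sync(self) -> None:
        """Step 2 (scheduled): reconcile user_eip with what ECS reports. New EIPs
        get a row and a diversion; EIPs that vanished, or belong to an unauthorized
        uid, are soft-deleted. Then run the cleanup pass."""
        for uid, authorized in self.user_profile.items():
            live = self.remote.list_eips(uid) if authorized else set()
            ours = {r.eip for r in self.user_eip.values() if r.uid == uid and not r.deleted}
            for eip in live - ours:
                self.user_eip[(uid, eip)] = EipRow(uid, eip)
                self.remote.divert(eip)
            for eip in ours - live:
                self.user_eip[(uid, eip)].deleted = True
        self.cleanup()

    def cleanup(self) -> None:
        """Scheduled task: for soft-deleted rows remove the diversion first, then the
        EIP row (step 3). On a remote failure keep the row for the next run; after
        MAX_FAILURES hand it over to manual processing and stop retrying."""
        for key, row in list(self.user_eip.items()):
            if not row.deleted or row.manual:
                continue
            try:
                self.remote.undivert(row.eip)
            except RemoteError:
                row.failures += 1
                row.manual = row.failures >= MAX_FAILURES
                continue
            del self.user_eip[key]

    def pending_manual(self) -> list:
        """EIPs whose cleanup has been escalated to an operator."""
        return sorted(r.eip for r in self.user_eip.values() if r.manual)
```

Ordering matters in `cleanup`: the diversion is removed before the row is dropped, so a failed remote call can never leave traffic silently pulled to a WAF that has forgotten the EIP. A row that keeps failing stays visible through `pending_manual` instead of disappearing.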


5. Piping rule management

Rule management covers creating, deleting, modifying and querying rules and rule groups, which is straightforward management functionality; a rule group has a field that holds the primary keys of its rules.

The more complex part is rule release:
1. Package all rule groups and rules into one large record;
2. Compare it with the previous complete rule-set version to determine which rules were added, which were deleted and which were modified;
3. Generate a release ticket and create engine batches according to the release mode (one engine at a time, by zone, or by region); each batch has a status of not started, in progress or completed;
4. Engines pull rules periodically and report a version number. An engine is allowed to pull when it is in the current gray (canary) batch and its reported version is lower than the current rule-set version or equal to 0;
5. The master node starts a consumer thread for each version type, which watches and updates the batch status and the engines' pull status, starts the next batch, and updates the release ticket status;
6. The release ticket can be paused at any stage and continued by manual release or manual batching;
7. The release ticket can be withdrawn at any stage: engines that have already pulled keep the new rules, engines that have not yet pulled no longer pull, and pulls already in progress are allowed to complete;
8. An engine that is currently being pulled can be skipped;
9. Rollback means making the previous release the latest release and releasing it again.
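The release mechanics above (rule-set diff, batching by release mode, version-gated pulls, batch advancement, pause, withdraw and rollback) as an added example. This is not code from the original post or from the product: the class and method names are assumptions, and blocking pulls while a ticket is paused is an interpretation of step 6; the batch statuses and the pull condition follow the text.

```python
"""Rule-set release: diff against the previous complete version, batch engines
by release mode, gate engine pulls on version, advance batches, pause or
withdraw the ticket, and roll back by re-releasing the previous set.

Added example; names are assumptions, not the product's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List


def diff_rulesets(old: Dict[str, dict], new: Dict[str, dict]) -> dict:
    """Step 2: compare two complete rule snapshots keyed by rule id."""
    return {
        "added": sorted(k for k in new if k not in old),
        "deleted": sorted(k for k in old if k not in new),
        "modified": sorted(k for k in new if k in old and new[k] != old[k]),
    }


@dataclass
class Engine:
    name: str
    zone: str
    region: str
    version: int = 0      # version the engine reports; 0 = never pulled


def make_batches(engines: List[Engine], mode: str) -> List[List[Engine]]:
    """Step 3: release modes 'one' (one engine per batch), 'zone', 'region'."""
    if mode == "one":
        return [[e] for e in engines]
    key = {"zone": lambda e: e.zone, "region": lambda e: e.region}[mode]
    groups: Dict[str, List[Engine]] = {}
    for e in engines:
        groups.setdefault(key(e), []).append(e)
    return [groups[k] for k in sorted(groups)]


@dataclass
class Release:
    version: int
    rules: Dict[str, dict]
    batches: List[List[Engine]]
    status: List[str] = field(default_factory=list)  # per batch: not_started/in_progress/completed
    order: str = "running"                           # ticket: running/paused/withdrawn/completed
    skipped: set = field(default_factory=set)        # engine names skipped by an operator

    def __post_init__(self):
        self.status = ["not_started"] * len(self.batches)
        if self.batches:
            self.status[0] = "in_progress"

    def _current(self) -> int:
        return self.status.index("in_progress") if "in_progress" in self.status else -1

    def may_pull(self, e: Engine) -> bool:
        """Step 4: engine is in the in-progress (gray) batch and reports a version
        below the release version or 0. A paused or withdrawn ticket blocks pulls."""
        i = self._current()
        if self.order != "running" or i < 0:
            return False
        in_batch = any(x.name == e.name for x in self.batches[i])
        return in_batch and (e.version == 0 or e.version < self.version)

    def pulled(self, e: Engine) -> None:
        """The engine reports that it has pulled this version."""
        e.version = self.version

    def skip(self, e: Engine) -> None:
        self.skipped.add(e.name)          # step 8

    def advance(self) -> str:
        """Step 5 (consumer thread): when every engine in the current batch has
        pulled or been skipped, complete it and start the next batch; complete
        the ticket after the last batch. Returns the ticket status."""
        i = self._current()
        if self.order != "running" or i < 0:
            return self.order
        if all(e.version >= self.version or e.name in self.skipped for e in self.batches[i]):
            self.status[i] = "completed"
            if i + 1 < len(self.batches):
                self.status[i + 1] = "in_progress"
            else:
                self.order = "completed"
        return self.order

    def pause(self) -> None:
        self.order = "paused"             # step 6

    def resume(self) -> None:
        self.order = "running"

    def withdraw(self) -> None:
        """Step 7: engines that already pulled keep the new rules (their version
        stays), engines that have not pulled are no longer allowed to."""
        self.order = "withdrawn"


def rollback(current: Release, previous_rules: Dict[str, dict],
             engines: List[Engine], mode: str) -> Release:
    """Step 9: make the previous rule set the latest release and release it again."""
    return Release(current.version + 1, previous_rules, make_batches(engines, mode))
```

Note that `rollback` does not decrement anything: it issues a new, higher version carrying the old rules, so the same `may_pull` check (engine version below release version) drives engines back to the previous rule set through the normal batch flow.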


Source: blog.csdn.net/xrzi2015/article/details/105604518