Hands-on case: putting the WAF application firewall behind an Alibaba Cloud CDN

Outline of the steps:

1. Configure website access in the WAF (domain name, protocol types, origin server address and port, and load balancing algorithm).

2. Obtain the CNAME address that the WAF generates for the site.

3. Upload the site's HTTPS certificate in the WAF website access settings so the site can be served over HTTPS.

4. Change the CDN's back-to-origin address to the WAF CNAME so the CDN fetches content from the WAF.

5. Point the domain's DNS record at the CDN's CNAME.

KodCloud is served over HTTPS, so CDN, WAF and SLB all need HTTPS configured. The WAF's back-to-origin port to the SLB can only be 80 if the site does not force an HTTP-to-HTTPS redirect; with a forced redirect, an HTTP back-to-origin ends in a redirect loop (see section 2.4).

1. Website architecture changes

In the current architecture, when a user requests the cloud disk system, DNS resolves the domain name to the CNAME provided by the CDN. When the requested content is not in the CDN cache, the CDN goes back to the origin, the SLB, to fetch it.

image-20220216140907700

We need to put the KodCloud cloud disk system behind the WAF application firewall to protect the site.

The architecture after connecting the WAF is: DNS -> CDN acceleration -> back to origin at the WAF -> back to origin at the SLB.

image-20220216135147051

2. Configure WAF application firewall

Three things have to be configured: website access, the WAF's back-to-origin target, and HTTPS.

2.1. Configure the website to access the WAF firewall

1) Configure website access method

Click Website Access—>Domain Name List—>Website Access.

Choose CNAME manual access as the access method.

image-20220216142958937

2) Fill in the website information

1) Website domain name: kodcloud.jiangxl.com.cn

2) Protocol type: tick HTTP, HTTPS and HTTP/2.

3) Tick "back-to-origin SNI consistent with the actual request Host". If several sites share the load balancer, this must be enabled so that the SNI the WAF presents when it connects back to the SLB matches the requested Host and the SLB can select the right certificate and backend.

4) The server address is the origin to be protected, the address the WAF forwards traffic to. Enter the load balancer's address here: 47.95.212.251

5) Server ports: 80 for HTTP and 443 for HTTPS.

6) Load balancing algorithm: round robin.

7) Because a CDN (a layer-7 proxy) will sit in front of the WAF, select Yes for "Is there a layer-7 proxy in front of the WAF" and use the first IP in X-Forwarded-For as the client source IP. Caveat: X-Forwarded-For is written by whoever sends the request. The first entry is only trustworthy if the CDN replaces the header the client sent rather than appending to it, and only if the WAF can be reached solely through the CDN; otherwise an attacker can put an arbitrary address first and evade IP-based controls such as the blocking in section 7.

8) After the configuration is completed, click Next.

image-20220216143315220
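The choice in item 7 matters because X-Forwarded-For is client-writable. The following Python script is an added example (not code from the original post or from Alibaba Cloud) contrasting the "first IP in X-Forwarded-For" rule with a selection that walks the header from the right and trusts only the CDN's own addresses. The proxy ranges and every sample header in it are constructed placeholders, not the CDN's real back-to-origin ranges.

```python
# Added example (not from the original post): picking the client IP from
# X-Forwarded-For (XFF) when a CDN sits in front of the WAF.
#
# Assumptions: TRUSTED_PROXIES stands in for the CDN's real back-to-origin
# ranges (constructed placeholder, RFC 5737 documentation space), and every
# sample header below is made up.
import ipaddress
from typing import Iterable, List, Optional

# Constructed stand-in for the CDN back-to-origin address ranges. In a real
# deployment fill this from the CDN provider's published list.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def _parse_xff(header: str) -> List[str]:
    """Split an XFF header into its entries, left to right (may be empty)."""
    return [p.strip() for p in header.split(",") if p.strip()]


def _is_trusted(addr: str, trusted: Iterable) -> bool:
    """True if addr parses and lies inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed entries are never trusted
    return any(ip in net for net in trusted)


def first_xff_ip(header: str) -> Optional[str]:
    """The rule chosen in the WAF console: the first XFF entry is the client.
    Whoever sent the original request controls this value if the proxy in
    front appends instead of replacing the header."""
    parts = _parse_xff(header)
    return parts[0] if parts else None


def client_ip_from_xff(header: str, peer_ip: str, trusted=TRUSTED_PROXIES) -> str:
    """Walk XFF from the right, discarding hops we trust; the first address a
    trusted proxy did not add itself is the client.

    peer_ip is the address the TCP connection actually came from. If the peer
    is not a trusted proxy the header is ignored entirely: anyone reaching
    the WAF directly could otherwise choose their own "client IP".
    """
    if not _is_trusted(peer_ip, trusted):
        return peer_ip
    candidate = peer_ip
    for addr in reversed(_parse_xff(header)):
        if _is_trusted(addr, trusted):
            candidate = addr      # another proxy we trust; keep walking left
            continue
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            break                 # malformed entry: fall back to the last trusted hop
        return addr               # first untrusted, well-formed address
    return candidate


if __name__ == "__main__":
    # Constructed scenario: a CDN node at 203.0.113.10 connects to the WAF and
    # appends the real client (192.0.2.7) to the XFF the client already sent.
    spoofed = "10.0.0.1, 192.0.2.7"
    print(first_xff_ip(spoofed))                         # 10.0.0.1 (attacker-chosen)
    print(client_ip_from_xff(spoofed, "203.0.113.10"))   # 192.0.2.7
```

The right-to-left walk is the rule to use when the WAF or application has to decide for itself; the console option is acceptable only when the CDN is known to overwrite the header and the origin and WAF accept connections from the CDN alone.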

2.2. WAF firewall generates the CNAME address

After the website access form is submitted, the second step shows the CNAME address generated by the WAF. This address has to be entered as the CDN's origin later; nothing is done with it yet.

WAF’s CNAME address: 7wciklcupr28znnhkwrghcsgdjahwszt.yundunwaf1.com

image-20220216144901826

Then click Next to finish connecting the website to the WAF. The third step prompts you to add the WAF's back-to-origin addresses to the origin's allow list so its traffic is not blocked by mistake. Ideally the SLB or its security group should accept connections only from those addresses: as long as the origin answers anyone, an attacker who learns the SLB address can reach the site directly and bypass both CDN and WAF.

image-20220216145005968

2.3. Configure WAF firewall HTTPS certificate

HTTPS was selected as a protocol type when the website was connected to the WAF, so the site's certificate must be uploaded to the WAF; otherwise the WAF cannot terminate TLS for the domain and HTTPS requests fail.

1) Find the kodcloud website in the website access list and click Upload certificate in the origin information column.

image-20220216145305814

2) Select an existing certificate—>select the domain name certificate of the website

image-20220216145446420

3) The certificate is added.

image-20220216145522772

2.4. WAF firewall: HTTP back-to-origin to the SLB

This option is not shown while the site is first being added; it only appears when you click Edit on the site after the access configuration is complete.

Find our website in the website access list and click the edit button in the operation column.

On the edit page, find the protocol type and tick "enable HTTP back-to-origin". The WAF will then connect to the SLB over HTTP.

If the WAF is to return to the origin over HTTP, the forced HTTP-to-HTTPS redirect on the SLB (or on the web server behind it) must be turned off. Otherwise every request the WAF sends over HTTP is answered with a redirect to HTTPS, the client follows it back through the same path, and the site loops and never loads. A backend that still needs to enforce HTTPS for end users should base that decision on a forwarded-protocol header set by the proxy chain (such as X-Forwarded-Proto, if the chain sets it) rather than on the scheme of the connection it receives from the WAF.

image-20220216145757153

Since my website is forced to HTTPS, I will not enable HTTP back-to-origin here.

3. Configure CDN accelerator back-to-origin WAF firewall

1) Enter the CDN’s domain name management page—>Basic Settings—>Find the previously added origin site information—>Edit.

image-20220216150219433

2) Change the origin type to "origin domain name", enter the WAF's CNAME address, and use port 443. The CDN must still send the site's own domain name in the Host header when it goes back to the WAF, because the WAF matches requests by Host; check the back-to-origin HOST setting if the WAF returns errors after this change.

image-20220216150423252

3) The CDN back-to-origin pointing to WAF configuration is completed.

image-20220216150502407

4. Point the domain's DNS record at the CDN

The domain was already pointed at the CDN's CNAME when the DNS resolution was set up earlier, so no DNS change is needed here.

image-20220216151232733

5. Test whether the website can be accessed normally

At this point the kodcloud site is behind the WAF. Let's test whether the site still opens normally.

The website opens with no problem.

image-20220216153312704

6. Simulate attacks to observe the role of WAF

The site is reachable with the WAF in place, but nothing visible has changed compared with before. Let's simulate an attack on the site and observe what the WAF does.

Simulate an XSS attack by appending a simulated XSS payload, ?alert('xss'), after the domain name:

https://kodcloud.jiangxl.com.cn/index.php?alert(%27xss%27)

After a few visits the page below appears: the abnormal request has been intercepted by the WAF.

image-20220216154109511

This client IP has attacked the site repeatedly and has been blacklisted by the WAF, so even normal requests from it no longer succeed.

image-20220216154725078
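The checks in sections 5 and 6 can be repeated from the command line, and one more is worth adding that the console cannot show: whether the SLB still answers the same XSS probe when addressed directly by IP with the site's Host header, which would bypass both CDN and WAF. The following Python script is an added example, not code from the original post. The domain, origin IP and probe URL are the ones on this page; the block-page text marker and the status codes treated as a WAF block are assumptions, and the script sends no traffic unless run directly.

```python
# Added example (not from the original post): probe the CDN -> WAF -> SLB chain
# and check for a direct-to-origin bypass.
#
# Assumptions: BLOCK_MARKER and BLOCK_STATUSES are guesses at how the WAF block
# page looks; adjust them to the block page observed in section 6. Nothing is
# sent until probe_chain() is called.
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass

DOMAIN = "kodcloud.jiangxl.com.cn"              # site domain from the page
ORIGIN_IP = "47.95.212.251"                      # SLB address from the page
XSS_PROBE_PATH = "/index.php?alert(%27xss%27)"   # the page's test payload
BLOCK_MARKER = "blocked"                         # ASSUMED block-page text
BLOCK_STATUSES = {403, 405}                      # ASSUMED block status codes


@dataclass
class Verdict:
    status: int      # 0 means the connection itself failed
    blocked: bool
    note: str


def classify(status: int, body: str) -> Verdict:
    """Decide from status code and body whether a response is a WAF block."""
    if status in BLOCK_STATUSES or BLOCK_MARKER.lower() in body.lower():
        return Verdict(status, True, "request intercepted by WAF")
    if 200 <= status < 400:
        return Verdict(status, False, "request reached the application")
    return Verdict(status, False, "error response, not a WAF block")


def origin_bypass_verdict(via_cdn: Verdict, direct: Verdict) -> str:
    """Compare the probe sent through CDN+WAF with the one sent straight to
    the SLB address (same Host header). The chain is only as good as the
    origin's refusal to talk to anyone but the WAF."""
    if not via_cdn.blocked:
        return "WAF did not block the probe through the CDN: check the chain"
    if direct.status == 0:
        return "origin unreachable directly: only the WAF can reach the SLB"
    if direct.blocked:
        return "origin reachable but it also blocked the probe"
    return "BYPASS: the origin answers direct requests; restrict the SLB to WAF back-to-origin IPs"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 30x from the origin still proves it answered."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, host_header: str, timeout: float = 10.0) -> Verdict:
    """Send one GET with an explicit Host header and classify the answer."""
    ctx = ssl.create_default_context()
    if host_header not in url:
        # Direct-to-IP request: the certificate is for the domain, not the IP,
        # so hostname verification would fail before any HTTP is exchanged.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url, headers={"Host": host_header, "User-Agent": "chain-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read(4096).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return Verdict(0, False, "connection failed")


def probe_chain() -> str:
    """Run the three probes and return the bypass verdict."""
    normal = fetch(f"https://{DOMAIN}/", DOMAIN)
    via_cdn = fetch(f"https://{DOMAIN}{XSS_PROBE_PATH}", DOMAIN)
    direct = fetch(f"https://{ORIGIN_IP}{XSS_PROBE_PATH}", DOMAIN)
    print("normal page via CDN :", normal)
    print("XSS probe via CDN   :", via_cdn)
    print("XSS probe to origin :", direct)
    verdict = origin_bypass_verdict(via_cdn, direct)
    print(verdict)
    return verdict


if __name__ == "__main__":
    probe_chain()
```

Run it from a machine whose address you can unblock afterwards: as section 6 shows, repeating the attack probe gets the source IP blacklisted, and a direct request is only a meaningful test from outside the WAF's own address ranges.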

7. Unblock IPs banned by WAF

An IP that sends high-frequency web attacks at the kodcloud site is intercepted and blocked by the WAF, as shown above. The block can also be lifted manually.

Click Website Protection—>High Frequency WEB Attack Block—>Unblock the currently blocked IP.

image-20220216155408674

Refresh the website again to access it normally.

image-20220216155524318

8. View WAF protection records

The WAF overview shows how many intrusion-prevention and traffic-analysis events the WAF has intercepted.

image-20220216154832313

It can also be browsed in the security report.

image-20220216154936013

Origin blog.csdn.net/weixin_44953658/article/details/132845837