Configuring WAF protection for CLB listening domain names

Last updated: 2024-01-04 14:39:00
    By binding domain names to CLB listeners, CLB Web Application Firewall (WAF) can detect and block the HTTP or HTTPS traffic passing through those listeners. This document describes how to use CLB WAF to apply web security protection to the domain names added to CLB.

    Prerequisites

    You have created an HTTP or HTTPS listener, and the domain name can be accessed. For more information, see Getting Started with CLB.
    You have purchased the CLB WAF service. For more information, see Purchase Guide.

    Directions

    Step 1: Confirm the CLB domain name configuration

    This document takes the domain name www.example.com as an example.
    1. Log in to the CLB console and click Instance management in the left sidebar.
    2. On the Instance management page, select the instance region and then click Configure listener on the right of the target instance.
    3. Select the Listener management tab. In the HTTP/HTTPS listener section, click the + icon on the left of the target listener to see the domain name details.
    
    4. Check the CLB domain name configuration and make sure it matches the following (the instance ID, listener name, and domain name shown here are examples; use your actual values): CLB instance ID: lb-f8lm****; listener name: http-test; domain name: www.example.com; domain name protection status: Not Enabled.

    Step 2: Add a domain name in the WAF console and bind it to a CLB instance

    To apply protection to a domain name with the CLB WAF service, you need to add a CLB-listening domain name in WAF and bind it with a CLB listener.
    1. Log in to the WAF console, and choose Web Application Firewall > Defense Settings in the left sidebar.
    2. Select the CLB tab.
    3. Click Add domain name.
    
    4. Enter the domain name, and click Next.
    
    5. Select your CLB region, select the CLB instance confirmed in Step 1: Confirm the CLB domain name configuration, and click Select a listener.
    
    6. In the pop-up window, select the CLB listener confirmed in Step 1: Confirm the CLB domain name configuration and click OK.
    
    7. Return to the Select a listener tab and click Complete.
    8. Return to the Domain name list page, check the domain name, region, ID of the bound CLB instance, bound listener, and other information.

    Step 3: Verify the result

    1. Follow the directions in Step 1: Confirm the CLB domain name configuration to check whether Domain name protection is Enabled and whether Traffic mode is Traffic mirroring mode on the Listener management tab. If so, domain name protection is enabled.
    If you have not configured DNS resolution for your domain name, see Step 2. Perform Local Testing to verify if WAF protection takes effect.
    If you have configured DNS resolution for your domain name, follow the directions below to verify if WAF protection takes effect.
    2. Visit http://www.example.com/?test=alert(123) via a browser.
    3. Log in to the WAF console, and choose Attack Logs in the left sidebar.
    4. On the Log Query tab, select the protected domain name www.example.com, and then click Search. WAF protection takes effect on the domain name configured in CLB if there are XSS attack logs in the log list.