
WAF and CDN Linkage Practice Tutorial

Last updated: 2024-11-26 09:50:43

This article describes how to connect to WAF, and provide more effective security protection, when a CDN layer is added to the network.
CDN provides powerful accelerated distribution processing capability for static website content, significantly enhancing website resource loading speed. End users located in different regions can enjoy a fast and smooth webpage experience. During periods of high concurrency, it can relieve pressure on the origin server, ensuring service stability and smooth access to the webpages.
WAF can block web attacks in real time to ensure the security of your business data and information.


Test Environment

CVM: A web service is running on it.
A registered domain name.
WAF.
CDN.

Access Steps

Step 1: Configure WAF

1. Log in to the WAF Console and select Access Management in the left navigation.
2. On the Domain Access page, click Add Domain.
3. On the Add Domain page, configure the relevant parameters and click OK.

Parameter name: Description
Domain name: Add the domain that needs protection in the domain input box. In this example, enter youlin.life.
Proxy: Select whether proxy services including Anti-DDoS, CDN, and Cloud Acceleration are used, based on the actual conditions.
  Note: Since this article requires CDN access, select Yes.
  No: Indicates that the business request received by WAF comes from the client initiating the request. WAF directly obtains the IP address connected to WAF as the Client IP.
  Yes: Indicates that the business request received by WAF is forwarded by other layer 7 proxy services, rather than directly from the client initiating the request. To ensure WAF can obtain the real Client IP for security analysis and protection, you need to further set the Client IP determination method:
    Take the first IP address in the request header field X-Forwarded-For (XFF) as the Client IP.
    Obtain the network layer's remote_ip as the client's source IP to prevent XFF forgery.
    Obtain the IP address from the specified header field.
Origin server address: Enter the IP or domain name as needed.
Other parameters: For details, see Step 1: Adding a Domain.
4. After the configuration is complete, the connected domain name appears on the current page. The CNAME currently assigned to it is 09a10b6316608b648da8eec6fffeb59b.qcloudwzgj.com.


Step 2: Configure CDN

1. Log in to the CDN console and select Domain Management on the left sidebar.
2. On the Domain Management page, click Add Domain, enter the acceleration domain name and origin address, configure relevant parameters, and click Confirm Add.
Note:
Acceleration Domain Name: Enter the target domain name.
Origin Address: Enter the WAF's CNAME address.
For more details, see Configuring CDN from Scratch.

3. After the configuration is complete, you can see the added domain name and the generated CDN CNAME address on the current page.


Step 3: Configure DNS

1. Log in to the DNS Console, and in the left navigation pane, select My Resolutions.
2. On the My Resolutions page, select the domain name to be operated on, and click Resolution.

3. Add the CNAME address, where the record value is the CDN's CNAME address.


Test Verification

Verification 1: Check if the domain name can be accessed normally

Open the target domain name http://xx.com in a browser and check that it loads normally.

Verification 2: Check if the WAF is successfully integrated

Open http://xx.com/?test=alert(123) in a browser and check whether the request is intercepted by WAF.


Verification 3: Check if CDN access is successful

Open the browser's developer tools and visit the acceleration domain name.
Verification Method ①: Confirm whether the Remote Address IP belongs to a CDN node. For operation details, refer to IP Ownership Query.
Verification Method ②: Check the response headers for a cache hit. If any of the following is returned, the request hit the cache; otherwise, it did not.
X-Cache-Lookup: Hit From MemCache
X-Cache-Lookup: Hit From Disktank
X-Cache-Lookup: Cache Hit


Verification 4: Check if WAF correctly recognizes the Client IP

1. On the Attack Logs page, check the latest recorded attack_ip.

2. Verify whether the attack_ip is the client's real IP, not the CDN's IP.
Compare it with the local IP to see if it matches the test machine's IP.
You can use the CDN's IP Ownership Query feature for verification.
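
The three Client IP determination methods from Step 1 and the attack_ip check in Verification 4, as an added Python example that is not part of the original page or Tencent Cloud's implementation. It is a simplified model with assumptions: the sample addresses are constructed, X-Example-Real-IP is a hypothetical header name, remote_ip is taken to be the TCP peer address, and the CDN is assumed to append the address it saw to any X-Forwarded-For the client sent.

```python
import ipaddress

# Constructed sample addresses from documentation ranges (not real nodes).
CDN_NODE = "198.51.100.20"    # peer address the WAF sees at the network layer
TEST_MACHINE = "203.0.113.7"  # real client used for the verification
FORGED = "192.0.2.99"         # value the client placed in its own XFF header
REAL_IP_HEADER = "X-Example-Real-IP"  # hypothetical header set by the CDN

def _ip(value):
    """Return a normalized IP string, or None if the value is not an IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

def resolve_client_ip(mode, remote_ip, headers, header_name=REAL_IP_HEADER):
    """Simplified model of the three Client IP determination methods."""
    h = {k.lower(): v for k, v in headers.items()}
    if mode == "xff_first":   # first address in X-Forwarded-For
        return _ip(h.get("x-forwarded-for", "").split(",")[0]) or remote_ip
    if mode == "remote_ip":   # network-layer peer, headers ignored
        return remote_ip
    if mode == "header":      # address from the specified header field
        return _ip(h.get(header_name.lower(), "")) or remote_ip
    raise ValueError(f"unknown mode: {mode}")

def classify_attack_ip(attack_ip, test_machine_ip, cdn_node_ips):
    """Verification 4: is the logged attack_ip the client, a CDN node, or neither?"""
    ip = _ip(attack_ip)
    if ip is None:
        return "unexpected"
    if ip == _ip(test_machine_ip):
        return "client"
    return "cdn" if ip in {_ip(n) for n in cdn_node_ips} else "unexpected"

# Request as it reaches the WAF when the client sent its own XFF value
# (assumption: the CDN appends to XFF and overwrites REAL_IP_HEADER).
forged_request = {
    "X-Forwarded-For": f"{FORGED}, {TEST_MACHINE}",
    REAL_IP_HEADER: TEST_MACHINE,
}

def compare_modes(headers=forged_request):
    """Resolve the client IP under each mode and classify the result."""
    return {m: classify_attack_ip(resolve_client_ip(m, CDN_NODE, headers),
                                  TEST_MACHINE, [CDN_NODE])
            for m in ("xff_first", "remote_ip", "header")}

if __name__ == "__main__":
    print(compare_modes())
```

Under these assumptions, the first-XFF method logs whatever address the client supplied, remote_ip logs the CDN node, and only a header that the CDN overwrites yields the test machine's address.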