BLB-WAF Overview
BLB is responsible for parsing and forwarding HTTP and HTTPS requests, and WAF is responsible for providing the security protection functions. A WAF instance, once created, must be bound to the HTTP/HTTPS business on a BLB instance in the same region so that the WAF can provide Web protection for that HTTP/HTTPS business.
Note
When configuring BLB WAF, make sure that the purchased BLB and WAF instances are in the same region.
Create BLB WAF Instances
- Log into Baidu AI Cloud Console.
- After logging in, select "Product Service > Web Application Firewall" to enter the BLB WAF list page.
- Click the [Purchase WAF Instance] button and select the configuration information:
| Parameter | Description |
|---|---|
| Region | Currently, the following regions are supported: North China - Beijing, South China - Guangzhou, East China - Suzhou, Finance Central China - Shanghai and Hong Kong Zone II. |
| Number of supported root domains | Each WAF instance protects one root domain. |
| Number of supported subdomains | The package covers the protection of 10 subdomains by default; according to business requirements, you can also purchase protection for additional subdomains. |
| Protocol supported | The package includes two protocol types, HTTP and HTTPS. |
| Web security protection | The WAF service automatically updates its rules for attack vulnerabilities, covering the common Web attacks and 0day attack rules. |
| Custom access rules | You can control and filter your own business traffic with custom rules. Currently, matching on the following contents of the HTTP request is supported: "source IP", "URL address", the "Referer" field, the "User-Agent" field, etc. The package supports a maximum of 20 custom rules by default; if you need more rules, please purchase additional rules in the console. |
- Select the purchase duration and the number of WAF instances, and click [Next]. Confirm the purchase information and complete the payment.
- After payment, the WAF instance is created. You can return to the list page to view it.
Configure BLB
Configure BLB Monitoring
- Select "Product Services > Load Balance" to enter the "Instance List" page.
- Select the BLB instance for which a monitor is to be configured, and in the "Frontend protocol/port" or "Backend protocol/port" column click "Configure" to enter the monitor settings details page.
- Fill in the configuration information.

| Parameter | Description |
|---|---|
| BLB protocol [Port] | According to the protocol and port of the external service in your actual business, select the protocol type (http/https) and fill in the port. |
| Backend protocol [Port] | According to the protocol and port of the external service in your actual business, select the protocol type (http/https) and fill in the port. |

- The remaining functions are available by default. Finally, click "Confirm" to complete the BLB monitor setting.
BLB Add Backend Servers
- Select "Product Services > Load Balance" to enter the "Instance List" page.
- Select the BLB instance for which backend servers are to be configured, and in the "Backend server" column click "Configure" to enter the backend server page.
- Click "Add backend server". In the pop-up dialog, select the BCC instance to be configured as a server and click "Next step". Then set the server weight, and finally click "Confirm" to complete adding the backend server to the BLB.
Configure WAF
After purchasing the WAF instance, you need to configure it to enable the WAF protection capability. The configuration steps are as follows:
- Select "Product Services > Web Application Firewall" to enter the BLB WAF list page. Under the "Primary domain" column, click "Configure" to enter the configuration details page.
- Fill in the basic configuration: enter the "root domain" and "subdomain" to be protected, and select the load balance (BLB) instance to bind.
  Only BLB instances in the same region as the WAF instance can be bound, and only the HTTP/HTTPS protocol is supported. If no BLB instance meets these conditions, go to the console to purchase or reconfigure a BLB instance.
- Enable Web protection and select the protection policy level.
  - The intermediate policy set is enabled by default. The stricter the policy set, the stronger the security protection. The advanced policy set enables strict protection policies, but false interceptions may occur; the intermediate policy set combines intermediate and low policies; the low policy set applies loose protection policies.
  - Each protection policy has an [Intercept] mode and an [Observe] mode. In interception mode, a request identified as an attack is blocked immediately; in observation mode, it is recorded immediately but not intercepted.
- (Optional) Enable custom access control, click the [Add] button, and control and filter your own business traffic with custom rules.

| Parameter | Description |
|---|---|
| Name | Name of the custom access control rule. |
| Match | Match against the following contents of the HTTP request: "source IP", "URL address", the "Referer" field, the "User-Agent" field, etc. |
| Matched pattern | Select the match pattern: prefix, include or postfix. |
| Match string | Enter the string to be matched for access control. |
| Executed action | Blacklist or whitelist the matching requests. |
| Pattern | Intercept: immediately block an attack when it is found; Observe: immediately record but do not intercept an attack when it is found. |

- Click [Confirm] to complete the BLB binding operation.
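The rule table above describes a match field, a match pattern, an action and a mode, and the protection policy step above describes the intercept and observe modes. The following is an added example (not Baidu's WAF code) that implements that rule model as a small evaluator, so the interaction between whitelist, blacklist, intercept and observe can be tried on constructed requests. The evaluation order (first whitelist match allows; a blacklist match blocks in intercept mode or is only logged in observe mode; no match passes the request on) and the reading of prefix/include/postfix as starts-with/contains/ends-with are assumptions made for this example; the 20-rule default quota comes from the purchase table on this page.

```python
# Added example: evaluator for the BLB WAF custom access control rule model.
# This is not Baidu's implementation; ordering and match semantics are assumed.
from dataclasses import dataclass
from typing import List, Tuple

# Default number of custom rules included in the package (from the guide).
DEFAULT_RULE_QUOTA = 20


@dataclass(frozen=True)
class AccessRule:
    name: str
    match_field: str   # "source_ip", "url", "referer" or "user_agent"
    pattern: str       # "prefix", "include" or "postfix"
    match_string: str
    action: str        # "blacklist" or "whitelist"
    mode: str          # "intercept" or "observe"


@dataclass(frozen=True)
class HttpRequest:
    source_ip: str
    url: str
    referer: str = ""
    user_agent: str = ""


def rule_matches(rule: AccessRule, req: HttpRequest) -> bool:
    """Apply the rule's match pattern to the selected request field (assumed semantics)."""
    value = getattr(req, rule.match_field)
    if rule.pattern == "prefix":
        return value.startswith(rule.match_string)
    if rule.pattern == "include":
        return rule.match_string in value
    if rule.pattern == "postfix":
        return value.endswith(rule.match_string)
    raise ValueError(f"unknown match pattern: {rule.pattern}")


def within_quota(rules: List[AccessRule], quota: int = DEFAULT_RULE_QUOTA) -> bool:
    """True if the rule set fits the package quota; beyond it, extra rules must be purchased."""
    return len(rules) <= quota


def evaluate(rules: List[AccessRule], req: HttpRequest) -> Tuple[str, List[str]]:
    """Return ("allow" or "block", log lines).

    Assumed semantics: rules are checked in order. A matching whitelist rule
    allows the request and stops evaluation. A matching blacklist rule blocks
    the request in intercept mode; in observe mode it is only recorded and
    evaluation continues. With no decisive match the request is allowed, i.e.
    handed on to the Web protection engine.
    """
    log: List[str] = []
    for rule in rules:
        if not rule_matches(rule, req):
            continue
        if rule.action == "whitelist":
            log.append(f"{rule.name}: whitelisted {req.source_ip} {req.url}")
            return "allow", log
        if rule.mode == "intercept":
            log.append(f"{rule.name}: blocked {req.source_ip} {req.url}")
            return "block", log
        log.append(f"{rule.name}: observed {req.source_ip} {req.url}")
    return "allow", log


# Constructed sample rule set for demonstration; not a recommended policy.
SAMPLE_RULES = [
    AccessRule("office-allow", "source_ip", "prefix", "10.0.", "whitelist", "intercept"),
    AccessRule("scanner-ua", "user_agent", "prefix", "TestScanner/", "blacklist", "intercept"),
    AccessRule("admin-path", "url", "include", "/admin", "blacklist", "observe"),
    AccessRule("php-upload", "url", "postfix", ".php", "blacklist", "intercept"),
]

if __name__ == "__main__":
    print("within quota:", within_quota(SAMPLE_RULES))
    # Constructed requests: internal client, scanner, admin page, PHP file upload.
    for req in [
        HttpRequest("10.0.0.8", "/admin/login", user_agent="TestScanner/1.0"),
        HttpRequest("203.0.113.5", "/index.html", user_agent="TestScanner/1.0"),
        HttpRequest("203.0.113.9", "/admin/login", user_agent="Mozilla/5.0"),
        HttpRequest("203.0.113.9", "/admin/upload.php", user_agent="Mozilla/5.0"),
    ]:
        print(evaluate(SAMPLE_RULES, req))
```

Running the script shows why observe mode is useful when rolling out a new rule: the "admin-path" rule records every hit without blocking anyone, so the log can be reviewed for false positives before the rule is switched to intercept, while the "php-upload" rule still blocks the same request in intercept mode.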
Rebind EIP
To enable WAF protection for the BLB, you need to unbind the EIP from the Baidu Cloud Compute (BCC) instance and then bind it to the corresponding BLB instance. The specific procedure is as follows:
Note
In this step the EIP has to be unbound, which may interrupt the business. Please schedule the operation so as to reduce the impact on the online business.
Unbind EIP from BCC
- Select "Product Service > Baidu Cloud Compute" to enter the page of BCC instance list.
- Click the name of the instance from which the EIP is to be unbound to enter the instance details page.
- In the "Configuration information" section, click "Unbind EIP", and in the pop-up dialog click "Confirm" to unbind the EIP from the BCC instance.
Bind EIP to BLB
- Select "Product Service > Load Balance" to enter the "BLB Instance List" page.
- Select the BLB instance to which the EIP is to be bound, and click the network symbol in the "Public IP/Bandwidth" column to enter the "Bind EIP" page.
- From the EIP list, select the EIP just unbound from the BCC instance, and click "Confirm" to bind the EIP to the BLB.