          CDN-WAF-Overview

          The Web Application Firewall (WAF) provides application security protection for CDN, defending against common web attacks such as SQL injection, cross-site scripting (XSS), backdoor upload, and unauthorized access. You need to add a domain in CDN for the WAF instance you create; WAF can then provide web protection for your domains.

          Create a CDN WAF Instance

          1. Log in to the Baidu AI Cloud Console.
          2. After logging in, select "Product Service > Web Application Firewall" to enter the WAF list page.
          3. Click [Purchase WAF Instance] and select the configuration information:

          | Parameter | Description |
          |---|---|
          | Region | global |
          | Number of supported root domains | Each WAF instance protects one root domain. |
          | Number of supported subdomains | The package covers the protection of 10 subdomains by default; according to business requirements, you can purchase additional subdomains for protection. |
          | Protocol supported | The package includes two protocol types, HTTP and HTTPS. |
          | Web security protection | The WAF service can automatically update its rules for attack vulnerabilities, including common web attacks and 0day attack rules. |
          | Custom access rules | Custom rules let you control and filter traffic for your own business. Matching is currently supported on the following contents of the HTTP request: "source IP", "URL address", the "Referer" field, the "User-Agent" field, etc. The package supports a maximum of 20 custom rules by default; if you need more rules, purchase additional rules in the console. |

          4. Select the purchase duration and the number of WAF instances, and click [Next]. Confirm the purchase information and complete payment.
          5. After payment, the WAF instance is created. You can return to the list page to view it.

          Associate a CDN Instance

          1. Enter the CDN WAF list page, and click [Configure] in the operation column of the WAF instance.
          2. Fill in the "root domain" and "subdomain" to be protected, and select the bound domain.

            Only main domains that exist in the Baidu AI Cloud CDN domain list can be bound, and only the HTTP/HTTPS protocols are supported. If no domain meets these conditions, go to the console to purchase or reconfigure domains.

          3. Enable the Web protection, and select the protection policy level.

            • The intermediate policy set is enabled by default. The stricter the policies, the stronger the protection. The advanced policy set enables strict protection policies, but false interception may occur; the intermediate policy set is a set of intermediate and low policies; the low policy set applies loose protection policies.
            • Each kind of protection policy has two modes, [Intercept] and [Observe]. Intercept blocks an attack immediately when it is found; Observe records an attack immediately when it is found but does not intercept it.
          4. (Optional) Enable custom access control, click [Add], and use custom rules to control and filter traffic for your own business.

          | Parameter | Description |
          |---|---|
          | Name | Name of the custom access control rule |
          | Match | Content of the HTTP request to match: "source IP", "URL address", the "Referer" field, the "User-Agent" field, etc. |
          | Matched pattern | Select how the string is matched: prefix, include or postfix. |
          | Match string | Enter the string requiring access control. |
          | Executed action | Blacklist or whitelist strings |
          | Pattern | Intercept: immediately block an attack when finding it. Observe: immediately record but not intercept an attack when finding it. |

          5. Click [Confirm Validation], and complete the BLB binding operation.
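
The following is an added example, not Baidu AI Cloud code or its API: a small Python model of the custom access control fields described above (match, matched pattern, match string, executed action, pattern), used to dry-run a rule set against sample requests before moving rules from Observe to Intercept. The field names, in-order evaluation, and whitelist/blacklist precedence are assumptions, and all rules and requests are constructed.

```python
from dataclasses import dataclass

# Match modes named on the page: prefix, include, postfix.
MATCHERS = {
    "prefix": lambda value, s: value.startswith(s),
    "include": lambda value, s: s in value,
    "postfix": lambda value, s: value.endswith(s),
}

@dataclass(frozen=True)
class Rule:
    name: str
    field: str         # "source_ip", "url", "referer" or "user_agent"
    match_mode: str    # key of MATCHERS
    match_string: str
    action: str        # "blacklist" or "whitelist"
    pattern: str       # "intercept" or "observe"

def evaluate(request, rules):
    """Return (verdict, hits). Assumed semantics, not documented product
    behaviour: rules run in order; an observe hit is only recorded; in
    intercept mode a whitelist hit allows and a blacklist hit blocks."""
    hits = []
    for rule in rules:
        value = request.get(rule.field, "")
        if not MATCHERS[rule.match_mode](value, rule.match_string):
            continue
        if rule.pattern == "observe":
            hits.append((rule.name, "observed"))
        elif rule.action == "whitelist":
            return "allow", hits + [(rule.name, "allowed")]
        else:
            return "block", hits + [(rule.name, "blocked")]
    return "allow", hits

# Constructed sample rules and requests (documentation-range addresses).
RULES = [
    Rule("office-allow", "source_ip", "prefix", "203.0.113.", "whitelist", "intercept"),
    Rule("admin-path", "url", "prefix", "/admin", "blacklist", "intercept"),
    Rule("backup-files", "url", "postfix", ".bak", "blacklist", "observe"),
    Rule("scanner-ua", "user_agent", "include", "scanbot", "blacklist", "intercept"),
]
SAMPLES = [
    {"source_ip": "203.0.113.7", "url": "/admin/login", "user_agent": "Mozilla/5.0"},
    {"source_ip": "198.51.100.9", "url": "/admin/login", "user_agent": "Mozilla/5.0"},
    {"source_ip": "198.51.100.9", "url": "/site.bak", "user_agent": "Mozilla/5.0"},
    {"source_ip": "198.51.100.9", "url": "/index.html", "user_agent": "scanbot/1.0"},
]
```

Under these assumptions the first sample shows a broad whitelist shadowing a later blacklist rule, and the third shows an Observe rule recording a hit while the request is still allowed.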

          Bind WAF to a CDN Instance

          1. In the console, select "Content delivery network CDN" to enter the product page, and in the left navigation bar, click "Domain management" to enter the CDN domain management list page.
          2. Click the domain that requires WAF protection to enter the domain details page, and click "Security configuration" in the left navigation bar to enter the WAF configuration page.
          3. Click the button next to the WAF configuration to open the WAF configuration modification interface. In the pop-up window, select "Enable" to enable the WAF protection function.

          The WAF configuration is disabled by default, and can be used only after the user selects "Enable".

          4. In the list of WAF instances, select the WAF instance to be bound, and click "Save" to bind WAF to the CDN instance. If you have not purchased a WAF instance, purchase a CDN WAF instance according to the prompt.

          Note:
          Explanation of the primary domain status: when the list of primary domains displays "Unconfigure", the primary domain is not configured; when the list of primary domains displays bfgdu.com, the primary domains are inconsistent. In both cases, you can use the WAF function only after you complete the configuration. The number of online configured domains is 20. If the domains exceed the configured number, the temporarily unavailable domains need to be deleted.

          5. (Optional) In the pop-up window, click "Manage my WAF instance" to jump to the CDN WAF list page, where you can manage and configure the WAF instance.