Summary
This guide describes how to use JD Cloud Web Application Firewall (WAF) to place a simple website fully behind WAF protection, whether the site runs on JD Cloud, on another public cloud or in an IDC. It covers the following steps:
1 Prepare the environment
1.1 Prepare a web site on JD Cloud
1.2 Purchase a JD Cloud Web Application Firewall instance
2 Configure the Web Application Firewall
2.1 Add the protected website to the WAF instance
2.2 Local verification configuration
2.3 Allow only the WAF back-to-source IPs on the cloud platform
2.4 Modify the domain name resolution configuration
3 Test the protection effect
3.1 Initiate normal access
3.2 Launch simulated attacks
3.3 Analyze the security report
4 Environment cleanup
1 Prepare the environment
1.1 Prepare a web site on JD Cloud
Create a CentOS cloud host on JD Cloud, assign it a public IP, install Nginx, and map the domain name to that IP in the DNS service. The details of the web application are as follows:
# Operating system information
[root@waf-demo ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
# Install the dig command, which shows how a domain name resolves
[root@waf-demo ~]# yum install bind-utils -y
[root@waf-demo ~]# dig -v
DiG 9.9.4-RedHat-9.9.4-72.el7
# Nginx service information
[root@waf-demo ~]# service nginx status
Redirecting to /bin/systemctl status nginx.service
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
...
After mapping the domain name to the public IP, run dig to confirm that the name resolves to an A record pointing at the host (at this stage there is no CNAME yet).
[root@waf-demo ~]$ dig waf-demo.jdcoe.top +trace
...
waf-demo.jdcoe.top. 60 IN A 114.67.85.98
;; Received 63 bytes from 153.99.179.161#53(ns2.jdgslb.com) in 13 ms
Verify from a remote client that the site is reachable over the Internet. Note the Server header: the origin identifies itself as nginx, which is how you will later tell direct access apart from access through the WAF.
MacBook:~ user001$ curl http://waf-demo.jdcoe.top -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Mon, 24 Dec 2018 03:22:21 GMT
Content-Type: text/html
Content-Length: 3700
Last-Modified: Tue, 06 Mar 2018 09:26:21 GMT
Connection: keep-alive
ETag: "5a9e5ebd-e74"
Accept-Ranges: bytes
1.2 Purchase a JD Cloud Web Application Firewall instance
In the JD Cloud console, go to Cloud Security, Web Application Firewall, Package Purchase to open the "Web Application Firewall - Purchase" page, and select the Enterprise Edition package (see the package details for the specifications of each edition).
After the purchase is complete, the new instance appears in the instance management page.
2 Configure Web Application Firewall
Before JD Cloud WAF can protect a website, the following configuration must be completed so that users' HTTP/HTTPS requests are inspected by the WAF before they are forwarded to the web site.
2.1 Add the protected website to the WAF instance
On the Web Application Firewall page, click Website Configuration, then Add Website, and fill in the configuration form.
The parameters are as follows:
- Domain name: the domain name of the website to be protected;
- Protocol: HTTP is selected by default; if the website supports HTTPS, select HTTPS and choose the SSL certificate;
- Server address: the IP address of the origin site;
- Server port: the port the website listens on;
- Has a proxy been used: "No" by default; if requests reach the WAF from another proxy such as Anti-DDoS Pro, select "Yes" so that the WAF takes the client IP from the forwarded headers instead of the TCP peer;
- Load balancing algorithm: when several origin IPs are configured, the WAF distributes the filtered requests to the origins by IP hash or round robin.
Protection is disabled for a newly created website configuration; click the protection configuration link to open the settings page.
On the website protection configuration page, set the web application attack protection status to On with the mode set to protection (block rather than only log), and the protection rule policy level to Strict. Set the CC (HTTP flood) protection status to On with the mode set to normal.
2.2 Local verification configuration
In the website configuration list you can find the CNAME generated for the protected website. For the domain name "waf-demo.jdcoe.top", the generated WAF CNAME is
waf-demo.jdcoe.top-15f08249c274.jdcloudwaf.com.
Pinging the CNAME shows that it currently resolves to the WAF address 101.124.23.163. Treat this address as a test aid only: the CNAME is what the WAF guarantees, and the IP behind it may change.
MacBook:etc user001$ ping waf-demo.jdcoe.top-15f08249c274.jdcloudwaf.com
PING waf-demo.jdcoe.top-15f08249c274.jdcloudwaf.com (101.124.23.163): 56 data bytes
64 bytes from 101.124.23.163: icmp_seq=0 ttl=49 time=57.525 ms
^C
--- waf-demo.jdcoe.top-15f08249c274.jdcloudwaf.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 57.525/57.525/57.525/0.000 ms
The WAF dispatches requests by the Host header, so a request addressed to the CNAME itself or to the bare IP matches no protected website and is answered with "Bad Request":
MacBook:etc user001$ curl waf-demo.jdcoe.top-15f08249c274.jdcloudwaf.com
<h1> Bad Request </h1>MacBook:etc user001$
MacBook:etc user001$ curl 101.124.23.163
<h1> Bad Request </h1>MacBook:etc user001$
To test the WAF before changing public DNS, map the domain name waf-demo.jdcoe.top to the WAF address 101.124.23.163 on the test client. Under Linux and macOS the static mapping file is /etc/hosts:
101.124.23.163 waf-demo.jdcoe.top
Then run "curl waf-demo.jdcoe.top -I" on the client. The Server header is now jfe instead of nginx, showing that the request went through the WAF and was forwarded to the origin.
MacBook:~ user001$ curl waf-demo.jdcoe.top -I
HTTP/1.1 200 OK
Server: jfe
Date: Mon, 24 Dec 2018 07:12:03 GMT
Content-Type: text/html
Content-Length: 3700
Connection: keep-alive
Last-Modified: Tue, 06 Mar 2018 09:26:21 GMT
ETag: "5a9e5ebd-e74"
Accept-Ranges: bytes
The Nginx access log on the origin now shows the request arriving from a WAF back-to-source address (101.124.23.116) rather than from the client. The real client address (117.136.0.210) appears in the last field, which the default Nginx log format fills from the X-Forwarded-For header set by the WAF:
101.124.23.116 - - [24/Dec/2018:15:12:04 +0800] "HEAD / HTTP/1.0" 200 0 "-" "curl/7.54.0" "117.136.0.210"
2.3 Allow only the WAF back-to-source IPs on the cloud platform
Once the WAF is in front of the origin, the origin should accept requests only from the WAF. Otherwise anyone who learns the origin IP (from old DNS records, certificates, or scanning) can bypass the WAF entirely. The initial security group of the cloud host allows any client to reach the website directly.
At this point the origin can still be reached directly by IP with curl:
MacBook:~ user001$ curl 114.67.85.98 -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Mon, 24 Dec 2018 07:20:08 GMT
Content-Type: text/html
Content-Length: 3700
Last-Modified: Tue, 06 Mar 2018 09:26:21 GMT
Connection: keep-alive
ETag: "5a9e5ebd-e74"
Accept-Ranges: bytes
The back-to-source IP ranges used by the JD Cloud WAF at the time of writing are listed below (check the current list in the JD Cloud documentation before applying it):
101.124.31.248/30
101.124.23.116/30
14.116.246.0/29
103.40.15.0/29
Therefore, delete the security group rule that allows all source IPs to reach the website and add rules that allow only the address ranges above. With the modified security group in place,
the website accepts requests only from the WAF and can no longer be accessed directly:
# The origin cannot be reached directly (the connection hangs until interrupted)
MacBook:~ user001$ curl 114.67.85.98 -I
^C
# The origin is still reachable through the WAF
MacBook:~ user001$ curl waf-demo.jdcoe.top -I
HTTP/1.1 200 OK
Server: jfe
Date: Mon, 24 Dec 2018 07:52:19 GMT
Content-Type: text/html
Content-Length: 3700
Connection: keep-alive
Last-Modified: Tue, 06 Mar 2018 09:26:21 GMT
ETag: "5a9e5ebd-e74"
Accept-Ranges: bytes
2.4 Modify the domain name resolution configuration
Finally, change the public DNS record of the domain name. Using JD Cloud's DNS service as an example, replace the A record of waf-demo.jdcoe.top with a CNAME pointing to
waf-demo.jdcoe.top-15f08249c274.jdcloudwaf.com.
Then delete the static mapping added to /etc/hosts in step 2.2 and run dig again; the domain name now resolves through the WAF CNAME.
[root@waf-demo ~]# dig waf-demo.jdcoe.top +trace
...
waf-demo.jdcoe.top. 60 IN CNAME waf-demo.jdcoe.top-15f08249c274.jdcloudwaf.com.
;; Received 107 bytes from 59.37.144.32#53(ns1.jdgslb.com) in 28 ms
3 Test the protection effect
3.1 Initiate normal access
From a client machine, request the page and confirm a normal response; the corresponding entry also appears in the origin's access log.
[root@jdcoe-bastion ~]# curl waf-demo.jdcoe.top/index.html -I
HTTP/1.1 200 OK
Server: jfe
Date: Mon, 24 Dec 2018 08:35:24 GMT
Content-Type: text/html
Content-Length: 3700
Connection: keep-alive
Last-Modified: Tue, 06 Mar 2018 09:26:21 GMT
ETag: "5a9e5ebd-e74"
Accept-Ranges: bytes
Nginx access log on the origin (source is a WAF back-to-source address, the real client 114.67.95.131 is in the X-Forwarded-For field):
101.124.31.248 - - [24/Dec/2018:16:35:24 +0800] "HEAD /index.html HTTP/1.0" 200 0 "-" "curl/7.29.0" "114.67.95.131"
3.2 Launch simulated attacks
The following simulates a sensitive-file read (file read/include) probe by appending the system file path /etc/passwd to the request. Without WAF protection the origin handles the request itself; here Nginx simply returns 404 because the path does not exist, but a vulnerable application could disclose the file:
[root@waf-demo ~]# curl localhost/index.html/etc/passwd -I
HTTP/1.1 404 Not Found
Server: nginx/1.12.2
Date: Mon, 24 Dec 2018 08:37:15 GMT
Content-Type: text/html
Content-Length: 3650
Connection: keep-alive
ETag: "5a9e5ebd-e42"
With the WAF in front, the request is matched by the sensitive-file rules and blocked with 403 Forbidden before it reaches the origin:
[root@jdcoe-bastion ~]# curl waf-demo.jdcoe.top/index.html/etc/passwd -I
HTTP/1.1 403 Forbidden
Server: jfe
Date: Mon, 24 Dec 2018 08:37:22 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
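The log lines in sections 2.2, 3.1 and 3.2 are also what you would use to confirm that the lock-down of section 2.3 holds. The following is an added example, not part of the JD Cloud guide: it parses Nginx access log lines, checks whether the TCP peer is one of the four WAF back-to-source ranges listed above, recovers the real client address from the X-Forwarded-For field only when the request did come through the WAF, and flags sensitive-file probes that reached the origin directly. It assumes the default Nginx "main" log format shipped with CentOS 7 and that the four ranges are complete; the third sample line (203.0.113.7) is constructed to represent an attacker who found the origin IP.

```python
"""Added example (not from the JD Cloud guide): origin-side checks on Nginx
access log lines once the site sits behind the WAF.

Assumptions (not stated on the page): the Nginx 'main' log format shipped with
CentOS 7, whose last field is "$http_x_forwarded_for", and that the WAF
back-to-source ranges are exactly the four listed in section 2.3.
"""
import ipaddress
import re

# Back-to-source ranges listed in section 2.3 of the guide.
WAF_BACK_TO_SOURCE = [ipaddress.ip_network(c) for c in (
    "101.124.31.248/30",
    "101.124.23.116/30",
    "14.116.246.0/29",
    "103.40.15.0/29",
)]

# Path fragments typical of a sensitive-file / traversal probe (illustrative).
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "../", "%2e%2e")

LOG_RE = re.compile(
    r'^(?P<remote>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)


def parse_line(line):
    """Split one access log line into its named fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def from_waf(remote_addr):
    """True when the TCP peer is inside one of the WAF back-to-source ranges."""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in net for net in WAF_BACK_TO_SOURCE)


def client_ip(entry):
    """Real client address: the first X-Forwarded-For hop when the request came
    through the WAF; otherwise the TCP peer itself, because XFF supplied by an
    arbitrary client is attacker-controlled and must not be trusted."""
    if from_waf(entry["remote"]) and entry["xff"] not in ("", "-"):
        return entry["xff"].split(",")[0].strip()
    return entry["remote"]


def analyse(line):
    e = parse_line(line)
    return {
        "via_waf": from_waf(e["remote"]),
        "client": client_ip(e),
        "path": e["path"],
        "sensitive_probe": any(s in e["path"].lower() for s in SENSITIVE_PATHS),
    }


def find_bypass(lines):
    """Entries that reached the origin without passing through the WAF. Any hit
    means the security group still admits traffic from outside the WAF ranges."""
    return [a for a in map(analyse, lines) if not a["via_waf"]]


# Sample input: the two log lines shown in the guide plus one constructed line
# (203.0.113.7) simulating an attacker who found the origin IP and skipped the WAF.
SAMPLE_LOG = [
    '101.124.23.116 - - [24/Dec/2018:15:12:04 +0800] "HEAD / HTTP/1.0" 200 0 "-" "curl/7.54.0" "117.136.0.210"',
    '101.124.31.248 - - [24/Dec/2018:16:35:24 +0800] "HEAD /index.html HTTP/1.0" 200 0 "-" "curl/7.29.0" "114.67.95.131"',
    '203.0.113.7 - - [24/Dec/2018:16:40:01 +0800] "GET /index.html/etc/passwd HTTP/1.1" 404 3650 "-" "curl/7.29.0" "-"',
]

if __name__ == "__main__":
    for a in map(analyse, SAMPLE_LOG):
        print(a)
    print("bypass:", find_bypass(SAMPLE_LOG))
```

Run it against the real access log (one line per call to analyse) after the security group change: find_bypass should return nothing; if it does not, the origin is still reachable around the WAF and the 403 seen in step 3.2 gives no protection to that path.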
3.3 Analyze the security report
JD Cloud WAF blocks illegal HTTP requests according to the configured policy, and the security report shows the source and type of the attacks it blocked. The protection report for the website waf-demo.jdcoe.top is available under the WAF instance in the console.
4 Environment cleanup
This guide uses paid resources: a cloud host, public network bandwidth and the Web Application Firewall instance. If they were purchased with pay-by-configuration billing, delete them when you are done to stop the charges.
Summary
This guide has shown how to put a website behind the Web Application Firewall. The WAF inspects and filters HTTP/HTTPS requests before they reach the origin, and restricting the origin to the WAF back-to-source addresses ensures that it cannot be bypassed, reducing the risk of information leakage through application vulnerabilities.