feat: add aliyun waf deployer

2025-01-23 17:09:05 +08:00 · 2025-01-23 17:09:05 +08:00 · 2a7be1b24d
parent 2965fb2b47
commit 2a7be1b24d
18 changed files with 454 additions and 93 deletions
--- a/README.md
+++ b/README.md
@ -114,22 +114,22 @@ make local.run

 <summary>[展开查看]</summary>

-| 提供商                                  | 备注                                                           |
-| :-------------------------------------- | :------------------------------------------------------------- |
-| 本地部署                                | 可部署到本地服务器                                             |
-| SSH 部署                                | 可部署到远程服务器（通过 SSH+SFTP）                            |
-| Webhook 回调                            | 可部署到 Webhook                                               |
-| [Kubernetes](https://kubernetes.io/)    | 可部署到 Kubernetes Secret                                     |
-| [阿里云](https://www.aliyun.com/)       | 可部署到阿里云 OSS、CDN、DCDN、SLB（CLB/ALB/NLB）、Live 等服务 |
-| [腾讯云](https://cloud.tencent.com/)    | 可部署到腾讯云 COS、CDN、ECDN、EdgeOne、CLB、CSS 等服务        |
-| [百度智能云](https://cloud.baidu.com/)  | 可部署到百度智能云 CDN 等服务                                  |
-| [华为云](https://www.huaweicloud.com/)  | 可部署到华为云 CDN、ELB 等服务                                 |
-| [火山引擎](https://www.volcengine.com/) | 可部署到火山引擎 TOS、CDN、DCDN、CLB、Live 等服务              |
-| [七牛云](https://www.qiniu.com/)        | 可部署到七牛云 CDN、直播云等服务                               |
-| [多吉云](https://www.dogecloud.com/)    | 可部署到多吉云 CDN                                             |
-| [BytePlus](https://www.byteplus.com/)   | 可部署到 BytePlus CDN 等服务                                   |
-| [优刻得](https://www.ucloud.cn/)        | 可部署到优刻得 US3、UCDN 等服务                                |
-| [Edgio](https://edg.io/)                | 可部署到 Edgio Applications 等服务                             |
+| 提供商                                  | 备注                                                                |
+| :-------------------------------------- | :------------------------------------------------------------------ |
+| 本地部署                                | 可部署到本地服务器                                                  |
+| SSH 部署                                | 可部署到远程服务器（通过 SSH+SFTP）                                 |
+| Webhook 回调                            | 可部署到 Webhook                                                    |
+| [Kubernetes](https://kubernetes.io/)    | 可部署到 Kubernetes Secret                                          |
+| [阿里云](https://www.aliyun.com/)       | 可部署到阿里云 OSS、CDN、DCDN、SLB（CLB/ALB/NLB）、WAF、Live 等服务 |
+| [腾讯云](https://cloud.tencent.com/)    | 可部署到腾讯云 COS、CDN、ECDN、EdgeOne、CLB、CSS 等服务             |
+| [百度智能云](https://cloud.baidu.com/)  | 可部署到百度智能云 CDN 等服务                                       |
+| [华为云](https://www.huaweicloud.com/)  | 可部署到华为云 CDN、ELB 等服务                                      |
+| [火山引擎](https://www.volcengine.com/) | 可部署到火山引擎 TOS、CDN、DCDN、CLB、Live 等服务                   |
+| [七牛云](https://www.qiniu.com/)        | 可部署到七牛云 CDN、直播云等服务                                    |
+| [多吉云](https://www.dogecloud.com/)    | 可部署到多吉云 CDN                                                  |
+| [BytePlus](https://www.byteplus.com/)   | 可部署到 BytePlus CDN 等服务                                        |
+| [优刻得](https://www.ucloud.cn/)        | 可部署到优刻得 US3、UCDN 等服务                                     |
+| [Edgio](https://edg.io/)                | 可部署到 Edgio Applications 等服务                                  |

 </details>

--- a/README_EN.md
+++ b/README_EN.md
@ -113,22 +113,22 @@ The following hosting providers are supported:

 <summary>[Fold/Unfold to view ...]</summary>

-| Provider                                        | Remarks                                                                     |
-| :---------------------------------------------- | :-------------------------------------------------------------------------- |
-| Local                                           | Supports deployment to local servers                                        |
-| SSH                                             | Supports deployment to remote servers (via SSH+SFTP)                        |
-| Webhook                                         | Supports deployment to Webhook                                              |
-| [Kubernetes](https://kubernetes.io/)            | Supports deployment to Kubernetes Secret                                    |
-| [Alibaba Cloud](https://www.alibabacloud.com/)  | Supports deployment to Alibaba Cloud OSS, CDN, DCDN, SLB(CLB/ALB/NLB), Live |
-| [Tencent Cloud](https://www.tencentcloud.com/)  | Supports deployment to Tencent Cloud COS, CDN, ECDN, EdgeOne, CLB, CSS      |
-| [Baidu AI Cloud](https://intl.cloud.baidu.com/) | Supports deployment to Baidu AI CLoud CDN                                   |
-| [Huawei Cloud](https://www.huaweicloud.com/)    | Supports deployment to Huawei Cloud CDN, ELB                                |
-| [Volcengine](https://www.volcengine.com/)       | Supports deployment to Volcengine TOS, CDN, DCDN, CLB, Live                 |
-| [Qiniu Cloud](https://www.qiniu.com/)           | Supports deployment to Qiniu Cloud CDN, Pili                                |
-| [Doge Cloud](https://www.dogecloud.com/)        | Supports deployment to Doge Cloud CDN                                       |
-| [BytePlus](https://www.byteplus.com/)           | Supports deployment to BytePlus CDN                                         |
-| [UCloud](https://www.ucloud-global.com/)        | Supports deployment to UCloud US3, UCDN                                     |
-| [Edgio](https://edg.io/)                        | Supports deployment to Edgio Applications                                   |
+| Provider                                        | Remarks                                                                          |
+| :---------------------------------------------- | :------------------------------------------------------------------------------- |
+| Local                                           | Supports deployment to local servers                                             |
+| SSH                                             | Supports deployment to remote servers (via SSH+SFTP)                             |
+| Webhook                                         | Supports deployment to Webhook                                                   |
+| [Kubernetes](https://kubernetes.io/)            | Supports deployment to Kubernetes Secret                                         |
+| [Alibaba Cloud](https://www.alibabacloud.com/)  | Supports deployment to Alibaba Cloud OSS, CDN, DCDN, SLB(CLB/ALB/NLB), WAF, Live |
+| [Tencent Cloud](https://www.tencentcloud.com/)  | Supports deployment to Tencent Cloud COS, CDN, ECDN, EdgeOne, CLB, CSS           |
+| [Baidu AI Cloud](https://intl.cloud.baidu.com/) | Supports deployment to Baidu AI CLoud CDN                                        |
+| [Huawei Cloud](https://www.huaweicloud.com/)    | Supports deployment to Huawei Cloud CDN, ELB                                     |
+| [Volcengine](https://www.volcengine.com/)       | Supports deployment to Volcengine TOS, CDN, DCDN, CLB, Live                      |
+| [Qiniu Cloud](https://www.qiniu.com/)           | Supports deployment to Qiniu Cloud CDN, Pili                                     |
+| [Doge Cloud](https://www.dogecloud.com/)        | Supports deployment to Doge Cloud CDN                                            |
+| [BytePlus](https://www.byteplus.com/)           | Supports deployment to BytePlus CDN                                              |
+| [UCloud](https://www.ucloud-global.com/)        | Supports deployment to UCloud US3, UCDN                                          |
+| [Edgio](https://edg.io/)                        | Supports deployment to Edgio Applications                                        |

 </details>

--- a/go.mod
+++ b/go.mod
@ -57,6 +57,8 @@ require (
 	github.com/alibabacloud-go/tea-oss-sdk v1.1.3 // indirect
 	github.com/alibabacloud-go/tea-oss-utils v1.1.0 // indirect
 	github.com/alibabacloud-go/tea-utils/v2 v2.0.7 // indirect
+	github.com/alibabacloud-go/waf-openapi-20211001 v1.0.0 // indirect
+	github.com/alibabacloud-go/waf-openapi-20211001/v5 v5.0.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/route53 v1.48.1 // indirect
 	github.com/blinkbean/dingtalk v1.1.3 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -123,6 +123,7 @@ github.com/alibabacloud-go/darabonba-encode-util v0.0.2 h1:1uJGrbsGEVqWcWxrS9MyC
 github.com/alibabacloud-go/darabonba-encode-util v0.0.2/go.mod h1:JiW9higWHYXm7F4PKuMgEUETNZasrDM6vqVr/Can7H8=
 github.com/alibabacloud-go/darabonba-map v0.0.2 h1:qvPnGB4+dJbJIxOOfawxzF3hzMnIpjmafa0qOTp6udc=
 github.com/alibabacloud-go/darabonba-map v0.0.2/go.mod h1:28AJaX8FOE/ym8OUFWga+MtEzBunJwQGceGQlvaPGPc=
+github.com/alibabacloud-go/darabonba-openapi v0.1.18/go.mod h1:PB4HffMhJVmAgNKNq3wYbTUlFvPgxJpTzd1F5pTuUsc=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.0/go.mod h1:5JHVmnHvGzR2wNdgaW1zDLQG8kOC4Uec8ubkMogW7OQ=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.2/go.mod h1:5JHVmnHvGzR2wNdgaW1zDLQG8kOC4Uec8ubkMogW7OQ=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.5/go.mod h1:kUe8JqFmoVU7lfBauaDD5taFaW7mBI+xVsyHutYtabg=
@ -130,6 +131,7 @@ github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.10 h1:GEYkMApgpKEVDn6z12DcH
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.10/go.mod h1:26a14FGhZVELuz2cc2AolvW4RHmIO3/HRwsdHhaIPDE=
 github.com/alibabacloud-go/darabonba-signature-util v0.0.7 h1:UzCnKvsjPFzApvODDNEYqBHMFt1w98wC7FOo0InLyxg=
 github.com/alibabacloud-go/darabonba-signature-util v0.0.7/go.mod h1:oUzCYV2fcCH797xKdL6BDH8ADIHlzrtKVjeRtunBNTQ=
+github.com/alibabacloud-go/darabonba-string v1.0.0/go.mod h1:93cTfV3vuPhhEwGGpKKqhVW4jLe7tDpo3LUM0i0g6mA=
 github.com/alibabacloud-go/darabonba-string v1.0.2 h1:E714wms5ibdzCqGeYJ9JCFywE5nDyvIXIIQbZVFkkqo=
 github.com/alibabacloud-go/darabonba-string v1.0.2/go.mod h1:93cTfV3vuPhhEwGGpKKqhVW4jLe7tDpo3LUM0i0g6mA=
 github.com/alibabacloud-go/dcdn-20180115/v3 v3.5.0 h1:EQmKhYju6y38kJ1ZvZROeJG2Q1Wk6hlc8KQrVhvGyaw=
@ -173,6 +175,7 @@ github.com/alibabacloud-go/tea-oss-utils v1.1.0 h1:y65crjjcZ2Pbb6UZtC2deuIZHDVTS
 github.com/alibabacloud-go/tea-oss-utils v1.1.0/go.mod h1:PFCF12e9yEKyBUIn7X1IrF/pNjvxgkHy0CgxX4+xRuY=
 github.com/alibabacloud-go/tea-utils v1.3.1/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE=
 github.com/alibabacloud-go/tea-utils v1.3.6/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE=
+github.com/alibabacloud-go/tea-utils v1.4.3/go.mod h1:KNcT0oXlZZxOXINnZBs6YvgOd5aYp9U67G+E3R8fcQw=
 github.com/alibabacloud-go/tea-utils v1.4.5 h1:h0/6Xd2f3bPE4XHTvkpjwxowIwRCJAJOqY6Eq8f3zfA=
 github.com/alibabacloud-go/tea-utils v1.4.5/go.mod h1:KNcT0oXlZZxOXINnZBs6YvgOd5aYp9U67G+E3R8fcQw=
 github.com/alibabacloud-go/tea-utils/v2 v2.0.0/go.mod h1:U5MTY10WwlquGPS34DOeomUGBB0gXbLueiq5Trwu0C4=
@ -186,6 +189,10 @@ github.com/alibabacloud-go/tea-xml v1.1.1/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCE
 github.com/alibabacloud-go/tea-xml v1.1.2/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
 github.com/alibabacloud-go/tea-xml v1.1.3 h1:7LYnm+JbOq2B+T/B0fHC4Ies4/FofC4zHzYtqw7dgt0=
 github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
+github.com/alibabacloud-go/waf-openapi-20211001 v1.0.0 h1:CJ2vCd/wy3AVDIEkJdD5TJ7urzbbu9+9ruQ9V+WunN4=
+github.com/alibabacloud-go/waf-openapi-20211001 v1.0.0/go.mod h1:UJvk4Yr8upLmocsvWY1GYJGCQ41A8ea8tfaRqV0itBY=
+github.com/alibabacloud-go/waf-openapi-20211001/v5 v5.0.4 h1:Od0KgA73DyG9X2XFwuZZTkDv2pzA6B5mhYapyyca6QE=
+github.com/alibabacloud-go/waf-openapi-20211001/v5 v5.0.4/go.mod h1:DohGoS8BnMxHXghHebtjPP7+GMdxPsRN19T3nn2HcCU=
 github.com/aliyun/alibaba-cloud-sdk-go v1.63.83 h1:YBkf7H5CSgrlb3C1aWcpDt7Vk8UEGFPeD2OOirtt6IM=
 github.com/aliyun/alibaba-cloud-sdk-go v1.63.83/go.mod h1:SOSDHfe1kX91v3W5QiBsWSLqeLxImobbMX1mxrFHsVQ=
 github.com/aliyun/aliyun-oss-go-sdk v3.0.2+incompatible h1:8psS8a+wKfiLt1iVDX79F7Y6wUM49Lcha2FMXt4UM8g=
@ -284,6 +291,7 @@ github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6D
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/clbanning/mxj v1.8.4/go.mod h1:BVjHeAH+rl9rs6f+QIpeRl0tfu10SXn1pUSa5PVGJng=
 github.com/clbanning/mxj/v2 v2.5.5/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s=
+github.com/clbanning/mxj/v2 v2.5.6/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s=
 github.com/clbanning/mxj/v2 v2.7.0 h1:WA/La7UGCanFe5NpHF0Q3DNtnCsVoxbPKuyBNHWRyME=
 github.com/clbanning/mxj/v2 v2.7.0/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
--- a/internal/deployer/providers.go
+++ b/internal/deployer/providers.go
@ -12,6 +12,7 @@ import (
 	providerAliyunLive "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-live"
 	providerAliyunNLB "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-nlb"
 	providerAliyunOSS "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-oss"
+	providerAliyunWAF "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-waf"
 	providerBaiduCloudCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/baiducloud-cdn"
 	providerBytePlusCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/byteplus-cdn"
 	providerDogeCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/dogecloud-cdn"
@ -49,7 +50,7 @@ func createDeployer(options *deployerOptions) (deployer.Deployer, logger.Logger,
 	  NOTICE: If you add new constant, please keep ASCII order.
 	*/
 	switch options.Provider {
-	case domain.DeployProviderTypeAliyunALB, domain.DeployProviderTypeAliyunCDN, domain.DeployProviderTypeAliyunCLB, domain.DeployProviderTypeAliyunDCDN, domain.DeployProviderTypeAliyunLive, domain.DeployProviderTypeAliyunNLB, domain.DeployProviderTypeAliyunOSS:
+	case domain.DeployProviderTypeAliyunALB, domain.DeployProviderTypeAliyunCDN, domain.DeployProviderTypeAliyunCLB, domain.DeployProviderTypeAliyunDCDN, domain.DeployProviderTypeAliyunLive, domain.DeployProviderTypeAliyunNLB, domain.DeployProviderTypeAliyunOSS, domain.DeployProviderTypeAliyunWAF:
 		{
 			access := domain.AccessConfigForAliyun{}
 			if err := maps.Decode(options.ProviderAccessConfig, &access); err != nil {
@ -127,6 +128,15 @@ func createDeployer(options *deployerOptions) (deployer.Deployer, logger.Logger,
 				}, logger)
 				return deployer, logger, err

+			case domain.DeployProviderTypeAliyunWAF:
+				deployer, err := providerAliyunWAF.NewWithLogger(&providerAliyunWAF.AliyunWAFDeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Region:          maps.GetValueAsString(options.ProviderDeployConfig, "region"),
+					InstanceId:      maps.GetValueAsString(options.ProviderDeployConfig, "instanceId"),
+				}, logger)
+				return deployer, logger, err
+
 			default:
 				break
 			}
--- a/internal/domain/provider.go
+++ b/internal/domain/provider.go
@ -85,6 +85,7 @@ const (
 	DeployProviderTypeAliyunLive        = DeployProviderType("aliyun-live")
 	DeployProviderTypeAliyunNLB         = DeployProviderType("aliyun-nlb")
 	DeployProviderTypeAliyunOSS         = DeployProviderType("aliyun-oss")
+	DeployProviderTypeAliyunWAF         = DeployProviderType("aliyun-waf")
 	DeployProviderTypeBaiduCloudCDN     = DeployProviderType("baiducloud-cdn")
 	DeployProviderTypeBytePlusCDN       = DeployProviderType("byteplus-cdn")
 	DeployProviderTypeDogeCloudCDN      = DeployProviderType("dogecloud-cdn")
--- a/internal/pkg/core/deployer/providers/aliyun-alb/aliyun_alb.go
+++ b/internal/pkg/core/deployer/providers/aliyun-alb/aliyun_alb.go
@ -73,22 +73,7 @@ func NewWithLogger(config *AliyunALBDeployerConfig, logger logger.Logger) (*Aliy
 		return nil, xerrors.Wrap(err, "failed to create sdk clients")
 	}

-	aliyunCasRegion := config.Region
-	if aliyunCasRegion != "" {
-		// 阿里云 CAS 服务接入点是独立于 ALB 服务的
-		// 国内版固定接入点：华东一杭州
-		// 国际版固定接入点：亚太东南一新加坡
-		if !strings.HasPrefix(aliyunCasRegion, "cn-") {
-			aliyunCasRegion = "ap-southeast-1"
-		} else {
-			aliyunCasRegion = "cn-hangzhou"
-		}
-	}
-	uploader, err := providerCas.New(&providerCas.AliyunCASUploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		AccessKeySecret: config.AccessKeySecret,
-		Region:          aliyunCasRegion,
-	})
+	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
 	if err != nil {
 		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
 	}
@ -446,3 +431,24 @@ func createSdkClients(accessKeyId, accessKeySecret, region string) (*wSdkClients
 		cas: casClient,
 	}, nil
 }
+
+func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
+	casRegion := region
+	if casRegion != "" {
+		// 阿里云 CAS 服务接入点是独立于 ALB 服务的
+		// 国内版固定接入点：华东一杭州
+		// 国际版固定接入点：亚太东南一新加坡
+		if casRegion != "" && !strings.HasPrefix(casRegion, "cn-") {
+			casRegion = "ap-southeast-1"
+		} else {
+			casRegion = "cn-hangzhou"
+		}
+	}
+
+	uploader, err := providerCas.New(&providerCas.AliyunCASUploaderConfig{
+		AccessKeyId:     accessKeyId,
+		AccessKeySecret: accessKeySecret,
+		Region:          casRegion,
+	})
+	return uploader, err
+}
--- a/internal/pkg/core/deployer/providers/aliyun-nlb/aliyun_nlb.go
+++ b/internal/pkg/core/deployer/providers/aliyun-nlb/aliyun_nlb.go
@ -61,22 +61,7 @@ func NewWithLogger(config *AliyunNLBDeployerConfig, logger logger.Logger) (*Aliy
 		return nil, xerrors.Wrap(err, "failed to create sdk client")
 	}

-	aliyunCasRegion := config.Region
-	if aliyunCasRegion != "" {
-		// 阿里云 CAS 服务接入点是独立于 NLB 服务的
-		// 国内版固定接入点：华东一杭州
-		// 国际版固定接入点：亚太东南一新加坡
-		if !strings.HasPrefix(aliyunCasRegion, "cn-") {
-			aliyunCasRegion = "ap-southeast-1"
-		} else {
-			aliyunCasRegion = "cn-hangzhou"
-		}
-	}
-	uploader, err := providerCas.New(&providerCas.AliyunCASUploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		AccessKeySecret: config.AccessKeySecret,
-		Region:          aliyunCasRegion,
-	})
+	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
 	if err != nil {
 		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
 	}
@ -249,3 +234,24 @@ func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliyunNlb.Cl

 	return client, nil
 }
+
+func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
+	casRegion := region
+	if casRegion != "" {
+		// 阿里云 CAS 服务接入点是独立于 NLB 服务的
+		// 国内版固定接入点：华东一杭州
+		// 国际版固定接入点：亚太东南一新加坡
+		if casRegion != "" && !strings.HasPrefix(casRegion, "cn-") {
+			casRegion = "ap-southeast-1"
+		} else {
+			casRegion = "cn-hangzhou"
+		}
+	}
+
+	uploader, err := providerCas.New(&providerCas.AliyunCASUploaderConfig{
+		AccessKeyId:     accessKeyId,
+		AccessKeySecret: accessKeySecret,
+		Region:          casRegion,
+	})
+	return uploader, err
+}
--- a/internal/pkg/core/deployer/providers/aliyun-waf/aliyun_waf.go
+++ b/internal/pkg/core/deployer/providers/aliyun-waf/aliyun_waf.go
@ -0,0 +1,150 @@
+package aliyunwaf
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	aliyunOpen "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	"github.com/alibabacloud-go/tea/tea"
+	aliyunWaf "github.com/alibabacloud-go/waf-openapi-20211001/v5/client"
+	xerrors "github.com/pkg/errors"
+
+	"github.com/usual2970/certimate/internal/pkg/core/deployer"
+	"github.com/usual2970/certimate/internal/pkg/core/logger"
+	"github.com/usual2970/certimate/internal/pkg/core/uploader"
+	providerCas "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/aliyun-cas"
+)
+
+type AliyunWAFDeployerConfig struct {
+	// 阿里云 AccessKeyId。
+	AccessKeyId string `json:"accessKeyId"`
+	// 阿里云 AccessKeySecret。
+	AccessKeySecret string `json:"accessKeySecret"`
+	// 阿里云地域。
+	Region string `json:"region"`
+	// 阿里云 WAF 实例 ID。
+	InstanceId string `json:"instanceId"`
+}
+
+type AliyunWAFDeployer struct {
+	config      *AliyunWAFDeployerConfig
+	logger      logger.Logger
+	sdkClient   *aliyunWaf.Client
+	sslUploader uploader.Uploader
+}
+
+var _ deployer.Deployer = (*AliyunWAFDeployer)(nil)
+
+func New(config *AliyunWAFDeployerConfig) (*AliyunWAFDeployer, error) {
+	return NewWithLogger(config, logger.NewNilLogger())
+}
+
+func NewWithLogger(config *AliyunWAFDeployerConfig, logger logger.Logger) (*AliyunWAFDeployer, error) {
+	if config == nil {
+		return nil, errors.New("config is nil")
+	}
+
+	if logger == nil {
+		return nil, errors.New("logger is nil")
+	}
+
+	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret, config.Region)
+	if err != nil {
+		return nil, xerrors.Wrap(err, "failed to create sdk client")
+	}
+
+	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
+	if err != nil {
+		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
+	}
+
+	return &AliyunWAFDeployer{
+		logger:      logger,
+		config:      config,
+		sdkClient:   client,
+		sslUploader: uploader,
+	}, nil
+}
+
+func (d *AliyunWAFDeployer) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
+	if d.config.InstanceId == "" {
+		return nil, errors.New("config `instanceId` is required")
+	}
+
+	// 上传证书到 CAS
+	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
+	if err != nil {
+		return nil, xerrors.Wrap(err, "failed to upload certificate file")
+	}
+
+	d.logger.Logt("certificate file uploaded", upres)
+
+	// 查询默认 SSL/TLS 设置
+	// REF: https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-describedefaulthttps
+	describeDefaultHttpsReq := &aliyunWaf.DescribeDefaultHttpsRequest{
+		InstanceId: tea.String(d.config.InstanceId),
+		RegionId:   tea.String(d.config.Region),
+	}
+	describeDefaultHttpsResp, err := d.sdkClient.DescribeDefaultHttps(describeDefaultHttpsReq)
+	if err != nil {
+		return nil, xerrors.Wrap(err, "failed to execute sdk request 'waf.DescribeDefaultHttps'")
+	}
+
+	d.logger.Logt("已查询到默认 SSL/TLS 设置", describeDefaultHttpsResp)
+
+	// 修改默认 SSL/TLS 设置
+	// REF: https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-modifydefaulthttps
+	modifyDefaultHttpsReq := &aliyunWaf.ModifyDefaultHttpsRequest{
+		InstanceId:  tea.String(d.config.InstanceId),
+		RegionId:    tea.String(d.config.Region),
+		CertId:      tea.String(upres.CertId),
+		TLSVersion:  describeDefaultHttpsResp.Body.DefaultHttps.TLSVersion,
+		EnableTLSv3: describeDefaultHttpsResp.Body.DefaultHttps.EnableTLSv3,
+	}
+	modifyDefaultHttpsResp, err := d.sdkClient.ModifyDefaultHttps(modifyDefaultHttpsReq)
+	if err != nil {
+		return nil, xerrors.Wrap(err, "failed to execute sdk request 'waf.ModifyDefaultHttps'")
+	}
+
+	d.logger.Logt("已修改默认 SSL/TLS 设置", modifyDefaultHttpsResp)
+
+	return &deployer.DeployResult{}, nil
+}
+
+func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliyunWaf.Client, error) {
+	config := &aliyunOpen.Config{
+		AccessKeyId:     tea.String(accessKeyId),
+		AccessKeySecret: tea.String(accessKeySecret),
+		Endpoint:        tea.String(fmt.Sprintf("wafopenapi.%s.aliyuncs.com", region)),
+	}
+
+	client, err := aliyunWaf.NewClient(config)
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
+
+func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
+	casRegion := region
+	if casRegion != "" {
+		// 阿里云 CAS 服务接入点是独立于 WAF 服务的
+		// 国内版固定接入点：华东一杭州
+		// 国际版固定接入点：亚太东南一新加坡
+		if casRegion != "" && !strings.HasPrefix(casRegion, "cn-") {
+			casRegion = "ap-southeast-1"
+		} else {
+			casRegion = "cn-hangzhou"
+		}
+	}
+
+	uploader, err := providerCas.New(&providerCas.AliyunCASUploaderConfig{
+		AccessKeyId:     accessKeyId,
+		AccessKeySecret: accessKeySecret,
+		Region:          casRegion,
+	})
+	return uploader, err
+}
--- a/internal/pkg/core/deployer/providers/aliyun-waf/aliyun_waf_test.go
+++ b/internal/pkg/core/deployer/providers/aliyun-waf/aliyun_waf_test.go
@ -0,0 +1,80 @@
+package aliyunwaf_test
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"os"
+	"strings"
+	"testing"
+
+	provider "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-waf"
+)
+
+var (
+	fInputCertPath   string
+	fInputKeyPath    string
+	fAccessKeyId     string
+	fAccessKeySecret string
+	fRegion          string
+	fInstanceId      string
+)
+
+func init() {
+	argsPrefix := "CERTIMATE_DEPLOYER_ALIYUNWAF_"
+
+	flag.StringVar(&fInputCertPath, argsPrefix+"INPUTCERTPATH", "", "")
+	flag.StringVar(&fInputKeyPath, argsPrefix+"INPUTKEYPATH", "", "")
+	flag.StringVar(&fAccessKeyId, argsPrefix+"ACCESSKEYID", "", "")
+	flag.StringVar(&fAccessKeySecret, argsPrefix+"ACCESSKEYSECRET", "", "")
+	flag.StringVar(&fRegion, argsPrefix+"REGION", "", "")
+	flag.StringVar(&fInstanceId, argsPrefix+"INSTANCEID", "", "")
+}
+
+/*
+Shell command to run this test:
+
+	go test -v ./aliyun_waf_test.go -args \
+	--CERTIMATE_DEPLOYER_ALIYUNWAF_INPUTCERTPATH="/path/to/your-input-cert.pem" \
+	--CERTIMATE_DEPLOYER_ALIYUNWAF_INPUTKEYPATH="/path/to/your-input-key.pem" \
+	--CERTIMATE_DEPLOYER_ALIYUNWAF_ACCESSKEYID="your-access-key-id" \
+	--CERTIMATE_DEPLOYER_ALIYUNWAF_ACCESSKEYSECRET="your-access-key-secret" \
+	--CERTIMATE_DEPLOYER_ALIYUNOSS_REGION="cn-hangzhou" \
+	--CERTIMATE_DEPLOYER_ALIYUNWAF_INSTANCEID="your-waf-instance-id"
+*/
+func TestDeploy(t *testing.T) {
+	flag.Parse()
+
+	t.Run("Deploy", func(t *testing.T) {
+		t.Log(strings.Join([]string{
+			"args:",
+			fmt.Sprintf("INPUTCERTPATH: %v", fInputCertPath),
+			fmt.Sprintf("INPUTKEYPATH: %v", fInputKeyPath),
+			fmt.Sprintf("ACCESSKEYID: %v", fAccessKeyId),
+			fmt.Sprintf("ACCESSKEYSECRET: %v", fAccessKeySecret),
+			fmt.Sprintf("REGION: %v", fRegion),
+			fmt.Sprintf("INSTANCEID: %v", fInstanceId),
+		}, "\n"))
+
+		deployer, err := provider.New(&provider.AliyunWAFDeployerConfig{
+			AccessKeyId:     fAccessKeyId,
+			AccessKeySecret: fAccessKeySecret,
+			Region:          fRegion,
+			InstanceId:      fInstanceId,
+		})
+		if err != nil {
+			t.Errorf("err: %+v", err)
+			return
+		}
+
+		fInputCertData, _ := os.ReadFile(fInputCertPath)
+		fInputKeyData, _ := os.ReadFile(fInputKeyPath)
+		res, err := deployer.Deploy(context.Background(), string(fInputCertData), string(fInputKeyData))
+		if err != nil {
+			t.Errorf("err: %+v", err)
+			return
+		}
+
+		t.Logf("ok: %v", res)
+	})
+}
--- a/internal/pkg/core/deployer/providers/qiniu-pili/qiniu_pili_test.go
+++ b/internal/pkg/core/deployer/providers/qiniu-pili/qiniu_pili_test.go
@ -34,7 +34,7 @@ func init() {
 /*
 Shell command to run this test:

-	go test -v ./qiniu_cdn_test.go -args \
+	go test -v ./qiniu_pili_test.go -args \
 	--CERTIMATE_DEPLOYER_QINIUPILI_INPUTCERTPATH="/path/to/your-input-cert.pem" \
 	--CERTIMATE_DEPLOYER_QINIUPILI_INPUTKEYPATH="/path/to/your-input-key.pem" \
 	--CERTIMATE_DEPLOYER_QINIUPILI_ACCESSKEY="your-access-key" \
--- a/ui/src/components/workflow/node/DeployNodeConfigForm.tsx
+++ b/ui/src/components/workflow/node/DeployNodeConfigForm.tsx
@ -22,6 +22,7 @@ import DeployNodeConfigFormAliyunDCDNConfig from "./DeployNodeConfigFormAliyunDC
 import DeployNodeConfigFormAliyunLiveConfig from "./DeployNodeConfigFormAliyunLiveConfig";
 import DeployNodeConfigFormAliyunNLBConfig from "./DeployNodeConfigFormAliyunNLBConfig";
 import DeployNodeConfigFormAliyunOSSConfig from "./DeployNodeConfigFormAliyunOSSConfig";
+import DeployNodeConfigFormAliyunWAFConfig from "./DeployNodeConfigFormAliyunWAFConfig";
 import DeployNodeConfigFormBaiduCloudCDNConfig from "./DeployNodeConfigFormBaiduCloudCDNConfig";
 import DeployNodeConfigFormBytePlusCDNConfig from "./DeployNodeConfigFormBytePlusCDNConfig";
 import DeployNodeConfigFormDogeCloudCDNConfig from "./DeployNodeConfigFormDogeCloudCDNConfig";
@ -133,6 +134,8 @@ const DeployNodeConfigForm = forwardRef<DeployNodeConfigFormInstance, DeployNode
          return <DeployNodeConfigFormAliyunNLBConfig {...nestedFormProps} />;
        case DEPLOY_PROVIDERS.ALIYUN_OSS:
          return <DeployNodeConfigFormAliyunOSSConfig {...nestedFormProps} />;
+        case DEPLOY_PROVIDERS.ALIYUN_WAF:
+          return <DeployNodeConfigFormAliyunWAFConfig {...nestedFormProps} />;
        case DEPLOY_PROVIDERS.BAIDUCLOUD_CDN:
          return <DeployNodeConfigFormBaiduCloudCDNConfig {...nestedFormProps} />;
        case DEPLOY_PROVIDERS.BYTEPLUS_CDN:
--- a/ui/src/components/workflow/node/DeployNodeConfigFormAliyunWAFConfig.tsx
+++ b/ui/src/components/workflow/node/DeployNodeConfigFormAliyunWAFConfig.tsx
@ -0,0 +1,79 @@
+import { useTranslation } from "react-i18next";
+import { Form, type FormInstance, Input } from "antd";
+import { createSchemaFieldRule } from "antd-zod";
+import { z } from "zod";
+
+type DeployNodeConfigFormAliyunWAFConfigFieldValues = Nullish<{
+  region: string;
+  instanceId: string;
+}>;
+
+export type DeployNodeConfigFormAliyunWAFConfigProps = {
+  form: FormInstance;
+  formName: string;
+  disabled?: boolean;
+  initialValues?: DeployNodeConfigFormAliyunWAFConfigFieldValues;
+  onValuesChange?: (values: DeployNodeConfigFormAliyunWAFConfigFieldValues) => void;
+};
+
+const initFormModel = (): DeployNodeConfigFormAliyunWAFConfigFieldValues => {
+  return {};
+};
+
+const DeployNodeConfigFormAliyunWAFConfig = ({
+  form: formInst,
+  formName,
+  disabled,
+  initialValues,
+  onValuesChange,
+}: DeployNodeConfigFormAliyunWAFConfigProps) => {
+  const { t } = useTranslation();
+
+  const formSchema = z.object({
+    region: z
+      .string({ message: t("workflow_node.deploy.form.aliyun_waf_region.placeholder") })
+      .nonempty(t("workflow_node.deploy.form.aliyun_waf_region.placeholder"))
+      .trim(),
+    instanceId: z
+      .string({ message: t("workflow_node.deploy.form.aliyun_instance_id.placeholder") })
+      .nonempty(t("workflow_node.deploy.form.aliyun_instance_id.placeholder"))
+      .max(64, t("common.errmsg.string_max", { max: 64 }))
+      .trim(),
+  });
+  const formRule = createSchemaFieldRule(formSchema);
+
+  const handleFormChange = (_: unknown, values: z.infer<typeof formSchema>) => {
+    onValuesChange?.(values);
+  };
+
+  return (
+    <Form
+      form={formInst}
+      disabled={disabled}
+      initialValues={initialValues ?? initFormModel()}
+      layout="vertical"
+      name={formName}
+      onValuesChange={handleFormChange}
+    >
+      <Form.Item
+        name="region"
+        label={t("workflow_node.deploy.form.aliyun_waf_region.label")}
+        rules={[formRule]}
+        tooltip={<span dangerouslySetInnerHTML={{ __html: t("workflow_node.deploy.form.aliyun_waf_region.tooltip") }}></span>}
+      >
+        <Input placeholder={t("workflow_node.deploy.form.aliyun_waf_region.placeholder")} />
+      </Form.Item>
+
+      <Form.Item
+        name="instanceId"
+        label={t("workflow_node.deploy.form.aliyun_waf_instance_id.label")}
+        rules={[formRule]}
+        tooltip={<span dangerouslySetInnerHTML={{ __html: t("workflow_node.deploy.form.aliyun_waf_instance_id.tooltip") }}></span>}
+      >
+        <Input placeholder={t("workflow_node.deploy.form.aliyun_waf_instance_id.placeholder")} />
+      </Form.Item>
+    </Form>
+  );
+};
+
+export default DeployNodeConfigFormAliyunWAFConfig;
--- a/ui/src/domain/provider.ts
+++ b/ui/src/domain/provider.ts
@ -174,6 +174,7 @@ export const DEPLOY_PROVIDERS = Object.freeze({
  ALIYUN_LIVE: `${ACCESS_PROVIDERS.ALIYUN}-live`,
  ALIYUN_NLB: `${ACCESS_PROVIDERS.ALIYUN}-nlb`,
  ALIYUN_OSS: `${ACCESS_PROVIDERS.ALIYUN}-oss`,
+  ALIYUN_WAF: `${ACCESS_PROVIDERS.ALIYUN}-waf`,
  BAIDUCLOUD_CDN: `${ACCESS_PROVIDERS.BAIDUCLOUD}-cdn`,
  BYTEPLUS_CDN: `${ACCESS_PROVIDERS.BYTEPLUS}-cdn`,
  DOGECLOUD_CDN: `${ACCESS_PROVIDERS.DOGECLOUD}-cdn`,
@ -226,6 +227,7 @@ export const deployProvidersMap: Map<DeployProvider["type"] | string, DeployProv
    [DEPLOY_PROVIDERS.ALIYUN_CLB, "common.provider.aliyun.clb"],
    [DEPLOY_PROVIDERS.ALIYUN_ALB, "common.provider.aliyun.alb"],
    [DEPLOY_PROVIDERS.ALIYUN_NLB, "common.provider.aliyun.nlb"],
+    [DEPLOY_PROVIDERS.ALIYUN_WAF, "common.provider.aliyun.waf"],
    [DEPLOY_PROVIDERS.ALIYUN_LIVE, "common.provider.aliyun.live"],
    [DEPLOY_PROVIDERS.TENCENTCLOUD_COS, "common.provider.tencentcloud.cos"],
    [DEPLOY_PROVIDERS.TENCENTCLOUD_CDN, "common.provider.tencentcloud.cdn"],
--- a/ui/src/i18n/locales/en/nls.common.json
+++ b/ui/src/i18n/locales/en/nls.common.json
@ -37,32 +37,33 @@

  "common.provider.acmehttpreq": "Http Request (ACME Proxy)",
  "common.provider.aliyun": "Alibaba Cloud",
-  "common.provider.aliyun.alb": "Alibaba Cloud - Application Load Balancer (ALB)",
-  "common.provider.aliyun.cdn": "Alibaba Cloud - Content Delivery Network (CDN)",
-  "common.provider.aliyun.clb": "Alibaba Cloud - Classic Load Balancer (CLB)",
-  "common.provider.aliyun.dcdn": "Alibaba Cloud - Dynamic Route for Content Delivery Network (DCDN)",
-  "common.provider.aliyun.dns": "Alibaba Cloud - Domain Name Service (DNS)",
+  "common.provider.aliyun.alb": "Alibaba Cloud - ALB (Application Load Balancer)",
+  "common.provider.aliyun.cdn": "Alibaba Cloud - CDN (Content Delivery Network)",
+  "common.provider.aliyun.clb": "Alibaba Cloud - CLB (Classic Load Balancer)",
+  "common.provider.aliyun.dcdn": "Alibaba Cloud - DCDN (Dynamic Route for Content Delivery Network)",
+  "common.provider.aliyun.dns": "Alibaba Cloud - DNS (Domain Name Service)",
  "common.provider.aliyun.live": "Alibaba Cloud - ApsaraVideo Live",
-  "common.provider.aliyun.nlb": "Alibaba Cloud - Network Load Balancer (NLB)",
-  "common.provider.aliyun.oss": "Alibaba Cloud - Object Storage Service (OSS)",
+  "common.provider.aliyun.nlb": "Alibaba Cloud - NLB (Network Load Balancer)",
+  "common.provider.aliyun.oss": "Alibaba Cloud - OSS (Object Storage Service)",
+  "common.provider.aliyun.waf": "Alibaba Cloud - WAF (Web Application Firewall)",
  "common.provider.aws": "AWS",
  "common.provider.aws.route53": "AWS - Route53",
  "common.provider.azure": "Azure",
  "common.provider.azure.dns": "Azure - DNS",
  "common.provider.baiducloud": "Baidu Cloud",
-  "common.provider.baiducloud.cdn": "Baidu Cloud - Content Delivery Network (CDN)",
+  "common.provider.baiducloud.cdn": "Baidu Cloud - CDN (Content Delivery Network)",
  "common.provider.byteplus": "BytePlus",
-  "common.provider.byteplus.cdn": "BytePlus - Content Delivery Network (CDN)",
+  "common.provider.byteplus.cdn": "BytePlus - CDN (Content Delivery Network)",
  "common.provider.cloudflare": "Cloudflare",
  "common.provider.dogecloud": "Doge Cloud",
-  "common.provider.dogecloud.cdn": "Doge Cloud - Content Delivery Network (CDN)",
+  "common.provider.dogecloud.cdn": "Doge Cloud - CDN (Content Delivery Network)",
  "common.provider.edgio": "Edgio",
  "common.provider.edgio.applications": "Edgio - Applications",
  "common.provider.godaddy": "GoDaddy",
  "common.provider.huaweicloud": "Huawei Cloud",
-  "common.provider.huaweicloud.cdn": "Huawei Cloud - Content Delivery Network (CDN)",
-  "common.provider.huaweicloud.dns": "Huawei Cloud - Domain Name Service (DNS)",
-  "common.provider.huaweicloud.elb": "Huawei Cloud - Elastic Load Balance (ELB)",
+  "common.provider.huaweicloud.cdn": "Huawei Cloud - CDN (Content Delivery Network)",
+  "common.provider.huaweicloud.dns": "Huawei Cloud - DNS (Domain Name Service)",
+  "common.provider.huaweicloud.elb": "Huawei Cloud - ELB (Elastic Load Balance)",
  "common.provider.kubernetes": "Kubernetes",
  "common.provider.kubernetes.secret": "Kubernetes - Secret",
  "common.provider.local": "Local deployment",
@ -71,28 +72,28 @@
  "common.provider.ns1": "NS1 (IBM NS1 Connect)",
  "common.provider.powerdns": "PowerDNS",
  "common.provider.qiniu": "Qiniu",
-  "common.provider.qiniu.cdn": "Qiniu - Content Delivery Network (CDN)",
+  "common.provider.qiniu.cdn": "Qiniu - CDN (Content Delivery Network)",
  "common.provider.qiniu.pili": "Qiniu - Pili",
  "common.provider.rainyun": "Rain Yun",
  "common.provider.ssh": "SSH deployment",
  "common.provider.tencentcloud": "Tencent Cloud",
-  "common.provider.tencentcloud.cdn": "Tencent Cloud - Content Delivery Network (CDN)",
-  "common.provider.tencentcloud.clb": "Tencent Cloud - Cloud Load Balancer (CLB)",
-  "common.provider.tencentcloud.cos": "Tencent Cloud - Cloud Object Storage (COS)",
-  "common.provider.tencentcloud.css": "Tencent Cloud - Cloud Streaming Service (CSS)",
-  "common.provider.tencentcloud.dns": "Tencent Cloud - Domain Name Service (DNS)",
-  "common.provider.tencentcloud.ecdn": "Tencent Cloud - Enterprise Content Delivery Network (ECDN)",
+  "common.provider.tencentcloud.cdn": "Tencent Cloud - CDN (Content Delivery Network)",
+  "common.provider.tencentcloud.clb": "Tencent Cloud - CLB (Cloud Load Balancer)",
+  "common.provider.tencentcloud.cos": "Tencent Cloud - COS (Cloud Object Storage)",
+  "common.provider.tencentcloud.css": "Tencent Cloud - CSS (Cloud Streaming Service)",
+  "common.provider.tencentcloud.dns": "Tencent Cloud - DNS (Domain Name Service)",
+  "common.provider.tencentcloud.ecdn": "Tencent Cloud - ECDN (Enterprise Content Delivery Network)",
  "common.provider.tencentcloud.eo": "Tencent Cloud - EdgeOne",
  "common.provider.ucloud": "UCloud",
-  "common.provider.ucloud.ucdn": "UCloud - UCloud Content Delivery Network (UCDN)",
-  "common.provider.ucloud.us3": "UCloud - UCloud Object-based Storage (US3)",
+  "common.provider.ucloud.ucdn": "UCloud - UCDN (UCloud Content Delivery Network)",
+  "common.provider.ucloud.us3": "UCloud - US3 (UCloud Object-based Storage)",
  "common.provider.volcengine": "Volcengine",
-  "common.provider.volcengine.cdn": "Volcengine - Content Delivery Network (CDN)",
-  "common.provider.volcengine.clb": "Volcengine - Cloud Load Balancer (CLB)",
-  "common.provider.volcengine.dcdn": "Volcengine - Dynamic Content Delivery Network (DCDN)",
-  "common.provider.volcengine.dns": "Volcengine - Domain Name Service (DNS)",
+  "common.provider.volcengine.cdn": "Volcengine - CDN (Content Delivery Network)",
+  "common.provider.volcengine.clb": "Volcengine - CLB (Cloud Load Balancer)",
+  "common.provider.volcengine.dcdn": "Volcengine - DCDN (Dynamic Content Delivery Network)",
+  "common.provider.volcengine.dns": "Volcengine - DNS (Domain Name Service)",
  "common.provider.volcengine.live": "Volcengine - Live",
-  "common.provider.volcengine.tos": "Volcengine - Tinder Object Storage (TOS)",
+  "common.provider.volcengine.tos": "Volcengine - TOS (Tinder Object Storage)",
  "common.provider.webhook": "Webhook",
  "common.provider.westcn": "West.cn",

--- a/ui/src/i18n/locales/en/nls.workflow.nodes.json
+++ b/ui/src/i18n/locales/en/nls.workflow.nodes.json
@ -153,6 +153,12 @@
  "workflow_node.deploy.form.aliyun_oss_domain.label": "Alibaba Cloud OSS domain",
  "workflow_node.deploy.form.aliyun_oss_domain.placeholder": "Please enter Alibaba Cloud OSS domain name",
  "workflow_node.deploy.form.aliyun_oss_domain.tooltip": "For more information, see <a href=\"https://oss.console.aliyun.com\" target=\"_blank\">https://oss.console.aliyun.com</a>",
+  "workflow_node.deploy.form.aliyun_waf_region.label": "Alibaba Cloud region",
+  "workflow_node.deploy.form.aliyun_waf_region.placeholder": "Please enter Alibaba Cloud region (e.g. cn-hangzhou)",
+  "workflow_node.deploy.form.aliyun_waf_region.tooltip": "For more information, see <a href=\"https://www.alibabacloud.com/help/en/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-endpoint\" target=\"_blank\">https://www.alibabacloud.com/help/en/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-endpoint</a>",
+  "workflow_node.deploy.form.aliyun_waf_instance_id.label": "Alibaba Cloud WAF instance ID",
+  "workflow_node.deploy.form.aliyun_waf_instance_id.placeholder": "Please enter Alibaba Cloud WAF instance ID",
+  "workflow_node.deploy.form.aliyun_waf_instance_id.tooltip": "For more information, see <a href=\"https://waf.console.aliyun.com\" target=\"_blank\">https://waf.console.aliyun.com</a>",
  "workflow_node.deploy.form.baiducloud_cdn_domain.label": "Baidu Cloud CDN domain",
  "workflow_node.deploy.form.baiducloud_cdn_domain.placeholder": "Please enter Baidu Cloud CDN domain name",
  "workflow_node.deploy.form.baiducloud_cdn_domain.tooltip": "For more information, see <a href=\"https://console.bce.baidu.com/cdn\" target=\"_blank\">https://console.bce.baidu.com/cdn</a>",
--- a/ui/src/i18n/locales/zh/nls.common.json
+++ b/ui/src/i18n/locales/zh/nls.common.json
@ -45,6 +45,7 @@
  "common.provider.aliyun.live": "阿里云 - 视频直播 Live",
  "common.provider.aliyun.nlb": "阿里云 - 网络型负载均衡 NLB",
  "common.provider.aliyun.oss": "阿里云 - 对象存储 OSS",
+  "common.provider.aliyun.waf": "阿里云 - Web 应用防火墙 WAF",
  "common.provider.aws": "AWS",
  "common.provider.aws.route53": "AWS - Route53",
  "common.provider.azure": "Azure",
--- a/ui/src/i18n/locales/zh/nls.workflow.nodes.json
+++ b/ui/src/i18n/locales/zh/nls.workflow.nodes.json
@ -153,6 +153,12 @@
  "workflow_node.deploy.form.aliyun_oss_domain.label": "阿里云 OSS 自定义域名",
  "workflow_node.deploy.form.aliyun_oss_domain.placeholder": "请输入阿里云 OSS 自定义域名",
  "workflow_node.deploy.form.aliyun_oss_domain.tooltip": "这是什么？请参阅 see <a href=\"https://oss.console.aliyun.com\" target=\"_blank\">https://oss.console.aliyun.com</a>",
+  "workflow_node.deploy.form.aliyun_waf_region.label": "阿里云地域",
+  "workflow_node.deploy.form.aliyun_waf_region.placeholder": "请输入阿里云地域（例如：cn-hangzhou）",
+  "workflow_node.deploy.form.aliyun_waf_region.tooltip": "这是什么？请参阅 <a href=\"https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-endpoint\" target=\"_blank\">https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-endpoint</a>",
+  "workflow_node.deploy.form.aliyun_waf_instance_id.label": "阿里云 WAF 实例 ID",
+  "workflow_node.deploy.form.aliyun_waf_instance_id.placeholder": "请输入阿里云 WAF 实例 ID",
+  "workflow_node.deploy.form.aliyun_waf_instance_id.tooltip": "这是什么？请参阅 <a href=\"https://waf.console.aliyun.com\" target=\"_blank\">https://waf.console.aliyun.com</a>",
  "workflow_node.deploy.form.baiducloud_cdn_domain.label": "百度智能云 CDN 加速域名（支持泛域名）",
  "workflow_node.deploy.form.baiducloud_cdn_domain.placeholder": "请输入百度智能云 CDN 加速域名",
  "workflow_node.deploy.form.baiducloud_cdn_domain.tooltip": "这是什么？请参阅 <a href=\"https://console.bce.baidu.com/cdn\" target=\"_blank\">https://console.bce.baidu.com/cdn</a><br><br>泛域名表示形式为：*.example.com",