After you add the domain name of a website to Anti-DDoS Proxy, Anti-DDoS Proxy assigns a CNAME to the website. You must change the DNS record to map the domain name to the CNAME. This way, service traffic can be switched to Anti-DDoS Proxy for protection. This topic describes how to add websites.
Usage notes
Internet Content Provider (ICP) filing must be complete for the domain name of your website that is added to Anti-DDoS Proxy (Chinese Mainland). ICP filing is not required if your website is added to Anti-DDoS Proxy (Outside Chinese Mainland).
Anti-DDoS Proxy (Chinese Mainland) checks the status of ICP filing for protected domain names on a regular basis. If the ICP filing of a domain name becomes invalid, Anti-DDoS Proxy (Chinese Mainland) no longer forwards the traffic of the domain name and displays the "ICP filing for the domain name is not complete. Update the ICP filing status at the earliest opportunity" message on the Website Config page. If the message is displayed and you want to resume traffic forwarding, you must update the ICP filing information for the domain name at the earliest opportunity.
If your origin server is an Alibaba Cloud service, ICP filing requirements for Anti-DDoS Proxy (Chinese Mainland) and the Alibaba Cloud service must be met. Otherwise, forwarding of back-to-origin traffic is affected. For more information, see the documentation of each Alibaba Cloud service on the Alibaba Cloud official website or contact technical support. If the origin server of your website is an Elastic Compute Service (ECS) instance, you must check the instance for ICP filing and access information. For more information, see Check the instance for ICP filing and access information and Overview.
One month after all Anti-DDoS Proxy instances in your Alibaba Cloud account are released, all domain names and port forwarding configurations in Anti-DDoS Proxy are automatically deleted from your Alibaba Cloud account. If you have multiple Anti-DDoS Proxy instances, the domain names and port forwarding configurations are automatically deleted one month after the last instance is released.
Prerequisites
An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.
If you want to add your website to Anti-DDoS Proxy (Chinese Mainland), make sure that ICP filing is complete for the domain name of your website. For more information about ICP filing, see Overview.
Add one or more websites
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.
In the left-side navigation pane, go to Website Config. On the Website Config page, click Add Website.
Note: You can also click Batch Import in the lower part of the page to add multiple websites at a time. To add multiple websites, you must import multiple website configurations at a time by using an XML file. For more information about the file format, see Website configurations in an XML file.
In the Website Config step, configure the parameters and click Next. The following table describes the parameters.
Parameter
Description
Function Plan
The function plan of the Anti-DDoS Proxy instance that you want to use. Valid values: Standard and Enhanced.
Note: You can move the pointer over the icon next to Function Plan to view the differences between the Standard and Enhanced function plans. For more information, see Differences between the Standard and Enhanced function plans.
Instance
The Anti-DDoS Proxy instance that you want to use.
You can associate up to eight instances with a domain name. The instances associated with the domain name must use the same Function Plan.
Websites
The domain name of the website that you want to protect. The domain name must meet the following requirements:
The domain name can contain letters, digits, and hyphens (-). The domain name must start with a letter or a digit.
The domain name can be a wildcard domain name, such as *.aliyundoc.com. If you enter a wildcard domain name, Anti-DDoS Proxy automatically matches all subdomains of the wildcard domain name. If you configure a wildcard domain name and an exact-match domain name, the forwarding rules and mitigation policies of the exact-match domain name take precedence. For example, if you configure *.aliyundoc.com and www.aliyundoc.com, the forwarding rules and mitigation policies of www.aliyundoc.com take precedence.
Note: If you configure a second-level domain name, Anti-DDoS Proxy protects only the second-level domain name. Anti-DDoS Proxy does not protect subdomains of the second-level domain name. If you want to protect a subdomain, configure the subdomain or a wildcard domain name.
You can specify only domain names for this parameter. IP addresses of websites are not supported.
Protocol Type
The type of the protocol that the website uses. Valid values:
HTTP
HTTPS: If the website uses HTTPS, select HTTPS. You must upload an SSL certificate file after you save the website. For more information, see Upload an SSL certificate. You can also configure a custom Transport Layer Security (TLS) policy for the website. For more information, see Configure a custom TLS security policy.
If you select HTTPS, you can click Advanced Settings to configure the following options.
Enable HTTPS Redirection: If the website supports both HTTP and HTTPS, this feature is available. If you enable this feature, all HTTP requests to access the website are redirected to HTTPS requests on the standard port 443.
Important: This feature is available only when both HTTP and HTTPS are selected and Websocket is cleared.
If you access the website over HTTP on a non-standard port and enable this feature, all HTTP requests are redirected to HTTPS requests on the standard port 443.
Enable HTTP Redirection of Back-to-origin Requests: If the website does not support HTTPS, you must enable this feature. If this feature is enabled, all HTTPS requests are redirected to HTTP requests and forwarded to origin servers, and all WebSockets requests are redirected to WebSocket requests and forwarded to origin servers. By default, the requests are redirected over the standard port 80.
Important: If you access the website over HTTPS on a non-standard port and enable this feature, all HTTPS requests are redirected to HTTP requests on the standard port 80.
Enable HTTP/2: After you turn on Enable HTTP/2, clients can access the website through Anti-DDoS Proxy over HTTP/2. Anti-DDoS Proxy still forwards all client requests to origin servers over HTTP/1.1.
Websocket: If you select Websocket, HTTP is automatically selected. You cannot select only Websocket for the Protocol Type parameter.
Websockets: If you select Websockets, HTTPS is automatically selected. You cannot select only Websockets for the Protocol Type parameter.
Server Address
The address type of the origin server. You must enter the address of the origin server. Valid values:
Origin IP Address: the IP address of the origin server. You can enter up to 20 IP addresses. If you enter more than one IP address, separate them with commas (,).
If the origin server is hosted on an ECS instance, enter the public IP address of the ECS instance. If the ECS instance is associated with a Server Load Balancer (SLB) instance, enter the public IP address of the SLB instance.
If the origin server is deployed in data centers or on other clouds, you can run the ping <domain name> command to query the public IP address to which the domain name is resolved and enter the public IP address.
Origin Domain Name: the domain name of the origin server. Select this option when you deploy a proxy service, such as Web Application Firewall (WAF), between the origin server and Anti-DDoS Proxy. You must also enter the address of the proxy. You can enter up to 10 domain names. If you enter more than one domain name, separate them with line breaks.
If you want to use Anti-DDoS Proxy together with WAF, select Origin Domain Name and enter the CNAME that WAF assigns. This provides enhanced protection for the website. For more information, see Protect a website service by using Anti-DDoS Proxy and WAF.
Important: If you enter the default public endpoint of an Object Storage Service (OSS) bucket for Origin Domain Name, a custom domain name must be mapped to the bucket. For more information, see Regions and endpoints and Map custom domain names.
If you enter more than one IP address or domain name, Anti-DDoS Proxy uses IP hash to forward website traffic to the origin servers. After you save the website configurations, you can change the load balancing algorithm. For more information, see Modify the back-to-origin settings for a website.
Server Port
The server port that you specify based on the value of Protocol Type.
If you select HTTP or Websocket, the default port 80 is used.
If you select HTTPS, HTTP/2, or Websockets, the default port 443 is used.
You can specify one or more custom ports. If you specify multiple custom ports, separate the ports with commas (,). Take note of the following limits when you specify custom ports:
The custom ports that you want to specify must be supported by Anti-DDoS Proxy.
Anti-DDoS Proxy instance of the Standard function plan:
HTTP ports: ports 80 and 8080
HTTPS ports: ports 443 and 8443
Anti-DDoS Proxy instance of the Enhanced function plan:
HTTP ports: ports that range from 80 to 65535
HTTPS ports: ports that range from 80 to 65535
You can specify up to 10 custom ports for all websites that are added to your Anti-DDoS Proxy instance. The custom ports include HTTP ports and HTTPS ports.
For example, you want to add Website A and Website B to your Anti-DDoS Proxy instance, Website A provides HTTP services, and Website B provides HTTPS services. If you specify HTTP ports 80 and 8080 for Website A, you can specify up to eight HTTPS ports for Website B.
CNAME Reuse
Specifies whether to enable CNAME reuse. This parameter is available only for Anti-DDoS Proxy (Outside Chinese Mainland).
If more than one website is hosted on the same server, this feature is available. After CNAME reuse is enabled, you need only to map the domain names hosted on the same server to the CNAME that is assigned by Anti-DDoS Proxy (Outside Chinese Mainland). For more information, see Use the CNAME reuse feature.
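The following added example (not part of the original Alibaba Cloud documentation) encodes the Websites and Server Port rules from the table above as a pre-flight check for a configuration you intend to enter or batch import: domain-name syntax, wildcard and IP-address handling, per-plan port sets, and the shared 10-port budget per instance. How repeated ports are counted against that budget is an assumption stated in the code.

```python
import ipaddress
import re
from typing import Dict, List

# Port rules stated on the page for each function plan.
STANDARD_PORTS = {"HTTP": {80, 8080}, "HTTPS": {443, 8443}}
ENHANCED_PORTS = range(80, 65536)   # 80 to 65535 for both HTTP and HTTPS
MAX_CUSTOM_PORTS = 10               # per instance, HTTP and HTTPS combined

# A domain label may contain letters, digits and hyphens and must start with a
# letter or digit. A leading "*." marks a wildcard domain name.
_LABEL = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")


def validate_domain(domain: str) -> List[str]:
    """Problems with a Websites value; an empty list means it is acceptable."""
    name = domain[2:] if domain.startswith("*.") else domain
    try:
        ipaddress.ip_address(name)
        return [f"{domain}: IP addresses are not supported, enter a domain name"]
    except ValueError:
        pass
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return [f"{domain}: labels may contain only letters, digits and hyphens "
                "and must start with a letter or digit"]
    return []


def validate_ports(plan: str, protocol: str, ports: List[int]) -> List[str]:
    """Check each port against the plan's allowed set for HTTP or HTTPS."""
    problems = []
    for port in ports:
        if plan == "Standard":
            allowed = STANDARD_PORTS.get(protocol, set())
            if port not in allowed:
                problems.append(f"{protocol} port {port} is not allowed on the "
                                f"Standard plan (allowed: {sorted(allowed)})")
        elif plan == "Enhanced":
            if port not in ENHANCED_PORTS:
                problems.append(f"{protocol} port {port} is outside 80-65535")
        else:
            problems.append(f"unknown function plan {plan!r}")
    return problems


def validate_instance(plan: str, websites: List[Dict]) -> List[str]:
    """Validate every website of one instance plus the shared port budget.

    Assumption: a port is counted once per protocol however many websites use
    it, so two HTTP sites on port 80 consume a single slot of the ten.
    """
    problems = []
    used = set()
    for site in websites:
        problems += validate_domain(site["domain"])
        problems += validate_ports(plan, site["protocol"], site["ports"])
        used.update((site["protocol"], p) for p in site["ports"])
    if len(used) > MAX_CUSTOM_PORTS:
        problems.append(f"{len(used)} ports configured, but an instance "
                        f"allows at most {MAX_CUSTOM_PORTS}")
    return problems
```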
In the Forwarding Settings step, configure the parameters and click Next. The following table describes the parameters.
Parameter
Description
Enable OCSP Stapling
Specifies whether to enable the Online Certificate Status Protocol (OCSP) stapling feature.
Important: This feature is available only for a website service that supports HTTPS. If HTTPS is selected for Protocol Type, we recommend that you enable this feature.
OCSP is an Internet protocol that is used by a Certificate Authority (CA) to check the revocation status of a certificate. When a client initiates a TLS handshake with a server, the client must obtain the certificate and an OCSP response.
The OCSP stapling feature is disabled by default. In this case, OCSP queries are sent from a browser of the client to a CA. Before the client obtains an OCSP response, subsequent events are blocked. If transient connections or network disconnections occur, a blank page is displayed for a long period of time, and the performance of the website that supports HTTPS is compromised.
If the OCSP stapling feature is enabled, Anti-DDoS Proxy executes OCSP queries and caches the query results for 3,600 seconds. When a client initiates a TLS handshake with the server, Anti-DDoS Proxy returns the OCSP details together with the certificate chain to the client. This prevents blocking issues caused by OCSP queries from the client. Stapling does not introduce security risks because OCSP responses are signed by the CA and cannot be forged.
Traffic Marking
Originating Port
The name of the HTTP header that contains the originating port of the client.
In most cases, the X-Forwarded-ClientSrcPort header is used to record the originating port of the client. If you use a custom header to record the originating port of the client, specify the custom header for Originating Port. After Anti-DDoS Proxy forwards back-to-origin requests to your origin server, your origin server parses the custom header to obtain the originating port of the client. The steps to obtain the originating port of the client are similar to the steps to obtain the originating IP address of the client. For more information, see Obtain the originating IP addresses of requests.
Originating IP Address
The name of the HTTP header that contains the originating IP address of the client.
In most cases, the X-Forwarded-For header is used to record the originating IP address of the client. If you use a custom header to record the originating IP address of the client, specify the custom header for Originating IP Address. After Anti-DDoS Proxy forwards back-to-origin requests to your origin server, your origin server parses the custom header to obtain the originating IP address of the client.
Custom Header
You can add custom HTTP headers to requests that pass Anti-DDoS Proxy to mark the requests. To add custom HTTP headers, specify header names and values. After you create custom headers, Anti-DDoS Proxy adds the custom headers to the back-to-origin requests. This way, the backend servers can perform statistical analysis on the back-to-origin requests.
Do not use the following default headers as custom headers:
X-Forwarded-ClientSrcPort: This header is used to obtain the originating ports of clients that access Anti-DDoS Proxy (a Layer 7 proxy).
X-Forwarded-ProxyPort: This header is used to obtain the ports of listeners that access Anti-DDoS Proxy (a Layer 7 proxy).
X-Forwarded-For: This header is used to obtain the originating IP addresses of clients that access Anti-DDoS Proxy (a Layer 7 proxy).
Do not use standard headers, such as User-Agent. If you use standard headers, the original headers are overwritten.
You can add up to five custom HTTP headers.
Back-to-origin Scheduling Algorithm
The load balancing algorithm for back-to-origin requests. If multiple origin server addresses are configured, this parameter is required. The origin server addresses can be IP addresses or domain names. You can change the load balancing algorithm for back-to-origin requests or specify weights for the server addresses.
IP hash: If you select this option, you can specify weights for the origin servers. The IP hash option allows requests from a specific client to be forwarded to the same origin server within a period of time. This ensures session consistency. You can specify a higher weight for an origin server that has better performance. This way, the high-performance origin server can process more requests, and resource utilization is optimized.
Round-robin: If you select this option, all requests are distributed to the origin servers in turn. By default, all origin servers have the same weight. You can change the weights of the origin servers. The higher the weight of the origin server, the higher the possibility that back-to-origin requests are forwarded to the origin server.
Least time: If you select this option, the system uses intelligent Domain Name System (DNS) resolution and the least-response-time algorithm to reduce latency when requests are forwarded to the origin servers.
Other Settings
Configure New Connection Timeout Period: the timeout period for establishing a connection. If Anti-DDoS Proxy fails to establish a connection to the origin server within the specified timeout period, the connection request fails. Valid values: 1 to 10. Unit: seconds.
Configure Read Connection Timeout Period: the timeout period for processing a read request. If the origin server fails to respond to a read request sent by Anti-DDoS Proxy over the established connection within the specified timeout period, the read request fails. Valid values: 10 to 300. Unit: seconds.
Configure Write Connection Timeout Period: the timeout period for processing a write request. If Anti-DDoS Proxy fails to send all data to the origin server or the origin server fails to start processing the data within the specified timeout period, the write request fails. Valid values: 10 to 300. Unit: seconds.
Retry Back-to-origin Requests: If you turn on the switch and the resource requested by Anti-DDoS Proxy cannot be retrieved from the cache server, the cache server retrieves the resource from the upper-level cache server or the origin server.
Back-to-origin Persistent Connections: If you turn on the switch, the TCP connection between the cache server and the origin server remains active for a period of time. The connection is not closed every time a request is complete. This helps reduce the time and resource required to establish a connection and improve the efficiency and speed of request processing.
Requests Reusing Persistent Connections: the maximum number of HTTP requests that Anti-DDoS Proxy can send to the origin server over a TCP connection. The use of persistent connections helps reduce latency and resource consumption that are caused when you frequently establish and close connections. Valid values: 10 to 1000. We recommend that you specify a value less than or equal to the number of requests reusing persistent connections that is configured on the origin server, such as a WAF or SLB instance. This helps prevent service unavailability due to persistent connection failures.
Timeout Period of Idle Persistent Connections: the timeout period for an idle persistent TCP connection that Anti-DDoS Proxy establishes to the origin server. If data is not transmitted over an open TCP connection in the connection pool of Anti-DDoS Proxy, the TCP connection is considered idle. If no new requests are initiated over the idle TCP connection within the specified timeout period, the connection is closed to release system resources. Valid values: 10 to 30. Unit: seconds. We recommend that you specify a value less than or equal to the timeout period configured on the origin server, such as a WAF or SLB instance. This helps prevent service unavailability due to persistent connection failures.
Upper Limit for HTTP/2 Streams: the maximum number of HTTP/2 streams that are allowed on the server. This feature is available only when HTTP/2 is used. Valid values: 16 to 32. If you want to specify a larger value, contact your account manager.
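The following added example (not code from the original documentation) shows how an origin server can parse the Originating IP Address and Originating Port headers described under Traffic Marking while honouring them only when the request arrives from one of the back-to-origin addresses that the Subsequent configurations section tells you to allowlist. The CIDR block is a constructed placeholder, and the code assumes that Anti-DDoS Proxy, like a standard Layer 7 proxy, appends the observed client address to X-Forwarded-For.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed placeholder: replace with the back-to-origin CIDR blocks shown in
# the Anti-DDoS Proxy console for your instance (the same blocks you allowlist
# on the origin server's firewall).
TRUSTED_PROXY_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]

# Header names as configured under Traffic Marking; these are the page's defaults.
IP_HEADER = "X-Forwarded-For"
PORT_HEADER = "X-Forwarded-ClientSrcPort"


def is_trusted_proxy(ip: str) -> bool:
    """True if ip belongs to one of the allowlisted back-to-origin CIDR blocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_CIDRS)


def client_endpoint(peer_ip: str, headers: Dict[str, str]) -> Tuple[str, Optional[int]]:
    """Return (client_ip, client_port) as the origin server should record them.

    The headers are honoured only when the TCP peer is a trusted back-to-origin
    address. A request that reaches the origin directly, bypassing Anti-DDoS
    Proxy, can carry any header values it likes, so for such peers the socket
    address is reported and the port is unknown.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip, None

    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # X-Forwarded-For is a comma-separated list: entries the client itself sent
    # (possibly forged) come first, and each proxy appends the address it saw.
    # Walk from the right, skipping our own trusted hops; the first address that
    # is not a trusted proxy is the one Anti-DDoS Proxy observed as the client.
    client_ip = peer_ip
    for entry in reversed(hdrs.get(IP_HEADER.lower(), "").split(",")):
        candidate = entry.strip()
        if not candidate or is_trusted_proxy(candidate):
            continue
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: trust nothing to its left, keep the peer address
        client_ip = candidate
        break

    port: Optional[int] = None
    raw_port = hdrs.get(PORT_HEADER.lower(), "").strip()
    if raw_port.isdigit() and 1 <= int(raw_port) <= 65535:
        port = int(raw_port)
    return client_ip, port
```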
Subsequent configurations
Optional. Change the public IP address of an ECS origin server.
If your origin server is an ECS instance and the origin IP address is exposed, you must change the public IP address of the ECS instance. This prevents attackers from bypassing Anti-DDoS Proxy to attack your origin server. For more information, see Change the public IP address of an ECS origin server.
Add back-to-origin CIDR blocks of the Anti-DDoS Proxy instance to the whitelist of the origin server.
If security software, such as a firewall, is installed on the origin server, you must add the back-to-origin IP addresses of the Anti-DDoS Proxy instance to the whitelist of the origin server. This ensures that the traffic from Anti-DDoS Proxy is not blocked by the security software on your origin server. For more information, see Allow back-to-origin IP addresses to access the origin server.
Check whether the forwarding settings take effect on your computer. For more information, see Verify the forwarding configurations on your local computer.
Warning: If you switch your service traffic to Anti-DDoS Proxy before the forwarding settings take effect, your service may be interrupted.
Change DNS records to switch service traffic to Anti-DDoS Proxy.
Anti-DDoS Proxy assigns a CNAME to the website that you added. You must change the DNS record to map the domain name to the CNAME. This way, service traffic can be switched to Anti-DDoS Proxy for protection. For more information, see Map the domain name of a website to a CNAME or an IP address.
Optional. Configure mitigation settings for your website.
By default, Anti-DDoS Global Mitigation Policy and Intelligent Protection are enabled for websites that are added. You can enable more features on the Protection for Website Services tab. For more information, see Protection for website services.
Important: After you enable the HTTP flood mitigation feature, cookies may be inserted. For more information, see Cookie insertion.
Optional. Configure alert rules in CloudMonitor.
CloudMonitor allows you to configure threshold-triggered alert rules for common service metrics and attack events of Anti-DDoS Proxy. The common service metrics include the volume of traffic for an Anti-DDoS Proxy instance and the number of connections for an Anti-DDoS Proxy instance. The traffic and connection metrics can be measured at the IP address level. The attack events include blackhole filtering events and traffic scrubbing events. After you configure a threshold-triggered alert rule, CloudMonitor reports an alert when the rule is triggered. This way, you can handle exceptions and recover your business at the earliest opportunity. For more information, see Use the alert monitoring feature of CloudMonitor.
Optional. Configure the Log Analysis feature.
Anti-DDoS Proxy collects and stores full logs of the website. This way, you can query and analyze the logs that are collected from the website. By default, the Log Analysis feature stores full logs for 180 days. This helps meet the requirements of classified protection. For more information, see Use the log analysis feature.
What to do next
Modify the configuration of a website
You can modify the configurations of one or more websites except the domain names of the websites. For example, you can add the websites to other Anti-DDoS Proxy instances or modify the origin IP addresses. You can modify multiple websites at a time.
If you want to use another Anti-DDoS Proxy instance to protect an added domain name, follow the steps that are described in Add the domain name that is added to an Anti-DDoS Proxy instance to a different Anti-DDoS Proxy instance to make sure that service traffic is forwarded as expected.
Modify a website
On the Website Config page, find the website that you want to modify and click Edit in the Actions column.
On the details page, modify the website except the domain name of the website and click OK.
Modify multiple websites
Click Batch Modify in the lower part of the Website Config page. In the Batch Modify panel, enter the information about the websites and click Next.
In the Import Rule panel, select the websites that you want to import and click OK.
Click Finish to close the Uploaded panel.
Delete website configurations
If a website no longer needs anti-DDoS protection, you can delete the website. Before you perform this operation, you must update the DNS records and make sure that the DNS record values are not any of the following: the Anti-DDoS Proxy instance IP, the CNAME assigned by Anti-DDoS Proxy, or the CNAME assigned by Sec-Traffic Manager. If you do not update the DNS records before you delete the website, services may be interrupted.
On the Website Config page, find the website that you want to delete and click Delete in the Actions column.
In the message that appears, click Delete.
If you use Anti-DDoS Proxy (Chinese Mainland), you can delete multiple websites at a time. Select the websites that you want to delete and click Batch Delete below the website list.
References
To resolve the latency increase issue that occurs during normal service access, you can use Sec-Traffic Manager. If no attacks occur, service traffic is directly forwarded to the origin server without latency increase. If attacks occur, traffic is switched to Anti-DDoS Proxy for scrubbing and forwarding. For more information, see Sec-Traffic Manager.