All Products
Search
Document Center

Anti-DDoS:Allow back-to-origin IP addresses to access the origin server

Last Updated:Aug 30, 2024

After you enable Anti-DDoS Pro or Anti-DDoS Premium, the back-to-origin IP addresses become those of Anti-DDoS Pro or Anti-DDoS Premium. Therefore, if you configure IP address whitelists of security software and security group on your origin server for access control, you need to add the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium to the whitelist. This ensures that the traffic from the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium is not blocked by the security software or group on your origin server. This topic describes how to allow back-to-origin IP addresses to access the origin server.

Background information

Warning

After you add your website service to Anti-DDoS Pro or Anti-DDoS Premium for protection, the inbound traffic is rerouted to Anti-DDoS Pro or Anti-DDoS Premium for scrubbing. Then, Anti-DDoS Pro or Anti-DDoS Premium forwards the service traffic to the origin server. If the back-to-origin IP addresses are not included the whitelist of your security software, the traffic from Anti-DDoS Pro or Anti-DDoS Premium may be blocked. As a result, your website service cannot be accessed.

Anti-DDoS Pro and Anti-DDoS Premium function as reverse proxies and support the Full NAT mode. Before Anti-DDoS Pro or Anti-DDoS Premium is used, the origin server receives requests from the distributed IP addresses of clients. If no attacks are launched against your website service, each source IP address sends a small number of requests. After Anti-DDoS Pro or Anti-DDoS Premium is used, the origin server receives all requests from a limited number of back-to-origin IP addresses. Each IP address forwards a large number of requests. As a result, the back-to-origin IP addresses may be regarded as malicious. If other DDoS mitigation policies are configured on the origin server, the back-to-origin IP addresses may be blocked or subject to rate limiting.

image

For example, the most common 502 error indicates that the origin server does not respond to requests that are forwarded from back-to-origin IP addresses, and the back-to-origin IP addresses may be blocked by the firewall on the origin server.

image

Therefore, we recommend that you add the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium to the whitelist of the security software on your origin server before you change the DNS record to protect your website service.

Procedure

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Provisioning > Website Config.

  4. In the upper-right corner of the Website Config page, click View Back-to-origin CIDR Blocks. In the dialog box that appears, copy the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium.

  5. Add the back-to-origin IP addresses to the whitelist of the security software on your origin server.

References