
Anti-DDoS:Configure a custom TLS security policy

Last Updated:Mar 26, 2024

Anti-DDoS Proxy allows you to configure a custom Transport Layer Security (TLS) policy. After you add your website to Anti-DDoS Proxy, you can select TLS protocol versions and cipher suites and configure SM settings for your website based on your business requirements. This topic describes how to configure a custom TLS security policy.

Default TLS protocol versions

Anti-DDoS Proxy (Chinese Mainland) supports both certificates that use internationally accepted algorithms and SM certificates. Anti-DDoS Proxy (Outside Chinese Mainland) supports only certificates that use internationally accepted algorithms. If you upload a certificate for your website that is protected by Anti-DDoS Proxy, the certificate supports different TLS protocol versions. The following list describes the details:

  • Anti-DDoS Proxy (Chinese Mainland): By default, certificates that use internationally accepted algorithms support TLS 1.0, TLS 1.1, and TLS 1.2, and SM certificates support National Transport Layer Security (NTLS) 1.1.

  • Anti-DDoS Proxy (Outside Chinese Mainland): By default, certificates that use internationally accepted algorithms support TLS 1.1 and TLS 1.2.

Supported TLS protocol versions

If the default configurations cannot meet your business requirements, you can select different TLS protocol versions and cipher suites. The following table describes the TLS protocol versions that you can select for the certificates supported by Anti-DDoS Proxy. For more information about the cipher suites that correspond to different TLS protocol versions, see Procedure.

Anti-DDoS Proxy (Chinese Mainland)

Standard function plan

  • Certificate that uses internationally accepted algorithms:

    • Supports TLS 1.0 and later versions, including TLS 1.0, TLS 1.1, and TLS 1.2

    • Supports TLS 1.2 and later versions, including TLS 1.2

    Note

    If you want to use TLS 1.3 or custom cipher suites, upgrade your instance to the Enhanced function plan. For more information, see Upgrade an instance.

  • SM certificate: You cannot change the TLS protocol versions and cipher suites.

Enhanced function plan

  • Certificate that uses internationally accepted algorithms:

    • Supports TLS 1.0 and later versions, including TLS 1.0, TLS 1.1, and TLS 1.2

    • Supports TLS 1.1 and later versions, including TLS 1.1 and TLS 1.2

    • Supports TLS 1.2 and later versions, including TLS 1.2

    Note

    If you want to use TLS 1.3, you must select Enable TLS 1.3 Support. For more information, see Procedure.

Anti-DDoS Proxy (Outside Chinese Mainland)

Standard function plan

  • Certificate that uses internationally accepted algorithms: You cannot configure custom TLS security policies. You must upgrade your instance to the Enhanced function plan before you can configure custom TLS security policies. For more information, see Upgrade an instance.

Enhanced function plan

  • Certificate that uses internationally accepted algorithms:

    • Supports TLS 1.0 and later versions, including TLS 1.0, TLS 1.1, and TLS 1.2

    • Supports TLS 1.1 and later versions, including TLS 1.1 and TLS 1.2

    • Supports TLS 1.2 and later versions, including TLS 1.2

    Note

    If you want to use TLS 1.3, you must select Enable TLS 1.3 Support. For more information, see Procedure.

Scenarios

For example, you have purchased an Anti-DDoS Proxy (Chinese Mainland) instance of the Enhanced function plan and want to disable TLS 1.0 for one of your services because the service must comply with Payment Card Industry Data Security Standard (PCI DSS) 3.2. In this case, you can change the value of the TLS Versions for SSL Certificate parameter to TLS 1.1 and later. This setting provides good compatibility and medium security. If the devices that access another of your services use TLS 1.3, you can select Enable TLS 1.3 Support.

Prerequisites

  • A website is added to Anti-DDoS Proxy, and HTTPS is selected for Protocol Type. For more information, see Add one or more websites.

  • An SSL certificate is uploaded for the website based on your business requirements. For more information, see Upload an HTTPS certificate.

Procedure

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Provisioning > Website Config.

  4. If you use an Anti-DDoS Proxy (Chinese Mainland) instance, perform the following steps to configure a TLS security policy:

    1. Find the domain name that you want to configure and click TLS Security Settings in the Certificate Status column.

    2. In the TLS Security Settings dialog box, configure the parameters and click OK.

      The dialog box contains the following parameters:

      TLS Versions for SSL Certificate

      Select the TLS versions for your SSL certificate that uses internationally accepted algorithms. Valid values:

      • Valid values in the Standard function plan:

        • TLS 1.0 and later. This setting provides the best compatibility but low security: TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This is the default value.

        • TLS 1.2 and later. This setting provides good compatibility and high security level: TLS 1.2 is supported.

      • Valid values in the Enhanced function plan:

        • TLS 1.0 and later. This setting provides the best compatibility but low security: TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This is the default value.

        • TLS 1.1 and later. This setting provides good compatibility and medium security: TLS 1.1 and TLS 1.2 are supported.

        • TLS 1.2 and later. This setting provides good compatibility and high security level: TLS 1.2 is supported.

        You can select Enable TLS 1.3 Support based on your business requirements.

      Cipher Suites for SSL Certificate

      Select the cipher suites supported by your SSL certificate that uses internationally accepted algorithms. To view the cipher suites that the Enhanced function plan and the Standard function plan support, go to the Anti-DDoS Proxy console. The following options are available for the Enhanced function plan and the Standard function plan:

      Note

      To view the cipher suites that are included in an option, move your pointer over the question mark icon next to the option.

      • All cipher suites. This setting provides low security but high compatibility. This is the default value.

        This option includes the following cipher suites:

        • ECDHE-ECDSA-AES128-GCM-SHA256

        • ECDHE-ECDSA-AES256-GCM-SHA384

        • ECDHE-ECDSA-AES128-SHA256

        • ECDHE-ECDSA-AES256-SHA384

        • ECDHE-RSA-AES128-GCM-SHA256

        • ECDHE-RSA-AES256-GCM-SHA384

        • ECDHE-RSA-AES128-SHA256

        • ECDHE-RSA-AES256-SHA384

        • AES128-GCM-SHA256

        • AES256-GCM-SHA384

        • AES128-SHA256

        • AES256-SHA256

        • ECDHE-ECDSA-AES128-SHA

        • ECDHE-ECDSA-AES256-SHA

        • ECDHE-RSA-AES128-SHA

        • ECDHE-RSA-AES256-SHA

        • AES128-SHA

        • AES256-SHA

        • DES-CBC3-SHA

      • Enhanced cipher suites. This setting provides a very high security level but a very low compatibility.

        This option includes the following cipher suites:

        • ECDHE-ECDSA-AES256-GCM-SHA384

        • ECDHE-ECDSA-AES128-SHA256

        • ECDHE-RSA-AES128-GCM-SHA256

        • ECDHE-RSA-AES256-GCM-SHA384

      • Strong cipher suites. This setting provides a high security level but a low compatibility.

        This option includes the following cipher suites:

        • ECDHE-ECDSA-AES128-GCM-SHA256

        • ECDHE-ECDSA-AES256-GCM-SHA384

        • ECDHE-ECDSA-AES128-SHA256

        • ECDHE-ECDSA-AES256-SHA384

        • ECDHE-RSA-AES128-GCM-SHA256

        • ECDHE-RSA-AES256-GCM-SHA384

        • ECDHE-RSA-AES128-SHA256

        • ECDHE-RSA-AES256-SHA384

        • ECDHE-ECDSA-AES128-SHA

        • ECDHE-ECDSA-AES256-SHA

      • Custom Cipher Suite

        If you select this option, you must select one or more cipher suites from all cipher suites.

      Enable SM Certificate-based Verification

      You can configure this parameter only after you upload an SM certificate. By default, the switch is turned off for the SM certificate that you upload.

      Specify whether Anti-DDoS Proxy (Chinese Mainland) can process requests from clients that use SM certificates.

      If you turn on the switch, Anti-DDoS Proxy (Chinese Mainland) can process requests from 360 Secure Browser and the Haitai browser that use SM certificates.

      • If you turn on Enable SM Certificate-based Verification, Anti-DDoS Proxy (Chinese Mainland) can process requests from clients that use SM certificates.

      • If you turn off Enable SM Certificate-based Verification, Anti-DDoS Proxy (Chinese Mainland) cannot process requests from clients that use SM certificates.

      Before you can turn off Enable SM Certificate-based Verification, you must turn off Allow Access Only from SM Certificate-based Clients.

      Allow Access Only from SM Certificate-based Clients

      Specify whether Anti-DDoS Proxy (Chinese Mainland) processes only requests from clients that use SM certificates. By default, the switch is turned off for an SM certificate that you upload.

      • If you turn on Allow Access Only from SM Certificate-based Clients, Anti-DDoS Proxy (Chinese Mainland) processes only requests from clients that use SM certificates.

      • If you turn off Allow Access Only from SM Certificate-based Clients, Anti-DDoS Proxy (Chinese Mainland) processes requests from clients that use either type of certificate: SM certificates and certificates that use internationally accepted algorithms.

      Before you can turn on Allow Access Only from SM Certificate-based Clients, you must turn on Enable SM Certificate-based Verification.

      SM Cipher Suites for HTTPS Support

      After you upload an SM certificate, the following cipher suites are automatically enabled. You cannot select cipher suites for the SM certificate.

      • ECC-SM2-SM4-CBC-SM3

      • ECC-SM2-SM4-GCM-SM3

      • ECDHE-SM2-SM4-CBC-SM3

      • ECDHE-SM2-SM4-GCM-SM3

  5. If you use an Anti-DDoS Proxy (Outside Chinese Mainland) instance, perform the following steps to configure a TLS security policy:

    Note

    You can configure a custom TLS security policy only for Anti-DDoS Proxy (Outside Chinese Mainland) instances of the Enhanced function plan.

    1. Find the domain name that you want to configure and click TLS Security Settings in the Certificate Status column.

    2. In the TLS Security Settings dialog box, configure the parameters and click OK.

      The dialog box contains the following parameters:

      TLS Versions for SSL Certificate

      Select the TLS versions for your SSL certificate that uses internationally accepted algorithms. Valid values:

      • TLS 1.0 and later. This setting provides the best compatibility but low security: TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This is the default value.

      • TLS 1.1 and later. This setting provides good compatibility and medium security: TLS 1.1 and TLS 1.2 are supported.

      • TLS 1.2 and later. This setting provides good compatibility and high security level: TLS 1.2 is supported.

      You can select Enable TLS 1.3 Support based on your business requirements.

      Cipher Suites for SSL Certificate

      Select the cipher suites supported by your SSL certificate that uses internationally accepted algorithms. Valid values:

      Note

      To view the cipher suites that are included in an option, move your pointer over the question mark icon next to the option.

      • All cipher suites. This setting provides low security but high compatibility. This is the default value.

        This option includes the following cipher suites:

        • ECDHE-ECDSA-AES128-GCM-SHA256

        • ECDHE-ECDSA-AES256-GCM-SHA384

        • ECDHE-ECDSA-AES128-SHA256

        • ECDHE-ECDSA-AES256-SHA384

        • ECDHE-RSA-AES128-GCM-SHA256

        • ECDHE-RSA-AES256-GCM-SHA384

        • ECDHE-RSA-AES128-SHA256

        • ECDHE-RSA-AES256-SHA384

        • AES128-GCM-SHA256

        • AES256-GCM-SHA384

        • AES128-SHA256

        • AES256-SHA256

        • ECDHE-ECDSA-AES128-SHA

        • ECDHE-ECDSA-AES256-SHA

        • ECDHE-RSA-AES128-SHA

        • ECDHE-RSA-AES256-SHA

        • AES128-SHA

        • AES256-SHA

        • DES-CBC3-SHA

      • Strong cipher suites. This setting provides a high security level but low compatibility. This option is available only when TLS Versions for SSL Certificate is set to TLS 1.2 and later.

        This option includes the following cipher suites:

        • ECDHE-ECDSA-AES128-GCM-SHA256

        • ECDHE-ECDSA-AES256-GCM-SHA384

        • ECDHE-ECDSA-AES128-SHA256

        • ECDHE-ECDSA-AES256-SHA384

        • ECDHE-RSA-AES128-GCM-SHA256

        • ECDHE-RSA-AES256-GCM-SHA384

        • ECDHE-RSA-AES128-SHA256

        • ECDHE-RSA-AES256-SHA384

        • ECDHE-ECDSA-AES128-SHA

        • ECDHE-ECDSA-AES256-SHA

      • Custom Cipher Suite

        If you select this option, you must select one or more cipher suites from all cipher suites.

Result

After you configure a custom TLS security policy for your website, Anti-DDoS Proxy forwards requests that are destined for your website based on the TLS security policy. If a client uses a TLS protocol version or cipher suite that is not specified in the TLS policy, the requests that are sent from the client are discarded.
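Because Anti-DDoS Proxy discards handshakes that fall outside the policy, it is worth estimating how many of your current clients a tighter setting would cut off before you change it. The following script is an added example and is not Alibaba Cloud code: it transcribes the TLS Versions for SSL Certificate values and the All, Strong, and Enhanced cipher suite lists from the Anti-DDoS Proxy (Chinese Mainland) parameters above into a small policy model, then runs it over a constructed handshake log to count which connections would be kept or dropped and why. The log format (time, client address, negotiated protocol, negotiated cipher suite), the client addresses, and the treatment of TLS 1.3 handshakes (judged on protocol version only) are assumptions made for the example.

```python
"""Estimate the client impact of a TLS security policy before you tighten it.

Added example, not Alibaba Cloud code. The option names and cipher suite lists
are transcribed from the TLS Security Settings parameters above; the log lines
and their "<time> <client> <version> <cipher>" layout are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Protocol versions accepted by each "TLS Versions for SSL Certificate" value.
TLS_VERSION_OPTIONS = {
    "TLS 1.0 and later": {"TLSv1", "TLSv1.1", "TLSv1.2"},
    "TLS 1.1 and later": {"TLSv1.1", "TLSv1.2"},
    "TLS 1.2 and later": {"TLSv1.2"},
}

# "Strong cipher suites": forward-secret ECDHE suites only.
STRONG_CIPHER_SUITES = frozenset({
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
})
# "Enhanced cipher suites": the smallest set the page lists.
ENHANCED_CIPHER_SUITES = frozenset({
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
})
# "All cipher suites": adds static-RSA and 3DES suites for old clients.
ALL_CIPHER_SUITES = STRONG_CIPHER_SUITES | {
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
}
CIPHER_OPTIONS = {
    "All cipher suites": ALL_CIPHER_SUITES,
    "Strong cipher suites": STRONG_CIPHER_SUITES,
    "Enhanced cipher suites": ENHANCED_CIPHER_SUITES,
}


@dataclass(frozen=True)
class TlsPolicy:
    """The settings from the TLS Security Settings dialog box."""
    tls_versions: str = "TLS 1.0 and later"
    cipher_suites: str = "All cipher suites"   # or "Custom Cipher Suite"
    custom_suites: frozenset = frozenset()     # used with "Custom Cipher Suite"
    enable_tls13: bool = False

    def allowed_versions(self):
        versions = set(TLS_VERSION_OPTIONS[self.tls_versions])
        if self.enable_tls13:
            versions.add("TLSv1.3")
        return versions

    def allowed_suites(self):
        if self.cipher_suites == "Custom Cipher Suite":
            # The page requires the custom selection to come from all cipher suites.
            return self.custom_suites & ALL_CIPHER_SUITES
        return CIPHER_OPTIONS[self.cipher_suites]


def rejection_reason(policy, version, cipher):
    """Return None if the handshake passes the policy, else why it is dropped."""
    if version not in policy.allowed_versions():
        return "version"
    # Assumption: TLS 1.3 handshakes are judged on version only, because TLS 1.3
    # negotiates its own suite names and the page's options list TLS 1.2 suites.
    if version == "TLSv1.3":
        return None
    if cipher not in policy.allowed_suites():
        return "cipher"
    return None


def parse_handshake_log(text):
    """Parse constructed '<time> <client> <version> <cipher>' lines."""
    records = []
    for line in text.strip().splitlines():
        _time, client, version, cipher = line.split()
        records.append((client, version, cipher))
    return records


def impact_report(policy, records):
    """Count how many logged handshakes the policy would keep or discard."""
    reasons = Counter()
    rejected_clients = set()
    for client, version, cipher in records:
        reason = rejection_reason(policy, version, cipher)
        if reason:
            reasons[reason] += 1
            rejected_clients.add(client)
    return {
        "allowed": len(records) - sum(reasons.values()),
        "rejected": sum(reasons.values()),
        "reasons": dict(reasons),
        "rejected_clients": sorted(rejected_clients),
    }


# Constructed sample of what a handshake log behind the proxy might look like.
SAMPLE_LOG = """
2024-03-26T10:00:01Z 203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
2024-03-26T10:00:02Z 203.0.113.11 TLSv1 AES128-SHA
2024-03-26T10:00:03Z 203.0.113.12 TLSv1.1 ECDHE-RSA-AES256-SHA
2024-03-26T10:00:04Z 203.0.113.13 TLSv1.2 DES-CBC3-SHA
2024-03-26T10:00:05Z 203.0.113.14 TLSv1.3 TLS_AES_256_GCM_SHA384
2024-03-26T10:00:06Z 203.0.113.15 TLSv1.2 AES256-GCM-SHA384
"""

if __name__ == "__main__":
    records = parse_handshake_log(SAMPLE_LOG)
    # The PCI DSS 3.2 scenario from the page: drop TLS 1.0, keep TLS 1.1.
    pci = TlsPolicy(tls_versions="TLS 1.1 and later")
    print("TLS 1.1 and later / All cipher suites:", impact_report(pci, records))
    # A stricter policy: TLS 1.2 and later, strong suites, TLS 1.3 enabled.
    strict = TlsPolicy("TLS 1.2 and later", "Strong cipher suites", enable_tls13=True)
    print("TLS 1.2 and later / Strong cipher suites:", impact_report(strict, records))
```

On the sample log, the PCI DSS scenario (TLS 1.1 and later with all cipher suites) drops only the TLS 1.0 client and the TLS 1.3 client, while the stricter policy also drops the TLS 1.1 client and the two TLS 1.2 clients that negotiated non-ECDHE suites. Run the same report over a day of your own handshake records to see which clients need attention before you apply the change; after applying it, a handshake attempted with a version outside the policy should fail, as the Result section describes.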