Anti-DDoS:Allow back-to-origin IP addresses to access the origin server

Last Updated: Feb 22, 2024

If you deploy third-party security software on your origin server, add the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium to the whitelist of the security software before you change the DNS record to protect your website service. This ensures that the traffic from the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium is not blocked by the security software on your origin server. This topic describes how to allow back-to-origin IP addresses to access the origin server.

Background information

Warning

After you add your website service to Anti-DDoS Pro or Anti-DDoS Premium for protection, inbound traffic is rerouted to Anti-DDoS Pro or Anti-DDoS Premium for scrubbing. Anti-DDoS Pro or Anti-DDoS Premium then forwards the service traffic to the origin server. If the back-to-origin IP addresses are not included in the whitelist of your security software, the traffic from Anti-DDoS Pro or Anti-DDoS Premium may be blocked. As a result, your website service cannot be accessed.

Anti-DDoS Pro and Anti-DDoS Premium function as reverse proxies and support the Full NAT mode. Before Anti-DDoS Pro or Anti-DDoS Premium is used, the origin server receives requests directly from the many distributed IP addresses of clients. If no attacks are launched against your website service, each source IP address sends only a small number of requests. After Anti-DDoS Pro or Anti-DDoS Premium is used, the origin server receives all requests from a limited number of back-to-origin IP addresses, and each of these IP addresses forwards a large number of requests. As a result, the back-to-origin IP addresses may be regarded as malicious. If other DDoS mitigation policies are configured on the origin server, the back-to-origin IP addresses may be blocked or subject to rate limiting.


For example, the most common symptom is a 502 error, which indicates that the origin server does not respond to requests forwarded from the back-to-origin IP addresses, possibly because the back-to-origin IP addresses are blocked by the firewall on the origin server.


Therefore, we recommend that you add the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium to the whitelist of the security software on your origin server before you change the DNS record to protect your website service.

Procedure

  1. Log on to the Anti-DDoS Pro console.

  2. In the top navigation bar, select the region of your asset.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.

    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

  3. In the left-side navigation pane, choose Provisioning > Website Config.

  4. In the upper-right corner of the Website Config page, click View Back-to-origin CIDR Blocks. In the dialog box that appears, copy the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium.

  5. Add the back-to-origin IP addresses to the whitelist of the security software on your origin server.
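As an added example that is not part of this topic or of the Anti-DDoS Pro console itself: the Python below takes a CIDR list in the form you copy in step 4 (placeholder documentation ranges here, not real back-to-origin addresses), renders firewall allow rules for step 5, and checks firewall drop logs for blocked back-to-origin addresses, which is the firewall-side cause of the 502 symptom described above. The iptables rule layout and the iptables LOG line format are assumptions about one common origin-server firewall, and the log lines are constructed.

```python
import ipaddress
import re

# Constructed placeholder CIDR blocks standing in for the list copied from
# "View Back-to-origin CIDR Blocks" in the console; documentation ranges,
# not real Anti-DDoS Pro or Anti-DDoS Premium addresses.
CIDR_LIST_FROM_CONSOLE = """
# back-to-origin CIDR blocks (placeholder values)
203.0.113.0/24
198.51.100.0/25
2001:db8:1::/48
"""

# Constructed sample firewall log lines in iptables LOG format.
SAMPLE_FIREWALL_LOG = [
    "Feb 22 10:01:02 origin kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=443",
    "Feb 22 10:01:03 origin kernel: DROP IN=eth0 SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP DPT=443",
]

def parse_cidr_list(text):
    """One CIDR block per line; blank lines and '#' comments are ignored.
    A malformed entry raises ValueError rather than silently dropping a block."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def is_back_to_origin(ip, nets):
    """True if ip lies inside any back-to-origin block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def allow_rules(nets, port=443):
    """Render iptables/ip6tables ACCEPT rules for the service port, inserted (-I)
    ahead of any rate-limit or DDoS-mitigation rules that would otherwise see
    every request arriving from a handful of addresses."""
    return [f"{'ip6tables' if net.version == 6 else 'iptables'} "
            f"-I INPUT -p tcp --dport {port} -s {net} -j ACCEPT" for net in nets]

def blocked_back_to_origin(log_lines, nets):
    """Return the dropped SRC addresses in firewall DROP log lines that belong to
    a back-to-origin block. A non-empty result is the firewall-side cause of the
    502 symptom: the origin never sees the forwarded requests."""
    hits = []
    for line in log_lines:
        m = re.search(r"\bSRC=(\S+)", line)
        if m and is_back_to_origin(m.group(1), nets) and m.group(1) not in hits:
            hits.append(m.group(1))
    return hits
```

Run the check against your real firewall log after the DNS change; any address it reports must be added to the whitelist before the 502 errors stop.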