
Anti-DDoS:Add a website configuration

Last Updated: Nov 24, 2025

After you add a website domain name to Anti-DDoS Pro and Anti-DDoS Premium, a CNAME is generated for the website. You must point the DNS record of the domain name to the CNAME. This allows Anti-DDoS Pro and Anti-DDoS Premium to forward service traffic and protect the website from DDoS attacks. This topic describes how to add a website configuration.

Usage notes

  • Websites added to Anti-DDoS Pro and Anti-DDoS Premium (the Chinese mainland) must have an ICP filing. Websites added to Anti-DDoS Pro and Anti-DDoS Premium (outside the Chinese mainland) do not have this requirement.

    Note
    • Anti-DDoS Pro and Anti-DDoS Premium (the Chinese mainland) regularly checks the ICP filing status of protected domain names. If the ICP filing for a domain name becomes invalid, the service stops forwarding traffic for that domain name. The message "The domain name has not completed ICP filing. Update the ICP filing status as soon as possible." appears on the Website Config page. To resume traffic forwarding, you must update the ICP filing information for the domain name.

    • If your origin server is an Alibaba Cloud service, you must meet the ICP filing requirements for both Anti-DDoS Pro and Anti-DDoS Premium (the Chinese mainland) and the origin Alibaba Cloud service. Otherwise, back-to-origin traffic forwarding will be affected. For more information, see the official documentation for each Alibaba Cloud service or contact the helpdesk. For example, if your origin server is an ECS instance, you must complete the ICP filing for the ECS instance. For more information, see Check the filing server and ICP filing process.

  • The domain names and port forwarding configurations are automatically deleted one month after all Anti-DDoS Proxy instances under your Alibaba Cloud account are released. If you have multiple Anti-DDoS Proxy instances, the domain names and port forwarding configurations are automatically deleted one month after the last instance is released.

Prerequisites

  • An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance is purchased. For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

  • To add a website to an Anti-DDoS Pro or Anti-DDoS Premium instance in the Chinese mainland, make sure that the ICP filing for the website domain name is complete.

Add a website configuration

  1. Log on to the Website Config page in the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

  3. On the Website Config page, click Add Website.

    Note

    You can also click Batch Import at the bottom of the page to import website configurations in batches from an XML file. For more information about the file format, see Other operations.

    1. Enter the access information for the website and click Next.

      Configuration item

      Description

      Function Plan

      Select the function plan of the Anti-DDoS Pro or Anti-DDoS Premium instance that you want to associate. Options: Standard and Enhanced.

      Note

      You can hover over the Description of Function Plan icon next to Function Plan to view the differences in features between the Standard and Enhanced function plans. For more information, see Differences between the Standard and Enhanced function plans.

      Instance

      Select the Anti-DDoS Pro or Anti-DDoS Premium instance to associate.

      You can associate a domain name with up to eight instances. The instances must use the same Function Plan.

      Websites

      Enter the domain name of the website that you want to protect. The domain name must meet the following requirements:

      • The domain name can contain letters (a to z and A to Z), digits (0 to 9), and hyphens (-). The domain name must start with a letter or a digit.

      • You can enter a wildcard domain name, such as *.aliyundoc.com. If you enter a wildcard domain name, Anti-DDoS Pro and Anti-DDoS Premium automatically matches the subdomains of the wildcard domain name.

      Note
      • If both a wildcard domain name and an exact-match domain name are configured, such as *.aliyundoc.com and www.aliyundoc.com, Anti-DDoS Pro and Anti-DDoS Premium prioritizes the forwarding rules and mitigation policies that are configured for the exact-match domain name, which is www.aliyundoc.com.

      • If you enter a first-level domain name, Anti-DDoS Pro and Anti-DDoS Premium protects only the first-level domain name. It does not protect subdomains such as second-level domains. If you want to protect a second-level domain, enter the second-level domain or a wildcard domain name.

      • You can specify only domain names. Website IP addresses are not supported.
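The following is an added example (not Alibaba Cloud code) that checks a value for the Websites field against the requirements above and resolves which configured entry applies to a request host when a wildcard and an exact-match entry overlap; the per-label application of the character rule, the leading-only wildcard, and the "longest wildcard wins" tie-break are assumptions, not rules stated on this page.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Added example, not Alibaba Cloud code: checks a domain name against the
# requirements listed above and resolves which configured entry applies to a
# request host when wildcard and exact-match entries overlap.

# Page rule: letters, digits and hyphens, starting with a letter or a digit.
# Applied per DNS label (assumption); an empty label fails the match.
_LABEL = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")


def validate_website(name: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a value typed into the Websites field."""
    name = name.strip()
    if not name:
        return False, "empty domain name"
    try:
        ipaddress.ip_address(name)          # IPv4 literals would pass the label rule
        return False, "website IP addresses are not supported; enter a domain name"
    except ValueError:
        pass
    if name.startswith("*."):
        body = name[2:]                     # wildcard such as *.aliyundoc.com
    elif "*" in name:
        return False, "a wildcard is only accepted as a leading '*.' label (assumption)"
    else:
        body = name
    for label in body.split("."):
        if not _LABEL.match(label):
            return False, f"invalid label {label!r}: use letters, digits and hyphens, starting with a letter or digit"
    return True, ""


def select_config(host: str, configured: List[str]) -> Optional[str]:
    """Return the configured entry whose forwarding rules apply to `host`, or None.

    The exact-match entry wins over a wildcard (www.aliyundoc.com before
    *.aliyundoc.com, as the Note above states). Assumptions: a wildcard covers
    subdomains at any depth but not the bare domain itself, and when several
    wildcards match, the longest one is the most specific.
    """
    host = host.strip().lower().rstrip(".")
    entries = [c.strip().lower() for c in configured]
    if host in entries:
        return host
    wildcards = sorted((e for e in entries if e.startswith("*.")), key=len, reverse=True)
    for entry in wildcards:
        suffix = entry[1:]                  # "*.aliyundoc.com" -> ".aliyundoc.com"
        if host.endswith(suffix) and len(host) > len(suffix):
            return entry
    return None
```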

      Protocol Type

      Select the protocol that the website supports. Options:

      • HTTP: selected by default.

      • HTTPS: If the website supports HTTPS encryption and authentication, select this protocol and complete the following configurations.

        Upload an HTTPS certificate that uses internationally accepted algorithms

        Upload a certificate to allow Anti-DDoS Pro and Anti-DDoS Premium to scrub HTTPS service traffic.

        • Upload: Specify Certificate Name, then paste the certificate file content to the Certificate File field, and the private key file content to the Private Key field.

          Note
          • If the certificate file is in PEM, CER, or CRT format, open it in a text editor and copy the content. For other formats like PFX or P7B, convert the file to PEM format first, then copy the content. For information about how to convert the format of a certificate file, see Convert the format of a certificate or How do I convert an SSL certificate to the PEM format?

          • If the file includes multiple certificates (like a certificate chain), concatenate their contents and paste the combined content into the Certificate File field.

        • Select Existing Certificate: If you have applied for a certificate from Certificate Management Service (Original SSL Certificate) or have uploaded a certificate to Certificate Management Service, you can directly select the certificate.

        Custom TLS security policy

        For more information, see Configure a TLS security policy for an HTTPS certificate.

        1. TLS Versions for SSL Certificate:

          Select the TLS versions that the certificate that uses internationally accepted algorithms supports. Options:

          • TLS 1.0 and later: supports TLS 1.0, TLS 1.1, and TLS 1.2. This setting provides the best compatibility but low security.

          • TLS 1.1 and later: supports TLS 1.1 and TLS 1.2. This setting provides good compatibility and medium security.

          • TLS 1.2 and later: supports TLS 1.2. This setting provides good compatibility and a high security level.

          You can also select Enable TLS 1.3 as needed.

        2. Cipher Suites for SSL Certificate:

          Select the cipher suites that the certificate that uses internationally accepted algorithms supports, or select a custom cipher suite. You can move the pointer over the question mark icon on a cipher suite option to view the cipher suites included in the option.

        Enable Mutual Authentication

        To perform TLS mutual authentication between the client and Anti-DDoS Pro and Anti-DDoS Premium, upload the root CA certificate or intermediate CA certificate that issued the client certificate to Anti-DDoS Pro and Anti-DDoS Premium. Both CA certificates issued by Alibaba Cloud and CA certificates not issued by Alibaba Cloud are supported.

        • Issued by Alibaba Cloud: In the Default CA Certificate drop-down list, select a CA certificate that is issued by Alibaba Cloud Certificate Management Service (Original SSL Certificate).

        • Not Issued by Alibaba Cloud:

          1. Upload the self-signed CA certificate to Certificate Management Service (Original SSL Certificate). For more information, see Upload a certificate to a repository (upload a certificate).

          2. In the Default CA Certificate drop-down list, select the uploaded self-signed CA certificate.

        Enable OCSP Stapling

        Specifies whether to enable the Online Certificate Status Protocol (OCSP) feature. We recommend that you enable this feature.

        OCSP is an Internet protocol used to send a query request to the Certificate Authority (CA) that issued a server certificate to check whether the certificate is revoked. During a TLS handshake, a client must obtain both the certificate and the corresponding OCSP response.

        • Disabled (default): The client browser sends an OCSP query to the CA. This blocks subsequent events until the client receives the OCSP response. If the network condition is poor, this may cause a long period of page loading latency and decrease HTTPS performance.

        • Enabled: Anti-DDoS Pro and Anti-DDoS Premium performs the OCSP query and caches the query result for 3,600 seconds. When a client sends a TLS handshake request to the server, Anti-DDoS Pro and Anti-DDoS Premium sends the OCSP information of the server certificate together with the certificate chain to the client. This prevents the blocking issue caused by the client query. This process does not cause additional security issues because the OCSP response cannot be forged.

        SM certificate-based HTTPS

        Only Anti-DDoS Pro and Anti-DDoS Premium instances in the Chinese mainland support SM certificates. Only the SM2 algorithm is supported.

        Note

        Anti-DDoS Pro and Anti-DDoS Premium (the Chinese mainland) is verified to process SM requests from 360 Browser and Honglianhua Browser.

        • Allow Access Only from SM Certificate-based Clients: This switch is turned off by default.

          • On: Only requests from clients that have an SM certificate installed are processed.

            Note

            When enabled, TLS suite, mutual authentication, and OCSP stapling configurations for certificates using internationally accepted algorithms will not apply.

          • Off: Processes requests from clients with an installed SM certificate and those with a certificate using internationally accepted algorithms.

        • SM Certificate: You must upload an SM certificate to Certificate Management Service before selecting it.

        • SM Cipher Suites for HTTPS Support: The following cipher suites are enabled by default and cannot be modified.

          • ECC-SM2-SM4-CBC-SM3

          • ECC-SM2-SM4-GCM-SM3

          • ECDHE-SM2-SM4-CBC-SM3

          • ECDHE-SM2-SM4-GCM-SM3

      • Websocket: If you select this protocol, the HTTP protocol is automatically selected. You cannot select only the Websocket protocol.

      • Websockets: If you select this protocol, the HTTPS protocol is automatically selected. You cannot select only the Websockets protocol.

      After you select the HTTPS protocol, you can enable the following advanced settings as needed.

      • Enable HTTPS Redirection: This setting applies to websites that support both HTTP and HTTPS. After you enable this setting, all HTTP requests are forcibly converted to HTTPS requests and redirected to port 443 by default.

        Important
        • You can enable this setting only when both the HTTP and HTTPS protocols are selected and the Websocket protocol is not selected.

        • If you access the website over a non-standard HTTP port (other than port 80) and enable force redirect to HTTPS, the access requests are redirected to HTTPS port 443 by default.

      • Enable HTTP Redirection of Back-to-origin Requests: If the website does not support HTTPS for back-to-origin traffic, you must enable this setting. After you enable this setting, all HTTPS requests are sent to the origin server over HTTP, and all Websockets requests are sent to the origin server over Websocket. By default, the back-to-origin port is 80.

        Important

        If you access the website over a non-standard HTTPS port (other than port 443) and enable HTTP for back-to-origin traffic, the access requests are redirected to the origin server over HTTP port 80 by default.

      • Enable HTTP/2: If you enable this feature, HTTP/2.0 clients can access Anti-DDoS Pro and Anti-DDoS Premium. However, Anti-DDoS Pro and Anti-DDoS Premium still uses HTTP/1.1 to send requests to the origin server.

        HTTP/2.0 feature specifications

        • Idle timeout after which an idle connection is closed (http2_idle_timeout): 120s

        • Maximum number of requests per connection (http2_max_requests): 1000

        • Maximum number of concurrent streams per connection (http2_max_concurrent_streams): 4

        • Maximum size of the entire request header list after HPACK decompression (http2_max_header_size): 256K

        • Maximum size of an HPACK-compressed request header field (http2_max_field_size): 64K

      Server Address

      Select the address type of the origin server and enter the address of the origin server.

      Note

      The origin server can be an Alibaba Cloud service or a service that is not hosted on Alibaba Cloud. If the origin server is an Alibaba Cloud service, make sure that the service belongs to your Alibaba Cloud account. If the service belongs to another Alibaba Cloud account, contact your business manager before you add the service.

      • Origin IP Address: the IP address of the origin server. You can enter up to 20 origin IP addresses. Separate multiple IP addresses with commas (,).

        • If the origin server is an ECS instance on Alibaba Cloud, enter the public IP address of the ECS instance. If an SLB instance is deployed before the ECS instance, enter the public IP address of the SLB instance.

        • If the origin server is in a data center that is not deployed on Alibaba Cloud or is hosted on another cloud service provider, you can run the ping command against the domain name to query the public IP address to which the domain name is resolved. Then, enter the obtained public IP address.

      • Origin Domain Name: This option is suitable for scenarios in which other proxy services, such as Web Application Firewall (WAF), are deployed between the origin server and Anti-DDoS Pro and Anti-DDoS Premium. The value of this parameter indicates the redirect address of the proxy service. You can enter up to 10 origin domain names. Separate multiple domain names with line breaks.

        For example, to deploy WAF after you deploy an Anti-DDoS Pro or Anti-DDoS Premium instance to improve application security, you can select Origin Domain Name and enter the CNAME of WAF. For more information, see Improve website protection by deploying Anti-DDoS Pro or Anti-DDoS Premium together with WAF.

        Important

        If you set Origin Domain Name to the default public endpoint of an OSS bucket, you must attach a custom domain name to the bucket. For more information, see Attach a custom domain name.

      Server Port

      Based on the Protocol Type, set the port on which the origin server provides the corresponding service.

      • The default port for the HTTP and Websocket protocols is 80.

      • The default port for the HTTPS, HTTP2, and Websockets protocols is 443.

      You can specify custom server ports. Separate multiple ports with commas (,). The following limits apply:

      • The custom ports must be within the allowed port range.

        • HTTP protocol port range: 80 to 65535.

        • HTTPS protocol port range: 80 to 65535.

      • The total number of custom ports for all website services that are protected by the Anti-DDoS Pro or Anti-DDoS Premium instance cannot exceed 10. This includes custom ports for different protocols.

        For example, you have two websites, A and B. Website A provides HTTP services and Website B provides HTTPS services. If you specify custom HTTP ports 80 and 8080 in the configuration of Website A, you can specify a maximum of eight different custom HTTPS ports in the configuration of Website B.

      CNAME Reuse

      This parameter is supported only by Anti-DDoS Pro and Anti-DDoS Premium (outside the Chinese mainland). Select whether to enable CNAME reuse.

      This feature is suitable for scenarios in which multiple website services are hosted on the same server. After you enable CNAME reuse, you need to only point the DNS records of multiple domain names on the same server to the same CNAME of the Anti-DDoS Pro or Anti-DDoS Premium instance. This way, you can add multiple domain names to Anti-DDoS Pro and Anti-DDoS Premium without the need to add a website configuration for each domain name. For more information, see CNAME reuse.

    2. Configure the forwarding settings and click Next.

      Configuration item

      Description

      Back-to-origin Scheduling Algorithm

      This parameter is required if you have multiple origin server addresses (origin IP addresses or origin domain names). You can change the load balancing algorithm or set weights for different servers.

      • Round-robin (default): All requests are sequentially distributed to all server addresses. By default, all server addresses have the same weight. You can change the server weights. The greater the weight of a server, the higher the probability that requests are forwarded to the server. This algorithm is suitable for scenarios where multiple origin servers are used and an even load distribution across origin servers is required.

      • IP hash: You can set an IP hash and weights for servers. The IP hash algorithm ensures that requests from the same client are forwarded to the same server for a period of time. This ensures session consistency. In weight mode, weights are allocated based on the processing capabilities of servers. This ensures that servers with higher performance process more requests and improves resource utilization. This algorithm is suitable for scenarios where user session consistency must be maintained. In extreme cases, the load may be imbalanced.

      • Least time: The intelligent DNS resolution capability and the least time back-to-origin algorithm ensure the lowest latency for service traffic across the entire link from the protection node to the origin server.

      • Retry Back-to-origin Requests: When a resource requested by Anti-DDoS Pro and Anti-DDoS Premium is not found on the cache server, the cache server attempts to retrieve the resource from an upper-level cache server or the origin server.

        Note

        You can set the maximum number of back-to-origin retries for each origin server. The default value is 3.

      Traffic Marking

      • Originating Port

        The name of the HTTP header that contains the originating port of the client.

        In most cases, the X-Forwarded-ClientSrcPort header is used to record the originating port of the client. If you use a custom header to record the originating port of the client, specify the custom header for Originating Port. After Anti-DDoS Proxy forwards back-to-origin requests to your origin server, your origin server parses the custom header to obtain the originating port of the client. The steps to obtain the originating port of the client are similar to the steps to obtain the originating IP address of the client. For more information, see Obtain the originating IP addresses of requests.

      • Originating IP Address

        The name of the HTTP header that contains the originating IP address of the client.

        In most cases, the X-Forwarded-For header is used to record the originating IP address of the client. If you use a custom header to record the originating IP address of the client, specify the custom header for Originating IP Address. After Anti-DDoS Proxy forwards back-to-origin requests to your origin server, your origin server parses the custom header to obtain the originating IP address of the client.

      • Custom Header

        You can add custom HTTP headers to requests that pass Anti-DDoS Proxy to mark the requests. To add custom HTTP headers, specify header names and values. After you create custom headers, Anti-DDoS Proxy adds the custom headers to the back-to-origin requests. This way, the backend servers can perform statistical analysis on the back-to-origin requests.

        • Do not use the following default headers as custom headers:

          • X-Forwarded-ClientSrcPort: This header is used to obtain the originating ports of clients that access Anti-DDoS Proxy (a Layer 7 proxy).

          • X-Forwarded-ProxyPort: This header is used to obtain the ports of listeners that access Anti-DDoS Proxy (a Layer 7 proxy).

          • X-Forwarded-For: This header is used to obtain the originating IP addresses of clients that access Anti-DDoS Proxy (a Layer 7 proxy).

        • Do not use standard HTTP headers (such as Host, User-Agent, Connection, and Upgrade) or widely used custom HTTP headers (such as X-Real-IP, X-True-IP, X-Client-IP, Web-Server-Type, WL-Proxy-Client-IP, EagleEye-RPCID, EagleEye-TraceID, X-Forwarded-Cluster, and X-Forwarded-Proto). If you use the above headers, the original headers are overwritten.

        • You can add up to five custom HTTP headers.
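The following is an added example (not Alibaba Cloud code) of the origin-server side of Traffic Marking: it reads the client's originating IP address and port from the headers named above, but only when the TCP peer that delivered the request is inside the allowlisted back-to-origin ranges, and it rejects custom header names the page says must not be used. The 198.51.100.0/24 range in the test is a constructed placeholder for the real back-to-origin addresses, and treating the leftmost X-Forwarded-For entry as the client assumes Anti-DDoS Proxy is the first proxy in front of the client.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Added example, not Alibaba Cloud code: origin-side handling of the headers
# Anti-DDoS Proxy inserts, plus a check on proposed custom header names.

# Headers Anti-DDoS Proxy sets itself, plus the standard and widely used names
# listed above; a custom header with one of these names would overwrite them.
RESERVED_HEADERS = {
    "x-forwarded-clientsrcport", "x-forwarded-proxyport", "x-forwarded-for",
    "host", "user-agent", "connection", "upgrade",
    "x-real-ip", "x-true-ip", "x-client-ip", "web-server-type",
    "wl-proxy-client-ip", "eagleeye-rpcid", "eagleeye-traceid",
    "x-forwarded-cluster", "x-forwarded-proto",
}
MAX_CUSTOM_HEADERS = 5   # limit stated on the page


def check_custom_headers(names: Iterable[str]) -> List[str]:
    """Return the problems with a proposed set of custom header names (empty list = OK)."""
    names = [n.strip() for n in names]
    problems = [f"{n}: reserved header name" for n in names if n.lower() in RESERVED_HEADERS]
    if len(names) > MAX_CUSTOM_HEADERS:
        problems.append(f"{len(names)} headers requested, at most {MAX_CUSTOM_HEADERS} allowed")
    return problems


def client_origin(peer_ip: str, headers: Dict[str, str], trusted_nets: Iterable[str],
                  ip_header: str = "X-Forwarded-For",
                  port_header: str = "X-Forwarded-ClientSrcPort") -> Tuple[str, Optional[int]]:
    """Return (client_ip, client_port) for a request received by the origin server.

    peer_ip is the TCP peer that connected to the origin. Header values are used
    only if that peer lies inside trusted_nets (the allowlisted back-to-origin
    ranges); otherwise the peer address itself is returned and the port is
    unknown. ip_header/port_header take the custom names configured under
    Originating IP Address / Originating Port when the defaults are not used.
    Assumption: Anti-DDoS Proxy is the first proxy in front of the client, so
    the leftmost X-Forwarded-For entry is the client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n, strict=False) for n in trusted_nets):
        return str(peer), None          # untrusted peer: anyone could have set the headers

    lowered = {k.lower(): v for k, v in headers.items()}
    first = lowered.get(ip_header.lower(), "").split(",")[0].strip()
    try:
        client_ip = str(ipaddress.ip_address(first))
    except ValueError:
        client_ip = str(peer)           # missing or malformed header: fall back to the peer

    port: Optional[int] = None
    raw_port = lowered.get(port_header.lower(), "").strip()
    if raw_port.isdigit() and 1 <= int(raw_port) <= 65535:
        port = int(raw_port)
    return client_ip, port
```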

      Cookie Settings

      • Enabling status

        This feature is enabled by default. When enabled, Anti-DDoS Pro and Anti-DDoS Premium inserts a cookie into the client, such as a browser, to differentiate clients or obtain client fingerprints. For more information, see Configure CC security protection.

        Important

        To prevent Anti-DDoS Pro and Anti-DDoS Premium from inserting a cookie into your service, you can disable this feature. However, if you disable this feature, Anti-DDoS Pro and Anti-DDoS Premium cannot use the CC security protection policy module to proactively detect and defend against CC attacks.

      • Secure attribute

        This feature is disabled by default. If you enable this feature, the cookie is sent only over HTTPS connections, not over HTTP connections. This helps protect the cookie from being stolen by attackers. We recommend that you enable this feature when your website service supports only HTTPS connections.

      Other Settings

      • Configure New Connection Timeout Period: When Anti-DDoS Pro and Anti-DDoS Premium attempts to establish a connection to the origin server, the connection is considered to have failed if it is not established within this period. You can set this parameter to a value from 1 to 10 seconds.

      • Configure Read Connection Timeout Period: After Anti-DDoS Pro and Anti-DDoS Premium establishes a connection and sends a read request to the origin server, this is the maximum amount of time that Anti-DDoS Pro and Anti-DDoS Premium waits for a response from the origin server. You can set this parameter to a value from 10 to 300 seconds.

      • Configure Write Connection Timeout Period: After data is sent from Anti-DDoS Pro and Anti-DDoS Premium and before the origin server starts to process the data, this is the amount of time that Anti-DDoS Pro and Anti-DDoS Premium waits. The write request is considered to have failed if Anti-DDoS Pro and Anti-DDoS Premium has not sent all data to the origin server or the origin server has not started to process the data within this period. You can set this parameter to a value from 10 to 300 seconds.

      • Back-to-origin Persistent Connection: This feature keeps a TCP connection between the cache server and the origin server active for a period of time instead of closing the connection after each request is complete. After you enable this feature, the time and resources that are required to establish connections are reduced, and the request processing efficiency and speed are improved.

      • Requests Reusing Persistent Connections: the number of HTTP requests that can be sent over a TCP connection that is established between Anti-DDoS Pro and Anti-DDoS Premium and the origin server. This reduces the latency and resource consumption that are caused by frequent connection establishment and closure. You can set this parameter to a value from 10 to 1000. We recommend that you set this parameter to a value that is less than or equal to the number of requests that can reuse a persistent connection on the backend origin server, such as a WAF or SLB instance. This prevents service interruptions that are caused by the closure of persistent connections.

      • Timeout Period of Idle Persistent Connections: the maximum amount of time that a persistent TCP connection established between Anti-DDoS Pro and Anti-DDoS Premium and the origin server can remain open in the connection pool of Anti-DDoS Pro and Anti-DDoS Premium after no data is transmitted. If no new requests are received during this period, the connection is closed to release system resources. You can set this parameter to a value from 10 to 30 seconds. We recommend that you set this parameter to a value that is less than or equal to the timeout period that is configured on the backend origin server, such as a WAF or SLB instance. This prevents service interruptions that are caused by the closure of persistent connections.

      • Upper Limit for HTTP/2 Streams: This parameter is available only when HTTP/2 is enabled. It specifies the maximum number of concurrent streams that are allowed between the client and Anti-DDoS Pro and Anti-DDoS Premium. You can set this parameter to a value from 16 to 32. If you require a higher value, contact your business manager.
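The following is an added example (not Alibaba Cloud code) that checks the values chosen under Other Settings against the ranges stated above and against the keepalive limits of an nginx origin, since the page recommends keeping Requests Reusing Persistent Connections and Timeout Period of Idle Persistent Connections at or below the origin's own values. The origin configuration is constructed, and the nginx defaults of 1000 requests and 75 seconds used when a directive is absent are an assumption about the origin's nginx version.

```python
import re
from typing import Dict, List, Tuple

# Added example, not Alibaba Cloud code: range checks for Other Settings plus a
# cross-check against an nginx origin's keepalive limits.

# Allowed ranges from the page, as (minimum, maximum); seconds except for counts.
RANGES: Dict[str, Tuple[int, int]] = {
    "new_connection_timeout": (1, 10),
    "read_connection_timeout": (10, 300),
    "write_connection_timeout": (10, 300),
    "requests_reusing_persistent_connections": (10, 1000),
    "idle_persistent_connection_timeout": (10, 30),
    "http2_streams_upper_limit": (16, 32),
}

# Matches "keepalive_requests 500;" and "keepalive_timeout 15s;" at line start.
_DIRECTIVE = re.compile(r"^\s*(keepalive_requests|keepalive_timeout)\s+(\d+)(s|m)?", re.M)

# Constructed origin configuration used by the test, not a real deployment.
ORIGIN_CONF = """
http {
    keepalive_timeout 15s;
    keepalive_requests 500;
}
"""


def nginx_keepalive(conf: str) -> Tuple[int, int]:
    """Return (keepalive_requests, keepalive_timeout_seconds) from nginx config text.

    Assumption: absent directives take the nginx defaults of 1000 requests and 75 s.
    """
    requests, timeout = 1000, 75
    for name, value, unit in _DIRECTIVE.findall(conf):
        if name == "keepalive_requests":
            requests = int(value)
        else:
            timeout = int(value) * (60 if unit == "m" else 1)
    return requests, timeout


def check_other_settings(settings: Dict[str, int], origin_conf: str) -> List[str]:
    """Return findings for the chosen values (empty list = consistent with page and origin)."""
    findings = []
    for key, value in settings.items():
        if key not in RANGES:
            findings.append(f"{key}: unknown setting")
            continue
        lo, hi = RANGES[key]
        if not lo <= value <= hi:
            findings.append(f"{key}={value} is outside the allowed range {lo}-{hi}")

    origin_requests, origin_timeout = nginx_keepalive(origin_conf)
    reuse = settings.get("requests_reusing_persistent_connections")
    if reuse is not None and reuse > origin_requests:
        findings.append(f"requests reusing persistent connections ({reuse}) exceeds origin "
                        f"keepalive_requests ({origin_requests}); the origin closes the connection first")
    idle = settings.get("idle_persistent_connection_timeout")
    if idle is not None and idle > origin_timeout:
        findings.append(f"idle persistent connection timeout ({idle}s) exceeds origin "
                        f"keepalive_timeout ({origin_timeout}s); the origin closes the connection first")
    return findings
```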

What to do next

  1. (Optional) Change the public IP address of an ECS origin server.

    If your origin server is an ECS instance and the origin IP address is exposed, change the public IP address of the ECS instance. This prevents attackers from bypassing Anti-DDoS Pro and Anti-DDoS Premium to attack your origin server. For more information, see Static public IP address.

  2. Allow the back-to-origin IP addresses of Anti-DDoS Pro and Anti-DDoS Premium on the origin server.

    If security software, such as a firewall, is installed on the origin server, add the back-to-origin IP addresses of Anti-DDoS Pro and Anti-DDoS Premium to the allowlist on the origin server. This prevents traffic that is forwarded from Anti-DDoS Pro and Anti-DDoS Premium to the origin server from being incorrectly blocked. For more information, see Allow back-to-origin IP addresses of Anti-DDoS Pro and Anti-DDoS Premium.

  3. Verify that the traffic forwarding settings take effect on a local machine. For more information, see Verify traffic forwarding settings on a local machine.

    Warning

    If you switch service traffic before the forwarding settings take effect, your service may be interrupted.

  4. Change the DNS record to switch service traffic to Anti-DDoS Pro and Anti-DDoS Premium.

    After you add a website configuration, Anti-DDoS Pro and Anti-DDoS Premium assigns a CNAME to the website. You must point the DNS record of the domain name to the CNAME to switch service traffic to the Anti-DDoS Pro or Anti-DDoS Premium instance for protection. For more information, see Use a CNAME or an IP address to resolve a website domain name to Anti-DDoS Pro and Anti-DDoS Premium.

  5. (Optional) Configure DDoS mitigation policies for your website service.

    By default, the Anti-DDoS Global Mitigation Policy and Intelligent Protection features are enabled for websites added for protection. You can also enable additional protection features on the Protection for Website Services tab. For more information, see Protection for Website Services.

    Important

    After you configure CC security protection, cookies may be inserted. For more information, see Cookie insertion.

  6. (Optional) Configure CloudMonitor alerts.

    You can set alert rules for common service metrics, such as traffic and connections for an IP address of an Anti-DDoS Pro or Anti-DDoS Premium instance, and for attack events, such as blackhole filtering and traffic scrubbing. This way, CloudMonitor can send you timely alerts when exceptions occur. This helps you shorten the response time and restore your services. For more information, see CloudMonitor alerts.

  7. (Optional) Configure the log analysis instance.

    Anti-DDoS Pro and Anti-DDoS Premium collects and stores the full logs of your website service for you to query and analyze. By default, the log analysis instance stores the full logs of your website for 180 days. This helps you meet the requirements of classified protection. For more information, see Quickly use full log analysis.

References

  • To change the Anti-DDoS Pro or Anti-DDoS Premium instance for a domain name without interrupting service forwarding, see Change the Anti-DDoS Pro or Anti-DDoS Premium instance that is bound to a domain name.

  • To resolve latency issues that occur during normal service access, you can use Sec-Traffic Manager. If no attacks occur, service traffic is directly forwarded to the origin server without increasing latency. If attacks occur, traffic is switched to Anti-DDoS Pro and Anti-DDoS Premium for scrubbing and forwarding. For more information, see Sec-Traffic Manager.