Route your website traffic through Anti-DDoS Proxy for DDoS attack protection. After you add a domain name, point its DNS record to the CNAME that Anti-DDoS Proxy generates to activate protection.
Prerequisites
Before you begin, ensure that you have:
An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance. See Purchase an Anti-DDoS Proxy instance
An ICP filing for your domain name, if you are adding it to an Anti-DDoS Proxy (Chinese Mainland) instance. ICP filing is not required for Anti-DDoS Proxy (Outside Chinese Mainland) instances
Add a website
Log on to the Website Config page in the Anti-DDoS Proxy console.
In the top navigation bar, select the region that matches your instance:
Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.
Click Add Website.
Note To add multiple website configurations at once, click Batch Import at the bottom of the page. Configurations must be in an XML file. For the file format, see Other operations.
Fill in the Website Config settings, then click Next.
Fill in the Forwarding Settings, then click Next.
Website config settings
Basic configuration
Function Plan
Select the function plan for the Anti-DDoS Proxy instance: Standard or Enhanced. Hover over the icon to compare features. For details, see Differences between Standard and Enhanced function plans.
Instance
Select the Anti-DDoS Proxy instance to associate with this domain.
A domain name can be associated with a maximum of eight Anti-DDoS Proxy instances. All instances must use the same Function Plan.
Websites
Enter the domain name to protect. Accepted formats:
Exact-match domain: www.example.com
Wildcard domain: *.example.com
Behavior notes:
If both a wildcard domain (for example, *.aliyundoc.com) and an exact-match domain (for example, www.aliyundoc.com) are configured, Anti-DDoS Proxy applies the forwarding rules and mitigation policies of the exact-match domain.
A root domain protects only the root domain itself. Second-level domains and other subdomains are not protected automatically. To protect a second-level domain, enter it explicitly or use a wildcard domain.
Domain names only — IP addresses are not accepted.
Protocol type
Select the protocols your website supports:
HTTP / HTTPS: Standard web protocols.
Note For HTTPS settings, see HTTPS configuration below.
WebSocket / WebSockets: Real-time communication protocols. Selecting either automatically enables HTTP or HTTPS.
Server address
Set the backend origin server address that Anti-DDoS Proxy uses for origin fetch:
Origin IP address: Enter one or more public IP addresses, separated by commas.
| Origin server location | What to enter |
|---|---|
| Alibaba Cloud ECS instance | Public IP of the ECS instance |
| Behind an SLB instance (Alibaba Cloud) | Public IP of the SLB instance |
| Non-Alibaba Cloud or another cloud | Run ping <domain name> to find the public IP, then enter it |
Origin domain name: Use this when another proxy service sits between the origin server and Anti-DDoS Proxy — for example, WAF or an OSS bucket default endpoint.
If WAF is the preceding proxy, enter the CNAME of the WAF instance. See Protect a website by using both Anti-DDoS Proxy and WAF.
If the origin domain is the default public endpoint of an OSS bucket, attach a custom domain name to the bucket first. See Attach a custom domain name.
Maximum: 10 origin domain names, one per line.
Server port
Set the port the origin server listens on:
| Protocol | Default port | Custom port range |
|---|---|---|
| HTTP / WebSocket | 80 | 80–65535 |
| HTTPS / WebSockets | 443 | 80–65535 |
For custom ports, separate multiple values with commas. The total number of custom ports (excluding 80 and 443) across all website configurations under an instance cannot exceed 10.
HTTPS configuration
Complete this section if you selected HTTPS as a protocol.
Configure a certificate
Choose how to provide the SSL certificate based on your situation:
You already have a certificate file: Select Upload. Enter a Certificate name, paste the certificate content into Certificate file, and paste the private key into Private key.
Note
- PEM, CER, and CRT files can be opened in a text editor and copied directly. For PFX or P7B files, convert to PEM format first. See Convert the format of a certificate or How do I convert an SSL certificate to the PEM format?.
- If the certificate includes a certificate chain, concatenate all certificates and paste the combined content into Certificate file.
You purchased or uploaded a certificate in Certificate Management Service: Select Select existing certificate and choose the certificate from the list.
TLS security settings
For details on custom TLS policies, see Customize the TLS security policy for an HTTPS certificate.
TLS versions for SSL certificate
Select the minimum TLS version your international standard HTTPS certificate supports:
| Option | Supported versions | Security level |
|---|---|---|
| TLS 1.0 and later | TLS 1.0, 1.1, 1.2 | Low (best compatibility) |
| TLS 1.1 and later | TLS 1.1, 1.2 | Medium |
| TLS 1.2 and later | TLS 1.2 | High |
| Enable TLS 1.3 support | TLS 1.3 | — |
Cipher suites for SSL certificate
Select a cipher suite for the international standard HTTPS certificate, or specify a custom suite. Hover over the icon next to each option to see which cipher suites it includes.
Mutual authentication
Issued by Alibaba Cloud: Select a CA certificate from the drop-down list (shown with the placeholder text A default CA certificate is required.). This certificate is issued by Certificate Management Service (Original SSL Certificate).
Not issued by Alibaba Cloud: Upload the self-signed CA certificate to Certificate Management Service first (see Upload certificate repository), then select it from the same drop-down list.
OCSP stapling
Online Certificate Status Protocol (OCSP) stapling lets Anti-DDoS Proxy pre-fetch and cache the OCSP response from the certificate authority (CA), so clients receive it during the TLS handshake without querying the CA directly.
OCSP responses are digitally signed by the CA and cannot be forged. Enabling this feature does not introduce additional security risks.
| Setting | Behavior |
|---|---|
| Disabled (default) | The client queries the CA directly during each TLS handshake. On a slow network, this can delay page loading. |
| Enabled | Anti-DDoS Proxy queries the CA and caches the result for 3,600 seconds. Each TLS handshake includes the cached response, eliminating client-side blocking. |
SM certificate
Allow access only from SM certificate-based clients (off by default):
On: Processes requests only from clients with an SM certificate installed. When enabled, TLS, mutual authentication, and OCSP stapling settings for internationally accepted algorithm certificates do not apply.
Off: Processes requests from both SM certificate clients and clients using internationally accepted algorithm certificates.
SM certificate: Upload an SM certificate to Certificate Management Service before selecting it here.
SM cipher suites for HTTPS support: The following cipher suites are enabled by default and cannot be modified:
ECC-SM2-SM4-CBC-SM3
ECC-SM2-SM4-GCM-SM3
ECDHE-SM2-SM4-CBC-SM3
ECDHE-SM2-SM4-GCM-SM3
Advanced settings
Enable HTTPS redirection
Redirects all HTTP requests to HTTPS on port 443.
Requires both HTTP and HTTPS to be selected, with WebSocket not selected.
If a request comes in on a non-standard HTTP port (not 80), it is redirected to HTTPS port 443.
HTTP/2 listener
When enabled, clients can connect to Anti-DDoS Proxy using HTTP/2. Anti-DDoS Proxy still uses HTTP/1.1 for origin fetch.
| Specification | Value |
|---|---|
| Idle timeout (http2_idle_timeout) | 120 s |
| Maximum requests per connection (http2_max_requests) | 1,000 |
| Maximum concurrent streams per connection (http2_max_concurrent_streams) | 4 |
| Maximum request header list size after HPACK decompression (http2_max_header_size) | 256 K |
| Maximum HPACK-compressed header field size (http2_max_field_size) | 64 K |
Use Upper limit for HTTP/2 streams to set the maximum number of concurrent streams between the client and Anti-DDoS Proxy.
Set forward connection timeout
The idle timeout for a persistent TCP connection between a client and Anti-DDoS Proxy — the maximum wait time between two client requests. If no new request arrives within this period, Anti-DDoS Proxy closes the connection to release resources.
Forwarding settings
Back-to-origin scheduling
If you configure multiple origin IP addresses or origin domain names, select a load balancing algorithm:
| Algorithm | Best for | How it works |
|---|---|---|
| Round-robin (default) | Multiple origin servers with similar capacity | Distributes requests across all servers in sequence. All servers have equal weight by default; adjust weights to favor higher-capacity servers. |
| IP hash | Session-consistency requirements | Routes requests from the same client IP address to the same origin server. Supports custom weights. Note: uneven traffic distribution may occur in some cases. |
| Least time | Latency-sensitive services (gaming, online transactions) | Combines intelligent DNS resolution with a least-time algorithm to minimize end-to-end latency from the POP to the origin. |
Retry back-to-origin requests
The number of health check probes before marking an origin server unavailable. Default: 3.
The retry mechanism works as follows:
When service traffic hits an edge zone and the origin server is unreachable, the edge zone retries the origin fetch.
If the origin is still unreachable after the maximum retries, it enters a silence period. No traffic is forwarded and no probes are sent during this time.
After the silence period ends, the retry mechanism is triggered again on the next request. If successful, the origin server is reactivated.
Traffic marking
Use traffic marking to pass client connection information to your origin server via HTTP headers.
Originating port
The HTTP header that carries the client's originating port. The default header is X-Forwarded-ClientSrcPort. To use a custom header instead, specify it here — your origin server must then parse that header to obtain the port. For details, see Obtain the originating IP addresses of requests.
Originating IP address
The HTTP header that carries the client's originating IP address. The default header is X-Forwarded-For. To use a custom header, specify it here.
Custom header
Add up to five custom HTTP headers to back-to-origin requests for backend statistical analysis.
Do not use the following reserved headers as custom headers:
X-Forwarded-ClientSrcPort: client originating port
X-Forwarded-ProxyPort: listener port
X-Forwarded-For: client originating IP address
Do not override standard HTTP headers (such as Host, User-Agent, Connection, Upgrade) or widely used custom headers (such as X-Real-IP, X-True-IP, X-Client-IP, Web-Server-Type, WL-Proxy-Client-IP, EagleEye-RPCID, EagleEye-TraceID, X-Forwarded-Cluster, X-Forwarded-Proto). Using any of these overwrites the original header value.
CNAME reuse
CNAME reuse is supported only by Anti-DDoS Proxy (Outside Chinese Mainland) instances.
When CNAME reuse is enabled, point multiple domain names hosted on the same origin server to the same Anti-DDoS Proxy CNAME — no separate website configuration needed per domain. See CNAME reuse.
Other settings
Enable HTTP redirection of back-to-origin requests
Enable this if your origin server does not support HTTPS. All HTTPS requests are forwarded to the origin over HTTP (port 80), and WebSockets requests are forwarded over WebSocket.
HTTP/2.0 origin
When enabled, Anti-DDoS Proxy uses HTTP/2.0 to send requests to the origin server.
To configure this feature, contact your account manager.
Do not enable this feature if your origin server does not support HTTP/2.0. Doing so will make your website inaccessible.
Cookie settings
| Setting | Default | Description |
|---|---|---|
| Delivery status | Enabled | Anti-DDoS Proxy inserts a cookie into the client to differentiate clients or obtain client fingerprints for HTTP flood protection. If you experience login failures or session losses after onboarding, disable this setting. Note that disabling it reduces the effectiveness of some HTTP flood protection features. |
| Secure attribute | Disabled | When enabled, the cookie is transmitted only over HTTPS, preventing it from being intercepted over HTTP. Enable this if your website supports HTTPS only. |
For details, see Configure HTTP flood protection.
Configure new connection timeout period
The time Anti-DDoS Proxy waits to establish a connection to the origin server. If the connection is not established within this period, the attempt is treated as a failure.
Configure read connection timeout period
The maximum time Anti-DDoS Proxy waits for a response from the origin server after sending a read request.
Configure write connection timeout period
The time Anti-DDoS Proxy waits for the origin server to begin processing data after sending it. If the data is not sent in full or the origin server does not start processing within this period, the attempt is treated as a failure.
Back-to-origin persistent connections
Keeps the TCP connection between Anti-DDoS Proxy and the origin server alive across multiple requests, reducing connection setup overhead.
| Sub-setting | Description |
|---|---|
| Requests reusing persistent connections | Maximum number of HTTP requests sent over a single TCP connection. Set this value to no more than the persistent connection limit configured on your backend (for example, WAF or SLB) to avoid unexpected connection termination. |
| Timeout period of idle persistent connections | Maximum idle time before an unused connection in the pool is closed. Set this to no more than the timeout configured on your backend to avoid unexpected connection termination. |
Going live
After completing the website configuration, follow this checklist to go live without service interruption.
Complete the required steps in order. Switching DNS before allowlisting back-to-origin IP addresses or verifying forwarding can cause immediate service disruption.
Required steps
Add back-to-origin IP addresses to your origin server's allowlist: In your origin server's firewall or security group, allowlist the back-to-origin IP address ranges of Anti-DDoS Proxy. This prevents Anti-DDoS Proxy's forwarded traffic from being blocked. See Add the back-to-origin IP addresses of Anti-DDoS Proxy to a whitelist.
Verify the configuration locally: Before switching DNS, update your local hosts file to test that forwarding works correctly. This catches misconfiguration before it affects live traffic. See Verify traffic forwarding settings on a local machine.
Switch the DNS record: After local verification succeeds, update the DNS record of your domain to the CNAME provided by Anti-DDoS Proxy. This routes live traffic through Anti-DDoS Proxy for protection. See Use a CNAME or an IP address to resolve a domain name to an Anti-DDoS Proxy instance.
Optional steps
Change the origin IP address: If your origin server is an Alibaba Cloud ECS instance with an exposed public IP, change the public IP address after onboarding. This prevents attackers from bypassing Anti-DDoS Proxy to target your origin directly. See Static public IP address.
Configure DDoS mitigation policies: Beyond the default policies (Anti-DDoS global mitigation policy, Intelligent protection, and Frequency control), enable additional protection features on the Protection for website services tab as needed. See Protection for website services.
Important Enabling HTTP flood protection policies may insert a cookie into the client. See Cookie insertion.
Configure CloudMonitor alerts: Set up alert rules for traffic, connections, blackhole filtering events, and traffic scrubbing events to get notified of anomalies and respond quickly. See CloudMonitor alerts.
Enable log analysis: Collect and store website access logs for 180 days by default — useful for business analysis and classified protection compliance. See Quickly use the log analysis feature.
Limitations
| Resource | Limit |
|---|---|
| Anti-DDoS Proxy instances per domain | 8 |
| Custom ports (non-80/443) per instance | 10 total across all website configurations |
| Custom HTTP headers per website | 5 |
FAQ
Why do I get a 502 or 504 error after completing the configuration?
This almost always means origin fetch is failing. Check these three things in order:
Origin server firewall or security group: Confirm that the back-to-origin IP address ranges of Anti-DDoS Proxy are in your allowlist.
HTTP redirection for back-to-origin: If your origin server listens only on HTTP (port 80) but you configured HTTPS in Anti-DDoS Proxy without enabling Enable HTTP redirection of back-to-origin requests, origin fetch fails. Enable that setting.
Origin server status: Confirm that Origin IP address is correct and the origin server is running.
Why does my browser report a certificate error after enabling HTTPS?
Check these:
Certificate-domain mismatch: The certificate must cover the domain you added. A certificate for www.example.com does not cover example.com unless it is a wildcard or multi-domain certificate.
Incomplete certificate chain: Upload the complete certificate chain (server certificate plus all intermediate CA certificates, concatenated).
Expired certificate: Check whether the uploaded certificate is still valid.
How do I confirm that traffic is passing through Anti-DDoS Proxy?
Use any of these methods:
DNS lookup: Run ping <your domain> or dig <your domain> and verify that the resolved address is the Anti-DDoS Proxy CNAME or one of its IP addresses.
Console traffic reports: Check the reports page in the Anti-DDoS Proxy console for inbound traffic data.
Origin server logs: Check your origin web server logs and confirm that request source IPs belong to the Anti-DDoS Proxy back-to-origin IP ranges.
My application logs show only Anti-DDoS Proxy IP addresses, not real visitor IPs. How do I get the real visitor IP?
This is expected behavior. As a reverse proxy, Anti-DDoS Proxy connects to your origin using its back-to-origin IP addresses. To retrieve the real visitor IP, configure your web server (Nginx, Apache, or similar) to read the X-Forwarded-For header. See Obtain the real IP addresses of clients after you configure an Anti-DDoS Proxy instance.
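The origin-side counterpart of the Traffic marking section and of this FAQ answer, as an added example that is not code from the page or from Alibaba Cloud: the marking headers are honoured only when the TCP peer is a back-to-origin address (the same ranges you allowlist), the rightmost non-proxy entry of X-Forwarded-For is taken as the client so that client-supplied entries are ignored, and custom header names are checked against the reserved list. The networks in TRUSTED_PROXY_RANGES are constructed placeholders, not the real back-to-origin ranges.

```python
import ipaddress
from typing import List, Mapping, Optional, Tuple, Union

# Constructed placeholder networks standing in for the Anti-DDoS Proxy
# back-to-origin IP ranges (assumption: load the real list from the console
# and keep it identical to your origin allowlist).
TRUSTED_PROXY_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Default traffic-marking headers; pass your own names if you customised them.
IP_HEADER = "X-Forwarded-For"
PORT_HEADER = "X-Forwarded-ClientSrcPort"

# Names the page lists as reserved, standard, or widely used: a custom header
# with one of these names would overwrite the original value.
RESERVED_HEADERS = {
    "x-forwarded-clientsrcport", "x-forwarded-proxyport", "x-forwarded-for",
    "host", "user-agent", "connection", "upgrade",
    "x-real-ip", "x-true-ip", "x-client-ip", "web-server-type", "wl-proxy-client-ip",
    "eagleeye-rpcid", "eagleeye-traceid", "x-forwarded-cluster", "x-forwarded-proto",
}

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_ip(value: str) -> Optional[IPAddr]:
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted_proxy(value: str) -> bool:
    ip = _parse_ip(value)
    return ip is not None and any(ip in net for net in TRUSTED_PROXY_RANGES)


def real_client(peer_ip: str, headers: Mapping[str, str],
                ip_header: str = IP_HEADER, port_header: str = PORT_HEADER) -> Tuple[str, Optional[int]]:
    """Return (client_ip, client_port) as the origin should log them.

    The marking headers are honoured only when the TCP peer is a back-to-origin
    address of Anti-DDoS Proxy. Any other peer reached the origin directly, so
    its headers are untrusted input and the peer itself is the client.
    """
    if not _is_trusted_proxy(peer_ip):
        return peer_ip, None
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    client_ip = peer_ip
    # Scan the chain from the right: proxies append, clients can only prepend.
    # The rightmost entry that is not a trusted proxy is the address the proxy
    # actually saw; anything left of it was supplied by the client.
    for hop in reversed(lowered.get(ip_header.lower(), "").split(",")):
        if _is_trusted_proxy(hop):
            continue
        if _parse_ip(hop) is not None:
            client_ip = hop.strip()
        break
    port: Optional[int] = None
    raw_port = lowered.get(port_header.lower(), "").strip()
    if raw_port.isdigit() and 1 <= int(raw_port) <= 65535:
        port = int(raw_port)
    return client_ip, port


def unsafe_custom_headers(names: List[str]) -> List[str]:
    """Return the proposed custom header names that collide with the reserved list."""
    return [n for n in names if n.lower() in RESERVED_HEADERS]
```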
Reference
ICP filing
Periodic checks: Anti-DDoS Proxy (Chinese Mainland) periodically checks the ICP filing status of protected domains. If a filing becomes invalid, traffic forwarding for the affected domain stops, and the Website Config page displays: "The domain name has not completed ICP filing. Please update the filing status."
Dual filing requirement: If the origin server is an Alibaba Cloud product (for example, an ECS instance), it must meet the ICP filing requirements of both Anti-DDoS Proxy and that product. See ICP filing check for servers and ICP filing process.
Service recovery: If you receive an invalid ICP filing notification, update your filing information immediately to resume service.
Delete a website configuration
Restore the DNS record before deleting the website configuration. Deleting the configuration while DNS still points to Anti-DDoS Proxy will interrupt your service.
Restore the DNS record: Update the DNS record of the domain so it no longer points to the Anti-DDoS Proxy instance IP address, the Anti-DDoS Proxy CNAME, or a Sec-Traffic Manager CNAME.
Delete the website configuration:
Manually: On the Website Config page, find the configuration and click Delete in the Actions column. See Delete a website configuration.
Automatically: One month after the last Anti-DDoS Proxy instance under your account is released, the system automatically deletes all domain name and port forwarding configurations.