The Alibaba scrubbing center (AliSC) of Anti-DDoS Pro acts as a reverse proxy. It makes sure the client server remains invisible to the origin server. AliSC handles all requests from clients by blocking malicious requests while forwarding legitimate requests to the origin. Therefore, malicious traffic is mitigated when it goes through Anti-DDoS Pro.
In Full-NAT proxy mode, Anti-DDoS Pro uses the local IP as the source IP to establish connection with the origin server, as illustrated in the following figure.
- Multiple local IP addresses are available because AliSC has multiple physical servers.
- In Full NAT mode, each packet’s source IP address will be a local IP address.
- The origin server must whitelist all existing local IP addresses that are fixed to guarantee accessibility.
- AliSC uses local IP addresses to visit IDC network and keeps the real client IP address in HTTP/HTTPS header’s X-forwarded-for field.
For origin, Anti-DDoS Pro makes source IP addresses more concentrated, and improves the transmission speed of packets from them. In this case, however, the local IPs may be determined as suspicious to the origin server’s firewall or security software (if such software is applied). In case of the local IP being blocked or limited, make sure all the local IPs are whitelisted before being diverted to Alibaba Cloud.
For a deeper level of safety consideration, we recommend that you block all requests to the origin server from IP addresses except local IP addresses. By doing this, the origin is better protected even if the real IP addresses are disclosed.
Log on to the Anti-DDoS Pro console.
Go to Access > Web Service, and then select the domain name to be configured, and click Setting under the Policy column.
Click Setting of Black & White List, and then add the existing local IP addresses to the whitelist.