Anti-DDoS Pro or Anti-DDoS Premium and Web Application Firewall (WAF) can be used
together to protect websites against both DDoS attacks and web application attacks.
This topic describes how to add a website to both Anti-DDoS Pro or Anti-DDoS Premium
and WAF.
Background information
To configure Anti-DDoS Pro or Anti-DDoS Premium and WAF for your website, you can
deploy the following network architecture: Use Anti-DDoS Pro or Anti-DDoS Premium
at the ingress to defend against DDoS attacks. Use WAF at the intermediate layer to
defend against web application attacks. Configure an ECS instance, SLB instance, or
on-premises server as the origin server.
Note After you apply the preceding architecture, access requests are sent to multiple intermediate
proxy servers before reaching the origin server. The origin server cannot directly
obtain the actual source IP addresses of the requests. For more information about
how to obtain the actual source IP addresses, see
Obtain the real IP address of a visitor.
Procedure
- Add the domain name of your website to WAF. For more information, see Add domain names.
In the
Enter your website information step, set
Destination Server (IP Address) to
IP and enter the public IP address of the origin server. The origin server can be an
SLB instance, ECS instance, or on-premises server. Set
Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF to
Yes.

After you add the domain name to WAF, go to the
Website Access page in the
WAF console to obtain the
CNAME address of WAF.

- Add your website service to Anti-DDoS Pro or Anti-DDoS Premium. For more information,
see Add a website.
In the
Enter Site Information step, set
Server IP to
Origin Server Domain and enter the
CNAME address of WAF obtained in the previous step.

After you add the domain name to Anti-DDoS Pro or Anti-DDoS Premium, go to the
Website Config page in the
Anti-DDoS Pro or Anti-DDoS Premium console to obtain the
CNAME address of Anti-DDoS Pro or Anti-DDoS Premium.

- On the website of your DNS service provider, modify DNS records to point the domain
name to the CNAME address of Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Modify DNS records to protect websites.
After the preceding configuration is complete, traffic to access your website is first
scrubbed by Anti-DDoS Pro or Anti-DDoS Premium and then forwarded to WAF to filter
out web application attacks. Only normal traffic is forwarded to the origin server.