When your website faces both volumetric DDoS attacks and sophisticated web application attacks — such as SQL injection, cross-site scripting (XSS), and command injection — deploy Anti-DDoS Proxy and Web Application Firewall (WAF) together. This topic describes how to connect the two services to form a layered defense.
How it works
Traffic flows through two protection layers before reaching your origin server:
| Layer | Service | Threats mitigated |
|---|---|---|
| Ingress | Anti-DDoS Proxy | Volumetric DDoS attacks (network-layer and transport-layer floods) |
| Intermediate | WAF | Web application attacks: SQL injection, XSS, command injection, HTTP floods |
| Backend | Origin server (ECS instance, SLB instance, VPC, or data center server) | Receives only clean, verified traffic |
The following figure shows the traffic flow.
Usage notes
Requests pass through multiple intermediate proxy servers before reaching the origin server, so the origin server cannot directly obtain the originating IP addresses. For details, see Obtain the originating IP addresses of requests.
Prerequisites
Before you begin, ensure that you have:
An Anti-DDoS Proxy instance. For more information, see Purchase an Anti-DDoS Proxy instance.
A WAF instance. For more information, see Purchase a subscription WAF 3.0 instance or Purchase a pay-as-you-go WAF 3.0 instance.
This topic uses WAF 3.0 as an example. The steps also apply to WAF 2.0.
Step 1: Add your website to WAF
WAF supports two modes: CNAME record mode and cloud native mode. Before you start, review Overview to choose the right mode for your setup.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
On the CNAME Record or Cloud Native tab, add your website.
CNAME record mode
On the CNAME Record tab, click Add.
In the Configure Listener step, configure the parameters and click Next.
| Parameter | Description |
|---|---|
| Domain name | Enter the domain name of your website. |
| Protocol type | Select the protocol and ports your website uses. Press Enter after each port number. If you select HTTPS, upload the certificate associated with the domain name. After uploading the certificate, you can also enable HTTP/2 and HTTPS Routing, and configure the TLS version and cipher suite. |
| Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF | Select Yes and configure Obtain Actual IP Address of Client:<br>- Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client (default): WAF uses the first IP address in the X-Forwarded-For header as the client's originating IP address.<br>- [Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery: If your proxy records originating IP addresses in a custom header (such as X-Client-IP or X-Real-IP), select this option and enter the header name in the Header Field field. Using a custom header prevents attackers from forging X-Forwarded-For values to bypass WAF protection. |
| More settings | Enable IPv6 and exclusive IP addresses, and select the type of protection resources based on your requirements. |
| Resource group | Select the resource group for the domain name. If you leave this blank, the domain name is added to the default resource group. |
In the Configure Forwarding Rule step, configure the parameters and click Submit.
| Parameter | Description |
|---|---|
| Load balancing algorithm | If your origin server has multiple addresses, select a load balancing algorithm. |
| Origin server address | Enter the public IP address or domain name of the origin server that receives back-to-origin requests from WAF. |
| Advanced HTTPS settings | Specify whether to enable Retry Back-to-origin Request and Enable Traffic Mark. |
| Other advanced settings | Configure Enable Traffic Mark, Retry Back-to-origin Requests, Back-to-origin Keep-alive Requests, and the connection timeout period. |
In the Add Completed step, copy the CNAME provided by WAF. You will use this CNAME as the origin server address in Anti-DDoS Proxy.
Cloud native mode
For more information, see Cloud native mode.
For Application Load Balancer (ALB), Microservices Engine (MSE), and Function Compute: use SDK module mode.
For Classic Load Balancer (CLB) or ECS: use reverse proxy cluster mode.
Step 2: Add your website to Anti-DDoS Proxy
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance:
Anti-DDoS Proxy (Chinese Mainland): select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): select Outside Chinese Mainland.
In the left-side navigation pane, choose Provisioning > Website Config.
On the Website Config page, click Add Website. Enter the required information and click Next.
| Parameter | Description |
|---|---|
| Function plan | Select the function plan of the Anti-DDoS Proxy instance. |
| Instance | Select the Anti-DDoS Proxy instance. You can associate up to eight instances with a domain name. All instances must use the same Function Plan. |
| Websites | Enter the domain name of your website. |
| Protocol type | Select the protocol used by your website. If you select HTTPS, upload the certificate for the domain name. After selecting HTTPS, you can also enable HTTPS Redirection, HTTP Redirection of Back-to-origin Requests, and HTTP/2. For more information about uploading certificates, customizing security policies, and enabling Online Certificate Status Protocol (OCSP) Stapling, see Add one or more websites. |
| Server address | - If you added the domain name to WAF in CNAME record mode: select Origin Domain Name and enter the WAF CNAME obtained in Step 1.<br>- If you added the domain name to WAF in cloud native mode: select Origin IP Address and enter the public IP address of the origin server. |
| Server port | Set based on the Protocol Type value. HTTP and WebSocket use port 80 by default; HTTPS, HTTP/2, and WebSockets use port 443 by default. Click Custom to enter additional ports, separated by commas (,). |
| CNAME reuse | Available only for Anti-DDoS Proxy (Outside Chinese Mainland). For more information, see Use the CNAME reuse feature. |
Configure the forwarding settings and click Next.
| Parameter | Description |
|---|---|
| Back-to-origin scheduling algorithm | Controls how Anti-DDoS Proxy distributes requests across multiple origin server addresses. Three options are available:<br>- Round-robin (default): Distributes requests to all addresses in turn. All addresses have equal weight by default; you can adjust weights to route more traffic to higher-capacity servers. Use this when you need even load distribution across multiple origin servers.<br>- IP hash: Routes requests from the same client IP to the same server for a period of time, maintaining session consistency. Combined with weight settings, higher-capacity servers handle proportionally more traffic. Use this when your application requires session persistence. Note that uneven load distribution may occur in edge cases.<br>- Least time: Uses intelligent DNS resolution to route each request to the server with the lowest latency across the entire link from the protection node to the origin. |
| Traffic marking | Adds information about client requests to HTTP headers for use by downstream systems:<br>- Originating Port: Specifies the header that records the client's originating port. The default header is X-Forwarded-ClientSrcPort. To use a custom header, enter the header name here.<br>- Originating IP Address: Specifies the header that records the client's originating IP address. The default header is X-Forwarded-For. To use a custom header, enter the header name here.<br>- Custom Header: Adds up to five custom HTTP headers to back-to-origin requests. Do not use the following reserved headers: X-Forwarded-ClientSrcPort, X-Forwarded-ProxyPort, X-Forwarded-For. Do not use standard HTTP headers (such as Host, User-Agent, Connection, Upgrade) or widely used custom headers (such as X-Real-IP, X-True-IP, X-Client-IP, Web-Server-Type, WL-Proxy-Client-IP, EagleEye-RPCID, EagleEye-TraceID, X-Forwarded-Cluster, X-Forwarded-Proto). Using these reserved headers overwrites their original values. |
| Cookie settings | Controls how Anti-DDoS Proxy handles cookies:<br>- Delivery Status (enabled by default): Anti-DDoS Proxy inserts cookies into client responses to distinguish clients and collect fingerprint information. Disabling this switch prevents Anti-DDoS Proxy from actively assessing and defending against HTTP flood attacks through HTTP flood mitigation rules.<br>- Secure Attribute (disabled by default): When enabled, cookies are delivered only over HTTPS connections, protecting them from interception. Enable this setting if your website uses HTTPS exclusively. |
| Other settings | Fine-tune connection and request handling:<br>- Configure New Connection Timeout Period: Timeout for establishing a connection to the origin server. Valid values: 1–10 seconds.<br>- Configure Read Connection Timeout Period: Timeout for the origin server to respond to a read request. Valid values: 10–300 seconds.<br>- Configure Write Connection Timeout Period: Timeout for Anti-DDoS Proxy to send all data to the origin server. Valid values: 10–300 seconds.<br>- Retry Back-to-origin Requests: When enabled, if a requested resource is not in cache, the cache server retrieves it from an upper-level cache or the origin server.<br>- Back-to-origin Persistent Connections: When enabled, the TCP connection between the cache server and origin server stays open after each request, reducing connection setup overhead.<br>- Requests Reusing Persistent Connections: The maximum number of HTTP requests sent over a single persistent TCP connection. Valid values: 10–1,000. Set this to a value less than or equal to the limit configured on the origin server (such as WAF or SLB) to prevent connection failures.<br>- Timeout Period of Idle Persistent Connections: How long an idle persistent TCP connection is kept open before being closed. Valid values: 10–30 seconds. Set this to a value less than or equal to the timeout configured on the origin server to prevent connection failures.<br>- Upper Limit for HTTP/2 Streams: The maximum number of concurrent HTTP/2 streams between the client and Anti-DDoS Proxy. Valid values: 16–32. Available only when HTTP/2 is enabled. To set a higher limit, contact your account manager. |
Copy the CNAME provided by Anti-DDoS Proxy.
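The following Python example, added here and not part of this topic or of either product, shows why the Obtain Actual IP Address of Client option in Step 1 and the Originating IP Address traffic mark in Step 2 matter: it simulates one trusted Layer 7 proxy hop and then resolves the client address the two ways WAF offers. It assumes the proxy appends the peer address to any existing X-Forwarded-For and unconditionally overwrites the configured custom header; the header name X-Client-IP and all addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample: the real client (198.51.100.7) sends a request that already
# carries a forged X-Forwarded-For value, hoping the origin trusts the first entry.
CLIENT_IP = "198.51.100.7"
FORGED_REQUEST = {"X-Forwarded-For": "10.0.0.1"}   # attacker-supplied header
CUSTOM_HEADER = "X-Client-IP"                        # custom header configured on the proxy


def proxy_hop(headers: Dict[str, str], peer_ip: str, custom_header: str) -> Dict[str, str]:
    """Simulate one trusted proxy hop (an assumption about proxy behaviour, not product code):
    append the TCP peer address to X-Forwarded-For and overwrite the custom header."""
    out = dict(headers)
    existing = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{existing}, {peer_ip}" if existing else peer_ip
    out[custom_header] = peer_ip   # overwritten on every hop, so only the proxy controls it
    return out


def _first_valid_ip(value: str) -> Optional[str]:
    """Return the first comma-separated entry if it parses as an IP address, else None."""
    first = value.split(",")[0].strip() if value else ""
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def client_ip_xff_first(headers: Dict[str, str]) -> Optional[str]:
    """Default WAF option: first IP in X-Forwarded-For. The leftmost entry is whatever
    the client put there, so a forged value survives the trusted hop."""
    return _first_valid_ip(headers.get("X-Forwarded-For", ""))


def client_ip_specified_header(headers: Dict[str, str], header_name: str) -> Optional[str]:
    """Recommended WAF option: first IP in a header that only the trusted proxy writes."""
    return _first_valid_ip(headers.get(header_name, ""))


def demo():
    """Resolve the client address both ways for the forged request after one proxy hop."""
    forwarded = proxy_hop(FORGED_REQUEST, CLIENT_IP, CUSTOM_HEADER)
    return client_ip_xff_first(forwarded), client_ip_specified_header(forwarded, CUSTOM_HEADER)


if __name__ == "__main__":
    print(demo())   # the XFF-first result is the forged address, the custom-header result is the real one
```

The same logic applies on the origin server: read only the header your upstream proxy is configured to set, and treat X-Forwarded-For as client-controlled unless you walk it from the right past known proxy addresses.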
Step 3: Update the DNS record
Point your domain name to the Anti-DDoS Proxy CNAME obtained in Step 2. The steps below use Alibaba Cloud DNS as an example. If you use a third-party DNS provider, refer to your provider's documentation.
Log on to the DNS console.
On the Domain Name Resolution page, find your domain name and click DNS Settings in the Actions column.
On the DNS Settings page, find the existing DNS record and click Modify in the Actions column.
If the DNS record does not exist in the list, click Add DNS Record to create one.
In the Modify DNS Record (or Add DNS Record) panel, set Record Type to CNAME and set Record Value to the Anti-DDoS Proxy CNAME.
Click OK and wait for the change to propagate.
Open a browser and verify that your website is accessible.
What's next
To add domain names to WAF 2.0 in CNAME record mode or transparent proxy mode, see Add a domain name to WAF and Transparent proxy mode.
To troubleshoot slow response, high latency, or access failures after updating the DNS record, see How do I handle the issues of slow response, high latency, and access failure on my service that is protected by an Anti-DDoS Proxy instance?.
To deploy both Anti-DDoS Proxy and CDN together, see Use the CDN or DCDN interaction feature.