After Anti-Bot is configured for your website domain name, all the access requests sent to your website are first routed to the Anti-Bot instance, which filters malicious bot traffic and forwards the valid requests to the origin server. The process in which the Anti-Bot instance forwards traffic to the origin server is referred to as back-to-origin.

The Anti-Bot instance has a limited number of IP addresses, so all the requests received by the origin server come from these IP addresses. Security software on the origin server (such as the dongle and cloud lock) may treat this traffic pattern as suspicious and block the back-to-origin IP addresses of the Anti-Bot instance. Therefore, after configuring Anti-Bot, you must configure the firewall and security software of the origin server to allow all the back-to-origin IP addresses of the Anti-Bot instance.

Procedure

The Anti-Bot console provides the up-to-date origin CIDR block list. Perform the following steps:
  1. When you add the domain name information to the Anti-Bot instance, you can see the origin CIDR block of the Anti-Bot instance.

  2. Add the CIDR block retrieved in step 1 to the whitelists of the firewall and security software of the origin server.

FAQ

What is a back-to-origin IP address?

A back-to-origin IP address is the source IP address that Anti-Bot, working in proxy mode, uses when it forwards client requests to the server. After Anti-Bot is enabled, the server sees the back-to-origin IP addresses of the Anti-Bot instance as the source of every request. The actual client address is added to the X-Forwarded-For (XFF) field of the HTTP header.

After configuring the Anti-Bot instance, ensure that the origin server allows all the back-to-origin IP addresses of the Anti-Bot instance (by adding these IP addresses to the whitelist). Otherwise, the website can be inaccessible or less responsive.
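Because the origin now sees only back-to-origin addresses, logging and rate limiting on the origin have to recover the client address from XFF, and should do so only when the connection really comes from the whitelisted CIDR block. The following is an added example, not code from the Anti-Bot documentation. The CIDR values are constructed placeholders, the function names are hypothetical, and it assumes Anti-Bot appends the connecting client address as the last XFF entry.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation blocks). Replace them
# with the origin CIDR block list shown in the Anti-Bot console.
BACK_TO_ORIGIN_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]
TRUSTED_NETS = [ipaddress.ip_network(c) for c in BACK_TO_ORIGIN_CIDRS]


def is_back_to_origin(addr):
    """True if addr falls inside one of the whitelisted back-to-origin blocks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_NETS)


def client_ip(peer_addr, xff_header):
    """Return the address to use for logging and rate limiting.

    peer_addr  -- source address of the TCP connection seen by the origin
    xff_header -- raw X-Forwarded-For value, or None/"" if absent
    """
    # A peer outside the whitelist did not come through Anti-Bot, so any XFF
    # value it sends is client-controlled and must be ignored.
    if not is_back_to_origin(peer_addr):
        return peer_addr

    # Assumption: each proxy appends the address it saw, so the list is read
    # right to left. Entries that are themselves back-to-origin addresses are
    # skipped; the first other address is the client as seen by Anti-Bot.
    # Anything further left was supplied by the client and is not trusted.
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_back_to_origin(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_addr  # malformed entry: fall back to the peer address
    return peer_addr  # header missing or contained only proxy addresses


if __name__ == "__main__":
    # Constructed sample requests: (peer address, XFF header)
    for peer, xff in [("203.0.113.10", "192.0.2.55"),
                      ("192.0.2.99", "10.0.0.1"),
                      ("203.0.113.10", "1.2.3.4, 192.0.2.55")]:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```

Requests whose peer address is outside the whitelist reached the origin without passing through Anti-Bot; the origin firewall can reject them outright if the server is meant to be reachable only through the instance.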

Why must the origin CIDR block be allowed?

After the Anti-Bot instance is configured, it acts as the reverse proxy between the client and the server. The actual IP address of the server is hidden, and only the Anti-Bot instance, not the origin server, is visible to the client.

Therefore, from the perspective of the origin server (the actual server), the source IP address of every request is changed to one of the back-to-origin IP addresses of the Anti-Bot instance.

Because the source IP addresses are concentrated in this small set, each of them sends access requests much more frequently. It is then very likely that the firewall or security software of the origin server determines that attacks are being mounted from these source IP addresses and blocks them. Once the back-to-origin IP addresses of the Anti-Bot instance are blocked, the origin server cannot properly respond to the requests forwarded by the Anti-Bot instance. To prevent this, ensure that the back-to-origin IP addresses of the Anti-Bot instance are allowed on the origin server.