
Anti-DDoS:Protect website services

Last Updated:Mar 31, 2026

Anti-DDoS Pro and Anti-DDoS Premium protect your website by routing traffic through Anti-DDoS scrubbing nodes. Attack traffic is filtered out; legitimate traffic is forwarded to your origin server.

Important

Purchasing an instance does not automatically protect your website. Complete all four steps in this guide — and update your DNS record — before your traffic is protected.

Prerequisites

Before you begin, ensure that you have:

  • An Anti-DDoS Pro or Anti-DDoS Premium instance. Purchase one if you haven't already. For details, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

  • ICP filing completed (Chinese mainland instances only). If your instance is deployed in the Chinese mainland, your domain must have a valid ICP filing.

Step 1: Add your website

Log on to the Website Config page in the Anti-DDoS Proxy console.

In the top navigation bar, select the region that matches your instance:

  • Anti-DDoS Proxy (Chinese Mainland) — select Chinese Mainland

  • Anti-DDoS Proxy (Outside Chinese Mainland) — select Outside Chinese Mainland

Click Add Website, then complete the following two configuration screens.

To add multiple websites at once, click Batch Import at the bottom of the page and upload an XML file. For the required format, see Other operations.

Access information

| Configuration item | Description |
| --- | --- |
| Function Plan | Select the function plan of the instance to associate: Standard or Enhanced. Hover over the Description of Function Plan icon to compare features between plans. For details, see Differences between the Standard and Enhanced function plans. |
| Instance | Select the Anti-DDoS Pro or Anti-DDoS Premium instance to associate. A domain name can be associated with up to 8 instances. All selected instances must use the same function plan. |
| Websites | Enter the domain name to protect. Requirements: letters (a–z, A–Z), digits (0–9), and hyphens (-); must start with a letter or digit. Wildcard domain names are supported (for example, *.aliyundoc.com) and automatically match subdomains. If both a wildcard and an exact-match domain are configured (for example, *.aliyundoc.com and www.aliyundoc.com), the exact-match domain takes priority. If you enter a first-level domain, only that domain is protected, not its subdomains. To protect subdomains, enter each subdomain or use a wildcard. IP addresses are not supported. |
| Protocol Type | Select the protocols the website supports. HTTP is selected by default. See the protocol options below. |
| Server Address | Select the origin server address type and enter the address. See the server address options below. |
| Server Port | Based on the selected protocol, specify the port the origin server listens on. See the port configuration details below. |
| CNAME Reuse | (Outside the Chinese mainland only) Enable this feature if multiple website services share the same origin server. After enabling, point the DNS records for all domain names on that server to the same Anti-DDoS Proxy CNAME, without adding a separate website configuration for each. For details, see CNAME reuse. |

Protocol options

HTTP is selected by default. Select additional protocols as needed:

  • HTTPS — required for HTTPS traffic. After selecting HTTPS, upload a certificate and optionally configure TLS settings. See HTTPS certificate and TLS configuration.

  • WebSocket — automatically selects HTTP. Cannot be selected without HTTP.

  • WebSockets — automatically selects HTTPS. Cannot be selected without HTTPS.

After selecting HTTPS, the following advanced settings are available:

  • Enable HTTPS Redirection — forces all HTTP requests to HTTPS port 443. Requires both HTTP and HTTPS to be selected, and WebSocket must not be selected. If you access the website over a non-standard HTTP port, requests are still redirected to HTTPS port 443.

  • Enable HTTP Redirection of Back-to-origin Requests — sends back-to-origin traffic over HTTP (port 80 by default). Enable this if your origin server does not support HTTPS. If you access the website over a non-standard HTTPS port, back-to-origin traffic is redirected to HTTP port 80.

  • HTTP/2 Listener — allows HTTP/2 clients to connect to Anti-DDoS Proxy. Back-to-origin traffic still uses HTTP/1.1. Specifications:

    | Parameter | Value |
    | --- | --- |
    | Idle timeout (http2_idle_timeout) | 120s |
    | Max requests per connection (http2_max_requests) | 1,000 |
    | Max concurrent streams per connection (http2_max_concurrent_streams) | 4 |
    | Max header list size after HPACK decompression (http2_max_header_size) | 256K |
    | Max HPACK-compressed header field size (http2_max_field_size) | 64K |

HTTPS certificate and TLS configuration

Upload a certificate to allow Anti-DDoS Proxy to scrub HTTPS traffic.

Upload a certificate:

  • Upload — enter a Certificate Name, paste the certificate content into Certificate File, and the private key into Private Key. For PEM, CER, or CRT files, open the file in a text editor and copy the content. For PFX or P7B files, convert to PEM format first. See Convert the format of a certificate. If the certificate includes a chain, concatenate all certificate contents before pasting.

  • Select Existing Certificate — select a certificate you previously uploaded to Certificate Management Service (Original SSL Certificate).

Custom TLS security policy:

Configure the TLS versions and cipher suites for certificates using internationally accepted algorithms. For full details, see Configure a TLS security policy for an HTTPS certificate.

  • TLS Versions for SSL Certificate — select the range of TLS versions to support. TLS 1.3 can optionally be enabled in addition to the selected range.

    | Option | Supported versions | Security level |
    | --- | --- | --- |
    | TLS 1.0 and later | TLS 1.0, 1.1, 1.2 | Low (best compatibility) |
    | TLS 1.1 and later | TLS 1.1, 1.2 | Medium |
    | TLS 1.2 and later | TLS 1.2 | High |

  • Cipher Suites for SSL Certificate — select a cipher suite group or a custom configuration. Hover over the question mark icon next to each option to see the included cipher suites.

Enable Mutual Authentication:

Upload a root CA or intermediate CA certificate to require TLS mutual authentication between clients and Anti-DDoS Proxy. Both Alibaba Cloud-issued and third-party CA certificates are supported.

  • Issued by Alibaba Cloud — select a CA certificate from the Default CA Certificate dropdown.

  • Not Issued by Alibaba Cloud — upload the self-signed CA certificate to Certificate Management Service, then select it from the Default CA Certificate dropdown. For upload instructions, see Upload a certificate to a repository.

Enable OCSP Stapling:

Online Certificate Status Protocol (OCSP) Stapling is disabled by default.

  • Disabled (default) — the client browser queries the CA directly for certificate status during TLS handshakes. On slow networks, this can cause page load latency.

  • Enabled — Anti-DDoS Proxy performs the OCSP query and caches the result for 3,600 seconds. During TLS handshakes, the proxy sends the cached OCSP response together with the certificate chain, eliminating the client-side blocking query. Enable this feature to improve HTTPS performance.

SM certificate (Chinese mainland only):

Anti-DDoS Pro and Anti-DDoS Premium instances in the Chinese mainland support SM certificates using the SM2 algorithm. SM requests from 360 Browser and Honglianhua Browser are supported.

  • Allow Access Only from SM Certificate-based Clients — off by default. When enabled, only clients with an SM certificate installed can connect. When disabled, both SM certificate clients and clients using internationally accepted algorithm certificates can connect. Enabling this switch disables TLS suite, mutual authentication, and OCSP Stapling settings for internationally accepted algorithm certificates.

  • SM Certificate — upload an SM certificate to Certificate Management Service before selecting it here.

  • SM Cipher Suites for HTTPS Support — the following cipher suites are enabled by default and cannot be modified:

    • ECC-SM2-SM4-CBC-SM3

    • ECC-SM2-SM4-GCM-SM3

    • ECDHE-SM2-SM4-CBC-SM3

    • ECDHE-SM2-SM4-GCM-SM3

Server address options

| Address type | When to use | Details |
| --- | --- | --- |
| Origin IP Address | Direct connection to the origin | Enter up to 20 IP addresses, separated by commas. For ECS instances, enter the public IP address. If an SLB instance sits in front of ECS, enter the SLB public IP address. For non-Alibaba Cloud origins, run ping <domain-name> to find the public IP address. |
| Origin Domain Name | A proxy (such as WAF) sits between the origin and Anti-DDoS Proxy | Enter up to 10 domain names, one per line. For example, enter the WAF CNAME to deploy WAF after Anti-DDoS Proxy. See Protect a website by using both Anti-DDoS Pro or Anti-DDoS Premium and WAF. If the origin domain name is an OSS bucket's default public endpoint, attach a custom domain name to the bucket first. See Attach a custom domain name. |
The origin server can be an Alibaba Cloud service or a service hosted elsewhere. If it is an Alibaba Cloud service, it must belong to your account. If it belongs to another account, contact your business manager before proceeding.

Port configuration

Default ports:

| Protocol | Default port |
| --- | --- |
| HTTP, WebSocket | 80 |
| HTTPS, HTTP/2, WebSockets | 443 |

To use non-default ports, enter custom values separated by commas. The valid range for both HTTP and HTTPS is port 80 to 65535.

The total number of custom ports across all website services on a single instance cannot exceed 10, counting all protocols together. For example, if Website A uses HTTP ports 80 and 8080, Website B on the same instance can use at most 8 custom HTTPS ports.
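The domain-name rules in the Websites row above, the exact-match-over-wildcard precedence, and the per-instance custom port budget are easy to get wrong in bulk onboarding. The following pre-submission check is an added example written for this page; it is not Alibaba Cloud code and does not call the Anti-DDoS API. Two assumptions are made and marked in the code: each DNS label is checked against the letter/digit/hyphen rule, and a wildcard such as *.aliyundoc.com matches subdomains at any depth but never the bare aliyundoc.com. Every port entered counts toward the limit of 10, as in the page's own example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Rules from the page: letters, digits and hyphens, starting with a letter or
# digit; IP addresses are not accepted. Assumption: the rule is applied per label.
_LABEL = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")

CUSTOM_PORT_LIMIT = 10         # per instance, across all protocols (page)
PORT_RANGE = range(80, 65536)  # valid custom ports 80-65535 (page)


def validate_domain(name: str) -> bool:
    """Return True if `name` is acceptable as a Websites entry."""
    try:
        ipaddress.ip_address(name)
        return False               # bare IP addresses are not supported
    except ValueError:
        pass
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":  # wildcard: validate the remaining labels
        labels = labels[1:]
    if len(labels) < 2:
        return False
    return all(_LABEL.match(lbl) for lbl in labels)


def select_website_config(host: str, configured: List[str]) -> Optional[str]:
    """Pick the website configuration that serves `host`.

    An exact-match entry wins over a wildcard (page). Assumption: a wildcard
    matches any subdomain depth (a.aliyundoc.com, a.b.aliyundoc.com) and
    never the bare zone; the longest matching wildcard is preferred.
    """
    host = host.lower().rstrip(".")
    if host in (c.lower() for c in configured):
        return host
    best = None
    for entry in configured:
        entry = entry.lower()
        if entry.startswith("*.") and host.endswith(entry[1:]):
            if best is None or len(entry) > len(best):
                best = entry
    return best


def custom_ports_available(existing_sites: Dict[str, Dict[str, List[int]]]) -> int:
    """Remaining custom-port budget on an instance.

    `existing_sites` maps domain -> {"http": [...], "https": [...]}.
    Every port entered counts, including 80 and 443 (page example).
    """
    used = sum(len(ports) for site in existing_sites.values()
               for ports in site.values())
    return max(CUSTOM_PORT_LIMIT - used, 0)


def check_ports(ports: List[int]) -> List[str]:
    """Return a list of problems with a custom port list (empty means OK)."""
    problems = [f"port {p} outside 80-65535" for p in ports if p not in PORT_RANGE]
    if len(set(ports)) != len(ports):
        problems.append("duplicate port")
    return problems


if __name__ == "__main__":
    # Constructed sample mirroring the page's port example (Website A).
    sites = {"a.example.test": {"http": [80, 8080], "https": []}}
    print(custom_ports_available(sites))  # 8
    print(select_website_config("www.aliyundoc.com",
                                ["*.aliyundoc.com", "www.aliyundoc.com"]))
    print(validate_domain("192.0.2.10"))  # False: IP addresses not supported
```

Run the checks over a batch-import list before uploading it; an entry that fails `validate_domain` or a port list that exhausts `custom_ports_available` will be rejected by the console anyway, and catching it locally keeps a partial import from leaving some domains unprotected.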

Forwarding settings

| Configuration item | Description |
| --- | --- |
| Back-to-origin Scheduling Algorithm | Applies when multiple origin server addresses are configured. Select how traffic is distributed across origin servers. See the algorithm options below. |
| Traffic Marking | Add headers to back-to-origin requests for origin server tracking and analysis. See the traffic marking options below. |
| Cookie Settings | Control how Anti-DDoS Proxy inserts cookies for client identification and HTTP flood protection. |
| Other Settings | Configure connection timeouts and persistent connection parameters. |

Back-to-origin scheduling algorithm

| Algorithm | Behavior | Best for |
| --- | --- | --- |
| Round-robin (default) | Distributes requests evenly across all origin addresses. Adjustable weights determine relative traffic share. | Multiple origin servers requiring even load distribution |
| IP hash | Routes requests from the same client to the same origin server for a period of time. Supports weight-based allocation based on server capacity. | Scenarios requiring session consistency (note: may cause imbalanced load in edge cases) |
| Least time | Uses intelligent DNS resolution to route requests to the origin with the lowest latency across the full link from protection node to origin. | Latency-sensitive traffic |

Retry back-to-origin requests: When Anti-DDoS Proxy cannot find a requested resource in cache, it retries against an upper-level cache or the origin server. The default maximum retry count per origin server is 3.
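The difference between weighted round-robin and IP hash, including the "imbalanced load in edge cases" caveat in the table, is clearer in a small simulation. This is an added example written for this page, not Alibaba Cloud's scheduler; it models only the two algorithms whose behaviour the page describes (least time depends on live latency measurements and is not simulated). Origin addresses and client IPs are constructed sample values, and CRC32 stands in for whatever hash the real proxy uses.

```python
import zlib
from collections import Counter
from itertools import cycle
from typing import Dict, List


def _ring(origins: Dict[str, int]) -> List[str]:
    """Expand {origin: weight} into a slot list, one slot per unit of weight."""
    return [origin for origin, weight in origins.items() for _ in range(weight)]


def weighted_round_robin(origins: Dict[str, int], n_requests: int) -> List[str]:
    """Assign requests to origins in turn, in proportion to their weights."""
    slots = cycle(_ring(origins))
    return [next(slots) for _ in range(n_requests)]


def ip_hash(origins: Dict[str, int], client_ips: List[str]) -> List[str]:
    """Pin each client IP to one origin; a heavier weight owns more hash slots.

    Deterministic CRC32 is used (assumption, stand-in for the real hash) so the
    same client always lands on the same origin.
    """
    ring = _ring(origins)
    return [ring[zlib.crc32(ip.encode()) % len(ring)] for ip in client_ips]


def distribution(assignments: List[str]) -> Dict[str, int]:
    """Requests per origin."""
    return dict(Counter(assignments))


if __name__ == "__main__":
    # Constructed sample: origin A has twice the capacity of origin B.
    origins = {"10.0.0.1": 2, "10.0.0.2": 1}
    print(distribution(weighted_round_robin(origins, 6)))

    # Edge case from the table: many users behind one NAT address share one
    # client IP, so IP hash sends all of them to a single origin.
    nat_clients = ["198.51.100.7"] * 100
    print(distribution(ip_hash(origins, nat_clients)))
```

When a large share of your users sit behind one corporate or carrier NAT, the second distribution above is what the origin side will see with IP hash; session consistency is kept, but one origin takes the whole load.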

Traffic marking

  • Originating Port — the HTTP header recording the client's source port. The default is X-Forwarded-ClientSrcPort. Specify a custom header name here if your origin server uses a different header to capture client port information. For details on how origins parse this header, see Obtain the originating IP addresses of requests.

  • Originating IP Address — the HTTP header recording the client's source IP address. The default is X-Forwarded-For. Specify a custom header name if your origin uses a different header.

  • Custom Header — add up to 5 custom HTTP headers to back-to-origin requests, specifying a name and a value for each. Anti-DDoS Proxy adds these headers to every forwarded request so that your backend can use them for statistical analysis. Do not use standard HTTP headers (such as Host, User-Agent, Connection, Upgrade), widely used custom headers (such as X-Real-IP, X-True-IP, X-Client-IP, Web-Server-Type, WL-Proxy-Client-IP, EagleEye-RPCID, EagleEye-TraceID, X-Forwarded-Cluster, X-Forwarded-Proto), or the reserved headers listed below as custom headers: a custom header with any of these names overwrites the original header value.

    | Reserved header | Purpose |
    | --- | --- |
    | X-Forwarded-ClientSrcPort | Client source port |
    | X-Forwarded-ProxyPort | Listener port |
    | X-Forwarded-For | Client originating IP address |
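The traffic-marking headers above are only meaningful when the request really came from Anti-DDoS Proxy: an origin that reads X-Forwarded-For from any peer will log whatever a direct caller puts in that header. The following origin-side helper is an added example written for this page (not Alibaba Cloud code) and shows the two checks that belong together: the same back-to-origin address allowlist that Step 2 has you add to the firewall or security group, and header parsing that is applied only when the peer is on that list. The 192.0.2.0/24 range is a documentation placeholder standing in for the published back-to-origin ranges, and the assumption that the proxy appends the client IP as the last X-Forwarded-For entry is marked in the code.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# PLACEHOLDER: replace with the back-to-origin CIDR blocks published for your
# instance (see "Allow back-to-origin IP addresses of Anti-DDoS Pro or
# Anti-DDoS Premium"). 192.0.2.0/24 is a documentation-only range.
TRUSTED_BACK_TO_ORIGIN = [ipaddress.ip_network("192.0.2.0/24")]

# Header names as configured under Traffic Marking (page defaults).
IP_HEADER = "X-Forwarded-For"
PORT_HEADER = "X-Forwarded-ClientSrcPort"


def is_trusted_peer(peer_ip: str,
                    ranges: Iterable[ipaddress.IPv4Network] = TRUSTED_BACK_TO_ORIGIN) -> bool:
    """True if the TCP peer is one of the allowlisted back-to-origin addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def client_address(peer_ip: str, headers: Dict[str, str]) -> Tuple[str, Optional[int]]:
    """Return (client_ip, client_port) as the origin should record them.

    Headers are honoured only when the request arrived from a trusted
    back-to-origin address; otherwise the peer is treated as the client and
    the headers are ignored, since a direct caller could have set them.
    Assumption: the proxy appends the client IP as the LAST X-Forwarded-For
    entry, so any earlier entries were supplied by the client and are ignored.
    """
    if not is_trusted_peer(peer_ip):
        return peer_ip, None

    hdrs = {name.lower(): value for name, value in headers.items()}
    entries = [e.strip() for e in hdrs.get(IP_HEADER.lower(), "").split(",") if e.strip()]
    if not entries:
        return peer_ip, None
    try:
        client_ip = str(ipaddress.ip_address(entries[-1]))
    except ValueError:
        return peer_ip, None  # malformed header: fall back to the peer address

    client_port = None
    raw_port = hdrs.get(PORT_HEADER.lower(), "")
    if raw_port.isdigit() and 0 < int(raw_port) < 65536:
        client_port = int(raw_port)
    return client_ip, client_port


if __name__ == "__main__":
    # Constructed sample: a request forwarded by the proxy, where the client
    # had already sent its own (untrusted) X-Forwarded-For value.
    forwarded = {"X-Forwarded-For": "10.0.0.1, 203.0.113.9",
                 "X-Forwarded-ClientSrcPort": "51234"}
    print(client_address("192.0.2.5", forwarded))        # ('203.0.113.9', 51234)

    # A request that bypassed the proxy: headers are not trusted.
    print(client_address("198.51.100.20", forwarded))    # ('198.51.100.20', None)
```

Keep `TRUSTED_BACK_TO_ORIGIN` and the firewall or security-group allowlist from Step 2 in step with each other: the firewall decides which peers may reach the origin at all, and this check decides whose client headers are believed. If you renamed either header under Traffic Marking, change `IP_HEADER` and `PORT_HEADER` to match.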

Cookie settings

  • Delivery Status — enabled by default. Anti-DDoS Proxy inserts a cookie into client browsers to differentiate clients and support HTTP flood protection. Disabling this setting prevents Anti-DDoS Proxy from using the HTTP flood protection policy module for proactive CC attack detection. See Configure CC security protection.

  • Secure Attribute — disabled by default. When enabled, the cookie is sent only over HTTPS connections. Enable this when your website uses HTTPS only, to reduce the risk of cookie theft.

Other settings

| Parameter | Range | Description |
| --- | --- | --- |
| New Connection Timeout | 1–10 seconds | Maximum time Anti-DDoS Proxy waits when establishing a connection to the origin server. If no connection is established within this period, the attempt is marked as failed. |
| Read Connection Timeout | 10–300 seconds | Maximum time Anti-DDoS Proxy waits for a response from the origin server after sending a read request. |
| Write Connection Timeout | 10–300 seconds | Maximum time Anti-DDoS Proxy waits to finish sending data to the origin server and for the origin server to start processing it. |
| Back-to-origin Persistent Connection | Enabled/Disabled | Keeps a TCP connection between the cache server and the origin server active after each request completes, rather than closing it. Enabling this feature reduces the time and resources required to establish connections, and improves request processing efficiency and speed. |
| Requests Reusing Persistent Connections | 10–1,000 | Maximum number of HTTP requests that can be sent over a single persistent TCP connection to the origin. Set this to a value equal to or less than the backend's own persistent connection limit (for WAF or SLB instances, match their configuration) to avoid service interruptions from premature connection closure. |
| Timeout Period of Idle Persistent Connections | 10–30 seconds | Maximum idle time for a persistent TCP connection in the connection pool before it is closed. Set this to a value equal to or less than the backend's idle timeout to avoid service interruptions. |
| Upper Limit for HTTP/2 Streams | 16–32 | Maximum concurrent streams between clients and Anti-DDoS Proxy. Available only when HTTP/2 is enabled. Contact your business manager for values above 32. |

Step 2: Switch website traffic to Anti-DDoS Proxy

Warning

Test the forwarding configuration locally before updating DNS. Switching DNS without prior verification risks service interruption.

Complete these three tasks in order:

  1. Allow back-to-origin IP addresses. Add Anti-DDoS Pro or Anti-DDoS Premium back-to-origin IP address ranges to your origin server's firewall or security group allowlist. This prevents the proxy's forwarded traffic from being blocked. For instructions, see Allow back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium.

  2. Verify the configuration locally. Before changing your DNS record, test the forwarding configuration by modifying your local hosts file. This confirms traffic is forwarded and the origin server responds correctly. For instructions, see Verify traffic forwarding settings on a local machine.

  3. Update your DNS record. After local verification passes, update your domain's DNS record to point to the CNAME address provided by Anti-DDoS Pro or Anti-DDoS Premium. This routes live traffic through the Anti-DDoS scrubbing nodes. For instructions, see Resolve your website domain name to Anti-DDoS Pro or Anti-DDoS Premium using a CNAME or IP address.

Step 3: Configure mitigation policies

After adding your website, the following policies are enabled by default:

| Policy | Description |
| --- | --- |
| Anti-DDoS Global Mitigation Policy | Provides three built-in policies classified by traffic scrubbing intensity, allowing immediate response to volumetric attacks. For details, see Configure the global mitigation policy. |
| Intelligent Protection | Uses a big data analysis engine to learn traffic patterns, detect new types of HTTP flood attacks, and dynamically adjust blocking policies. For details, see Use the intelligent protection feature. |
| Frequency Control | Limits request frequency from individual source IP addresses. Runs in Normal mode by default to protect against common HTTP flood attacks. For details, see Configure frequency control. |

The following policies require manual configuration:

| Policy | Description |
| --- | --- |
| Blacklist and Whitelist | Block requests from specific IP addresses or CIDR blocks, or allow them to bypass all mitigation policies. For details, see Configure blacklists and whitelists for domain names. |
| Location Blacklist | Block all requests from IP addresses in specified geographic locations. For details, see Configure a location blacklist for a domain name. |
| Accurate Access Control | Create custom rules to allow, block, or challenge requests based on HTTP fields such as IP, URI, Referer, User-Agent, and query parameters. For details, see Configure accurate access control rules. |

To modify any policy, go to Website Config, find the target domain name, and click Actions > Mitigation Settings. Configure policies on the Protection for Website Services tab.

Step 4: View protection data

After your website is onboarded, use the console to monitor protection status:

  1. Security Overview — view instance and domain statistics and details of DDoS attack events. See Security Overview.

  2. Operation Logs — review important operational records. See Query operation logs.

  3. Log Analysis — view detailed access logs and HTTP flood attack logs for your website. See Use the Log Analysis feature.

Log Analysis is a value-added service that must be purchased and enabled separately. Once enabled, Alibaba Cloud Log Service collects website access logs and HTTP flood attack logs. You can search and analyze log data in real time and view results on dashboards. For details, see What is Log Service?

FAQ

Users report login failures or session loss after I added my website to Anti-DDoS Proxy.

This is most likely caused by the cookie insertion feature. Anti-DDoS Proxy inserts a cookie to identify clients for HTTP flood protection, and some session management systems conflict with it. Disable the Delivery Status switch under Forwarding Settings > Cookie Settings.

Warning

Disabling cookie insertion reduces the effectiveness of HTTP flood protection rules.

I purchased an instance. Is my website protected now?

No. Purchasing an instance is only the first step. Your website is not protected until you complete the Add Website configuration in the console and update your DNS record to point to the CNAME address provided by Anti-DDoS Pro or Anti-DDoS Premium. Traffic is protected only after the DNS change propagates.