If a website service encounters volumetric attacks and sophisticated web application attacks, such as SQL injection, cross-site scripting (XSS), and command injection attacks, we recommend that you add the website service to Anti-DDoS Proxy and Web Application Firewall (WAF) to protect against various potential threats. This topic describes how to add a website service to Anti-DDoS Proxy and WAF.
Network architecture
To configure Anti-DDoS Proxy and WAF for your website service, you can apply the following network architecture: Use Anti-DDoS Proxy at the ingress to defend against DDoS attacks. Use WAF at the intermediate layer to defend against web application attacks. Configure an Elastic Compute Service (ECS) instance, Server Load Balancer (SLB) instance, virtual private cloud (VPC), or server in a data center as the origin server. This way, traffic is scrubbed by Anti-DDoS Proxy and then filtered by WAF. Only service traffic is forwarded to the origin server. This ensures service and data security. The following figure shows how traffic is forwarded.
Usage notes
Requests are sent to multiple intermediate proxy servers before the requests reach the origin server. The origin server cannot directly obtain the originating IP addresses of the requests. For information about how to obtain the originating IP addresses, see Obtain the originating IP addresses of requests.
Prerequisites
An Anti-DDoS Proxy instance is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.
A WAF instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance or Purchase a pay-as-you-go WAF 3.0 instance.
Note: In this topic, WAF 3.0 is used as an example. If you use WAF 2.0, you can also refer to the steps in this topic.
Step 1: Add your website service to WAF
You can add your website service to WAF in CNAME record mode or cloud native mode. Before you add your website service, we recommend that you understand the recommended scenarios for each mode. For more information, see Overview.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
On the CNAME Record or Cloud Native tab, add your website service to WAF.
CNAME record mode
On the CNAME Record tab, click Add.
In the Configure Listener step, configure the parameters and click Next.
The following table briefly describes the parameters. For detailed descriptions of the parameters, see Add a domain name to WAF.
Domain Name: Enter the domain name of your website service.
Protocol Type: Select the protocol type and ports that are used by your website service. Press the Enter key each time you enter a port number.
Note: If you select HTTPS, you must upload the certificate that is associated with the domain name to WAF.
After you select HTTPS and configure the certificate, you can also specify whether to enable HTTP/2, turn on Enable HTTPS Routing, select a TLS version, and select an HTTPS cipher suite.
Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF: Select Yes and specify Obtain Actual IP Address of Client.
Use the First IP Address in X-Forwarded-For Field as Actual IP Address of Client (default): By default, WAF uses the first IP address in the X-Forwarded-For field as the originating IP address of a client.
[Recommended] Use the First IP Address in Specified Header Field as Actual IP Address of Client to Prevent X-Forwarded-For Forgery: If you use a proxy that contains the originating IP addresses of clients in a custom header field, such as X-Client-IP or X-Real-IP, select this value. Then, enter the custom header field in the Header Field field.
Note: We recommend that you use custom header fields to store the originating IP addresses of clients and specify the header fields in WAF. This way, attackers cannot forge X-Forwarded-For fields to bypass WAF protection. This improves the security of your business.
More Settings: Specify whether to enable IPv6 and exclusive IP addresses, and select the type of protection resources that you want to use based on your business requirements.
Resource Group: Select the resource group to which you want to add the domain name from the drop-down list. If you do not select a resource group, the domain name is added to the default resource group.
In the Configure Forwarding Rule step, configure the parameters and click Submit.
Load Balancing Algorithm: If the origin server has multiple addresses, select a load balancing algorithm based on your business requirements.
Origin Server Address: Enter the public IP address or domain name of the origin server. The IP address or domain name is used to receive the back-to-origin requests that are forwarded by WAF.
Advanced HTTPS Settings: Specify whether to select Retry Back-to-origin Request and Enable Traffic Mark based on your business requirements.
Other Advanced Settings: Specify whether to select Enable Traffic Mark and Retry Back-to-origin Requests, enable Back-to-origin Keep-alive Requests, and configure the Connection Timeout Period parameter based on your business requirements.
In the Add Completed step, obtain the CNAME that is provided by WAF.
Cloud native mode
For more information, see Cloud native mode.
If you use the following Alibaba Cloud services for your website service, we recommend that you add your website service to WAF in SDK module mode: Application Load Balancer (ALB), Microservices Engine (MSE), and Function Compute. If you use Alibaba Cloud Classic Load Balancer (CLB) or ECS for your website service, we recommend that you add your website service to WAF in reverse proxy cluster mode.
Step 2: Add your website service to Anti-DDoS Proxy
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.
Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.
In the left-side navigation pane, choose .
On the Website Config page, click Add Website. Enter the required information and click Next.
Function Plan: Select the function plan of the Anti-DDoS Proxy instance that you want to use.
Instance: Select the Anti-DDoS Proxy instance that you want to use. You can associate up to eight instances with a domain name. The instances associated with the domain name must use the same Function Plan.
Websites: Enter the domain name of your website service.
Protocol Type: Select the protocol type of your website service.
Note: If you select HTTPS, you must upload the certificate that is used by the domain name of your website service.
After you select HTTPS, you can turn on Enable HTTPS Redirection, Enable HTTP Redirection of Back-to-origin Requests, and Enable HTTP/2 based on your business requirements.
For more information about uploading certificates, customizing security policies, and enabling OCSP Stapling, see Add one or more websites.
Server Address: If you added the domain name to WAF in CNAME record mode, select Origin Domain Name and enter the CNAME that is obtained in Step 1. If you added the domain name to WAF in cloud native mode, select Origin IP Address and enter the public IP address of the origin server.
Server Port: The server port, which depends on the value of Protocol Type.
If you select HTTP or Websocket, the default port 80 is used.
If you select HTTPS, HTTP/2, or Websockets, the default port 443 is used.
You can click Custom to enter custom ports. Separate multiple ports with commas (,).
CNAME Reuse: Specifies whether to enable CNAME reuse. This parameter is available only for Anti-DDoS Proxy (Outside Chinese Mainland). For more information, see Use the CNAME reuse feature.
Configure the forwarding settings, and then click Next.
Back-to-origin Scheduling Algorithm: The load balancing algorithm for back-to-origin requests. This parameter is required if multiple origin server addresses are configured. The origin server addresses can be IP addresses or domain names. You can change the load balancing algorithm for back-to-origin requests or specify weights for the server addresses.
Round-robin (Default): All requests are distributed to all server addresses in turn. By default, all server addresses have the same weight. You can change the weights of servers. The higher the weight of a server, the more likely requests are forwarded to it. This is suitable for scenarios in which multiple origin servers are used and load must be distributed evenly across them.
IP hash: Requests from the same client are forwarded to the same server within a period of time, which preserves session consistency. Weights can also be configured so that servers with higher processing capacity handle more requests, which improves resource utilization. This is suitable for scenarios that require user session consistency. However, in extreme cases, load distribution may be uneven.
Least time: Intelligent DNS resolution and the Least time back-to-origin algorithm ensure that service traffic has the shortest latency across the entire link, from the protection node to the origin server.
Traffic Marking
Originating Port: The name of the HTTP header that contains the originating port of the client. In most cases, the X-Forwarded-ClientSrcPort header is used to record the originating port of the client. If you use a custom header to record the originating port of the client, specify the custom header for Originating Port. After Anti-DDoS Proxy forwards back-to-origin requests to your origin server, your origin server parses the custom header to obtain the originating port of the client. The steps to obtain the originating port of the client are similar to the steps to obtain the originating IP address of the client. For more information, see Obtain the originating IP addresses of requests.
Originating IP Address: The name of the HTTP header that contains the originating IP address of the client. In most cases, the X-Forwarded-For header is used to record the originating IP address of the client. If you use a custom header to record the originating IP address of the client, specify the custom header for Originating IP Address. After Anti-DDoS Proxy forwards back-to-origin requests to your origin server, your origin server parses the custom header to obtain the originating IP address of the client.
Custom Header: You can add custom HTTP headers to requests that pass through Anti-DDoS Proxy to mark the requests. To add custom HTTP headers, specify header names and values. After you create custom headers, Anti-DDoS Proxy adds the custom headers to the back-to-origin requests. This way, the backend servers can perform statistical analysis on the back-to-origin requests.
Do not use the following default headers as custom headers:
X-Forwarded-ClientSrcPort: This header is used to obtain the originating ports of clients that access Anti-DDoS Proxy (a Layer 7 proxy).
X-Forwarded-ProxyPort: This header is used to obtain the ports of listeners that access Anti-DDoS Proxy (a Layer 7 proxy).
X-Forwarded-For: This header is used to obtain the originating IP addresses of clients that access Anti-DDoS Proxy (a Layer 7 proxy).
Do not use standard HTTP headers (such as Host, User-Agent, Connection, and Upgrade) or widely used custom HTTP headers (such as X-Real-IP, X-True-IP, X-Client-IP, Web-Server-Type, WL-Proxy-Client-IP, EagleEye-RPCID, EagleEye-TraceID, X-Forwarded-Cluster, and X-Forwarded-Proto). If you use these headers, the original headers are overwritten.
You can add up to five custom HTTP headers.
Cookie Settings
Delivery Status: By default, this switch is turned on. When enabled, Anti-DDoS Proxy inserts cookies into the client (such as a browser) to distinguish between different clients or to obtain client fingerprint information. For more information, see Configure the HTTP flood mitigation feature.
Important: If you want to stop Anti-DDoS Proxy from inserting cookies into your service, you can turn off the switch. However, disabling this option prevents Anti-DDoS Proxy from actively assessing and defending against HTTP flood attacks through the HTTP flood mitigation rules.
Secure Attribute: The Secure attribute is disabled by default. If enabled, cookies are delivered only over HTTPS connections, not over HTTP connections, which helps protect cookies from being stolen by attackers. We recommend enabling this option if your website only supports HTTPS connections.
Other Settings
Configure New Connection Timeout Period: the timeout period for establishing a connection. If Anti-DDoS Proxy fails to establish a connection to the origin server within the specified timeout period, the connection request fails. Valid values: 1 to 10. Unit: seconds.
Configure Read Connection Timeout Period: the timeout period for processing a read request. If the origin server fails to respond to a read request sent by Anti-DDoS Proxy over the established connection within the specified timeout period, the read request fails. Valid values: 10 to 300. Unit: seconds.
Configure Write Connection Timeout Period: the timeout period for processing a write request. If Anti-DDoS Proxy fails to send all data to the origin server or the origin server fails to start processing the data within the specified timeout period, the write request fails. Valid values: 10 to 300. Unit: seconds.
Retry Back-to-origin Requests: If you turn on the switch and the resource requested by Anti-DDoS Proxy cannot be retrieved from the cache server, the cache server retrieves the resource from the upper-level cache server or the origin server.
Back-to-origin Persistent Connections: If you turn on the switch, the TCP connection between the cache server and the origin server remains active for a period of time. The connection is not closed every time a request is complete. This reduces the time and resources required to establish connections and improves the efficiency and speed of request processing.
Requests Reusing Persistent Connections: the maximum number of HTTP requests that Anti-DDoS Proxy can send to the origin server over a TCP connection. The use of persistent connections helps reduce latency and resource consumption that are caused when you frequently establish and close connections. Valid values: 10 to 1000. We recommend that you specify a value less than or equal to the number of requests reusing persistent connections that is configured on the origin server, such as a WAF or SLB instance. This helps prevent service unavailability due to persistent connection failures.
Timeout Period of Idle Persistent Connections: the timeout period for an idle persistent TCP connection that Anti-DDoS Proxy establishes to the origin server. If data is not transmitted over an open TCP connection in the connection pool of Anti-DDoS Proxy, the TCP connection is considered idle. If no new requests are initiated over the idle TCP connection within the specified timeout period, the connection is closed to release system resources. Valid values: 10 to 30. Unit: seconds. We recommend that you specify a value less than or equal to the timeout period configured on the origin server, such as a WAF or SLB instance. This helps prevent service unavailability due to persistent connection failures.
Upper Limit for HTTP/2 Streams: the maximum number of HTTP/2 streams allowed between the client and Anti-DDoS Proxy. This feature is available only when HTTP/2 is used. Valid values: 16 to 32. If you want to specify a larger value, contact your account manager.
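The check below is an added example and not Alibaba Cloud code. It encodes the recommendation given for Requests Reusing Persistent Connections and Timeout Period of Idle Persistent Connections (the Anti-DDoS Proxy value should not exceed the value configured on the next hop) and applies the same rule to every hop of the chain down to the origin, together with the value ranges quoted above. The Hop type and the sample values for the WAF and SLB hops are constructed for this example and are not defaults of those products.

```python
"""Consistency check for persistent-connection settings along the back-to-origin chain.

Added example, not Alibaba Cloud code. A hop's inbound values describe the persistent
connections it accepts from the previous hop; its outbound values describe the pooled
connections it keeps toward the next hop. Sample chain values are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Value ranges quoted above for the Anti-DDoS Proxy parameters.
IDLE_TIMEOUT_RANGE = (10, 30)     # Timeout Period of Idle Persistent Connections, seconds
MAX_REQUESTS_RANGE = (10, 1000)   # Requests Reusing Persistent Connections


@dataclass(frozen=True)
class Hop:
    name: str
    inbound_idle_s: Optional[int] = None        # how long it keeps an idle accepted connection
    inbound_max_requests: Optional[int] = None  # requests it serves on one accepted connection
    outbound_idle_s: Optional[int] = None       # how long it keeps an idle pooled connection
    outbound_max_requests: Optional[int] = None # requests it sends on one pooled connection


def _in_range(value: int, bounds: Tuple[int, int]) -> bool:
    return bounds[0] <= value <= bounds[1]


def check_chain(hops: List[Hop]) -> List[str]:
    """Return the problems found in a chain ordered from Anti-DDoS Proxy (hops[0]) to the
    final origin (hops[-1]); an empty list means the settings are consistent.

    Rule: the side that reuses a pooled connection must give up first. If a hop keeps an
    idle connection longer, or reuses it for more requests, than the next hop allows, the
    next hop may close the connection while this hop still considers it usable, and the
    request sent on it fails."""
    problems: List[str] = []
    proxy = hops[0]
    if proxy.outbound_idle_s is not None and not _in_range(proxy.outbound_idle_s, IDLE_TIMEOUT_RANGE):
        problems.append(f"{proxy.name}: idle timeout {proxy.outbound_idle_s}s outside {IDLE_TIMEOUT_RANGE}")
    if proxy.outbound_max_requests is not None and not _in_range(proxy.outbound_max_requests, MAX_REQUESTS_RANGE):
        problems.append(f"{proxy.name}: requests per connection {proxy.outbound_max_requests} outside {MAX_REQUESTS_RANGE}")
    for up, down in zip(hops, hops[1:]):
        if (up.outbound_idle_s is not None and down.inbound_idle_s is not None
                and up.outbound_idle_s > down.inbound_idle_s):
            problems.append(f"{up.name} idle timeout {up.outbound_idle_s}s exceeds {down.name} "
                            f"{down.inbound_idle_s}s: {down.name} may close connections {up.name} still reuses")
        if (up.outbound_max_requests is not None and down.inbound_max_requests is not None
                and up.outbound_max_requests > down.inbound_max_requests):
            problems.append(f"{up.name} requests per connection {up.outbound_max_requests} exceeds {down.name} "
                            f"{down.inbound_max_requests}: {down.name} may close a connection {up.name} still reuses")
    return problems


# Constructed chains. In the first, Anti-DDoS Proxy keeps idle connections for 30 s while the
# WAF hop (constructed value) drops them after 15 s; the second lowers the proxy value to match.
MISCONFIGURED_CHAIN = [
    Hop("Anti-DDoS Proxy", outbound_idle_s=30, outbound_max_requests=1000),
    Hop("WAF", inbound_idle_s=15, inbound_max_requests=1000, outbound_idle_s=60, outbound_max_requests=1000),
    Hop("SLB", inbound_idle_s=60, inbound_max_requests=1000),
]
CONSISTENT_CHAIN = [
    Hop("Anti-DDoS Proxy", outbound_idle_s=15, outbound_max_requests=500),
    Hop("WAF", inbound_idle_s=15, inbound_max_requests=1000, outbound_idle_s=60, outbound_max_requests=1000),
    Hop("SLB", inbound_idle_s=60, inbound_max_requests=1000),
]

if __name__ == "__main__":
    for label, chain in (("misconfigured", MISCONFIGURED_CHAIN), ("consistent", CONSISTENT_CHAIN)):
        print(label, check_chain(chain) or "ok")
```

Run the check before changing any hop's keep-alive settings; a non-empty list points at the hop whose value must be lowered, and the Anti-DDoS Proxy range checks catch values the console would reject anyway.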
Copy the CNAME provided by Anti-DDoS Proxy.
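The following Python module is an added example, not code from Alibaba Cloud or from this page. It shows, on the origin server, the difference between the default "first IP address in X-Forwarded-For" choice from Step 1 and the recommended custom-header choice, and it reads the client port from the Traffic Marking header described in Step 2. Assumptions: the custom header entered in the WAF Header Field box is X-Client-IP, the port header is the default X-Forwarded-ClientSrcPort, and TRUSTED_PROXY_RANGES stands in for the back-to-origin address ranges of your instances, which this page does not list. The request headers are constructed.

```python
"""Client IP and port extraction on an origin server behind Anti-DDoS Proxy and WAF.

Added example, not Alibaba Cloud code. Header names and proxy ranges are assumptions
(see comments); the sample request is constructed.
"""
import ipaddress
from typing import Mapping, Optional, Tuple

CLIENT_IP_HEADER = "X-Client-IP"                  # assumption: name entered in the WAF Header Field box
CLIENT_PORT_HEADER = "X-Forwarded-ClientSrcPort"  # default originating-port header named above

# PLACEHOLDER: the back-to-origin address ranges of your Anti-DDoS Proxy and WAF instances are
# not listed on this page; a constructed TEST-NET range stands in for them here.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive lookup, because HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _first_ip(value: str) -> Optional[str]:
    """First comma-separated entry of a header value, or None if it is not a valid IP address."""
    try:
        return str(ipaddress.ip_address(value.split(",")[0].strip()))
    except ValueError:
        return None


def first_xff_ip(headers: Mapping[str, str]) -> Optional[str]:
    """Default WAF behaviour: first entry of X-Forwarded-For. Each proxy appends the address it
    saw, so the first entry is whatever the client itself sent and cannot be trusted."""
    return _first_ip(_header(headers, "X-Forwarded-For"))


def client_address(headers: Mapping[str, str], peer_ip: str) -> Tuple[str, int]:
    """Recommended behaviour: read the headers the proxy chain writes, and only when the TCP
    peer is one of the proxies, because a request that reached the origin without passing
    through the chain can carry any header. Raises ValueError otherwise."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXY_RANGES):
        raise ValueError(f"{peer_ip} is not a proxy address; the request did not pass through the chain")
    ip = _first_ip(_header(headers, CLIENT_IP_HEADER))
    if ip is None:
        raise ValueError(f"missing or malformed {CLIENT_IP_HEADER}")
    port_text = _header(headers, CLIENT_PORT_HEADER).strip()
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"missing or malformed {CLIENT_PORT_HEADER}")
    return ip, int(port_text)


# Constructed headers as the origin might see them: the client put a fake "10.0.0.1" into
# X-Forwarded-For, Anti-DDoS Proxy recorded the real client address 203.0.113.45 and its
# source port, and WAF appended the Anti-DDoS Proxy node address 198.51.100.7.
FORGED_XFF_REQUEST = {
    "X-Forwarded-For": "10.0.0.1, 203.0.113.45, 198.51.100.7",
    "X-Client-IP": "203.0.113.45",
    "X-Forwarded-ClientSrcPort": "51234",
}

if __name__ == "__main__":
    print("first X-Forwarded-For entry (forgeable):", first_xff_ip(FORGED_XFF_REQUEST))
    print("proxy-written headers:", client_address(FORGED_XFF_REQUEST, "192.0.2.10"))
```

The peer check is a fallback: the origin's security group or firewall should already accept HTTP(S) connections only from the proxy ranges, so that the custom header is set by the chain on every request the origin ever sees.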
Step 3: Modify the DNS record of the domain name
You must resolve the domain name of your website service to the CNAME provided by Anti-DDoS Proxy. In the following example, a domain name is hosted on Alibaba Cloud DNS (DNS). If you use a third-party DNS service, the following steps are only for reference.
Log on to the DNS console.
On the Domain Name Resolution page, find the domain name that you want to manage and click DNS Settings in the Actions column.
On the DNS Settings page, find the DNS record that you want to manage and click Modify in the Actions column.
Note: If you cannot find the DNS record that you want to modify in the list, you can click Add DNS Record to add a record.
In the Modify DNS Record (or Add DNS Record) panel, select CNAME for Record Type and set Record Value to the CNAME that is obtained in Step 2.
Click OK and wait for the settings to take effect.
Check whether your website service is accessible from a browser.
References
For more information about how to add domain names to WAF 2.0 in CNAME record mode and transparent proxy mode, see Add a domain name to WAF and Transparent proxy mode.
For more information about how to troubleshoot the exceptions that may occur when you access your website service after you modify the DNS record, see How do I handle the issues of slow response, high latency, and access failure on my service that is protected by an Anti-DDoS Proxy instance?.
For more information about how to deploy both Anti-DDoS Proxy and CDN, see Use the CDN or DCDN interaction feature.