Anti-DDoS Pro and Anti-DDoS Premium protect your website against DDoS attacks only after
you add the website to Anti-DDoS Pro or Anti-DDoS Premium and complete the forwarding
settings. This topic describes how to add a website and how to import the configurations
of more than one website at a time.
Background information
If you want to add your website to Anti-DDoS Pro, make sure that Internet Content
Provider (ICP) filing is complete for the domain name of your website. For more information,
see ICP filing application overview. The information that you use to complete the ICP filing
must be consistent with the actual information about your domain name. This ensures the
validity of the ICP filing. After you add your website to Anti-DDoS Pro, we recommend that
you keep the ICP filing information up to date. Anti-DDoS Pro checks the status of ICP filing
for protected domain names on a regular basis. If the ICP filing of a domain name becomes
invalid, Anti-DDoS Pro no longer forwards the traffic of the domain name and displays
the message "Invalid ICP domain recordation. Please update the ICP recordation status"
on the Website Config page. To resume traffic forwarding after this message is displayed,
update the ICP filing information for the domain name at the earliest opportunity
and submit a ticket.
In the top navigation bar, select the region where your instance resides.
Mainland China: If you select this region, the Anti-DDoS Pro console appears.
Outside Mainland China: If you select this region, the Anti-DDoS Premium console appears.
You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium
instances. Make sure that you select the required region when you use Anti-DDoS Pro
or Anti-DDoS Premium.
In the left-side navigation pane, choose Provisioning > Website Config.
On the Website Config page, add one or more websites.
You can add one or more websites to Anti-DDoS Pro or Anti-DDoS Premium:
To add a website, click Add Domain. Then, follow the instructions on the page to complete the Add Domain wizard.
Configure the parameters in the Enter Site Information step and click Add.
Parameter
Description
Function Plan
The function plan of the Anti-DDoS Pro or Anti-DDoS Premium instance that you want
to use. Valid values: Standard and Enhanced.
You can move the pointer over the icon next to Function Plan to view the differences between the Standard and Enhanced function plans.
Instance
The Anti-DDoS Pro or Anti-DDoS Premium instance that you want to use. You can associate
a maximum of eight instances with a domain name. The instances associated with the
domain name must use the same function plan.
Available instances are displayed after you configure Function Plan. If no instances are displayed, no instances use the function plan that you select.
In this case, you can purchase an instance or upgrade the Standard function plan to
the Enhanced function plan. For more information, see Upgrade an instance.
Domain
The domain name of the website that you want to protect. The domain name must meet
the following requirements:
The domain name can contain letters, digits, and hyphens (-). The domain name must
start with a letter or a digit.
The domain name can be a wildcard domain name, such as *.aliyundoc.com. If you enter a wildcard domain name, Anti-DDoS Pro or Anti-DDoS Premium automatically
matches all subdomains of the wildcard domain name.
If you configure a wildcard domain name and an exact-match domain name, the forwarding
rules and mitigation policies of the exact-match domain name take precedence. For
example, if you configure *.aliyundoc.com and www.aliyundoc.com, the forwarding rules and mitigation policies of www.aliyundoc.com take precedence.
Protocol
The type of the protocol that the website uses. Valid values:
HTTP
HTTPS: If the website uses HTTPS, select HTTPS and upload an SSL certificate file after you save the website configurations. For
more information, see Upload an SSL certificate. You can also customize a Transport Layer Security (TLS) policy for the website.
For more information, see Configure a custom TLS security policy.
If you select HTTPS, you can click Advanced Settings to configure the following options.
Enable HTTPS Routing: If the website supports both HTTP and HTTPS, this feature is available. If you enable
this feature, all HTTP requests to access the website are redirected to HTTPS requests
on the standard port 443.
Notice
This feature is available only when both HTTP and HTTPS are selected and Websocket is cleared.
If you access the website over HTTP on a non-standard port and enable this feature,
all HTTP requests are redirected to HTTPS requests on the standard port 443.
Enable HTTP: If the website does not support HTTPS, you must turn on Enable HTTP. If this feature
is enabled, all HTTPS requests are redirected to HTTP requests and forwarded to origin
servers, and all WebSockets requests are redirected to WebSocket requests and forwarded
to origin servers. By default, the requests are redirected over the standard port
80.
Notice If you access the website over HTTPS on a non-standard port and enable this feature,
all HTTPS requests are redirected to HTTP requests on the standard port 80.
Enable HTTP2: After you turn on Enable HTTP/2, HTTP/2 is used.
Websocket: If you select Websocket, HTTP is automatically selected. You cannot select only Websocket for the Protocol parameter.
Websockets: If you select Websockets, HTTPS is automatically selected. You cannot select only Websockets for the Protocol parameter.
Enable OCSP
Specifies whether to enable the Online Certificate Status Protocol (OCSP) feature.
Notice This feature is available only for a website that supports HTTPS. If HTTPS is selected for Protocol, we recommend that you enable this feature.
The OCSP feature is disabled by default. In this case, the browser that the client uses
sends OCSP queries to the CA. Until the client obtains an OCSP response, subsequent
events are blocked. If the network is unstable or disconnected, a blank page is displayed
for a long period of time, and the performance of the website that supports HTTPS is
compromised.
If the OCSP feature is enabled, Anti-DDoS Pro or Anti-DDoS Premium executes OCSP queries
and caches the query results for 300 seconds. When a client initiates a TLS handshake
with the server, Anti-DDoS Pro or Anti-DDoS Premium returns the OCSP details and the
certificate chain to the client. This prevents blocking issues caused by OCSP queries
from the client. This does not cause security risks, because OCSP responses are signed
by the CA's OCSP responder and cannot be forged.
Server IP
The address type of the origin server. You must enter the address of the origin server.
Valid values:
Origin Server IP: the IP address of the origin server. You can enter a maximum of 20 IP addresses.
If you enter more than one IP address, separate them with commas (,).
If the origin server is hosted on an Elastic Compute Service (ECS) instance, enter
the public IP address of the ECS instance. If the ECS instance is associated with
a Server Load Balancer (SLB) instance, enter the public IP address of the SLB instance.
If the origin server is deployed in data centers or on other clouds, you can run the
ping <domain name> command to query the public IP address to which the domain name is resolved and enter
the public IP address.
Origin Server Domain: the domain name of the origin server. Select this option when you deploy a proxy
service, such as Web Application Firewall (WAF), between the origin server and Anti-DDoS Pro or Anti-DDoS Premium. You must also
enter the address of the proxy, such as a CNAME. You can enter a maximum of 10 domain
names. If you enter more than one domain name, separate them with line breaks.
Notice If you enter the default public endpoint of an Object Storage Service (OSS) bucket
for Origin Server Domain, a custom domain name must be mapped to the bucket. For more information, see Regions and endpoints and Map custom domain names.
If you enter more than one IP address or domain name, Anti-DDoS Pro or Anti-DDoS Premium
uses IP hash to forward website traffic to the origin servers. After you save the
website configurations, you can change the load balancing algorithm. For more information,
see Modify the back-to-origin settings for a website.
Server Port
The server port that you specify based on the value of Protocol.
If you select HTTP, the default port 80 is used. If you select HTTPS, the default port 443 is used.
Notice
The port for Websocket is the same as the port for HTTP.
The port for Websockets and HTTP/2 is the same as the port for HTTPS.
You can click Custom to the right of the Server Port parameter to specify one or more custom ports. You
can specify multiple custom HTTP or HTTPS ports. If you specify multiple custom ports, separate the ports with commas (,).
Take note of the following limits when you specify custom ports:
The custom ports that you want to specify must be supported by Anti-DDoS Pro or Anti-DDoS
Premium. You can click View optional range to view the HTTP and HTTPS ports that are supported.
The ports that are supported vary based on the function plan of your Anti-DDoS Pro or Anti-DDoS Premium instance.
Anti-DDoS Pro or Anti-DDoS Premium instance of the Standard function plan:
HTTP ports: ports 80 and 8080
HTTPS ports: ports 443 and 8443
Anti-DDoS Pro or Anti-DDoS Premium instance of the Enhanced function plan:
HTTP ports: ports that range from 80 to 65535
HTTPS ports: ports that range from 80 to 65535
You can specify up to 10 custom ports for all websites that are added to your Anti-DDoS
Pro or Anti-DDoS Premium instance. The custom ports include HTTP ports and HTTPS ports.
For example, you want to add Website A and Website B to your Anti-DDoS Pro or Anti-DDoS
Premium instance, Website A provides services over HTTP ports, and Website B provides
services over HTTPS ports.
If you specify HTTP ports 80 and 8080 for Website A, you can specify up to eight HTTPS
ports for Website B.
Cname Reuse
Specifies whether to enable CNAME reuse. This parameter is available only for Anti-DDoS
Premium.
If more than one website is hosted on the same server, this feature is available.
After CNAME reuse is enabled, you need only to map the domain names hosted on the
same server to the CNAME that is assigned by Anti-DDoS Premium. For more information,
see Use the CNAME reuse feature.
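The limits in the parameter table can be checked before you fill in the wizard. The following Python code is an added example, not code from Anti-DDoS Pro or Anti-DDoS Premium: the dictionary keys, function names and sample websites are constructed for illustration. It assumes that a port shared by several websites counts once toward the limit of 10, and that the nearest wildcard parent applies when no exact-match domain name is configured.

```python
import re

# Limits and naming rules quoted from the parameter table above.
STANDARD_PORTS = {"http": {80, 8080}, "https": {443, 8443}}
ENHANCED_PORTS = range(80, 65536)  # same range for HTTP and HTTPS
MAX_PORTS_PER_INSTANCE = 10
DOMAIN_RE = re.compile(r"^(\*\.)?[A-Za-z0-9][A-Za-z0-9.-]*$")


def check_instance(sites, plan):
    """Return problems found in the websites planned for one instance."""
    problems, used = [], set()
    for site in sites:  # dict keys are hypothetical, not a product format
        name = site["domain"]
        if not DOMAIN_RE.match(name):
            problems.append(f"{name}: invalid domain name")
        for proto in ("http", "https"):
            allowed = STANDARD_PORTS[proto] if plan == "standard" else ENHANCED_PORTS
            for port in site.get(proto, []):
                used.add((proto, port))
                if port not in allowed:
                    problems.append(f"{name}: {proto} port {port} not in {plan} plan")
    # Assumption: a port shared by several websites counts once toward the limit.
    if len(used) > MAX_PORTS_PER_INSTANCE:
        problems.append(f"{len(used)} ports in use, limit is {MAX_PORTS_PER_INSTANCE}")
    return problems


def effective_rule(host, configured):
    """Return the configured entry whose rules apply to host (exact match first)."""
    if host in configured:
        return host
    labels = host.split(".")
    for i in range(1, len(labels)):  # assumption: nearest wildcard parent first
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in configured:
            return wildcard
    return None


# Constructed sample plan: Website A on HTTP, Website B on HTTPS.
SITES = [
    {"domain": "www.aliyundoc.com", "http": [80, 8080]},
    {"domain": "*.aliyundoc.com", "https": [443, 8443, 9443]},
]

if __name__ == "__main__":
    for plan in ("standard", "enhanced"):
        print(plan, check_instance(SITES, plan) or "ok")
    print(effective_rule("www.aliyundoc.com", {s["domain"] for s in SITES}))
```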
Finish the Complete step.
You can perform the subsequent operations as instructed based on your business requirements.
What to do next
Reference
If security software, such as a firewall, is installed on the origin server, you must
add the back-to-origin IP addresses of the Anti-DDoS Pro or Anti-DDoS Premium instance
to the whitelist of the origin server. This ensures that the traffic from Anti-DDoS
Pro or Anti-DDoS Premium is not blocked by the security software on your origin server.
If your origin server is an ECS instance and the origin IP address is exposed, you
must change the public IP address of the ECS instance. This prevents attackers from
bypassing Anti-DDoS Pro or Anti-DDoS Premium to attack your origin server.
Anti-DDoS Pro or Anti-DDoS Premium assigns a CNAME to the website that you added.
You must change the DNS record to map the domain name to the CNAME. This way, service
traffic can be switched to Anti-DDoS Pro or Anti-DDoS Premium for protection. You
can manually change the DNS record or use the NS Access Mode feature to enable the
system to automatically change the DNS record.
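One way to confirm that the origin server receives traffic only through Anti-DDoS Pro or Anti-DDoS Premium is to compare the source addresses in the origin access log with the back-to-origin IP addresses. The following Python code is an added example, not part of the original documentation: the CIDR ranges are documentation placeholders that you replace with the back-to-origin addresses of your instance, and the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Placeholder back-to-origin ranges (documentation prefixes). Replace them with
# the back-to-origin IP addresses of your instance.
BACK_TO_ORIGIN = [ipaddress.ip_network(n)
                  for n in ("203.0.113.0/24", "2001:db8:100::/48")]

# Constructed origin access-log lines (client IP is the first field).
SAMPLE_LOG = """\
203.0.113.17 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.40 - - [12/Mar/2024:10:01:03 +0000] "GET /login HTTP/1.1" 200 734
198.51.100.9 - - [12/Mar/2024:10:01:04 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [12/Mar/2024:10:01:05 +0000] "POST /login HTTP/1.1" 401 120
2001:db8:100::5 - - [12/Mar/2024:10:01:06 +0000] "GET / HTTP/1.1" 200 512
garbled-line-without-ip
"""


def via_proxy(addr):
    """True if addr belongs to one of the back-to-origin ranges."""
    return any(addr in net for net in BACK_TO_ORIGIN)


def direct_hits(log_text):
    """Return (Counter of source IPs that bypassed the proxy, unparsed line count)."""
    hits, unparsed = Counter(), 0
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            unparsed += 1  # keep a count so malformed lines are not silently lost
            continue
        if not via_proxy(addr):
            hits[str(addr)] += 1
    return hits, unparsed


if __name__ == "__main__":
    hits, unparsed = direct_hits(SAMPLE_LOG)
    for ip, count in hits.most_common():
        print(f"direct request source {ip}: {count} request(s)")
    print(f"unparsed lines: {unparsed}")
```

Run the check against the address of the TCP peer that the origin server logs, not against a forwarded-for header, because requests relayed by the instance arrive from its back-to-origin IP addresses.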
Import the configurations of more than one website at a time
Click Batch Domains Import below the website list.
In the Add Multiple Rules panel, enter the information about the websites that you want to add and click Next.
If you want to add the configurations of more than one website at a time, save the
configurations in an XML file and import the file. For more information about file
formats, see Website configurations in an XML file.
In the Import Rule panel, select the websites that you want to add and click OK. After the configurations are imported, close the "The rules have been created" panel.
Optional: Verify on your local computer that the website configurations that you added to
Anti-DDoS Pro or Anti-DDoS Premium take effect. If you change the DNS record before the
configurations for the website take effect, services may be interrupted. For more information,
see Verify the forwarding configurations on your local computer.
What to do next
After you add a website, you must perform the following operations to enable Anti-DDoS
Pro or Anti-DDoS Premium to protect the website.
Configuration item
Description
References
Protection for website services
After you add the website, Anti-DDoS Global Mitigation Policies, Intelligent Protection, and Frequency Control are enabled by default. You can enable more features and modify protection rules
for the website on the Protection for Website Services tab.
CloudMonitor allows you to configure threshold-triggered alert rules for common service
metrics and attack events of Anti-DDoS Pro or Anti-DDoS Premium. The common service
metrics include the volume of traffic for an Anti-DDoS Pro or Anti-DDoS Premium instance
and the number of connections for an Anti-DDoS Pro or Anti-DDoS Premium instance.
The traffic and connection metrics can be measured at the IP address level. The attack
events include blackhole filtering events and traffic scrubbing events. After you
configure a threshold-triggered alert rule, CloudMonitor reports an alert when the
rule is triggered. This way, you can handle exceptions and recover your business at
the earliest opportunity.
Anti-DDoS Pro or Anti-DDoS Premium collects and stores full logs of the website. This
way, you can query and analyze the logs that are collected from the website. By default,
the Log Analysis feature stores full logs for 180 days. This helps meet the requirements
of classified protection.