All Products
Search

This Product

    Anti-DDoS:Configure traffic marks

    Document Center

    Anti-DDoS:Configure traffic marks

    Last Updated:Feb 06, 2026

    After you add your website service to Anti-DDoS Proxy, configure traffic marks to include the client’s originating port, originating IP address, or a custom header field value in traffic forwarded to your origin server. This helps your backend server analyze and track traffic from Anti-DDoS Proxy. This topic explains how to configure traffic marks.

    Prerequisites

    You have added a website configuration. For more information, see Add a website configuration.

    Procedure

    1. Log on to the Anti-DDoS Proxy console.

    2. In the top navigation bar, select the region of your instance.

      • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

      • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

    3. In the left-side navigation pane, choose Provisioning > Website Config.

    4. Find the website configuration you want to modify. In the Actions column, click Edit.

    5. In the forwarding configuration, enable traffic marking.

      • Request Header Forwarding Configuration: Anti-DDoS Proxy supports request header forwarding. You can add or modify HTTP request headers when forwarding requests to your origin server. This helps identify and mark traffic that passes through Anti-DDoS Proxy.

        • Insert X-Client-IP to Get Originating IP Address: Passes the client’s original IP address.

        • Insert X-True-IP to Forward Client IP: Passes the IP address the client used to establish the connection.

        • Insert Web-Server-Type to Get Service Type: Usually added by the first proxy. Tells the backend server which frontend web server or proxy handled the request.

        • Insert WL-Proxy-Client-IP to Get Connection IP: Same function as X-Client-IP. A header specific to Oracle WebLogic Server.

        • X-Forwarded-Proto (Listener Protocol): The protocol used between the client and the first proxy.

      • Traffic marks

        • Default marks

          Note

          • JA3 Fingerprint, JA4 Fingerprint, Client TLS Fingerprint, and HTTP/2 Fingerprint require assistance from your account manager to configure.

          • If your service uses custom fields instead of default marks, see Custom Header below. After you configure it, your origin server parses this field from requests forwarded by Anti-DDoS Proxy. For parsing examples, see Get the true source IP address after configuring Anti-DDoS Proxy.

          • Originating Port: The header field name for the client’s originating port in the HTTP header. Typically recorded in the X-Forwarded-ClientSrcPort field.

          • Originating IP Address: The header field name for the client’s originating IP address in the HTTP header. Typically recorded in the X-Forwarded-For field.

          • JA3 Fingerprint: The header field name for the MD5 hash value generated from the client JA3 fingerprint in the HTTP header. Typically recorded in the ssl_client_ja3_fingerprint_md5 field.

          • JA4 Fingerprint: The header field name for the MD5 hash value generated from the client JA4 fingerprint in the HTTP header. Typically recorded in the ssl_client_ja4_fingerprint_md5 field.

          • Client TLS Fingerprint: The header field name for the MD5 hash value generated from the client TLS fingerprint in the HTTP header. Typically recorded in the ssl_client_tls_fingerprint_md5 field.

          • HTTP/2 Fingerprint: The header field name for the MD5 hash value generated from the client HTTP/2.0 fingerprint in the HTTP header. Typically recorded in the http2_client_fingerprint_md5 field.

        • Custom Header: Add a custom HTTP header (including field name and value) to mark requests that pass through Anti-DDoS Proxy. When Anti-DDoS Proxy forwards website traffic, it adds the configured field value to requests sent to your origin server. This helps your backend service analyze and track traffic.

          • Naming restrictions: To avoid overwriting original request header fields, do not use the following reserved or common field names for your custom header:

            • Anti-DDoS Proxy default fields:

              • X-Forwarded-ClientSrcPort: Used by default to get the client port for Layer 7 engine access.

              • X-Forwarded-ProxyPort: Used by default to get the listening port for Layer 7 engine access.

              • X-Forwarded-For: Used by default to get the client IP address for Layer 7 engine access.

              • ssl_client_ja3_fingerprint_md5: Used by default to get the client JA3 fingerprint MD5 hash value.

              • ssl_client_ja4_fingerprint_md5: Used by default to get the client JA4 fingerprint MD5 hash value.

              • ssl_client_tls_fingerprint_md5: Used by default to get the MD5 hash value of the client TLS fingerprint.

              • http2_client_fingerprint_md5: Used by default to get the MD5 hash value of the client HTTP/2.0 fingerprint.

            • Standard HTTP fields: Such as host, user-agent, connection, and upgrade.

            • Common proxy fields: Such as x-real-ip, x-true-ip, x-client-ip, web-server-type, wl-proxy-client-ip, eagleeye-rpcid, eagleeye-traceid, x-forwarded-cluster, and x-forwarded-proto.

          • Quantity limit: You can add up to five custom header labels.

          • Configuration recommendations:

            • Use default marks first.

            • Verify the header field configuration in the staging environment before applying it to the production environment.

            • We recommend keeping field values to 100 characters or less to avoid affecting forwarding performance.

    6. Click Next and follow the instructions to complete the modification.

    Related operations

    Get the true source IP address after configuring Anti-DDoS Proxy