Obtain the actual source IP addresses of requests to an origin server that is not deployed on Alibaba Cloud - Anti-DDoS

If you use a server in your data center as the origin server and use Anti-DDoS Pro or Anti-DDoS Premium to protect your service, requests are first scrubbed by Anti-DDoS Pro or Anti-DDoS Premium and then forwarded to the origin server. The origin server cannot directly obtain the actual source IP addresses of the requests. This topic describes how to configure the TOA module on the origin server to obtain the actual source IP addresses.

Scenario

The following table describes common deployment scenarios and whether the actual source IP addresses of requests can be obtained in each scenario.


Scenario	Description	Whether actual source IP addresses can be obtained
Anti-DDoS Pro or Anti-DDoS Premium - Layer 7 SLB instance - Server in your data center	The origin server is deployed in your data center. Requests are first scrubbed by Anti-DDoS Pro or Anti-DDoS Premium. Then, a Layer 7 SLB instance forwards the requests to the origin server that is deployed in your data center.	Yes
Anti-DDoS Pro or Anti-DDoS Premium - Layer 4 instance SLB - Server in your data center	The origin server is deployed in your data center. Requests are first scrubbed by Anti-DDoS Pro or Anti-DDoS Premium. Then, a Layer 4 SLB instance forwards the requests to the origin server that is deployed in your data center.	No
Anti-DDoS Pro or Anti-DDoS Premium - Server in your data center	The origin server is deployed in your data center. Requests are first scrubbed by Anti-DDoS Pro or Anti-DDoS Premium and then forwarded to the origin server that is deployed in your data center.	Yes

Applicable operating systems

The method in this topic applies to the following operating systems:

Red Hat Enterprise Linux
CentOS 6.x
CentOS 7.x

Procedure

Before you perform the following steps, take note of the following items:

Notice

Before you use the method in a production environment, you can use the method in a test environment to check whether your service runs as expected.
We recommend that you keep the original kernel of the operating system. This way, you can use the original kernel to restore your service if a restart fails.

Download the required kernel installation file based on the operating system of your server.
- CentOS 7.x: kernel-3.10.0-957.21.3.el7.toa.x86_64.rpm
- CentOS 6.x or Red Hat Enterprise Linux:
  - kernel-firmware-2.6.32-696.13.2.el6.centos.plus.toa.x86_64
  - kernel-2.6.32-696.13.2.el6.centos.plus.toa.x86_64
Install the kernel.
- CentOS 7.x
  Go to the directory of the installation file and run the following command:
```
sudo yum localinstall kernel-3.10.0-957.21.3.el7.toa.x86_64.rpm
```
  Note We recommend that you use the yum localinstall command to install the kernel to avoid dependency issues. You can also use the sudo rpm -ivh kernel-3.10.0-957.21.3.el7.toa.x86_64.rpm command.
- CentOS 6.x or Red Hat Enterprise Linux
  Go to the directory of the installation file and run the following commands:
```
sudo rpm -ivh kernel-firmware-2.6.32-696.13.2.el6.centos.plus.toa.x86_64.rpm
sudo rpm -ivh kernel-2.6.32-696.13.2.el6.centos.plus.toa.x86_64.rpm
```
  Note
  
  If kernel-firmware runs 2.6.32-696.13.2.el6.centos.plus.toa or later, use only the preceding second command.
  
  If dependency issues occur during installation, add the --nodeps parameter to the rpm command.
  
  If the kernel version is later than the TOA version, add the --force parameter to the rpm command to forcibly install the kernel.

Configure the TOA module to make sure that the module is automatically loaded when the operating system is started.

Create the /etc/sysconfig/modules/toa.modules file and add the following content to the file:

CentOS 7.x:

#!/bin/bash
if [ -e /lib/modules/`uname -r`/kernel/net/toa/toa.ko.xz ] ;
then 
modprobe toa > /dev/null 2>&1
fi

CentOS 6.x or Red Hat Enterprise Linux:

#!/bin/bash
if [ -e /lib/modules/`uname -r`/kernel/net/toa/toa.ko ] ;
then 
modprobe toa > /dev/null 2>&1
fi

Run the following command to grant execute permissions to the toa.modules file:
```
sudo chmod +x /etc/sysconfig/modules/toa.modules
```

Run the reboot command to restart the operating system.
After the installation is complete, the origin server can obtain the actual source IP addresses of requests.
If the actual source IP addresses are not obtained, run the lsmod|grep toa command to check the loading status of the TOA module. If the TOA module is not loaded, run the modprobe toa command to manually load it. After the TOA module is loaded, you can view server access logs and test whether the origin server can obtain the actual source IP addresses.

References

If I use the TOA module, does network performance deteriorate?
No, the network performance does not deteriorate. The TOA module is deployed in bypass mode and has little impact on network performance.
What do I do if the kernel is unstable after the TOA module is loaded?
We recommend that you keep the original kernel of the operating system. This way, you can use the original kernel to restore your service if a restart fails.