To use Anti-DDoS Pro or Anti-DDoS Premium to protect your website service, you must first add the domain name you want to protect and then add a traffic forwarding rule in the Anti-DDoS Pro or Anti-DDoS Premium console.

Prerequisites

An Anti-DDoS Pro or Anti-DDoS Premium instance is available. For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

Background information

Notice In the top navigation bar of the Anti-DDoS Pro or Anti-DDoS Premium console, you can select the Mainland China or Outside Mainland China region to switch between the Anti-DDoS Pro and Anti-DDoS Premium consoles. Then, you can configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances based on your business requirements. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

This topic uses Anti-DDoS Pro as an example to describe this specific operation. If you use Anti-DDoS Premium, see Add a website.

Procedure

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select Mainland China.
  3. In the left-side navigation pane, choose Provisioning > Website Config.
  4. On the Website Config page, click Add Domain.
    Note You can also import website configurations in batches. For more information, see Import the configurations of more than one website at a time.
  5. Complete the Add Domain wizard.
    1. In the Enter Site Information step, configure the parameters and click Add.
      The parameters are described below. The instances to which each parameter applies are given in parentheses after the parameter name.
      Function Plan (Anti-DDoS Pro and Anti-DDoS Premium instances): The function plan of the Anti-DDoS Pro or Anti-DDoS Premium instance that you want to use. Valid values: Standard Function and Enhanced Function.
      You can move the pointer over the description icon next to Function Plan to view the differences between the Standard and Enhanced function plans.
      Instance (Anti-DDoS Pro and Anti-DDoS Premium instances): The Anti-DDoS Pro or Anti-DDoS Premium instance that you want to use. You can associate a maximum of eight instances with a domain name. The instances associated with the domain name must use the same function plan.

      Available instances are displayed after you configure Function Plan. If no instances are displayed, no instances use the function plan that you select. In this case, you can purchase an instance or upgrade the Standard function plan to the Enhanced function plan. For more information, see Upgrade an instance.

      Domain (Anti-DDoS Pro and Anti-DDoS Premium instances): The domain name of the website that you want to protect. The domain name must meet the following requirements:
      • The domain name can contain letters, digits, and hyphens (-). The domain name must start with a letter or a digit.
      • The domain name can be a wildcard domain name, such as *.aliyundoc.com. If you enter a wildcard domain name, Anti-DDoS Pro or Anti-DDoS Premium automatically matches all subdomains of the wildcard domain name.
      • If you configure a wildcard domain name and an exact-match domain name, the forwarding rules and mitigation policies of the exact-match domain name take precedence. For example, if you configure *.aliyundoc.com and www.aliyundoc.com, the forwarding rules and mitigation policies of www.aliyundoc.com take precedence.
      Protocol (Anti-DDoS Pro and Anti-DDoS Premium instances): The type of the protocol that the website uses. Valid values:
      • HTTP
      • HTTPS: If the website uses HTTPS, select HTTPS and upload an SSL certificate file after you save the website configurations. For more information, see Upload an HTTPS certificate.
      • Websocket: If you select Websocket, HTTP is automatically selected. You cannot select only Websocket for the Protocol parameter.
      • Websockets: If you select Websockets, HTTPS is automatically selected. You cannot select only Websockets for the Protocol parameter.
      If you select HTTPS, you can click Advanced Settings to configure the following options.
      • Enable HTTPS Routing: Available only if the website supports both HTTP and HTTPS. If you enable this feature, all HTTP requests to the website are redirected to HTTPS requests on the standard port 443.
        Notice
        • This feature is available only when both HTTP and HTTPS are selected and Websocket is cleared.
        • If the website is accessed over HTTP on a non-standard port and you enable this feature, those HTTP requests are also redirected to HTTPS requests on the standard port 443.
      • Enable HTTP: Available only if the website does not support HTTPS. If you enable this feature, Anti-DDoS Pro or Anti-DDoS Premium terminates HTTPS requests from clients and forwards them to the origin servers as HTTP requests, and forwards WebSockets requests as WebSocket requests. By default, the origin servers are reached on the standard port 80. Note that only the client-to-instance leg is encrypted in this mode; traffic between the instance and the origin servers is plaintext.
        Notice
        • If the website does not support HTTPS, turn on Enable HTTP.
        • If the website is accessed over HTTPS on a non-standard port and you enable this feature, those HTTPS requests are forwarded to the origin servers as HTTP requests on the standard port 80.
      • Enable HTTP/2: If you turn on Enable HTTP/2, HTTP/2 is used.
      Enable OCSP (Anti-DDoS Pro and Anti-DDoS Premium instances): Specifies whether to enable the Online Certificate Status Protocol (OCSP) feature.
      Notice This feature is available only for a website that supports HTTPS. If HTTPS is selected for Protocol, we recommend that you enable this feature.

      OCSP is an Internet protocol that a client uses to ask the OCSP responder of a Certificate Authority (CA) whether a certificate has been revoked. When a client initiates a Transport Layer Security (TLS) handshake with a server, the client needs both the certificate chain and a current OCSP response for the server certificate.

      The OCSP feature is disabled by default. In this case, the client's browser sends its own OCSP query to the CA and, in most browsers, blocks the rest of the handshake until the response arrives. If the connection to the CA is slow, transient, or interrupted, the user sees a blank page for a long period of time, and the performance of the HTTPS website is degraded.

      If the OCSP feature is enabled, Anti-DDoS Pro or Anti-DDoS Premium sends the OCSP query to the CA itself, caches the result for 300 seconds, and returns the OCSP response together with the certificate chain to the client during the TLS handshake (OCSP stapling). The client no longer has to contact the CA, which removes the blocking caused by client-side OCSP queries. Stapling does not weaken revocation checking: an OCSP response is signed by the CA's OCSP responder, so the instance can only relay a genuine response and cannot forge one, and the client still verifies the signature and validity period of the stapled response as it would for a response it fetched itself.

      Server IP (Anti-DDoS Pro and Anti-DDoS Premium instances): The address type of the origin server. You must also enter the address of the origin server. Valid values:
      • Origin Server IP: the IP address of the origin server. You can enter a maximum of 20 IP addresses. If you enter more than one IP address, separate them with commas (,).
        • If the origin server is hosted on an Elastic Compute Service (ECS) instance, enter the public IP address of the ECS instance. If the ECS instance is associated with a Server Load Balancer (SLB) instance, enter the public IP address of the SLB instance.
        • If the origin server is deployed in a data center or on another cloud, run ping followed by the domain name (for example, ping www.aliyundoc.com) to find the public IP address to which the domain name currently resolves, and enter that address. If the domain name already points at a CDN or another proxy, ping returns the address of that proxy rather than of the origin server, so confirm the origin address with the team that operates the server.
      • Origin Server Domain: the domain name of the origin server. Select this option when you deploy a proxy service, such as Web Application Firewall (WAF), between the origin server and Anti-DDoS Pro or Anti-DDoS Premium. You must also enter the address of the proxy, such as a CNAME. You can enter a maximum of 10 domain names. If you enter more than one domain name, separate them with line breaks.

        If you want to use Anti-DDoS Pro or Anti-DDoS Premium together with WAF, select Origin Server Domain and enter the CNAME that WAF assigns. This provides enhanced protection for the website. For more information, see Add a website to both Anti-DDoS Pro or Anti-DDoS Premium and WAF.

        Notice If you enter the default public endpoint of an Object Storage Service (OSS) bucket for Origin Server Domain, a custom domain name must be mapped to the bucket. For more information, see Regions and endpoints and Map custom domain names.

      If you enter more than one IP address or domain name, Anti-DDoS Pro or Anti-DDoS Premium uses IP hash to forward website traffic to the origin servers. After you save the website configurations, you can change the load balancing algorithm. For more information, see Modify the back-to-origin settings for a website.

      Server Port (Anti-DDoS Pro and Anti-DDoS Premium instances): The server port, which depends on the value of Protocol.
      If you select HTTP, the default port 80 is used. If you select HTTPS, the default port 443 is used.
      Notice
      • The port for Websocket is the same as the port for HTTP.
      • The port for Websockets and HTTP/2 is the same as the port for HTTPS.
      You can click Custom to the right of the Server Port parameter to specify one or more custom ports. You can specify multiple custom HTTP or HTTPS ports. If you specify multiple custom ports, separate the ports with commas (,). Take note of the following limits when you specify custom ports:
      • The custom ports that you want to specify must be supported by Anti-DDoS Pro or Anti-DDoS Premium. You can click View optional range to view the HTTP and HTTPS ports that are supported.
        The ports that are supported vary based on the function plan of your Anti-DDoS Pro or Anti-DDoS Premium instance.
        • Anti-DDoS Pro or Anti-DDoS Premium instance of the Standard function plan:
          • HTTP ports: ports 80 and 8080
          • HTTPS ports: ports 443 and 8443
        • Anti-DDoS Pro or Anti-DDoS Premium instance of the Enhanced function plan:
          • HTTP ports: ports that range from 80 to 65535
          • HTTPS ports: ports that range from 80 to 65535
      • You can specify up to 10 custom ports for all websites that are added to your Anti-DDoS Pro or Anti-DDoS Premium instance. The custom ports include HTTP ports and HTTPS ports.

        For example, you want to add Website A and Website B to your Anti-DDoS Pro or Anti-DDoS Premium instance, Website A provides services over HTTP ports, and Website B provides services over HTTPS ports.

        If you specify HTTP ports 80 and 8080 for Website A, you can specify up to eight HTTPS ports for Website B.

      Cname Reuse (Anti-DDoS Premium instances only): Specifies whether to enable CNAME reuse.

      If more than one website is hosted on the same server, this feature is available. After CNAME reuse is enabled, you need only to map the domain names hosted on the same server to the CNAME that is assigned by Anti-DDoS Premium. For more information, see Use the CNAME reuse feature.

    2. In the Complete step, perform the subsequent operations as instructed.

      1. Allow back-to-origin IP addresses to access the origin server:

        After the DNS record is changed, all legitimate website traffic reaches the origin server from the back-to-origin IP addresses of the Anti-DDoS Pro or Anti-DDoS Premium instance. If security software, such as a firewall, is installed on the origin server, add these back-to-origin IP addresses to its whitelist so that traffic from Anti-DDoS Pro or Anti-DDoS Premium is not blocked. Going one step further and accepting traffic on the website ports only from the back-to-origin IP addresses also stops an attacker who discovers the origin IP address from reaching the origin server directly (see step 2).

        If no security software is installed, you can skip this step, but be aware that the origin server then accepts direct connections from anyone who learns its IP address.

      2. Change the public IP address of an ECS origin server:

        If your origin server is an ECS instance and the origin IP address is exposed, you must change the public IP address of the ECS instance. This prevents attackers from bypassing Anti-DDoS Pro or Anti-DDoS Premium to attack your origin server.

        If your origin server is not an ECS instance and the origin IP address is not exposed, skip this step.

      3. Upload an HTTPS certificate:
        If the website provides HTTPS services, you must upload the SSL certificate file that is associated with the domain name of the website, together with its private key. Anti-DDoS Pro or Anti-DDoS Premium uses the certificate to terminate HTTPS connections from clients, which is what allows HTTPS requests to the website to be inspected and protected.
        Note If a website is associated with an Anti-DDoS Pro or Anti-DDoS Premium instance that uses the Enhanced function plan, you can create a custom TLS policy for the website after you upload an SSL certificate file. For more information, see Customize a TLS policy.

        If the website provides only HTTP services, skip this step.

      4. Optional: Verify the forwarding configurations on your local computer:

        Verify that the website configurations that you added to Anti-DDoS Pro or Anti-DDoS Premium take effect on your computer. If you change the DNS record before the configurations for the website take effect, services may be interrupted.

      5. Change the DNS record:

        Anti-DDoS Pro or Anti-DDoS Premium assigns a CNAME to the website that you added. You must change the DNS record to map the domain name to the CNAME. This way, service traffic can be switched to Anti-DDoS Pro or Anti-DDoS Premium for protection. You can manually change the DNS record or use the NS Access Mode feature to enable the system to automatically change the DNS record.

        For more information, see Change DNS records to protect website services and Enable NS Mode Access to protect a website.

    3. Click Websites List to view the domain name that you added and the CNAME that is assigned by Anti-DDoS Pro or Anti-DDoS Premium in the website list.
    After you complete the Add Domain wizard, you can perform the following operations on the newly added domain name:
    • Add remarks: You can click the Pencil icon icon next to Remark to add remarks that help you identify the website configurations.
    • Modify or delete the domain name: You can click Edit or Delete to manage the website configurations that you added.
      Notice After you click Edit in the Actions column, you can turn on Getting source port from the real customer on the page that appears. With this switch on, Anti-DDoS Pro or Anti-DDoS Premium passes the actual source port of each client to the origin server, and you can also mark the back-to-origin requests that it forwards by using custom HTTP headers, so that the origin server can tell them apart from direct requests. For more information, see Mark back-to-origin requests.
    • Configure DNS settings: If you purchase a paid edition of Alibaba Cloud DNS, you can enable NS Access Mode. This way, the system automatically changes the DNS record of the domain name and redirects traffic to Anti-DDoS Pro or Anti-DDoS Premium.

      For more information, see Enable NS Mode Access to protect a website.

    • Configure mitigation settings: You can click Mitigation Settings in the Actions column to go to the Protection for Website Services tab and modify the mitigation settings.

      After you add the website, Intelligent Protection and Frequency Control are enabled by default. You can enable more features and modify protection rules for the website on the Protection for Website Services tab.

      For more information, see Use the intelligent protection feature.

    • Configure back-to-origin settings: If the website that you add to Anti-DDoS Pro or Anti-DDoS Premium resides on more than one origin server, you can click Back to the origin settings to change the load balancing algorithm for back-to-origin traffic.

      For more information, see Modify the back-to-origin settings for a website.
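As an added example that is not part of the Alibaba Cloud documentation, the following shell script checks from a client whether the Enable OCSP feature described under the Protocol parameters is actually stapling a response on the Anti-DDoS Pro or Anti-DDoS Premium endpoint. It assumes openssl 1.1 or later is installed; the domain name and the connect target in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Verify that the Anti-DDoS Pro or Anti-DDoS Premium endpoint staples an OCSP
# response for your certificate. Added example, not Alibaba Cloud tooling.
# Assumptions: openssl 1.1+ is installed; the domain and target host used in
# the usage comment are placeholders that you replace with your own values.

# Parse the output of `openssl s_client -status` read from stdin.
# Exit status: 0 = a stapled response is present and reports the certificate
#                  as good,
#              1 = nothing was stapled (openssl prints "no response sent"),
#              2 = a response was stapled but the status is not "good".
ocsp_stapling_status() {
  local out
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    printf '%s\n' "$out" | grep -q 'Cert Status: good' && return 0
    return 2
  fi
  return 1
}

# Live check. TARGET is the host you actually connect to: the CNAME assigned
# by the console before you change DNS, or the domain itself afterwards.
# -servername keeps the real SNI so the instance selects the right certificate.
check_ocsp_stapling() {
  local domain="$1" target="${2:-$1}" port="${3:-443}"
  openssl s_client -connect "${target}:${port}" -servername "$domain" \
    -status </dev/null 2>/dev/null | ocsp_stapling_status
}

# Usage (placeholders):
#   check_ocsp_stapling www.aliyundoc.com cname-from-console.example && echo stapled
# Run it against the assigned CNAME before the DNS cutover so the check does
# not depend on the record change; a status of 2 means the CA reports the
# certificate as revoked or unknown and the certificate must be replaced.
```

Because the instance caches the CA's answer for 300 seconds, a freshly uploaded certificate may take up to five minutes to show a stapled response; repeat the check rather than assuming stapling is off.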

Result

Anti-DDoS Pro assigns a CNAME record to the domain name. You only need to map the DNS record of the domain name to the CNAME record of the Anti-DDoS Pro instance to reroute inbound traffic to the instance for traffic scrubbing.
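The following shell helpers, an added example that is not part of the Alibaba Cloud documentation, cover three of the steps of the Complete step in the procedure above: step 1 (locking the origin server down to the back-to-origin IP addresses, shown here with nftables), step 4 (verifying forwarding through the assigned CNAME before the DNS record is changed, using curl --resolve instead of editing the hosts file) and step 5 (confirming the CNAME record after the change). The back-to-origin CIDRs, the domain name and the CNAME are placeholders that you take from the console; nft, curl, getent and dig are assumed to be available on the respective hosts.

```shell
#!/usr/bin/env bash
# Helpers for the Complete step: lock down the origin (step 1), verify
# forwarding before the DNS cutover (step 4) and confirm the cutover (step 5).
# Added example, not Alibaba Cloud tooling. Placeholders you must replace:
# the back-to-origin CIDRs from the console, your domain, and the assigned
# CNAME. Requires nft on the origin, curl/getent/dig on the checking host.

# Step 1. Emit an nftables ruleset that accepts the website ports only from
# the back-to-origin ranges (one CIDR per line on stdin) and drops them from
# everyone else. Other ports are untouched, so management access is kept.
# Add your own monitoring sources to the set if they probe the web ports.
# Apply with:  nft_origin_ruleset < back_to_origin.txt | sudo nft -f -
nft_origin_ruleset() {
  local ports="${1:-80, 443}" first=1 cidr
  printf 'table inet origin_guard {\n'
  printf '  set scrubber { type ipv4_addr; flags interval; elements = {'
  while read -r cidr; do
    [ -z "$cidr" ] && continue
    if [ "$first" -eq 1 ]; then first=0; else printf ','; fi
    printf ' %s' "$cidr"
  done
  printf ' } }\n'
  printf '  chain input {\n'
  printf '    type filter hook input priority 0; policy accept;\n'
  printf '    tcp dport { %s } ip saddr @scrubber accept\n' "$ports"
  printf '    tcp dport { %s } drop\n' "$ports"
  printf '  }\n}\n'
}

# Step 4. Send a request to the scrubbing address while keeping the real
# Host header and SNI, without touching DNS or the hosts file. Prints the
# HTTP status code; the code your application normally returns for "/"
# means the instance forwards to the origin correctly.
verify_via_cname() {
  local domain="$1" cname="$2" port="${3:-443}" ip
  ip=$(getent ahostsv4 "$cname" | awk 'NR==1 {print $1}')
  [ -n "$ip" ] || { echo "cannot resolve $cname" >&2; return 2; }
  curl -sS -o /dev/null -w '%{http_code}\n' \
    --resolve "${domain}:${port}:${ip}" "https://${domain}:${port}/"
}

# Step 5. Confirm that public DNS now maps the domain to the assigned CNAME.
# The second argument is the output of `dig +short "$domain" CNAME`, passed
# in so that the comparison itself can be exercised offline.
dns_points_to_scrubber() {
  local expected answer
  expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  answer=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  answer="${answer%.}"      # dig prints a trailing dot on fully qualified names
  [ -n "$answer" ] && [ "$answer" = "$expected" ]
}

# Usage (placeholders):
#   verify_via_cname www.aliyundoc.com cname-from-console.example
#   dns_points_to_scrubber cname-from-console.example \
#       "$(dig +short www.aliyundoc.com CNAME)" && echo "cutover done"
```

Run the step 4 check before changing DNS and keep the step 1 ruleset in place afterwards: changing the ECS public IP address (step 2) removes the address an attacker already knows, while the ruleset ensures that a newly discovered address is of no use either.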

What to do next