You can configure additional security settings on the Settings page.
How ESA identifies the real client IP address
The following explains how ESA identifies the real client IP address with or without a third-party reverse proxy.
Without third-party reverse proxy
You can define the originating client IP address that is matched against the Web Application Firewall (WAF) and bot management rules. By default, the client IP address that is used to connect to points of presence (POPs) is used. You can also add custom headers to specify the client IP address.
In most cases, after you add your website to Edge Security Acceleration (ESA), your website is accelerated and protected by ESA. If no other proxy is deployed, client requests are directly forwarded to ESA POPs, and ESA can identify the real client IP address.
With third-party reverse proxy
However, if you have deployed a third-party reverse proxy, such as a WAF, an anti-DDoS service, or a website with Edge Routine activated, between the client and ESA, the proxy connects directly to ESA POPs, and ESA cannot identify the real client IP address. In this case, you need to specify custom headers in the Client IP Definition section and write the client IP information into those headers of your client requests. This way, ESA can obtain the real client IP address.
Identify client IP
In the ESA console, choose Websites and click the name of the website you want to manage.
In the left-side navigation pane, choose .
In the Client IP Definition section, click Configure. Select a type of client IP address as required.
Connect IP (default): the client IP address that is used to connect to ESA POPs.
Custom Header: Use custom headers to define the client IP address. Separate multiple headers with commas (,). You can enter up to five headers.
Click OK.
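The two Client IP Definition modes described above can be modelled as follows. This is an added example, not ESA's own code: the header names, the left-to-right evaluation order and the fallback to the connect IP are assumptions of this sketch, and the addresses are constructed sample values.

```python
import ipaddress

MAX_HEADERS = 5  # limit stated on this page for the Custom Header setting


def parse_header_setting(value):
    """Split the comma-separated Custom Header value and enforce the five-header limit."""
    names = [n.strip().lower() for n in value.split(",") if n.strip()]
    if not names:
        raise ValueError("no header names given")
    if len(names) > MAX_HEADERS:
        raise ValueError("at most five headers can be entered")
    return names


def resolve_client_ip(connect_ip, request_headers, header_names=None):
    """Return (ip, source). header_names=None models the Connect IP default.

    Assumption of this sketch: headers are tried in the configured order and
    the connect IP is used when none of them holds a single valid IP address.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    for name in header_names or []:
        raw = headers.get(name, "").strip()
        try:
            return str(ipaddress.ip_address(raw)), name
        except ValueError:
            continue  # header missing or malformed: try the next configured one
    return str(ipaddress.ip_address(connect_ip)), "connect-ip"


if __name__ == "__main__":
    # Constructed sample: the proxy at 198.51.100.7 fronts a client at 203.0.113.10.
    # X-Client-Real-IP is a hypothetical header name chosen for this example.
    configured = parse_header_setting("X-Client-Real-IP, X-Forwarded-Client")
    proxy_ip = "198.51.100.7"
    cases = {
        "proxy writes header": {"X-Client-Real-IP": "203.0.113.10"},
        "proxy omits header": {},
        "malformed value": {"X-Client-Real-IP": "not-an-ip"},
    }
    for label, hdrs in cases.items():
        print(label, "->", resolve_client_ip(proxy_ip, hdrs, configured))
    # With the Connect IP default, every request appears to come from the proxy.
    print("default ->", resolve_client_ip(proxy_ip, cases["proxy writes header"]))
```

A resolver of this kind cannot tell who wrote the header, so the reverse proxy in front of ESA should overwrite the header on every request rather than pass through a value received from the client.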
Security level
ESA checks whether incoming requests are malicious based on Alibaba Cloud's extensive threat intelligence library. Identified malicious requests are challenged based on the security level you configured. Only requests that pass the challenges are served as expected. The following describes the security levels:
Low (default): Challenges only requests from the IP addresses with the highest threat level. We recommend that you select this option when your website has no history of attacks or click farming.
Medium: Challenges requests from IP addresses with a high threat level. We recommend that you select this option for websites that have high security requirements. We recommend that you select this option or a higher security level when your website has a history of click farming.
High: Challenges requests from any suspicious IP addresses. We recommend that you select this option only during critical periods. We recommend that you select this option when your website has a history of attacks or is under attack.
I'm Under Attack: Challenges all requests. We recommend that you select this option only when your website is under attack.
Essentially Off: Retains only the minimum platform protection policies of ESA. We recommend that you select this option only when unacceptable false positives occur. ESA will still challenge high-risk requests at this level to ensure platform security.
Off (Available in Enterprise Plans): Completely disables protection. This option is available only for customers on Enterprise plans. We recommend that you select this option only when there are unacceptable false positives.
A higher security level may impact the experience of legitimate visitors. Adjust the security level flexibly based on your needs.
If your website encounters false positives for IP addresses or APIs, manually add them to the whitelist. For more information, see Whitelist rules.
Security levels and WAF rules are independent of each other. If you select a security level, ESA challenges or blocks requests based on the intelligence library. If you set WAF rules, ESA blocks or challenges requests based on the specified rules.
Select a security level
In the ESA console, choose Websites and click the name of the website you want to manage.
In the left-side navigation pane, choose .
In the Security Level section, click Configure, and select a level from the drop-down list.
Click OK.