Edge Security Acceleration: Settings

Last Updated: Aug 05, 2025

You can configure additional security settings on the Settings page.

Identify real client IP

Define the originating client IP address used for WAF and bot management rules. By default, the IP address of the client that connects to POPs is used. You can specify custom headers that carry the actual client IP address.

How ESA identifies the real client IP address

The following explains how ESA identifies the real client IP address with or without a third-party reverse proxy.

Without third-party reverse proxy

In most cases, after you add your website to Edge Security Acceleration (ESA), your website is accelerated and protected by ESA. If no other proxy is deployed, client requests are directly forwarded to ESA points of presence (POPs), and ESA can identify the real client IP address.

With third-party reverse proxy

However, if you have deployed a third-party reverse proxy (such as WAF, DDoS mitigation, or Edge Routine) between the client and ESA, the proxy, not the client, connects directly to ESA POPs. In this case, ESA cannot identify the real client IP address.

To resolve this, ensure that the real client IP address is included in the request headers (such as X-Forwarded-For). Then, use the Client IP Definition feature to specify which header ESA should use to identify the client IP. This allows ESA to obtain and use the actual client IP address for security and access controls.

Setup

  1. In the ESA console, choose Websites, and click the name of the website you want to manage.

  2. In the navigation pane on the left, choose Security > Settings.

  3. In the Identify Real Client IP section, click Configure. Select a type of client IP address as required.

    • Connect IP (default): Uses the IP address of the client connected to ESA POPs.

    • Custom Header: Use custom headers to identify the actual client IP address. Separate multiple headers with commas (,). You can enter up to five headers.

  4. Click OK.
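
The following added example (not ESA code and not part of the original documentation) models header-based client IP resolution as described under "With third-party reverse proxy", and shows why the header is reliable only when the proxy in front of ESA writes it. The header name X-Real-IP, the address ranges, the listed-order precedence, the trusted-proxy check, and the right-to-left X-Forwarded-For parsing are assumptions for illustration; this page does not document how ESA evaluates the headers.

```python
import ipaddress

MAX_HEADERS = 5  # the Custom Header setting accepts up to five headers

# Constructed sample values: 203.0.113.0/24 stands in for the proxy's egress range.
TRUSTED = ["203.0.113.0/24"]
SETTING = "X-Real-IP, X-Forwarded-For"


def parse_header_setting(setting):
    """Split the comma-separated setting into lowercase header names."""
    names = [n.strip().lower() for n in setting.split(",") if n.strip()]
    if len(names) > MAX_HEADERS:
        raise ValueError("no more than five headers can be configured")
    return names


def is_trusted(ip, nets):
    return any(ip in net for net in nets)


def resolve_client_ip(connect_ip, headers, setting=SETTING, trusted=TRUSTED):
    """Return the address that WAF and bot rules should treat as the client."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    peer = ipaddress.ip_address(connect_ip)
    # Assumption: headers are honoured only when the peer is a known proxy;
    # otherwise any client could set the header and choose its own "IP".
    if not is_trusted(peer, nets):
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in parse_header_setting(setting):  # assumption: listed order wins
        # Walk right to left: proxies append on the right, while the leftmost
        # entries may have been supplied by the client itself.
        for part in reversed(lowered.get(name, "").split(",")):
            try:
                candidate = ipaddress.ip_address(part.strip())
            except ValueError:
                break  # empty or malformed entry: stop trusting this header
            if not is_trusted(candidate, nets):
                return str(candidate)
    return str(peer)  # no usable header: fall back to the connect IP
```

When you choose Custom Header, confirm that the third-party proxy overwrites or appends to the configured header itself, so that a value sent by the client is never the one used for IP-based rules.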

Security level

ESA checks whether incoming requests are malicious based on Alibaba Cloud's extensive threat intelligence library. Requests identified as malicious are challenged based on the security level you configured. Only requests that pass the challenges are served as expected. The following describes the security levels:

  • Low (default): Challenges only requests from the IP addresses with the highest threat level. We recommend that you select this option when your website has no history of attacks or click farming.

  • Medium: Challenges requests from IP addresses with a high threat level. We recommend that you select this option for websites that have high security requirements, and that you select this option or a higher security level when your website has a history of click farming.

  • High: Challenges requests from any suspicious IP addresses. We recommend that you select this option only during critical periods. We recommend that you select this option when your website has a history of attacks or is under attack.

  • I'm Under Attack: Challenges all requests. We recommend that you select this option only when your website is under attack.

  • Essentially Off: Retains only the minimum platform protection policies of ESA. We recommend that you select this option only when unacceptable false positives occur. ESA will still challenge high-risk requests at this level to ensure platform security.

  • Off (Available in Enterprise Plans): Completely disables protection. This option is available only for customers on Enterprise plans. We recommend that you select this option only when there are unacceptable false positives.

Important
  • A higher security level may impact the experience of legitimate visitors. Adjust the security level flexibly based on your needs.

  • If your website encounters false positives for IP addresses or APIs, manually add them to the whitelist. For more information, see Whitelist rules.

  • Security levels and WAF rules are mutually independent. If you select a security level, ESA challenges or blocks requests based on the intelligence library. If you set WAF rules, ESA blocks or challenges requests based on the specified rules.

Select a security level

  1. In the ESA console, choose Websites, and click the name of the website you want to manage.

  2. In the navigation pane on the left, choose Security > Settings.

  3. In the Security Level section, click Configure, and select a level from the drop-down list.

  4. Click OK.