Connecting a Website Business

Last updated: 2020-02-27 15:28:05

This document describes how website business users connect their services to DDoS High Defense IP instances and verify the forwarding configuration.

Currently, website business access is supported in the Beijing, Shanghai and Guangzhou regions; overseas regions are not supported for the time being.

Prerequisites

  • Before adding a forwarding rule, you must have successfully purchased a DDoS High Defense IP instance.
  • Before modifying the DNS information of a business domain name, you must have successfully purchased a domain name resolution product.

Operational Steps

Configure forwarding rules

  1. Log in to the DDoS Protection Management console and select "DDoS High Defense IP" -> "Access configuration" in the left sidebar.
  2. On the access configuration page, click "Website Business", find and select the target DDoS High Defense IP instance, and add a forwarding rule.
    • Add a forwarding rule individually:
      1. Click [Create].
      2. On the add forwarding rules page, configure the following parameters according to actual needs, and click [OK].

Parameter description:

  • Domain name: enter the domain name of the website to be protected.

  • Protocol: HTTP and HTTPS are supported; select according to actual business needs:

    Use case: related operation
    • Website uses the HTTP protocol only: check [HTTP].
    • Website uses the HTTPS protocol only:
      • Check [HTTPS].
      • Certificate source: Tencent Cloud hosted certificate is selected by default.
      • Certificate: select the corresponding certificate name from SSL Certificates Service.

  • Origin-pull method: IP origin-pull and domain name origin-pull are supported.

  • Enter the real server IP or real server domain name according to the [Origin-pull method]:
    - If you select "IP origin-pull", enter the IP (or IP + port) of the real server. When a website domain name corresponds to multiple real server IPs (or IP + ports), you can enter all of them, one per line. A maximum of 16 IPs (or IP + ports) are supported.
    - If you select "Domain name origin-pull", enter the origin-pull domain name (CNAME) or domain name (CNAME) + port. When a website domain name corresponds to multiple real server domain names (CNAME) or domain name (CNAME) + ports, you can enter all of them, one per line. A maximum of 16 domain names (CNAME) or domain name (CNAME) + ports are supported.

    • Add forwarding rules in batch:

      1. Click [Bulk Import].
      2. In the rule input box of the bulk import page, paste the rules that need to be imported.

        • Each pasted rule lists, from left to right, the domain name, protocol, real server IP (real server domain names are not supported for now) and real server port. The real server IP and the real server port are separated by an ASCII colon ":", and the other fields are separated by spaces. Each line can contain only one forwarding rule.
        • The number of forwarding rules added in batch must not exceed the current quota.
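
A pre-import check for the bulk format described above, as an added example that is not part of the original documentation or the console's own validation. It assumes the protocol column is spelled `http` or `https`, that origins are IPv4, and that the quota is passed in by the caller; the sample rules are constructed.

```python
import ipaddress
import re

# Assumption: the protocol column is spelled "http" or "https".
PROTOCOLS = {"http", "https"}
# Assumption: a conservative hostname pattern (letters, digits, hyphens).
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed sample paste: lines 3-5 each break one rule of the format.
SAMPLE = """\
www.example.com http 192.0.2.10:80
shop.example.com https 192.0.2.11:8443
api.example.com https origin.example.net:443
www.example.com ftp 192.0.2.10:21
blog.example.com http 192.0.2.12
"""


def validate_bulk_rules(text, quota):
    """Return (rules, errors); rules are (domain, protocol, ip, port) tuples."""
    rules, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            errors.append(f"line {n}: expected 'domain protocol ip:port'")
            continue
        domain, proto, origin = fields
        ip, sep, port = origin.rpartition(":")
        if not DOMAIN_RE.match(domain):
            errors.append(f"line {n}: invalid domain name")
        elif proto.lower() not in PROTOCOLS:
            errors.append(f"line {n}: protocol must be http or https")
        elif not (sep and port.isascii() and port.isdigit()
                  and 1 <= int(port) <= 65535):
            errors.append(f"line {n}: origin must be IP:port, port 1-65535")
        else:
            try:
                # Assumption: IPv4 only; origin domain names fail here too.
                ipaddress.IPv4Address(ip)
            except ValueError:
                errors.append(f"line {n}: origin must be an IP address")
                continue
            rules.append((domain.lower(), proto.lower(), ip, int(port)))
    if len(rules) > quota:
        errors.append(f"{len(rules)} rules exceed the quota of {quota}")
    return rules, errors
```
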

Allow the Intermediate IP Range

To prevent the real server from blocking the DDoS High Defense IP intermediate IPs and affecting the business, it is recommended to set a whitelist policy on the real server's firewall, web application firewall, IPS (intrusion prevention system), traffic management and other hardware devices, and to turn off, or set a whitelist policy on, the real server's host firewall and any other security software (such as Safedog), so that the high defense intermediate IPs are not affected by the real server's security policy.
To find the intermediate IPs, log in to the DDoS Protection Management console, select "DDoS High Defense IP" -> "Asset list" in the left sidebar, find the row of the target DDoS High Defense IP instance, click its "ID/name", and view the high defense IP origin-pull address field on the "Basic Information" page that pops up.
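
One way to check an origin whitelist against the origin-pull address range before switching traffic, as an added example that is not part of the original documentation. The CIDR values are constructed from documentation address ranges; the real range comes from the console field described above, and the rule lists are assumed to have been exported from the origin's firewall as CIDR strings.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not real ranges.
INTERMEDIATE = ["198.51.100.0/24", "203.0.113.64/26"]
ALLOW = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.64/27"]
DENY = ["203.0.113.0/24"]


def check_origin_policy(intermediate, allow, deny):
    """Compare origin firewall rules with the intermediate (origin-pull) ranges.

    All arguments are lists of CIDR strings. Returns (uncovered, blocked):
      uncovered: intermediate ranges not fully inside the whitelist
      blocked:   (deny_rule, intermediate_range) pairs that overlap
    """
    inter = [ipaddress.ip_network(c) for c in intermediate]
    nets = [ipaddress.ip_network(c) for c in allow]
    # Merge adjacent whitelist entries per IP version, so that two /25
    # entries are recognised as covering a /24.
    allowed = []
    for version in (4, 6):
        allowed += ipaddress.collapse_addresses(
            n for n in nets if n.version == version)
    uncovered = [str(n) for n in inter
                 if not any(a.version == n.version and n.subnet_of(a)
                            for a in allowed)]
    # A deny rule that overlaps a range may drop forwarded traffic,
    # depending on rule order; report it for review.
    blocked = [(str(d), str(n))
               for d in map(ipaddress.ip_network, deny)
               for n in inter if d.overlaps(n)]
    return uncovered, blocked
```

With the sample values, the first range is covered by the two merged /25 entries, while the second is only half whitelisted and also overlaps a deny rule.
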

Verify the Configuration Locally

After the forwarding configuration is complete, the high defense IP of the DDoS High Defense IP instance forwards packets on the relevant port to the corresponding port of the real server according to the forwarding rules.
To maximize the stability of the business, it is recommended to test locally before fully switching the service. The specific verification method is as follows:

  1. Modify the local hosts file so that local requests for the protected site go through the high defense IP.
    Take the Windows operating system as an example:
    • Open the hosts file under the path C:\Windows\System32\drivers\etc on the local computer, and add the following at the end of the text:
      <High defense IP address> <Domain name of the protected website>
      For example, if the high defense IP is 10.1.1.1 and the domain name is www.qq.com, add:
      10.1.1.1 www.qq.com
    • Save the hosts file.
  2. On the local computer, run the ping command for the protected domain name.
    If the resolved IP address is the high defense IP address bound in the hosts file, the hosts binding has taken effect.
    If the resolved IP address is still the real server's address, try running the ipconfig /flushdns command from a Windows command prompt to flush the local DNS cache.
  3. After confirming that the hosts binding has taken effect, use the domain name for verification.
    If the verification succeeds, the configuration has taken effect.

If verification still fails even with the correct method, log in to the DDoS Protection Management console and check that the configuration is correct. If the problem persists after configuration errors and incorrect verification methods have been ruled out, contact Tencent Cloud technical support.
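
The hosts-file check from the steps above as a script, an added example that is not part of the original documentation. It reuses the page's example values 10.1.1.1 and www.qq.com; the real server address 192.0.2.10 and the hosts text are constructed, and the `resolve` parameter is a hypothetical hook so the logic can be exercised without a live lookup.

```python
import socket

# Constructed sample hosts file using the example binding from the steps above.
HOSTS = """\
# local test binding
127.0.0.1 localhost
10.1.1.1 Www.qq.com   # high defense IP
"""


def hosts_entry(hosts_text, domain):
    """Return the IP that the hosts-file text binds to domain, or None."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        # Host names are case-insensitive and one line may list several.
        if len(fields) >= 2 and domain.lower() in (h.lower() for h in fields[1:]):
            return fields[0]  # the first matching line wins
    return None


def verify_binding(hosts_text, domain, defense_ip, origin_ips,
                   resolve=socket.gethostbyname):
    """Classify the local verification state for one protected domain."""
    if hosts_entry(hosts_text, domain) != defense_ip:
        return "missing: hosts file does not bind the domain to the high defense IP"
    resolved = resolve(domain)
    if resolved == defense_ip:
        return "ok: domain resolves to the high defense IP"
    if resolved in origin_ips:
        return "stale: still resolving to the real server, flush the DNS cache"
    return f"unexpected: domain resolves to {resolved}"
```

A result of "ok" only confirms the local binding; the request through the domain name in step 3 is still what shows that the forwarding rule works.
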

Modify DNS Resolution of the Business Domain Name

Before using DDoS High Defense IP protection, you need to change the A record of the business domain name's DNS to the high defense IP address, so that the traffic of all users accessing the website goes through the high defense IP before returning to the real server (that is, all traffic is diverted to the high defense IP and then returned to the real server).

The configuration principle is the same across domain name resolution products, although the specific configuration steps may differ slightly. This document uses Tencent Cloud's domain name resolution product as an example.

  1. Log in to the Tencent Cloud Console, select "Tencent Cloud services" > "Domain name and website" > "Tencent Cloud DNS", and in the "Domain name Resolution list", click "Resolution" on the row of the target domain name.
  2. On the domain name record management page, click "Add record", change the IP address pointed to by the A record to the DDoS High Defense IP, and click "Save".