Updated on 2024-04-25 GMT+08:00

Step 1: Configuring a Protected Domain Name (Website Services)

For website services, after purchasing Advanced Anti-DDoS (AAD), you need to configure the protected domain names in the AAD instance so that client traffic for those services is routed to the high-defense IP address through CNAME resolution.

If Enterprise Project is enabled, you can configure AAD instances and lines under the enterprise project.

Prerequisites

  • You have purchased an AAD instance.
  • The domain name of the website to be protected has been registered.

Specification Limitations

Each AAD instance can protect a maximum of 50 domain names. Domain names cannot be added in batches; each one must be added separately.

Constraints

  • Currently, the origin server domain name can only be set to a CNAME of Huawei Cloud WAF.
  • Currently, AAD only supports .pem certificates.
  • The CNAME record is derived from the protected domain name, so the same domain name always yields the same CNAME record.
  • AAD supports the WebSocket protocol, which is enabled by default.
  • You can select multiple lines (AAD IP addresses) for a domain name. When selecting multiple AAD IP addresses, ensure that the number of forwarding rules, the forwarding protocol, forwarding port, and service type configured for each AAD IP address are the same.
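The limits above, together with the Origin Server Type rules in the NOTICE under Table 1 below, are easy to violate when many domain names are onboarded one at a time. The following is an added example, not Huawei Cloud code: it checks a planned configuration against those rules before anything is typed into the console. Its data model (DomainEntry, ForwardingRule), the reading of a Domain name origin as exactly one WAF CNAME, and all sample values are assumptions of the example.

```python
"""Pre-flight check of a planned AAD domain-name configuration.

Added example, not Huawei Cloud code. Domain names cannot be added in batches,
so it is worth validating a plan before typing it into the console. The checks
encode the rules stated on this page:
  - at most 50 domain names per AAD instance;
  - at most 20 origin IP addresses for an IP-address origin;
  - a Domain name origin is taken here to be a single WAF CNAME (assumption);
  - domain names that share a high-defense IP and protocol/port must use the
    same Origin Server Type;
  - when several lines (high-defense IPs) are selected for one domain name,
    the forwarding rules must be identical on every line;
  - subdomains whose origin addresses are all the same can be consolidated
    into one wildcard entry.
The data model (DomainEntry, ForwardingRule) is this example's own construction.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

MAX_DOMAINS_PER_INSTANCE = 50
MAX_ORIGIN_IPS = 20


@dataclass(frozen=True)
class ForwardingRule:
    protocol: str      # "HTTP" or "HTTPS"
    port: int          # forwarding port on the high-defense IP
    service_type: str  # service type as configured in the console


@dataclass
class DomainEntry:
    name: str
    origin_type: str   # "IP address" or "Domain name"
    origins: tuple     # origin IP addresses, or exactly one WAF CNAME
    lines: dict = field(default_factory=dict)  # high-defense IP -> set of ForwardingRule


def check_plan(entries):
    """Return a list of problems for one AAD instance; an empty list means the plan passes."""
    problems = []
    if len(entries) > MAX_DOMAINS_PER_INSTANCE:
        problems.append(f"{len(entries)} domain names exceed the limit of "
                        f"{MAX_DOMAINS_PER_INSTANCE} per instance")
    # (high-defense IP, protocol, port) -> Origin Server Type of the first domain name using it
    owner = {}
    for e in entries:
        if e.origin_type == "IP address":
            if len(e.origins) > MAX_ORIGIN_IPS:
                problems.append(f"{e.name}: {len(e.origins)} origin IPs exceed the limit of {MAX_ORIGIN_IPS}")
            for ip in e.origins:
                try:
                    ipaddress.ip_address(ip)
                except ValueError:
                    problems.append(f"{e.name}: origin {ip!r} is not an IP address")
        elif e.origin_type == "Domain name":
            if len(e.origins) != 1:
                problems.append(f"{e.name}: a Domain name origin must be exactly one WAF CNAME")
        else:
            problems.append(f"{e.name}: unknown Origin Server Type {e.origin_type!r}")
        # every selected line must carry the same set of forwarding rules
        if len({frozenset(rules) for rules in e.lines.values()}) > 1:
            problems.append(f"{e.name}: forwarding rules differ between the selected lines")
        for hd_ip, rules in e.lines.items():
            for r in rules:
                prev = owner.setdefault((hd_ip, r.protocol, r.port), e.origin_type)
                if prev != e.origin_type:
                    problems.append(f"{e.name}: shares {hd_ip} {r.protocol}/{r.port} with a "
                                    f"'{prev}' origin but uses '{e.origin_type}'")
    return problems


def suggest_wildcards(subdomain_origins):
    """Map {subdomain: origin IPs} to {'*.parent': [subdomains]} for every parent whose
    subdomains all have the same origin set and so could be one wildcard entry instead."""
    by_parent = defaultdict(dict)
    for name, origins in subdomain_origins.items():
        labels = name.split(".")
        if len(labels) < 3:
            continue  # a registrable domain such as example.com is not a subdomain
        by_parent[".".join(labels[1:])][name] = frozenset(origins)
    return {"*." + parent: sorted(members)
            for parent, members in by_parent.items()
            if len(members) > 1 and len(set(members.values())) == 1}
```

check_plan reports conflicts per instance, so run it once per AAD instance with the entries planned for that instance; suggest_wildcards is advisory only, because subdomains that share an origin today may not tomorrow, and a wildcard entry then has to be split back into individual subdomains.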

Procedure

  1. Log in to the management console.
  2. Select a region in the upper part of the page, click the icon in the upper left corner of the page, and choose Security & Compliance > Anti-DDoS Service. The Anti-DDoS Service Center page is displayed.
  3. In the navigation pane on the left, choose Advanced Anti-DDoS > Domain Name Access. The Domain Name Access page is displayed.

    Figure 1 Domain name access

  4. On the displayed page, click Add Domain Name.
  5. On the Add Domain Name page, configure domain name information, as shown in Figure 2. Table 1 describes the parameters.

    Figure 2 Configuring website domain
    Table 1 Domain name parameters

    Parameter

    Description

    Example Value

    Protected Domain Name

    Enter the domain name of the service to protect.

    • Single domain name: Enter a single domain name, for example, www.example.com.
    • Wildcard domain name
      • If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if the subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can directly add the wildcard domain name *.example.com to AAD for protection.
      • If the server IP addresses of subdomain names are different, add subdomain names one by one.

    Single domain name: www.example.com

    Wildcard domain name: *.example.com

    Origin Server Type

    Type of the origin server.

    • IP address: IP address of the origin server. Enter a maximum of 20 IP addresses, separated by commas (,).
    • Domain name: Currently, only Huawei Cloud WAF CNAMEs are supported.
    • Forwarding Protocol: Protocol used by AAD to forward client (for example, browser) requests to the origin server. The options are HTTP and HTTPS.
    • Origin Server Port: Port on the origin server to which AAD forwards client requests.

    NOTICE:
    • If the protected domain name to be added shares a high-defense IP address and a protocol or port with a domain name that is already configured, both domain names must have the same Origin Server Type.
      • If Origin Server Type is IP address, ensure that web protection is enabled for the domain name. For details, see Enabling Basic Web Protection and CC Attack Protection.
      • If Origin Server Type is Domain name, ensure that the existing domain name and the one to be added are connected to the same WAF.
    • If Origin Server Type is set to Domain name, ensure that the domain name has been configured in WAF to use a proxy (that is, WAF is set up to receive the traffic through a proxy such as AAD). Otherwise, the service may become unavailable after it is connected to AAD.
    • If you connect your service to AAD using a WAF CNAME and later no longer need WAF protection, delete the service domain name from AAD before removing it from WAF.
    • If you connect your service to AAD using a WAF CNAME but no longer need WAF protection, delete the service domain name from AAD first.

    Origin server IP address: XXX.XXX.1.1

    Forwarding Protocol: HTTP

    Origin Server Port: 80

    Certificate Name

    If Origin Server Type is set to IP Address and Forwarding Protocol is set to HTTPS, you need to upload a certificate. For details about how to upload a certificate, see step 6.

    -

  6. (Optional) Upload a certificate.

    If Origin Server Type is set to IP Address and Forwarding Protocol is set to HTTPS, you need to import a certificate.

    You can select an existing certificate from the drop-down list or upload a certificate.

    To upload a certificate, perform the following steps:

    1. Click Upload Certificate. In the displayed Upload Certificate dialog box, select a certificate upload mode.
      • Manual: Enter the certificate name and paste the certificate and private key text content, as shown in Figure 3. Table 2 describes the parameters.
      • Automatic: Select an issued certificate.

      The certificate name contains a maximum of 10 characters and cannot contain special characters.

      Figure 3 Uploading a certificate
      • Currently, only TLS 1.0, TLS 1.1, and TLS 1.2 are supported. (The TLS version is negotiated per connection and is not a property of the certificate. TLS 1.0 and TLS 1.1 are deprecated by RFC 8996, so prefer TLS 1.2 wherever your clients allow it.)
      • Currently, only .pem certificates are supported.
      • Certificate names must be unique within your account.
      Table 2 Parameter description

      Parameter

      Description

      Certificate

      • The certificate must be in the following format:
        -----BEGIN CERTIFICATE-----
        MIIDljCCAv+gAwIBAgIJAMD2jG2tYGQ6MA0GCSqGSIb3DQEBBQUAMIGPMQswCQYD
        VQQGEwJDSDELMAkGA1UECBMCWkoxCzAJBgNVBAcTAkhaMQ8wDQYDVQQKEwZodWF3
        ZWkxDzANBgNVBAsTBmh1YXdlaTEPMA0GA1UEAxMGaHVhd2VpMQ8wDQYDVQQpEwZz
        ZXJ2ZXIxIjAgBgkqhkiG9w0BCQEWE3p3YW5nd2VpZGtkQDE2My5jb20wHhcNMTUw
        MzE4MDMzNjU5WhcNMjUwMzE1MDMzNjU5WjCBjzELMAkGA1UEBhMCQ0gxCzAJBgNV
        BAgTAlpKMQswCQYDVQQHEwJIWjEPMA0GA1UEChMGaHVhda2VpMQ8wDQY......
        -----END CERTIFICATE-----
      • How to copy your certificate:
        • For a .pem certificate: Open the certificate file in a text editor and copy its content here.
        • For other formats: Convert the certificate to .pem, open the converted file in a text editor, and copy its content here.

      Private Key

      The private key must be in the following format:

      -----BEGIN RSA PRIVATE KEY-----
      MIIDljCCAv+gAwIBAgIJAMD2jG2tYGQ6MA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQG
      EwJDSDELMAkGA1UECBMCWkoxCzAJBgNVBAcTAkhaMQ8wDQYDVQQKEwZodWF3ZWkxDzAN
      BgNVBAsTBmh1YXdlaTEPMA0GA1UEAxMGaHVhd2VpMQ8wDQYDVQQpEwZzZXJ2ZXIxIjAg
      BgkqhkiG9w0BCQEWE3poYW5nd2VpZGtkQDE2My5jb20wHhcNMTUwMzE4MDMzNjU5WhcN
      MjUwMzE1MDMzNjU5WjCBjzELMAkGA1UEBhMCQ0gxCzAJBgNVBAgTAlpKMQswCQYDVQQH
      EwJIWjEPMA0GA1UEChMGaHVhd2VpMQ8wDQYDVQQLEwZ
      -----END RSA PRIVATE KEY-----
      • How to copy your private key:
        • For a .pem file: Open the private key file in a text editor and copy its content here.
        • For other formats: Convert the private key to .pem, open the converted file in a text editor, and copy its content here. The pasted key must match the form shown above (a plain RSA PRIVATE KEY block).
    2. Click OK.

  7. Click Next and select an AAD instance and line, as shown in Figure 4.

    Figure 4 Selecting an AAD instance and line
    • You can select multiple lines (AAD IP addresses) for a domain name. When selecting multiple AAD IP addresses, ensure that the number of forwarding rules, the forwarding protocol, forwarding port, and service type configured for each AAD IP address are the same.

  8. Click Submit and Continue. A dialog box is displayed, as shown in Figure 5.

    You are advised to click Next to skip this step. You can configure DNS later according to Step 4: Modifying DNS Resolution.
    Figure 5 Modifying DNS

  9. Click Finish to complete the configuration.

    After the domain name is configured, the Domain Name Access page is displayed automatically, and the added domain name appears in the domain name list.

    Figure 6 Back-to-origin IP address

    If a firewall or security software is running on the origin server, add the back-to-origin IP address range to its whitelist so that the security policies on the origin server do not affect traffic from the back-to-origin IP addresses. For details, see Step 2: Adding the Back-to-Source IP Address Range to the Whitelist.

    AAD forwards client traffic to the origin server from its back-to-origin IP addresses, so the origin server sees those addresses instead of the clients' real IP addresses.
    • Without AAD, access traffic reaches the origin server directly from the source IP addresses of the clients. From the origin server's point of view, requests come from many scattered clients, and each source IP address sends only a few requests.
    • With AAD, access traffic is forwarded from the back-to-origin IP addresses. From the origin server's point of view, all requests come from these addresses, which are fixed and few in number, so each of them carries far more requests than a single client would. They can therefore be mistaken for attack sources, and anti-DDoS or other security policies on the origin server may block or rate-limit them. For example, clients receive error 502 when a request is blocked by mistake.
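Step 6 requires the certificate and key to be pasted in exactly the PEM forms shown there; a key exported as PKCS#8 or still encrypted is the usual reason a paste is rejected. The following is an added example, not Huawei Cloud code, that checks a pair against those forms before it is pasted. It uses only the Python standard library, so it checks form rather than trust (no chain verification, no key-to-certificate match), and its sample blocks are constructed placeholders rather than real credentials.

```python
"""Check a certificate and private key before pasting them into the AAD
Upload Certificate dialog.

Added example, not Huawei Cloud code. Standard library only, so it runs
offline; it checks form, not trust (it does not verify the signature chain or
that the key matches the certificate). It enforces what this page states:
  - the certificate is a PEM '-----BEGIN CERTIFICATE-----' block;
  - the private key is a PEM '-----BEGIN RSA PRIVATE KEY-----' block;
  - the certificate name has at most 10 characters and no special characters
    (interpreted here as letters and digits only);
and it names the two mismatches that most often make an upload fail: a PKCS#8
key ('BEGIN PRIVATE KEY') and an encrypted key. The sample blocks at the end
are constructed placeholders, not real certificates or keys.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes, header_lines)] for each PEM block in text.
    Raises ValueError when a body is not base64 or does not decode to a DER SEQUENCE."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        lines = body.splitlines()
        # legacy encrypted keys carry 'Proc-Type:' / 'DEK-Info:' header lines before the base64
        headers = [ln.strip() for ln in lines if ":" in ln]
        b64 = "".join(ln.strip() for ln in lines if ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: body is not valid base64 ({exc})")
        if not der or der[0] != 0x30:  # X.509 and PKCS#1/#8 structures all start with a SEQUENCE tag
            raise ValueError(f"{label}: decoded body is not a DER SEQUENCE")
        blocks.append((label, der, headers))
    return blocks


def check_upload(name, cert_text, key_text):
    """Return a list of problems; an empty list means the pair is in the form AAD accepts."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9]{1,10}", name):
        problems.append("certificate name must be 1-10 characters with no special characters")
    try:
        certs = pem_blocks(cert_text)
        keys = pem_blocks(key_text)
    except ValueError as exc:
        return problems + [str(exc)]
    if not certs or certs[0][0] != "CERTIFICATE":
        problems.append("certificate field must start with a '-----BEGIN CERTIFICATE-----' block "
                        "(convert other formats to .pem first)")
    if len(keys) != 1:
        problems.append("private key field must contain exactly one PEM block")
    else:
        label, _, headers = keys[0]
        if label == "ENCRYPTED PRIVATE KEY" or any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers):
            problems.append("private key is encrypted; upload it unencrypted")
        elif label == "PRIVATE KEY":
            # PKCS#8 wrapper; the page shows only the PKCS#1 'RSA PRIVATE KEY' form
            problems.append("private key is PKCS#8 ('BEGIN PRIVATE KEY'); convert it to "
                            "'BEGIN RSA PRIVATE KEY' form before uploading")
        elif label != "RSA PRIVATE KEY":
            problems.append(f"unexpected private key block type '{label}'")
    return problems


def _pem(label, der, headers=()):
    """Build a PEM block from DER bytes (used only to construct the samples below)."""
    body = base64.encodebytes(der).decode()
    return (f"-----BEGIN {label}-----\n" + "".join(h + "\n" for h in headers)
            + body + f"-----END {label}-----\n")


# Constructed placeholder body: DER SEQUENCE { INTEGER 0 }. Not a real certificate or key.
_DER_SEQ = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_CERT = _pem("CERTIFICATE", _DER_SEQ)
SAMPLE_KEY_PKCS1 = _pem("RSA PRIVATE KEY", _DER_SEQ)
SAMPLE_KEY_PKCS8 = _pem("PRIVATE KEY", _DER_SEQ)
SAMPLE_KEY_ENCRYPTED = _pem("RSA PRIVATE KEY", _DER_SEQ,
                            headers=("Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,0123456789ABCDEF"))
```

Call check_upload(name, open("cert.pem").read(), open("key.pem").read()) on the files you intend to paste. Conversion and cryptographic checks are left to openssl: openssl rsa -in key.pem -traditional -out key_pkcs1.pem rewrites a PKCS#8 key in the RSA PRIVATE KEY form (the -traditional flag is needed on OpenSSL 3, which otherwise writes PKCS#8); openssl pkcs12 -in site.pfx -nodes -out site.pem unpacks a PKCS#12 bundle into PEM; and comparing the output of openssl x509 -noout -modulus -in cert.pem with openssl rsa -noout -modulus -in key.pem confirms that the key matches the certificate.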

Follow-up Procedure

After the domain name is configured, you are advised to locally verify that the domain name parameters are correctly configured. For details, see Step 3: Locally Verifying the Website Service Configuration.
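The mistaken-block case described under step 9 (a few fixed back-to-origin addresses carrying all client traffic and tripping per-source-IP thresholds on the origin) is easy to reproduce and to fix in code, and worth checking on the origin before the local verification. The following is an added example, not Huawei Cloud code or an AAD component: a small fixed-window limiter run over a constructed request log, first keyed on the TCP peer address and then on the real client address. It assumes a back-to-origin range of 203.0.113.0/24 and that AAD carries the client address in X-Forwarded-For; use the range shown in the console and confirm the header in your own environment.

```python
"""Why per-source-IP limiting on the origin breaks behind AAD, and how to fix it.

Added example, not Huawei Cloud code. A constructed request log is replayed
through a fixed-window limiter twice:
  1. keyed on the TCP peer address (the usual default), which collapses every
     proxied client onto the few fixed back-to-origin IPs and blocks them;
  2. keyed on the real client address, read from X-Forwarded-For only when the
     peer is a back-to-origin address, otherwise on the peer itself.
Assumptions: the back-to-origin range 203.0.113.0/24 (use the range shown in
the console) and X-Forwarded-For as the header carrying the client address.
"""
from collections import Counter
import ipaddress

# Constructed range standing in for the back-to-origin IP addresses shown in the console.
BACK_TO_ORIGIN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
LIMIT_PER_WINDOW = 5  # requests per identity per window; deliberately low for the demo


def is_back_to_origin(peer_ip):
    """True when the TCP peer is one of the AAD back-to-origin addresses."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in BACK_TO_ORIGIN_RANGES)


def client_identity(peer_ip, headers):
    """Identity to rate-limit on. X-Forwarded-For is trusted only from a back-to-origin
    peer; a direct client could otherwise set it to dodge the limit or to get an
    arbitrary address blocked."""
    if is_back_to_origin(peer_ip):
        first = headers.get("X-Forwarded-For", "").split(",")[0].strip()  # leftmost = original client
        try:
            return str(ipaddress.ip_address(first))
        except ValueError:
            pass  # missing or malformed header: fall back to the peer address
    return peer_ip


def by_peer(peer_ip, headers):
    """The naive identity: whoever opened the TCP connection."""
    return peer_ip


def run_limiter(requests, key_func):
    """Count requests per identity in one window; return {identity: requests rejected}."""
    seen, rejected = Counter(), Counter()
    for peer_ip, headers in requests:
        key = key_func(peer_ip, headers)
        seen[key] += 1
        if seen[key] > LIMIT_PER_WINDOW:
            rejected[key] += 1  # the origin would answer with an error here (clients see 502)
    return dict(rejected)


# Constructed sample log: 12 distinct clients, one request each, arriving through two
# back-to-origin addresses; a direct client that spoofs X-Forwarded-For; and one abusive
# client behind AAD sending 7 requests.
SAMPLE_REQUESTS = (
    [(f"203.0.113.{10 + i % 2}", {"X-Forwarded-For": f"198.51.100.{i}"}) for i in range(12)]
    + [("192.0.2.77", {"X-Forwarded-For": "198.51.100.1"})] * 3
    + [("203.0.113.10", {"X-Forwarded-For": "198.51.100.250"})] * 7
)


def demo():
    """Return (rejections keyed on peer address, rejections keyed on client identity)."""
    return run_limiter(SAMPLE_REQUESTS, by_peer), run_limiter(SAMPLE_REQUESTS, client_identity)


if __name__ == "__main__":
    naive, fixed = demo()
    print("keyed on peer address:  ", naive)   # both back-to-origin IPs get blocked
    print("keyed on client address:", fixed)   # only the abusive client is limited
```

The corrected keying trusts X-Forwarded-For only when the peer is a back-to-origin address. Trusting it unconditionally would let any direct client choose the identity it is limited under and let an attacker get an arbitrary address blocked on the origin. The same principle applies to an origin firewall or host security software: exempt the back-to-origin range from per-IP thresholds rather than raising the thresholds for everyone, and keep the direct path to the origin closed so that the origin cannot be reached around AAD.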

Related Operation

  • If you do not want a domain name to be resolved to a high-defense IP address, locate the row containing the domain name on the Domain Name Access page and click View details in the Instance and Line column. On the page that is displayed, switch DNS Resolution off for the target high-defense IP address.
  • If you do not want to protect a domain name, locate the row containing the domain name on the Domain Name Access page and click Delete in the Operation column.