Recently, an old customer called me in the middle of the night, said that the site suddenly hung up, the traffic soared to 100Gbps, a look is DDoS, traditional firewalls can not carry, I immediately suggested that he on the high-defense CDN, which only slowed down. These days, network attacks are as common as eating, you don't have a reliable protection, minutes to be screwed offline, so today I'll nag high defense CDN access to the whole process, from choosing a service provider to the resolution of the configuration, step by step to take you to avoid the pit.<\/p>\n
I first said a true statement, high defense CDN is not a panacea, but is definitely the current response to large-scale traffic preferred program, which disperses the attack traffic through distributed nodes, while caching the content to accelerate access, I found that a good high-defense CDN can carry the T-level attacks, but also enhance the loading speed, but do not believe that those who bragged about \u201c100% protection! But don't believe those who boast \u201d100% protection\" ads, are fooling people, the actual effect depends on the configuration and strategy.<\/p>\n
Why do I want to emphasize the high defense CDN? Because ordinary CDN is like a paper wall, can only accelerate, can not prevent malicious traffic, and high defense CDN integrated WAF, DDoS mitigation, and even behavioral analysis, I've seen too many projects because of the money to save ordinary CDN, the results of the CC attack penetration, the loss of heavy losses, so the core of the problem: you have to choose the right service provider, and the correct configuration, and then you have to choose the right service provider, and the correct configuration, or it is useless. Otherwise, it is a waste of money.<\/p>\n
When it comes to service providers, a bunch of choices on the market, but my personal preference CDN5, CDN07 and 08Host, CDN5's advantage is that there are many nodes, strong resistance to attacks, especially suitable for the e-commerce and gaming industry, the price is slightly higher but worth it, CDN07 is cost-effective and flexible in its configuration, and I often use it to do the test environment, and the highlights of the 08Host is that it is optimized well for Asia and has a low latency, which is suitable for Asia-Pacific business, but the Anti-attack ability is slightly weak, have to combine their own needs to choose.<\/p>\n
Below I dismantle the access steps, first from the beginning of the registration, CDN5 as an example, because it is full of documents, good support, to avoid blindness of novices, after registering an account, do not rush to rush in, first read their security policy, I have a brother did not look at the terms and conditions of the results of the configuration of the wrong chargebacks, angry straight to the feet.<\/p>\n
Add a domain name is a key step, in the CDN5 console, find the \u201cAdd Domain Name\u201d or similar options, enter your main domain name, such as example.com, the system will generate a CNAME record, which is the core of the subsequent resolution, do not get confused, I have found that if the domain name is not filed or SSL certificates I found that if the domain name is not filed or SSL certificate, it may be stuck, so prepare all the materials in advance.<\/p>\n
Next is the configuration session, high defense CDN usually has several settings: cache rules, security policies, SSL certificates, etc. Here I share a code example to set the cache time to avoid resource expiration, in CDN5, you can use API or UI to adjust it, for example, this JSON snippet is used to set the cache header:<\/p>\n
In terms of security policy, make sure to turn on WAF and DDoS protection, CDN5 provides customized rules, I often set the threshold to blocking abnormal requests, for example, if a single IP request more than 100 times per second, it will be automatically blacked out, which can effectively prevent CC attacks, don't forget to test the rules, otherwise it may mistakenly block normal users.<\/p>\n
The domain name resolution part is most likely to be wrong, I've seen countless people resolve wrongly resulting in the CDN does not take effect, in the DNS management platform (such as Cloudflare or their own DNS), add a CNAME record, your domain name to point to the CNAME address provided by CDN5, for example:<\/p>\n
It takes time for parsing to take effect, usually a few minutes to a few hours, during which time it can be checked with the dig command:<\/p>\n
If the address of the CDN is returned, it means it's successful, otherwise you have to troubleshoot the DNS settings, I suggest testing with a subdomain first, such as cdn.example.com, to avoid affecting the production environment.<\/p>\n
SSL certificate must be configured, otherwise the browser will report insecurity, CDN5 support automatic SSL, upload the certificate or use Let's Encrypt free version, find the SSL tab in the console, upload your certificate and private key, or turn on the automatic renewal, I tested and found that the manual upload is more reliable, to avoid the embarrassment of the failure of the automatic certificate.<\/p>\n
Test link can not be saved, access, with tools such as curl or browser to check the response header, confirm that the X-Cache header shows HIT, said hit CDN cache, while simulating attacks to test the protection, such as slowloris tool to send a slow request, to see if the CDN intercepts, CDN5 logging is very powerful, analyze the logs can optimize the configuration.<\/p>\n
Finally talk about optimization, high-defense CDN is not set-and-forget, you have to regularly monitor and adjust, I often use the CDN5 reporting function to see traffic peaks and security events, if you find anomalies, tweak the rules in a timely manner, such as adjusting the caching policy or strengthen the WAF, remember, network security is a continuous battle, lazy.<\/p>\n
In short, high defense CDN access seems complex, but step by step is simple, choose a service provider, configuration, resolution, testing, each link must be careful, I have so many years of experience to tell you, spend more time in the early stage, the late less stepped on the pit, the network world, preventing problems before they occur is the king's way, if you have a specific problem, welcome to exchange, I try to go back.<\/p>","protected":false},"excerpt":{"rendered":"
Recently, an old customer called me in the middle of the night, said that the site suddenly hung up, the traffic soared to 100Gbps, a look is DDoS, traditional firewalls can not carry, I immediately suggested that he on the high-defense CDN, which only slowed down. These days, network attacks are as common as eating, you don't have a reliable protection, minutes to be screwed offline, so today I'll nag high defense CDN access to the whole process, from choosing a service provider to the resolution of the configuration, step by step to take you to avoid the pit. I first said a true statement, high defense CDN is not a panacea, but is definitely the current response to large-scale flow of the preferred program, it is distributed nodes to disperse the attack traffic, while caching content to accelerate access, I found that a good high-defense CDN can carry T-level attacks, but also enhance the loading speed, but do not believe that those who bragged about the \u201c100% protection\", but the CDN is not the only one.<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"gallery","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"categories":[150],"tags":[],"collection":[],"class_list":["post-1039","post","type-post","status-publish","format-gallery","hentry","category-updates","post_format-post-format-gallery"],"_links":{"self":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/1039","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/comments?post=1039"}],"version-history":[{"count":1,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/1039\/revisions"}],"predecessor-version":[{"id":1086,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/1039\/revisions\/1086"}],"wp:attachment":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/media?parent=1039"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/categories?post=1039"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/tags?post=1039"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/collection?post=1039"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}