Recently to help friends deal with the website was DDoS hanging problems, found an interesting phenomenon: a lot of people spend a lot of money to buy a high-defense CDN, but because of the domain name binding configuration is not appropriate, either the traffic did not go to accelerate the node, or the firewall did not take effect. The most outrageous is an e-commerce station, set of CDN but the source station IP directly exposed, the attacker bypassed the protection directly to the server paralyzed - these days, even the CDN have to \u201cdefense teammates\u201d.<\/p>\n
In fact, the domain name binding of the high defense CDN is not so mysterious, but the details determine life and death. I have handled the case, 10 configuration problems 7 out of 10 in the domain name binding link. Don't look at the vendor console fancy, the core logic of the steps, understand once you can eat all the vendors.<\/p>\n
Splash cold water first:Don't ever think you can just fill in a domain name at the CDN vendor and be done with it!<\/strong>The complete process includes three core links: platform configuration + DNS resolution + validation. The complete process includes \u201cplatform configuration + DNS resolution + validation of the three core links, missing any step may be overturned. Below I have tested CDN5, CDN07 and 08Host three vendors as an example, dismantling the operation of multi-domain binding doorway.<\/p>\n Stage 1: Platform Configuration Key Pitfalls<\/strong><\/p>\n These parameters are the easiest to step on when adding a domain name to the CDN console:<\/p>\n Is \u201cIP\u201d or \u201cDomain\u201d selected as the source site type? If the source is a cloud server, it is highly recommended to fill in the IP address. I found that CDN07's domain name back to the source has a recursive resolution delay, and I have encountered cases where the source fails due to DNS caching. On the contrary, 08Host has optimized the domain name back to the source, which is suitable for multi-server load balancing scenarios.<\/p>\n Web applications usually use 80\/443, but some special business ports need to be filled in manually. Last year, a game customer set CDN after the player can not connect, is because I forgot to fill in the UDP 27015 port.<\/p>\n HTTPS certificate binding is a chain pit. If you choose \u201cforce jump to HTTPS\u201d, you must upload the certificate first, CDN5\u201cs certificate management interface is deeply hidden, you have to click \u201dSecurity Configuration\u201c - \u201dCertificate Management\" to upload the PEM file first, and then come back to check the \"Force Jump to HTTPS\" box. You have to click \"Security Configuration\"-\"Certificate Management\" to upload the PEM file, and then come back to check the \"Force Jump\" box. I've seen some people stuck in this step for three hours, so angry that they directly sprayed customer service work orders.<\/p>\n Multi-domain binding has a lazy trick: CDN5 supports batch import of domain names, separated by commas on the line. But note that each domain name should be configured independently of the source site, do not expect batch operation can be inherited settings - I once a breath of import 50 domain names, the results of all pointing to the same test server, and almost caused a production accident.<\/p>\n Stage 2: The tawdry operation of DNS resolution<\/strong><\/p>\n After the platform configuration will give you the CNAME address, this time to go to the DNS service provider side to modify the resolution record. The point is coming:Don't be in a hurry to delete the A-record.<\/strong>! Add the CNAME record first, then delete the original record after the TTL expires. It is recommended to use the dig command to verify that the parsing is working:<\/p>\n If you see that the output contains the domain name of the CDN vendor, it means that the resolution has taken effect. 08Host's CNAME suffix is .cdn08.net, and CDN5 uses .cdn5gb.com, so don't get confused.<\/p>\n What to do when you have multiple subdomains to bind? Save time and effort with wildcard resolution. Add a CNAME record of *.cdn.youdomain.com to DNS, and you can point all the sub-domains to the CDN. However, CDN07 charges extra for wildcard domain names, which is a bit pitiful.<\/p>\n Stage III: Validation of the ultimate means of entry into force<\/strong><\/p>\n It doesn't work right after configuration, I have a validation combo:<\/p>\n First check the HTTP header with curl:<\/p>\n Look for the CDN vendor's logo in the return header (e.g. X-CDN: CDN5). If you see the Server header exposed by the source IP, hurry up and check the configuration.<\/p>\n Secondly, the global Ping tool is used to detect the node coverage. 08Host's Asian nodes have excellent latency performance, but the European and American nodes are occasionally pumped. CDN5's Anycast network has more stable global latency, which is suitable for internationalized business.<\/p>\n Finally, you must do real traffic testing! In the CDN console to open real-time monitoring, their own pressure test tool to simulate the request, to observe whether the traffic hit the protection node. I have seen the most outrageous situation is: everything is configured normally, but because of the DNS local cache, the test traffic did not go to the CDN.<\/p>\n A high-level play on multidomain binding<\/strong><\/p>\n For large projects, it is recommended to use the API to manage domain names in bulk. both CDN5 and 08Host provide a complete REST API, and you can write a script in Python to automate the deployment:<\/p>\n Weight distribution is also practical skills. For example, the official website traffic is divided into CDN5, video distribution with 08Host, API interface go CDN07. through the weight resolution function of DNS, you can realize traffic diversion and failover.<\/p>\n A summary of the lessons learned through blood and tears<\/strong><\/p>\n Finally, a few words: after the domain name binding must regularly check the validity of the certificate! Set up a calendar to remind the renewal 30 days in advance; do not leak the source station IP in the CDN console, some vendors of the \u201ctest back to the source\u201d function will expose the IP address; encountered an attack on the temporary addition of the domain name to be cautious, I once shook my hand to protect the domain name deleted by mistake, resulting in 10 minutes to be hit into a black hole.<\/p>\n High-defense CDN is not a silver bullet, and binding a domain name is only the first step in a long journey. The real protection effect depends on the rule configuration, traffic cleaning strategy and operation and maintenance response speed. It is recommended that novices first use 08Host's free package to practice, familiar with the production environment. After all--<\/p>\n Configure it wrong and the money is all for nothing.<\/strong><\/p>","protected":false},"excerpt":{"rendered":" Recently to help friends deal with the website was DDoS hanging problems, found an interesting phenomenon: many people spend a lot of money to buy a high-defense CDN, but because of the domain name binding configuration is not appropriate, either the traffic did not go to accelerate the node, or the firewall did not take effect. The most outrageous is an e-commerce station, set of CDN, but the source station IP directly exposed, attackers bypass the protection directly to the server paralyzed - these days, even the CDN have to \u201cdefense teammates\u201d. In fact, high defense CDN domain name binding is not so mysterious, but the details determine life and death. I have handled the case, 10 configuration problems 7 out of 10 in the domain name binding link. Don't look at the vendor console fancy, the core logic of the steps, understand once you can eat all the vendors. First pour pots of cold water: do not think that the CDN vendors fill in a domain name on the end of the matter!<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"gallery","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"categories":[150],"tags":[],"collection":[],"class_list":["post-981","post","type-post","status-publish","format-gallery","hentry","category-updates","post_format-post-format-gallery"],"_links":{"self":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/981","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/comments?post=981"}],"version-history":[{"count":1,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/981\/revisions"}],"predecessor-version":[{"id":1144,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/981\/revisions\/1144"}],"wp:attachment":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/media?parent=981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/categories?post=981"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/tags?post=981"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/collection?post=981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}