FAQs about Security
Answer: In fact, the security and stability of the website are improved after a CDN is put in front of it, for the reasons shown below:
- When the CDN service is used, users visiting the website obtain the IP address of a CDN acceleration node; the real IP address of the origin server is not exposed on the public network, which reduces the possibility of it being attacked.
- The CDN has server backup and bandwidth backup between nodes. Even if a node fails, access is automatically redirected to another healthy node, so the acceleration service is not interrupted.
- The CDN has a traffic balancing system, which keeps the service from being interrupted by network congestion even during peak access.
The 504 error indicates a request timeout and is usually returned by the origin server. Check whether the load, memory and network of the origin server remain normal. At the same time, check the origin server log to see whether there is a 504 request record. Check whether the origin website certificate or the CDN certificate has expired or does not match. If you have any questions, submit a CDN ticket.
Answer: You can defend against CC attacks by setting the single-IP access frequency limit.
Answer: You can apply QPS protection to the website by setting the IP access frequency limit.
The CDN can limit the number of accesses per IP through Console – CDN – Domain name management – click the corresponding domain name – click access control modification – IP access frequency limit. By limiting the number of accesses per second from a single IP to a node, it can defend against some CC attacks, but it may also affect normal access to the website, so set it reasonably. Baidu AI Cloud CDN does not commit to any DDoS defense traffic; if an attack affects the CDN products, the traffic is blocked at the CDN. In the case of web attacks, it is recommended that you use cdnwaf for defense. For details, refer to Application Security Protection.
Answer: It is determined by your configuration. If you have not enabled the HTTPS configuration and the user accesses through the HTTP protocol, the whole path is unencrypted; if you enable HTTPS on the CDN but fetch from the origin server through the HTTP protocol, the path is half-encrypted (encrypted only between the user and the CDN node); if you enable both the HTTPS configuration and HTTPS origin fetch, the whole path is encrypted.
The CDN can resist some CC attacks by limiting the number of accesses per second from a single IP to a node, which may affect normal access to the website, so set it reasonably. Baidu AI Cloud CDN does not commit to any DDoS defense traffic; if an attack affects the CDN products, the traffic is blocked at the CDN. If it is a web attack, it is recommended that you combine the CDN with cdnwaf to defend against the attack. For more information, refer to CDN WAF.
The CDN log records the status of every access. An IP access blocked by the blacklist consumes only a little traffic, because the request receives nothing but a 403 status code. Therefore, it is normal for 403 status codes to appear in the log.
If you believe your business access volume should not be that large, you can download the log and configure access control according to your actual business access. The CDN does not know your business logic, so access is not restricted by default; you need to configure it according to your business conditions. For details, refer to Log Download.
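As an added example (not Baidu AI Cloud's code), the script below shows the kind of analysis you would run on a downloaded log before configuring access control: it finds the peak per-second request rate of each client IP, counts the 403 responses that the blacklist already produced, and lists which IPs would trip a given frequency limit. The log format is constructed for this example (`<timestamp> <client IP> <status> <bytes> <referer>`) and is not the CDN's real log format; the IP addresses are documentation ranges.

```python
# Added example: analyse a downloaded CDN access log to pick per-IP access-control
# settings. Log format and contents are constructed for this example and do not
# reproduce Baidu AI Cloud's actual log layout.
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 200 5120 https://www.example.com/
2024-01-01T10:00:00 203.0.113.5 200 4096 https://www.example.com/
2024-01-01T10:00:00 203.0.113.5 200 4096 -
2024-01-01T10:00:00 203.0.113.5 200 4096 -
2024-01-01T10:00:00 203.0.113.5 200 4096 -
2024-01-01T10:00:00 203.0.113.5 200 4096 -
2024-01-01T10:00:01 198.51.100.7 200 8192 https://www.example.com/index.html
2024-01-01T10:00:02 198.51.100.7 200 8192 https://www.example.com/index.html
2024-01-01T10:00:02 192.0.2.9 403 0 -
2024-01-01T10:00:03 192.0.2.9 403 0 -
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, status, size, referer = parts
        try:
            records.append({"ts": ts, "ip": ip, "status": int(status),
                            "bytes": int(size), "referer": referer})
        except ValueError:
            continue
    return records


def peak_qps_per_ip(records):
    """Highest number of requests each IP made within any single second."""
    per_second = defaultdict(Counter)  # ip -> Counter(second -> request count)
    for r in records:
        per_second[r["ip"]][r["ts"]] += 1
    return {ip: max(c.values()) for ip, c in per_second.items()}


def requests_by_status(records, status):
    """Requests per IP that received the given status (403 = blocked by blacklist)."""
    return Counter(r["ip"] for r in records if r["status"] == status)


def ips_above_limit(records, qps_limit):
    """IPs whose observed peak rate would exceed a frequency limit of qps_limit req/s."""
    return sorted(ip for ip, qps in peak_qps_per_ip(records).items() if qps > qps_limit)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, qps in sorted(peak_qps_per_ip(recs).items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} peak {qps} req/s")
    print("403 (blacklisted) requests per IP:", dict(requests_by_status(recs, 403)))
    print("would exceed a limit of 5 req/s:", ips_above_limit(recs, 5))
```

Run it over a real downloaded log after adapting `parse_log` to the actual column layout; the peak-per-second figures of your legitimate users are the data you need to choose a frequency limit that does not cut off normal high-frequency visitors.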
To prevent your website traffic from being stolen and to protect against CC or DDoS attacks, it is strongly recommended that you perform the following configuration:
- Set the Referer black/white list: Control the access source of business resources. The access control policy checks the value of the Referer field in the user's HTTP request header to limit the access source and prevent malicious users from hotlinking your content. For more information, refer to Set Referer Blacklist and Whitelist.
- Set the IP blacklist and whitelist: You can configure a filtering policy for the source IP of user requests according to your business needs, to deal with problems such as malicious IP theft and attacks. For more information, refer to Set IP Blacklist and Whitelist.
- Set the IP access frequency limit: By limiting the number of accesses per second from a client IP to each node, it defends against CC attacks. After the configuration is enabled, the node directly returns "Error 514" when a request exceeds the QPS limit. A low frequency limit may affect your normal high-frequency users, so set the threshold reasonably according to your business conditions and application scenario. For more information, refer to Set IP Access Frequency Limit.
- Set the bandwidth threshold: You can set a bandwidth cap for the domain name. When the bandwidth generated by the domain name in a statistical period (5 minutes) exceeds the specified threshold, the CDN automatically switches access back to the origin server or directly disables the CDN service to protect your domain name; in the latter case a 404 error is returned for all accesses. For details, see Bandwidth Threshold Setting.
- Set the monitoring alarm: You can set alarm rules such as bandwidth, traffic and request-count thresholds directly in the Cloud Monitoring console. When an alarm rule is triggered, Cloud Monitoring sends you an alarm message through the notification method you set, such as SMS or email. For details, refer to Set Alarm Policy.
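As an added example (not Baidu AI Cloud's code), the class below models how the first three controls above fit together on a single node: the IP blacklist/whitelist and the Referer blacklist/whitelist answer 403, and the per-IP frequency limit answers 514 once an IP exceeds the configured number of requests within one second on that node. The rule values, the `AccessControl` class and the `check` method are constructed for the example; the real console settings are described in the linked documents.

```python
# Added example: a model of CDN access control on one node, evaluated in the
# order IP list -> Referer list -> per-IP frequency limit. Class, method names
# and rule values are constructed for this example, not Baidu AI Cloud's API.
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse


class AccessControl:
    def __init__(self, ip_blacklist=(), ip_whitelist=(), referer_blacklist=(),
                 referer_whitelist=(), allow_empty_referer=True, qps_limit=None):
        # CIDR ranges are parsed once; a whitelist, if given, takes precedence
        # over the blacklist (only listed ranges may pass).
        self.ip_blacklist = [ipaddress.ip_network(n) for n in ip_blacklist]
        self.ip_whitelist = [ipaddress.ip_network(n) for n in ip_whitelist]
        self.referer_blacklist = set(referer_blacklist)
        self.referer_whitelist = set(referer_whitelist)
        self.allow_empty_referer = allow_empty_referer
        self.qps_limit = qps_limit
        # Requests seen on this node per (client IP, second). A real CDN counts
        # per node, so the limit a client actually sees is per node, not global.
        self._hits = defaultdict(int)

    def _ip_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        if self.ip_whitelist:
            return any(addr in net for net in self.ip_whitelist)
        return not any(addr in net for net in self.ip_blacklist)

    def _referer_allowed(self, referer):
        # An empty Referer (direct visit, privacy-stripped header) is a policy
        # choice: hotlink protection usually allows it, strict policies reject it.
        if not referer:
            return self.allow_empty_referer
        host = urlparse(referer).hostname or ""
        if self.referer_whitelist:
            return host in self.referer_whitelist
        return host not in self.referer_blacklist

    def check(self, ip, referer, second):
        """Return the status the node would answer: 200, 403 or 514."""
        if not self._ip_allowed(ip):
            return 403
        if not self._referer_allowed(referer):
            return 403
        if self.qps_limit is not None:
            key = (ip, second)
            self._hits[key] += 1
            if self._hits[key] > self.qps_limit:
                return 514  # frequency limit exceeded on this node
        return 200


if __name__ == "__main__":
    ac = AccessControl(ip_blacklist=["192.0.2.0/24"],
                       referer_blacklist=["hotlink.example"], qps_limit=5)
    print("blacklisted IP:", ac.check("192.0.2.9", "", 0))
    print("blacklisted referer:", ac.check("198.51.100.7", "https://hotlink.example/p", 0))
    burst = [ac.check("203.0.113.5", "https://www.example.com/", 0) for _ in range(6)]
    print("six requests in one second:", burst)
```

The burst case is the one to study before enabling the limit: the sixth request in the same second from the same IP gets 514 while the first five pass, and the counter resets in the next second. A legitimate page that loads many assets in parallel can look exactly like that burst, which is why the threshold should be chosen from the observed peaks of real users.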