What is the Access Link in EdgeTrans?
As shown in the diagram, the traffic access process mainly involves the following steps:
AccessOne deploys its security capabilities to all edge nodes, and user access is connected to a nearby edge node through an intelligent load balancing system.
Edge nodes parse access request packets and determine whether the access request is malicious based on the protection rules.
If it is a malicious request, the edge node handles it according to the policy configured by the client, e.g., blocking the request and returning the block response directly to the requesting client.
If it is a normal business request, the edge node performs network acceleration, caching, dynamic routing and other related processing, and finally forwards the request to the client's origin server. The origin server is invisible to the requesting client.
Why Does Uploading an HTTPS Certificate Fail?
AccessOne supports uploading clients' own HTTPS certificates. Certificate upload usually fails for one of the following reasons:
• Invalid certificate format
Currently, only PEM-format certificates can be uploaded, and an incorrect certificate format is the most common cause of upload failure. Please check the certificate format carefully before uploading again.
Example of PEM-format certificate file:
Example of private key of PEM-format certificate:
• Certificate does not match the key
Please check whether the MD5 of the modulus in the certificate file and the MD5 of the modulus in the private key file are the same. Different MD5 values indicate that the certificate file and the private key file do not match.
You can run openssl x509 -noout -modulus -in <certificate file> | openssl md5 to view the MD5 of the certificate's modulus, and openssl rsa -noout -modulus -in <private key file> | openssl md5 to view the MD5 of the private key's modulus. If the two MD5 values differ, check the certificate content and confirm that the values are consistent before uploading again.
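The check above, as an added example that is not AccessOne's own tooling: it verifies the PEM markers of both files, compares the modulus MD5 of the certificate with that of the private key, and generates its own constructed fixtures (a self-signed certificate for the hypothetical name example.cn plus an unrelated key) so that both the matching and the mismatching case can be seen. It assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not AccessOne tooling: pre-upload checks for a PEM
# certificate and its private key, following the modulus-MD5 comparison
# described in the FAQ. Requires the openssl CLI.
set -eu

# pem_is_cert FILE -> 0 if FILE carries PEM certificate BEGIN/END markers
pem_is_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q '^-----END CERTIFICATE-----' "$1"
}

# pem_is_key FILE -> 0 if FILE carries PKCS#8 or PKCS#1 RSA key markers
pem_is_key() {
    grep -Eq '^-----BEGIN (RSA )?PRIVATE KEY-----' "$1" &&
        grep -Eq '^-----END (RSA )?PRIVATE KEY-----' "$1"
}

# modulus_md5 FILE KIND -> prints the MD5 of the RSA modulus in FILE;
# KIND is "x509" for a certificate or "rsa" for a private key.
# awk keeps only the last field because "openssl md5" prints "(stdin)= <hex>"
# on newer releases and the bare hex on older ones.
modulus_md5() {
    openssl "$2" -noout -modulus -in "$1" | openssl md5 | awk '{print $NF}'
}

# cert_key_match CERT KEY -> 0 when both files share the same modulus
cert_key_match() {
    [ "$(modulus_md5 "$1" x509)" = "$(modulus_md5 "$2" rsa)" ]
}

# check_upload CERT KEY -> prints a verdict; returns 0 only when every check passes
check_upload() {
    pem_is_cert "$1" || { echo "FAIL: $1 is not a PEM certificate"; return 1; }
    pem_is_key "$2"  || { echo "FAIL: $2 is not a PEM private key"; return 1; }
    cert_key_match "$1" "$2" || { echo "FAIL: certificate and key do not match"; return 1; }
    echo "OK: $1 and $2 match, safe to upload"
}

# make_fixtures DIR: constructed demo material, a self-signed certificate with
# its key plus an unrelated key (example.cn is a hypothetical name).
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.cn' \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
    openssl genrsa -out "$1/other.pem" 2048 >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_fixtures "$d"
    check_upload "$d/cert.pem" "$d/key.pem"            # OK: ... match
    check_upload "$d/cert.pem" "$d/other.pem" || true  # FAIL: ... do not match
    rm -rf "$d"
}

command -v openssl >/dev/null 2>&1 && demo || true
```

For real uploads, call check_upload with the certificate and key you intend to upload; the modulus comparison applies to RSA keys, which is what the FAQ's command assumes, so an ECDSA certificate would need the public-key comparison (openssl x509 -pubkey against openssl pkey -pubout) instead.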
Does EdgeTrans Support Wildcard Domain Names?
• What is a wildcard domain name?
Acceleration of wildcard domain names refers to accelerating the sub-domain names that match a specified domain name according to the configured rule. This allows multiple subdomains to be managed centrally, so that secure and accelerated services are provided for the various subdomains of a website at the same time. If you configure a wildcard domain name such as *.example.cn in the AccessOne console, its second-level domain names such as assets.example.cn and images.example.cn receive EdgeTrans services.
• How Can I Add a Wildcard Domain Name?
Does EdgeTrans Decrypt HTTPS Traffic and Record Request Content?
Upload the corresponding HTTPS certificate for the website so that EdgeTrans can decrypt HTTPS traffic when it protects HTTPS services. By inspecting the decrypted traffic, EdgeTrans determines whether a request matches attack characteristics.
EdgeTrans uses the uploaded HTTPS certificate to decrypt business traffic for real-time monitoring only. Only the portion of a request message that matches attack characteristics is recorded, and it is used for report display in the AccessOne console and for attack log queries.
How Can I Check Whether a CNAME Record Takes Effect?
Windows PC client: press Windows+R, enter cmd and press Enter to open a Command Prompt window, then run nslookup <domain name> and check whether the correct CNAME record is shown in the result.
macOS or Linux client: open a terminal, run dig <domain name>, and check whether the correct CNAME record is shown in the result.
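The dig check above, as an added example that is not AccessOne's own tooling: it parses the answer section that dig prints and reports whether a CNAME record points at the expected target, ignoring letter case and the trailing dot that dig appends to fully qualified names (two differences that make a correct record look wrong to a plain string comparison). The sample answers and the CNAME target are constructed placeholders; use the CNAME value shown in the AccessOne console for your own domain. The live query function assumes dig is installed and network access is available; nslookup output on Windows has a different layout and is not parsed here.

```shell
#!/bin/sh
# Added example, not AccessOne tooling: confirm that a domain's DNS answer
# contains the expected CNAME by parsing the answer section printed by dig.
set -eu

# cname_matches EXPECTED  (dig answer lines on stdin)
# Returns 0 when any CNAME record in the answer points at EXPECTED.
# Comparison is case-insensitive and ignores the trailing dot on FQDNs.
cname_matches() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    awk -v want="$want" '
        # dig answer line: <name> <ttl> <class> <type> <rdata>
        $4 == "CNAME" {
            target = tolower($5)
            sub(/\.$/, "", target)
            if (target == want) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# check_cname DOMAIN EXPECTED -> live query; needs dig and network access
check_cname() {
    dig +noall +answer "$1" | cname_matches "$2"
}

# Constructed sample of what "dig +noall +answer www.example.cn" prints once
# the CNAME has propagated (the target is a placeholder, not a real AccessOne name).
SAMPLE_ANSWER='www.example.cn.   300   IN   CNAME   www.example.cn.accessone-cname-placeholder.net.
www.example.cn.accessone-cname-placeholder.net.   60   IN   A   203.0.113.10'

# Constructed sample of a stale answer: the old A record, no CNAME yet.
SAMPLE_STALE='www.example.cn.   300   IN   A   198.51.100.7'

if printf '%s\n' "$SAMPLE_ANSWER" | cname_matches 'WWW.example.cn.accessone-cname-placeholder.NET'; then
    echo "sample answer: CNAME in effect"
fi
if ! printf '%s\n' "$SAMPLE_STALE" | cname_matches 'www.example.cn.accessone-cname-placeholder.net'; then
    echo "stale answer: CNAME not yet in effect"
fi
```

Run check_cname www.example.cn <CNAME from the console> against a live resolver; a non-zero exit means the record has not propagated yet or points somewhere else.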
Can Multiple Domain Names Use the Same Origin Server IP Address?
Multiple domain names can use the same origin server IP address. However, if several domain names point to the same origin server IP address, consider the load processing capability of that origin server: in business scenarios with unexpected traffic spikes, the origin server may crash if only one IP address is used. It is therefore recommended that you use multiple origin server IP addresses and allocate weights based on their load processing capabilities, or configure primary/secondary policies. AccessOne offers a wide range of back-to-origin policies and allows you to customize your origin server. For example, you can specify an origin server by IP address or domain name and configure multiple origin server addresses. In multi-origin server scenarios, you can set the priorities and weights of primary and secondary origin servers to achieve load balancing. For more information about back-to-origin configuration
Can the Origin Server's Domain Name be Consistent with the Accelerated Domain Name?
The origin server's domain name cannot be the same as the EdgeTrans (accelerated) domain name. When a user requests a resource of the accelerated domain name and the edge cloud node has no cached copy, the node goes back to the origin server to fetch the content and then returns it to the user. If the origin server's domain name is the same as the accelerated domain name, the back-to-origin request resolves to the edge cloud node again, so the request loops and the edge cloud node can never fetch the correct content.
AccessOne EdgeTrans supports setting either an IP address or a domain name as the origin server. If the origin server is set as a domain name, please ensure that this domain name is not an accelerated one.
How Can EdgeTrans Defend against CC Attacks?
• What’s CC Attack?
A CC attack is a malicious network attack that sends the target server a massive number of requests exceeding its processing capacity, crippling its normal operation or service delivery.
• How can AccessOne defend against CC attacks?
CC protection intelligently identifies CC attacks based on visitors' URL, frequency, behavior, and other access characteristics, swiftly recognizing and intercepting CC attacks. This prevents origin server resource exhaustion during large-scale CC attacks, ensuring normal access to enterprise websites.
• How can CC protection policy be configured?
AccessOne EdgeTrans can defend against CC attacks and provides multiple CC protection modes, which you can choose according to your actual business conditions. Kind reminder: the CC defense policy is not applicable to API, native app, and WebSocket businesses; it is recommended to configure exceptions for the relevant matching conditions in the Protection Rules.
• How can you view the IP address of CC attackers?
It is recommended that you enter the AccessOne console, click Data Analysis under Log and Data Analysis, and then click Domain Name Security Protection Analysis.
How Long Can the Configuration Be Completed after the Domain Name Protection Configuration Be Changed in the AccessOne Console?
After you submit configuration changes in the console, the system applies them automatically, and the entire process completes within 10 minutes. While the configuration is being issued, the domain name status is In Configuration.
Does It Support Accessing Websocket?
AccessOne supports WebSocket acceleration, and it can accelerate WebSocket and HTTP/HTTPS at the same time: the same domain name can serve both HTTP/HTTPS and WebSocket, so you do not need to split the domain name.
The edge node automatically recognizes the protocol the client uses to communicate with it and switches protocols accordingly. WebSocket applications are mostly dynamic, highly real-time businesses; the dynamic detection and routing capability of ICDN selects the fastest back-to-origin path for WebSocket applications, improving access for WebSocket businesses.
Will Requests on Unconfigured Ports of Websites Connected to Protection Be Forwarded to the Origin, Posing a Security Risk to the Origin Server?
EdgeTrans provides external traffic access and forwarding services; the service cluster opens ports for your website's access and protection services based on the HTTP/HTTPS ports configured when the website was connected.
For websites connected to protection services, the service cluster does not forward traffic to the origin server on HTTP/HTTPS ports that were not configured during access, so no security risk or threat is posed to the origin server.
What Is the Permanent Mode of CC Attack Protection?
Under normal conditions, we usually set the CC protection policy to threshold mode. However, if you find threshold mode cannot intercept CC attacks or are experiencing massive CC attacks, you can enable CC permanent mode.
Permanent mode of CC protection means that every access request undergoes the corresponding protection check according to its request method. Permanent mode intercepts CC attacks efficiently, but it may lead to more false interceptions.
How Can You Handle Long Connection Request Timeout?
If the origin server responds slowly for some reason and does not return content to the edge node before the edge security protection node's back-to-origin timeout expires, a 504 error is returned.
In this case, first investigate whether the origin server has hit a CPU or bandwidth bottleneck. Then examine the logic the origin server uses to process requests and see whether its processing speed can be optimized. If it is confirmed that the origin server's response speed cannot be optimized further, you can alleviate the problem by adjusting the protection node's default back-to-origin timeout duration.
What Should You Do in the Case of Abnormal Access to the Android Client or Mini-program?
If some clients access the site abnormally after the domain name is connected to AccessOne, for example the page is blank or mini-program access fails in the Android version of WeChat while access from a PC browser is normal, investigate as follows:
• Check whether the HTTPS certificate has a problem
Check whether the domain name is accessed over HTTPS. If so, check whether the HTTPS certificate is valid, and update it promptly when it expires. Also check whether the certificate chain is complete; if it is incomplete, upload the certificate with the complete chain again.
• Judge whether the request is intercepted by the WAF
If the request returns a 403 status code, it may have been intercepted by the WAF protection engine. In the AccessOne console, view the detailed attack information of each intercepted request through Log and Data Analysis > Data Analysis > Domain Name Security Protection Analysis, and determine the reason for the interception from the logs. If it is confirmed to be a false interception, add the corresponding trustlist rule to allow the request.
What Should You Do If the Client Is Not Compatible with SNI and Causes Abnormal Access?
SNI (Server Name Indication) is designed to support multiple certificates and domain names on the same origin server. As an extension of the SSL/TLS protocols, it allows a server to present multiple certificates on the same IP address and TCP port, which enables multiple HTTPS websites to share the same origin IP address and port. If you encounter abnormal client HTTPS access after connecting to EdgeTrans, it may be because some client versions do not support SNI. When a browser or client that does not support SNI accesses an EdgeTrans website, the EdgeTrans protection node cannot identify which domain name the client is requesting, so it cannot obtain the certificate corresponding to that domain name to communicate with the client. As a result, the browser shows a Server Certificate Untrustworthy prompt.
In practice, only some older PC browsers and Android clients do not support SNI. If the client does not support the SNI extension, the following methods are recommended:
• Update the client version or use a newer browser, such as Chrome or Firefox.
• In third-party program callback scenarios, if the third-party client does not support SNI, allow it to request the origin server's IP address directly, bypassing EdgeTrans.
What's the QPS Cap Supported by CC Protection?
The CC protection capability provided by AccessOne does not set a QPS cap.