How to Configure a Protection Object: IP Addresses, Load Balancing, SSL, and Caching
In the left menu, select the Protected object item.
On the page that opens, customizable parameters are presented for you to configure according to your needs or preferences:
Available IP’s
On the page that opens, you will find configurable parameters, including Available IP’s. To assign an IP address from the list of options provided to you, select it by checking the box at the beginning of the row, and then click on the Assign button. We will provide you with several IP addresses and you will be able to assign them to your domains yourself.
Assigned IP’s
You can remove IP addresses from the list of assigned ones. To do this, select the address you no longer need by checking the box at the beginning of its row, and then click on the Delete button.
Backend servers
The service provides load balancing between multiple backend servers.
A backend is your server located behind the protection system. It processes user requests that have been filtered from attacks and generates responses.
How It Works?
- Users send requests over the internet.
- The protection system intercepts and filters the traffic.
- The filtered requests are forwarded to your backend servers.
- The server processes the request and returns a response to the user.
You can also specify the protocol used to access the backend servers: HTTP (port 80) or HTTPS (port 443).
To add a backend server, click the Add Backend button and fill in the form:
- IP Address – The backend server address that will receive filtered traffic.
- Domain Port – The port where user traffic is initially received.
- Backend Port – The port where filtered traffic is forwarded (may match the domain port or differ).
- Type – Select:
- Balance – For load-balanced servers (default).
- Backup – For failover servers (used only if primary servers are unavailable).
- Weight – Determines traffic distribution (higher weight = more requests).
Example:
With three servers weighted 5, 1, and 1, out of 7 requests:
- 5 requests go to the first server,
- 1 request each to the second and third.
Toggle HTTPS to ON if using port 443.
After completing the form, click Add. You can later modify backend settings via the Settings button.
Added objects will appear in the table. Using the buttons on the right side of each row, you can modify or delete a backend server.
The edit form is identical to the backend addition form. A warning will appear when attempting to delete an enabled backend.
Click the Disable backend server button, then confirm its deletion.
WebSocket Ports
Configure settings to protect your website from DDoS attacks through WebSocket protocol vulnerabilities.
- If your site uses standard ports for the WebSocket protocol (80 and 443), no special server protection settings are required.
- If non-standard ports are used for this protocol, a special configuration is necessary by specifying these ports. If necessary, you can also configure load balancing between backend servers.
Click on the Add websocket port button. Fill out the form and then press the Add button to complete the process. If the Add websocket port button is not active, it means that the maximum number of ports has been reached.
SSL certificate
You can obtain a free SSL certificate (from Let’s Encrypt) or install your own. You can also enable or disable redirection from HTTP to HTTPS (or vice versa), which will reduce the load on the end server.
- Own Certificate
To check SSL traffic, you need to specify the public key certificate and the private key. On the screen, they will be displayed in a truncated form (to prevent copying). You also need to enter the root and intermediate CA certificates (if applicable).
If you are using your own certificate, you will need to update it yourself when it expires.
Please note: all SSL certificates must start with “BEGIN CERTIFICATE” and end with “END CERTIFICATE”. Typically, the certificate validator sends this set of files marked “For Apache/Nginx”. The private key of the domain starts with the header “BEGIN RSA PRIVATE KEY”.
Before copying the certificate into the form field, make sure that the Let’s Encrypt Certificate switch is set to OFF.
If you receive a certificate validity error message, you need to check the following:
- Verify the certificate fields (Common Name, SANs, Valid)
- Use openssl to compare the hashes of the certificate and the key
- Check the entire certificate chain to ensure it validates correctly.
- Free New Certificate
If you do not have a certificate or do not wish to enter its data into the personal account, you can activate the Let’s Encrypt Certificate option. In this case, client keys are generated and a public key certificate is issued for the protected server. The certificate and key will be re-generated and replaced automatically three days before their expiration date.
To use such a certificate, the primary “A” record of the domain, as well as its www.* record, must point to the obtained protected IP address.
The certificate will be automatically installed within a few minutes. If you receive a DNS record mismatch error, please wait a bit – the domain zone update can take from 15 minutes to several hours, depending on the previously specified TTL value in the domain’s A record and the settings of internet providers.
Cache
Thanks to caching, your website will not only be more reliable but also faster.
Caching of static content will be performed in the RAM of caching servers at StormWall scrubbing centers, which significantly reduces the load on the end server.
You can independently set the cache lifetime and the types of files that will be subject to caching. If you need other parameters (geographical restrictions or anything else), please contact technical support.
To enable caching, select the cache lifetime and file extensions, and then set the Cache slider to the ON position.
When you press the Clear cache button, all data will be reloaded from the resources anew.
Redirects
Configure the rules for redirecting traffic between different addresses.
For example, here you can set up a redirect from “http” to “https”.
