CDN and protection
WebShield CDN and protection layer are enabled by proxying DNS records. When a record is proxied, user traffic goes through WebShield instead of going directly to your origin server.
Records That Can Be Proxied
Section titled “Records That Can Be Proxied”Proxying is available only for:
AAAAACNAME
Proxying is not available for MX, TXT, SRV, CAA, and other service records.
Enable CDN
Section titled “Enable CDN”- Open DNS.
- Find an
A,AAAA, orCNAMErecord for the required host. - Enable the Proxy switch.
- Open proxy parameters for this record and configure traffic behavior.
After proxying is enabled, requests to this hostname pass through WebShield CDN, WAF, and filtering mechanisms.
Proxy Parameters
Section titled “Proxy Parameters”The proxy parameters page includes:
- Host mode: Proxy - requests are proxied to the origin server with WAF protection.
- Host mode: Redirect to another host - instead of proxying, visitors receive a 301 redirect to the specified host with the path and query string preserved.
- SSL required - require HTTPS for the protected host.
- Redirect HTTP to HTTPS - redirect HTTP requests to HTTPS.
- Bot protection: Off - do not run an additional browser check.
- Bot protection: Browser - enable browser check for suspicious clients.
- Bot protection: Captcha - enable CAPTCHA verification. This mode is mutually exclusive with Browser.
- HTTP/2 - enable HTTP/2 for client connections.
- HTTP/3 - enable HTTP/3 for client connections.
Redirecting www to the Apex Domain
Section titled “Redirecting www to the Apex Domain”If your main site lives on the apex (for example, a static site on example.com)
and www.example.com should lead to it, there is nothing to proxy for www - it has
no origin server. Configure a redirect instead:
- Open DNS and enable Proxy for the
wwwrecord (this routes traffic to WebShield). - Open the proxy parameters for the
wwwrecord. - Choose the Redirect to another host mode and set the target host, e.g.
example.com. - Save the parameters.
Visitors of www.example.com will receive a 301 redirect to example.com with the
original path and query preserved. The certificate for www is issued automatically.
Bot Check Exclusions
Section titled “Bot Check Exclusions”Exclusions are entered line by line. Add only required service paths, and do not exclude areas that handle user data, authentication, or administrative functions.
Rules:
- up to 50 exclusions;
- each exclusion must start with
/; - root
/is not allowed; ..is not allowed;- maximum length is 200 characters per exclusion;
- allowed characters: letters, digits,
/,_,.,-,*; *is used as a mask at the end of a segment.
How the Current CDN Works
Section titled “How the Current CDN Works”The current WebShield CDN works as a reverse proxy in front of your website. The DNS record points to WebShield infrastructure; WebShield accepts the request, applies protection checks, and forwards allowed traffic to the origin defined by the record or configuration.
Statistics show traffic from users to WebShield separately from traffic between WebShield and the backend. This helps estimate CDN impact and origin load.