Skip to content

CDN and protection

WebShield CDN and protection layer are enabled by proxying DNS records. When a record is proxied, user traffic goes through WebShield instead of going directly to your origin server.

Proxying is available only for:

  • A
  • AAAA
  • CNAME

Proxying is not available for MX, TXT, SRV, CAA, and other service records.

  1. Open DNS.
  2. Find an A, AAAA, or CNAME record for the required host.
  3. Enable the Proxy switch.
  4. Open proxy parameters for this record and configure traffic behavior.

After proxying is enabled, requests to this hostname pass through WebShield CDN, WAF, and filtering mechanisms.

The proxy parameters page includes:

  • Host mode: Proxy - requests are proxied to the origin server with WAF protection.
  • Host mode: Redirect to another host - instead of proxying, visitors receive a 301 redirect to the specified host with the path and query string preserved.
  • SSL required - require HTTPS for the protected host.
  • Redirect HTTP to HTTPS - redirect HTTP requests to HTTPS.
  • Bot protection: Off - do not run an additional browser check.
  • Bot protection: Browser - enable browser check for suspicious clients.
  • Bot protection: Captcha - enable CAPTCHA verification. This mode is mutually exclusive with Browser.
  • HTTP/2 - enable HTTP/2 for client connections.
  • HTTP/3 - enable HTTP/3 for client connections.

If your main site lives on the apex (for example, a static site on example.com) and www.example.com should lead to it, there is nothing to proxy for www - it has no origin server. Configure a redirect instead:

  1. Open DNS and enable Proxy for the www record (this routes traffic to WebShield).
  2. Open the proxy parameters for the www record.
  3. Choose the Redirect to another host mode and set the target host, e.g. example.com.
  4. Save the parameters.

Visitors of www.example.com will receive a 301 redirect to example.com with the original path and query preserved. The certificate for www is issued automatically.

Exclusions are entered line by line. Add only required service paths, and do not exclude areas that handle user data, authentication, or administrative functions.

Rules:

  • up to 50 exclusions;
  • each exclusion must start with /;
  • root / is not allowed;
  • .. is not allowed;
  • maximum length is 200 characters per exclusion;
  • allowed characters: letters, digits, /, _, ., -, *;
  • * is used as a mask at the end of a segment.

The current WebShield CDN works as a reverse proxy in front of your website. The DNS record points to WebShield infrastructure; WebShield accepts the request, applies protection checks, and forwards allowed traffic to the origin defined by the record or configuration.

Statistics show traffic from users to WebShield separately from traffic between WebShield and the backend. This helps estimate CDN impact and origin load.