Proxy Servers and Upstream
When a client accesses a website, DNS is used to resolve the domain name into the IP address of the corresponding web server. The client then connects directly to that server to request content.
Because domain names are publicly accessible, anyone can reach the web server simply by entering the domain name into a browser. Attackers can take advantage of this, often leveraging compromised devices to target the server directly. To protect against this, the first step is to introduce a proxy—an intermediary server that receives traffic on behalf of the web server and helps shield it from direct access.
With a proxy in place, DNS no longer points to the web server itself, but to the proxy. The proxy then forwards legitimate traffic to the protected server while filtering or mitigating malicious requests.
Proxy Security Requirements
For the proxy to function correctly and provide effective protection, the following conditions must be met:
- Only the proxy knows the web server IP address. When setting up WEDOS.protection, DNS records are updated to replace the web server’s IP addresses with the proxy’s IP addresses. This removes the most visible public reference to the origin server.
- The web server only accepts traffic from the proxy. The web server should be configured to allow incoming connections only from IP addresses belonging to the Anycast proxy network. This prevents attackers from bypassing the proxy and accessing the server directly.
Upstream Configuration
In WEDOS.protection, the upstream refers to the target web server IP addresses configured on the proxy. During setup, the system performs an automatic check and suggests upstream IPs for the main domain and commonly used subdomains.
- IPv4 and IPv6. For optimal performance and reliability, DNS record types should match the IP versions supported by the web server. Use A records for IPv4 and AAAA records for IPv6. If the web server only supports IPv4, both DNS and upstream configuration should contain only IPv4 addresses.
- Subdomains. By default, WEDOS.protection uses the same upstream configuration for the main domain and its subdomains. Some service plans allow separate upstream IPs for specific subdomains, such as an online store hosted on a different platform than the main website.