For HTTPS application layer protection, ADS establishes a TLS connection with a client in replace of the server, and then authenticates the client through the application-layer protocol HTTP. If the client properly responds to the HTTP packet from ADS, ADS deems this client reliable and will add it to the trust list so that it can directly communicate with the server.
In V4.5R90F03, the application-layer HTTPS protection function also supports HTTP/2 so that users can choose to use HTTP or HTTP/2 for client authentication. Also, the protocol can be determined through negotiations between ADS and the client. Meanwhile, when HTTP/2 authentication is used, ADS authenticates the client’s communications according to RFC7540 specifics and identifies and blocks noncompliant communications.
Click Policy > Anti-DDoS > Protection Groups > Protection Policy > HTTPS Protection Policy.
Click Add Rules, select the HTTP2 algorithm to enable the HTTP2 protection function, and click OK to save the configuration.
If HTTP2 RFC authentication is selected, the system will authenticate HTTP/2 communications. If login failures for an individual source IP address reach the specified threshold, the system will take the action as specified in the HTTP2 RFC authentication rule.
- HTTP2 RFC authentication works only for rules with the HTTP/2 protection algorithm enabled.
- A rule can have both the HTTP and HTTP/2 algorithms enabled. If a rule has both HTTP and HTTP/2 protection algorithms enabled, the actual application-layer protocol is determined through negotiations between ADS and the client. During protection, HTTP/2 algorithms come before HTTP algorithms.