Configuring HTTP client verification
Configure HTTP client verification on the interface that is connected to the external network. HTTP client verification protects internal HTTP servers against HTTP flood attacks.
IP addresses protected by HTTP client verification can be manually added or automatically learned:
- You can manually add protected IP addresses. The device performs client verification when it receives the first HTTP GET packet destined for a protected IP address.
- HTTP client verification can automatically add victims' IP addresses to the protected IP list when it works together with HTTP flood attack detection. Make sure client-verify is specified as the HTTP flood attack prevention action. For more information, see "Configuring an HTTP flood attack defense policy."

If an HTTP client is verified as legitimate, the device adds the client's IP address to the trusted IP list. The device directly forwards HTTP packets from trusted IP addresses.
HTTP client verification can be used alone or together with an HTTP flood attack defense policy.
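The following model of the protected and trusted IP lists is an added illustration, not device code or vendor code. It assumes the verification outcome is supplied by the caller (the page does not describe the verification method), that a client that fails verification simply stays untrusted, and it ignores ports and VPN instances; all class and function names and the sample addresses are hypothetical.

```python
from ipaddress import ip_address


class HttpClientVerifier:
    """Toy model of the protected/trusted IP lists (assumed names, not device code)."""

    def __init__(self, protected=()):
        # Manually added protected destinations (step 2 of the procedure).
        self.protected = {ip_address(ip) for ip in protected}
        self.trusted = set()  # clients that passed verification

    def on_flood_detected(self, victim_ip, action):
        # Victims are auto-learned only when the flood policy action is client-verify.
        if action == "client-verify":
            self.protected.add(ip_address(victim_ip))

    def handle_http(self, src, dst):
        """Return 'forward' or 'verify' for one HTTP packet."""
        src, dst = ip_address(src), ip_address(dst)
        if src in self.trusted:
            return "forward"  # trusted clients are forwarded directly
        if dst in self.protected:
            return "verify"   # request to a protected IP triggers verification
        return "forward"      # destination is not protected by this feature

    def record_result(self, src, legitimate):
        # Only clients verified as legitimate join the trusted list.
        # Assumption: a failed client just remains untrusted.
        if legitimate:
            self.trusted.add(ip_address(src))


def demo():
    # Constructed sample addresses from documentation ranges.
    v = HttpClientVerifier(protected=["192.0.2.10"])
    out = [v.handle_http("198.51.100.7", "192.0.2.10")]      # first GET
    v.record_result("198.51.100.7", legitimate=True)
    out.append(v.handle_http("198.51.100.7", "192.0.2.10"))  # now trusted
    out.append(v.handle_http("203.0.113.9", "192.0.2.20"))   # unprotected server
    v.on_flood_detected("192.0.2.20", action="client-verify")
    out.append(v.handle_http("203.0.113.9", "192.0.2.20"))   # victim auto-learned
    v.record_result("203.0.113.9", legitimate=False)
    out.append(v.handle_http("203.0.113.9", "192.0.2.20"))   # still untrusted
    return out


if __name__ == "__main__":
    print(demo())
```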
To configure HTTP client verification:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Specify an IP address to be protected by the HTTP client verification feature. | client-verify http protected { ip destination-ip-address \| ipv6 destination-ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ] | By default, the HTTP client verification feature does not protect any IP address. |
3. Enter interface view. | interface interface-type interface-number | N/A |
4. Enable HTTP client verification. | client-verify http enable | By default, HTTP client verification is disabled. |