Documentation

Domain Management

Add, configure, verify, pause, and remove domains. Each domain gets independent protection settings and full control over your CloShield deployment.

1. Adding a Domain

To add a new domain to CloShield:

  • Navigate to DomainsAdd Domain in your dashboard
  • Enter the domain name (e.g. example.com or api.example.com)
  • Enter the backend origin: either an IP with port (e.g. 203.0.113.10:443) or a full URL
  • Select the initial protection level: Easy, Medium, or Hard

The system generates a verification token and provides DNS instructions. Each domain receives independent settings, so you can tune protection per domain without affecting others.

2. DNS Verification

Two DNS records are required for verification:

  • A record — Point your domain (or subdomain) to CloShield's edge IP
  • TXT record — Add _closhield.yourdomain.com with your verification token

Verification checks DNS propagation via public resolvers. DNS changes can take up to 5 minutes to propagate globally. If you have connected a Cloudflare API token in Settings, CloShield can perform automatic verification.

Tip: Enable the Cloudflare proxy (orange cloud) on the A record for full L3/L4 protection.

Example DNS records:

# A record - point to CloShield edge
example.com     A      104.21.x.x

# TXT record - domain verification
_closhield.example.com     TXT     "your-verification-token"

3. Domain Settings

Once verified, you can configure the following per domain:

Protection Level

Easy, Medium, or Hard — Adjustable anytime. Higher levels apply stricter challenge thresholds and more aggressive rate limiting.

Backend Origin

Update the IP or port of your origin server without re-verification. Changes take effect immediately.

IP Whitelist

IP addresses that bypass all challenges and rate limits. Useful for monitoring tools, CI/CD pipelines, or trusted partners.

IP Blacklist

IP addresses that are always blocked. Requests from blacklisted IPs receive an immediate deny response.

Country Blocking

Block entire countries by ISO code (e.g. RU, CN). Useful when you do not serve traffic from certain regions.

ASN Blocking

Block by autonomous system number (ASN). Target specific ISPs or hosting providers known for abusive traffic.

4. Multiple Backend Origins

Available on the Business plan. Add multiple backend origins with health check URLs for high availability and load distribution.

  • Health check URLs — Each origin can have a URL that CloShield polls to verify availability
  • Routing strategies — Choose round-robin or weighted distribution
  • Sticky sessions — Uses the client IP (via Cf-Connecting-Ip header) to pin users to the same origin for 5 minutes
  • Automatic failover — After 2 consecutive health check failures, traffic is routed to healthy origins. Fail-open mode (default) falls back to unhealthy backends rather than returning 503
  • Health check interval — Configurable (default 15 seconds), checks for 2xx/3xx response
# Example: Two origins with round-robin
Origin 1: 203.0.113.10:443  (health: https://example.com/health)
Origin 2: 203.0.113.11:443  (health: https://example.com/health)
Strategy: round-robin
Interval: 30s

5. Pausing and Resuming Protection

Pause — Traffic passes directly to your origin, bypassing CloShield. All protection settings are temporarily disabled. Useful for debugging, maintenance windows, or when you need to isolate issues.

Resume — Re-activates all protection settings. Traffic flows through CloShield's edge again with full DDoS mitigation and firewall rules applied.

6. Removing a Domain

Two removal options are available:

  • Soft-delete — The domain is marked inactive. DNS records remain in place. You can restore the domain later if needed.
  • Full removal — The domain and all associated data (logs, rules, settings) are purged permanently. This cannot be undone.

Before removing a domain, update your DNS to point back to your origin server. Otherwise, traffic will fail to reach your backend once the domain is removed from CloShield.