Daily interview 1 question - how to prevent CDN protection from being bypassed

When the attacker finds that the target site exists CDN When protecting , Will try to find the real site by IP, To bypass the CDN protective .
Let's take a look at a common high availability architecture based on public cloud , as follows ：
CDN（ Entrance level ）->WAF（ Application layer protection ）-> SLB（ Load layer ）-> ECS（ Origin station ） -> RDS（ database ）
That is, the corresponding relationship is ： domain name cname CDN,CDN—>WAF,WAF—> SLB,SLB—> ECS.

SLB：Server Load Balancer Load balancing between network servers
When a client initiates a connection to a virtual server , Through some kind of load balancing algorithm , Forward to a real server .

Let's focus on CDN—>WAF—>SLB—>ECS The relationship between these layers of services .
hypothesis , The attacker knows SLB The real IP Address , You can go directly to SLB Of ip Address , So as to easily bypass CDN+WAF Safety protection of .
How to prevent CDN Being bypassed ？
Here's a CDN Protective techniques , adopt Middleware configuration only allows domain name access , prohibit ip visit .
In this way , All direct access sites are real IP All requests will be rejected , Any user can only access the site through the domain name , Through a pre-set network link , from DNS–>CDN–>waf protective –> Origin station , All access requests must go through WAF testing .
Even if the attacker finds the truth IP Address , Modify local hosts file , Force domain name and IP analysis , Can't access the target site .
Nginx Reference configuration ：

# Add one server, In the original server Binding domain name in 
server {
    
listen 80 default;
server_name _;
return 403;
}
server {
    
listen 80;
server_name www.demo.com;
.........

Apache Reference configuration ：

# stay httpd.conf Add at the back 
<VirtualHost  Fill in here IP>
ServerName  Fill in here IP
<Location />
Order Allow,Deny
Deny from all
</Location>
</VirtualHost>
<VirtualHost  Fill in here IP>
DocumentRoot /var/www/html
ServerName  Fill in the domain name here 
</VirtualHost>