Integrating 1C-Bitrix with DDoS-Guard

Our company is engaged in the development, support and maintenance of Bitrix and Bitrix24 solutions of any complexity. From simple one-page sites to complex online stores, CRM systems with 1C and telephony integration. The experience of developers is confirmed by certificates from the vendor.

8+Years of workmore info 900+Completed projectsmore info 100+In house employeesmore info 19+Partnersmore info

Showing 1 of 1 servicesAll 1626 services

Medium

~1-2 weeks

FAQ

Our competencies:

Free consultation

Book a free consultation if you have any questions. A dedicated specialist will advise you.

Cost calculation

If you know what exactly you need to develop, or you already have a ready-made technical task.

Development stages

Latest works

B2B ADVANCE company website development
1177
Website development for FIXPER company
811
Development based on Bitrix, Bitrix24, 1C for the company Development of an Online Appointment Booking Widget for a Medical Center
564
Development based on 1C Enterprise for MIRSANBEL
747
Website development on CRM Bitrix24 for DOLBIMBY
655
Development based on Bitrix24 for the company TECHNOTORGKOMPLEKS
976

Show more works

Integration of 1C-Bitrix with DDoS-Guard

DDoS-Guard is CDN and anti-DDoS service popular in CIS due to Moscow servers and reasonable price. Like any reverse proxy it breaks Bitrix standard behavior: IP addresses, SSL termination, security and statistic module operation. Difference from Cloudflare — in details: different header for real IP, different IP ranges, different caching logic. Let's cover specifics.

Determining real client IP

DDoS-Guard passes client IP in X-Forwarded-For header. Unlike Cloudflare (which sends CF-Connecting-IP — one IP), X-Forwarded-For may contain chain: client, proxy1, proxy2. Real IP is first in list.

In /bitrix/php_interface/dbconn.php add before core load:

if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ips = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
    $_SERVER['REMOTE_ADDR'] = $ips[0];
}

Spoofing issue: X-Forwarded-For header can be faked if server accepts connections bypassing DDoS-Guard. Must close direct server access — only DDoS-Guard IP ranges in firewall. Current ranges published in DDoS-Guard docs and via DNS query to _origin.ddos-guard.net.

SSL and redirects

DDoS-Guard terminates SSL on its side and may connect to origin server over HTTP (Flexible SSL mode) or HTTPS (Full SSL mode).

With Flexible SSL Bitrix doesn't know client came via HTTPS. Header X-Forwarded-Proto: https is sent by DDoS-Guard but Bitrix doesn't check it by default. Add to dbconn.php:

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

Without this: infinite redirect loop if "Redirect to HTTPS" enabled in admin, mixed content on pages, forms submit over HTTP.

Caching: differences from Cloudflare

DDoS-Guard automatically caches static files (JS, CSS, images). HTML not cached by default — unlike Cloudflare where you must explicitly disable PHP cache.

This simplifies integration: Bitrix composite cache works normally, no double caching occurs. But there's a nuance — DDoS-Guard caches static aggressively and after JS/CSS updates users may get old versions.

Solutions:

File versioning — Bitrix adds ?v=timestamp to connected files automatically if using \Bitrix\Main\Page\Asset. Check custom templates do same.
Purge cache via DDoS-Guard API — after deploy call API to clear cache for specific resources or whole domain.

Proactive protection and Web Application Firewall

DDoS-Guard filters L3/L4 attacks (SYN-flood, UDP-flood) and some L7 attacks (HTTP-flood). But DDoS-Guard WAF rules less granular than Cloudflare. Bitrix proactive filter remains important line.

Typical issue: DDoS-Guard during strong attack enables JavaScript Challenge — check page filtering out bots. If site is called by 1С (data exchange over HTTP) or payment system (callback) — they won't pass JS Challenge. Exclude 1С server and payment gateway IPs from check via DDoS-Guard settings ("IP whitelist").

Statistics module and geolocation

Module statistic determines geolocation by IP. If REMOTE_ADDR not redefined — all visitors geolocked to DDoS-Guard IP (Moscow or Rostov-on-Don). After proper header configuration geolocation works normally.

Module sale uses geolocation to auto-determine delivery city. Without IP fix dealer from Brest will see "Moscow" in city field at checkout.

Monitoring and debugging

After connecting DDoS-Guard add checks:

Check	How to do
Real IP in logs	In `access.log` Apache/Nginx should have client IP not DDoS-Guard. Configure `RemoteIPHeader X-Forwarded-For` in Apache or `set_real_ip_from` + `real_ip_header` in Nginx
SSL correct	Open site, check `$_SERVER['HTTPS']` — should be `on`
Composite works	Check header `X-Bitrix-Composite: Cache` in response
1С exchange	Run exchange, ensure `/bitrix/admin/1c_exchange.php` accessible
Payment callbacks	Place test order, check payment status

Timeline

Stage	Duration
DNS connection + basic setup	2–3 hours
IP, SSL, firewall	3–4 hours
Testing all modules	2–3 days
Configuring exceptions (1С, payments)	1 day
Stabilization and monitoring	3–5 days
Total	1–2 weeks

1C Bitrix presentation 1C Bitrix24 presentation 1C Enterprise presentation