User-Agent Access Rules
Last update:2026-04-13 18:31:07
When a client sends a request to a web server, it typically carries a User-Agent header, which identifies the device and browser from which the request originates. It details the operating system and version, as well as the browser type and version. Therefore, access control can be performed based on this header. When a CDN edge server receives a client request, it checks the information in the User-Agent field of the HTTP request header, and then allows or denies user requests that comply with specific rules.
The User-Agent access rule is suitable for the following scenarios:
- When the content is only allowed to be accessed by specific browsers, such as only allowing Internet Explorer to access and denying access from Chrome, User-Agent anti-theft can be used.
- When accelerated domains are only allowed to be accessed by specific clients, such as having a dedicated client that carries specific User-Agent information when sending requests, the User-Agent access rules can be used.
How to Set Up the User-Agent Access Rule
- Log in to the CDNetworks Console and select the appropriate product.
- Go to the Configuration, locate the domain you wish to configure, and click Edit Configuration
. - Navigate to Access Control - User-Agent Access List in the left sidebar and click Add.
- Configure the settings as follows based on your needs.
Apply to
This defines the scope for the requests that User-Agent rules will apply to. You can choose from the following options:
| Setting | Description |
|---|---|
| All Requests | The access control rule applies to all types of requests. |
| Only Homepage | Applies only to the root directory of the domain, such as http://domain/ or https://domain/. |
| Specific File Type | Applies only to specific types of files. You can select from the predefined file types on the left or define custom file types. Separate multiple custom types with a semicolon ; (e.g., jpg;png). |
| Specific URL Path | Applies only to requests for content at a specific URL path. Two URL path matching options are available:Full URL Path: Complete URL path, including parameters (e.g., path/index.html?abc=123). Ignore Query String: URL path without query parameters (e.g., path/index.html). |
| Specific Directory | Applies to requests under specific directories. For example, /file/abc/ applies to all content under http://domain/file/abc/*.Note: Directories must start and end with /, and can only contain letters, numbers, and certain special characters (underscore, hyphen, percent sign, dot). Multiple directories are supposed to be separated with line breaks. |
| URL Pattern (Regex) | Uses regular expressions to control the scope for the requests that the rules will be applied to. For example, the pattern *.jpg$ ensures that access control applies to all URLs ending with .jpg. |
Advanced Scope Conditions
You can further refine the rule’s scope using Advanced Scope Conditions. This will intersect with the basic Apply to for precise control. Select one or more parameters to form an AND relationship with the basic rules to target specific requests or responses.
| Parameter | Description |
|---|---|
| Region or Exclude Regions | Supports direct search selection from the list of countries/regions provided by CDNetworks; For Mainland China, it is possible to select specific provinces or larger geographical areas, such as East Region and Southwest Region. |
| Exclude File Type | Excludes certain file types. Separate multiple types with ;. |
| Exclude Custom File Type | Excludes custom file types as needed. Separate multiple types with ;. |
| Exclude Directory | Excludes specific directory paths. Paths must start and end with /. Separate multiple directories with ;. |
| Exception URL (Regex) | Excludes URLs using regex, e.g., .*\.jpg$. |
| Access-Control-Allow Methods | Matches HTTP request methods. Separate multiple methods with ;, e.g., GET;POST. |
| Exclude Request Method | Excludes specific HTTP request methods. |
Rule Type
You can set up either a User-Agent blocklist or whitelist:
| Configuration | Description |
|---|---|
| Blocklist | If the User-Agent in the HTTP request header matches the blocklist, access will be denied for the user. |
| Allowlist | Users are only allowed access to the content if the User-Agent in their HTTP request header matches the allowlist. |
Tips
- Both the User-Agent blocklist and allowlist can contain multiple values, which should be separated by line breaks.
- The system supports only one allowlist rule. If multiple User-Agent values are needed, they must all be included within this single allowlist.
Action
When the User-Agent does not meet the set rules, and a request is denied by the CDN, choose whether to return an error code directly or redirect to another URL:
- Block Access: Returns a 403 error for failed access validations.
- Redirect: Redirects failed validations to a specified URL.
Case-Insensitive Match
You can set whether the blocklist or allowlist rules are case-insensitive. The default value is Yes.
If set to Yes, the values in the list will NOT be case-sensitive. For example, if Chrome/123.0.0.0 is allowed in the allowlist, the request will be permitted whether the User-Agent is Chrome/123.0.0.0 or chrome/123.0.0.0.
Priority
When multiple User-Agent access control rules are configured, the CDN prioritizes them based on their numerical value, executing higher numbers first.
After you have completed setting the configurations, please click OK and then select Next to submit your settings. To minimize any potential disruptions to your production environment, we strongly recommend conducting a Pre-deploy test in a staging environment. This crucial step ensures that your configurations are accurate before they go live. Once you have verified the accuracy of the settings, click Deploy Now to implement them in the live environment. The configurations typically become effective within 3-5 minutes.
For comprehensive guidance on pre-deployment testing and to verify the effectiveness of your configurations, please consult the tutorial Deploy the Configurations to Staging Environment for Validation.
Notes
Please DO NOT configure both User-Agent blocklists and allowlists simultaneously, as this may result in all CDN access being denied, potentially disrupting your online operations. For instance, configuring both a User-Agent blocklist and allowlist as shown below can lead to all access being denied.
Why would all access be denied?
- Access is denied when the request’s User-Agent carries the value
Chrome/123.0.0.0, as it matches the User-Agent blocklist. - Conversely, requests without the User-Agent
Chrome/123.0.0.0, while not denied by the blocklist, fail to meet the allowlist (which only allows access for requests with the User-AgentChrome/123.0.0.0) and are also denied.
If you need to configure both a blocklist and an allowlist, please contact our Customer Service for assistance to ensure proper setup.