IP Access Rules
Last update:2024-07-17 17:26:54
In a communication network, IP addresses are unique and remain constant throughout the request process. When a client initiates a request to a CDN edge servers, the CDN edge servers can obtain the client’s IP address. Therefore, IP addresses can be utilized for access control. Upon receiving a request from a client, the CDN node checks the client’s IP address and then either allows or denies user requests that comply with specific rules.
The IP access rule is suitable for the following scenarios:
- When abnormal access behavior is detected from certain IP addresses, such as hotlinking or certain attacks, these IP addresses can be added to the blacklist. Consequently, access attempts from these IP addresses to CDN nodes will be directly denied.
- When access to accelerated content is restricted based on IP addresses, such as only allowing access to employees within a company and denying access to individuals outside the company, the fixed exit IP addresses of the company can be added to the whitelist. Consequently, access attempts from IP addresses other than those on the whitelist will be directly denied.
- When access to content is restricted based on geographic regions, such as allowing viewing or downloading only for users in the New York area and denying access to users from other regions, the region access permission feature can be used.
How to Set Up the IP Access Rule
- Log in to the CDNetworks Console and select the appropriate product.
- Go to the Configuration, locate the domain you wish to configure, and click Edit Configuration
. - Navigate to Hotlinking Protection - IP Blacklist/Whitelist Anti-Hotlinking in the left sidebar and click Add.
- Configure the settings as follows based on your needs.
Effective Range
This defines the range of requests that the rules will apply to. You can choose from the following options:
| Setting | Description |
|---|---|
| All Requests | The access control rule applies to all types of requests. |
| Only Homepage | Applies only to the root directory of the domain, such as http://domain/ or https://domain/. |
| Specified File Type | Applies only to specific types of files. You can select from the predefined file types on the left or define custom file types. Separate multiple custom types with a semicolon ;.(e.g., jpg;png). |
| Specified URI | Applies only to requests for content at a specific URI. Two URI matching options are available:Exact matching: Complete URI, including parameters.(e.g., path/index.html?abc=123). Ignore the parameter matching: URI without query parameters.(e.g., path/index.html). |
| Specified Directory | Applies to requests under specific directories. For example, /file/abc/ applies to all content under http://domain/file/abc/*.Note: Directories must start and end with /, and can only contain letters, numbers, and certain special characters (underscore, hyphen, percent sign, dot). Multiple directories are supposed to be seperated with line breaks. |
| URL Pattern | Uses regular expressions to control the range of requests that the rules will be applied to. For example, the pattern *.jpg$ ensures that access control applies to all URLs ending with .jpg. |
Rule Type
You can set up either a IP blacklist or whitelist:
| Type | Description |
|---|---|
| Blacklist | Set an IP blacklist to deny access from certain IPs or IP ranges. We provide four options:Custom: Define your IP blacklist by adding specified IP addresses and ranges. Access from these IPs will be denied.All IPs: Access denied for all IP addresses.All IPv4: Access denied for IPv4 addresses only.All IPv6: Access denied for IPv6 addresses only.You can add excetpions to permit access from certain IPs within a blocked range by Setting Exception IP Addresses/IP Segments. Multiple exceptions can be added simutaneously and should be separated by ;. |
| Whitelist | Set an IP whitelist to allow access only from specific IPs or IP ranges. Multiple IPs or ranges can be added simutaneously and should be separated by ;. |
The system supports only one whitelist rule. If multiple IPs or IP ranges are needed, they must all be included within this single whitelist.
Action
When a client’s IP does not meet the set rules, and their request is denied by the CDN, choose whether to return an error code directly or redirect to another URL:
- Deny Access: The CDN rejects the request with a 403 error.
- Redirect URL: The CDN redirects the requests to another URL.
Priority
When multiple access control rules are configured, the CDN prioritizes them based on their numerical value, executing higher numbers first.
After you have completed setting the configurations, please click OK and then select Next to submit your settings. To minimize any potential disruptions to your production environment, we strongly recommend conducting a Pre-deploy test in a staging environment. This crucial step ensures that your configurations are accurate before they go live. Once you have verified the accuracy of the settings, click Deploy Now to implement them in the live environment. The configurations typically become effective within 3-5 minutes. For comprehensive guidance on pre-deployment testing and to verify the effectiveness of your configurations, please consult the tutorial Deploy the Configurations to Staging Environment for Validation.
Best Practices
Example 1: Configure an IP Blacklist
Prohibit access from IP addresses 1.1.1.1 and 2.2.2.2 to http://cdnetworks/browse/index.html.
Example 2: Configure an IP Whitelist
Allow access only from IP addresses 1.1.1.1 or 2.2.2.2 to http://cdnetworks/browse/index.html.
Example 3: Permanent URL Ban
Block access to http://cdnetworks/browse/index.html for all users. The block will remain until the configuration is manually removed.
Notes
Please DO NOT configure both IP blacklists and whitelists simultaneously, as this may result in access to CDN being denied, potentially impacting your business. For example, configuring both a IP blacklist and whitelist as shown below can lead to all accesses being denied by the CDN.
Why would all requests be denied?
- When a request comes from IP
1.1.1.1, it matches the IP blacklist rules and is denied by the CDN。 - Requests from other IPs, while not denied by the blacklist, fail to meet the whitelist rule (which only allows access from
1.1.1.1) and are also denied.
If you need to configure both a blacklist and a whitelist, please contact our technical support for assistance to ensure proper setup.