Access Control Tutorial

最終更新日:2024-10-28 17:27:45

Scenario 1: Restrict the access area of users to the service

Example: Your website is about a government announcement, so you only want clients from China to access your hostnames www.announcement.com. You can add a blackl list to deny all the requests except China. The configuration steps are as follows:

1. Create custom rule

  1. Navigate to the Security Settings > Shared Configurations > Custom Rules.
  2. Click Create.

2. Configure rule information

  1. Configure Match Conditions: select Object as “Geo”, Operator as “does not equal”, Area as “China.”, or you can select the province of China if required.
  2. Configure Action: select Action as “Deny”.
  3. Click Confirm to create this rule.

3. Associate hostnames

  1. Go back to Custom Rules page, and find the created rule.
  2. Click 企业微信截图_1729848403930.png to associate the hostname, select “www.announcement.com” from the hostname list, then click Confirm to issue this rule.

Scenario 2: Minimize sensitive resource exposure surfaces

Example: The sensitive resource is published on your website www.sensitive.com, the access path is /sensitive/access, so you only want give the access permission to the client from IP 1.1.1.1 and 2.2.2.2. The configuration steps are as follows:

1. Create custom rule

  1. Navigate to the Security Settings > Shared Configurations > Custom Rules.
  2. Click Create.

2. Configure rule information

  1. Configure Match Conditions: select Object as “IP/CIDR”, Operator as “does not equal”, and type the IP addresses “1.1.1.1;2.2.2.2”.
  2. Click 企业微信截图_17298523894860.png to add another Match Condition: select Object as “Path”, Operatoer as “equals”, and type the content “/sensitive/access”.
  3. Configure Action: select Action as “Deny”.
  4. Click Confirm to create this rule.

3. Associate hostnames

  1. Go back to Custom Rules page, and find the created rule.
  2. Click 企业微信截图_1729848403930.png to associate the hostname, select “www.sensitive.com” from the hostname list, then click Confirm to issue this rule.