tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Tencent Cloud EdgeOne
    Documentation
    Download PDF

    Custom rule(IP blocklist/allowlist、regional restrictions,etc)

    Last updated: 2024-11-19 17:51:41
    Download PDF

      Overview

      If your site needs to customize the user access policy, such as prohibiting users from specified regions, allowing specified external sites to link to the site content, and allowing only specified users to access certain resources. Custom rules support matching client requests based on single rule matching conditions or multiple matching conditions. By allowing, intercepting, redirecting, and returning custom pages, you can control the request strategy of matched requests, which can help your site more flexibly limit the content that users can access.

      Typical Scenarios and Usage

      You can choose the appropriate rule type to protect your site according to different scenarios. Custom rules are divided into the following types:
      Basic access control: Supports single condition matching requests, disposes or observes matched requests, and is suitable for simple scenario protection, such as configuring IP blocklist/allowlist, Referer blocklist, UA blocklist/allowlist, or regional restrictions.
      Precise matching rules: Supports multiple condition combination matching requests, disposes or observes matched requests, and is suitable for complex scenario protection configuration, such as allowing only specified users to access files under specified paths.
      Managed custom policy: A policy customized by Tencent security experts, which does not support console adjustment. For details, please see: Managed custom rules.
      Note:
      When there are multiple rules of the same type, the priority of the rules is as follows:
      1. Rules within Basic access control: when a request matches multiple rules, the actions will be executed in the following order: Observe > Block.
      2. Precise matching rules will be executed from high to low priority (Priority Value from small to large);
      3. For the priority order of Custom rules and other Web Protection capabilities, please refer to: Web Protection Request Processing Order.

      Basic Access Control

      Example Scenario 1: Only allow access from specific countries/regions

      To comply with the legal requirements of specified business regions, if the current business only allows access from non-Chinese mainland regions, you may need to restrict the visitor's source region. For such scenarios, you can use the regional control rules in basic access control to achieve this. The operation steps are as follows:
      1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
      2. Click Security > Web Security . By default, it is a site-level security policy. To configure differentiated security policies for a specific domain name under the current site, you can enter the Domain-level security policy tab and then click the corresponding domain name to enter the configuration page for the domain-level security policy. The subsequent steps are the same.
      3. Locate the Custom rules tab and click Add rule in Basic access control .
      4. Enter the rule name and configure the control type, matching method, and control range. In this example scenario, you can set the control type to Region Control , select the matching method as Include and the matching content as Chinese mainland (All) , and set the action to Block .
      
      5. Click Save . The rule will be deployed and take effect. At this time, if the client access IP is from the Chinese mainland, the access to the website is denied.

      Example Scenario 2: Configure Referer to control external site access

      Note:
      The HTTP protocol allows the Referer header to use a full URL or partial URL. You should configure the matching content according to the actual situation. For details about the Referer header, see RFC 9110.
      To prevent unauthorized site access, you can use the Referer control rules in basic access control to block access requests with unauthorized Referer headers. For example, if the service at the https://www.myexample.com site needs to allow access requests through the advertising partner's link https://ads.example.com/ads-link and reject access through other site links, you can take the following steps:
      1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
      2. Click Security > Web Security . By default, it is a site-level security policy. Click the Domain-level security policy tab and then click the target domain name such as www.myexample.com , to enter the configuration page for the security policy of the target domain name.
      3. Locate the Custom rules tab and click Add rule in Basic access control.
      4. Enter the rule name and configure the control type, matching method, and control range. In this example scenario, you can set the control type to Referer control , and select the action as Block when the request Referer does not equal https://www.myexample.com or https://ads.example.com/ads-link.
      
      5. Click Save. The rule will be deployed and take effect.

      Precise Matching Rules

      Example Scenario: Precisely control the exposure surface of sensitive resources on the site

      If you need to control the exposure surface of sensitive resources (such as the background management page) on the site and only allow access from specific clients or specified networks. You can use the client IP matching and request URL matching combination in precise matching rules to achieve this.
      For example, the current site domain name www.example.com has a management background login address path of /adminconfig/login, and this background is only allowed to be logged in by the specified client IP user 1.1.1.1. The operation steps are as follows:
      1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
      2. Click Security > Web Security . By default, it is a site-level security policy. Click the Domain-level security policy tab and then click the target domain name such as www.example.com, to enter the configuration page for the security policy of the target domain name.
      3. Locate the Custom rules tab and click Add rule in Precise matching rules .
      4. On the rule adding page, select creating a blank rule, enter the rule name, and click Add.
      5. Configure the judgment conditions and actions. In this example scenario, you can configure the matching fields as Request path (Path) equals /adminconfig/login and Client IP not matching 1.1.1.1 , and set the action to Block.
      Note:
      Priority: The lower the value, the higher the priority. When a request matches multiple rules, the action of the rule with the higher priority (lower numerical value) applies.
      
      6. Click Save and publish . The rule will be deployed and take effect.

      Related References

      Supported Matching Condition Range

      Custom rules can use matching conditions to control the scope of rule application. The following are the matching conditions supported by different custom rule types:
      Basic access control
      Rule type
      Description
      Client IP control
      Control access requests based on client IP
      Regional control
      Control access requests based on client IP location
      Referer control
      Control access requests based on the Referer header content
      User-Agent control
      Control access requests based on the User-Agent
      ASN control
      Control access requests based on the client IP location ASN
      URL control
      Control access requests based on the request URL, supporting wildcard matching
      Precise matching rules
      Precise matching rules support the following matching conditions, and the support level for different EdgeOne plans is also not consistent.
      Note:
      For the description and plan restrictions of supported matching conditions, please refer to: Matching conditions.
      Request domain name (Host)
      Request client IP
      Request client IP (prioritizing XFF header)
      Request method (Method)
      Request User-Agent header
      Session cookie
      XFF extended header
      Request path (Path)
      Custom request header
      Request URL
      Request source (Referer)
      Network layer protocol
      Application layer protocol
      Request body
      JA3 fingerprint

      Supported Actions

      Different custom protection rules support the following actions. For the description of different actions, please refer to Actions.
      Protection rule type
      Supported actions
      Basic access control
      Observe
      Intercept
      Precise matching rules
      Release
      Intercept
      Observe
      IP blocking rule
      Return custom response content Annotation
      Redirect to URL
      JavaScript challenge
      Note:
      Annotation: You can configure the return custom response content action for a single custom rule (only precise matching rules are supported). When a request matches the rule, EdgeOne will return the specified page and status code. You can also configure the custom response page to specify the page and status code used for all custom rules to block requests.
      
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy