Updated on 2025-05-29 GMT+08:00

IP ACL

You can filter out requests from specific IP addresses to restrict access and prevent content theft and attacks.

Precautions

  • This function is disabled by default.
  • Either an IP address blacklist or IP address whitelist can be configured.
  • If your domain name is connected to EdgeSec and an IP address blacklist/whitelist rule is configured in both services, the rule in CDN is executed first.
  • This function uses Layer 7 HTTP IP address identification. When a client request hits the blacklist and is blocked, a small amount of traffic or bandwidth fees is generated. If the service type of the domain name is whole site acceleration, request fees are also charged for the client request.

Procedure

  1. Log in to Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

    The CDN console is displayed.

  2. In the navigation pane, choose Domains.
  3. In the domain list, click the target domain name or click Configure in the Operation column.
  4. Click the Access Control tab.
  5. In the IP ACL area, click Edit. The Configure IP ACL dialog box is displayed.
    Figure 1 Configuring an IP ACL
  6. Switch on Status to enable this configuration item.
  7. Select a type and enter rules.

    Parameter: Type
    Description:
    • IP address blacklist: If the IP address of a user is included in the blacklist, status code 403 will be returned when the user accesses a CDN PoP.
    • IP address whitelist: If the IP address of a user is not included in the whitelist, status code 403 will be returned when the user accesses a CDN PoP.
    NOTE: Either an IP address blacklist or IP address whitelist can be configured.

    Parameter: Rule
    Description:
    • Up to 500 IPv4 and IPv6 addresses and CIDR blocks are supported. The prefix length ranges from 1 to 32 bits for IPv4 and 1 to 128 bits for IPv6. Each line contains one IP address.
    • A CIDR block is in the format of First host IP address/Prefix length.
    • Duplicate IP addresses and IP address segments will be removed.
    • Wildcards are not supported, for example, 192.168.0.*.
    NOTE: An IP address segment in a rule cannot contain an IP address that is also specified in the same rule. Example: You cannot enter 10.62.53.75 and 10.62.53.0/24 in the same rule.

  8. Click OK.
  9. (Optional) Disable the IP ACL.
    • Switch off Status to disable the IP ACL and clear all IP ACL settings. You need to set related parameters when enabling this function again.

Examples

Assume that you have configured the following ACL for domain name www.example.com.

  • A user requests http://www.example.com/abc.jpg. The user client IP address 192.168.1.1 is included in the blacklist, so error code 403 is returned.
  • A user requests http://www.example.com/abc.jpg. The user client IP address 192.168.1.3 is not included in the blacklist, so the requested content is returned.
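
The Rule constraints in step 7 and the blacklist/whitelist outcomes above can be checked locally before a list is pasted into the console. The following Python sketch is an added example, not Huawei Cloud code. The names parse_rules and status_for, the sample list, the use of 200 to stand for "content returned", and the reading of "first host IP address" as the start of the CIDR block are assumptions.

```python
import ipaddress

MAX_ENTRIES = 500  # limit given in the Rule description


def parse_rules(text):
    """Check ACL rule text (one entry per line) and return the networks."""
    nets = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        if "*" in entry:
            raise ValueError(f"wildcards are not supported: {entry}")
        # strict=True rejects a CIDR block whose address part is not the
        # start of the block (assumed meaning of "first host IP address")
        net = ipaddress.ip_network(entry, strict=True)
        if net.prefixlen == 0:
            raise ValueError(f"prefix length must be at least 1: {entry}")
        if net not in nets:  # duplicates are dropped, as the page states
            nets.append(net)
    if len(nets) > MAX_ENTRIES:  # assumption: counted after de-duplication
        raise ValueError(f"more than {MAX_ENTRIES} entries")
    # A single address may not sit inside a segment listed in the same rule.
    for host in nets:
        if host.prefixlen != host.max_prefixlen:
            continue
        for seg in nets:
            if seg is not host and seg.version == host.version and host.subnet_of(seg):
                raise ValueError(f"{host.network_address} is inside {seg}")
    return nets


def status_for(client_ip, acl_type, nets):
    """Return 403 when the ACL blocks client_ip, else 200 (stand-in for 'content returned')."""
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip.version == n.version and ip in n for n in nets)
    if acl_type == "blacklist":
        return 403 if listed else 200
    if acl_type == "whitelist":
        return 200 if listed else 403
    raise ValueError("acl_type must be 'blacklist' or 'whitelist'")


# Constructed sample rule; 192.168.1.1 is the blocked client from the Examples section.
SAMPLE_BLACKLIST = parse_rules("192.168.1.1\n10.62.53.0/24\n2001:db8::/32\n192.168.1.1")
```

Running the same list through status_for with acl_type set to "whitelist" shows which clients a switch from blacklist to whitelist would start rejecting.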