Updated on 2024-07-05 GMT+08:00

IP ACL

You can filter out requests from specific IP addresses to restrict access and prevent content theft and attacks.

Precautions

  • This function is disabled by default.
  • Either an IP address blacklist or IP address whitelist can be configured.
  • If your domain name is connected to EdgeSec and an IP address blacklist/whitelist rule is configured in both services, the rule in CDN is executed first.

Procedure

  1. Log in to the Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

    The CDN console is displayed.

  2. In the navigation pane, choose Domains.
  3. In the domain list, click the target domain name or click Configure in the Operation column.
  4. Click the Access Control tab.
  5. In the IP ACL area, click Edit. The Configure IP ACL dialog box is displayed.
    Figure 1 Configuring an IP ACL

  6. Switch on Status to enable this configuration item.
  7. Select a type and enter rules.

    Parameter: Type
    Description:
    • IP address blacklist: If the IP address of a user is included in the blacklist, status code 403 will be returned when the user accesses a CDN PoP.
    • IP address whitelist: If the IP address of a user is not included in the whitelist, status code 403 will be returned when the user accesses a CDN PoP.
      NOTE: Either an IP address blacklist or IP address whitelist can be configured.

    Parameter: Rule
    Description:
    • Up to 500 IP addresses or subnets are supported. Enter one IP address or subnet on each row.
    • The IP address portion of the subnet must be the first IP address on that block.
    • Duplicate IP addresses and IP address segments will be removed.
    • Wildcards are not supported, for example, 192.168.0.*.
    • IPv6 is supported.
      NOTE: An IP address segment cannot include an IP address you specify.
      • Example: You cannot enter 10.62.53.75 and 10.62.53.0/24 in the same rule.
  8. Click OK.
  9. (Optional) Disable the IP ACL.
    • Switch off Status to disable the IP ACL and clear all IP ACL settings. You need to set related parameters when enabling this function again.
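
The Rule constraints in step 7 can be checked locally before a list is pasted into the console. The following Python is an added example, not Huawei Cloud code: the names `parse_rules`, `is_blocked` and `SAMPLE_RULES` are hypothetical, the sample rows are constructed, and applying the 500-entry limit after duplicates are removed is an assumption.

```python
import ipaddress

MAX_RULES = 500  # limit stated in the Rule description

# Constructed sample input: one rule per row, with one duplicate row.
SAMPLE_RULES = "192.168.1.1\n192.168.1.1\n10.62.53.0/24\n2001:db8::/32"


def parse_rules(text):
    """Validate one-rule-per-row input; return a de-duplicated list of networks."""
    nets = []
    for row in text.splitlines():
        row = row.strip()
        if not row:
            continue
        if "*" in row:
            raise ValueError(f"wildcards are not supported: {row}")
        try:
            # strict=True rejects a subnet whose address part is not the
            # first address of the block, e.g. 10.62.53.75/24.
            net = ipaddress.ip_network(row, strict=True)
        except ValueError as exc:
            raise ValueError(f"invalid rule {row!r}: {exc}") from None
        if net not in nets:  # duplicates are dropped, not rejected
            nets.append(net)
    # Assumption: the limit is applied after duplicates are removed.
    if len(nets) > MAX_RULES:
        raise ValueError(f"{len(nets)} rules exceed the limit of {MAX_RULES}")
    # A segment must not include an address that is also listed on its own.
    singles = [n for n in nets if n.num_addresses == 1]
    for seg in (n for n in nets if n.num_addresses > 1):
        for host in singles:
            if host.version == seg.version and host.subnet_of(seg):
                raise ValueError(f"{seg} includes {host.network_address}")
    return nets


def is_blocked(client_ip, nets, acl_type):
    """True if a 'blacklist' or 'whitelist' ACL would answer this client with 403."""
    if acl_type not in ("blacklist", "whitelist"):
        raise ValueError("acl_type must be 'blacklist' or 'whitelist'")
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr.version == n.version and addr in n for n in nets)
    return listed == (acl_type == "blacklist")
```

Rejecting a list locally shows which row breaks a constraint before the rule is saved, which matters most for a whitelist, where an entry left out results in 403 for that client.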

Examples

Assume that you have configured the following ACL for domain name www.example.com.

  • A user requests http://www.example.com/abc.jpg. The user client IP address 192.168.1.1 is included in the blacklist, so error code 403 is returned.
  • A user requests http://www.example.com/abc.jpg. The user client IP address 192.168.1.3 is not included in the blacklist, so the requested content is returned.