Both Anti-DDoS Pro and Anti-DDoS Premium allow you to create accurate access control rules for website services that they protect. The Accurate Access Control policy allows you to customize access control rules. You can filter access requests based on commonly used HTTP fields, such as IP, URI, Referer, User-Agent, and Params. For requests that meet the filter conditions, you can allow, block, or verify them. This policy supports custom protection policies for different scenarios, such as hotlinking protection and management console protection.
- A website is added to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.
- Protection settings in Anti-DDoS Pro or Anti-DDoS Premium of the latest version are enabled.
- Match conditions specify the HTTP fields to be recognized. The following table describes the HTTP fields supported by accurate access control rules.
Note Different HTTP fields use different logical operators. For example, the source IP field uses the Is Part Of or Is Not Part Of logical operator. The URI field uses the Contains or Does Not Contain logical operator. For more information, see the Supported logical operator column in the following table.
| Field | Description | Supported logical operator |
| --- | --- | --- |
| IP | The source IP address of the request. | Is Part Of and Is Not Part Of |
| URI | The request URI. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, and Is Longer Than |
| User-Agent | The information about the client browser that sends the request. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, and Is Longer Than |
| Cookie | The cookie in the request. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, Is Longer Than, and Does Not Exist |
| Referer | The source URI of the request, namely, the page from which the access request is redirected. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, Is Longer Than, and Does Not Exist |
| Content-Type | The HTTP content type of the response specified by the request, namely, MIME type information. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, and Is Longer Than |
| X-Forwarded-For | The actual client IP address of the request. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, Is Longer Than, and Does Not Exist |
| Content-Length | The number of bytes in the HTTP body of the request. | Is Smaller Than, Has a Value Of, and Is Larger Than |
| Post-Body | The content of the request. | Contains, Does Not Contain, Equals, and Does Not Equal |
| Http-Method | The request method. Valid values: GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, and TRACE. | Equals and Does Not Equal |
| Header | The request header that is used to customize the HTTP header field and value. | |
| Params | The parameters in the request URI. The parameter part of the URI usually follows a question mark (?). For example, in URI www.abc.com/index.html?action=login, the parameter part is | |
The following table describes the limits on Accurate Access Control based on the function plan of an Anti-DDoS Pro or Anti-DDoS Premium instance.
| Limit | Standard function plan | Enhanced function plan |
| --- | --- | --- |
| Number of custom rules | ≤ 5 | ≤ 10 |
| Supported match fields | IP, URI, Referer, and User-Agent | All fields that support matching |
- Log on to the Anti-DDoS Pro console.
- In the top navigation bar, select the region of your Anti-DDoS instance.
- Mainland China: Anti-DDoS Pro
- Outside Mainland China: Anti-DDoS Premium
- In the left-side navigation pane, choose .
- On the General Policies page, click the Protection for Website Services tab. On the tab that appears, select the target domain name from the list on the left side.
- In the Accurate Access Control section, click Change Settings.
- Configure accurate access control rules for the domain name.
- Create a rule
- Click Create Rule.
Note If the number of custom rules reaches the upper limit, the Create Rule button is unavailable.
- In the Create Rule dialog box, specify the required parameters and then click OK.
The following parameters are available:
- Name: The name of the rule. The name can be up to 128 characters in length and can contain letters, digits, and underscores (_).
- Match Conditions: The match conditions of the rule. To add match conditions to a rule, click Add Condition. Each condition consists of Field Name, Logical Relation, and Field Value.
  - Set Field Name and Logical Relation based on the supported match fields.
  - Set Field Value based on Field Name. The value of Field Value is case sensitive. Field Value does not support regular expressions, but can be left blank.
  You can add multiple match conditions. If multiple match conditions are specified, a request matches the rule only when all the conditions are met.
- Action: The operation that is performed when a request meets the match conditions. Valid values:
  - Blocked: Requests that meet the match conditions are blocked.
  - Clear: Requests that meet the match conditions are allowed.
- Validity: The validity period of the rule. You can set this parameter to 5 Minutes, 10 Minutes, 30 Minutes, 60 Minutes, 90 Minutes, 120 Minutes, or Permanent.
In this example, after the configuration is complete, if a request is sent to a /login page and the User-Agent field of the request contains
- If you create multiple rules, the priority of a rule depends on its rank in the rule list. The higher the rank, the higher the priority. The system compares a request against rules based on their priorities. The higher the rule priority, the sooner the rule is compared.
- If a request meets multiple match conditions of different rules, the action of the rule with the highest priority takes effect.
- Block specific requests
In most cases, the root directory of a website does not receive POST requests. If HTTP flood attacks occur, your website may receive a large number of POST requests that target the root directory. We recommend that you check whether these requests are valid. If these requests are invalid, you can use accurate access control rules to block them. The following figure shows sample configurations.
- Block web crawlers
If your website receives a large number of crawler requests within a certain period of time, which may be HTTP flood attacks initiated from bots that simulate crawlers, you can block these requests. The following figure shows sample configurations.
- Click Create Rule.
- Edit a rule
- In the rule list, find the target rule and click Edit in the Actions column.
- In the Edit Rule dialog box, modify the rule settings and click OK. Configure the rule settings in the same way you create a rule. However, you cannot change the value of Name.
- Delete a rule
- In the rule list, find the target rule and click Delete in the Actions column.
- In the message that appears, click OK.
- Go back to the Accurate Access Control section and turn on Status to apply the settings.
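As an added illustration (not Alibaba Cloud's code), the following Python models how the rules described above are evaluated: every condition in a rule must match, rules are checked in list order so the highest-ranked match wins, and the matched rule's action is Blocked or Clear. The rules, requests and IP ranges are constructed sample data covering the two use cases above (POST to the root directory, crawler User-Agent); the operator names follow the field table.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of accurate access control evaluation (not Alibaba Cloud code): all
# conditions in a rule must match, rules are checked in list order, first match wins.
def _op(op, actual, value):
    if op == "Does Not Exist":
        return actual is None
    if op in ("Is Part Of", "Is Not Part Of"):   # IP field: value is a CIDR list
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(n.strip(), strict=False)
                  for n in value.split(","))
        return hit if op == "Is Part Of" else not hit
    actual = "" if actual is None else actual     # field values are case sensitive
    return {
        "Contains": lambda: value in actual,
        "Does Not Contain": lambda: value not in actual,
        "Equals": lambda: actual == value,
        "Does Not Equal": lambda: actual != value,
        "Is Shorter Than": lambda: len(actual) < int(value),
        "Has a Length Of": lambda: len(actual) == int(value),
        "Is Longer Than": lambda: len(actual) > int(value),
    }[op]()

@dataclass
class Rule:
    name: str
    conditions: list   # (field, operator, value) tuples; all must match
    action: str        # "Blocked" or "Clear"

def evaluate(rules, request):
    # Rank in the list is the priority; the first matching rule's action takes effect.
    for rule in rules:
        if all(_op(op, request.get(field), val) for field, op, val in rule.conditions):
            return rule.action
    return None   # no rule matched

# Constructed sample rules: a Clear rule ranked first, then the two use cases above.
RULES = [
    Rule("allow_office", [("IP", "Is Part Of", "198.51.100.0/24")], "Clear"),
    Rule("block_root_post", [("URI", "Equals", "/"), ("Http-Method", "Equals", "POST")], "Blocked"),
    Rule("block_crawler", [("User-Agent", "Contains", "spider")], "Blocked"),
]

# Constructed sample requests (documentation IP ranges).
REQUESTS = {
    "root_post": {"IP": "203.0.113.9", "URI": "/", "Http-Method": "POST", "User-Agent": "Mozilla/5.0"},
    "office_post": {"IP": "198.51.100.7", "URI": "/", "Http-Method": "POST", "User-Agent": "curl/8.0"},
    "crawler": {"IP": "203.0.113.9", "URI": "/", "Http-Method": "GET", "User-Agent": "Examplespider/1.0"},
    "normal": {"IP": "203.0.113.9", "URI": "/index.html", "Http-Method": "GET", "User-Agent": "Mozilla/5.0"},
}
```

Note that office_post is allowed even though it is a POST to the root directory, because the Clear rule is ranked above the Blocked rule.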