When your website responds slowly, you can use the rate limiting feature to block requests from specific IP addresses within seconds. This helps to improve website security. This topic describes how to configure rate limiting.

Background information

Rate limiting is supported only in the CDN console V1.0.22.


  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the target domain name and click Manage.
  4. In the left-side navigation pane of the specified domain name, click Security Settings.
  5. On the Rate Limiting page, click the Set Rate Limiting switch.
  6. Click Modify.
  7. In the Rate Limiting dialog box, enable parameter check, and select a control mode.
    Parameter | Description
    Parameter Check | After parameter check is enabled, the rate limiting feature will use the specified URIs with all parameters to match requests.
    Control Mode | You can select one of the following control modes:
    • Normal

      The default rate limiting mode. Select this mode to prevent false positives when your website traffic is normal.

    • Emergency

      Select this mode when your website responds slowly and exceptions are detected in network traffic, CPU usage, memory usage, and other performance indicators.

    • Custom

      Select this mode when you want to customize rate limiting rules based on your actual needs. For more information about how to set a custom rule, see step 8.

  8. If you set the control mode to Custom, you need to create custom rate limiting rules.
    1. Click Create Rule on the right side of Custom Rules.
      Note: You can create up to five custom rules in the CDN console.
    2. Create a custom rule as follows.
      Parameter | Description
      URI | Enter the URI to be protected, for example, /register. You can include parameters in the URI, for example, /user?action=login.
      Match Criteria | Select one of the following match modes:
      • Exact Match

        In this mode, requests from an address are counted only if the requested URI exactly matches the specified URI.

      • Prefix Match

        In this mode, requests from an address are counted if the requested URI starts with the specified URI. For example, if the URI is set to /register, requests sent to /register.html are counted.

      • Regex Match

        In this mode, requests from an address are counted if the requested URI matches the specified regular expression.

      Interval | Set a period during which request statistics are collected. This interval must be used together with the number of visits from an individual IP address. The interval must be at least 10 seconds.
      Monitored Object | Select one of the following objects for monitoring:
      • IP
      • Header
      • Domain
      • Parameter
      Match Criteria | Click Add Criterion and configure the following parameters: Type, Option, Operator, and Value.
      Action | Specify an action to be performed after the criteria are matched, and specify how long the IP address is blocked for.
      • Block

        When the criteria are matched, the connection is closed.

      • Human-machine Identification

        When the criteria are matched, CDN returns status code 200 and redirects the request for client verification. If the client passes the verification, requests are allowed to pass through. For example, if an IP address initiates requests more than five times within 20 seconds, a human-machine identification is performed. All requests from the IP address within 10 minutes must pass the human-machine identification. Requests from this IP address are allowed to pass through only when the IP address is verified.

      Block Duration | Specify how long the IP address is blocked for. The minimum value is 60 seconds.
      The following table lists some sample custom rules.
      | Scenario | Monitored object | Interval | Match criteria | Action | Block duration |
      |---|---|---|---|---|---|
      | A 4xx or 5xx error has occurred. | IP | 10 seconds | status_ratio|404>60%&&count>50 | Block | 10 minutes |
      | A QPS spike has occurred. | Domain | 10 seconds | count>N | Human-machine identification | 10 minutes |
      Note: Assign a value to N based on your actual workloads.
    3. Click OK.
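
Before you enable a custom rule, you can replay it against your own access logs to see which clients it would block. The following is an added example, not code from Alibaba Cloud CDN: it evaluates the first sample rule above (IP, 10 seconds, status_ratio|404>60%&&count>50, Block, 10 minutes) over constructed records. The function names, the fixed-window counting, the unanchored regex search, and the handling of a disabled parameter check are assumptions of this example.

```python
import re
from collections import defaultdict

def uri_matches(mode, pattern, uri, parameter_check=True):
    """Exact / Prefix / Regex match modes from the custom rule dialog."""
    if not parameter_check:  # assumption: query string ignored when the check is off
        uri = uri.split("?", 1)[0]
    if mode == "exact":
        return uri == pattern
    if mode == "prefix":
        return uri.startswith(pattern)
    if mode == "regex":  # assumption: unanchored search
        return re.search(pattern, uri) is not None
    raise ValueError(f"unknown match mode: {mode}")

def dry_run(records, mode, pattern, interval=10, status=404,
            min_ratio=0.60, min_count=50, block_for=600, parameter_check=True):
    """Replay status_ratio|404>60%&&count>50 per IP; return {ip: (start, end)}."""
    if interval < 10 or block_for < 60:
        raise ValueError("minimums: interval 10 s, block duration 60 s")
    buckets = defaultdict(lambda: [0, 0])  # (ip, window) -> [requests, status hits]
    for ts, ip, uri, code in records:
        if uri_matches(mode, pattern, uri, parameter_check):
            bucket = buckets[(ip, ts // interval)]  # assumption: fixed windows
            bucket[0] += 1
            bucket[1] += code == status
    blocked = {}
    for (ip, window), (total, hits) in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        if ip not in blocked and total > min_count and hits / total > min_ratio:
            start = (window + 1) * interval  # assumption: rule fires at window end
            blocked[ip] = (start, start + block_for)
    return blocked

def sample_records():
    """Constructed access records: (epoch_seconds, client_ip, uri, status)."""
    recs = []
    for i in range(60):  # client A: 60 requests in 10 s, 45 of them 404 (75%)
        recs.append((1000 + i % 10, "203.0.113.7", f"/register?u={i}", 404 if i < 45 else 200))
    for i in range(55):  # client B: busy but healthy, count > 50 and no 404s
        recs.append((1000 + i % 10, "198.51.100.4", "/register", 200))
    for i in range(20):  # client C: 100% 404 but only 20 requests
        recs.append((1000 + i % 10, "192.0.2.9", "/register.html", 404))
    return recs

if __name__ == "__main__":
    print(dry_run(sample_records(), "prefix", "/register"))
```

Only client A is blocked with Prefix Match. With Exact Match and parameter check enabled, its /register?u=... requests are not counted at all, so the same rule blocks nobody.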