Set a whitelist or blacklist for a domain

Last Updated: Feb 05, 2018

You can set a whitelist or blacklist by configuring HTTP ACL policies in WAF. The whitelist and blacklist take effect only on the specific domain that has the HTTP ACL policy configured.


  1. Log on to the Alibaba Cloud console.

  2. Go to the Security > Web Application Firewall > Management > Website Configuration page, find the domain that you want to add a whitelist or blacklist for, and click Policies.


  3. Enable HTTP ACL Policy, and then click Settings.

    HTTP ACL Policy settings

  4. Click Add Rule to add a new ACL rule. For example, allow all requests from IP

    Add rule

    Note: If you want to allow all requests from this IP, do not select any “proceed to …” protection options in the Add Rule dialog box. If any protection options are selected, some requests from this IP can still be blocked by those protection rules.

Similarly, you can follow this procedure to set a blacklist for a specific domain.

More information

  • Multiple matching conditions in one rule are combined with a logical “and”. Thus, if you want to add a whitelist or blacklist for multiple IPs/IP segments, you have to create multiple HTTP ACL rules.

    Multiple HTTP ACL rules

    Note: The IP matching field in HTTP ACL rules supports mask format (for example, is supported), and the logical operator supports “not have”. For example, you can refer to the following rule configuration when you want to allow requests to one domain only from a specific IP segment.

    Only allow requests from specific IP segment

  • There is a priority among multiple HTTP ACL rules. WAF applies the HTTP ACL rules according to the displayed sequence (from top to bottom) of HTTP ACL rules in the HTTP ACL Policy list. Additionally, you can click Sort Rules to adjust the priority among the HTTP ACL rules.

    Sort rules
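
The rule semantics described above (conditions in a rule combined with “and”, mask-format IP matching, the “not have” operator, and top-to-bottom priority) can be checked with a small model. This is an added example, not Alibaba Cloud code or an API of the product. It assumes that the first matching rule decides the outcome; the field, operator and action names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Model only (assumption): a rule is (name, conditions, action). All conditions
# in a rule must match ("and"); rules are tried top to bottom and the first
# matching rule decides. Field, operator and action names are illustrative.

def cond_matches(cond, req):
    field, op, value = cond
    if field == "IP":
        net = ipaddress.ip_network(value, strict=False)  # plain IP or mask format
        hit = ipaddress.ip_address(req["IP"]) in net
    else:
        hit = value in req.get(field, "")
    return hit if op == "have" else not hit  # op: "have" | "not have"

def evaluate(rules, req, default="no ACL match"):
    # "no ACL match" means no HTTP ACL rule applied to the request.
    for name, conds, action in rules:
        if all(cond_matches(c, req) for c in conds):
            return f"{action} ({name})"
    return default

# Constructed sample data (documentation address ranges).
OFFICE_A, OFFICE_B = "192.0.2.10", "198.51.100.7"

# Wrong: two IP conditions in one rule are and-ed, so no single client matches.
one_rule = [("allow-offices", [("IP", "have", OFFICE_A), ("IP", "have", OFFICE_B)], "allow")]
# Right: one rule per IP or segment.
two_rules = [("allow-a", [("IP", "have", OFFICE_A)], "allow"),
             ("allow-b", [("IP", "have", OFFICE_B)], "allow")]
# Only allow one segment: block every request whose IP is not in it.
only_segment = [("block-outside", [("IP", "not have", "192.0.2.0/24")], "block")]
# Order matters: the same two rules in opposite order give different results.
block_first = [("block-admin", [("URL", "have", "/admin")], "block"),
               ("allow-a", [("IP", "have", OFFICE_A)], "allow")]
allow_first = list(reversed(block_first))

if __name__ == "__main__":
    req_a = {"IP": OFFICE_A, "URL": "/admin/login"}
    req_x = {"IP": "203.0.113.50", "URL": "/index.html"}
    for label, rules in [("one_rule", one_rule), ("two_rules", two_rules),
                         ("only_segment", only_segment),
                         ("block_first", block_first), ("allow_first", allow_first)]:
        print(f"{label:13} A: {evaluate(rules, req_a):22} other: {evaluate(rules, req_x)}")
```

Running the rule list through a model like this before saving it in the console catches the two common mistakes: a whitelist rule that can never match because it lists several IPs as conditions, and a broad rule placed above the exception it was meant to follow.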

