Alibaba Cloud CDN allows you to configure a User-Agent blacklist or whitelist to identify and filter requests. This can restrict access to CDN resources and improve service security. This topic describes how to configure a User-Agent blacklist or whitelist.

Background information

User-Agent is an HTTP header. It contains information about the client that makes the request, including the operating system (OS), OS version, browser, and browser version.

After you configure a User-Agent blacklist or whitelist, Alibaba Cloud CDN matches the User-Agent header in requests against the blacklist or whitelist.
  • User-Agent blacklist: Requests whose User-Agent header is in the blacklist are rejected. The HTTP 403 status code is returned to the client.
  • User-Agent whitelist: Only requests whose User-Agent header is in the whitelist are allowed to access resources on CDN points of presence (POPs).
Note
  • The blacklist and whitelist are mutually exclusive. You can configure only one of them.
  • If the value of the User-Agent field in a request is in the User-Agent blacklist, the request still reaches the Alibaba Cloud CDN POP. The POP then rejects the request, returns the HTTP 403 status code, and records the request in Alibaba Cloud CDN logs.

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
  4. In the left-side navigation pane of the domain name, click Access Control.
  5. Click the User-Agent Blacklist/Whitelist tab.
  6. On the User-Agent Blacklist/Whitelist tab, click Modify.
  7. Set Type to Blacklist or Whitelist based on your business requirements.
    Parameter: Type
    Description: The following two types of lists are supported:
    • Blacklist

      Requests whose User-Agent header is in the blacklist are rejected.

    • Whitelist

      Only requests whose User-Agent header is in the whitelist are allowed to access resources on POPs.

    Parameter: Rules
    Description: When you specify User-Agent fields, separate fields with vertical bars (|). The wildcard character (*) is supported. Example: *curl*|*IE*|*chrome*|*firefox*.
    Note
    • To apply access control to requests that contain a User-Agent header with an empty value, add the this-is-empty-ua parameter to the rules. The parameter represents an empty User-Agent value.
      • For the whitelist, if the this-is-empty-ua parameter is defined in the rules, requests that contain a User-Agent header with an empty value are allowed.
      • For the blacklist, if the this-is-empty-ua parameter is defined in the rules, requests that contain a User-Agent header with an empty value are rejected.
    • User-Agent blacklists and whitelists do not support access control on requests that do not contain a User-Agent header. To enable the feature, you can use EdgeScript or submit a ticket at https://workorder-intl.console.aliyun.com/?spm=5176.2020520001.aliyun_topbar.18.dbd44bd3e4f845#/ticket/createIndex. For more information, see EdgeScript overview.
  8. Click OK.

Configuration examples

  • Example 1: Configure a whitelist

    Rule: *IE*|*firefox*

    Expected result: Only requests sent from IE or Firefox are allowed to access resources on CDN POPs.

  • Example 2: Configure a blacklist

    Rule: *IE*|this-is-empty-ua

    Expected result: Requests that are sent from IE or contain a User-Agent header with an empty value are rejected.
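To check a rule string before saving it in the console, the semantics described above can be modeled offline. The following is an added example, not Alibaba Cloud code: the names parse_rules and evaluate and the "not-covered" result are hypothetical, and it assumes case-insensitive matching and that an empty value is matched only by this-is-empty-ua, neither of which this topic states.

```python
import re

EMPTY_UA = "this-is-empty-ua"  # keyword from this topic for an empty header value


def parse_rules(rules):
    """Split a rule string on '|' into (matches_empty, compiled_patterns)."""
    matches_empty, patterns = False, []
    for field in rules.split("|"):
        if not field:
            continue
        if field == EMPTY_UA:
            matches_empty = True
            continue
        # Only '*' is a wildcard; every other character is matched literally.
        body = ".*".join(re.escape(part) for part in field.split("*"))
        # Assumption: matching is case-insensitive (not stated in this topic).
        patterns.append(re.compile(body, re.IGNORECASE | re.DOTALL))
    return matches_empty, patterns


def evaluate(list_type, rules, user_agent):
    """Return 'allow', 'reject', or 'not-covered' for one request.

    user_agent is None when the header is absent, '' when it is empty.
    """
    if list_type not in ("blacklist", "whitelist"):
        raise ValueError("list_type must be 'blacklist' or 'whitelist'")
    if user_agent is None:
        # The lists do not cover requests without a User-Agent header.
        return "not-covered"
    matches_empty, patterns = parse_rules(rules)
    if user_agent == "":
        # Assumption: an empty value is matched only by the keyword.
        hit = matches_empty
    else:
        hit = any(p.fullmatch(user_agent) for p in patterns)
    if list_type == "blacklist":
        return "reject" if hit else "allow"
    return "allow" if hit else "reject"


# Constructed sample requests, run against the two example rules above.
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0"
if __name__ == "__main__":
    for ua in (FIREFOX, "curl/8.4.0", "", None):
        print(repr(ua), evaluate("whitelist", "*IE*|*firefox*", ua),
              evaluate("blacklist", "*IE*|this-is-empty-ua", ua))
```

A "not-covered" result marks traffic that the list does not decide on, so a separate control such as EdgeScript is needed for it.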