All Products
Search

This Product

    CDN:Configure a User-Agent blacklist or whitelist

    Document Center

    CDN:Configure a User-Agent blacklist or whitelist

    Last Updated:Feb 06, 2024

    User-Agent is an HTTP header. The header contains information about the client that makes the request, including the OS, OS version, browser, and browser version. You can configure a User-Agent blacklist or whitelist to restrict access to Alibaba Cloud CDN resources and improve service security.

    Usage notes

    • The blacklist and whitelist are mutually exclusive and cannot be configured at the same time.

    • If the value of the User-Agent header in a request matches a value in the User-Agent blacklist, the request can reach the point of presence (POP) but is rejected by the POP. Then, the HTTP 403 status code is returned to the client, and the request is recorded in Alibaba Cloud CDN logs.

    Procedure

    1. Log on to the Alibaba Cloud CDN console.

    2. In the left-side navigation pane, click Domain Names.

    3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.

    4. In the left-side navigation tree of the domain name, click Access Control.

    5. On the page that appears, click the User-Agent Blacklist/Whitelist tab.

    6. On the User-Agent Blacklist/Whitelist tab, click Modify.

    7. Configure a Blacklist or Whitelist as prompted.

      Parameter

      Description

      Type

      The following types of lists are supported:

      • Blacklist

        Requests whose User-Agent header matches a value in the blacklist are rejected, and an HTTP 403 status code is returned.

      • Whitelist

        Only requests whose User-Agent header matches a value in the whitelist are allowed to access resources on POPs.

      Rules

      When you specify User-Agent values, separate multiple values with vertical bars (|). You can use an asterisk (*) as a wildcard character. Example: *curl*|*IE*|*chrome*|*firefox*.

      Note

      • If you want to enable access control for requests whose User-Agent header is empty, you can use the this-is-empty-ua parameter to specify that the User-Agent header is empty.

        • If you specify the this-is-empty-ua parameter in the rules of the whitelist, requests that contain an empty User-Agent header are allowed.

        • If you specify the this-is-empty-ua parameter in the rules of the blacklist, requests that contain an empty User-Agent header are rejected.

      • The User-Agent blacklist and whitelist do not support access control for requests that do not contain the User-Agent header. You can use EdgeScript or submit a ticket to enable the feature. For more information, see EdgeScript overview.

      Rule Condition

      Rule conditions can identify parameters in a request to determine whether a configuration takes effect on the request.

      • Do not use conditions

      • Select the configured rule conditions in Rules Engine. For more information, see Rules engine.

    8. Click OK.

    Configuration examples

    • Example 1: Configure a whitelist

      Rules of the whitelist: *IE*|*firefox*

      Expected result: Only requests that are sent from IE or Firefox are allowed to access resources on POPs.

    • Example 2: Configure a blacklist

      Rules of the blacklist: *IE*|this-is-empty-ua

      Expected result: Requests that are sent from IE or contain an empty User-Agent header are rejected.