An IP blacklist or whitelist filters user requests and blocks or allows requests from specified IP addresses. IP lists can protect origin servers from IP theft and attacks. This topic describes how to configure an IP blacklist or whitelist.

Precautions

  • By default, the IP list feature is disabled. The IP blacklist and whitelist are mutually exclusive. You can configure only one of them.
  • You can add at most 700 IPv6 addresses and at most 2,000 IPv4 addresses to a list. If you want to add more IP addresses, submit a ticket to purchase Alibaba Cloud CDN security features. Security features are designed to block a large number of IP addresses.
  • If an IP address is added to the blacklist, requests from the IP address can still be sent to Alibaba Cloud CDN edge nodes. However, the edge nodes will reject the requests and return a 403 error. Requests sent from IP addresses that are on the blacklist are recorded in the logs of Alibaba Cloud CDN.
  • The IP blacklist and whitelist identify IP addresses based on Layer 7 HTTP IP recognition techniques. Network traffic may be generated when the edge nodes block requests. If clients access the edge nodes over HTTPS, HTTPS request fees are incurred due to resources consumed for processing requests on the edge nodes.

IP verification modes

When a client connects to an edge node, whether a proxy is used determines whether a direct connection is established between the client and the edge node. Assume that the client IP address is 10.10.10.10, and the proxy IP address is 192.168.0.1.
  • The proxy is not used
    • The value of the X-Forwarded-For (XFF) header in the user request is 10.10.10.10.
    • The client IP address, which is the first IP address 10.10.10.10 in the XFF header, is used to connect to the edge node.
  • The proxy is used
    • The value of the XFF header in the user request is 10.10.10.10,192.168.0.1.
    • The client IP address, which is the first IP address in the XFF header, is 10.10.10.10.
    • The IP address that is used to connect to the edge node is the IP address of the proxy, which is 192.168.0.1.
    • The client IP address, which is the first IP address in the XFF header, is not used to connect to the edge node.

The IP list feature of Alibaba Cloud CDN provides three verification modes to verify the IP addresses of different objects. The default mode verifies client IP addresses.

  • Verifies only client IP addresses
    Description: This mode verifies the first IP address in the XFF header. This IP address is the IP address of the client that initiates the request. For more information about how to retrieve XFF IP addresses, see Retrieve actual IP addresses of clients.
    If the user uses a proxy, the IP address that is used to connect to the edge node is the IP address of the proxy, and that address is not verified in this mode. In this case, the default verification mode may decrease the effectiveness of access control.
    Configuration method: This is the default mode. No configuration is required.
  • Verifies the IP address that is used to connect to the edge node
    Description: This mode verifies the IP address that is used to connect to the edge node.
    Configuration method: Submit a ticket.
  • Verifies both the client IP address and the IP address that is used to connect to the edge node
    Description: This mode verifies the following IP addresses:
    • The first IP address in the XFF header.
    • The IP address that is used to connect to the edge node.
    Configuration method: Submit a ticket.
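The following script is an added example, not code from Alibaba Cloud CDN: it simulates the three verification modes above with Python's ipaddress module, using the page's sample addresses (client 10.10.10.10 behind proxy 192.168.0.1). It shows why the default mode checks nothing about the proxy: in client-IP-only mode the blacklisted connecting address 192.168.0.1 passes, while the other two modes reject it. Mode, verify_request and the other names are this example's own, and the 200/403 results mirror the 403 error the page says edge nodes return.

```python
# Added example (not Alibaba Cloud CDN code): simulates the three IP
# verification modes with Python's ipaddress module. Mode, verify_request and
# the other names are this example's own.
import ipaddress
from enum import Enum


class Mode(Enum):
    CLIENT_IP = "client"          # default: only the first X-Forwarded-For entry
    CONNECTING_IP = "connecting"  # only the IP that opened the connection to the edge node
    BOTH = "both"                 # both of the above must pass the list


def parse_rules(rules):
    """Turn IP addresses and CIDR blocks into ip_network objects.

    A bare address becomes a /32 (IPv4) or /128 (IPv6) network."""
    return [ipaddress.ip_network(r.strip(), strict=False) for r in rules if r.strip()]


def ips_to_check(xff, connecting_ip, mode):
    """Select the addresses a given mode evaluates.

    As on the page, the first entry of X-Forwarded-For is treated as the client IP."""
    client_ip = xff.split(",")[0].strip()
    if mode is Mode.CLIENT_IP:
        return [client_ip]
    if mode is Mode.CONNECTING_IP:
        return [connecting_ip]
    return [client_ip, connecting_ip]


def verify_request(xff, connecting_ip, mode, list_type, rules):
    """Return the status the edge node would answer with: 200 (pass) or 403 (rejected).

    Blacklist: rejected if any evaluated address is listed.
    Whitelist: rejected unless every evaluated address is listed.
    An IPv4 address is never 'in' an IPv6 network (and vice versa), so mixed
    lists are safe."""
    networks = parse_rules(rules)
    hits = [any(ipaddress.ip_address(ip) in net for net in networks)
            for ip in ips_to_check(xff, connecting_ip, mode)]
    if list_type == "blacklist":
        rejected = any(hits)
    elif list_type == "whitelist":
        rejected = not all(hits)
    else:
        raise ValueError("list_type must be 'blacklist' or 'whitelist'")
    return 403 if rejected else 200


if __name__ == "__main__":
    # Constructed scenario using the page's addresses: client 10.10.10.10 behind
    # proxy 192.168.0.1, with 192.168.0.1 on the blacklist.
    proxied = dict(xff="10.10.10.10,192.168.0.1", connecting_ip="192.168.0.1")
    for mode in Mode:
        print(mode.value, verify_request(mode=mode, list_type="blacklist",
                                         rules=["192.168.0.1"], **proxied))
```

Running the script prints 200 for the client-IP-only mode and 403 for the other two, which is the gap the page describes when a proxy sits in front of the client.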

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
  4. In the left-side management pane of the domain name, click Access Control.
  5. Click the IP Blacklist/Whitelist tab.
  6. In the IP Blacklist/Whitelist section, click Modify.
  7. Select Blacklist or Whitelist based on your business requirements.
    The following parameters and options are available:
    • Type: The following types of IP list are supported:
      • IP address blacklist: Requests from IP addresses on the blacklist are blocked.
      • Whitelist: Only requests from IP addresses on the whitelist are allowed to access resources on the edge nodes.
    • Rules: Enter CIDR blocks such as 192.168.0.0/24 or IP addresses such as 192.168.0.1. Make sure that the CIDR blocks are not duplicates. Both IPv4 and IPv6 addresses are supported. Separate IP addresses with carriage return characters (one entry per line).
      • IPv6: You can add at most 700 IPv6 addresses to the list. Both the blacklist and whitelist support IPv6 addresses. The letters in IPv6 addresses must be in uppercase, for example, 2001:DB8:0:23:8:800:200C:**** or 2001:0DB8:0000:0023:0008:0800:200C:****. The notation of an IPv6 address must not be shortened. For example, 2001:0DB8::0008:0800:200C:**** is invalid.
      • IPv4: You can add at most 2,000 IPv4 addresses to the list.
      • The total length of the string that specifies IP addresses cannot exceed 30 KB.
  8. Click OK.
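The following validator is an added example, not code from Alibaba Cloud CDN: it checks a Rules value before you paste it into the console in step 7, applying the limits stated above (valid IP or CIDR per line, no duplicate blocks, uppercase unshortened IPv6, at most 700 IPv6 and 2,000 IPv4 entries, at most 30 KB). Function and constant names are this example's own, and the sample rule lists, including the documentation-range IPv6 address, are constructed for the demo.

```python
# Added example (not Alibaba Cloud CDN code): a pre-submission check for the
# Rules field. The limits are the ones stated in the procedure above; the
# function and constant names are this example's own.
import ipaddress
import re

MAX_IPV6_ENTRIES = 700
MAX_IPV4_ENTRIES = 2000
MAX_TEXT_BYTES = 30 * 1024

# Unshortened uppercase IPv6: eight colon-separated groups of 1-4 uppercase hex
# digits (leading zeros may be kept or dropped, as in the page's examples), with
# an optional /prefix. '::' compression and lowercase letters do not match.
FULL_UPPERCASE_IPV6 = re.compile(r"^(?:[0-9A-F]{1,4}:){7}[0-9A-F]{1,4}(?:/\d{1,3})?$")


def validate_rules(text):
    """Check a newline-separated rule list; return a list of problems (empty = OK)."""
    problems = []
    if len(text.encode("utf-8")) > MAX_TEXT_BYTES:
        problems.append(f"rule text is longer than {MAX_TEXT_BYTES} bytes")
    seen = set()
    ipv4 = ipv6 = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True also rejects CIDR blocks with host bits set (e.g. 192.168.0.1/24)
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            problems.append(f"line {lineno}: {entry!r} is not a valid IP address or CIDR block")
            continue
        # Comparing network objects catches duplicates written differently
        # (192.168.0.1 vs 192.168.0.1/32, 2001:DB8:... vs 2001:0DB8:...).
        if net in seen:
            problems.append(f"line {lineno}: duplicate entry {entry}")
        seen.add(net)
        if net.version == 6:
            ipv6 += 1
            if not FULL_UPPERCASE_IPV6.match(entry):
                problems.append(f"line {lineno}: IPv6 entry {entry} must be uppercase and not shortened")
        else:
            ipv4 += 1
    if ipv4 > MAX_IPV4_ENTRIES:
        problems.append(f"{ipv4} IPv4 entries exceed the limit of {MAX_IPV4_ENTRIES}")
    if ipv6 > MAX_IPV6_ENTRIES:
        problems.append(f"{ipv6} IPv6 entries exceed the limit of {MAX_IPV6_ENTRIES}")
    return problems


# Constructed sample inputs (the IPv6 address is a documentation-range example,
# not one taken from the page).
GOOD_RULES = "192.168.0.0/24\n192.168.0.1\n2001:DB8:0:23:8:800:200C:417A\n"
BAD_RULES = "192.168.0.0/24\n192.168.0.0/24\n2001:db8::1\n192.168.0.1/24\n"

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, validate_rules(rules) or "OK")
```

For the constructed BAD_RULES input the validator reports a duplicate block, a lowercase shortened IPv6 entry, and a CIDR block whose host bits are set; run it on your own list before step 8 so the console does not reject the whole string.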

Configuration examples

  • Whitelist

    CIDR block: 192.168.2.0/24

    Expected result: Only IP addresses that range from 192.168.2.1 to 192.168.2.254 (192.168.2.1 and 192.168.2.254 included) can access the resources of the accelerated domain name.

  • Blacklist

    IP address: 192.168.0.1

    Expected result: The IP address 192.168.0.1 is not allowed to access the resources of the accelerated domain name.

Related API operations

BatchSetCdnDomainConfig: configures an IP blacklist or whitelist for multiple domain names at a time. The ip_black_list_set parameter specifies an IP blacklist and the ip_allow_list_set parameter specifies an IP whitelist.