An IP blacklist or whitelist filters user requests by source IP address: a blacklist rejects requests from the listed addresses, and a whitelist allows requests only from the listed addresses. The IP list feature helps protect content served from Alibaba Cloud CDN points of presence (POPs) against traffic theft and attacks from known sources. This topic describes how to configure an IP blacklist or whitelist.

Description

  • By default, the IP list feature is disabled. The blacklist and the whitelist are mutually exclusive: a domain name can have only one of them.
  • A list can hold about 700 IPv6 entries and up to 2,000 IPv4 entries. If you need more, submit a ticket to purchase Alibaba Cloud CDN security features, which are designed to block large numbers of IP addresses.
  • Blacklisting an IP address does not stop its requests from reaching the POPs. The POP accepts the request, rejects it with an HTTP 403 response, and records it in the Alibaba Cloud CDN access logs.
  • The lists are enforced at Layer 7 (HTTP): the POP must accept the connection and read the request before it can reject it. Rejected requests therefore still consume traffic, and over HTTPS they also incur HTTPS request fees, because the POP processes the request (including the TLS handshake) before returning 403.

IP address verification modes

Whether a client connects to a POP directly or through a proxy determines what the "client IP address" and the "IP address used to connect to the POP" are. The following examples use 10.10.10.10 as the client IP address and 192.168.0.1 as the proxy IP address:
  • If the client connects to the POP directly (no proxy):
    • The X-Forwarded-For (XFF) header, as seen on the POP, is 10.10.10.10.
    • The client IP address, 10.10.10.10, is the first IP address in the XFF header and is also the IP address used to connect to the POP.
  • If the client connects through a proxy:
    • The XFF header, as seen on the POP, is 10.10.10.10,192.168.0.1.
    • The client IP address, 10.10.10.10, is the first IP address in the XFF header.
    • The IP address used to connect to the POP is the proxy IP address, 192.168.0.1.
    • The client IP address (the first XFF entry) is therefore not the address that the POP sees on the connection.

The IP list feature of Alibaba Cloud CDN supports three verification modes, which differ in which of the two IP addresses is checked against the list. By default, the client IP address is verified.

Mode: Verify the client IP address (default)
  Description: Verifies only the client IP address, that is, the first IP address in the XFF header of the request. For information about how to obtain XFF IP addresses, see Retrieve the originating IP addresses of clients.
  If the client connects through a proxy, the POP sees the proxy IP address on the connection rather than the client IP address, so access control in this mode may be inaccurate.
  Configuration: This is the default mode. No configuration is required.

Mode: Verify the IP address used to connect to the POP
  Description: Verifies only the IP address that the client (or its proxy) uses to connect to the POP.
  Configuration: Submit a ticket to apply for this mode.

Mode: Verify both the client IP address and the IP address used to connect to the POP
  Description: Verifies both of the following addresses:
  • The first IP address in the XFF header.
  • The IP address used to connect to the POP.
  Configuration: Submit a ticket to apply for this mode.
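The three modes, worked through on the page's own scenario (client 10.10.10.10, proxy 192.168.0.1, with 10.10.10.10 blacklisted). This is an added example written for this page, not Alibaba Cloud code. It takes from the text that the client IP is the first XFF entry, that the POP appends the connecting address to XFF (direct: 10.10.10.10; via proxy: 10.10.10.10,192.168.0.1), and that rejected requests get 403. The last two cases show why the client-IP-only mode can be inaccurate: every XFF entry before the POP's own is supplied by the previous hop, so a client that sends its own XFF header puts an address of its choosing in first position. How the two-address mode combines its checks (blacklist: either address listed blocks; whitelist: both must be listed) is an assumption of this example.

```python
"""Model of the three IP verification modes of the CDN IP list feature.

Added example, not Alibaba Cloud code.  Taken from the page: the client IP
is the first X-Forwarded-For (XFF) entry, the POP appends the connecting
address to XFF, blacklisted requests get 403.  Assumption: in the
two-address mode a blacklist blocks when either address is listed and a
whitelist passes only when both are listed.
"""
import ipaddress
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    CLIENT = "client_ip"            # default: first IP in XFF
    CONNECTING = "connecting_ip"    # peer address of the TCP connection to the POP
    BOTH = "client_and_connecting"


def pop_xff(incoming_xff: Optional[str], peer_ip: str) -> str:
    """XFF as the POP sees it: the header that arrived, plus the peer address."""
    hops = [h.strip() for h in (incoming_xff or "").split(",") if h.strip()]
    hops.append(peer_ip)
    return ",".join(hops)


def client_ip(xff: str) -> str:
    """The page's 'client IP address': the first entry in XFF."""
    return xff.split(",")[0].strip()


def parse_rules(text: str) -> List:
    """Rules box contents: one IP address or CIDR block per line."""
    return [ipaddress.ip_network(line.strip())
            for line in text.splitlines() if line.strip()]


def listed(ip: str, rules: List) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in rules if net.version == addr.version)


def decide(list_type: str, rules: List, mode: Mode, xff: str, peer_ip: str) -> int:
    """HTTP status the POP answers: 200 if the request passes, 403 if rejected."""
    checked = {Mode.CLIENT: [client_ip(xff)],
               Mode.CONNECTING: [peer_ip],
               Mode.BOTH: [client_ip(xff), peer_ip]}[mode]
    hits = [listed(a, rules) for a in checked]
    if list_type == "blacklist":
        rejected = any(hits)          # assumption for BOTH: any listed address blocks
    elif list_type == "whitelist":
        rejected = not all(hits)      # assumption for BOTH: every checked address must be listed
    else:
        raise ValueError(f"unknown list type {list_type!r}")
    return 403 if rejected else 200


def demo() -> dict:
    """The page's scenario with 10.10.10.10 blacklisted, plus a direct client
    that sends its own XFF header (constructed input)."""
    rules = parse_rules("10.10.10.10\n")
    direct = pop_xff(None, "10.10.10.10")              # "10.10.10.10"
    via_proxy = pop_xff("10.10.10.10", "192.168.0.1")  # "10.10.10.10,192.168.0.1"
    forged = pop_xff("203.0.113.7", "10.10.10.10")     # "203.0.113.7,10.10.10.10"
    return {
        "direct, client mode": decide("blacklist", rules, Mode.CLIENT, direct, "10.10.10.10"),
        "proxy, client mode": decide("blacklist", rules, Mode.CLIENT, via_proxy, "192.168.0.1"),
        "proxy, connecting mode": decide("blacklist", rules, Mode.CONNECTING, via_proxy, "192.168.0.1"),
        "proxy, both mode": decide("blacklist", rules, Mode.BOTH, via_proxy, "192.168.0.1"),
        "forged XFF, client mode": decide("blacklist", rules, Mode.CLIENT, forged, "10.10.10.10"),
        "forged XFF, both mode": decide("blacklist", rules, Mode.BOTH, forged, "10.10.10.10"),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:26} -> {status}")
```

In the proxy case the connecting-IP mode passes the request (192.168.0.1 is not listed) while the client-IP mode rejects it; in the forged-XFF case the opposite happens. Only the mode that checks both addresses rejects in every case, which is the mode to ask for when the list must hold against untrusted clients.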

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
  4. In the left-side navigation pane of the domain name, click Access Control.
  5. Click the IP Denylist or Allowlist tab.
  6. In the IP Denylist or Allowlist section, click Modify.
  7. Select Denylist or Allowlist (the blacklist and whitelist described above) based on your business requirements, and enter the rules.
    Type: The following types of IP list are supported:
    • Blacklist: Requests from IP addresses on the list are rejected.
    • Whitelist: Only requests from IP addresses on the list can access resources on the POPs.
    Rules: Enter IP addresses such as 192.168.0.1 or CIDR blocks such as 192.168.0.0/24, one entry per line. IPv4 and IPv6 are both supported. Do not enter duplicate or overlapping blocks.
    • IPv6: You can add about 700 IPv6 entries. Write IPv6 addresses with all eight groups and upper-case hexadecimal letters; shortened notation with :: is not accepted. Valid: FC00:AA3:0:23:3:300:300A:1234 and FC00:0AA3:0000:0023:0003:0300:300A:1234. Invalid: FC00:0AA3::0023:0003:0300:300A:1234. IPv6 CIDR blocks are supported, for example FC00:0AA3:0000:0000:0000:0000:0000:0000/48.
    • IPv4: You can add up to 2,000 IPv4 entries.
    • The string that holds all entries must not exceed 30 KB.
  8. Click OK.

Configuration example

  • Whitelist

    CIDR block: 192.168.2.0/24

    Expected result: Only requests from addresses in 192.168.2.0/24 (192.168.2.0 through 192.168.2.255) can access the resources of the domain name; requests from all other addresses are rejected.

  • Blacklist

    IP address: 192.168.0.1

    Expected result: Requests from 192.168.0.1 are rejected with 403; all other addresses can access the resources of the domain name.

API reference

BatchSetCdnDomainConfig: configures an IP blacklist or whitelist for one or more domain names in a single call. Use the ip_black_list_set function to configure a blacklist and the ip_allow_list_set function to configure a whitelist.
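A helper that prepares the Rules box from step 7 of the procedure and the matching Functions payload for BatchSetCdnDomainConfig. This is an added example, not Alibaba Cloud SDK code. The rules it enforces come from the text (one entry per line, IPv4 or IPv6 address or CIDR block, no duplicate or overlapping blocks, IPv6 in full eight-group upper-case form, about 2,000 IPv4 and 700 IPv6 entries, 30 KB total) and the function names ip_black_list_set and ip_allow_list_set come from the API reference above. The argName "ip_list" inside functionArgs is an assumption of this example; confirm it against the BatchSetCdnDomainConfig reference before calling the API.

```python
"""Prepare the Rules box for the CDN IP list and the Functions payload for
BatchSetCdnDomainConfig.

Added example, not Alibaba Cloud SDK code.  Limits and formats are from the
page; the "ip_list" argName in the Functions JSON is an assumption.
"""
import ipaddress
import json
from typing import Iterable

MAX_IPV4 = 2000
MAX_IPV6 = 700
MAX_BYTES = 30 * 1024


def normalize_rule(entry: str) -> str:
    """Return one entry in the form the console accepts.

    192.168.0.1                  -> 192.168.0.1
    fc00:aa3::23:3:300:300a:1234 -> FC00:0AA3:0000:0023:0003:0300:300A:1234
    fc00:aa3::/48                -> FC00:0AA3:0000:0000:0000:0000:0000:0000/48
    192.168.0.1/24               -> ValueError (host bits set: ambiguous block)
    """
    entry = entry.strip()
    net = ipaddress.ip_network(entry, strict=True)  # ValueError on junk or host bits
    if net.version == 6:
        base = net.network_address.exploded.upper()  # no :: shortening, upper-case hex
    else:
        base = str(net.network_address)
    return f"{base}/{net.prefixlen}" if "/" in entry else base


def build_rules(entries: Iterable[str]) -> str:
    """Normalise, de-duplicate, drop entries that lie inside a wider listed
    block, enforce the limits, and join with newlines for the Rules box."""
    parsed, seen = [], set()
    for raw in entries:
        if not raw.strip():
            continue
        text = normalize_rule(raw)
        net = ipaddress.ip_network(raw.strip(), strict=True)
        if net in seen:            # "192.168.0.1" and "192.168.0.1/32" are the same rule
            continue
        seen.add(net)
        parsed.append((text, net))
    blocks = [n for _, n in parsed if n.prefixlen < n.max_prefixlen]
    kept = [text for text, net in parsed
            if not any(b != net and b.version == net.version and net.subnet_of(b)
                       for b in blocks)]
    v4 = sum(1 for t in kept if ":" not in t)
    v6 = len(kept) - v4
    if v4 > MAX_IPV4 or v6 > MAX_IPV6:
        raise ValueError(f"{v4} IPv4 / {v6} IPv6 entries exceed the list limits "
                         f"({MAX_IPV4} / {MAX_IPV6}); submit a ticket for a larger list")
    rules = "\n".join(kept)
    if len(rules.encode()) > MAX_BYTES:
        raise ValueError("rules exceed 30 KB")
    return rules


def batch_set_functions(list_type: str, rules: str) -> str:
    """JSON for the Functions parameter of BatchSetCdnDomainConfig.
    functionName values are from the page; argName "ip_list" is assumed."""
    name = {"blacklist": "ip_black_list_set", "whitelist": "ip_allow_list_set"}[list_type]
    return json.dumps([{"functionName": name,
                        "functionArgs": [{"argName": "ip_list", "argValue": rules}]}])


if __name__ == "__main__":
    # Constructed input: a /24, a host already inside it, and two IPv6 entries.
    rules = build_rules(["192.168.2.0/24", "192.168.2.5", "fc00:aa3::/48",
                         "FC00:0AA3:0000:0023:0003:0300:300A:1234"])
    print(rules)
    print(batch_set_functions("whitelist", rules))
```

Entries are parsed with strict=True so a block with host bits set (192.168.0.1/24) is rejected instead of silently widened to the /24, which would otherwise allow or block 255 addresses the operator never typed.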