An IP blacklist or whitelist filters user requests, and blocks or allows requests from specified IP addresses. The IP list feature can protect Alibaba Cloud CDN points of presence (POPs) from IP theft and attacks. This topic describes how to configure an IP blacklist or whitelist.

Usage notes

  • By default, the IP list feature is disabled. The IP blacklist and whitelist are mutually exclusive. You can configure only one of the lists.
  • You can add up to about 700 IPv6 addresses and up to 2,000 IPv4 addresses to a list. If you want to block more IP addresses, enable Alibaba Cloud DCDN security features. Security features are designed to block a large number of IP addresses. For more information, see Activate DCDN.
  • If an IP address is added to the blacklist, requests from the IP address can still be sent to POPs. However, the POPs reject the requests and return a 403 error. Requests sent from IP addresses that are on the blacklist are recorded in the logs of Alibaba Cloud CDN.
  • The IP blacklist and whitelist identify IP addresses based on Layer 7 HTTP IP recognition techniques. Network traffic may be generated when POPs block malicious requests. If clients access POPs over HTTPS, HTTPS request fees are generated due to resources that are consumed to process requests on the POPs.

IP address verification modes

When a client connects to a POP, whether a proxy is used determines the value of the client IP address and the value of the IP address that is used by the client to connect to the POP. In the following examples, client IP address 10.10.10.10 and proxy IP address 192.168.0.1 are used:
  • If no proxy is used when a client connects to a POP, the following rules apply:
    • The value of the X-Forwarded-For (XFF) header in the client request is 10.10.10.10.
    • The client IP address (10.10.10.10) is the IP address used by the client to connect to the POP. The client IP address is the first IP address in the XFF header.
  • If a proxy is used when a client connects to a POP, the following rules apply:
    • The value of the XFF header in the client request is 10.10.10.10,192.168.0.1.
    • The client IP address (10.10.10.10) is the first IP address in the XFF header.
    • The IP address that is used by the client to connect to a POP is the IP address of the proxy, which is 192.168.0.1.
    • The client IP address, or the first IP address in the XFF header, is not used by the client to connect to the POP.

The IP list feature of Alibaba Cloud CDN can verify three types of IP addresses. By default, the client IP address is verified.

  • Verifies the client IP address
    Description: This mode verifies only the client IP address, which is the first IP address in the XFF header of a client request. For information about how to obtain XFF IP addresses, see Retrieve the originating IP addresses of clients.
    If a proxy is used when a client connects to a POP, the client uses the proxy IP address to connect to the POP. In this case, access control in this verification mode may not be accurate.
    Configuration: This is the default verification mode. No configuration is required.
  • Verifies the IP address that is used to connect to the POP
    Description: This mode verifies only the IP address that is used by a client to connect to a POP.
    Configuration: Enable DCDN security features. For more information, see Activate DCDN.
  • Verifies the client IP address and the IP address that is used to connect to the POP
    Description: This mode verifies the following IP addresses:
      • The first IP address in the XFF header.
      • The IP address that is used by a client to connect to a POP.
    Configuration: Enable DCDN security features. For more information, see Activate DCDN.
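The following Python example is added here to illustrate the XFF handling and the three verification modes described above; it is not Alibaba Cloud code and does not reproduce what a POP actually runs. It takes the XFF header value and the address that opened the connection (the proxy address when a proxy is used), selects the addresses that the chosen mode verifies, and checks them against a blacklist or whitelist of IP addresses and CIDR blocks. Two policy details are assumptions, not statements from this topic: in blacklist mode a request is rejected if any verified address matches, and in whitelist mode every verified address must match. The sample lists are constructed from the addresses used in this topic.

```python
import ipaddress
from typing import Iterable, List


def parse_xff(xff: str) -> List[str]:
    """Split an X-Forwarded-For value such as '10.10.10.10,192.168.0.1' into entries."""
    return [part.strip() for part in xff.split(",") if part.strip()]


def client_ip(xff: str) -> str:
    """The client IP address is the first IP address in the XFF header."""
    entries = parse_xff(xff)
    if not entries:
        raise ValueError("empty X-Forwarded-For header")
    return entries[0]


def verified_ips(xff: str, connecting_ip: str, mode: str) -> List[str]:
    """Return the addresses that a verification mode checks.

    mode: "client"  - the client IP address only (first XFF entry; the default)
          "connect" - the IP address that connected to the POP only
          "both"    - both of the above
    """
    if mode == "client":
        return [client_ip(xff)]
    if mode == "connect":
        return [connecting_ip]
    if mode == "both":
        return [client_ip(xff), connecting_ip]
    raise ValueError(f"unknown verification mode: {mode}")


def matches_rules(ip: str, rules: Iterable[str]) -> bool:
    """True if ip is covered by any rule (single address or CIDR block)."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        # strict=False accepts a plain address as a /32 or /128 network
        net = ipaddress.ip_network(rule, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def is_allowed(xff: str, connecting_ip: str, list_type: str,
               rules: Iterable[str], mode: str = "client") -> bool:
    """Decide whether a request passes the IP list under the given mode."""
    rules = list(rules)
    ips = verified_ips(xff, connecting_ip, mode)
    if list_type == "blacklist":
        # Assumption: rejected as soon as any verified address is listed.
        return not any(matches_rules(ip, rules) for ip in ips)
    if list_type == "whitelist":
        # Assumption: every verified address must be listed.
        return all(matches_rules(ip, rules) for ip in ips)
    raise ValueError(f"unknown list type: {list_type}")


if __name__ == "__main__":
    # Constructed sample: blacklist the proxy address from this topic's examples.
    blacklist = ["192.168.0.1"]
    direct = ("10.10.10.10", "10.10.10.10")            # no proxy
    proxied = ("10.10.10.10,192.168.0.1", "192.168.0.1")  # via proxy
    for mode in ("client", "connect", "both"):
        print(mode, "direct:", is_allowed(*direct, "blacklist", blacklist, mode),
              "proxied:", is_allowed(*proxied, "blacklist", blacklist, mode))
```

Run stand-alone, the loop shows the caveat from the table: in the default client mode the proxied request still passes although its connecting address 192.168.0.1 is blacklisted, because only the first XFF entry is checked; the connect and both modes reject it.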

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
  4. In the left-side navigation pane of the domain name, click Access Control.
  5. Click the IP Blacklist or Whitelist tab.
  6. In the IP Blacklist or Whitelist section, click Modify.
  7. Select Blacklist or Whitelist based on your business requirements.
    The following parameters are available:
    • Type: The following types of IP list are supported:
      • Blacklist: Requests from IP addresses on the blacklist are blocked.
      • Whitelist: Only requests from IP addresses on the whitelist can access resources on the POPs.
    • Rules: Enter CIDR blocks such as 192.168.0.0/24 or IP addresses such as 192.168.0.1. Make sure that the CIDR blocks are not duplicates. IPv4 and IPv6 addresses are supported. Separate IP addresses with carriage return characters.
      • IPv6: You can add up to about 700 IPv6 addresses to the list. The blacklist and whitelist support IPv6 addresses. The letters in IPv6 addresses are not case-sensitive. Example: FC00:AA3:0:23:3:300:300A:1234 or fc00:0aa3:0000:0023:0003:0300:300a:1234. The notation of an IPv6 address cannot be shortened. For example, FC00:0AA3::0023:0003:0300:300A:1234 is invalid. CIDR blocks are supported. Example: FC00:0AA3:0000:0000:0000:0000:0000:0000/48.
      • IPv4: You can add up to about 2,000 IPv4 addresses to the list.
      • The total length of the string that specifies IP addresses cannot exceed 30 KB.
  8. Click OK.
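Because the console rejects a list that breaks the Rules format, it helps to check a list before pasting it in. The following Python validator is an added example, not Alibaba Cloud code, and it applies the constraints stated in the Rules parameter: one address or CIDR block per line, IPv4 or IPv6, no duplicates, IPv6 written in full (no :: shortening, letter case ignored), about 700 IPv6 and 2,000 IPv4 entries, and a total length of at most 30 KB. It treats the "about" limits as hard limits, which is an assumption, and canonicalises each entry with the ipaddress module so that 192.168.0.1 and 192.168.0.1/32, or the same IPv6 address in different letter case, count as duplicates.

```python
import ipaddress
import re
from typing import List, Set, Tuple

MAX_IPV4_RULES = 2000          # topic: "up to about 2,000 IPv4 addresses" (treated as hard)
MAX_IPV6_RULES = 700           # topic: "up to about 700 IPv6 addresses" (treated as hard)
MAX_RULES_BYTES = 30 * 1024    # topic: total string cannot exceed 30 KB

# Full-form IPv6: exactly eight colon-separated groups of 1-4 hex digits, with an
# optional /prefix. An entry containing "::" never has eight groups, so it fails.
_IPV6_FULL = re.compile(r"^[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){7}(/\d{1,3})?$")


def validate_rules(text: str) -> Tuple[List[str], List[str]]:
    """Validate an IP list in the console's Rules format.

    Returns (accepted, errors): accepted holds the canonical form of each valid,
    non-duplicate entry; errors holds one human-readable message per problem.
    """
    errors: List[str] = []
    if len(text.encode("utf-8")) > MAX_RULES_BYTES:
        errors.append(f"rule string exceeds {MAX_RULES_BYTES} bytes")

    accepted: List[str] = []
    seen: Set[str] = set()
    ipv4_count = ipv6_count = 0

    # splitlines() accepts \r, \r\n and \n, so carriage-return separated input works.
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            errors.append(f"line {lineno}: {entry!r} is not a valid IP address or CIDR block")
            continue
        if net.version == 6 and not _IPV6_FULL.match(entry):
            errors.append(f"line {lineno}: {entry!r} uses shortened IPv6 notation; "
                          "write all eight groups")
            continue
        key = net.with_prefixlen  # canonical: lower-case hex, explicit prefix length
        if key in seen:
            errors.append(f"line {lineno}: {entry!r} duplicates an earlier rule")
            continue
        seen.add(key)
        if net.version == 4:
            ipv4_count += 1
        else:
            ipv6_count += 1
        accepted.append(key)

    if ipv4_count > MAX_IPV4_RULES:
        errors.append(f"{ipv4_count} IPv4 rules exceed the limit of {MAX_IPV4_RULES}")
    if ipv6_count > MAX_IPV6_RULES:
        errors.append(f"{ipv6_count} IPv6 rules exceed the limit of {MAX_IPV6_RULES}")
    return accepted, errors


if __name__ == "__main__":
    # Constructed sample built from the entries quoted in this topic.
    sample = "\n".join([
        "192.168.0.0/24",
        "192.168.0.1",
        "FC00:AA3:0:23:3:300:300A:1234",
        "fc00:0aa3:0000:0023:0003:0300:300a:1234",   # same address, different case
        "FC00:0AA3::0023:0003:0300:300A:1234",        # shortened: invalid
        "FC00:0AA3:0000:0000:0000:0000:0000:0000/48",
    ])
    ok, problems = validate_rules(sample)
    print("accepted:", ok)
    print("errors:", problems)
```

The canonical form is only used for duplicate detection and reporting; paste the entries in the full notation the console requires, as shown in the Rules description.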

Sample configurations

  • Whitelist

    CIDR block: 192.168.2.0/24

    Expected result: Only IP addresses that range from 192.168.2.1 to 192.168.2.254 can access the resources of the specified domain name.

  • Blacklist

    IP address: 192.168.0.1

    Expected result: The IP address 192.168.0.1 cannot access the resources of the specified domain name.

Related API operations

BatchSetCdnDomainConfig: configures an IP blacklist or whitelist for multiple domain names at the same time. The ip_black_list_set parameter specifies an IP blacklist and the ip_allow_list_set parameter specifies an IP whitelist.