All Products
Search
Document Center

CDN:Parameters for configuring features for domain names

Last Updated:Jun 29, 2026

This topic describes the features and parameters that you can configure when calling the BatchSetCdnDomainConfig or SetCdnDomainStagingConfig operation to configure features for domain names. Each feature is identified by a function name and a numeric function ID, and is passed as an element in the Functions array of the request body.

Request structure

When you call BatchSetCdnDomainConfig (production environment) or SetCdnDomainStagingConfig (staging environment) to configure domain name features, the request body contains a Functions array. Each element in the array specifies a functionName, and one or more functionArgs as key-value pairs (argName and argValue).

{
    "Functions": [{
        "functionArgs": [{
            "argName": "<parameter-name>",
            "argValue": "<parameter-value>"
        }],
        "functionName": "<feature-name>"
    }],
    "DomainNames": "example.com"
}
Note

The features described in this topic can be referenced by the following operations: - Production environment: BatchSetCdnDomainConfig, DescribeCdnDomainConfigs, BatchDeleteCdnDomainConfig, and DescribeCdnUserDomainsByFunc.

Staging environment: SetCdnDomainStagingConfig, DescribeCdnDomainStagingConfig, RollbackStagingConfig, and PublishStagingConfigToProduction.

Calling BatchSetCdnDomainConfig or SetCdnDomainStagingConfig generates a unique ConfigId for the configuration. You can use the ConfigId to update or delete the configuration. For more information, see ConfigId Usage Notes. - Some features conflict with each other. Only one feature from a conflicting pair can be configured at a time. Conflict pairs are noted in the corresponding feature sections below.

Network configurations

ipv6

  • Description: Configures IPv6 access.

  • Function ID: 194

  • Parameters:

Parameter

Type

Required

Description

Example

switch

String

Yes

Specifies whether to enable IPv6 access. Valid values: on, off.

on

region

String

Yes

The region where IPv6 is enabled. Use an asterisk (*) for all regions.

*

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "switch",
            "argValue": "on"
        }, {
            "argName": "region",
            "argValue": "*"
        }],
        "functionName": "ipv6"
    }],
    "DomainNames": "example.com"
}

Origin configurations

set_req_host_header

  • Description: Configures the default origin host.

  • Function ID: 18

  • Parameters:

Parameter

Type

Required

Description

Example

domain_name

String

Yes

The origin host header content.

example.com

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "domain_name",
            "argValue": "example.com"
        }],
        "functionName": "set_req_host_header"
    }],
    "DomainNames": "example.com"
}

forward_scheme

  • Description: Configures the origin protocol.

  • Function ID: 47

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable the origin protocol feature. Valid values: on, off.

on

scheme_origin

String

No

The protocol scheme for origin fetch. Valid values: http, https, follow. Default value: follow.

follow

scheme_origin_port

String

No

Custom origin ports. Required when scheme_origin is set to follow (format: httpPort:httpsPort, for example, 80:443).

80:443

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }, {
            "argName": "scheme_origin",
            "argValue": "follow"
        }, {
            "argName": "scheme_origin_port",
            "argValue": "80:443"
        }],
        "functionName": "forward_scheme"
    }],
    "DomainNames": "example.com"
}

l2_oss_key

  • Description: Configures private OSS Bucket origin fetch. When using this feature for the first time, you must enable the default permission policy, which grants CDN read-only access to all OSS Buckets under the same Alibaba Cloud account.

  • Function ID: 85

  • Parameters:

Parameter

Type

Required

Description

Example

private_oss_auth

String

Yes

Specifies whether to enable private OSS Bucket origin fetch. Valid values: on, off. When enabled, the system automatically configures STS security tokens. This only supports CDN domain origin fetch to OSS private Buckets under the same Alibaba Cloud account.

on

perm_private_oss_tbl

String

No

Permanent security token configuration. Format: access_id=123 access_secret=123abc (separated by space). When configured, CDN domain origin fetch to OSS private Buckets under other Alibaba Cloud accounts is also supported.

access_id=123 access_secret=123abc

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "private_oss_auth",
            "argValue": "on"
        }, {
            "argName": "perm_private_oss_tbl",
            "argValue": "access_id=123 access_secret=123abc"
        }],
        "functionName": "l2_oss_key"
    }],
    "DomainNames": "example.com"
}

oss_key_list

  • Description: Configures the OSS origin private key list. You can configure one or more rules representing different OSS private Buckets with their corresponding security tokens.

  • Function ID: 183

  • Parameters:

Parameter

Type

Required

Description

Example

host

String

Yes

The full address of the OSS Bucket.

example.oss-cn-hangzhou.aliyuncs.com

key

String

Yes

Permanent security token configuration. Format: access_id=123 access_secret=123abc (separated by space).

access_id=123 access_secret=123abc

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "host",
            "argValue": "example.oss-cn-hangzhou.aliyuncs.com"
        }, {
            "argName": "key",
            "argValue": "access_id=123 access_secret=123abc"
        }],
        "functionName": "oss_key_list"
    }],
    "DomainNames": "example.com"
}

https_origin_sni

  • Description: Configures the origin SNI (Server Name Indication).

  • Function ID: 114

  • Parameters:

Parameter

Type

Required

Description

Example

enabled

String

Yes

Specifies whether to enable origin SNI. Valid values: on, off.

on

https_origin_sni

String

Yes

The SNI information carried in origin requests (the origin server address that the request needs to access).

origin.example.com

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "https_origin_sni",
            "argValue": "origin.example.com"
        }, {
            "argName": "enabled",
            "argValue": "on"
        }],
        "functionName": "https_origin_sni"
    }],
    "DomainNames": "example.com"
}

forward_timeout

  • Description: Configures the origin request timeout.

  • Function ID: 124

  • Parameters:

Parameter

Type

Required

Description

Example

forward_timeout

Integer

Yes

Request timeout in seconds. We recommend setting a value less than 100 seconds.

30

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "forward_timeout",
            "argValue": "30"
        }],
        "functionName": "forward_timeout"
    }],
    "DomainNames": "example.com"
}

advanced_origin

  • Description: Configures advanced origin fetch, which routes requests to different origin servers based on variables in the user request (such as URI, headers, query parameters, or cookies).

  • Function ID: 235

  • Conflict: Conflicts with origin_dns_host (Function ID: 212). Only one can be configured. If one feature is already configured (including when its switch parameter is set to off), you must delete the existing configuration before configuring the other.

  • Parameters:

Parameter

Type

Required

Description

Example

variable_type

String

Yes

The variable type. Valid values: header (request header), arg (query string parameter), uri (request path), cookie (request cookie).

uri

variable

String

Yes

The variable name. When variable_type is set to uri, the variable must be set to uri.

uri

conditions

String

Yes

The condition operator. Valid values: == (equals), != (not equals).

==

value

String

Yes

The variable value to match.

/image

origin

String

Yes

The origin server domain name to use when the variable matches the specified value.

origin.example.com

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "conditions",
            "argValue": "=="
        }, {
            "argName": "variable_type",
            "argValue": "uri"
        }, {
            "argName": "value",
            "argValue": "/image"
        }, {
            "argName": "origin",
            "argValue": "origin.example.com"
        }, {
            "argName": "variable",
            "argValue": "uri"
        }],
        "functionName": "advanced_origin"
    }],
    "DomainNames": "example.com"
}

follow_302

  • Description: Configures origin 302 redirect following.

  • Function ID: 219

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable origin 302 redirect following. Valid values: on, off.

on

max_tries

Integer

No

Maximum number of 302 redirects to follow. Default value: 2. Valid values: 1-5. The actual maximum number of origin requests is max_tries + 1.

2

retain_args

String

No

Specifies whether to retain original request parameters when following 302 redirects. Valid values: on, off (default).

off

retain_header

String

No

Specifies whether to retain original request headers when following 302 redirects. Valid values: on, off (default).

off

response_header

String

No

The response header name for 302 redirect. Default value: Location.

X-Alicdn-Redirect

retain_host

String

No

Specifies whether to retain the origin host when following 302 redirects. Valid values: on, off (default).

off

modify_host

String

No

Modifies the origin host when following 302 redirects. By default, the origin host is not modified.

example.com

cache

String

No

Specifies whether to cache 302 redirect results for the same URL to improve CDN response performance. Valid values: on, off (default).

off

expired_time

Integer

No

Cache expiration time for 302 redirect results, in seconds. Must be used with the cache parameter. Default value: 3600.

7200

follow_origin_host

String

No

Specifies whether to use the origin server domain name as the origin host (uses the latest origin domain even after primary/standby switching). Valid values: on, off (default).

off

follow_5xx_retry_origin

String

No

Specifies whether to switch to the next available origin server when the current origin responds with a 5xx status code. Valid values: on, off (default).

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }, {
            "argName": "max_tries",
            "argValue": "2"
        }, {
            "argName": "retain_args",
            "argValue": "off"
        }, {
            "argName": "retain_header",
            "argValue": "off"
        }],
        "functionName": "follow_302"
    }],
    "DomainNames": "example.com"
}

set_req_header

  • Description: Configures custom origin HTTP request headers (v1). We recommend using the v2 version: origin_request_header, which supports more features.

  • Function ID: 39

  • Parameters:

Parameter

Type

Required

Description

Example

key

String

Yes

The origin request header name.

Accept-Encoding

value

String

Yes

The origin request header value. To delete a header, set the value to null.

gzip

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "value",
            "argValue": "gzip"
        }, {
            "argName": "key",
            "argValue": "Accept-Encoding"
        }],
        "functionName": "set_req_header"
    }],
    "DomainNames": "example.com"
}

origin_request_header

  • Description: Configures custom origin HTTP request headers (v2). Supports add, delete, modify, and rewrite operations.

  • Function ID: 228

  • Parameters:

Parameter

Type

Required

Description

Example

header_operation_type

String

Yes

The header operation type. Valid values: add, delete, modify, rewrite.

add

header_name

String

Yes

The request header name.

Accept-Encoding

header_value

String

No

The request header value. Multiple values can be separated by commas (,).

gzip

duplicate

String

No

Specifies whether to allow duplicate headers with the same name (when using the add operation). Valid values: on, off.

off

header_source

String

No

The value to search for replacement (when using the rewrite operation). Supports regular expressions.

value1

header_destination

String

No

The replacement value (when using the rewrite operation).

value123

match_all

String

No

The matching mode (when using the rewrite operation). Valid values: on (replace all matches), off (replace first match only).

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "header_operation_type",
            "argValue": "add"
        }, {
            "argName": "header_name",
            "argValue": "Accept-Encoding"
        }, {
            "argName": "header_value",
            "argValue": "gzip"
        }, {
            "argName": "duplicate",
            "argValue": "off"
        }],
        "functionName": "origin_request_header"
    }],
    "DomainNames": "example.com"
}

origin_response_header

  • Description: Configures origin HTTP response headers. Supports add, delete, modify, and rewrite operations.

  • Function ID: 229

  • Parameters:

Parameter

Type

Required

Description

Example

header_operation_type

String

Yes

The response header operation type. Valid values: add, delete, modify, rewrite.

add

header_name

String

Yes

The response header name.

Cache-Control

header_value

String

No

The response header value. Multiple values can be separated by commas (,).

no-cache

duplicate

String

No

Specifies whether to allow duplicate headers with the same name (when using the add operation). Valid values: on, off.

off

header_source

String

No

The value to search for replacement (when using the rewrite operation). Supports regular expressions.

value1

header_destination

String

No

The replacement value (when using the rewrite operation).

value123

match_all

String

No

The matching mode (when using the rewrite operation). Valid values: on (replace all matches), off (replace first match only).

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "header_operation_type",
            "argValue": "add"
        }, {
            "argName": "header_name",
            "argValue": "Cache-Control"
        }, {
            "argName": "header_value",
            "argValue": "no-cache"
        }, {
            "argName": "duplicate",
            "argValue": "off"
        }],
        "functionName": "origin_response_header"
    }],
    "DomainNames": "example.com"
}

back_to_origin_url_rewrite

  • Description: Configures origin URI rewriting.

  • Function ID: 225

  • Parameters:

Parameter

Type

Required

Description

Example

source_url

String

Yes

The URI to be rewritten.

^/hello$

target_url

String

Yes

The target URI after rewriting.

/hello/test

flag

String

No

The execution rule for the rewrite operation. Valid values: (empty, default) continues to match subsequent rewrite rules after execution; break: stops matching subsequent rules after execution; enhance_break: similar to break but processes parameters together and also works for FLV live streaming.

break

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "flag",
            "argValue": "break"
        }, {
            "argName": "source_url",
            "argValue": "^/hello$"
        }, {
            "argName": "target_url",
            "argValue": "/hello/test"
        }],
        "functionName": "back_to_origin_url_rewrite"
    }],
    "DomainNames": "example.com"
}

back_to_origin_argument_rewrite

  • Description: Configures origin argument rewriting. Rewrites query parameters in the origin request URL. Supports configuring multiple rewrite rules. Operation priority: add > delete > keep > modify.

  • Function ID: 224

  • Parameters:

Parameter

Type

Required

Description

Example

delete_argument

String

No

Arguments to delete, separated by spaces.

code1

save_argument

String

No

Arguments to keep, separated by spaces. Only the listed arguments are retained. Add and delete operations still take effect.

(empty)

ignore_all_argument

String

No

Specifies whether to ignore all arguments. Valid values: on (ignores all arguments; only the add operation remains effective), off (default).

on

add_argument

String

No

Arguments to add (highest priority), separated by spaces.

value=123

modify_argument

String

No

Arguments to modify (lowest priority), separated by spaces. If an argument is deleted, it will not be retained.

value=321

enable

String

Yes

Specifies whether to enable origin argument rewriting. Valid values: on, off.

on

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "delete_argument",
            "argValue": ""
        }, {
            "argName": "save_argument",
            "argValue": ""
        }, {
            "argName": "add_argument",
            "argValue": ""
        }, {
            "argName": "modify_argument",
            "argValue": ""
        }, {
            "argName": "ignore_all_argument",
            "argValue": "on"
        }, {
            "argName": "enable",
            "argValue": "on"
        }],
        "functionName": "back_to_origin_argument_rewrite"
    }],
    "DomainNames": "example.com"
}

aws_s3_bucket

  • Description: Configures Amazon S3 authenticated Bucket origin fetch.

  • Function ID: 186

  • Parameters:

Parameter

Type

Required

Description

Example

enabled

String

Yes

Specifies whether to enable Amazon S3 authenticated Bucket. Valid values: l2 (enable), off (disable).

l2

bucketname

String

No

The Amazon S3 Bucket name.

/

accesskey

String

Yes

AWS AccessKey.

123456789

secretkey

String

Yes

AWS SecretKey.

12345678

region

String

Yes

The Amazon S3 storage region.

us-east-2

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enabled",
            "argValue": "l2"
        }, {
            "argName": "accesskey",
            "argValue": "123456789"
        }, {
            "argName": "secretkey",
            "argValue": "123456789"
        }, {
            "argName": "region",
            "argValue": "us-east-2"
        }],
        "functionName": "aws_s3_bucket"
    }],
    "DomainNames": "example.com"
}

origin_certificate_verification

  • Description: Configures origin certificate verification (SNI whitelist).

  • Function ID: 223

  • Parameters:

Parameter

Type

Required

Description

Example

enabled

String

Yes

Specifies whether to enable origin certificate verification. Valid values: on, off.

on

common_name_whitelist

String

No

Certificate whitelist domain names, separated by commas (,). Certificates matching these whitelisted domains pass verification.

example.com

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }, {
            "argName": "common_name_whitelist",
            "argValue": "example.com"
        }],
        "functionName": "origin_certificate_verification"
    }],
    "DomainNames": "example.com"
}

origin_dns_host

  • Description: Configures conditional origin server. Works with the rule engine feature (condition, Function ID: 250) to route requests to specified origin servers based on path, URL parameters, request headers, and other information. Before configuring, you must first create at least one rule engine condition.

  • Function ID: 212

  • Conflict: Conflicts with advanced_origin (Function ID: 235). Only one can be configured. If one feature is already configured (including when its switch parameter is set to off), you must delete the existing configuration before configuring the other.

  • Parameters:

Parameter

Type

Required

Description

Example

ali_origin_dns_host

String

Yes

The domain name used for origin DNS resolution.

example.com

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "ali_origin_dns_host",
            "argValue": "example.com"
        }],
        "functionName": "origin_dns_host",
        "parentId": 30119730104
    }],
    "DomainNames": "example.com"
}

origin_host

  • Description: Configures origin host for a specified origin server.

  • Function ID: 242

  • Parameters:

Parameter

Type

Required

Description

Example

origin

String

Yes

The origin server address. Set to all to apply to all origin servers.

example.com

host

String

Yes

The host header value. Set to ali_follow_origin to use the origin server address as the host value.

host.example.com

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "origin",
            "argValue": "example.com"
        }, {
            "argName": "host",
            "argValue": "host.example.com"
        }],
        "functionName": "origin_host"
    }],
    "DomainNames": "example.com"
}

ali_origin_port_scheme

  • Description: Configures origin port and protocol.

  • Function ID: 276

  • Parameters:

Parameter

Type

Required

Description

Example

port

String

Yes

The origin port. When scheme is set to follow, use the format http:80|https:443.

80

scheme

String

Yes

The origin protocol. Valid values: http, https, follow (follow the client protocol), https_sm (HTTPS with Chinese national cryptographic algorithms), follow_sm (follow the client protocol, supporting both international and national cryptographic algorithms).

http

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "port",
            "argValue": "80"
        }, {
            "argName": "scheme",
            "argValue": "http"
        }],
        "functionName": "ali_origin_port_scheme"
    }],
    "DomainNames": "example.com"
}

origin_sni

  • Description: Configures origin SNI for a specified origin server.

  • Function ID: 262

  • Parameters:

Parameter

Type

Required

Description

Example

origin

String

Yes

The origin server address. Set to all to apply to all origin servers.

example.com

sni_host

String

Yes

The SNI host value. Can be a fixed value, ali_follow_origin (follow the origin server address), or ali_follow_host (follow the origin host).

example.org

keepalive_sni

String

No

Specifies whether to enable keepalive SNI matching. Valid values: on, off. When enabled, different origin SNI values use separate keepalive connections.

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "origin",
            "argValue": "origin.example.com"
        }, {
            "argName": "sni_host",
            "argValue": "host.example.com"
        }],
        "functionName": "origin_sni"
    }],
    "DomainNames": "example.com"
}

source_group

  • Description: Configures origin server groups.

  • Function ID: 294

  • Parameters:

Parameter

Type

Required

Description

Example

source_group_name

String

Yes

The origin server group name. Supports lowercase letters, digits, and underscores. Maximum length: 128 bytes.

example_origin

source_info

String

Yes

Origin server information in the format: address_priority_weight_port. Separate multiple origin servers with commas (,). Priority: 1-65535 (lower value = higher priority). Weight: 1-100. Port: 1-65535.

192.168.0.1_10_33_80,192.0.2.1_10_67_80

retry_times

Integer

No

The number of origin retry attempts.

3

retry_status_rule

Integer

No

The retry status codes. Supported values: 4xx, 5xx, 404, 404-or-5xx, 4xx-or-5xx.

404-or-5xx

failback_source

String

No

Specifies whether to fall back to the basic origin server configuration when all servers in the group are unavailable. Valid values: on, off.

on

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "source_group_name",
            "argValue": "test_origin"
        }, {
            "argName": "source_info",
            "argValue": "192.168.0.1_10_33_80,192.0.2.1_10_67_80"
        }, {
            "argName": "retry_times",
            "argValue": "3"
        }, {
            "argName": "retry_status_rule",
            "argValue": "404-or-5xx"
        }, {
            "argName": "failback_source",
            "argValue": "on"
        }],
        "functionName": "source_group"
    }],
    "DomainNames": "example.com"
}

ipv6_origin

  • Description: Configures IPv6 origin fetch.

  • Function ID: 265

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable IPv6 origin fetch. Valid values: on, off. When enabled, CDN uses IPv6 for origin connections when both the CDN node and origin server have available IPv6 addresses.

on

follow

String

Yes

Specifies whether to follow the client IP protocol version for origin fetch. Valid values: on, off. When enabled, CDN follows the client request protocol: IPv6 client requests prefer IPv6 origin servers; IPv4 client requests prefer IPv4 origin servers.

on

ipv6_v4_mix_used

String

No

Specifies whether to enable IPv4/IPv6 round-robin origin fetch. Valid values: on, off. When enabled, IPv6 origin and follow features become ineffective. All requests use round-robin across all origin addresses regardless of client protocol.

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }, {
            "argName": "follow",
            "argValue": "on"
        }],
        "functionName": "ipv6_origin"
    }],
    "DomainNames": "example.com"
}

cos_auth

  • Description: Configures Tencent Cloud COS authenticated Bucket origin fetch.

  • Function ID: 288

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable Tencent Cloud COS authenticated Bucket. Valid values: on, off.

on

cos_valid_period

String

No

The authentication signature validity period in seconds. Default value: 3600.

3600

cos_secret_id

String

Yes

The Tencent Cloud authentication ID.

123456789

cos_secret_key

String

Yes

The Tencent Cloud authentication key.

12345678

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }, {
            "argName": "cos_secret_id",
            "argValue": "123456789"
        }, {
            "argName": "cos_secret_key",
            "argValue": "123456789"
        }],
        "functionName": "cos_auth"
    }],
    "DomainNames": "example.com"
}

oss_auth

  • Description: Configures the OSS authentication bucket information used by CDN for origin fetch. This configuration is automatically added when you configure an OSS-type origin server for an accelerated domain name. Do not manually delete this configuration, as it may cause billing issues for CDN origin traffic and authentication failures for private Bucket access.

  • Function ID: 10

  • Parameters:

Parameter

Type

Required

Description

Example

oss_bucket_id

String

Yes

The public endpoint of the OSS Bucket.

cdn-test.oss-cn-hongkong.aliyuncs.com

oss_pri_buckets

String

Yes

The public endpoint of the OSS Bucket and its corresponding Bucket name, separated by a pipe (|).

cdn-test.oss-cn-hongkong.aliyuncs.com|cdn-test

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "oss_bucket_id",
            "argValue": "cdn-test.oss-cn-hongkong.aliyuncs.com"
        }, {
            "argName": "oss_pri_buckets",
            "argValue": "cdn-test.oss-cn-hongkong.aliyuncs.com|cdn-test"
        }],
        "functionName": "oss_auth"
    }],
    "DomainNames": "example.com"
}

Access control

referer_white_list_set

  • Description: Configures a Referer whitelist.

  • Function ID: 1

  • Conflict: Conflicts with referer_black_list_set (Function ID: 5). Only one can be configured.

  • Parameters:

Parameter

Type

Required

Description

Example

refer_domain_allow_list

String

Yes

The whitelist of Referer domains, separated by commas (,).

example.aliyundoc.com,demo.aliyundoc.com

allow_empty

String

No

Specifies whether to allow empty Referer fields. Valid values: on, off (default).

off

redirect_url

String

No

The redirect URL for unmatched requests (must start with http:// or https://).

http://www.example.com

disable_ast

String

No

Exact matching mode. Valid values: on (exact match), off (suffix match, default).

off

ignore_scheme

String

No

Specifies whether to ignore the HTTP or HTTPS scheme in the Referer. Valid values: on, off (default).

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "refer_domain_allow_list",
            "argValue": "example.aliyundoc.com,demo.aliyundoc.com"
        }],
        "functionName": "referer_white_list_set"
    }],
    "DomainNames": "example.com"
}

referer_black_list_set

  • Description: Configures a Referer blacklist.

  • Function ID: 5

  • Conflict: Conflicts with referer_white_list_set (Function ID: 1). Only one can be configured.

  • Parameters:

Parameter

Type

Required

Description

Example

refer_domain_deny_list

String

Yes

The blacklist of Referer domains, separated by commas (,).

example.aliyundoc.com,demo.aliyundoc.com

allow_empty

String

No

Specifies whether to allow empty Referer fields. Valid values: on, off.

off

redirect_url

String

No

The redirect URL for matched requests.

http://www.example.com

disable_ast

String

No

Exact matching mode. Valid values: on (exact match), off (suffix match, default).

off

ignore_scheme

String

No

Specifies whether to ignore the HTTP or HTTPS scheme in the Referer. Valid values: on, off (default).

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "refer_domain_deny_list",
            "argValue": "example.aliyundoc.com,demo.aliyundoc.com"
        }],
        "functionName": "referer_black_list_set"
    }],
    "DomainNames": "example.com"
}

ip_allow_list_set

  • Description: Configures an IP whitelist.

  • Function ID: 69

  • Conflict: Conflicts with ip_black_list_set (Function ID: 13). Only one can be configured.

  • Parameters:

Parameter

Type

Required

Description

Example

ip_list

String

Yes

The list of IP addresses or CIDR blocks, separated by commas (,). You can configure up to 700 IPv6 addresses or 2,000 IPv4 addresses. The total string length of the IP addresses cannot exceed 30 KB. CIDR blocks are supported (for example, 127.0.0.0/24). Case is not significant in IPv6 addresses. The :: shorthand is not supported.

192.168.0.1/24

customize_response_status_code

String

No

Custom response status code. Default value: 403.

429

ip_acl_xfwd

String

No

The IP matching mode. Valid values: on (use X-Forwarded-For header, default), off (use TCP connection IP), all (use both).

all

ip_list_notes

String

No

Notes for the IP list.

192.x.x.1 (malicious IP)

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "ip_list",
            "argValue": "192.168.0.1/24"
        }],
        "functionName": "ip_allow_list_set"
    }],
    "DomainNames": "example.com"
}

ip_black_list_set

  • Description: Configures an IP blacklist.

  • Function ID: 13

  • Conflict: Conflicts with ip_allow_list_set (Function ID: 69). Only one can be configured.

  • Parameters:

Parameter

Type

Required

Description

Example

ip_list

String

Yes

The list of IP addresses or CIDR blocks, separated by commas (,). You can configure up to 700 IPv6 addresses or 2,000 IPv4 addresses. The total string length of the IP addresses cannot exceed 30 KB. CIDR blocks are supported (for example, 127.0.0.0/24). Case is not significant in IPv6 addresses. The :: shorthand is not supported.

192.168.0.1

customize_response_status_code

String

No

Custom response status code. Default value: 403.

429

ip_acl_xfwd

String

No

The IP matching mode. Valid values: on (use X-Forwarded-For header, default), off (use TCP connection IP), all (use both).

all

ip_list_notes

String

No

Notes for the IP list.

192.x.x.1 (malicious IP)

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "ip_list",
            "argValue": "192.168.0.1"
        }],
        "functionName": "ip_black_list_set"
    }],
    "DomainNames": "example.com"
}

aliauth

  • Description: Configures URL authentication.

  • Function ID: 25

  • Parameters:

Parameter

Type

Required

Description

Example

auth_m3u8

String

No

Enables m3u8 content rewriting. When enabled, authentication parameters are appended to TS segments in the m3u8 file to prevent TS access authentication failures. Valid values: on (default), off.

on

auth_type

String

Yes

Authentication type. Valid values: no_auth, type_a, type_b, type_c, type_d, type_e, type_f. For details about each type, see the URL authentication documentation.

type_a

auth_key1

String

Yes

Authentication key 1 (16-128 characters, letters and digits only).

1234567890123456789

auth_key2

String

No

Authentication key 2 (16-128 characters, letters and digits only).

1234567890123456789

ali_auth_delta

Integer

No

Valid duration of the authenticated URL, in seconds. Default value: 1800.

1800

req_auth_ip_white

String

No

Whitelist IP addresses that are exempt from authentication. Separate multiple IP addresses with commas (,).

192.168.0.1

req_auth_ip_acl_xfwd

String

No

The method to extract the client IP for whitelist exemption. Valid values: on (default, uses the first IP from the X-Forwarded-For header), off (uses the TCP connection IP), all (uses both).

all

sign_param

String

No

The name of the sign parameter. Only valid when auth_type is set to type_f.

sign

time_param

String

No

The name of the timestamp parameter. Only valid when auth_type is set to type_f.

time

time_format

String

No

The format of the timestamp. Only valid when auth_type is set to type_f. Valid values: dec (decimal), hex (hexadecimal).

hex

path_encoding

String

No

Specifies whether to enable URL encoding. Only valid when auth_type is set to type_f. Valid values: on, off.

on

  • Example 1 (Authentication type A):

{
    "Functions": [{
        "functionArgs": [{
            "argName": "auth_type",
            "argValue": "type_a"
        }, {
            "argName": "auth_key1",
            "argValue": "1234567890123456789"
        }, {
            "argName": "auth_key2",
            "argValue": "1234567890123456789"
        }, {
            "argName": "ali_auth_delta",
            "argValue": 1800
        }, {
            "argName": "req_auth_ip_white",
            "argValue": "192.168.0.1"
        }, {
            "argName": "req_auth_ip_acl_xfwd",
            "argValue": "all"
        }],
        "functionName": "aliauth"
    }],
    "DomainNames": "example.com"
}
  • Example 2 (Authentication type F):

{
    "Functions": [{
        "functionArgs": [{
            "argName": "auth_type",
            "argValue": "type_f"
        }, {
            "argName": "auth_key1",
            "argValue": "1234567890123456789"
        }, {
            "argName": "auth_key2",
            "argValue": "1234567890123456789"
        }, {
            "argName": "ali_auth_delta",
            "argValue": 1800
        }, {
            "argName": "sign_param",
            "argValue": "sign"
        }, {
            "argName": "time_param",
            "argValue": "time"
        }, {
            "argName": "time_format",
            "argValue": "hex"
        }, {
            "argName": "path_encoding",
            "argValue": "on"
        }],
        "functionName": "aliauth"
    }],
    "DomainNames": "example.com"
}

cdn_remote_auth

  • Description: Configures remote authentication.

  • Function ID: 258

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable remote authentication. Valid values: on, off.

on

remote_auth_addr

String

Yes

The authentication server address. Format: https://cdn.aliyun.com/auth or http://10.10.10.10/auth.

https://example.aliyundoc.com/auth

remote_auth_method

String

Yes

The request method. Valid values: GET, POST, HEAD.

get

remote_auth_type

String

Yes

The file type to authenticate. Set to all for all types. Multiple types are separated by pipes (|), case-sensitive.

all

remote_auth_reserve_args

String

Yes

Reserved request parameters, separated by pipes (|), case-insensitive. Set to all to reserve all parameters, or ali_delete_all_args to delete all URL parameters.

all

remote_auth_custom_args

String

No

Custom parameters to add, separated by pipes (|), case-sensitive.

(empty)

remote_auth_reserve_header

String

Yes

Reserved request headers, separated by pipes (|), case-insensitive. Set to all to reserve all headers, or ali_delete_all_headers to delete all headers.

all

remote_auth_custom_header

String

No

Custom request headers to add, separated by pipes (|), case-insensitive.

(empty)

remote_auth_success_code

Integer

Yes

The authentication success status code returned by the authentication server. Multiple codes are separated by commas.

200

remote_auth_fail_code

Integer

Yes

The authentication failure status code returned by the authentication server. Multiple codes are separated by commas.

403,404

remote_auth_other_code_act

String

No

The action for other status codes (neither success nor failure). Valid values: pass (default, allow the request), reject (deny the request).

pass

remote_auth_fail_resp_code

Integer

Yes

The status code that CDN returns to the client when authentication fails.

403

remote_auth_timeout

Integer

Yes

The authentication timeout in milliseconds. Maximum value: 3000.

500

remote_auth_timeout_action

String

Yes

The action when authentication times out. Valid values: pass (allow the request), reject (return the failure response code).

pass

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }, {
            "argName": "remote_auth_addr",
            "argValue": "https://example.aliyundoc.com/auth"
        }, {
            "argName": "remote_auth_method",
            "argValue": "get"
        }, {
            "argName": "remote_auth_type",
            "argValue": "all"
        }, {
            "argName": "remote_auth_reserve_args",
            "argValue": "all"
        }, {
            "argName": "remote_auth_reserve_header",
            "argValue": "all"
        }, {
            "argName": "remote_auth_success_code",
            "argValue": "200"
        }, {
            "argName": "remote_auth_fail_code",
            "argValue": "403"
        }, {
            "argName": "remote_auth_fail_resp_code",
            "argValue": "403"
        }, {
            "argName": "remote_auth_timeout",
            "argValue": "500"
        }, {
            "argName": "remote_auth_timeout_action",
            "argValue": "pass"
        }],
        "functionName": "cdn_remote_auth"
    }],
    "DomainNames": "example.com"
}

ali_ua

  • Description: Configures User-Agent access restrictions.

  • Function ID: 58

  • Parameters:

Parameter

Type

Required

Description

Example

ua

String

Yes

User-Agent values. Supports wildcard * (matches any string) and multiple values separated by pipes (|).

*curl*|*IE*|*chrome*|*firefox*

type

String

Yes

The list type. Valid values: black (blacklist), white (whitelist). Blacklist and whitelist are mutually exclusive; only one can be active at a time.

black

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "ua",
            "argValue": "*curl*|*IE*|*chrome*|*firefox*"
        }, {
            "argName": "type",
            "argValue": "black"
        }],
        "functionName": "ali_ua"
    }],
    "DomainNames": "example.com"
}

Cache configurations

filetype_based_ttl_set

  • Description: Configures file expiration time.

  • Function ID: 6

  • Parameters:

Parameter

Type

Required

Description

Example

ttl

Integer

Yes

Cache duration in seconds. Valid values: 1-99999999.

500000

file_type

String

Yes

File types, separated by commas (,). Case-sensitive. For example, jpg,txt.

jpg

weight

Integer

No

Priority. Valid values: 1-99. Default value: 1 (higher value = higher priority).

1

swift_origin_cache_high

String

No

Specifies whether to prioritize the origin cache policy. When enabled, the cache policy from origin response headers (such as Cache-Control and Pragma) takes priority. Valid values: on, off (default).

off

swift_no_cache_low

String

No

Specifies whether to ignore origin no-cache response headers. When enabled, the following origin response headers are ignored: Cache-Control: no-store, Cache-Control: no-cache, Cache-Control: max-age=0, Pragma: no-cache. Valid values: on, off (default).

off

swift_follow_cachetime

String

No

Specifies whether the client follows the CDN cache policy. When enabled, the final effective CDN cache policy is sent in the response to the client. Valid values: on, off (default).

off

force_revalidate

String

No

Specifies whether to force content validation when the TTL is 0. Valid values: on (when TTL is 0, content is cached on the CDN node and revalidated with the origin on each request), off (default, when TTL is 0, content is not cached and is fetched from the origin on each request).

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "ttl",
            "argValue": "500000"
        }, {
            "argName": "file_type",
            "argValue": "jpg"
        }],
        "functionName": "filetype_based_ttl_set"
    }],
    "DomainNames": "example.com"
}

ali_return_code

  • Description: Custom HTTP response. Constructs an HTTP response with a custom HTTP status code and HTTP body. The constructed response is returned directly to the client.

  • Function ID: 56

  • Parameters:

Note

Pre-origin response mode (exit_after_return_code set to on): CDN does not fetch from the origin. It intercepts the request directly and returns the response status code and response body (if configured) to the client.

Post-origin response mode (exit_after_return_code set to return_code_phase or empty): CDN first fetches content from the origin, then returns both the response status code and the origin response content to the client. This setting does not take effect by default in post-origin mode; the response body is always the content returned by the origin. To replace the origin response body, you must also enable ali_body_filter_switch.

Parameter

Type

Required

Description

Example

return_code

Integer

Yes

The response status code. Sets the HTTP status code that the CDN node ultimately returns to the client.

302

exit_after_return_code

String

No

The response mode, which controls when the CDN returns the response to the client. Valid values: on: Pre-origin response. CDN does not fetch from the origin. It intercepts the request directly and returns the response status code and response body (if configured) to the client. return_code_phase: Post-origin response. CDN first fetches content from the origin, then returns both the response status code and the origin response content to the client (default mode, used when this parameter is empty).

on

resp_body_ct

String

No

The response body content (HTTP Body) to customize what is returned to the client. In pre-origin response mode: if specified, this content is returned as the response body; if not specified, only the status code is returned. In post-origin response mode: this setting does not take effect by default; the response body is always the content returned by the origin.

example

ali_body_filter_switch

String

No

Switch to modify the origin response content. This setting takes effect only in post-origin response mode. When enabled, CDN replaces the origin response body with the specified response content and returns the response status code plus the response content to the client. Valid values: on: Enable. off: Disable.

on

ali_body_filter_code

Integer

No

Matches the origin response status code. This setting takes effect only in post-origin response mode and when modify origin response content is enabled. When specified, CDN only triggers the response content replacement logic when the origin returns the specified status code. If the status code does not match, no replacement is performed.

404

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "return_code",
            "argValue": "403"
        }, {
            "argName": "exit_after_return_code",
            "argValue": "on"
        }, {
            "argName": "resp_body_ct",
            "argValue": "null"
        }, {
            "argName": "ali_body_filter_switch",
            "argValue": "on"
        }, {
            "argName": "ali_body_filter_code",
            "argValue": "333"
        }],
        "functionName": "ali_return_code"
    }],
    "DomainNames": "example.com"
}

path_based_ttl_set

  • Description: Configures directory-based cache expiration time.

  • Function ID: 7

  • Parameters:

Parameter

Type

Required

Description

Example

ttl

Integer

Yes

Cache duration in seconds. Valid values: 1-99999999.

500000

path

String

Yes

The directory path, which must start with a forward slash (/).

/example/demo

weight

Integer

No

Priority. Valid values: 1-99. Default value: 1 (higher value = higher priority).

1

swift_origin_cache_high

String

No

Specifies whether to prioritize the origin cache policy. Valid values: on, off (default).

off

swift_no_cache_low

String

No

Specifies whether to ignore origin no-cache response headers. Valid values: on, off (default).

off

swift_follow_cachetime

String

No

Specifies whether the client follows the CDN cache policy. Valid values: on, off (default).

off

force_revalidate

String

No

Specifies whether to force content validation when the TTL is 0. Valid values: on, off (default).

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "path",
            "argValue": "/example/demo"
        }, {
            "argName": "weight",
            "argValue": "1"
        }, {
            "argName": "ttl",
            "argValue": "500000"
        }],
        "functionName": "path_based_ttl_set"
    }],
    "DomainNames": "example.com"
}

filetype_force_ttl_code

  • Description: Configures file type-based status code cache expiration time.

  • Function ID: 63

  • Parameters:

Parameter

Type

Required

Description

Example

file_type

String

Yes

File types, case-sensitive, separated by commas (,).

jpg

code_string

String

Yes

Status codes and their cache durations in seconds (1-99999999), separated by commas. Format: code=ttl.

403=10

swift_code_origin_cache_high

String

No

Specifies whether to prioritize the origin cache policy. Valid values: on, off (default).

off

swift_code_no_cache_low

String

No

Specifies whether to ignore origin no-cache response headers. Valid values: on, off (default).

off

swift_code_follow_cachetime

String

No

Specifies whether the client follows the CDN cache policy. Valid values: on, off (default).

off

force_revalidate

String

No

Specifies whether to force content validation when the TTL is 0. Valid values: on, off (default).

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "file_type",
            "argValue": "jpg"
        }, {
            "argName": "code_string",
            "argValue": "403=10"
        }],
        "functionName": "filetype_force_ttl_code"
    }],
    "DomainNames": "example.com"
}

path_force_ttl_code

  • Description: Configures path-based status code cache expiration time.

  • Function ID: 65

  • Parameters:

Parameter

Type

Required

Description

Example

path

String

Yes

The directory path, which must start with a forward slash (/).

/example/demo

code_string

String

Yes

Status codes and their cache durations in seconds (1-99999999), separated by commas. Format: code=ttl.

403=10,404=15

swift_code_origin_cache_high

String

No

Specifies whether to prioritize the origin cache policy. Valid values: on, off (default).

off

swift_code_no_cache_low

String

No

Specifies whether to ignore origin no-cache response headers. Valid values: on, off (default).

off

swift_code_follow_cachetime

String

No

Specifies whether the client follows the CDN cache policy. Valid values: on, off (default).

off

force_revalidate

String

No

Specifies whether to force content validation when the TTL is 0. Valid values: on, off (default).

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "path",
            "argValue": "/example/demo"
        }, {
            "argName": "code_string",
            "argValue": "403=10,404=15"
        }],
        "functionName": "path_force_ttl_code"
    }],
    "DomainNames": "example.com"
}

default_ttl_code

  • Description: Configures status code cache expiration time (origin priority).

  • Function ID: 207

  • Parameters:

Parameter

Type

Required

Description

Example

default_ttl_code

String

Yes

Status codes and their cache durations in seconds (1-99999999), separated by commas. Format: code=ttl.

4xx=3,200=3600,5xx=1

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "default_ttl_code",
            "argValue": "4xx=3,200=3600,5xx=1"
        }],
        "functionName": "default_ttl_code"
    }],
    "DomainNames": "example.com"
}

set_resp_header

  • Description: Configures custom HTTP response headers.

  • Function ID: 27

  • Parameters:

Parameter

Type

Required

Description

Example

key

String

Yes

The response header name.

Cache-Control

value

String

Yes

The response header value. Multiple values are separated by commas (,). To delete a header, set the value to null.

no-cache

header_operation_type

String

No

The header operation type. Valid values: add, delete, modify, rewrite.

add

duplicate

String

No

Specifies whether to allow duplicate headers (when using the add operation). Valid values: on, off.

off

header_source

String

No

The value to search for replacement (when using rewrite). Supports regular expressions.

value1

header_destination

String

No

The replacement value (when using rewrite).

value123

match_all

String

No

The matching mode (when using rewrite). Valid values: on (replace all), off (replace first only).

off

access_origin_control

String

No

Specifies whether to enable cross-origin validation. Valid values: on, off.

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "header_operation_type",
            "argValue": "add"
        }, {
            "argName": "key",
            "argValue": "Cache-Control"
        }, {
            "argName": "value",
            "argValue": "no-cache"
        }, {
            "argName": "duplicate",
            "argValue": "off"
        }],
        "functionName": "set_resp_header"
    }],
    "DomainNames": "example.com"
}

error_page

  • Description: Configures custom error pages.

  • Function ID: 15

  • Parameters:

Parameter

Type

Required

Description

Example

error_code

Integer

Yes

The error status code.

404

rewrite_page

String

Yes

The redirect page URL.

http://example.aliyundoc.com/error404.html

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "error_code",
            "argValue": "404"
        }, {
            "argName": "rewrite_page",
            "argValue": "http://example.aliyundoc.com/error404.html"
        }],
        "functionName": "error_page"
    }],
    "DomainNames": "example.com"
}

host_redirect

  • Description: Configures URI rewrite rules.

  • Function ID: 43

  • Parameters:

Parameter

Type

Required

Description

Example

regex

String

Yes

The URI to be rewritten. Must start with /. Supports PCRE regular expressions.

^/hello$

replacement

String

Yes

The target URI. When flag is set to break, only supports paths starting with /. When flag is set to redirect, can include protocol and domain name. Supports PCRE regular expressions ($1, $2 for capture groups).

/hello/test

flag

String

No

The execution rule. Valid values: (empty, default) continues matching subsequent rules; break: stops matching subsequent rules, rewrites the URI without modifying parameters; redirect: returns a 302 redirect to the client, continues matching subsequent rules; enhance_break: similar to break but modifies the entire URL including parameters; enhance_redirect: similar to redirect but modifies the entire URL including parameters.

redirect

rewrite_method

String

No

The redirect method. Valid values: 302 (default, request method may change to GET), 303 (request method changes to GET, body is lost), 307 (request method and body are preserved).

302

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "flag",
            "argValue": "redirect"
        }, {
            "argName": "regex",
            "argValue": "^/hello$"
        }, {
            "argName": "replacement",
            "argValue": "/hello/test"
        }, {
            "argName": "rewrite_method",
            "argValue": "302"
        }],
        "functionName": "host_redirect"
    }],
    "DomainNames": "example.com"
}

self_defined_cachekey

  • Description: Configures custom cache keys.

  • Function ID: 227

  • Parameters:

Parameter

Type

Required

Description

Example

uri

Array of String

No

Rewrites the source URI to a target URI for the cache key. Use uri_to_rewrite for the source and ai_uri_regex for the target.

[{"uri_to_rewrite":"/hello","ai_uri_regex":"/hello/test"}]

args

Array of String

No

Performs add, delete, modify, or keep operations on request parameters for the cache key.

[{"args":"test=123","args_operation_type":"add"}]

headers

String

No

HTTP headers to include in the cache key, separated by spaces.

example

variable

Array of String

No

Custom variables extracted from request URL parameters, HTTP headers, cookies, or URI using regular expressions to append to the cache key.

[]

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "uri",
            "argValue": [{"uri_to_rewrite": "/hello", "ai_uri_regex": "/hello/test"}]
        }, {
            "argName": "args",
            "argValue": [{"args": "test=123", "args_operation_type": "add"}]
        }, {
            "argName": "headers",
            "argValue": ""
        }, {
            "argName": "variable",
            "argValue": []
        }],
        "functionName": "self_defined_cachekey"
    }],
    "DomainNames": "example.com"
}

rewrite_host

  • Description: Configures shared cache (cache key rewrite).

  • Function ID: 54

  • Parameters:

Parameter

Type

Required

Description

Example

share_host

String

Yes

The target domain name that can share cache with the current domain. This does not modify the origin host in user requests. It only uses the share_host value to generate the cache key for cache lookups.

example.com

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "share_host",
            "argValue": "example.com"
        }],
        "functionName": "rewrite_host"
    }],
    "DomainNames": "example.com"
}

serving_stale_content

  • Description: Configures stale content serving. Serves cached content that has expired when the origin server is unavailable.

  • Function ID: 260

  • Parameters:

Parameter

Type

Required

Description

Example

origin_error_status_code

String

No

Custom origin error status codes that trigger stale content serving. By default (when not specified), origin errors are defined as timeouts plus all 5xx status codes. Supports fuzzy matching (4xx, 5xx) and exact matching (502, 504). Multiple codes are separated by commas.

502

extend_expiration_time

Integer

No

The maximum time (in seconds) to keep stale cached content after expiration. Default value: 3600 (1 hour).

60

origin_first

String

No

Specifies whether to prioritize the origin stale-if-error policy. When enabled (on), if the origin response includes Cache-Control: stale-if-error=xx, the stale-if-error time takes precedence over extend_expiration_time. Valid values: on, off (default).

on

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "origin_error_status_code",
            "argValue": "502"
        }, {
            "argName": "extend_expiration_time",
            "argValue": "60"
        }, {
            "argName": "origin_first",
            "argValue": "off"
        }],
        "functionName": "serving_stale_content"
    }],
    "DomainNames": "example.com"
}

HTTPS configurations

https_option

  • Description: Configures HTTPS basic parameters.

  • Function ID: 78

  • Parameters:

Parameter

Type

Required

Description

Example

http2

String

No

Specifies whether to enable HTTP/2. Valid values: on, off.

on

ocsp_stapling

String

No

Specifies whether to enable OCSP Stapling. Valid values: on, off.

on

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "http2",
            "argValue": "on"
        }],
        "functionName": "https_option"
    }],
    "DomainNames": "example.com"
}

https_force

  • Description: Configures HTTPS redirect.

  • Function ID: 44

  • Conflict: Conflicts with http_force (Function ID: 45). Only one can be configured.

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable HTTPS redirect. Valid values: on, off.

on

https_rewrite

String

No

Redirect method. Valid values: 301, 308.

301

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }, {
            "argName": "https_rewrite",
            "argValue": "301"
        }],
        "functionName": "https_force"
    }],
    "DomainNames": "example.com"
}

http_force

  • Description: Configures forced HTTP redirect.

  • Function ID: 45

  • Conflict: Conflicts with https_force (Function ID: 44). Only one can be configured. If one feature is already configured (including when its switch parameter is set to off), you must delete the existing configuration before configuring the other.

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable forced HTTP redirect. Valid values: on, off.

on

http_rewrite

String

No

The redirect method. Valid values: 301 (GET request method unchanged, other methods may change to GET), 308 (request method and body are preserved).

301

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }, {
            "argName": "http_rewrite",
            "argValue": "301"
        }],
        "functionName": "http_force"
    }],
    "DomainNames": "example.com"
}

https_tls_version

  • Description: Configures TLS protocol versions.

  • Function ID: 110

  • Parameters:

Parameter

Type

Required

Description

Example

tls10

String

No

Specifies whether to enable TLS 1.0. Valid values: on (default), off.

on

tls11

String

No

Specifies whether to enable TLS 1.1. Valid values: on (default), off.

on

tls12

String

No

Specifies whether to enable TLS 1.2. Valid values: on (default), off.

on

tls13

String

No

Specifies whether to enable TLS 1.3. Valid values: on (default), off.

on

ciphersuitegroup

String

No

The cipher suite group. Valid values: all (default, all cipher suites), strict (strong cipher suites only), custom (custom cipher suites).

all

ciphersuite

String

No

Custom cipher suites. Used with ciphersuitegroup set to custom. Multiple cipher suites are separated by commas.

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "tls10",
            "argValue": "on"
        }, {
            "argName": "tls11",
            "argValue": "on"
        }, {
            "argName": "tls12",
            "argValue": "on"
        }, {
            "argName": "tls13",
            "argValue": "off"
        }, {
            "argName": "ciphersuitegroup",
            "argValue": "all"
        }],
        "functionName": "https_tls_version"
    }],
    "DomainNames": "example.com"
}

HSTS

  • Description: Configures HTTP Strict Transport Security (HSTS).

  • Function ID: 112

  • Parameters:

Parameter

Type

Required

Description

Example

enabled

String

Yes

Specifies whether to enable HSTS. Valid values: on, off.

on

https_hsts_max_age

Integer

Yes

The expiration time in seconds. Recommended value: 5184000 (60 days).

5184000

https_hsts_include_subdomains

String

No

Specifies whether to include subdomains in the HSTS header. Valid values: on, off. Before enabling, ensure all subdomains have HTTPS enabled; otherwise, subdomain access may fail.

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enabled",
            "argValue": "on"
        }, {
            "argName": "https_hsts_max_age",
            "argValue": "5184000"
        }, {
            "argName": "https_hsts_include_subdomains",
            "argValue": "off"
        }],
        "functionName": "HSTS"
    }],
    "DomainNames": "example.com"
}

https_client_cert

  • Description: Configures client certificate authentication.

  • Function ID: 111

  • Parameters:

Parameter

Type

Required

Description

Example

client_certificate_verify

String

Yes

Specifies whether to enable client certificate authentication. Valid values: on, off.

on

client_certificate

String

Yes

The client certificate (public key) to use for authentication. The CA certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

-----BEGIN PUBLIC KEY-----***-----END PUBLIC KEY-----

client_verify_depth

String

No

The certificate chain verification depth (number of certificate levels from the client certificate to the root CA). Default value: 1.

1

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "client_certificate_verify",
            "argValue": "on"
        }, {
            "argName": "client_certificate",
            "argValue": "-----BEGIN PUBLIC KEY-----***-----END PUBLIC KEY-----"
        }],
        "functionName": "https_client_cert"
    }],
    "DomainNames": "example.com"
}

Performance optimization

gzip

  • Description: Enables page Gzip compression.

  • Function ID: 35

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable Gzip compression. Valid values: on, off.

on

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }],
        "functionName": "gzip"
    }],
    "DomainNames": "example.com"
}

tesla

  • Description: Configures HTML page optimization.

  • Function ID: 16

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable page optimization. Valid values: on, off.

on

trim_js

String

No

Specifies whether to optimize inline JS code in HTML. Valid values: on, off (default).

off

trim_css

String

No

Specifies whether to optimize inline CSS code in HTML. Valid values: on, off (default).

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }, {
            "argName": "trim_css",
            "argValue": "off"
        }, {
            "argName": "trim_js",
            "argValue": "off"
        }],
        "functionName": "tesla"
    }],
    "DomainNames": "example.com"
}

brotli

  • Description: Configures Brotli compression.

  • Function ID: 97

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable Brotli compression. Valid values: on, off.

on

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }],
        "functionName": "brotli"
    }],
    "DomainNames": "example.com"
}

set_hashkey_args

  • Description: Configures URL parameter filtering (retain mode).

  • Function ID: 19

  • Conflict: Conflicts with ali_remove_args (Function ID: 75). Only one can be configured.

  • Parameters:

Parameter

Type

Required

Description

Example

hashkey_args

String

No

The list of parameters to retain, separated by commas (,). Maximum: 10 parameters.

key1,key2

disable

String

Yes

Specifies whether to ignore all parameters. Valid values: on (ignore all, only the add operation remains effective), off (default). Ignoring all parameters has lower priority than the retain parameter list.

on

keep_oss_args

String

Yes

Specifies whether to retain parameters for origin requests. Valid values: on (retain all parameters), off (origin parameters match the cache key parameters).

on

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "hashkey_args",
            "argValue": ""
        }, {
            "argName": "keep_oss_args",
            "argValue": "on"
        }, {
            "argName": "disable",
            "argValue": "on"
        }],
        "functionName": "set_hashkey_args"
    }],
    "DomainNames": "example.com"
}

ali_remove_args

  • Description: Configures URL parameter filtering (delete mode).

  • Function ID: 75

  • Conflict: Conflicts with set_hashkey_args (Function ID: 19). Only one can be configured.

  • Parameters:

Parameter

Type

Required

Description

Example

ali_remove_args

String

Yes

The parameters to delete, separated by spaces. Remaining parameters are used as the URL args portion of the cache key.

test

keep_oss_args

String

Yes

Specifies whether to retain parameters for origin requests. Valid values: on (retain all parameters), off (origin parameters match the cache key parameters).

off

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "ali_remove_args",
            "argValue": "test"
        }, {
            "argName": "keep_oss_args",
            "argValue": "off"
        }],
        "functionName": "ali_remove_args"
    }],
    "DomainNames": "example.com"
}

image_transform

  • Description: Configures CDN image transformation.

  • Function ID: 239

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable image transformation. Valid values: on, off.

on

filetype

String

Yes

Supported image formats for transcoding, separated by pipes (|). Valid values: JPEG, JPG, PNG, WEBP, BMP, GIF, TIFF, JP2.

jpg|jpeg|png

webp

String

No

Specifies whether to enable adaptive WebP conversion. Valid values: on, off.

on

orient

String

No

Specifies whether to enable automatic image rotation. Valid values: on, off. Only applies to images with rotation attributes.

on

slim

Integer

No

Image slimming percentage. Valid values: 0-100. Reduces image quality without changing resolution, size, or format to save bandwidth.

10

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "filetype",
            "argValue": "jpg|jpeg|png"
        }, {
            "argName": "webp",
            "argValue": "on"
        }, {
            "argName": "orient",
            "argValue": "on"
        }, {
            "argName": "enable",
            "argValue": "on"
        }],
        "functionName": "image_transform"
    }],
    "DomainNames": "example.com"
}

Video

range

  • Description: Configures Range-based origin fetch.

  • Function ID: 31

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable Range-based origin fetch. Valid values: on, off, force (force enable).

on

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }],
        "functionName": "range"
    }],
    "DomainNames": "example.com"
}

video_seek

  • Description: Configures video seeking (drag and play).

  • Function ID: 30

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable video seeking. Valid values: on, off.

on

flv_seek_by_time

String

No

Specifies whether to enable FLV time-based seeking. Valid values: on, off.

on

mp4_seek_start

String

No

Custom MP4 start parameter name.

mp4starttime

mp4_seek_end

String

No

Custom MP4 end parameter name.

mp4endtime

flv_seek_start

String

No

Custom FLV start parameter name.

flvstarttime

flv_seek_end

String

No

Custom FLV end parameter name.

flvendtime

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }],
        "functionName": "video_seek"
    }],
    "DomainNames": "example.com"
}

ali_video_split

  • Description: Configures audio extraction from video.

  • Function ID: 204

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable audio extraction. Valid values: on, off.

on

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }],
        "functionName": "ali_video_split"
    }],
    "DomainNames": "example.com"
}

ali_video_preview

  • Description: Configures video preview (trial viewing).

  • Function ID: 205

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable video preview. Valid values: on, off. Supports TS and MP3 file formats. For FLV and MP4, use the video seeking feature.

on

ali_video_preview_argument

String

Yes

The custom preview parameter name. The parameter value unit must be in seconds.

fds

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }, {
            "argName": "ali_video_preview_argument",
            "argValue": "fds"
        }],
        "functionName": "ali_video_preview"
    }],
    "DomainNames": "example.com"
}

hls_token_rewrite

  • Description: Configures M3U8 standard encryption rewriting.

  • Function ID: 253

  • Parameters:

Parameter

Type

Required

Description

Example

enable

String

Yes

Specifies whether to enable M3U8 standard encryption rewriting. Valid values: on, off.

on

hls_token_arg_name

String

No

The custom HLS token parameter name. Default value: MtsHlsUriToken.

example

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "enable",
            "argValue": "on"
        }],
        "functionName": "hls_token_rewrite"
    }],
    "DomainNames": "example.com"
}

Traffic limiting

limit_rate

  • Description: Configures per-request rate limiting.

  • Function ID: 72

  • Parameters:

Parameter

Type

Required

Description

Example

ali_limit_rate

String

Yes

The rate limit value for a single request (for example, 200 KByte/s or 1 MByte/s). The value must be in the format of number + unit (k for KByte/s, m for MByte/s). Minimum value: 100k. Values below 100k are treated as 100k.

1m

ali_limit_rate_after

String

No

The data volume threshold before rate limiting starts. The value must be in the format of number + unit (k or m), in bytes.

1000

traffic_limit_arg

String

No

The rate limit parameter name extracted from the request URL. When specified, the rate limit is based on the value of this parameter in the URL. When the request does not contain this parameter, the default rate limit (ali_limit_rate) is used. To disable rate limiting when the parameter is absent, set ali_limit_rate to 0k.

rate

traffic_limit_unit

String

No

The unit for the traffic_limit_arg parameter value. Valid values: m (MByte/s), k (KByte/s). For example, if the unit is set to m and the request URL contains rate=1, the actual rate limit is 1 MByte/s. Minimum value: 100k. Values below 100k are treated as 100k.

k

ali_limit_start_hour

Integer

No

Rate limit start hour. Valid values: 0-24 (24-hour format). Default value: 0.

20

ali_limit_end_hour

Integer

No

Rate limit end hour. Valid values: 0-24 (must be greater than the start hour). Default value: 24.

23

  • Example 1:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "ali_limit_rate",
            "argValue": "1m"
        }],
        "functionName": "limit_rate"
    }],
    "DomainNames": "example.com"
}
  • Example 2: Set a default rate limit of 1 MByte/s. If the request URL contains the parameter rate, the rate limit follows the value of that parameter. For example, if the URL contains rate=200, the actual rate limit is 200 KByte/s.

{
    "Functions": [{
        "functionArgs": [{
            "argName": "ali_limit_rate",
            "argValue": "1m"
        }, {
            "argName": "traffic_limit_arg",
            "argValue": "rate"
        }, {
            "argName": "traffic_limit_unit",
            "argValue": "k"
        }],
        "functionName": "limit_rate"
    }],
    "DomainNames": "example.com"
}

EdgeScript and edge functions

edge_function

  • Description: Configures EdgeScript rules.

  • Function ID: 180

  • Parameters:

Parameter

Type

Required

Description

Example

rule

String

Yes

DSL rule.

if eq($uri, '/') { rewrite('https://example.com/index.html', 'redirect') }

pri

Integer

Yes

Priority. Valid values: 0-999 (lower value = higher priority). The priorities of head and foot execution positions are independent.

0

enable

String

Yes

Specifies whether the rule is effective. Valid values: on, off.

on

name

String

Yes

Rule name (letters and underscores only).

test

pos

String

No

Execution position. Valid values: head (default, intercept at the beginning of request processing), foot (intercept at the end of request processing).

head

brk

String

No

Specifies whether to break execution. Valid values: on (skip remaining rules at the current execution position after this rule is matched), off (default, continue executing remaining rules).

off

option

String

No

Extension field.

(empty)

grammar

String

No

Rule syntax. Valid values: es2 (default), js.

es2

jsmode

String

No

JS execution mode. Valid values: redirect (intercept mode), bypass (default, bypass mode).

bypass

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "rule",
            "argValue": "if eq($uri, '/') { rewrite('https://example.com/index.html', 'redirect') }"
        }, {
            "argName": "pri",
            "argValue": "0"
        }, {
            "argName": "enable",
            "argValue": "on"
        }, {
            "argName": "name",
            "argValue": "test"
        }],
        "functionName": "edge_function"
    }],
    "DomainNames": "example.com"
}

Edge functions

edgeroutine

  • Description: Configures Edge Routine (edge functions).

  • Function ID: 275

Note

This feature requires an application to enable. You must apply to activate this feature before use.

Rule engine

condition

  • Description: Configures the rule engine. Allows graphical configuration of condition rules that identify various parameters in user requests (such as client IP, URI, headers, cookies) to determine whether a configuration applies to a specific request. This enables more flexible and precise control of CDN configuration policies.

  • Function ID: 250

  • Parameters:

Note

This feature requires an application to enable. You must apply to activate this feature before use.

Parameter

Type

Required

Description

Example

rule

Array

Yes

The rule condition content, including name, status, logic, and criteria. The criteria object contains: matchType (the type of request information to match), matchObject (further refinement of the match type), matchOperator (the match action, such as equals), matchValue (the value to match against), negate (whether to negate the result, true or false).

{"match":{"logic":"and","criteria":[{"matchType":"clientipVer","matchObject":"CONNECTING_IP","matchOperator":"equals","matchValue":"v6","negate":false}]},"name":"example","status":"enable"}

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "rule",
            "argValue": "{\"match\":{\"logic\":\"and\",\"criteria\":[{\"matchType\":\"clientipVer\",\"matchObject\":\"CONNECTING_IP\",\"matchOperator\":\"equals\",\"matchValue\":\"v6\",\"negate\":false}]},\"name\":\"example\",\"status\":\"enable\"}"
        }],
        "functionName": "condition"
    }],
    "DomainNames": "example.com"
}

Security

ali_location

  • Description: Configures region-based access blocking.

  • Function ID: 57

  • Parameters:

Parameter

Type

Required

Description

Example

location

String

Yes

The regions to apply the blocking policy. Supports two-letter country codes (ISO 3166 standard), separated by spaces. Also supports global for worldwide blocking.

CN

type

String

Yes

The blocking policy type. Valid values: black (blacklist, block client IPs from the specified regions), white (whitelist, block client IPs from regions not in the list).

black

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "location",
            "argValue": "CN"
        }, {
            "argName": "type",
            "argValue": "black"
        }],
        "functionName": "ali_location"
    }],
    "DomainNames": "example.com"
}

QUIC

iquic

  • Description: Configures QUIC protocol basic parameters.

  • Function ID: 281

  • Parameters:

Parameter

Type

Required

Description

Example

iquic_enable

String

Yes

Specifies whether to enable the QUIC protocol. Valid values: on, off.

on

  • Example:

{
    "Functions": [{
        "functionArgs": [{
            "argName": "iquic_enable",
            "argValue": "on"
        }],
        "functionName": "iquic"
    }],
    "DomainNames": "example.com"
}