
CDN: Alibaba Cloud CDN origin IP addresses

Last Updated: Jun 18, 2026

To protect your origin server, you can obtain the back-to-origin IP addresses of Alibaba Cloud CDN POPs and add them to a whitelist on your origin server. This configuration ensures that only back-to-origin traffic from Alibaba Cloud CDN can access your origin server.

Edge node IP addresses vs. origin IP addresses

Alibaba Cloud CDN uses two types of IP addresses. Understanding the difference helps you configure the correct whitelist or troubleshoot issues.

| Type | Description | Use case | How to obtain |
| --- | --- | --- | --- |
| Back-to-origin IP (L2 node) | The IP address used by CDN POPs to fetch content from your origin server. Dynamically allocated. | Configure origin server whitelists (ECS security groups, SLB access control, Cloud Firewall). | Call the DescribeL2VipsByDomain operation. Requires a daily peak bandwidth of 1 Gbps or higher. Submit a ticket to request access. |
| Edge node IP (L1 node) | The IP address that end users connect to when accessing CDN-accelerated content. Dynamically allocated. | Client-side troubleshooting, compliance requirements. | Call the DescribeUserVipsByDomain operation to query edge node IP addresses for a specific domain. Supports IPv4 and IPv6. No bandwidth threshold required. |

You can also run nslookup or dig commands to resolve your accelerated domain name and obtain the edge node IP addresses currently assigned by the scheduling system. These results represent only a point-in-time snapshot.

nslookup your-domain.example.com
# or
dig your-domain.example.com

Alibaba Cloud CDN dynamically allocates IP addresses for its POPs during origin requests. Therefore, we strongly advise against configuring a fixed IP whitelist on your origin server, as this can lead to failed back-to-origin requests.

If you must configure a whitelist for special requirements, such as having security software like SafeDog installed on your origin server, call the DescribeL2VipsByDomain (Query L2 POP IP Addresses) operation to get the latest list of back-to-origin POP IP addresses. Add this list to the whitelist on your origin server to ensure proper access.

Note: This API is available only to users with a daily peak bandwidth of 1 Gbps or higher. If you meet this requirement, you must submit a ticket to request access.

Origin server security best practices

Because CDN back-to-origin IP addresses are dynamically allocated, relying solely on IP whitelists is not recommended. Consider the following alternatives:

  • HTTP header identification: During back-to-origin requests, CDN adds the ali-cdn-real-ip HTTP header that contains the actual client IP address. Your origin server can identify and allow legitimate CDN back-to-origin requests by checking for this header, rather than depending on IP whitelists.

  • Referer-based hotlink protection: Configure Referer whitelists or blacklists to control access to your resources. This method does not depend on IP addresses.

  • URL signing: Enable URL signing to generate time-limited, signed URLs. Only requests with valid signatures can access your origin server.

  • Timestamp-based authentication: Add timestamp parameters to URLs so that access expires after a specified period.

These methods are better suited to CDN's dynamic IP allocation model and provide more reliable origin server protection.
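As an added illustration of the URL signing and timestamp-based authentication items above (example code written for this page, not Alibaba Cloud CDN's own signing scheme, which you enable in the CDN console): a generic HMAC-SHA256 signed URL whose signature covers the request path and an expiry timestamp, so a link stops working after its window and cannot be re-pointed at another resource. The `exp` and `sig` parameter names, the message layout, and the demo key are assumptions.

```python
"""Time-limited signed URLs with a generic HMAC-SHA256 scheme (added example).

Assumptions: this is NOT Alibaba Cloud CDN's signing format. The signature
covers "<path>\n<expires>" and travels in the query string as ``exp`` and
``sig``; the key below is a constructed demo value.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed demo key. In production the key is shared only between the
# signer and the verifier and never embedded in client-side code.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _digest(path: str, expires: int, key: bytes) -> str:
    """HMAC over path and expiry, so the signature is bound to both."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(url: str, key: bytes, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return ``url`` with ``exp`` and ``sig`` query parameters appended."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    expires = now + ttl_seconds
    query = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs yields lists; keep the first value and drop any stale exp/sig
    flat = {k: v[0] for k, v in query.items() if k not in ("exp", "sig")}
    flat["exp"] = str(expires)
    flat["sig"] = _digest(parts.path, expires, key)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(flat), parts.fragment))


def verify_url(url: str, key: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Validate a signed URL at time ``now``. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    exp_values = query.get("exp")
    sig_values = query.get("sig")
    if not exp_values or not sig_values:
        return False, "missing exp or sig"
    try:
        expires = int(exp_values[0])
    except ValueError:
        return False, "malformed exp"
    if now > expires:
        return False, "expired"
    expected = _digest(parts.path, expires, key)
    # Constant-time comparison avoids leaking the signature through timing
    if not hmac.compare_digest(expected, sig_values[0]):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    signed = sign_url("https://cdn.example.com/video.mp4?id=7", DEMO_KEY, 60, now=1000)
    print(signed)
    print(verify_url(signed, DEMO_KEY, now=1030))   # valid inside the window
    print(verify_url(signed, DEMO_KEY, now=1061))   # expired one second later
```

Because `exp` is part of the signed message, a client that edits the timestamp to extend its own window, or swaps the path for a different object, gets a signature mismatch rather than a longer-lived link. Reject on expiry before the HMAC check only to save work; the order does not affect security.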

FAQ

What are the limitations of the DescribeL2VipsByDomain API?

The DescribeL2VipsByDomain API has the following limitations:

| Limitation | Description |
| --- | --- |
| Bandwidth threshold | Only users with a daily peak bandwidth of 1 Gbps or higher can call this API. You must submit a ticket to request access. |
| Query granularity | This API does not support batch queries for multiple domains. You can query only one accelerated domain name per request. |
| Scope | This API returns L2 back-to-origin node IP addresses only. It is intended for scenarios where you need to configure whitelists on origin servers (such as ECS security groups, SLB access control lists, or Cloud Firewall rules). |

How do I configure CDN origin fetch allow rules in Cloud Firewall or WAF?

If your origin server is protected by Cloud Firewall or Web Application Firewall (WAF), configure the following rules to allow CDN or ESA back-to-origin traffic:

  1. Obtain origin IP addresses:

    • For CDN, call the DescribeL2VipsByDomain operation.

    • For ESA, go to the ESA console and navigate to site management to view and export the back-to-origin IP list. ESA provides its own origin protection feature with a built-in IP list.

  2. Configure inbound rules: In Cloud Firewall or WAF, create inbound allow rules for the back-to-origin IP addresses. If no custom back-to-origin port is configured, the default ports are 80 (HTTP) and 443 (HTTPS).

  3. Configure outbound rules (if applicable): If your network has outbound traffic control policies, also configure outbound allow rules for the origin IP addresses.
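Because the back-to-origin list is dynamic (see the whitelist warning earlier on this page) and the firewall steps above have to be repeated whenever it changes, here is an added example, not Alibaba Cloud's code, of reconciling the current allow list against a freshly fetched list and producing the inbound rules for the default ports. The fresh list stands in for the result of DescribeL2VipsByDomain or an ESA console export; the addresses are constructed (documentation ranges), and the `(source, port, action)` rule shape is a generic placeholder rather than any product's API.

```python
"""Reconcile an origin allow list against a fresh CDN back-to-origin list.

Added example, not Alibaba Cloud's code. ``fresh`` is assumed to be the IP
list returned by DescribeL2VipsByDomain (or exported from the ESA console);
here it is a constructed sample so the example runs offline. Rules are
generic (source, port, action) tuples, not a specific firewall's API.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

DEFAULT_PORTS = (80, 443)  # default back-to-origin ports named in the docs


def normalize(addrs: Iterable[str]) -> Set[str]:
    """Parse every entry as an IPv4/IPv6 address or CIDR block.

    A malformed entry raises instead of being skipped, and a catch-all
    prefix is refused so a bad API field cannot silently allow 0.0.0.0/0.
    """
    out: Set[str] = set()
    for raw in addrs:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all entry: {raw}")
        # Single hosts are stored bare, blocks in CIDR form
        out.add(str(net.network_address) if net.num_addresses == 1 else str(net))
    return out


def reconcile(current: Iterable[str], fresh: Iterable[str],
              ports: Tuple[int, ...] = DEFAULT_PORTS) -> Dict[str, List]:
    """Return what to add, what to remove, and the full inbound rule set."""
    cur = normalize(current)
    new = normalize(fresh)
    if not new:
        # Failure mode: an empty fetch (API error, ticket not yet approved)
        # must not wipe the allow list, or every back-to-origin request fails.
        raise ValueError("fresh IP list is empty; keeping existing allow list")
    return {
        "add": sorted(new - cur),
        "remove": sorted(cur - new),
        "rules": [(ip, port, "allow") for ip in sorted(new) for port in ports],
    }


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges, not real POPs)
    current_allow = ["203.0.113.10", "203.0.113.11", "198.51.100.0/24"]
    fresh_list = ["203.0.113.11", "203.0.113.12", "198.51.100.0/24", "2001:db8::5"]
    plan = reconcile(current_allow, fresh_list)
    print("add:", plan["add"])
    print("remove:", plan["remove"])
    for rule in plan["rules"]:
        print(rule)
```

Run the reconciliation on a schedule and apply `add` before `remove`, so a node that is in both lists is never without a rule between the two operations; if a custom back-to-origin port is configured, pass it in `ports` instead of the defaults.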

Note

If CDN origin requests are being blocked by WAF and you cannot provide fixed IP addresses for whitelisting, consider migrating to ESA. ESA integrates WAF protection and supports more flexible origin server IP management.

Why do the IP addresses in CDN access logs or origin server logs differ from the actual client IP address?

This is expected behavior caused by the CDN back-to-origin mechanism:

  • When a CDN edge node does not have the requested content cached (cache miss), a back-to-origin node (L2 node) sends a request to the origin server on behalf of the user. The IP address recorded in the origin server logs is the back-to-origin node IP, not the actual client IP.

  • CDN access logs also record the back-to-origin node IP for such requests rather than the end-user IP.

To obtain the actual client IP address, parse the following HTTP headers instead of relying on the connection IP:

  • X-Forwarded-For: Contains the client IP and the IP addresses of proxy servers along the request path. The first IP address is typically the actual client IP.

  • ali-cdn-real-ip: An Alibaba Cloud CDN-specific header that contains the actual client IP address.
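An added example, not Alibaba Cloud's code, of how an origin application would recover the client IP from the two headers just listed and check for the ali-cdn-real-ip marker mentioned under the best practices earlier on this page. The header names come from this page; the header dict, the `peer_ip` parameter, and the sample values are assumptions and constructed data.

```python
"""Recover the real client IP behind a CDN back-to-origin request.

Added example, not Alibaba Cloud's code. Assumes the origin application sees
request headers as a mapping and knows the TCP peer address; header names
(ali-cdn-real-ip, X-Forwarded-For) are those named in the docs. All sample
addresses below are constructed documentation-range values.
"""
import ipaddress
from typing import Mapping, Optional, Tuple


def _valid_ip(value: str) -> Optional[str]:
    """Return the normalized address, or None if it is not a literal IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def client_ip(headers: Mapping[str, str], peer_ip: str) -> Tuple[str, str]:
    """Return (ip, source) with case-insensitive header lookup.

    Precedence follows the docs: ali-cdn-real-ip first, then the first entry
    of X-Forwarded-For, then the TCP peer (the L2 node on a cache miss).
    Unparseable values such as "unknown" are skipped rather than trusted.
    """
    h = {k.lower(): v for k, v in headers.items()}
    real = _valid_ip(h.get("ali-cdn-real-ip", ""))
    if real:
        return real, "ali-cdn-real-ip"
    xff = h.get("x-forwarded-for", "")
    if xff:
        first = _valid_ip(xff.split(",")[0])
        if first:
            return first, "x-forwarded-for"
    return peer_ip, "peer"


def has_cdn_marker(headers: Mapping[str, str]) -> bool:
    """True when the request carries ali-cdn-real-ip, the signal the docs
    suggest checking for back-to-origin traffic."""
    return any(k.lower() == "ali-cdn-real-ip" for k in headers)


if __name__ == "__main__":
    # Constructed headers as an L2 node would present them on a cache miss
    sample = {
        "X-Forwarded-For": "198.51.100.7, 203.0.113.9",
        "ali-cdn-real-ip": "198.51.100.7",
    }
    print(client_ip(sample, peer_ip="203.0.113.9"))  # the end user, not the node
    print(has_cdn_marker(sample))
```

Headers are only as trustworthy as the path they arrived on: a client that reaches the origin directly can set ali-cdn-real-ip or X-Forwarded-For itself, so treat the marker as one signal to combine with the other measures on this page, and record the recovered address as the claimed client IP alongside the peer address rather than in place of it.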

Does Alibaba Cloud provide a static CDN or API service IP address list?

CDN IP addresses: Alibaba Cloud does not provide a static list of CDN IP addresses (domestic or global). CDN IP addresses are dynamically allocated and change in real time. Customer support cannot provide a static IP list.

CDN API endpoint IP addresses: The CDN API service endpoints do not have fixed IP addresses. If your network environment has strict outbound restrictions, configure a proxy server and add the proxy server IP address to your whitelist. Route API requests through the proxy.