User-Agent is an HTTP header. The header contains information about the client that makes the request, including the OS, OS version, browser, and browser version. You can configure a User-Agent blacklist or whitelist to restrict access to Alibaba Cloud CDN resources and improve service security.
The blacklist and whitelist are mutually exclusive and cannot be configured at the same time.
If the value of the User-Agent header in a request matches a value in the User-Agent blacklist, the request can reach the point of presence (POP) but is rejected by the POP. Then, the HTTP 403 status code is returned to the client, and the request is recorded in Alibaba Cloud CDN logs.
Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
In the left-side navigation tree of the domain name, click Access Control.
On the page that appears, click the User-Agent Blacklist/Whitelist tab.
On the User-Agent Blacklist/Whitelist tab, click Modify.
Configure a Blacklist or Whitelist as prompted.
The following types of lists are supported:
Blacklist: Requests whose User-Agent header matches a value in the blacklist are rejected, and an HTTP 403 status code is returned.
Whitelist: Only requests whose User-Agent header matches a value in the whitelist are allowed to access resources on POPs.
When you specify User-Agent values, separate multiple values with vertical bars (|). You can use an asterisk (*) as a wildcard character. Example:
If you want to enable access control for requests whose User-Agent header is empty, you can use the this-is-empty-ua parameter to specify that the User-Agent header is empty.
If you specify the this-is-empty-ua parameter in the rules of the whitelist, requests that contain an empty User-Agent header are allowed.
If you specify the this-is-empty-ua parameter in the rules of the blacklist, requests that contain an empty User-Agent header are rejected.
The User-Agent blacklist and whitelist do not support access control for requests that do not contain the User-Agent header. You can use EdgeScript or submit a ticket to enable the feature. For more information, see EdgeScript overview.
Rule conditions can identify parameters in a request to determine whether a configuration takes effect on the request.
Do not use conditions
Select the configured rule conditions in Rules Engine. For more information, see Rules engine.
Example 1: Configure a whitelist
Rules of the whitelist:
Expected result: Only requests that are sent from IE or Firefox are allowed to access resources on POPs.
Example 2: Configure a blacklist
Rules of the blacklist:
Expected result: Requests that are sent from IE or contain an empty User-Agent header are rejected.
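A dry run of the rule syntax described above (values separated by |, * as a wildcard, this-is-empty-ua for an empty header) lets you check a rule against sample User-Agent values before you save it. This is an added example, not Alibaba Cloud code. It assumes a value must match the whole header and that matching ignores case, neither of which the page specifies; the function names, the "not-evaluated" label, and the sample rule are constructed for illustration.

```python
import re

EMPTY_UA = "this-is-empty-ua"  # keyword from the page: stands for an empty header value


def compile_rule(rule):
    """Split a rule on '|' and turn each value into a regex where '*' matches any run."""
    patterns = []
    for value in rule.split("|"):
        value = value.strip()
        if not value:
            continue
        if value == EMPTY_UA:
            patterns.append(re.compile(""))  # with fullmatch, matches only ""
        else:
            # Escape everything except '*', so '.', '(' and '?' stay literal.
            body = ".*".join(re.escape(part) for part in value.split("*"))
            # Assumption: case-insensitive comparison (not stated on the page).
            patterns.append(re.compile(body, re.IGNORECASE | re.DOTALL))
    return patterns


def decide(list_type, rule, user_agent):
    """Return 200, 403, or 'not-evaluated' for one request.

    user_agent is None when the header is absent and '' when it is present but empty.
    """
    if list_type not in ("blacklist", "whitelist"):
        raise ValueError("list_type must be 'blacklist' or 'whitelist'")
    if user_agent is None:
        # Per the page, the lists do not cover requests without the header.
        return "not-evaluated"
    # Assumption: a value must match the whole header (fullmatch).
    matched = any(p.fullmatch(user_agent) for p in compile_rule(rule))
    if list_type == "blacklist":
        return 403 if matched else 200
    return 200 if matched else 403


# Constructed rule and sample requests (not taken from the page).
SAMPLE_RULE = "*curl*|this-is-empty-ua"
SAMPLES = ["curl/8.4.0", "", "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0", None]

if __name__ == "__main__":
    for list_type in ("blacklist", "whitelist"):
        for ua in SAMPLES:
            print(f"{list_type:9} {ua!r:50} -> {decide(list_type, SAMPLE_RULE, ua)}")
```

The None case shows the gap the page calls out: a request with no User-Agent header is not decided by either list, so it needs a separate control such as EdgeScript.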