An IP blacklist or whitelist filters user requests and blocks or allows requests from specified IP addresses. IP lists can protect origin servers from IP theft and attacks. This topic describes how to configure an IP blacklist or whitelist.
- By default, the IP list feature is disabled. The IP blacklist and whitelist are mutually exclusive. You can configure only one of them.
- If an IP address is added to the blacklist, requests from the IP address can still be sent to Dynamic Route for CDN (DCDN) points of presence (POPs). However, the POPs will reject the requests and return a 403 error. Requests sent from IP addresses that are on the blacklist are recorded in the logs of DCDN.
- The IP blacklist and whitelist identify IP addresses based on Layer 7 HTTP IP recognition techniques. Network traffic may be generated when the POPs block requests. If clients access the POPs over HTTPS, HTTPS request fees are incurred due to resources consumed for processing requests on the POPs.
- Log on to the DCDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the domain name that you want to manage, and click Configure in the Actions column.
- In the left-side navigation pane of the domain name, click Access Control.
- Click the IP Denylist or Allowlist tab.
- Turn on IP Denylist or Allowlist, and configure an IP address Denylist or Allowlist as prompted.
  - Type: The following types of IP list are supported:
    - Requests from IP addresses on the blacklist are blocked.
    - Only requests from IP addresses on the whitelist are allowed to access resources on the POPs.
  - Rules: Enter CIDR blocks such as 192.0.2.1/24 or IP addresses such as 192.168.0.1. Make sure that the CIDR blocks are not duplicates. Both IPv4 and IPv6 addresses are supported. You can add a maximum of 100 IP addresses to a whitelist or blacklist. Separate IP addresses with carriage return characters.
    - IPv6: You can add at most 700 IPv6 addresses to the list. Both the blacklist and whitelist support IPv6 addresses. The letters in IPv6 addresses must be in uppercase. For example: FC00:AA3:0:23:3:300:300A:1234 or FC00:0AA3:0000:0023:0003:0300:300A:1234. The notation of an IPv6 address must not be shortened. For example, FC00:0AA3::0023:0003:0300:300A:1234 is invalid. CIDR blocks are supported. For example: FC00:0AA3:0000:0000:0000:0000:0000:0000/48.
    - IPv4: You can add at most 2,000 IPv4 addresses to the list.
    - The total length of the string that specifies IP addresses cannot exceed 30 KB.
- Click OK.
CIDR block: 192.0.2.1/24
Expected result: Only IP addresses that range from 192.0.2.1 to 192.0.2.254 (192.0.2.1 and 192.0.2.254 included) can access the resources of the accelerated domain name.
IP address: 192.168.0.1
Expected result: The IP address 192.168.0.1 is not allowed to access the resources of the accelerated domain name.
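The following is an added example, not part of the DCDN documentation or console: a Python pre-check for the Rules field that applies the format rules and limits stated above (uppercase, unshortened IPv6; no duplicate blocks; 2,000 IPv4 and 700 IPv6 entries; 30 KB) and models the blacklist or whitelist decision. The function names, the sample input, and the choice to treat two entries that fall in the same CIDR block as duplicates are assumptions.

```python
import ipaddress

MAX_IPV4, MAX_IPV6, MAX_BYTES = 2000, 700, 30 * 1024  # limits stated on this page

def validate_rules(text):
    """Parse a newline-separated Rules string; return (networks, errors)."""
    networks, errors = [], []
    if len(text.encode("utf-8")) > MAX_BYTES:
        errors.append("rules string exceeds 30 KB")
    for entry in (ln.strip() for ln in text.splitlines()):
        if not entry:
            continue
        try:
            # strict=False accepts host bits, as in the page's 192.0.2.1/24.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            errors.append(f"{entry}: not an IP address or CIDR block")
            continue
        addr = entry.split("/", 1)[0]
        if net.version == 6 and ("::" in addr or addr.count(":") != 7):
            errors.append(f"{entry}: IPv6 notation must not be shortened")
        elif net.version == 6 and addr != addr.upper():
            errors.append(f"{entry}: IPv6 letters must be uppercase")
        elif net in networks:  # assumption: same normalized block = duplicate
            errors.append(f"{entry}: duplicates an earlier entry")
        else:
            networks.append(net)
    for version, limit in ((4, MAX_IPV4), (6, MAX_IPV6)):
        if sum(n.version == version for n in networks) > limit:
            errors.append(f"more than {limit} IPv{version} entries")
    return networks, errors

def is_allowed(client_ip, networks, list_type):
    """Model the POP decision (assumed logic): False means a 403 response."""
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip.version == n.version and ip in n for n in networks)
    return listed if list_type == "whitelist" else not listed

# Constructed sample input (not from a real configuration).
SAMPLE = "\n".join([
    "192.0.2.1/24",
    "192.0.2.77/24",                            # same block as the line above
    "FC00:0AA3:0000:0000:0000:0000:0000:0000/48",
    "FC00:0AA3::0023:0003:0300:300A:1234",      # shortened form
    "fc00:aa3:0:23:3:300:300a:1234",            # lowercase letters
])

if __name__ == "__main__":
    print(*validate_rules(SAMPLE)[1], sep="\n")
```

Running the check before pasting a list into the console catches entries that would be rejected or silently redundant, which matters most for a whitelist, where a dropped entry blocks legitimate clients.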