Rules FAQ - Edge Security Acceleration - Alibaba Cloud Documentation Center

This topic answers common questions about rules.

Identify private CIDR block

Some Internet Service Providers (ISPs) in specific regions may assign private IP addresses to clients. As a result, an ESA node might receive a client IP from a private CIDR block. This prevents rules that use parameters like country/region, province, and carrier from accurately identifying these requests. To handle requests from private CIDR blocks, follow the steps below.

Step 1: Create an IP list

Go to Global Settings > Lists. Click Create List and add the following three private IP Address/CIDR Block entries:
- Class A private IP address: 10.0.0.0 to 10.255.255.255, subnet mask: 10.0.0.0/8.
- Class B private IP address: 172.16.0.0 to 172.31.255.255, subnet mask: 172.16.0.0/12.
- Class C private IP address: 192.168.0.0 to 192.168.255.255, subnet mask: 192.168.0.0/16.
After you add the entries, the configuration appears as shown in the following figure. Click OK.

Step 2: Add private CIDR block rule

This example uses a custom rule. On the WAF Custom Rules page, click Create Rule and configure it as shown in the figure below.
After you finish, click OK.

Note

After you add these rule conditions, ESA accurately identifies client requests from private CIDR blocks.

Mini-program image loading failure

Symptoms

After you configure a rate-based rule in ESA (for example, trigger a JS/slider challenge for 1 hour if more than 20 requests are received in 10 seconds), all images in a mini-program fail to load. Deleting the rule resolves the issue.

Cause

When a mini-program loads, it sends many concurrent requests for images. This burst of requests can easily exceed the configured frequency threshold. When the rate-based rule is triggered, it intercepts legitimate image requests and presents a JS/slider challenge. The mini-program environment cannot execute this challenge, which causes all image requests to be blocked.

Solution

To resolve this issue, use one or more of the following methods:

Increase the frequency threshold: Set a higher threshold (for example, 100 requests per 10 seconds) to prevent the rule from being triggered during normal image loading.
Narrow the match scope: In the rule's match condition, exclude image requests by filtering based on URL path or file extension. This ensures the rate-based rule applies only to non-static resource requests.
Configure a whitelist: Add the mini-program's known source IPs or Referer to a whitelist to exempt them from the rate-based rule.
Temporarily delete the rule: If you cannot immediately determine a suitable threshold, first delete the rate-based rule to restore service. Then, use the request analysis feature in the ESA console to identify abnormal IP addresses and configure a more precise rule.