Add the list of ESA node IP addresses to your origin server's firewall rules. This protects your origin server by allowing access only from whitelisted IP addresses.
Feature overview
To protect your origin server from malicious attacks or unauthorized access, set an IP address whitelist in your firewall rules. This restricts access to specified IP addresses, such as IP addresses of ESA points of presence (POPs) for origin fetch.
After you enable Origin Protection, ESA provides a converged list of POP IP addresses that includes both IPv4 and IPv6 addresses. Add this list of IP addresses to your origin server's access whitelist.
Before you start
The IP list provided by Origin Protection is a converged list of POP IPs. However, fetch() calls from Functions and Pages use the actual POP IPs. If the website called by fetch() does not have Origin Protection enabled, the actual origin-fetch IP of the fetch call will not be in the converged IP list.
ESA is integrated with Cloud Firewall. If all your origin servers are on Alibaba Cloud and you are using Cloud Firewall, enable Origin Protection and then enable Auto-apply Origin Fetch IP List so that Cloud Firewall automatically updates the origin-fetch IP information.

Enable Origin Protection
In the ESA console, select Websites, and in the Website column, click the target website.
In the left navigation pane, choose .
On the Origin Protection page, click Configure.

Turn on the Status switch. In the dialog box that appears, select I understand the risks and click OK.

Click Enable. The system then lists the converged IP addresses of the ESA POPs. Click the copy icon to copy the IP addresses.
Manually add all IP ranges from the IP list to your origin server's whitelist. If your origin server is hosted on an Alibaba Cloud Elastic Compute Service (ECS) instance, see How do I add the IP list in ECS. Modify the inbound rules of a security group to allow only requests from whitelisted IP addresses to access the origin server.
Important: If you stop using the ESA service, manually modify your origin server's firewall rules to avoid access failures.
Update the Origin Protection IP list
If the ESA POP IP addresses change, you will receive a notification by internal message or email. Update your origin server's firewall and security group rules. This ensures POPs can access your origin server.
In the ESA console, select Websites, and in the Website column, click the target website.
In the left navigation pane, choose .
In the Origin Protection section, add all IP address ranges listed under IP Addresses to your origin server's whitelist, and then click Review.

In the Review Latest IP List panel, click I Have Applied and Confirm to Enable the Latest IP List. In the dialog box that appears, click OK.
Note: The new IP list takes effect only after you confirm it. Until then, the service continues to use the previously confirmed IP list. To ensure optimal service performance and quality, update your origin server's whitelist with the latest ESA IP list.
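As an added example (not part of the ESA documentation), the following Python helper prepares a converged POP IP list for the firewall steps above: it splits the list into the IPv4 and IPv6 sets that the two ECS prefix lists need, checks them against the 200-entry limit used in the ECS steps, diffs a previously applied list against a new one for the update procedure, and checks whether a request source IP is covered. The CIDRs in it are constructed documentation ranges, not ESA POP addresses.

```python
import ipaddress

# Assumed value: the "Max Entries" figure the ECS steps use for each prefix list.
MAX_ENTRIES = 200

# Constructed sample lists (RFC 5737 / RFC 3849 documentation ranges), not real ESA POP IPs.
OLD_LIST = """198.51.100.0/24
203.0.113.0/25
2001:db8:1::/48
"""
NEW_LIST = """198.51.100.0/24
203.0.113.128/25
2001:db8:1::/48
2001:db8:2::/48
"""

def split_converged_list(text):
    """Parse one CIDR per line into sorted IPv4 and IPv6 network lists.
    strict=True rejects entries with host bits set, so a mangled paste fails loudly."""
    v4, v6 = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net = ipaddress.ip_network(line, strict=True)  # ValueError on malformed input
        (v4 if net.version == 4 else v6).append(net)
    return sorted(set(v4)), sorted(set(v6))

def fits_prefix_list(nets, limit=MAX_ENTRIES):
    """True if one address family fits into a single ECS prefix list of the given size."""
    return len(nets) <= limit

def diff_lists(old_text, new_text):
    """For the update procedure: CIDRs to add to, and to remove from, the whitelist."""
    old = set().union(*split_converged_list(old_text))
    new = set().union(*split_converged_list(new_text))
    key = lambda n: (n.version, n)  # IPv4 before IPv6; never compares across families
    return sorted(new - old, key=key), sorted(old - new, key=key)

def is_whitelisted(ip, v4, v6):
    """Check whether a request source IP would pass the applied whitelist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in (v4 if addr.version == 4 else v6))

if __name__ == "__main__":
    v4, v6 = split_converged_list(NEW_LIST)
    added, removed = diff_lists(OLD_LIST, NEW_LIST)
    print("fits:", fits_prefix_list(v4) and fits_prefix_list(v6),
          "add:", [str(n) for n in added], "remove:", [str(n) for n in removed])
```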

Disable Origin Protection
To prevent service interruptions, first delete the IP whitelist from your origin server's firewall. Then, disable Origin Protection.
In the ESA console, select Websites, and in the Website column, click the target website.
In the left navigation pane, choose .
Click Configure. Turn off the Status switch. In the dialog box that appears, select I Acknowledge the Risks and click OK.

In the Origin Protection section, click OK. The origin protection status changes to Disabled.
Supported plans
Entrance, Pro, Premium, Enterprise
FAQ
Why can't I enable Origin Protection?
For effective protection, Origin Protection can be enabled only when your cache architecture has two or more layers. In addition, you cannot use Origin Protection if your Tiered Cache policy is set to Edge Tiered Cache. To change this setting, hover over Configure and click Modify in the tooltip to go to the Tiered Cache settings.

On the Tiered Cache configuration page, click Configure and select a suitable tiered cache architecture. You can then enable Origin Protection.

How do I add the IP list in ECS?
The security group feature of ECS is a virtual firewall that controls inbound and outbound traffic for ECS instances. Add the IP list provided by ESA to the inbound rules of a security group.
Go to the ECS console - Prefix Lists page. Alternatively, go to the ECS console, hover over Network & Security in the navigation bar, and click Prefix Lists and Port Lists.

In the console, switch the region to the one where your origin server's instance is located.

Click Create Prefix List to create a prefix list for IPv4 addresses:
Prefix List Name: Enter a name for the IP list, such as list-esa-ipv4.
Address Family: Select IPv4.
Max Entries: Enter 200.
Prefix List Entries: Click Add Entry. In the CIDR Block column, paste the IPv4 list that you copied in the Enable Origin Protection section, and then click Confirm.

Click Create Prefix List again to create a prefix list for IPv6 addresses:
Prefix List Name: Enter a name for the IP list, such as list-esa-ipv6.
Address Family: Select IPv6.
Max Entries: Enter 200.
Prefix List Entries: Click Add Entry. In the CIDR Block column, paste the IPv6 list that you copied in the Enable Origin Protection section, and then click Confirm.

Go to the ECS console - Security Groups page, and click Create Security Group.
Select the VPC network where the instance is located. Delete the default rules in Access Rule. Click Quick Add. For Authorization Object, select the IPv4 and IPv6 prefix lists that you created. Select the ports that your services use, and then click Create Security Group.

Go to ECS console - Instances.
In the instance list, click the ID of the instance for which you want to enable Origin Protection. Select the Security Groups tab and click Change Security Groups.

On the Change Security Groups page, select only the new security group that you created, and then click OK.
