
Edge Security Acceleration: Match fields

Last Updated: May 09, 2025

Match fields provide multidimensional configuration options.

Field categories

ESA supports three types of match fields:

  • Standard fields: indicate information about standard protocols such as HTTP, IP, and TLS carried in client requests or responses. Standard fields include the hostname, request header, and response header.

  • Extended fields: indicate the calculated values obtained by ESA after performing specific operations on client requests or responses. Extended fields are generally related to threat intelligence of HTTP requests.

  • Original fields: indicate the original property values of client requests retained by ESA. Original fields are generally used to retain the original property values when client requests are transferred among multiple ESA function modules.

Example: (http.host eq "example-1.com")

Standard fields

Standard fields include common fields in HTTP requests and in IP information.

http.cookie

The Cookie header carried in an HTTP request.

  • Field name: Cookie

  • Type: String

  • Case-sensitive.

  • Empty string allowed in the match value.

  • Example:

    "sessionid=330688;userid=abc123"

http.host

The hostname used in an HTTP request.

  • Field name: Hostname

  • Type: String

  • Case-insensitive.

  • Empty string not allowed in the match value.

  • Example:

    "www.example.com"

http.referer

The Referer header carried in an HTTP request.

  • Field name: Referer

  • Type: String

  • Case-insensitive.

  • Empty string allowed in the match value.

  • Example:

    "http://www.example.com/index"

http.request.body.form

The request body in form format carried in an HTTP request when the value of the Content-Type header is application/x-www-form-urlencoded, represented as a Map (associative array).

  • Field name: Body Query String

  • Type: Map<Array<String>>

  • Example:

    {"username":["admin"]}

http.request.body.mime

The Multipurpose Internet Mail Extensions (MIME) type detected in the body of an HTTP request. The most common MIME types for common types of resources such as videos, audios, images, applications, and text are supported.

  • Field name: MIME Type

  • Type: String

  • Example:

    "application/json"

http.request.cookies

The Cookie header carried in an HTTP request, represented as a map (associative array).

  • Field name: Cookie Value

  • Type: String

  • Case-sensitive.

  • Empty string allowed in the match value.

  • Example:

    {"sessionid":["330668"]}

http.request.full_uri

The complete Uniform Resource Identifier (URI) of an HTTP request, including the protocol, hostname, path, and query string.

  • Field name: Full URI

  • Type: String

  • Case-sensitive.

  • Empty string not allowed in the match value.

  • Example:

    "https://www.example.com/image/cat.jpg?width=400&height=300&format=webp"

http.request.headers

The headers included in an HTTP request, represented as a map (associative array). All letters in the keys (header names) of the associative array must be lowercase.

  • Field name: Header

  • Type: Object

  • Case-sensitive.

  • Empty string allowed in the match value.

  • Example:

    {"content-type":["application/json"]}

http.request.method

The request method used in an HTTP request.

  • Field name: Request Method

  • Type: String

  • Example:

    "GET"

http.request.timestamp.sec

The UNIX timestamp (in seconds) when the ESA point of presence (POP) receives an HTTP request.

  • Field name: Request Timestamp

  • Type: Integer

  • UNIX time: (1735019278)

  • Example:

    1735019278

http.request.uri

The URI of an HTTP request, including the path and query string.

  • Field name: URI

  • Type: String

  • Case-sensitive.

  • Empty string not allowed in the match value.

  • Example:

    "/image/cat.jpg?width=400&height=300&format=webp"

http.request.uri.args

The query string in the URI of an HTTP request, represented as a map (associative array).

  • Field name: URI Query String Parameter

  • Type: Map<Array<String>>

  • Case-sensitive.

  • Empty string allowed in the match value.

  • Example:

    {"format":["webp"]}

    Note

    You can specify a null value only when you select one of the following match operators:

    • equal to

    • not equal to

    • contains

    • matches regex

http.request.uri.path

The URI path in an HTTP request.

  • Field name: URI Path

  • Type: String

  • Case-sensitive.

  • Empty string not allowed in the match value.

  • Example:

    "/image/cat.jpg"

http.request.uri.path.extension

The file name extension in the URI path in an HTTP request.

  • Field name: File Name Extension

  • Type: String

  • Case-sensitive.

  • Empty string not allowed in the match value.

  • Example:

    URI path        Field value
    /cat            ""
    /cat.jpg        "jpg"
    /.jpg           ""
    /.cat.jpg       "jpg"
    /cat.jpg.tar    "tar"
    /cat.           ""
    /cat.JPG        "JPG"

http.request.uri.path.file_name

The file name in the URI path in an HTTP request.

  • Field name: File Name

  • Type: String

  • Case-sensitive.

  • Empty string not allowed in the match value.

  • Example:

    URI path        Field value
    /cat            "cat"
    /cat.jpg        "cat"
    /.jpg           ""
    /.cat.jpg       ".cat"
    /cat.jpg.tar    "cat.jpg"
    /cat.           "cat"
    /CAT.jpg        "CAT"

http.request.uri.path.full_file_name

The full file name in the URI path in an HTTP request.

  • Field name: Full File Name

  • Type: String

  • Case-sensitive.

  • Empty string not allowed in the match value.

  • Example:

    "cat.jpg"

http.request.uri.query

The URI query string in an HTTP request.

  • Field name: URI Query String

  • Type: String

  • Case-sensitive.

  • Empty string not allowed in the match value.

  • Example:

    "width=400&height=300&format=webp"

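The URI-derived fields above can be reproduced offline to check which value a rule will actually compare against, including the case-preserving, last-suffix-only behaviour of the file name fields. The following Python sketch is an added example, not ESA code: `split_file_name` and `derive_fields` are hypothetical helper names, the splitting rules are inferred only from the tables and examples on this page, and the handling of repeated query parameters is an assumption based on the Map<Array<String>> type.

```python
from urllib.parse import urlsplit, parse_qs


def split_file_name(path):
    """Return (full_file_name, file_name, extension) for a URI path.

    The rules are inferred from the two tables on this page.
    """
    full = path.rsplit("/", 1)[-1]       # last path segment
    dot = full.rfind(".")                # only the final suffix counts
    if dot == -1:                        # "/cat": no extension
        return full, full, ""
    if dot == 0:                         # "/.jpg": both fields are "" in the tables
        return full, "", ""
    return full, full[:dot], full[dot + 1:]   # case is preserved ("JPG" != "jpg")


def derive_fields(full_uri):
    """Model the URI-derived match fields for one http.request.full_uri value."""
    parts = urlsplit(full_uri)
    full, name, ext = split_file_name(parts.path)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    return {
        "http.request.uri": uri,
        "http.request.uri.path": parts.path,
        "http.request.uri.query": parts.query,
        # Map<Array<String>>: modelled so a repeated parameter keeps every value (assumption)
        "http.request.uri.args": parse_qs(parts.query, keep_blank_values=True),
        "http.request.uri.path.full_file_name": full,
        "http.request.uri.path.file_name": name,
        "http.request.uri.path.extension": ext,
    }


if __name__ == "__main__":
    # Constructed sample inputs: the page's own example URI plus two edge cases.
    samples = [
        "https://www.example.com/image/cat.jpg?width=400&height=300&format=webp",
        "https://www.example.com/upload/report.PDF?id=1&id=2",
        "https://www.example.com/backup/site.sql.tar",
    ]
    for s in samples:
        for field, value in derive_fields(s).items():
            print(f"{field:40} {value!r}")
        print()
```
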
http.request.version

The HTTP version in an HTTP request.

  • Field name: HTTP Version

  • Type: String

  • Example:

    "HTTP/1.0"

    "HTTP/1.1"

    "HTTP/2.0"

    "HTTP/3.0"

http.user_agent

The User-Agent header carried in an HTTP request.

  • Field name: User Agent

  • Type: String

  • Case-sensitive.

  • Empty string allowed in the match value.

  • Example:

    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"

http.x_forwarded_for

The X-Forwarded-For header carried in an HTTP request.

  • Field name: X-Forwarded-For

  • Type: String

  • Case-sensitive.

  • Empty string allowed in the match value.

  • Example:

    "192.168.0.1, 10.10.0.1"

ip.geoip.asnum

The autonomous system number (ASN) of the CIDR block to which the source IP address belongs. For more information, see What is an ASN?

  • Field name: ASN

  • Type: Number

  • Example:

    37963

ip.geoip.continent

The continent where the request source IP address is located.

  • Field name: Continent

  • Type: String

  • Example:

    AS

Continent name    Continent code
Africa            AF
Antarctica        AN
Asia              AS
Europe            EU
North America     NA
Oceania           OC
South America     SA

ip.geoip.country

The country or region where the request source IP address is located. For more information, see Introduction of the ISO 3166 standard.

  • Field name: Country or Region

  • Type: String

  • Case-insensitive.

  • Empty string not allowed in the match value.

  • Example:

    "CN"

ip.src

The request source IP address.

  • Field name: Client IP

  • Type: IP address

  • Case-insensitive.

  • Empty string not allowed in the match value.

  • Example:

    192.0.2.1

ip.src.isp

The Internet service provider (ISP) of the request source IP address.

  • Field name: ISP

  • Type: String

  • Example:

    "100017"

ISP name                                         ISP code
China Telecom                                    100017
China Mobile                                     100025
China Unicom                                     100026
China Netcom                                     100016
China Tietong                                    100020
Great Wall Broadband                             100061
China Education and Research Network (CERNET)    100027
China Broadcasting Network                       1000139
Beijing Gehua CATV Network                       100080
Dr.Peng Group                                    1000143
Alibaba                                          100098
Alibaba Cloud                                    1000323
Tencent                                          1000401
Baidu                                            100099
ChinaNetCenter                                   100093

ip.src.version

The IP version of the request source IP address.

  • Field name: IP Version

  • Type: String

  • Example:

    "IPv4"

    "IPv6"

ip.src.subdivision_1_iso_code

The ISO code of the first-level subdivision area in the geographic location of the request source IP address. For more information, see Introduction of the ISO 3166 standard.

  • Field name: Province

  • Type: String

  • Case-sensitive.

  • Example:

    "CN-ZJ"

ip.src.region_code

The region code of the load balancer in the geographic location of the request source IP address.

  • Field name: Load Balancer Region

  • Type: String

  • Case-sensitive.

  • Example:

    "EAS"

Region name         Region code
Eastern Europe      EEU
Western Europe      WEU
North America       NAM
South America       SAM
Middle East         ME
North Africa        NAF
South Africa        SAF
Oceania             OC
East Asia           EAS
Southeast Asia      SEAS
South Asia          SAS
Chinese Mainland    CNM

ssl

Indicates whether to use the SSL or TLS protocol.

  • Field name: SSL/HTTPS

  • Type: Boolean

  • Example:

    true

Extended fields

Extended fields are custom fields provided by ESA in special scenarios.

ali.static_resource

Indicates whether the request is a static request.

  • Field name: Static Request

  • Type: Boolean

  • Example:

    true

ali.tls_hash

The hash value corresponding to the TLS information carried in a request.

  • Field name: TLS Fingerprint

  • Type: String

  • Example:

    ABC123HASH

ali.tls_client_auth.cert_verified

The client certificate has been verified.

  • Field name: Client Certificate Verified

  • Type: Boolean

  • Example:

    true

ali.js_detection.passed

JavaScript verification has been passed.

  • Field name: JavaScript Verified

  • Type: Boolean

  • Example:

    true

Original fields

Original fields ensure that the original property values of client requests are persisted when they are transferred among multiple ESA function modules, preventing loss of source data characteristics due to internal logic processing.

http.request.body.raw

The original body content of an HTTP request.

  • Field name: HTTP Request Body

  • Type: String

  • Example:

    "ABC123"