With HTTP ACL policy, you can customize access control rules to filter HTTP requests by client IP, request URL, and commonly used HTTP fields.
HTTP ACL Policy supports customizing HTTP access control to filter HTTP requests based on a combination of criteria of commonly used HTTP fields, such as IP, URL, Referer, UA, and parameters. This feature applies to different business scenarios, such as anti-leech protection and website admin console protection.
HTTP ACL policy rule
Each HTTP ACL policy rule consists of a Matching condition and Action. When creating a rule, you define the matching condition by configuring matching fields, logical operators, and the corresponding match content, and select the action to be triggered in a match case.
A match condition is composed of matching fields, logical operators, and matching content. The matching content does not support regular expression descriptions, but is allowed to be set to null.
|Matching field||Description||Supported logical operators|
|IP||The client IP address.
Note You can add up to 50 IPs or IP segments, separated by commas (,).
|URL||The requested URL.||
|Referer||The address of the previous web page with a link to the current request page.||
|User-Agent||The user agent string that identifies information about the client's browser.||
|Params||The parameters in the request URL, which start after "?". For example, the parameter of the URL www.abc.com/index.html? action=login is action=login.||
|Cookie||The cookie in the request URL.||
|Content-Type||The Media type of the body of the request (used with POST and PUT requests).||
|X-Forwarded-For||The x-forward-for field in the request URL. X-Forwarded-For (XFF) identifies the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.||
|Content-Length||The length of the request body in octets (8-bit bytes).||
|Post-Body||The response content of the request.||
|Http-Method||The request method, such as GET, POST.||
|Header||The customized header field.||
The following actions can be performed after a rule is matched:
- Block: blocks the request that matches the condition.
- Allow: allows the request that matches the condition.
- Warn: allows the request that matches the condition and triggers an alarm.
Matching rules follow a specific order. The rule with the higher ranking is matched first.
You can adjust the order of the rules to achieve the optimal protection performance.
- Log on to the Alibaba Cloud WAF console.
- Go to the page, and select the region of your WAF instance (Mainland China or International).
- Select the domain to be configured, and click Policies.
- Enable HTTP ACL Policy, and click Settings.
- Click Add Rule, configure the expected rule, and click OK.
- For a created rule, you can either Edit its content or Delete it. If multiple rules are created, you can click Sort Rules to change the default order of them. By using Move up, Move down, Move to top, and Move to bottom, you decide which rule is matched first.
HTTP ACL Policy supports various configuration methods. You can work out the best rules based on your business characteristics. You can also use HTTP ACL policy to fix certain Web vulnerabilities.
Some examples are as follows.
Configure IP blacklist and whitelist
For more information, see Set up IP whitelist and blcaklist.
Block malicious requests
For more information, see Prevent Wordpress pingback attacks.
Block specific URLs