tencent cloud

Feedback

Custom rule

Last updated: 2024-08-26 09:31:35

    Overview

    If your site needs to customize the user access policy, such as prohibiting users from specified regions, allowing specified external sites to link to the site content, and allowing only specified users to access certain resources. Custom rules support matching client requests based on single rule matching conditions or multiple matching conditions. By allowing, intercepting, redirecting, and returning custom pages, you can control the request strategy of matched requests, which can help your site more flexibly limit the content that users can access.

    Typical Scenarios and Usage

    You can choose the appropriate rule type to protect your site according to different scenarios. Custom rules are divided into the following types:
    Basic access control: Supports single condition matching requests, disposes or observes matched requests, and is suitable for simple scenario protection, such as configuring IP blocklist/allowlist, Referer blocklist, UA blocklist/allowlist, or regional restrictions.
    Precise matching rules: Supports multiple condition combination matching requests, disposes or observes matched requests, and is suitable for complex scenario protection configuration, such as allowing only specified users to access files under specified paths.
    Managed custom policy: A policy customized by Tencent security experts, which does not support console adjustment. For details, please see: Managed custom rules.
    Note:
    When there are multiple rules of the same type, the priority of the rules is as follows:
    1. Rules within Basic access control: when a request matches multiple rules, the actions will be executed in the following order: Observe > Block.
    2. Precise matching rules will be executed from high to low priority (Priority Value from small to large);
    3. For the priority order of Custom rules and other Web Protection capabilities, please refer to: Web Protection Request Processing Order.

    Basic Access Control

    Example Scenario 1: Only allow access from specific countries/regions

    To comply with the legal requirements of specified business regions, if the current business only allows access from non-Chinese mainland regions, you may need to restrict the visitor's source region. For such scenarios, you can use the regional control rules in basic access control to achieve this. The operation steps are as follows:
    1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
    2. Click Security > Web Security . By default, it is a site-level security policy. To configure differentiated security policies for a specific domain name under the current site, you can enter the Domain-level security policy tab and then click the corresponding domain name to enter the configuration page for the domain-level security policy. The subsequent steps are the same.
    3. Locate the Custom rules tab and click Add rule in Basic access control .
    4. Enter the rule name and configure the control type, matching method, and control range. In this example scenario, you can set the control type to Region Control , select the matching method as Include and the matching content as Chinese mainland (All) , and set the action to Block .
    
    5. Click Save . The rule will be deployed and take effect. At this time, if the client access IP is from the Chinese mainland, the access to the website is denied.

    Example Scenario 2: Configure Referer to control external site access

    Note:
    The HTTP protocol allows the Referer header to use a full URL or partial URL. You should configure the matching content according to the actual situation. For details about the Referer header, see RFC 9110.
    To prevent unauthorized site access, you can use the Referer control rules in basic access control to block access requests with unauthorized Referer headers. For example, if the service at the https://www.myexample.com site needs to allow access requests through the advertising partner's link https://ads.example.com/ads-link and reject access through other site links, you can take the following steps:
    1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
    2. Click Security > Web Security . By default, it is a site-level security policy. Click the Domain-level security policy tab and then click the target domain name such as www.myexample.com , to enter the configuration page for the security policy of the target domain name.
    3. Locate the Custom rules tab and click Add rule in Basic access control.
    4. Enter the rule name and configure the control type, matching method, and control range. In this example scenario, you can set the control type to Referer control , and select the action as Block when the request Referer does not equal https://www.myexample.com or https://ads.example.com/ads-link.
    
    5. Click Save. The rule will be deployed and take effect.

    Precise Matching Rules

    Example Scenario: Precisely control the exposure surface of sensitive resources on the site

    If you need to control the exposure surface of sensitive resources (such as the background management page) on the site and only allow access from specific clients or specified networks. You can use the client IP matching and request URL matching combination in precise matching rules to achieve this.
    For example, the current site domain name www.example.com has a management background login address path of /adminconfig/login, and this background is only allowed to be logged in by the specified client IP user 1.1.1.1. The operation steps are as follows:
    1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
    2. Click Security > Web Security . By default, it is a site-level security policy. Click the Domain-level security policy tab and then click the target domain name such as www.example.com, to enter the configuration page for the security policy of the target domain name.
    3. Locate the Custom rules tab and click Add rule in Precise matching rules .
    4. On the rule adding page, select creating a blank rule, enter the rule name, and click Add.
    5. Configure the judgment conditions and actions. In this example scenario, you can configure the matching fields as Request path (Path) equals /adminconfig/login and Client IP not matching 1.1.1.1 , and set the action to Block.
    Note:
    Priority: The lower the value, the higher the priority. When a request matches multiple rules, the action of the rule with the higher priority (lower numerical value) applies.
    
    6. Click Save and publish . The rule will be deployed and take effect.

    Related References

    Supported Matching Condition Range

    Custom rules can use matching conditions to control the scope of rule application. The following are the matching conditions supported by different custom rule types:
    Basic access control
    Rule type
    Description
    Client IP control
    Control access requests based on client IP
    Regional control
    Control access requests based on client IP location
    Referer control
    Control access requests based on the Referer header content
    User-Agent control
    Control access requests based on the User-Agent
    ASN control
    Control access requests based on the client IP location ASN
    URL control
    Control access requests based on the request URL, supporting wildcard matching
    Precise matching rules
    Precise matching rules support the following matching conditions, and the support level for different EdgeOne plans is also not consistent.
    Note:
    For the description and plan restrictions of supported matching conditions, please refer to: Matching conditions.
    Request domain name (Host)
    Request client IP
    Request client IP (prioritizing XFF header)
    Request method (Method)
    Request User-Agent header
    Session cookie
    XFF extended header
    Request path (Path)
    Custom request header
    Request URL
    Request source (Referer)
    Network layer protocol
    Application layer protocol
    Request body
    JA3 fingerprint

    Supported Actions

    Different custom protection rules support the following actions. For the description of different actions, please refer to Actions.
    Protection rule type
    Supported actions
    Basic access control
    Observe
    Intercept
    Precise matching rules
    Release
    Intercept
    Observe
    IP blocking rule
    Return custom response content Annotation
    Redirect to URL
    JavaScript challenge
    Note:
    Annotation: You can configure the return custom response content action for a single custom rule (only precise matching rules are supported). When a request matches the rule, EdgeOne will return the specified page and status code. You can also configure the custom response page to specify the page and status code used for all custom rules to block requests.
    
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support