Custom rule (IP blocklist/allowlist, regional restrictions, etc.)

Last updated: 2026-04-24 18:01:22

Overview

If your site requires custom control over user access policies, such as blocking access from users in specific regions, allowing links from specific external sites to your content, or restricting access to certain resources for specific users only, you can use custom rules. Custom rules support matching client requests based on either a single rule condition or multiple combined conditions. By allowing, blocking, redirecting, or returning custom pages for matched requests, these rules help your site more flexibly restrict user-accessible content.

Typical Scenarios and Usage Patterns

You can select appropriate rule types based on different scenarios to safeguard your site. Custom rules fall into the following types:
Basic Access Control: Supports single-condition matching requests, handles or observes matched requests, and applies to protection handling in simple scenarios. For example: configure IP address allowlist and blocklist, Referer blocklist, UA allowlist and blocklist, or geographic restrictions.
Exact Match Rule: Supports matching requests based on multiple condition combinations, handles or observes matched requests, and is applicable to protection configurations in complex scenarios. For example: only allow specified users to access files under specified paths.
Managed Custom Policy: Policies customized by Tencent security experts, which cannot be adjusted in the console. For details, see Managed Custom Rules.
Note:
When multiple rules of the same type exist, they take effect in the following order of priority:
1. Rules under Basic Access Control follow this execution order when a request matches multiple rules: Observe > Block.
2. Exact Match Rules are executed in order of priority (smaller priority values indicate higher precedence).
3. For the priority order between custom rules and other Web protection capabilities, see Web Protection Request Processing Order.

Basic Access Control

Example Scenario 1: Only Allow Access from Specific Countries/Regions

To comply with regulatory requirements in specific business regions, you may need to restrict visitor source regions, for example when your business only allows access from regions outside the Chinese mainland. For such scenarios, you can use region control rules in Basic Access Control. The procedure is as follows:
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. Click Security Protection > Web Protection. By default, it is the site-level protection policy. If you need to configure differentiated protection policies for specific domains under the current site, please go to the Domain-level Protection Policy Tab, click the corresponding domain to enter the domain-level protection policy configuration page. The subsequent steps are the same.
3. Navigate to the Custom Rules card, and click Add Rule in Basic Access Control.
4. Fill in the rule name, configure matching conditions and enforcement actions. Taking the example scenario, you can set the matching field to Region, and when Region includes Chinese mainland (all), set the enforcement action to Block.

5. After the Save and Publish button is clicked, the rule will be deployed and take effect. At this point, client access requests originating from the Chinese mainland will not be allowed to access the website.

Example Scenario 2: Configuring Referer to Control Access from External Sites

Note:
The HTTP protocol allows the Referer header to use full or partial URLs; configure the matching content based on actual requirements. For details about the Referer header, see RFC9110.
It is recommended to use wildcard matching for the specified domain name URI, for example: https://www.example.com*, which can cover the root path of this domain and all its pages.
To prevent unauthorized sites from accessing resources via links, you can use the Referer Control rule in Basic Access Control to block requests from unauthorized sources. For example: the site service https://www.myexample.com needs to allow requests accessed through its advertising partner's link https://ads.example.com/ads-link, while blocking content access via links from other sites. The procedure is as follows:
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. Click Security Protection > Web Protection. By default, it is the site-level protection policy. Click the Domain-level Protection Policy Tab, then in the domain-level protection policy, click Target Domain to go to the target domain protection policy configuration page, for example: www.myexample.com.
3. Navigate to the Custom Rules card, and click Add Rule in Basic Access Control.
4. Fill in the rule name, configure matching conditions and enforcement actions. For the example scenario, set the matching field to Referer, and when the Referer wildcard does not match https://www.myexample.com* or https://ads.example.com/ads-link*, set the enforcement action to Block.

5. After Save and Publish is clicked, the rule will be deployed and take effect.

Example Scenario 3: Configure URL Access Restrictions

When sensitive directories or resources exist in your business, you can use the URL Control rule in Basic Access Control to block unauthorized access. For example: prohibit external access to the /admin/* or /config/*.json directories. The procedure is as follows:
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. Click Security Protection > Web Protection. By default, it is the site-level protection policy. Click the Domain-level Protection Policy Tab, then in the domain-level protection policy, click Target Domain to go to the target domain protection policy configuration page, for example: www.myexample.com.
3. Navigate to the Custom Rules card, and click Add Rule in Basic Access Control.
4. Fill in the rule name, configure matching conditions and enforcement actions. For example: set the matching field to URL, when the Request URL wildcard matches /admin/* or /config/*.json, set the enforcement action to Block. Where:
Use * to match zero or more characters, use ? to match a single character.
https://www.myexample.com* can match https://www.myexample.com, https://www.myexample.com/, https://www.myexample.com/index.html, https://www.myexample.com/news?id=1 and other request sources.
https://ads.example.com/ads-link* can match https://ads.example.com/ads-link, https://ads.example.com/ads-link/, https://ads.example.com/ads-link?campaign=123 and other request sources.

5. After Save and Publish is clicked, the rule will be deployed and take effect.

Example Scenario 4: Configure IP address Blocklist

When you identify suspicious abnormal client IP addresses in metric analysis or Web security analysis, you can use the Client IP control rule in Basic Access Control to block access requests from abnormal client IP addresses. For example: prohibit access from the network segment 2.2.2.0/24 or the single IP address 1.1.1.1. The procedure is as follows:
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. Click Security Protection > Web Protection. By default, it is the site-level protection policy. Click the Domain-level Protection Policy Tab, then in the domain-level protection policy, click Target Domain to go to the target domain protection policy configuration page, for example: www.myexample.com.
3. Navigate to the Custom Rules card, and click Add Rule in Basic Access Control.
4. Fill in the rule name, configure matching conditions and enforcement actions. Take the example scenario: set the matching field to Client IP, when Client IP address equals 2.2.2.0/24 or 1.1.1.1, set the enforcement action to Block. The network segment 2.2.2.0/24 represents all IP addresses from 2.2.2.0 to 2.2.2.255.

5. After Save and Publish is clicked, the rule will be deployed and take effect.

Example Scenario 5: Configure User-Agent Blocklist

When you identify suspicious abnormal User-Agents in Metric Analysis or Web Security Analysis, you can use the User-Agent Control rules in Basic Access Control to intercept requests carrying abnormal User-Agents. For example: observe in the Top User-Agent of metric analysis a large number of curl/ requests (such as curl/7.61.1, curl/8.7.1), and User-Agents from crawlers (such as Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)), which do not conform to the normal access patterns of the business and need to be blocked. The procedure is as follows:
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. Click Security Protection > Web Protection. By default, it is the site-level protection policy. Click the Domain-level Protection Policy Tab, then in the domain-level protection policy, click Target Domain to go to the target domain protection policy configuration page, for example: www.myexample.com.
3. Navigate to the Custom Rules card, and click Add Rule in Basic Access Control.
4. Fill in the rule name, configure matching conditions and enforcement actions. For example: set the matching field to User-Agent, when User-Agent wildcard matches curl/* or *GPTBot*, set the enforcement action to Block. Where:
Use * to match multiple characters, and use ? to match a single character.
curl/* can match curl/7.61.1, curl/8.7.1, and so on.
*GPTBot* can match any User-Agent containing the GPTBot identifier, for example:
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)
GPTBot/1.0
CustomClient-GPTBot-Test

5. After Save is clicked, the rule will be deployed and take effect.
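The wildcard patterns from scenarios 2, 3 and 5 can be checked locally against sample values before a rule is published. The following is an added example, not Tencent Cloud code or the EdgeOne matching engine: it models only the stated semantics (* matches zero or more characters, ? matches one) and assumes case-sensitive matching, matching of the URL rule against the request path, and that a missing Referer is treated as an empty string. The function names and the "pass" label for unmatched requests are hypothetical.

```python
import re

def wildcard_to_regex(pattern, case_sensitive=True):
    """'*' matches zero or more characters, '?' exactly one (the page's semantics)."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    return re.compile(body, flags)

def matches_any(value, patterns, case_sensitive=True):
    """True if the whole value matches at least one wildcard pattern."""
    return any(wildcard_to_regex(p, case_sensitive).fullmatch(value)
               for p in patterns)

# Patterns copied from scenarios 2, 3 and 5 on this page.
REFERER_PATTERNS = ["https://www.myexample.com*", "https://ads.example.com/ads-link*"]
URL_PATTERNS = ["/admin/*", "/config/*.json"]
UA_PATTERNS = ["curl/*", "*GPTBot*"]

def referer_action(referer):
    """Scenario 2: Block when the Referer matches neither allowed pattern."""
    return "pass" if matches_any(referer, REFERER_PATTERNS) else "Block"

def url_action(path):
    """Scenario 3: Block when the path matches a protected pattern."""
    return "Block" if matches_any(path, URL_PATTERNS) else "pass"

def ua_action(user_agent, case_sensitive=True):
    """Scenario 5: Block when the User-Agent matches a listed pattern."""
    return "Block" if matches_any(user_agent, UA_PATTERNS, case_sensitive) else "pass"

if __name__ == "__main__":
    # Constructed sample values, chosen to show exact and over-broad matches.
    for fn, value in [
        (referer_action, "https://ads.example.com/ads-link?campaign=123"),
        (referer_action, "https://www.myexample.com.lookalike.test/"),  # over-match
        (referer_action, ""),                       # no Referer (modelled as empty)
        (url_action, "/config/env/app.json"),       # '*' also spans '/'
        (url_action, "/admin"),                     # no trailing slash: not matched
        (ua_action, "CustomClient-GPTBot-Test"),
        (ua_action, "gptbot/1.0"),                  # differs only in case
    ]:
        print(f"{fn.__name__:15} {value!r:55} -> {fn(value)}")
```

Because * follows the host name directly in https://www.myexample.com*, the pattern also accepts any longer host name that begins with the same characters; a pattern ending in /* avoids that, at the cost of no longer matching the bare origin without a trailing slash.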

Exact match rule

Example scenario: Precise control of the exposure surface for sensitive resources on sites

If you need to control the exposure of sensitive resources on your site (for example: admin pages) and restrict access to specific clients or designated networks, you can use the combination of Client IP address matching and Request URL matching in exact matching rules. For example: the admin login path for site domain www.example.com is /adminconfig/login, which should only allow access from the specified client IP address 1.1.1.1. The procedure is as follows:
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. Click Security Protection > Web Protection. By default, it is the site-level protection policy. Click the Domain-level Protection Policy Tab, then in the domain-level protection policy, click Target Domain to go to the target domain protection policy configuration page, for example: www.example.com.
3. Navigate to the Custom Rules card, and click Add Rule in Exact Matching Rules.
4. Go to the Add Rule page, select create a blank rule, enter a rule name, and click Add.
5. Configure matching conditions and enforcement actions. For example: configure rules to target users where the Request Path (Path) equals /adminconfig/login and the Client IP does not match 1.1.1.1, then set the enforcement action to Block.
Note:
Enforcement Priority: A lower value indicates a higher priority. When a request matches multiple rules, the enforcement action of the rule with the highest priority (lowest value) takes precedence.

6. After Save and Publish is clicked, the rule will be deployed and take effect.
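The Client IP condition from Example Scenario 4 and the priority behaviour of exact match rules described above can be modelled offline to confirm which rule decides a given request. This is an added example, not Tencent Cloud code: the rule names, the priority values 10 and 50, and the second "observe" rule are hypothetical, and the two rule types are evaluated separately because their interaction is documented elsewhere.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

def ip_in(client_ip: str, entries: list) -> bool:
    """True if client_ip equals a listed address or lies inside a listed CIDR."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def client_ip_rule(client_ip: str) -> str:
    """Scenario 4: Client IP equals 2.2.2.0/24 or 1.1.1.1 -> Block."""
    return "Block" if ip_in(client_ip, ["2.2.2.0/24", "1.1.1.1"]) else "no match"

@dataclass
class ExactRule:
    name: str                          # hypothetical rule name
    priority: int                      # lower value = higher priority
    condition: Callable[[dict], bool]  # all sub-conditions combined with AND
    action: str

EXACT_RULES = [
    # Hypothetical lower-priority rule that overlaps with the page's rule.
    ExactRule("observe-adminconfig", 50,
              lambda r: r["path"].startswith("/adminconfig/"), "Observe"),
    # The page's rule: Path equals /adminconfig/login AND Client IP is not 1.1.1.1.
    ExactRule("admin-login-lockdown", 10,
              lambda r: r["path"] == "/adminconfig/login"
              and not ip_in(r["ip"], ["1.1.1.1"]), "Block"),
]

def evaluate(request: dict) -> Optional[ExactRule]:
    """Return the matching rule with the lowest priority value, or None."""
    matched = [rule for rule in EXACT_RULES if rule.condition(request)]
    return min(matched, key=lambda rule: rule.priority) if matched else None

if __name__ == "__main__":
    # Constructed requests: path plus client IP.
    for req in [
        {"path": "/adminconfig/login", "ip": "3.3.3.3"},
        {"path": "/adminconfig/login", "ip": "1.1.1.1"},
        {"path": "/adminconfig/login/", "ip": "3.3.3.3"},  # "equals" is literal
        {"path": "/index.html", "ip": "3.3.3.3"},
    ]:
        hit = evaluate(req)
        print(req, "->", f"{hit.name}: {hit.action}" if hit else "no exact rule matched")
```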

Reference

Supported matching condition scope

The matching conditions supported by different custom rules are as follows. For descriptions of different matching conditions, see Matching Conditions. For the support levels across different editions, see Edition Comparison.
Protection Rule Type: Supported Matching Conditions
Basic Access Control: Client IP Address, Region, Referer, User-Agent, ASN, URL
Exact match rule: Request Host (Host), Request Client IP Address, Request Client IP address (preferentially matches the XFF header), Request Method (Method), Request User-Agent Header, Session Cookie, XFF Extension Header, Request Path (Path), Custom Request Header, Request URL, Request Source (Referer), Network Layer Protocol, Application Layer Protocol, Request Body, JA3 Fingerprint, JA4 Fingerprint

Supported Disposition Methods

Different custom protection rules support different handling methods. For descriptions of each handling method, see Handling Methods.
Protection Rule Type: Supported Disposition Methods
Basic Access Control: Observation, Interception
Exact match rule: Allow, Interception, Observation, IP Blocking, Use custom response content (see Note), Redirect to URL, JavaScript Challenge
Note:
You can configure the return custom response content action for a single custom rule (only exact match rules are supported). When a request matches this rule, EdgeOne will return the page and status code you specified. You can also use the Custom Response Page configuration to define the page and status code applied to all custom rules when intercepting requests.