Unit Type | Configuration Example and Description |
Time (seconds) | Set a 30-minute cache: 30 * 60 = 1800 |
Size (bytes) | Set a 10MB size limit: 10 * 1024 * 1024 = 10485760 |
Configuration Field | Type | Required | Corresponding Configuration Group | Description |
FormatVersion | String | Yes | Global Configuration | Syntax version, defaults to 1.0. Any other value is rejected with an error. |
ZoneConfig | | No | Site Acceleration Configuration Group | Site-level configuration includes all configuration items in Site Acceleration, and all are required unless the configuration is invalid. |
Rules | Array of Rules | No | Site Acceleration Configuration Group | Rule-level configuration includes all rules in the rule engine, and the array can be empty, indicating no rules are enabled. |
WebSecurity | | No | Web protection configuration group | Web security protection settings, covering the features under "Security Protection - Web Protection" in the console. For details, see WebSecurity. |
Name | Type | Required | Description |
Switch | String | No | Switch for acceleration optimization in the Chinese mainland. Values are as follows: on: Enable. off: Disable. |
Name | Type | Required | Description |
StatusCode | Integer | No | Status code, value is one of 301, 302, 303, 307, 308. |
Protocol | String | No | Target request protocol. Values are as follows: http: the target request uses HTTP. https: the target request uses HTTPS. follow: Follow the request. |
HostName | | No | Target HostName. Note: this field may return null, which indicates a failure to obtain a valid value. |
URLPath | | No | Target path. Note: this field may return null, which indicates a failure to obtain a valid value. |
QueryString | | No | Query string. Note: this field may return null, which indicates a failure to obtain a valid value. |
Name | Type | Required | Description |
Action | String | No | Execution action. The values are as follows: full: retain all. ignore: ignore all. |
Name | Type | Required | Description |
Enabled | String | Yes | Is adaptive frequency control enabled? Values are as follows: on: enable. off: disable. |
Sensitivity | String | No | The restriction level of adaptive frequency control. This field is required when Enabled is on. Values are as follows: Loose: Loose. Moderate: Moderate. Strict: Strict. |
Action | | No | The handling method of adaptive frequency control. This field is required when Enabled is on. SecurityAction Name supports: Monitor: Monitor. Deny: Block. |
Name | Type | Required | Description |
MinDelayTime | String | No | Minimum latency response time. When configured as 0s, it means no delay and direct response. Supported measurement units: s: seconds, value ranges from 0 to 5. |
MaxDelayTime | String | No | Maximum latency response time. Supported measurement units: s: seconds, value ranges from 5 to 10. |
Name | Type | Required | Description |
AuthType | String | No | Authentication type. Values are as follows: TypeA: authentication method A; see Authentication Method A. TypeB: authentication method B; see Authentication Method B. TypeC: authentication method C; see Authentication Method C. TypeD: authentication method D; see Authentication Method D. TypeVOD: authentication method V; see Authentication Method V. |
SecretKey | String | No | Primary authentication key, consisting of 6–40 uppercase/lowercase letters or numbers, cannot contain " and $. |
Timeout | Integer | No | Valid duration of the authentication URL, in seconds, value: 1–630720000. Used to judge whether the client access request has expired. If the current time exceeds "timestamp + validity period", the request is expired and a 403 is returned directly. If the current time does not exceed "timestamp + validity period", the request is not expired and the md5 string is then validated. Note: this field is required when AuthType is one of TypeA, TypeB, TypeC, or TypeD. |
BackupSecretKey | String | No | Backup authentication key, consisting of 6–40 uppercase/lowercase letters or numbers, cannot contain " and $. |
AuthParam | String | No | Authentication parameter name. The node will validate the corresponding value of this parameter name. It consists of 1–100 uppercase/lowercase letters, numbers, or underscores. Note: this field is required when AuthType is either TypeA or TypeD. |
TimeParam | String | No | Authentication timestamp, which cannot be the same as the field value of AuthParam. Note: this field is required when AuthType is TypeD. |
TimeFormat | String | No | Authentication time format. Values are as follows: dec: decimal. hex: hexadecimal. Note: this field is required when AuthType is TypeD. The default is hex. |
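The cross-field rules in the authentication table above can be checked before a configuration is imported. The following is an added example, not code from the product: `lint_authentication` and `is_expired` are hypothetical helper names, the sample values are constructed, and the md5 validation step is left out because its string format is not given on this page.

```python
import re

KEY_RE = re.compile(r"[A-Za-z0-9]{6,40}")      # SecretKey / BackupSecretKey
PARAM_RE = re.compile(r"[A-Za-z0-9_]{1,100}")  # AuthParam
AUTH_TYPES = {"TypeA", "TypeB", "TypeC", "TypeD", "TypeVOD"}
TIMEOUT_TYPES = {"TypeA", "TypeB", "TypeC", "TypeD"}


def lint_authentication(cfg):
    """Return a list of findings for one authentication block (empty = clean)."""
    findings = []
    auth_type = cfg.get("AuthType")
    if auth_type not in AUTH_TYPES:
        findings.append(f"AuthType {auth_type!r} is not a documented value")

    # Keys: 6-40 letters or digits, which also excludes the quote and dollar sign.
    for field in ("SecretKey", "BackupSecretKey"):
        value = cfg.get(field)
        if value is not None and not (isinstance(value, str) and KEY_RE.fullmatch(value)):
            findings.append(f"{field} must be 6-40 letters or digits")

    timeout = cfg.get("Timeout")
    if timeout is None:
        if auth_type in TIMEOUT_TYPES:
            findings.append(f"Timeout is required for {auth_type}")
    elif isinstance(timeout, bool) or not isinstance(timeout, int) \
            or not 1 <= timeout <= 630720000:
        findings.append("Timeout must be an integer in 1-630720000")

    auth_param = cfg.get("AuthParam")
    if auth_param is None:
        if auth_type in ("TypeA", "TypeD"):
            findings.append(f"AuthParam is required for {auth_type}")
    elif not (isinstance(auth_param, str) and PARAM_RE.fullmatch(auth_param)):
        findings.append("AuthParam must be 1-100 letters, digits or underscores")

    time_param = cfg.get("TimeParam")
    if time_param is None:
        if auth_type == "TypeD":
            findings.append("TimeParam is required for TypeD")
    elif time_param == auth_param:
        findings.append("TimeParam must differ from AuthParam")

    if auth_type == "TypeD" and cfg.get("TimeFormat") not in ("dec", "hex"):
        findings.append("TimeFormat must be dec or hex for TypeD")
    return findings


def is_expired(timestamp_text, time_format, timeout, now):
    """Expiry rule from the Timeout row: expired when now > timestamp + Timeout."""
    timestamp = int(timestamp_text, 16 if time_format == "hex" else 10)
    return now > timestamp + timeout


if __name__ == "__main__":
    # Constructed sample: TypeD block with a key containing "$" and no Timeout.
    sample = {"AuthType": "TypeD", "SecretKey": "pa$$",
              "AuthParam": "sign", "TimeParam": "sign"}
    for finding in lint_authentication(sample):
        print("finding:", finding)
```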
Name | Type | Required | Description |
Enabled | String | Yes | Traffic Anti-Fraud (applicable only to Chinese mainland) is enabled or not. Values are as follows: on: Enable. off: Disable. |
Action | | No | The handling method of Traffic Anti-Fraud (applicable only to Chinese mainland). This field is required when Enabled is on. SecurityAction Name supports: Monitor: Monitor. Deny: Block. Challenge: Challenge, where ChallengeActionParameters.Name only supports JSChallenge. |
Name | Type | Required | Description |
Duration | String | Yes | The penalty duration for blocking IP. Supported measurement units are as follows: s: seconds, value ranges from 1 to 120. m: minutes, value ranges from 1 to 120. h: hours, value ranges from 1 to 48. |
Name | Type | Required | Description |
ClientAttestationRules | | No | |
Name | Type | Required | Description |
Switch | String | No | Custom cache time switch, valid values: on: Enable. off: Disable. |
CacheTime | Integer | No | Custom cache time value, unit: seconds. Value range: 0-315360000. Note: This field is required when Switch is on. When Switch is off, this field is not required. If filled, it does not take effect. |
Name | Type | Required | Description |
FollowOrigin | | No | Follow the origin site cache config. Only one of FollowOrigin, NoCache, or CustomTime can be configured with Switch set to on. Note: This field may return null, indicating no valid value. |
NoCache | | No | No cache configuration. Only one of FollowOrigin, NoCache, or CustomTime can be configured with Switch set to on. Note: This field may return null, indicating no valid value. |
CustomTime | | No | Custom cache time configuration. Only one of FollowOrigin, NoCache, or CustomTime can be configured with Switch set to on. Note: This field may return null, indicating no valid value. |
Name | Type | Required | Description |
FullURLCache | String | No | Whether full path cache is enabled, values as follows: on: Enable full path cache (ignore parameter disabled). off: Disable full path cache (ignore parameter enabled). |
IgnoreCase | String | No | Whether case-insensitive cache is enabled, values as follows: on: Ignore. off: Do not ignore. |
QueryString | | No | The query string retention config. This field and FullURLCache must be set simultaneously but cannot both be on. |
Name | Type | Required | Description |
Switch | String | No | Feature switch, values as follows: on: Enable. off: Disable. |
Action | String | No | Cache action, values are as follows: full: Retain all. ignore: Ignore all. includeCustom: Retain specified parameters. excludeCustom: Ignore specified parameters. Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
Values | Array of String | No | Custom Cache Key Cookie name list. Note: This field is required when Action is includeCustom or excludeCustom. When Action is full or ignore, it is not required. If filled, it does not take effect. |
Name | Type | Required | Description |
Switch | String | No | Feature switch, values as follows: on: Enable. off: Disable. |
Values | Array of String | No | Custom Cache Key HTTP request header list. Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
{"CacheKey": {"FullURLCache": "on","QueryString": {"Switch": "off"},"IgnoreCase": "on"}}
{"CacheKey": {"FullURLCache": "off","QueryString": {"Switch": "off"},"IgnoreCase": "on"}}
{"CacheKey": {"FullURLCache": "off","QueryString": {"Switch": "on","Action": "includeCustom","Values": ["name1","name2","name3"]},"IgnoreCase": "off"}}
{"CacheKey": {"FullURLCache": "off","QueryString": {"Switch": "on","Action": "excludeCustom","Values": ["name1","name2","name3"]},"IgnoreCase": "off"}}
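To see which requests end up sharing one cached object under each of the four CacheKey samples above, the following added example models the key derivation described in the tables. It is not the product's implementation: `cache_key` and `shared_objects` are hypothetical names, the URLs are constructed, and the key layout (host + path + retained query, lower-cased when IgnoreCase is on) is an assumption.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

# The four CacheKey samples shown above, in page order.
PAGE_CONFIGS = [json.loads(text)["CacheKey"] for text in (
    '{"CacheKey": {"FullURLCache": "on","QueryString": {"Switch": "off"},"IgnoreCase": "on"}}',
    '{"CacheKey": {"FullURLCache": "off","QueryString": {"Switch": "off"},"IgnoreCase": "on"}}',
    '{"CacheKey": {"FullURLCache": "off","QueryString": {"Switch": "on","Action": "includeCustom",'
    '"Values": ["name1","name2","name3"]},"IgnoreCase": "off"}}',
    '{"CacheKey": {"FullURLCache": "off","QueryString": {"Switch": "on","Action": "excludeCustom",'
    '"Values": ["name1","name2","name3"]},"IgnoreCase": "off"}}',
)]

# Constructed requests: they differ in path case, in name1 and in a "token" parameter.
SAMPLE_URLS = [
    "https://example.com/Report.pdf?name1=a&token=x",
    "https://example.com/report.pdf?name1=a&token=y",
    "https://example.com/report.pdf?name1=a&token=x",
    "https://example.com/report.pdf?name1=b",
]


def cache_key(url, cfg):
    """Model of the cache key for one request under one CacheKey block."""
    full = cfg.get("FullURLCache", "off")
    qs = cfg.get("QueryString") or {}
    if full == "on" and qs.get("Switch") == "on":
        raise ValueError("FullURLCache and QueryString.Switch cannot both be on")

    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if full == "on":
        kept = pairs                      # retain the whole query string
    elif qs.get("Switch") == "on":
        action = qs.get("Action")
        names = set(qs.get("Values") or [])
        if action not in ("includeCustom", "excludeCustom") or not names:
            raise ValueError("Action and Values are required when Switch is on")
        if action == "includeCustom":     # only the listed parameters stay in the key
            kept = [p for p in pairs if p[0] in names]
        else:                             # the listed parameters are dropped from the key
            kept = [p for p in pairs if p[0] not in names]
    else:
        kept = []                         # both off: every parameter is ignored

    key = parts.netloc + parts.path
    if kept:
        key += "?" + urlencode(kept)
    return key.lower() if cfg.get("IgnoreCase") == "on" else key


def shared_objects(urls, cfg):
    """Group URLs by key and return only the keys that more than one URL maps to."""
    groups = {}
    for url in urls:
        groups.setdefault(cache_key(url, cfg), []).append(url)
    return {key: hits for key, hits in groups.items() if len(hits) > 1}


if __name__ == "__main__":
    for number, cfg in enumerate(PAGE_CONFIGS, 1):
        print(f"sample {number}: {shared_objects(SAMPLE_URLS, cfg)}")
```

Any parameter that changes the origin's response but is left out of the key shows up here as a shared object, which is the case to review before enabling ignore or includeCustom rules.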
Name | Type | Required | Description |
FullURLCache | String | No | Retain all query strings switch, values as follows: on: Enable. off: Disable. Note: At least one configuration must be set among FullURLCache, IgnoreCase, Header, Scheme, and Cookie. This field and QueryString.Switch must be set simultaneously but cannot both be on. |
QueryString | | No | The query string retention config. This field and FullURLCache must be set simultaneously but cannot both be on. Note: This field may return null, indicating no valid value. |
IgnoreCase | String | No | Case-insensitive switch, values as follows: on: Enable. off: Disable. Note: At least one configuration must be set among FullURLCache, IgnoreCase, Header, Scheme, and Cookie. |
Header | | No | HTTP request header configuration parameters. At least one configuration must be set among FullURLCache, IgnoreCase, Header, Scheme, and Cookie. Note: This field may return null, indicating no valid value. |
Scheme | String | No | Request protocol switch, values as follows: on: Enable. off: Disable. Note: At least one configuration must be set among FullURLCache, IgnoreCase, Header, Scheme, and Cookie. |
Cookie | | No | Cookie configuration parameter. At least one configuration must be set among FullURLCache, IgnoreCase, Header, Scheme, and Cookie. Note: This field may return null, indicating no valid value. |
Name | Type | Required | Description |
Switch | String | No | Query string retain/ignore specified parameter switch, values as follows: on: Enable. off: Disable. |
Action | String | No | Query string retain/ignore specified parameter action. Values are as follows: includeCustom: Retain some parameters. excludeCustom: Ignore some parameters. Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
Values | Array of String | No | List of parameter names to retain/ignore in the query string. Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
Name | Type | Required | Description |
FollowOrigin | | No | Follow the origin site cache. If left unset, this configuration is not set. Only one of FollowOrigin, NoCache, or CustomTime can be configured with Switch set to on. Note: This field may return null, indicating no valid value. |
NoCache | | No | No cache. If left unset, this configuration is not set. Only one of FollowOrigin, NoCache, or CustomTime can be configured with Switch set to on. Note: This field may return null, indicating no valid value. |
CustomTime | | No | Custom cache time. If left unset, this configuration is not set. Only one of FollowOrigin, NoCache, or CustomTime can be configured with Switch set to on. Note: This field may return null, indicating no valid value. |
Name | Type | Required | Description |
Switch | String | No | Cache pre-refresh switch, values are as follows: on: Enable. off: Disable. |
CacheTimePercent | Integer | No | The pre-refresh time is set to a percentage value of the node cache time, values: 1–99. Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
Name | Type | Required | Description |
ChallengeOption | String | Yes | Safe execution challenge action. The values are as follows: InterstitialChallenge: Interstitial challenge. InlineChallenge: Embedded challenge. JSChallenge: JavaScript challenge. ManagedChallenge: Managed challenge. |
Interval | String | No | Time interval for repeated challenges. This field is required when Name is InterstitialChallenge/InlineChallenge. Default value is 300s. Supported units are as follows: s: seconds, value ranges from 1 to 60. m: minutes, value ranges from 1 to 60. h: hours, value ranges from 1 to 24. |
AttesterId | String | No | Client authentication method ID. This field is required when Name is InterstitialChallenge/InlineChallenge. |
Name | Type | Required | Description |
Id | String | No | Rule ID of the client authentication rule. Different rule configurations can be supported through the rule ID: Add new rule: ID is empty or no specified ID parameter. Modify existing rule: specify the rule ID to be updated/modified. Delete existing rules: Existing rules not included in the ClientAttestationRule list of BotManagement parameters will be deleted. |
Name | String | No | Name of the client authentication rule. |
Enabled | String | No | Whether the rule is enabled. Values as follows: on: Enable. off: Disable. |
Priority | Integer | No | Rule priority. A smaller value indicates higher priority execution, ranging from 0 to 100. Default is 0. |
Condition | String | No | The rule content must comply with expression grammar. For details, refer to the product document. |
AttesterId | String | No | Client authentication Option ID. |
DeviceProfiles | Array of DeviceProfile | No | Client device configuration. If the DeviceProfiles parameter value is not specified in ClientAttestationRules: Keep the existing client device configuration and do not modify it. |
InvalidAttestationAction | | No | Client authentication failed handling method. SecurityAction Name parameter supports: Deny: Block. Monitor: Monitor. Redirect: Redirect. Challenge: Challenge. Default value: Monitor. |
Name | Type | Required | Description |
Rules | Array of ClientAttestationRule | No | List of client authentication. Use ModifySecurityPolicy to modify Web protection configuration: If the Rules parameter in SecurityPolicy.BotManagement.ClientAttestationRules is not specified or has a length of zero: Clear all client authentication rule configurations. If the ClientAttestationRules parameter value is not specified in SecurityPolicy.BotManagement: Keep the existing client authentication rule configuration and do not modify it. |
Name | Type | Required | Description |
Enabled | String | Yes | Intelligent client filtering is enabled or not. Values are as follows: on: Enable. off: Disable. |
Action | | No | The handling method of intelligent client filtering. This field is required when Enabled is on. SecurityAction Name supports: Monitor: Monitor. Deny: Block. Challenge: Challenge, where ChallengeActionParameters.Name only supports JSChallenge. |
Name | Type | Required | Description |
Switch | String | No | Configuration switch, values as follows: on: Enable. off: Disable. |
HeaderName | String | No | The request header name for storing regional information of the client IP. Valid when Switch=on. If empty, use the default value: EO-Client-IPCountry. |
Name | Type | Required | Description |
Switch | String | No | Configuration switch, values as follows: on: Enable. off: Disable. |
HeaderName | String | No | The request header name containing client IP during origin pull. When Switch is on, this parameter is required. X-Forwarded-For cannot be filled in. |
Name | Type | Required | Description |
Switch | String | No | Intelligent compression configuration switch, values as follows: on: Enable. off: Disable. |
Algorithms | Array of String | No | Supported compression algorithm list. When Switch is on, this field is required, otherwise it is ineffective. Values are as follows: brotli: the brotli algorithm. gzip: the gzip algorithm. |
Name | Type | Required | Description |
Switch | String | Yes | Content compression configuration switch, values as follows: on: Enable. off: Disable. When the Switch is on, it simultaneously supports the brotli and gzip compression algorithms. |
Name | Type | Required | Description |
Name | String | Yes | Custom rule name. |
Condition | String | Yes | The custom rule content must comply with expression grammar. For details, refer to the product document. |
Action | | Yes | Execution action of the custom rule. Supported Name values for SecurityAction: Deny: Block. Monitor: Monitor. ReturnCustomPage: Use the specified page to block. Redirect: Redirect to URL. BlockIP: IP block. JSChallenge: JavaScript challenge. ManagedChallenge: Managed challenge. Allow: Pass. |
Enabled | String | Yes | Whether the custom rule is enabled. Values are as follows: on: Enable. off: Disable. |
Id | String | No | Custom rule ID. Different rule configurations can be supported through the rule ID: Add new rule: ID is empty or no specified ID parameter. Modify existing rule: specify the rule ID to be updated/modified. Delete existing rules: Existing rules not included in the Rules list of CustomRules parameters will be deleted. |
RuleType | String | No | Custom rule type. Values are as follows: BasicAccessRule: basic access control. PreciseMatchRule: exact matching rule, default. ManagedAccessRule: expert custom rule, output only. Default is PreciseMatchRule. |
Priority | Integer | No | Priority of custom rules, ranging from 0 to 100. Default is 0. Only supports exact matching rules (PreciseMatchRule). |
Name | Type | Required | Description |
Rules | Array of CustomRule | No | Custom rule definition list. Use ModifySecurityPolicy to modify Web protection configuration: If the Rules parameter is not specified or has a length of zero: Clear all custom rule configurations. If the CustomRules parameter value is not specified in SecurityPolicy: Keep the existing custom rule configuration and do not modify it. |
Name | Type | Required | Description |
Switch | String | No | Custom cache time switch, values are as follows: on: Enable. off: Disable. |
IgnoreCacheControl | String | No | Ignore origin server CacheControl switch, values are as follows: on: Enable. off: Disable. Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
CacheTime | Integer | No | Custom cache time value in seconds, range: 0–315360000. Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
Name | Type | Required | Description |
BlockIp | String | No | Whether to extend the ban on the source IP. Values are as follows: on: Enable. off: Disable. When enabled, the client IP that triggers the rule is blocked continuously, and the BlockIpDuration parameter must be specified as well. Note: This option cannot be combined with the ReturnCustomPage or Stall option. |
BlockIpDuration | String | No | Ban duration for the IP when BlockIp is on. |
ReturnCustomPage | String | No | Whether to use a custom page. Values are as follows: on: Enable. off: Disable. When enabled, custom page content is used to block requests, and the ResponseCode and ErrorPageId parameters must be specified as well. Note: This option cannot be combined with the BlockIp or Stall option. |
ResponseCode | String | No | Status code of the custom page. |
ErrorPageId | String | No | PageId of the custom page. |
Stall | String | No | Whether to suspend the request source without processing. Values are as follows: on: Enable. off: Disable. When enabled, requests in the current connection session are no longer answered and the connection is not actively closed. Used against crawlers to consume client connection resources. Note: This option cannot be combined with the BlockIp or ReturnCustomPage option. |
Name | Type | Required | Description |
ClientType | String | Yes | Client device type. Values are as follows: iOS. Android. WebView. |
HighRiskMinScore | Integer | No | The minimum value to determine a request as high-risk ranges from 1–99. The larger the value, the higher the request risk, resembling a request initiated by a Bot client. The default value is 50, corresponding to 51–100 as high-risk. |
HighRiskRequestAction | | No | Handling method for high-risk requests. SecurityAction Name parameter supports: Deny: Block. Monitor: Monitor. Redirect: Redirect. Challenge: Challenge. Default value: Monitor. |
MediumRiskMinScore | Integer | No | The minimum value to determine a request as medium-risk ranges from 1–99. The larger the value, the higher the request risk, resembling a request initiated by a Bot client. The default value is 15, corresponding to 16–50 as medium-risk. |
MediumRiskRequestAction | | No | Handling method for medium-risk requests. SecurityAction Name parameter supports: Deny: Block. Monitor: Monitor. Redirect: Redirect. Challenge: Challenge. Default value: Monitor. |
Name | Type | Required | Description |
StatusCode | Integer | Yes | Status code. Support scope: 400, 403, 404, 405, 414, 416, 451, 500, 501, 502, 503, 504. |
RedirectURL | String | Yes | Redirect URL. Must be a complete redirect path, such as https://www.test.com/error.html. |
Name | Type | Required | Description |
ErrorPageParams | Array of ErrorPage | No | Custom error page configuration list. Note: This field may return null, indicating no valid value. |
Name | Type | Required | Description |
Id | String | No | Exception rule ID. Different rule configurations can be supported through the rule ID: Add new rule: ID is empty or no specified ID parameter. Modify existing rule: specify the rule ID to be updated/modified. Delete existing rules: Existing rules not included in the Rules list of ExceptionRules parameters will be deleted. |
Name | String | No | Exception rule name. |
Condition | String | No | The exception rule content must comply with expression grammar. For details, refer to the product document. |
SkipScope | String | No | Exception rule execution option, values are as follows: WebSecurityModules: The security protection module that designates exception rules. ManagedRules: Designate managed rules. |
SkipOption | String | No | Skip request specific type, values are as follows: SkipOnAllRequestFields: Skip all requests; SkipOnSpecifiedRequestFields: Skip specified request fields. Valid when SkipScope is ManagedRules. |
WebSecurityModulesForException | Array of String | No | Security protection module with specified exception rules. Valid when SkipScope is WebSecurityModules. Valid values: websec-mod-managed-rules: managed rules; websec-mod-rate-limiting: rate limit; websec-mod-custom-rules: custom rule; websec-mod-adaptive-control: adaptive frequency control, intelligent client filter, slow attack protection, traffic theft protection; websec-mod-bot: bot management. |
ManagedRulesForException | Array of String | No | Specific managed rules for designated exception rules. Valid only when SkipScope is ManagedRules, and at this point, you cannot specify ManagedRuleGroupsForException. |
ManagedRuleGroupsForException | Array of String | No | Managed rule groups for exception rules. Valid only when SkipScope is ManagedRules, and at this point, you cannot specify ManagedRulesForException. |
RequestFieldsForException | Array of RequestFieldsForException | No | Specify exception rules to skip specific request fields. Valid only when SkipScope is ManagedRules and SkipOption is SkipOnSpecifiedRequestFields. |
Enabled | String | No | Whether the exception rule is enabled. Values are as follows: on: Enable. off: Disable. |
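Exception rules switch protection off for matching requests, so they are worth auditing before import. The following added example (not product code) checks the field combinations stated in the table above and summarizes what each enabled rule bypasses; `audit_exception_rule` and `enabled_skips` are hypothetical names, and the rule names and rule/group IDs in the sample are constructed placeholders.

```python
# Module names listed in the WebSecurityModulesForException row.
MODULES = {
    "websec-mod-managed-rules", "websec-mod-rate-limiting",
    "websec-mod-custom-rules", "websec-mod-adaptive-control", "websec-mod-bot",
}
SKIP_OPTIONS = {"SkipOnAllRequestFields", "SkipOnSpecifiedRequestFields"}


def audit_exception_rule(rule):
    """Return (skips, findings): what the rule bypasses and which fields conflict."""
    findings, skips = [], []
    scope = rule.get("SkipScope")
    option = rule.get("SkipOption")
    modules = rule.get("WebSecurityModulesForException") or []
    rule_ids = rule.get("ManagedRulesForException") or []
    group_ids = rule.get("ManagedRuleGroupsForException") or []
    fields = rule.get("RequestFieldsForException") or []

    if scope == "WebSecurityModules":
        unknown = sorted(set(modules) - MODULES)
        if unknown:
            findings.append(f"unknown module(s): {', '.join(unknown)}")
        if option or rule_ids or group_ids or fields:
            findings.append("SkipOption, ManagedRulesForException, "
                            "ManagedRuleGroupsForException and RequestFieldsForException "
                            "are only valid when SkipScope is ManagedRules")
        skips = [f"module:{name}" for name in modules if name in MODULES]
    elif scope == "ManagedRules":
        if modules:
            findings.append("WebSecurityModulesForException is only valid "
                            "when SkipScope is WebSecurityModules")
        if option is not None and option not in SKIP_OPTIONS:
            findings.append(f"SkipOption {option!r} is not a documented value")
        if rule_ids and group_ids:
            findings.append("ManagedRulesForException and "
                            "ManagedRuleGroupsForException cannot both be specified")
        if fields and option != "SkipOnSpecifiedRequestFields":
            findings.append("RequestFieldsForException is only valid with "
                            "SkipOption SkipOnSpecifiedRequestFields")
        suffix = " (specified fields only)" if option == "SkipOnSpecifiedRequestFields" else ""
        skips = [f"rule:{r}{suffix}" for r in rule_ids]
        skips += [f"group:{g}{suffix}" for g in group_ids]
    else:
        findings.append(f"SkipScope {scope!r} is not a documented value")
    return skips, findings


def enabled_skips(rules):
    """Map each enabled exception rule name to the protections it bypasses."""
    return {rule.get("Name", "<unnamed>"): audit_exception_rule(rule)[0]
            for rule in rules if rule.get("Enabled") == "on"}


# Constructed sample rules; IDs are placeholders, not real rule or group IDs.
SAMPLE_RULES = [
    {"Name": "skip-bot-for-health-check", "Enabled": "on",
     "SkipScope": "WebSecurityModules",
     "WebSecurityModulesForException": ["websec-mod-bot", "websec-mod-rate-limiting"]},
    {"Name": "conflicting-fields", "Enabled": "on", "SkipScope": "ManagedRules",
     "SkipOption": "SkipOnAllRequestFields",
     "ManagedRulesForException": ["RULE-ID-PLACEHOLDER"],
     "ManagedRuleGroupsForException": ["GROUP-ID-PLACEHOLDER"],
     "RequestFieldsForException": [{}]},
    {"Name": "disabled-rule", "Enabled": "off", "SkipScope": "ManagedRules",
     "ManagedRulesForException": ["RULE-ID-PLACEHOLDER"]},
]

if __name__ == "__main__":
    for sample in SAMPLE_RULES:
        print(sample["Name"], audit_exception_rule(sample))
```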
Name | Type | Required | Description |
Rules | Array of ExceptionRule | No | Definition list of exception rules. Use ModifySecurityPolicy to modify the Web protection configuration: If the Rules parameter is not specified or has a length of zero: Clear all exception rule configurations. If the ExceptionRules parameter value is not specified in SecurityPolicy: Keep the existing exception rule configuration and do not modify it. |
Name | Type | Required | Description |
Switch | String | Yes | Follow the origin site configuration switch, values as follows: on: Enable. off: Disable. |
DefaultCache | String | No | Cache/no-cache switch when the origin server does not return a Cache-Control header. When Switch is on, this field is required. When Switch is off, no need to specify this field. If filled, it does not take effect. Values are as follows: on: Cache. off: Do not cache. |
DefaultCacheStrategy | String | No | Use/do not use default caching policy switch when the origin server does not return a Cache-Control header. When DefaultCache is on, this field is required, otherwise it is ineffective. When DefaultCacheTime is not 0, this field must be off. Values are as follows: on: Use default caching policy. off: Do not use default caching policy. |
DefaultCacheTime | Integer | No | Default cache time in seconds when the origin server does not return a Cache-Control header. Value range: 0-315360000. When DefaultCache is on, this field is required, otherwise it is ineffective. When DefaultCacheStrategy is on, this field must be 0. |
Name | Type | Required | Description |
Switch | String | No | Access forced redirection configuration switch, values as follows: on: Enable. off: Disable. |
RedirectStatusCode | Integer | No | Redirection status code. When Switch is on, this field is required, otherwise it is ineffective. Values are as follows: 301: 301 redirect. 302: 302 redirect. |
Name | Type | Required | Description |
Enabled | String | No | Whether the high-frequency scan protection rule is enabled. Values are as follows: on: Enable high frequency scan protection rule to take effect. off: Disable high frequency scan protection rule. |
Action | | No | Handling action for high-frequency scan protection. This field is required when Enabled is on. SecurityAction Name supports: Deny: Block and respond with an interception page. Monitor: Observe without processing requests, record security events in logs. JSChallenge: JavaScript challenge, respond with a JavaScript challenge page. |
CountBy | String | No | Request statistics match mode. This field is required when Enabled is on. Values are as follows: http.request.xff_header_ip: client ip (priority match xff header); http.request.ip: client IP. |
BlockThreshold | Integer | No | This parameter specifies the threshold for high-frequency scan protection, which is the cumulative number of interceptions when managed rules configured as blocklist are hit within the time range set by CountingPeriod. The value ranges from 1 to 4294967294, such as 100. When exceeding this statistical value, subsequent requests will trigger the handling action set by Action. This field is required when Enabled is on. |
CountingPeriod | String | No | This parameter specifies the statistical time window for high-frequency scan protection, which is the time window for counting requests that hit managed rules configured as blocklist. The value ranges from 5 to 1800, and the measurement unit is only supported in seconds (s), such as 5s. This field is required when Enabled is on. |
ActionDuration | String | No | This parameter specifies the duration of the handling Action set by the Action parameter for high-frequency scan protection. The value ranges from 60 to 86400, and the unit is only supported in seconds (s), such as 60s. This field is required when Enabled is on. |
Name | Type | Required | Description |
Switch | String | No | gRPC configuration switch, values as follows: on: Enable. off: Disable. |
Name | Type | Required | Description |
Action | String | Yes | HTTP header setting method. Values are as follows: set: Set. Update the specified header to the configured value. del: Delete. Remove the specified header parameter. add: Add. Add the specified header parameter. |
Name | String | Yes | HTTP header name. |
Value | String | No | HTTP header value. This parameter is required when Action is set or add; not required when Action is del. |
Name | Type | Required | Description |
Action | String | No | Execution action. The values are as follows: followOrigin: Follow source site domain. custom: Custom. |
ServerName | String | No | Host Header rewrite, need to fill in complete domain name. Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
Name | Type | Required | Description |
Action | String | No | Target HostName configuration. Values are as follows: follow: Follow request. custom: Custom. |
Value | String | No | Target HostName custom value, maximum length 1024. Note: This field is required when Action is custom. When Action is follow, it is ineffective. |
Configuration Field | Type | Required | Description |
Host | String | Yes | Site-level policy, a policy that takes effect for all domain names under the site. For details, see Site-level Policy. |
PolicyType | String | Yes | Policy type used by the current domain. ZoneDefault: Use the site-level policy, which is the policy configuration defined in ZoneDefaultPolicy. Custom: Use a domain-level policy. With this option, the Policy field must also be configured to specify the policy settings. Template: Use a policy template. With this option, the TemplateId field must also be configured to designate the policy template used by the current domain. |
Policy | Object | No | When PolicyType is Custom, this field is the policy configuration for the current domain and takes effect on it. |
TemplateId | String | No | When PolicyType is Template, this field specifies the policy Template Id used by the current domain. If cross-site binding is needed, append the site Id where the policy Template resides after the Template Id with "@" as the identifier. |
Name | Type | Required | Description |
Switch | String | No | HSTS toggle on/off, values as follows: on: Enable. off: Disable. |
Timeout | Integer | No | Cache HSTS header time in seconds, range: 1-31536000. Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
IncludeSubDomains | String | No | Whether to allow other subdomains to inherit the same HSTS header, values as follows: on: Allow other subdomains to inherit the same HSTS header. off: Do not allow other subdomains to inherit the same HSTS header. Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
Preload | String | No | Whether to allow the browser to preload HSTS header, values are as follows: on: Allow the browser to preload HSTS header. off: Do not allow the browser to preload HSTS header. Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
Name | Type | Required | Description |
Switch | String | No | HTTP2 access configuration switch, values are as follows: on: Enable. off: Disable. |
Name | Type | Required | Description |
AdaptiveFrequencyControl | | No | Specific configuration of adaptive frequency control. |
ClientFiltering | | No | Specific configuration of intelligent client filter. |
BandwidthAbuseDefense | | No | Specific configuration of bandwidth abuse protection. |
SlowAttackDefense | | No | Specific configuration of slow attack protection. |
Name | Type | Required | Description |
StatusCode | Integer | No | Response status code. Support 2XX, 4XX, 5XX, excluding 499, 514, 101, 301, 302, 303, 509, 520-599. |
ResponsePage | String | No | Response page ID. |
Name | Type | Required | Description |
ResponseTimeout | Integer | No | HTTP response timeout, in seconds, value: 5–600. |
Name | Type | Required | Description |
Switch | String | No | IPv6 access feature configuration, values as follows: on: Enable IPv6 access feature. off: Disable IPv6 access feature. |
Name | Type | Required | Description |
RuleId | String | Yes | Specific items under the managed rule group, used to rewrite the configuration content of this single rule. Refer to product documentation. |
Action | Yes | Specify the handling action for the managed rule item in RuleId. Supported Name values for SecurityAction: Deny: Block and respond with an interception page. Monitor: Observe without processing requests, record security events in logs. Disabled: Not activated, skip scan requests, skip the rule. |
Name | Type | Required | Description |
AutoUpdateToLatestVersion | String | Yes | Whether automatic update to the latest version is enabled. Values are as follows: on: Enable. off: Disable. |
RulesetVersion | String | No | Currently used version, format compliant with ISO 8601 standard, such as 2023-12-21T12:00:32Z, empty by default, output only. |
Name | Type | Required | Description |
RuleId | String | No | Managed rule Id |
RiskLevel | String | No | Protection level of the managed rule. Values are as follows: low: Low risk; this rule poses lower risk and is suitable for access scenarios under strict control. Rules of this severity may cause considerable false alarms. medium: Medium risk; this rule poses normal risk and applies to strict protection scenarios. high: High risk; this rule poses relatively high risk and will not generate false alarms in most scenarios. extreme: Ultra-high risk; this rule poses extremely high risk and will not generate false alarms. |
Description | String | No | Rule description. |
Tags | Array of String | No | Rule tag. Some types of rules do not have tags. |
RuleVersion | String | No | Rule ownership version. |
Name | Type | Required | Description |
GroupId | String | Yes | The group name of the managed rule. Unspecified configuration rules will be processed based on the default configuration. Refer to product documentation for the specific value of GroupId. |
SensitivityLevel | String | Yes | Protection level of the managed rule group. Values are as follows: loose: Loose, contains only ultra-high-risk rules. In this case, Action must be configured and RuleActions is invalid. normal: Normal, contains ultra-high-risk and high-risk rules. In this case, Action must be configured and RuleActions is invalid. strict: Strict, contains ultra-high-risk, high-risk, and medium-risk rules. In this case, Action must be configured and RuleActions is invalid. extreme: Ultra-strict, contains ultra-high-risk, high-risk, medium-risk, and low-risk rules. In this case, Action must be configured and RuleActions is invalid. custom: Custom, refined strategy; the handling method is configured per individual rule. In this case, the Action field is invalid. Use RuleActions to configure the handling of single rules. |
Action | Yes | Handling actions for the managed rule group. Supported Name values for SecurityAction: Deny: Block and respond with an interception page. Monitor: Observe without processing requests, record security events in logs. Disabled: Not activated, skip scan requests and the rule. | |
RuleActions | Array of ManagedRuleAction | No | Configuration of rule items under the managed rule group takes effect only when SensitivityLevel is set to custom. |
MetaData | No | Managed rule group information, only returned in SecurityAction |
Name | Type | Required | Description |
GroupDetail | String | No | Managed rule group description, only returned in output. |
GroupName | String | No | Managed rule group name, only returned in output. |
RuleDetails | Array of ManagedRuleDetail | No | Information of all sub-rules under the current managed rule group, only returned in output. |
Name | Type | Required | Description |
Enabled | String | Yes | Whether the managed rule is enabled. Values as follows: on: turn on, all managed rules take effect as configured. off: turn off, all managed rules are disabled. |
DetectionOnly | String | Yes | Whether the evaluation mode is enabled. Valid when the Enabled parameter is on. Values are as follows: on: enable, indicating all managed rules take effect in observation mode. off: turn off, indicating all managed rules take effect with actual configuration. |
SemanticAnalysis | String | No | Whether the semantic analysis option for managed rules is enabled. Valid when the Enabled parameter is on. Values are as follows: on: enable, perform semantic analysis on the request and process it. off: turn off, skip semantic analysis and process the request directly. Default off. |
AutoUpdate | No | Managed rule automatic update option. | |
ManagedRuleGroups | Array of ManagedRuleGroup | No | Configuration of managed rule groups. If this structure passes an empty array or GroupId is not included in the list, it will be handled based on the default method. |
FrequentScanningProtection | No | High-frequency scan protection configuration options. When a visitor's frequent requests hit a managed rule configured for interception, all requests from that visitor will be blocked within a period of time. |
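The interaction of Enabled, DetectionOnly, SensitivityLevel, Action and RuleActions described in the tables above can be checked on an exported configuration. The following Python sketch is an added example, not code from the product documentation: it resolves the action each rule ends up with and reports high-risk rules that do not resolve to Deny. It assumes the export includes the output-only MetaData.RuleDetails; the GroupId and RuleId values are constructed, and the labels `not-in-level` and `default`, as well as mapping Deny to Monitor when DetectionOnly is on, are this example's interpretation of the descriptions.

```python
# Risk levels contained in each SensitivityLevel, per the SensitivityLevel row above.
LEVEL_RISKS = {
    "loose": {"extreme"},
    "normal": {"extreme", "high"},
    "strict": {"extreme", "high", "medium"},
    "extreme": {"extreme", "high", "medium", "low"},
}


def effective_actions(managed_rules):
    """Return {RuleId: (RiskLevel, resolved action)} for every rule in RuleDetails."""
    enabled = managed_rules.get("Enabled") == "on"
    detection_only = managed_rules.get("DetectionOnly") == "on"
    result = {}
    for group in managed_rules.get("ManagedRuleGroups", []):
        level = group["SensitivityLevel"]
        # Per-rule overrides only count when SensitivityLevel is custom.
        overrides = {ra["RuleId"]: ra["Action"]["Name"]
                     for ra in group.get("RuleActions", [])}
        for rule in group.get("MetaData", {}).get("RuleDetails", []):
            if not enabled:
                action = "Disabled"            # Enabled=off disables all managed rules
            elif level == "custom":
                # Assumption: rules without an override fall back to a platform default.
                action = overrides.get(rule["RuleId"], "default")
            elif rule["RiskLevel"] in LEVEL_RISKS[level]:
                action = group["Action"]["Name"]
            else:
                action = "not-in-level"        # rule is outside the chosen level
            if detection_only and action == "Deny":
                action = "Monitor"             # observation mode: nothing is blocked
            result[rule["RuleId"]] = (rule["RiskLevel"], action)
    return result


def review(managed_rules):
    """List settings that are silently ignored or leave high-risk rules unblocked."""
    findings = []
    for group in managed_rules.get("ManagedRuleGroups", []):
        level = group["SensitivityLevel"]
        if level != "custom" and group.get("RuleActions"):
            findings.append(
                f"{group['GroupId']}: RuleActions ignored (SensitivityLevel is {level})")
    for rule_id, (risk, action) in effective_actions(managed_rules).items():
        if risk in {"extreme", "high"} and action != "Deny":
            findings.append(f"{rule_id}: {risk}-risk rule resolves to {action}")
    return findings


# Constructed sample export; the identifiers are placeholders, not real rule IDs.
SAMPLE = {
    "Enabled": "on",
    "DetectionOnly": "off",
    "ManagedRuleGroups": [
        {"GroupId": "example-group-a", "SensitivityLevel": "normal",
         "Action": {"Name": "Deny"},
         "RuleActions": [{"RuleId": "rule-a3", "Action": {"Name": "Deny"}}],
         "MetaData": {"RuleDetails": [
             {"RuleId": "rule-a1", "RiskLevel": "extreme"},
             {"RuleId": "rule-a2", "RiskLevel": "high"},
             {"RuleId": "rule-a3", "RiskLevel": "medium"}]}},
        {"GroupId": "example-group-b", "SensitivityLevel": "custom",
         "Action": {"Name": "Monitor"},
         "RuleActions": [{"RuleId": "rule-b1", "Action": {"Name": "Disabled"}}],
         "MetaData": {"RuleDetails": [
             {"RuleId": "rule-b1", "RiskLevel": "extreme"},
             {"RuleId": "rule-b2", "RiskLevel": "low"}]}},
    ],
}

if __name__ == "__main__":
    for line in review(SAMPLE):
        print(line)
```

Running the same review with DetectionOnly set to on shows every Deny turning into Monitor, which is the state to look for when a policy was left in evaluation mode after tuning.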
Name | Type | Required | Description |
FollowOrigin | String | No | Follow the origin server Cache-Control switch, values as follows: on: follow the origin site, ignore CacheTime time setting. off: do not follow the origin site, use CacheTime time setting. |
CacheTime | Integer | No | Custom cache time value in seconds, range: 0–315360000. Note: When FollowOrigin is off, it means not following the origin server and using CacheTime to set the cache time, otherwise it is ineffective. |
Name | Type | Required | Description |
MinimalAvgTransferRateThreshold | String | Yes | Minimum Body Transfer Rate threshold, only supports bps. |
CountingPeriod | String | Yes | Statistical time range for Minimum Body Transfer Rate, values are as follows: 10s: 10 seconds; 30s: 30 seconds; 60s: 60 seconds; 120s: 120 seconds. |
Enabled | String | Yes | Whether the Minimum Body Transfer Rate threshold is enabled. Values are as follows: on: Enable. off: Disable. |
Name | Type | Required | Description |
OriginType | String | No | Origin server type. Values as follows: IPDomain: IPV4, IPV6, or domain type origin server; OriginGroup: Origin server group type origin server; LoadBalance: Load balancing. This feature is in beta test. If needed, submit a ticket; COS: Tencent Cloud Object Storage (COS) origin server; AWSS3: Supports ALL object storage origin servers with AWS S3 protocol. |
Origin | String | No | Origin server address is divided into following scenarios based on OriginType value. When OriginType = IPDomain, specify this parameter as IPV4 addresses, IPV6 addresses, or domain name; When OriginType = COS, specify this parameter as the cos bucket access domain; When OriginType = AWSS3, specify this parameter as the S3 bucket access domain; When OriginType = OriginGroup, specify this parameter as the origin server group ID; When OriginType = LoadBalance, specify this parameter as the Cloud Load Balancer instance ID. This feature is currently available to allowlist only. |
OriginProtocol | String | No | Protocol configuration for origin request. This parameter is required when OriginType value is IPDomain, OriginGroup, or LoadBalance. Valid values: http: use HTTP protocol; https: use HTTPS protocol; follow: follow protocol. |
HTTPOriginPort | Integer | No | HTTP origin port, value ranges from 1 to 65535. This parameter must be filled in when the origin-pull protocol OriginProtocol is http or follow. |
HTTPSOriginPort | Integer | No | HTTPS origin port, value ranges from 1 to 65535. This parameter must be filled in when the origin-pull protocol OriginProtocol is https or follow. |
PrivateAccess | String | No | Whether access to the private Cloud Object Storage origin server is allowed. This parameter is required when the origin server type OriginType = COS or AWSS3. Valid values: on: enable private authentication; off: Do not use private authentication. |
PrivateParameters | No | Private authentication parameter. This parameter is valid only when OriginType = AWSS3 and PrivateAccess = on. Note: This field may return null, indicating no valid value. |
Name | Type | Required | Description |
HeaderActions | Array of HeaderAction | No | HTTP header setting rule list. Note: This field may return null, indicating no valid value. |
Name | Type | Required | Description |
HeaderActions | Array of HeaderAction | No | HTTP origin-pull header rule list. Note: This field may return null, indicating no valid value. |
Name | Type | Required | Description |
Switch | String | Yes | No cache configuration switch, values as follows: on: Enable. off: Disable. |
Name | Type | Required | Description |
Switch | String | No | OCSP stapling configuration switch, values as follows: on: Enable. off: Disable. |
Name | Type | Required | Description |
Switch | String | No | Offline cache switch, values as follows: on: Enable. off: Disable. |
Name | Type | Required | Description |
AccessKeyId | String | Yes | Access Key ID. |
SecretAccessKey | String | Yes | Secret Access Key. |
SignatureVersion | String | Yes | Authentication version. Valid values: v2: v2 version. v4: v4 version. |
Region | String | No | bucket region |
Name | Type | Required | Description |
Protocol | String | No | Origin-pull protocol configuration, values as follows: http: use HTTP protocol for origin retrieval. https: use HTTPS protocol for origin retrieval. follow: follow protocol. |
Name | Type | Required | Description |
Switch | String | No | Whether to enable file upload limit for POST requests, in bytes. The platform default limit is 32 * 2^20 bytes. Values are as follows: on: Enable limitation. off: Disable limit. |
MaxSize | Integer | No | Maximum limit for file streaming transmission in POST requests. This field is valid only when Switch is on, with a value between 1MB and 800MB in bytes. |
Name | Type | Required | Description |
Switch | String | No | QUIC configuration switch, values as follows: on: Enable. off: Disable. |
Name | Type | Required | Description |
Switch | String | No | Range-based origin pull switch, values as follows: on: Enable. off: Disable. |
Name | Type | Required | Description |
Id | String | No | Precise rate limit ID. Different rule configurations can be supported through the rule ID: Add new rule: ID is empty or no specified ID parameter. Modify existing rule: specify the rule ID to be updated/modified. Delete existing rules: Existing rules not included in the Rules list of RateLimitingRules parameters will be deleted. |
Name | String | No | Name of the precise rate limit. |
Condition | String | No | The specific content of precise rate limiting must comply with expression grammar. Please refer to the product document for detailed specifications. |
CountBy | Array of String | No | Rate threshold request feature match mode. This field is required when Enabled is on. When there are multiple conditions, composite conditions will be used to perform statistics calculation. The maximum of conditions is 5. Valid values: http.request.ip: client IP; http.request.xff_header_ip: client ip (priority match xff header); http.request.uri.path: request access path; http.request.cookies['session']: Cookie named session, where session can be replaced with your own parameter; http.request.headers['user-agent']: HTTP header named user-agent, where user-agent can be replaced with your specified parameter; http.request.ja3: request JA3 fingerprint; http.request.uri.query['test']: URL query parameter named test, where test can be replaced with your specified parameter. |
MaxRequestThreshold | Integer | No | Precise rate limiting intercept count within the specified time range. The value ranges from 1 to 100000. |
CountingPeriod | String | No | Statistical time window. Valid values: 1s: 1 second; 5s: 5 seconds; 10s: 10 seconds; 20s: 20 seconds; 30s: 30 seconds; 40s: 40 seconds; 50s: 50 seconds; 1m: 1 minute; 2m: 2 minutes; 5m: 5 minutes; 10m: 10 minutes; 1h: 1 hour. |
ActionDuration | String | No | Duration of Action. Supported measurement units: s: seconds, value ranges from 1 to 120. m: minutes, value ranges from 1 to 120. h: hours, value ranges from 1 to 48. d: days, value ranges from 1 to 30. |
Action | No | Precision rate limiting handling method. Valid values: Monitor: Monitor. Deny: Block, where DenyActionParameters.Name supports Deny and ReturnCustomPage. Challenge: Challenge, where ChallengeActionParameters.Name supports JSChallenge and ManagedChallenge. Redirect: Redirect to URL. | |
Priority | Integer | No | Priority of precision rate limiting, ranging from 0 to 100. Default is 0. |
Enabled | String | No | Precision rate limiting rule is enabled or not. Valid values: on: Enable. off: Disable. |
Name | Type | Required | Description |
Rules | Array of RateLimitingRule | No | Definition list of precision rate limiting. Use ModifySecurityPolicy to modify Web protection configuration: If the Rules parameter is not specified or has a length of zero: Clear all precision rate limiting configurations. If the RateLimitingRules parameter value is not specified in SecurityPolicy: Keep the existing custom rule configuration and do not modify it. |
Name | Type | Required | Description |
URL | String | Yes | Redirect URL. |
Name | Type | Required | Description |
IdleTimeout | String | Yes | Body transfer timeout duration. The value ranges from 5 to 120, and seconds (s) is the only supported measurement unit. |
Enabled | String | Yes | Whether body transfer timeout is enabled. Valid values: on: Enable. off: Disable. |
Name | Type | Required | Description |
Scope | String | Yes | Specific field to skip. Supported values: body.json: parameter content in JSON requests. In this case, Condition supports key and value, and TargetField supports key and value, such as {"Scope": "body.json", "Condition": "", "TargetField": "key"}, which means ALL parameters in JSON requests skip the WAF scan. cookie: Cookie. In this case, Condition supports key and value, and TargetField supports key and value, such as {"Scope": "cookie", "Condition": "${key} in ['account-id'] and ${value} like ['prefix-']", "TargetField": "value"}, which means cookies whose parameter name equals account-id and whose parameter value wildcard-matches prefix- skip the WAF scan. header: HTTP header parameters. In this case, Condition supports key and value, and TargetField supports key and value, such as {"Scope": "header", "Condition": "${key} like ['x-auth-']", "TargetField": "value"}, which means headers whose parameter name wildcard-matches x-auth- skip the WAF scan. uri.query: URL encoded content/query parameters. In this case, Condition supports key and value, and TargetField supports key and value, such as {"Scope": "uri.query", "Condition": "${key} in ['action'] and ${value} in ['upload', 'delete']", "TargetField": "value"}, which means URL encoded content/query parameters whose name equals action and whose value equals upload or delete skip the WAF scan. uri: Request path URI. In this case, Condition must be empty, and TargetField supports query, path, and fullpath, such as {"Scope": "uri", "Condition": "", "TargetField": "query"}, which means only the query parameters of the request path URI skip the WAF scan. body: Request body content. In this case, Condition must be empty, and TargetField supports fullbody and multipart, such as {"Scope": "body", "Condition": "", "TargetField": "fullbody"}, which means the full request body skips the WAF scan. |
Condition | String | Yes | Expression that selects the specific fields to skip. It must comply with the expression grammar. Filter conditions can reference key and value, and support the in and like operators, combined logically with and. For example: ${key} in ['x-trace-id']: Parameter name equals x-trace-id. ${key} in ['x-trace-id'] and ${value} like ['Bearer *']: Parameter name equals x-trace-id and parameter value wildcard-matches Bearer *. |
TargetField | String | Yes | The values supported in TargetField depend on the value of the Scope parameter, as follows: body.json: supports key, value; cookie: supports key, value; header: supports key, value; uri.query: supports key, value; uri: supports path, query, fullpath; body: supports fullbody, multipart. |
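Because each skip entry removes part of a request from the WAF scan, it is worth linting Scope, Condition and TargetField before an exception rule is deployed. The following Python sketch is an added example, not part of the product documentation: it enforces the combinations listed in the three rows above and warns on entries that exempt a whole scope. The Condition regular expression covers only the forms shown on this page (`${key}` or `${value}` with `in` or `like`, joined by `and`), and treating `fullpath` and `fullbody` as warnings is this example's review heuristic.

```python
import re

# Scope -> TargetField values allowed by the TargetField row above.
KEY_VALUE_SCOPES = {"body.json", "cookie", "header", "uri.query"}
TARGET_FIELDS = {scope: {"key", "value"} for scope in KEY_VALUE_SCOPES}
TARGET_FIELDS["uri"] = {"path", "query", "fullpath"}
TARGET_FIELDS["body"] = {"fullbody", "multipart"}

# One clause: ${key} or ${value}, then in / like, then a list of quoted strings.
CLAUSE = r"\$\{(?:key|value)\}\s+(?:in|like)\s+\[\s*'[^']*'(?:\s*,\s*'[^']*')*\s*\]"
CONDITION_RE = re.compile(CLAUSE + r"(?:\s+and\s+" + CLAUSE + r")*")


def lint_skip_field(entry):
    """Return a list of (severity, message) findings for one skip entry."""
    scope = entry.get("Scope")
    condition = entry.get("Condition", "")
    target = entry.get("TargetField")
    if scope not in TARGET_FIELDS:
        return [("error", f"unsupported Scope {scope!r}")]
    findings = []
    if target not in TARGET_FIELDS[scope]:
        allowed = ", ".join(sorted(TARGET_FIELDS[scope]))
        findings.append(
            ("error", f"TargetField {target!r} not valid for Scope {scope} ({allowed})"))
    if scope in KEY_VALUE_SCOPES:
        if condition == "":
            # Per the body.json example above: an empty Condition matches everything.
            findings.append(
                ("warn", f"empty Condition: all {scope} parameters skip the WAF scan"))
        elif not CONDITION_RE.fullmatch(condition):
            findings.append(
                ("error", "Condition is not '${key|value} in|like [...]' joined by 'and'"))
    else:
        if condition != "":
            findings.append(("error", f"Condition must be empty for Scope {scope}"))
        if target in {"fullpath", "fullbody"}:
            findings.append(("warn", f"{target} exempts the whole {scope} from the WAF scan"))
    return findings


SAMPLES = [
    # The first four entries are the examples given in the Scope row above.
    {"Scope": "cookie", "TargetField": "value",
     "Condition": "${key} in ['account-id'] and ${value} like ['prefix-']"},
    {"Scope": "body.json", "Condition": "", "TargetField": "key"},
    {"Scope": "uri", "Condition": "", "TargetField": "query"},
    {"Scope": "body", "Condition": "", "TargetField": "fullbody"},
    # Constructed invalid entries.
    {"Scope": "header", "Condition": "${key} == 'x-auth'", "TargetField": "value"},
    {"Scope": "uri", "Condition": "${key} in ['id']", "TargetField": "key"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["Scope"], sample["TargetField"], lint_skip_field(sample))
```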
Name | Type | Required | Description |
Mode | String | Yes | Download speed limit mode. Valid values: LimitUponDownload: download speed limit for the entire process; LimitAfterSpecificBytesDownloaded: starts rate limiting after downloading specific bytes at full speed; LimitAfterSpecificSecondsDownloaded: starts rate limiting after downloading for a specified time at full speed. |
MaxSpeed | String | Yes | Speed limit, specify the speed limit size, fill in the value or variable with unit. Currently supported units: KB/s. |
StartAt | String | No | Speed limit start value can be download size or specified duration. Fill in the value or variable with unit, assign download size or specify duration. When Mode value is LimitAfterSpecificBytesDownloaded, valid values for measurement unit: KB. When Mode value is LimitAfterSpecificSecondsDownloaded, valid values for measurement unit: s. |
Name | Type | Required | Description |
ResponseCode | String | Yes | Response status code. |
ErrorPageId | String | Yes | Response custom page ID. |
Name | Type | Required | Description |
Condition | String | No | |
Actions | Array of RuleEngineAction | No | Note: Actions and SubRules cannot be empty at the same time. Note: This field may return null, indicating no valid value. |
SubRules | Array of RuleEngineSubRule | No | Sub-rule list. Multiple rules exist in the list and execute in order from top to bottom. Note: SubRules and Actions cannot be empty at the same time. Currently only support one level of SubRules. Note: This field may return null, indicating no valid value. |
Name | Type | Required | Description |
Name | String | Yes | Operation name. The name must correspond to the parameter structure, for example, if Name=Cache, then CacheParameters is required. Cache: node cache TTL; CacheKey: custom Cache Key; CachePrefresh: cache pre-refresh; AccessURLRedirect: URL redirection; UpstreamURLRewrite: origin-pull URL rewrite; QUIC: QUIC; WebSocket: WebSocket; Authentication: Token authentication; MaxAge: browser cache TTL; StatusCodeCache: status code cache TTL; OfflineCache: Offline cache; SmartRouting: Smart acceleration; RangeOriginPull: range-based origin pull; UpstreamHTTP2: HTTP2 origin pull; HostHeader: host header rewrite; ForceRedirectHTTPS: access protocol forced HTTPS redirect configuration; OriginPullProtocol: HTTPS origin pull; Compression: intelligent compression configuration; HSTS: HSTS; ClientIPHeader: Storage of client request IP header information configuration; OCSPStapling: OCSP stapling; HTTP2: HTTP2 integration; PostMaxSize: Maximum limit configuration for POST request upload file streaming transmission; ClientIPCountry: Carry client IP region information during origin pull; UpstreamFollowRedirect: Parameter configuration for upstream follow redirect; UpstreamRequest: Origin-pull request parameter; TLSConfig: SSL/TLS security; ModifyOrigin: Modify origin server; HTTPUpstreamTimeout: Layer 7 origin pull timeout configuration; HttpResponse: HTTP response; ErrorPage: Custom error page; ModifyResponseHeader: Modify HTTP node response header; ModifyRequestHeader: Modify HTTP node request header; ResponseSpeedLimit: Download speed limit for a single connection; SetContentIdentifier: Set content identifier; Vary: Vary feature configuration. |
CacheParameters | No | Node cache TTL config. When Name value is Cache, this parameter is required. Note: This field may return null, indicating no valid value. | |
CacheKeyParameters | No | Custom Cache Key config. When Name value is CacheKey, this parameter is required. Note: This field may return null, indicating no valid value. | |
CachePrefreshParameters | No | Cache pre-refresh config. When Name value is CachePrefresh, this parameter is required. Note: This field may return null, indicating no valid value. | |
AccessURLRedirectParameters | No | Access URL redirection configuration parameter. When Name value is AccessURLRedirect, this parameter is required. Note: This field may return null, indicating no valid value. | |
UpstreamURLRewriteParameters | No | Origin-pull URL rewrite configuration parameter. When Name value is UpstreamURLRewrite, this parameter is required. Note: This field may return null, indicating no valid value. | |
QUICParameters | No | QUIC configuration parameter. When Name value is QUIC, this parameter is required. Note: This field may return null, indicating no valid value. | |
WebSocketParameters | No | WebSocket configuration parameter. When Name value is WebSocket, this parameter is required. Note: This field may return null, indicating no valid value. | |
AuthenticationParameters | No | Token authentication configuration parameter. When Name value is Authentication, this parameter is required. Note: This field may return null, indicating no valid value. | |
MaxAgeParameters | No | Browser cache TTL config. When Name value is MaxAge, this parameter is required. Note: This field may return null, indicating no valid value. | |
StatusCodeCacheParameters | No | Status code cache TTL config. When Name value is StatusCodeCache, this parameter is required. Note: This field may return null, indicating no valid value. | |
OfflineCacheParameters | No | Offline cache config. When Name value is OfflineCache, this parameter is required. Note: This field may return null, indicating no valid value. | |
SmartRoutingParameters | No | Smart acceleration config. When Name value is SmartRouting, this parameter is required. Note: This field may return null, indicating no valid value. | |
RangeOriginPullParameters | No | Fragment-based origin pull configuration parameters. When Name value is RangeOriginPull, this parameter is required. Note: This field may return null, indicating no valid value. | |
UpstreamHTTP2Parameters | No | HTTP2 origin-pull configuration parameter. When Name value is UpstreamHTTP2, this parameter is required. Note: This field may return null, indicating no valid value. | |
HostHeaderParameters | No | Host Header rewrite config. When Name value is HostHeader, this parameter is required. Note: This field may return null, indicating no valid value. | |
ForceRedirectHTTPSParameters | No | Access protocol forced HTTPS redirect configuration. When Name value is ForceRedirectHTTPS, this parameter is required. Note: This field may return null, indicating no valid value. | |
OriginPullProtocolParameters | No | HTTPS back-to-origin configuration parameters. When Name value is OriginPullProtocol, this parameter is required. Note: This field may return null, indicating no valid value. | |
CompressionParameters | No | Intelligent compression configuration. When Name value is Compression, this parameter is required. Note: This field may return null, indicating no valid value. | |
HSTSParameters | No | HSTS configuration parameters. When Name value is HSTS, this parameter is required. Note: This field may return null, indicating no valid value. | |
ClientIPHeaderParameters | No | Storage of client request IP header information configuration. When Name value is ClientIPHeader, this parameter is required. Note: This field may return null, indicating no valid value. | |
OCSPStaplingParameters | No | OCSP stapling configuration parameters. When Name value is OCSPStapling, this parameter is required. Note: This field may return null, indicating no valid value. | |
HTTP2Parameters | No | HTTP2 access configuration parameter. When Name value is HTTP2, this parameter is required. Note: This field may return null, indicating no valid value. | |
PostMaxSizeParameters | No | POST request upload file streaming transmission maximum limit configuration. When Name value is PostMaxSize, this parameter is required. Note: This field may return null, indicating no valid value. | |
ClientIPCountryParameters | No | Back-to-origin configuration parameter carrying client IP address regional information. When Name value is ClientIPCountry, this parameter is required. Note: This field may return null, indicating no valid value. | |
UpstreamFollowRedirectParameters | No | Upstream Follow Redirect parameter configuration. When Name value is UpstreamFollowRedirect, this parameter is required. Note: This field may return null, indicating no valid value. | |
UpstreamRequestParameters | No | Upstream Request parameter configuration. When Name value is UpstreamRequest, this parameter is required. Note: This field may return null, indicating no valid value. | |
TLSConfigParameters | No | SSL/TLS security configuration parameters. When Name value is TLSConfig, this parameter is required. Note: This field may return null, indicating no valid value. | |
ModifyOriginParameters | No | Modify origin server configuration parameters. When Name value is ModifyOrigin, this parameter is required. Note: This field may return null, indicating no valid value. | |
HTTPUpstreamTimeoutParameters | No | Layer-7 origin-pull timeout. When Name value is HTTPUpstreamTimeout, this parameter is required. Note: This field may return null, indicating no valid value. | |
HttpResponseParameters | No | HTTP response configuration parameter. When Name value is HttpResponse, this parameter is required. Note: This field may return null, indicating no valid value. | |
ErrorPageParameters | No | Custom error page configuration parameter. When Name value is ErrorPage, this parameter is required. Note: This field may return null, indicating no valid value. | |
ModifyResponseHeaderParameters | No | Modify HTTP node response header configuration. When Name value is ModifyResponseHeader, this parameter is required. Note: This field may return null, indicating no valid value. | |
ModifyRequestHeaderParameters | No | Modify HTTP node request header configuration. When Name value is ModifyRequestHeader, this parameter is required. Note: This field may return null, indicating no valid value. | |
ResponseSpeedLimitParameters | No | Download speed limit configuration parameter for single connection. When Name value is ResponseSpeedLimit, this parameter is required. Note: This field may return null, indicating no valid value. | |
SetContentIdentifierParameters | No | Content identification configuration parameter. When Name value is SetContentIdentifier, this parameter is required. Note: This field may return null, indicating no valid value. | |
VaryParameters | No | Vary feature configuration parameter. When Name value is Vary, this parameter is required. | |
ContentCompressionParameters | No | Content compression configuration parameter. When Name value is ContentCompression, this parameter is required. This parameter is an allowlist feature. If needed, contact Tencent Cloud Engineers. |
Name | Type | Required | Description |
Branches | Array of RuleBranch | No | Sub-rule branch. Note: This field may return null, indicating no valid value. |
Description | Array of String | No | Rule annotation. |
RuleName | String | No | Rule name. The name length limit is no more than 255 characters. |
Description | Array of String | No | Rule annotation. Multiple annotations can be filled. |
Branches | Array of RuleBranch | No | Sub-rule branch. This list currently only supports filling in one rule. Multiple entries are invalid. Note: This field may return null, indicating no valid value. |
Name | Type | Required | Description |
Name | String | Yes | Name of the security action to execute. Valid values: Deny: Block; the request is denied access to site resources. Monitor: Monitor, only record logs. Redirect: Redirect to URL. Disabled: Not enabled, disable specified rule. Allow: Allow access, but delay processing requests. Challenge: Challenge, respond to challenge content. BlockIP: To be deprecated, IP block. ReturnCustomPage: To be deprecated, use the specified page to block. JSChallenge: To be deprecated, JavaScript challenge. ManagedChallenge: To be deprecated, managed challenge. |
DenyActionParameters | No | Additional parameters when Name is Deny. | |
RedirectActionParameters | No | Additional parameters when Name is Redirect. | |
AllowActionParameters | No | Additional parameters when Name is Allow. | |
ChallengeActionParameters | No | Additional parameters when Name is Challenge. | |
BlockIPActionParameters | No | To be deprecated, additional parameters when Name is BlockIP. | |
ReturnCustomPageActionParameters | No | To be deprecated, additional parameters when Name is ReturnCustomPage. |
Name | Type | Required | Description |
CustomRules | No | Custom rule configuration. | |
ManagedRules | No | Managed rule configuration. | |
HttpDDoSProtection | No | HTTP DDoS protection configuration. | |
RateLimitingRules | No | Rate limiting rule configuration. | |
ExceptionRules | No | Exception rule configuration. | |
BotManagement | No | Bot management configuration. |
Name | Type | Required | Description |
ContentIdentifier | String | No | Content identifier ID |
Name | Type | Required | Description |
Enabled | String | Yes | Whether slow attack protection is enabled. Valid values: on: Enable. off: Disable. |
Action | No | The handling method of slow attack protection. This field is required when Enabled is on. SecurityAction Name supports: Monitor: Monitor. Deny: Block. | |
MinimalRequestBodyTransferRate | No | Minimum Body Transfer Rate threshold configuration. This field is required when Enabled is on. | |
RequestBodyTransferTimeout | No | Body transfer timeout duration configuration. This field is required when Enabled is on. |
Name | Type | Required | Description |
Switch | String | No | Smart acceleration configuration switch. Valid values: on: Enable. off: Disable. |
Name | Type | Required | Description |
Switch | String | No | Debug feature switch, valid values: on: Enable. off: Disable. |
AllowClientIPList | Array of String | No | Allowed client source. Supports filling in IPv4 and IPv6 IP ranges. 0.0.0.0/0 indicates that all IPv4 clients are allowed for debugging; ::/0 indicates that all IPv6 clients are allowed for debugging. 127.0.0.1 cannot be filled in. Note: When the Switch field is on, this field is required and the number of entries must be 1–100. When Switch is off, this field is not required. If filled, it does not take effect. |
Expires | No | Debug feature expiry time. If the set time is exceeded, the feature will be disabled. Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
Name | Type | Required | Description |
StatusCode | Integer | No | Status code, value is one of 400, 401, 403, 404, 405, 407, 414, 500, 501, 502, 503, 504, 509, 514. |
CacheTime | Integer | No | Cache time value in seconds, range: 0–31536000. |
Name | Type | Required | Description |
StatusCodeCacheParams | Array of StatusCodeCacheParam | No | Status code cache TTL. Note: This field may return null, indicating no valid value. |
Configuration Field | Type | Required | Description |
Id | String | Yes | Policy template ID |
Policy | Object | Yes | Policy settings of the policy template take effect for ALL domain names associated with it. For details, see SecurityPolicy. |
Name | Type | Required | Description |
Version | Array of String | No | TLS version. At least one must be filled in. If multiple versions are filled in, they must be consecutive version numbers. For example, you can enable TLS 1, 1.1, 1.2, and 1.3, but you cannot enable only 1 and 1.2 while disabling 1.1. Valid values: TLSv1: TLSv1 version. TLSv1.1: TLSv1.1 version. TLSv1.2: TLSv1.2 version. TLSv1.3: TLSv1.3 version. |
CipherSuite | String | No | Valid values: loose-v2023: loose-v2023 cipher suite. general-v2023: general-v2023 cipher suite. strict-v2023: strict-v2023 cipher suite. |
Name | Type | Required | Description |
Switch | String | No | Upstream Follow Redirect configuration switch, values as follows: on: Enable. off: Disable. |
MaxTimes | Integer | No | Maximum number of redirects. Value range: 1–5. Note: When Switch is on, this field is required. When Switch is off, this field is not required. If filled, it does not take effect. |
Name | Type | Required | Description |
Switch | String | No | HTTP2 origin-pull configuration switch, values are as follows: on: Enable. off: Disable. |
Name | Type | Required | Description |
Switch | String | No | Cookie configuration switch for origin-pull request parameters, values are as follows: on: Enable. off: Disable. |
Action | String | No | Cookie mode for origin-pull request parameters. When Switch is on, this parameter is required. Values are as follows: full: Retain all. ignore: Ignore all. includeCustom: Retain some parameters. excludeCustom: Ignore some parameters. |
Values | Array of String | No | Specify parameter values. This parameter takes effect only when Action is includeCustom or excludeCustom, and specifies the parameters to keep or ignore. Supports a maximum of 10 parameters. |
Name | Type | Required | Description |
QueryString | No | Query string configuration. Optional configuration. Leave blank for no configuration. Note: This field may return null, indicating no valid value. | |
Cookie | No | Cookie configuration. Optional configuration. Leave blank for no configuration. Note: This field may return null, indicating no valid value. |
Name | Type | Required | Description |
Switch | String | No | Parameter query string configuration switch for origin-pull requests, values as follows: on: Enable. off: Disable. |
Action | String | No | Query string mode. When Switch is on, this parameter is required. Values are as follows: full: Retain all. ignore: Ignore all. includeCustom: Retain some parameters. excludeCustom: Ignore some parameters. |
Values | Array of String | No | Specify parameter values. This parameter takes effect only when the query string mode Action is includeCustom or excludeCustom, used to specify parameters to keep or ignore. Supports a maximum of 10 parameters. |
Name | Type | Required | Description |
Type | String | No | Origin-pull URL rewrite type. Only supports filling in Path. |
Action | String | No | Origin-pull URL rewrite action. Values as follows: replace: replace the full Path. Used to replace the complete request URL Path with the specified Path. addPrefix: add path prefix. Used to add the specified path prefix to the request URL Path. rmvPrefix: remove path prefix. Used to remove the specified path prefix from the request URL Path. regexReplace: replace the full path with a regular expression. Used to match and replace the complete path using Google RE2 regular expressions. |
Value | String | No | Origin-pull URL rewrite value. Should meet the URL Path standard and ensure the rewritten Path starts with / to prevent modification of the origin-pull URL Host, length range 1–1024. When Action is addPrefix, it cannot end with /; when Action is rmvPrefix, * cannot exist; when Action is regexReplace, $NUM can be used to refer to a regular expression capture group, where NUM represents the group number, such as $1, supporting up to $9. |
Regex | String | No | Regular expression used to match the full path when the origin-pull URL rewrite performs a regex replacement. Should meet the Google RE2 specification, length range 1–1024. When Action is regexReplace, this field is required, otherwise not required. |
Name | Type | Required | Description |
Action | String | No | Execution action. The values are as follows: follow: Follow request. custom: Custom. regex: Regular expression matching. |
Regex | String | No | Regular expression matching, length range 1–1024. Note: This field is required when Action is regex. When Action is follow or custom, no need to specify this field. If filled, it does not take effect. |
Value | String | No | Target URL for redirection, length range 1–1024. Note: This field is required when Action is regex or custom. When Action is follow, no need to specify this field. If filled, it does not take effect. |
Name | Type | Required | Description |
Switch | String | Yes | Vary feature configuration switch, values as follows: on: Enable. off: Disable. |
Configuration Field | Type | Required | Description |
ZoneDefaultPolicy | Object | Yes | |
HostPolicy | Array of HostPolicy | Yes | The policy used by each domain name under the current site, including domain names using policy templates, site-level policies, and domain-level policies. For details, refer to domain-level policy HostPolicy. Domain names not in the list will use the site-level policy (ZoneDefaultPolicy) by default. |
Templates | Array of RuleBranch | Yes | Detailed configuration of all policy templates under the current site. For details, refer to Templates. |
Name | Type | Required | Description |
Switch | String | No | WebSocket timeout configuration switch. Valid values: on: Use Timeout as the WebSocket timeout period. off: The platform still supports WebSocket connections, using the system default 15-second timeout period. |
Timeout | Integer | No | Timeout period in seconds, maximum 120 seconds. Note: When Switch is on, this field is required, otherwise it is ineffective. |
Name | Type | Required | Description |
SmartRouting | No | Intelligent acceleration configuration. Note: This field may return null, indicating no valid value. | |
Cache | No | Cache expiration time configuration. Note: This field may return null, indicating no valid value. | |
MaxAge | No | Browser cache configuration. Note: This field may return null, indicating no valid value. | |
CacheKey | No | Node cache key configuration. Note: This field may return null, indicating no valid value. | |
CachePrefresh | No | Cache pre-refresh configuration. Note: This field may return null, indicating no valid value. | |
OfflineCache | No | Offline cache configuration. Note: This field may return null, indicating no valid value. | |
Compression | No | Intelligent compression configuration. Note: This field may return null, indicating no valid value. | |
ForceRedirectHTTPS | No | Access protocol forced HTTPS redirect configuration. Note: This field may return null, indicating no valid value. | |
HSTS | No | HSTS configuration. Note: This field may return null, indicating no valid value. | |
TLSConfig | No | TLS configuration. Note: This field may return null, indicating no valid value. | |
OCSPStapling | No | OCSP stapling configuration. Note: This field may return null, indicating no valid value. | |
HTTP2 | No | HTTP2 configuration. Note: This field may return null, indicating no valid value. | |
QUIC | No | QUIC access configuration. Note: This field may return null, indicating no valid value. | |
UpstreamHTTP2 | No | HTTP2 origin-pull configuration. Note: This field may return null, indicating no valid value. | |
IPv6 | No | IPv6 access configuration. Note: This field may return null, indicating no valid value. | |
WebSocket | No | WebSocket configuration. Note: This field may return null, indicating no valid value. | |
PostMaxSize | No | POST request transmission configuration. Note: This field may return null, indicating no valid value. | |
ClientIPHeader | No | Client IP HTTP Request Headers configuration. Note: This field may return null, indicating no valid value. | |
ClientIPCountry | No | Configuration for whether to carry client IP address regional information during back-to-origin. Note: This field may return null, indicating no valid value. | |
Grpc | No | gRPC protocol support configuration. Note: This field may return null, indicating no valid value. | |
AccelerateMainland | No | Accelerate and optimize configurations in the Chinese mainland. Note: This field may return null, indicating no valid value. | |
StandardDebug | No | Standard Debug configuration. Note: This field may return null, indicating no valid value. |