This topic provides answers to some commonly asked questions about access control over Alibaba Cloud CDN resources.
When I configure an IP address blacklist or whitelist, the number of IP addresses is limited. Is a CIDR block considered one IP address or multiple IP addresses?
Alibaba Cloud CDN allows you to add up to about 700 IPv6 addresses and 2,000 IPv4 addresses to an IP address blacklist or whitelist.
A CIDR block is considered one IP address.
Can I obtain the IP addresses of POPs that I want to add to the origin whitelist?
If your daily peak bandwidth is higher than 1 Gbit/s, submit a ticket to apply for the permission to call the DescribeL2VipsByDomain operation and obtain the IP addresses of points of presence (POPs).
If you do not meet the requirements, we recommend that you use firewall policies on your origin servers.
Why can I still use an IP address in the IP address blacklist to request resources?
Alibaba Cloud CDN cannot restrict clients from initiating requests. After you configure an IP address blacklist, Alibaba Cloud CDN returns the HTTP 403 status code for requests from IP addresses in the blacklist and records the requests in Alibaba Cloud CDN logs. For information about how to view logs, see Download offline logs.
How do I retrieve the originating IP addresses of clients?
If you use Alibaba Cloud CDN, you can retrieve the originating IP addresses of clients from the X-Forwarded-For header. For more information, see Retrieve the originating IP addresses of clients.
What do I do if HTTP status code 403 is returned due to URL signing exceptions when I access Alibaba Cloud CDN-accelerated resources?
URL signing is used to protect resources on origin servers from unauthorized downloads. After you enable the URL signing feature of Alibaba Cloud CDN, if HTTP status code 403 is returned when you access Alibaba Cloud CDN-accelerated resources, you can view detailed error information in the Response Header by using the developer tool of the browser. The following section describes the errors:
Error message: X-Tengine-Error:denied by req auth: no url arg auth_key
Cause: The URL signing feature of Alibaba Cloud CDN is enabled, but the request URL does not contain authentication parameters.
Solution: For information about how to use the URL signing feature of Alibaba Cloud CDN, see Configure URL signing. If you no longer require the URL signing feature of Alibaba Cloud CDN, log on to the Alibaba Cloud CDN console and disable the URL signing feature.
Error message: X-Tengine-Error: denied by req auth: expired timestamp
Cause: The URL signing feature of Alibaba Cloud CDN is enabled and the URL contains authentication parameters, but the authentication parameters expired.
Solution: Regenerate a signed URL. For more information, see Configure URL signing.
Error message: X-Tengine-Error: denied by req auth: invalid md5hash
Cause: The MD5 value of the authentication parameter is incorrectly calculated.
Solution: We recommend that you use the URL generator in the Alibaba Cloud CDN console to generate a URL and check the URL and your authentication code. For more information, see URL signing examples.
Can I enable the URL signing and remote authentication features of Alibaba Cloud CDN at the same time?
Yes. If you enable the URL signing and remote authentication features at the same time, requests are first authenticated by the URL signing feature and then by the remote authentication feature.
Can I use the internal IP address of an authentication server in remote authentication?
No. A public IP address must be configured for the remote authentication server.
Why does Alibaba Cloud CDN allow a request even if the status code that is returned by the authentication server does not indicate success or failure?
If the HTTP status code that is returned by the authentication server does not indicate whether a request passes or fails the authentication, the POP allows the request. For example, if the HTTP status code that is specified for requests that pass the authentication is 200, but the authentication server returns the HTTP 201 status code for a request, the POP allows the request. This ensures that no request is blocked due to exceptions.
You can configure the Allow Other Status Codes parameter in the console to specify whether to allow requests for which the authentication server returns other status codes.
Does Alibaba Cloud CDN allow all requests if the remote authentication server fails?
No. If the remote authentication server fails and data exchange between Alibaba Cloud CDN and the authentication server times out, requests are allowed or blocked based on the Action After Timeout parameter.