User-Agent is an HTTP header. It contains information about the client that makes the request, including the operating system (OS), OS version, browser, and browser version. You can configure a User-Agent blacklist or whitelist to restrict access to Alibaba Cloud CDN resources and improve service security.
Usage notes
The blacklist and whitelist are mutually exclusive and cannot be configured at the same time.
If the value of the User-Agent header in a request matches a value in the User-Agent blacklist, the request can reach the point of presence (POP) but is rejected by the POP. Then, the HTTP 403 status code is returned to the client, and the request is recorded in Alibaba Cloud CDN logs.
You are charged for data transfer that is generated when POPs block malicious requests. If clients request resources over HTTPS, you are also charged for HTTPS requests.
Procedure
Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
In the left-side navigation tree of the domain name, click Access Control.
On the page that appears, click the User-Agent Blacklist/Whitelist tab.
On the User-Agent Blacklist/Whitelist tab, click Modify.
Configure a Blacklist or Whitelist as prompted.
Parameter
Description
Type
The following types of lists are supported:
Blacklist
Requests whose User-Agent header matches a value in the blacklist are rejected, and an HTTP 403 status code is returned.
Whitelist
Only requests whose User-Agent header matches a value in the whitelist are allowed to access resources on POPs.
Rules
When you specify User-Agent fields, separate fields with vertical bars (|). The wildcard character (*) is supported. Example:
*curl*|*IE*|*chrome*|*firefox*
Note
If you want to enable access control for requests whose User-Agent header is empty, you can use the this-is-empty-ua parameter to specify that the User-Agent header is empty.
If you specify the this-is-empty-ua parameter in the rules of the whitelist, requests that contain an empty User-Agent header are allowed.
If you specify the this-is-empty-ua parameter in the rules of the blacklist, requests that contain an empty User-Agent header are rejected.
The User-Agent blacklist and whitelist do not support access control for requests that do not contain the User-Agent header. You can use EdgeScript or submit a ticket to enable the feature. For more information, see EdgeScript overview.
Rule Condition
Rule conditions can identify parameters in a request to determine whether a configuration applies to the request.
Do not use conditions
Select the configured rule conditions in Rules Engine. For more information, see Rules engine.
Click OK.
Configuration examples
Example 1: Configure a whitelist
Rules of the whitelist:
*IE*|*firefox*
Expected result: Only requests that are sent from IE or Firefox are allowed to access resources on POPs.
Example 2: Configure a blacklist
Rules of the blacklist:
*IE*|this-is-empty-ua
Expected result: Requests that are sent from IE or contain an empty User-Agent header are rejected.
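The rule syntax and the two configuration examples above can be checked offline against User-Agent values before a list is applied to a domain. The following Python model is an added example, not Alibaba Cloud code. It assumes that matching ignores case and that a pattern must cover the whole header value; the function names and sample values are constructed for illustration.

```python
import re

EMPTY_UA_TOKEN = "this-is-empty-ua"  # keyword the page gives for an empty header value


def compile_rules(rules):
    """Split a rule string on '|' and turn each '*' wildcard field into a regex."""
    compiled = []
    for field in rules.split("|"):
        if field == EMPTY_UA_TOKEN:
            compiled.append(None)  # marker: matches only an empty header value
            continue
        # Only '*' is a wildcard; every other character is matched literally.
        pattern = ".*".join(re.escape(part) for part in field.split("*"))
        # Assumption: matching ignores case (the page does not specify this).
        compiled.append(re.compile(pattern, re.IGNORECASE | re.DOTALL))
    return compiled


def evaluate(list_type, rules, user_agent):
    """Return 'allow', 'reject' (HTTP 403) or 'not_evaluated' for one request.

    user_agent is None when the request has no User-Agent header at all and ''
    when the header is present but empty.
    """
    if list_type not in ("blacklist", "whitelist"):
        raise ValueError("list_type must be 'blacklist' or 'whitelist'")
    if user_agent is None:
        return "not_evaluated"  # per the page, the list does not cover a missing header
    matched = any(
        user_agent == "" if rule is None else rule.fullmatch(user_agent) is not None
        for rule in compile_rules(rules)
    )
    if list_type == "blacklist":
        return "reject" if matched else "allow"
    return "allow" if matched else "reject"


# Constructed sample values, as they might be pulled from access logs.
SAMPLES = {
    "firefox": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
    "msie": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "curl": "curl/8.4.0",
    "empty": "",
    "missing": None,
}

if __name__ == "__main__":
    for list_type, rules in (("whitelist", "*IE*|*firefox*"), ("blacklist", "*IE*|this-is-empty-ua")):
        for name, ua in SAMPLES.items():
            print(f"{list_type:9} {rules:22} {name:8} -> {evaluate(list_type, rules, ua)}")
```

The not_evaluated result marks requests that carry no User-Agent header, which the list does not cover and which need EdgeScript or a ticket as described above.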