Edge Security Acceleration: FAQ about access control

Last Updated: Apr 18, 2024

This topic provides answers to some commonly asked questions about access control over Dynamic Content Delivery Network (DCDN) resources.

When I configure an IP address blacklist or whitelist, the number of IP addresses is limited. Is a CIDR block considered one IP address or multiple IP addresses?

Dynamic Content Delivery Network (DCDN) allows you to add up to 700 IPv6 addresses and 2,000 IPv4 addresses to an IP address blacklist or whitelist.

A CIDR block is considered one IP address.

Why can I still use an IP address in the IP address blacklist to request resources?

DCDN cannot restrict clients from initiating requests. After you configure an IP address blacklist, DCDN returns the HTTP 403 status code for requests from IP addresses in the blacklist and records the requests in DCDN logs. For information about how to view logs, see Download offline logs.

How do I retrieve the originating IP addresses of clients?

If you use DCDN, you can retrieve the originating IP addresses of clients from the X-Forwarded-For header. For more information, see Retrieve the originating IP addresses of clients.

Can I obtain the IP addresses of POPs that I want to add to the origin whitelist?

You can submit a ticket to apply for the permission to call the DescribeDcdnL2Ips operation and obtain the IP addresses of points of presence (POPs).

What do I do if HTTP status code 403 is returned due to URL signing exceptions when I access DCDN-accelerated resources?

URL signing is used to protect resources on origin servers from unauthorized downloads. After you enable the URL signing feature of DCDN, if HTTP status code 403 is returned when you access DCDN-accelerated resources, you can view detailed error information in the response headers by using the developer tools of the browser. The following section describes the errors:

Error message: X-Tengine-Error: denied by req auth: no url arg auth_key

  • Cause: The URL signing feature of DCDN is enabled, but the request URL does not contain authentication parameters.

  • Solution: Correctly use URL signing by following instructions in Configure URL signing. If you no longer need it, disable the feature on the DCDN console.

Error message: X-Tengine-Error: denied by req auth: expired timestamp

  • Cause: The URL signing feature of DCDN is enabled and the URL contains authentication parameters, but the authentication parameters expired.

  • Solution: Regenerate a signed URL by following instructions in Configure URL signing.

Error message: X-Tengine-Error: denied by req auth: invalid md5hash

  • Cause: The MD5 value in signing parameters is incorrectly calculated.

  • Solution: We recommend that you generate a signed URL in the DCDN console and compare the URL with the one that is generated by using your own signing code. For more information, see URL signing examples.
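
The following is an added example, not code from Alibaba Cloud: a local check that maps a signed URL to the three X-Tengine-Error causes above before the request is sent. It assumes the Type A layout `auth_key=timestamp-rand-uid-md5hash` with the MD5 taken over `URI-timestamp-rand-uid-key`, a validity window of timestamp plus a TTL, and the order of the checks; `sign_type_a`, `diagnose`, the key and the TTL are hypothetical, so confirm the layout against Configure URL signing for the signing type your domain uses.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit, parse_qs


def _md5hash(uri, timestamp, rand, uid, key):
    # Assumed Type A input string: "URI-timestamp-rand-uid-key"
    raw = f"{uri}-{timestamp}-{rand}-{uid}-{key}"
    return hashlib.md5(raw.encode()).hexdigest()


def sign_type_a(uri, key, timestamp, rand="0", uid="0"):
    """Return path plus auth_key query for the assumed Type A layout."""
    digest = _md5hash(uri, timestamp, rand, uid, key)
    return f"{uri}?auth_key={timestamp}-{rand}-{uid}-{digest}"


def diagnose(url, key, ttl=1800, now=None):
    """Predict which error from the FAQ a signed URL would trigger.

    ttl is the validity period configured for the domain (assumed value).
    """
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("auth_key")
    if not values:
        return "no url arg auth_key"
    fields = values[0].split("-")
    if len(fields) != 4 or not fields[0].isdecimal():
        return "malformed auth_key"  # local label, not a message from the page
    timestamp, rand, uid, md5hash = fields
    if int(timestamp) + ttl < now:
        return "expired timestamp"
    # The path is hashed exactly as it appears in the URL (assumption).
    expected = _md5hash(parts.path, timestamp, rand, uid, key)
    if not hmac.compare_digest(expected.encode(), md5hash.lower().encode()):
        return "invalid md5hash"
    return "ok"


if __name__ == "__main__":
    KEY = "constructed-example-key"  # constructed, not a real signing key
    signed = "https://example.com" + sign_type_a("/video/test.mp4", KEY, 1700000000)
    print(diagnose(signed, KEY, now=1700000100))   # inside the window
    print(diagnose(signed, KEY, now=1700002000))   # past timestamp + ttl
    print(diagnose(signed, "other-key", now=1700000100))
```

An "invalid md5hash" result for a URL the console accepts points to a difference in the hashed string, such as the key or the path, rather than to timing.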