Configure whitelist-based protection policies with DCDN WAF - Edge Security Acceleration

Dynamic Content Delivery Network (DCDN) allows you to configure a whitelist to allow requests that have specific characteristics based on your business requirements. This way, the requests can bypass the checks of specific or all protection modules, such as basic protection rules and custom protection rules.

Prerequisites

Web Application Firewall (WAF) is enabled. For more information, see Getting started with WAF (new edition).
The domain name that you want to protect is added to WAF. For more information, see Add a domain name for protection.

Create a protection policy

Log on to the DCDN console.
In the left-side navigation pane, choose WAF > Protection Policies.
On the Protection Policies page, click Create Policy.

On the Create Policy page, configure the parameters. The following table describes the parameters.

Section	Parameter	Description
Policy Information	Policy Type	The type of the protection policy. Select Whitelist.
	Policy Name	The name of the protection policy. The name can be up to 64 characters in length and can contain letters, digits, and underscores (_).
	Make Default	Specifies whether the current policy is the default policy of the current policy type. Note You can specify only one default policy for each policy type. After you specify a default policy, you cannot change the default policy. If you have specified the default policy for the current policy type, this switch is unavailable.
Rule Information	Rule	The information about the current whitelist rule. For more information, see Whitelist rule parameters . Note You can add up to 10 rules. To increase the quota, contact your account manager or contact us by other means. For more information, see Contact us.
Protected Domain Names	Select Association Mode	You can associate a protected domain name with multiple policies of the same type. If you have associated a domain name with a policy of the same type, you can add the current policy or replace the existing policy with the current policy. You can only replace the existing policy with the current policy for domain names that are associated with the default policy. Valid values: Add and replace the original associated policy: disassociates the associated policy and replaces the policy with the current policy. Add and keep the original associated policy: adds the current policy and retains the associated policy.
Protected Domain Names	Protected Domain Names	The domain names that you want to associate with the current protection policy.

Click Create Policy.
By default, the protection policy that you created is enabled.

Whitelist rule parameters

You can create a whitelist rule when you create a whitelist. You can also create a whitelist rule for an existing whitelist. The following table describes the parameters.

白名单规则

Parameter	Description
Rule Name	The name of the rule. The name can be up to 64 characters in length and can contain letters, digits, and underscores (_).
Match Condition	The request characteristics for matching. Click Add Condition to add a match condition. You can add up to five match conditions to a rule. If you add multiple match conditions, the rule is considered matched only if all match conditions are met. Each match condition consists of Match Field, Logical Operator, and Match Content. For information about examples on how to configure match conditions, see Match conditions. For information about match fields and logical operators, see Match conditions.
Module	The protection modules that do not check requests that match the specified match conditions. Valid values: All Modules: All protection modules do not check the requests that match the specified match conditions and directly forward the requests to the origin server. You can select All Modules if you want to allow trusted requests to bypass the check. The trusted requests include requests from trusted vulnerability scanners and the endpoints of authenticated third-party systems. Custom Module: The requests that match the specified match conditions are not checked based on specific protection rules. Basic Protection Rule: The requests that match the specified match conditions are not checked based on specific basic protection rules. If you select Basic Protection Rule, you must specify the rules that you want to ignore. All Rules: All protection rules in the basic protection rule module are not used to check the requests that match the specified match conditions. This is the default value. Specified Basic Web Protection Subrules: The rules of specific IDs in the basic protection rule module are not used to check the requests that match the specified match conditions. You must specify the ID of the rule. Each rule ID contains six digits. You can specify up to 50 rule IDs. Separate multiple IDs with commas (,). Specified Rule Type: The rules of specific types in the basic protection rule module are not used to check the requests that match the specified match conditions. The rule types include SQL Injection, XSS, Code Execution, Local File Inclusion, Remote File Inclusion, Webshell, Custom Rule, and Others. Custom Rule: The requests that match the specified match conditions are not checked based on custom rules. IP Blacklist: The requests from specific IPv4 addresses, IPv6 addresses, or CIDR blocks are blocked. Region Blacklist: Requests from specific regions are blocked. Bot Management: Anti-crawler rules for websites and apps can be configured. Scan Protection: Attackers and scanners are prevented from scanning sites on a large scale.

Edge Security Acceleration:Configure a whitelist

Prerequisites

Create a protection policy

Whitelist rule parameters

Related API operations