Dynamic Content Delivery Network (DCDN) allows you to configure custom protection policies and create custom access control or rate limiting rules based on precise match conditions. Custom protection policies can be created for different scenarios, such as hotlink protection and website backend protection.
Prerequisites
Web Application Firewall (WAF) is enabled. For more information, see Getting started with WAF (new edition).
The domain name that you want to protect is added to WAF. For more information, see Add a domain name for protection.
Background information
The custom protection policy feature is implemented based on custom protection rules. The following custom protection rules are supported:
Access control rule: You can use the client IP address, request URL, or common request headers to configure match conditions. If requests meet the conditions, Web Application Firewall (WAF) performs a specific action on the requests. For example, you can configure a custom protection rule to block requests that access a specific URI. You can also configure a custom protection rule to allow WAF to verify requests that contain a specific User-Agent string. For information about the match fields that are supported by custom protection rules, see Match conditions.
Rate limiting rule: You can configure match conditions and rate limiting conditions. If the request rate of a statistical object exceeds the threshold value, WAF performs a specified action on the requests from the statistical object. For example, if an IP address or a session frequently meets the match conditions in a short period of time, you can enable rate limiting to block requests that are sent from the IP address or session during a specific period of time.
Create a custom protection policy
Log on to the DCDN console.
In the left-side navigation pane, click .
On the Protection Policies page, click Create Policy.
On the Create Policy page, configure the parameters. The following table describes the parameters.
| Section | Parameter | Description |
| --- | --- | --- |
| Policy Information | Policy Type | The type of the protection policy. Select Custom Protection Policy. |
| Policy Information | Policy Name | The name of the protection policy. The name can be up to 64 characters in length and can contain letters, digits, and underscores (_). |
| Policy Information | Make Default | Specifies whether the current policy is the default policy of the current policy type. Note: You can specify only one default policy for each policy type. After you specify a default policy, you cannot change the default policy. If you have already specified the default policy for the current policy type, this switch is unavailable. |
| Rule Information | Rule | The information about the current custom protection rule. For more information, see Configure custom protection policies. Note: You can create up to 10 rules. To increase the quota, submit a ticket. |
| Protected Domain Names | Select Association Mode | You can associate a protected domain name with multiple policies of the same type. If you have already associated a domain name with a policy of the same type, you can add the current policy or replace the existing policy with the current policy. For domain names that are associated with the default policy, you can only replace the existing policy with the current policy. Valid values: Add and replace the original associated policy (disassociates the associated policy and replaces it with the current policy); Add and keep the original associated policy (adds the current policy and retains the associated policy). |
| Protected Domain Names | Protected Domain Names | The domain names that you want to associate with the current protection policy. |
Click Create Policy.
By default, the protection policy that you created is enabled.
Custom rule parameters
You can create a custom rule when you create a custom protection policy. You can also create a custom rule for an existing custom protection policy.
| Parameter | Description |
| --- | --- |
| Rule Name | The name of the rule. The name can be up to 64 characters in length and can contain letters, digits, and underscores (_). |
| Match Condition | The request characteristics to match. Click Add Condition to add a match condition. You can add up to five match conditions to a rule. If you add multiple match conditions, the rule is considered matched only if all match conditions are met. Each match condition consists of Match Field, Logical Operator, and Match Content. For information about the supported match fields and logical operators, and for configuration examples, see Match conditions. |
| Rate Limiting | Specifies whether to enable rate limiting. If you enable rate limiting and the requests that are sent from a statistical object frequently match a protection rule, WAF performs a specific action on the requests for a specific period of time. If you enable rate limiting, you must also configure the rate limiting parameters. For more information, see Rate limiting parameters. If you do not enable rate limiting, the rate limiting parameters are not required. |
| Action | The action that you want WAF to perform if a request matches a protection rule. Valid values: |
If you turn on Rate Limiting, you need to configure the parameters that are described in the following table.
| Type | Parameter | Description | Example |
| --- | --- | --- | --- |
| Rate Detection Condition | Statistical Object | The statistical object whose request rate you want to calculate. Valid values: | For example, you set the Statistical Object parameter to IP, the Statistical Interval (s) parameter to 60, and the Requests Threshold parameter in Threshold to 10. If the requests from a specific client IP address meet the match conditions more than 10 times within 60 seconds, the client IP address is added to the blacklist. Note: This threshold is not 100% accurate because DCDN consists of distributed points of presence (POPs). We recommend that you specify a threshold that is slightly lower than the expected value. |
| Rate Detection Condition | Statistical Interval (s) | The statistical period. | |
| Rate Detection Condition | Threshold | | |
| Status Code Detection Condition | Status Code | Specifies whether to detect status codes in addition to the conditions for detecting request rates. If you turn on Status Code, a statistical object is added to the blacklist only if it matches both the conditions for detecting the request rate and the status code condition. If you turn on Status Code, you must specify a status code. | For example, you use the preceding conditions for detecting request rates, set the Status Code parameter to 404, and set the By Quantity parameter to 5. If the requests from a specific client IP address match the match conditions more than 10 times within 60 seconds and HTTP status code 404 is returned more than 5 times, the client IP address is added to the blacklist. |
| Status Code Detection Condition | By Quantity | The maximum number of times that the specified status code is allowed in the responses within the specified statistical period. Note: Select either By Quantity or By Percentage. | |
| Status Code Detection Condition | By Percentage | The maximum percentage of responses with the specified status code that is allowed within the specified statistical period. Note: Select either By Quantity or By Percentage. | |
| Blacklist Processing | Apply To | The requests on which you want WAF to perform a specific action. | If the requests from a statistical object match the rate limiting conditions, the statistical object is added to the blacklist and WAF performs a specific action on its requests for a specific period of time. Configure the Blacklist Timeout Period (s) parameter to specify how long WAF performs the action, and configure the Action parameter to specify the action that you want WAF to perform. You can also configure the Apply To parameter to specify the requests on which WAF performs the action: all requests from the statistical object, or only the requests that meet the match conditions. |
| Blacklist Processing | Blacklist Timeout Period (s) | The period of time during which you want WAF to perform a specific action on the requests. | |
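The following Python model, added here as an illustration and not code from DCDN or WAF, shows how the custom rule parameters above fit together: a rule matches only when every match condition holds, matched requests are counted per statistical object within a fixed statistical interval, an optional status-code condition (by quantity or by percentage) must also be exceeded, and a statistical object that trips both is blacklisted for the configured timeout, with the action applied either to all of its requests or only to the ones that match. The class names, the `prefix`/`contains`/`equals` operators, the attribute names and the sample traffic are all constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of a DCDN custom protection rule with rate limiting.
# Names and operators are assumptions for illustration, not the product's API.


@dataclass
class Request:
    client_ip: str
    uri: str
    user_agent: str
    status: int    # HTTP status code returned for this request
    ts: float      # request time in seconds


# Hypothetical logical operators for a match condition.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda value, content: value == content,
    "contains": lambda value, content: content in value,
    "prefix": lambda value, content: value.startswith(content),
}


@dataclass
class MatchCondition:
    field: str       # "client_ip", "uri" or "user_agent" (Match Field)
    operator: str    # key of OPERATORS (Logical Operator)
    content: str     # Match Content

    def matches(self, req: Request) -> bool:
        return OPERATORS[self.operator](getattr(req, self.field), self.content)


@dataclass
class RateLimit:
    statistical_object: str = "client_ip"   # Request attribute to count by
    interval_s: float = 60.0                # Statistical Interval (s)
    requests_threshold: int = 10            # Requests Threshold
    status_code: Optional[int] = None       # Status Code condition, if enabled
    status_quantity: Optional[int] = None   # By Quantity (or use percentage)
    status_percentage: Optional[float] = None  # By Percentage
    blacklist_timeout_s: float = 300.0      # Blacklist Timeout Period (s)
    apply_to: str = "all"                   # "all" or "matched" requests


@dataclass
class CustomRule:
    name: str
    conditions: List[MatchCondition]
    action: str = "block"
    rate_limit: Optional[RateLimit] = None
    # per statistical object: (window start, matched count, status-code count)
    _windows: Dict[str, Tuple[float, int, int]] = field(
        default_factory=dict, init=False, repr=False)
    # per statistical object: time at which its blacklist entry expires
    _blacklist: Dict[str, float] = field(default_factory=dict, init=False, repr=False)

    def _all_conditions_match(self, req: Request) -> bool:
        # With several conditions the rule matches only if every one holds.
        return all(c.matches(req) for c in self.conditions)

    def evaluate(self, req: Request) -> str:
        """Return the rule's action for this request, or "pass"."""
        matched = self._all_conditions_match(req)
        rl = self.rate_limit
        if rl is None:                       # plain access control rule
            return self.action if matched else "pass"

        obj = getattr(req, rl.statistical_object)

        # A blacklisted object receives the action until its timeout elapses.
        expiry = self._blacklist.get(obj)
        if expiry is not None:
            if req.ts < expiry:
                return self.action if (rl.apply_to == "all" or matched) else "pass"
            del self._blacklist[obj]         # timeout elapsed, forget the entry

        if not matched:
            return "pass"

        # Count matched requests inside a fixed statistical interval.
        start, count, status_count = self._windows.get(obj, (req.ts, 0, 0))
        if req.ts - start >= rl.interval_s:
            start, count, status_count = req.ts, 0, 0
        count += 1
        if rl.status_code is not None and req.status == rl.status_code:
            status_count += 1
        self._windows[obj] = (start, count, status_count)

        over_rate = count > rl.requests_threshold
        if rl.status_code is None:
            over_status = True
        elif rl.status_quantity is not None:
            over_status = status_count > rl.status_quantity
        else:
            over_status = 100.0 * status_count / count > (rl.status_percentage or 0.0)

        if over_rate and over_status:
            self._blacklist[obj] = req.ts + rl.blacklist_timeout_s
            del self._windows[obj]
            return self.action
        return "pass"


if __name__ == "__main__":
    # Constructed traffic: one client hits /admin repeatedly and gets 404s.
    rule = CustomRule("protect-admin", [MatchCondition("uri", "prefix", "/admin")],
                      rate_limit=RateLimit(status_code=404, status_quantity=5))
    for i in range(12):
        print(i, rule.evaluate(Request("192.0.2.10", "/admin/login", "curl/8", 404, float(i))))
```

The model counts centrally, whereas DCDN counts at distributed POPs, which is why the page recommends setting the threshold slightly below the value you actually want enforced. Running the demo shows the first ten matched requests passing and the eleventh being blocked, because "more than 10 times" and "exceeds 5" are strict comparisons.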