
Edge Security Acceleration: Configure custom protection policies

Last Updated: Jan 04, 2024

Dynamic Content Delivery Network (DCDN) allows you to configure custom protection policies and create custom access control or rate limiting rules based on precise match conditions. Custom protection policies can be created for different scenarios, such as hotlink protection and website backend protection.

Prerequisites

Background information

The custom protection policy feature is implemented based on custom protection rules. The following custom protection rules are supported:

  • Access control rule: You can use the client IP address, request URL, or common request headers to configure match conditions. If requests meet the conditions, Web Application Firewall (WAF) performs a specific action on the requests. For example, you can configure a custom protection rule to block requests that access a specific URI. You can also configure a custom protection rule to allow WAF to verify requests that contain a specific User-Agent string. For information about the match fields that are supported by custom protection rules, see Match conditions.

  • Rate limiting rule: You can configure match conditions and rate limiting conditions. If the request rate of a statistical object exceeds the threshold value, WAF performs a specified action on the requests from the statistical object. For example, if an IP address or a session frequently meets the match conditions in a short period of time, you can enable rate limiting to block requests that are sent from the IP address or session during a specific period of time.

Create a custom protection policy

  1. Log on to the DCDN console.

  2. In the left-side navigation pane, click WAF > Protection Policies.

  3. On the Protection Policies page, click Create Policy.

  4. On the Create Policy page, configure the parameters. The following list describes the parameters in each section of the page.

    Policy Information

    • Policy Type: the type of the protection policy. Select Custom Protection Policy.

    • Policy Name: the name of the protection policy. The name can be up to 64 characters in length and can contain letters, digits, and underscores (_).

    • Make Default: specifies whether the current policy is the default policy of the current policy type.

      Note
      • You can specify only one default policy for each policy type. After you specify a default policy, you cannot change the default policy.

      • If you have specified the default policy for the current policy type, this switch is unavailable.

    Rule Information

    • Rule: the information about the current custom protection rule. For more information, see the Custom rule parameters section of this topic.

      Note
      You can create up to 10 rules. To increase the quota, submit a ticket.

    Protected Domain Names

    • Select Association Mode: the way in which the current policy is associated with domain names that already have a policy of the same type. You can associate a protected domain name with multiple policies of the same type. If a domain name is already associated with a policy of the same type, you can add the current policy or replace the existing policy with the current policy. For domain names that are associated with the default policy, you can only replace the existing policy with the current policy. Valid values:

      • Add and replace the original associated policy: disassociates the existing policy and associates the current policy in its place.

      • Add and keep the original associated policy: associates the current policy and retains the existing policy.

    • Protected Domain Names: the domain names that you want to associate with the current protection policy.

  5. Click Create Policy.

    By default, the protection policy that you created is enabled.

Custom rule parameters

You can create a custom rule when you create a custom protection policy. You can also create a custom rule for an existing custom protection policy.

• Rule Name: the name of the rule. The name can be up to 64 characters in length and can contain letters, digits, and underscores (_).

• Match Condition: the request characteristics that the rule matches.

  Click Add Condition to add a match condition. You can add up to five match conditions to a rule. If you add multiple match conditions, the rule is matched only if all of the match conditions are met.

  Each match condition consists of Match Field, Logical Operator, and Match Content. For information about the supported match fields and logical operators, and for examples of how to configure match conditions, see Match conditions.

• Rate Limiting: specifies whether to enable rate limiting. If you enable rate limiting and the requests that are sent from a statistical object frequently match the rule, WAF performs the specified action on the requests from that statistical object for a specific period of time.

  If you enable rate limiting, you must configure the rate limiting parameters. For more information, see Rate limiting parameters in this topic. If you do not enable rate limiting, you do not need to configure these parameters.

• Action: the action that you want WAF to perform if a request matches the rule. Valid values:

  • Block: blocks the requests that match the rule and returns a block page to the client.

  • JavaScript Validation: returns JavaScript code to the client. The JavaScript code can be automatically executed by the browser that the client uses. If the client passes the JavaScript verification, WAF allows requests that are sent from the client within a specific time range. The default time range is 30 minutes. If the client fails the JavaScript verification, WAF blocks requests that are sent from the client.

  • Slider CAPTCHA: returns a slider CAPTCHA verification page to the client. If the client passes the slider CAPTCHA verification, WAF allows requests that are sent from the client within a specific time range. The default time range is 30 minutes. If the client fails the slider CAPTCHA verification, WAF blocks requests that are sent from the client.

  • Monitor: records the requests that match the rule in logs without blocking the requests. You can query the logs of requests that match the rule to analyze the protection performance, for example, to check whether legitimate requests are blocked.

    Note
    You need to activate Simple Log Service before you can query logs.

  The first time that you configure a rule, you can set the Action parameter to Monitor to check the protection performance of the rule and whether legitimate requests are blocked. Then, you can decide whether to set the Action parameter to Block based on the results.

If you turn on Rate Limiting, you must configure the following rate limiting parameters, grouped by condition type.

Rate Detection Condition

• Statistical Object: the statistical object whose request rate you want to calculate. Valid values:

  • IP: calculates the frequency of requests that are sent from a specific IP address.

  • Custom Header: calculates the frequency of requests that contain a specific header.

  • Custom Parameter: calculates the frequency of requests that contain a specific parameter.

  • Custom Cookie: calculates the frequency of requests that contain a specific cookie.

  • Session: calculates the frequency of requests that are sent from a specific session.

  Example: you set the Statistical Object parameter to IP, the Statistical Interval (s) parameter to 60, and the Requests Threshold parameter in Threshold to 10. If the requests from a specific client IP address meet the match conditions more than 10 times within 60 seconds, the client IP address is added to the blacklist.

  Note
  The threshold is not enforced with 100% accuracy because DCDN consists of distributed points of presence (POPs). We recommend that you specify a threshold that is slightly lower than the expected value.

• Statistical Interval (s): the statistical period.

  • Valid values: 5 to 1800.

  • Unit: seconds.

• Threshold: the rate limiting threshold. Valid values:

  • Requests Threshold: the maximum number of requests that are allowed from the statistical object during the specified statistical period.

    • Valid values: 2 to 50000.

    • Unit: requests.

    • If this limit is exceeded within the specified statistical period, the statistical object is added to the blacklist.

  • Traffic Threshold: the maximum amount of traffic that is allowed from the statistical object during the specified statistical period.

  • Requests Threshold and Traffic Threshold

Status Code Detection Condition

• Status Code: specifies whether to detect status codes in addition to the request rate. If you turn on Status Code, a statistical object is added to the blacklist only if it matches both the request rate conditions and the status code conditions.

  If you turn on Status Code, you must specify a status code.

  Example: you use the preceding request rate conditions, set the Status Code parameter to 404, and set the By Quantity parameter to 5. If the requests from a specific client IP address meet the match conditions more than 10 times within 60 seconds and HTTP status code 404 is returned more than 5 times, the client IP address is added to the blacklist.

• By Quantity: the maximum number of times that the specified status code is allowed in the responses within the specified statistical period.

  Note
  Select either By Quantity or By Percentage.

• By Percentage: the maximum percentage of responses that are allowed to return the specified status code within the specified statistical period.

  Note
  Select either By Quantity or By Percentage.

Blacklist Processing

• Apply To: the requests on which you want WAF to perform the action after the statistical object is added to the blacklist.

  • Current Match Condition: WAF performs the action only on requests from the statistical object that meet the match conditions.

  • Current Domain Name: WAF performs the action on all requests from the statistical object to the domain name.

  If the requests from a statistical object match the rate limiting conditions, the statistical object is added to the blacklist and WAF performs the specified action on its requests for a specific period of time. Configure the Blacklist Timeout Period (s) parameter to specify how long WAF performs the action, the Action parameter to specify the action, and the Apply To parameter to specify whether the action applies to all requests from the statistical object or only to the requests that meet the match conditions.

• Blacklist Timeout Period (s): the period of time during which you want WAF to perform the action on the requests.

  • Valid values: 60 to 86400.

  • Unit: seconds.
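The rate limiting decision described above, as an added Python model that is not Alibaba Cloud code: it replays the topic's example (Statistical Object IP, Statistical Interval 60 s, Requests Threshold 10, Status Code 404 By Quantity 5, Blacklist Timeout Period 60 s) over constructed sample requests and shows how Apply To changes what is blocked. The sliding-window counting, the `matches` predicate standing in for the Match Condition, and the single-POP view are assumptions.

```python
# Added model of the rate limiting rule described in this topic; not Alibaba Cloud
# code. Assumes a sliding window on a single POP (real DCDN aggregates across POPs).
from collections import defaultdict, deque

class RateLimitRule:
    def __init__(self, matches, interval_s=60, req_threshold=10, status_code=None,
                 status_quantity=None, timeout_s=60, apply_to="match"):
        self.matches = matches              # Match Condition as a predicate on the path
        self.interval_s = interval_s        # Statistical Interval (s)
        self.req_threshold = req_threshold  # Requests Threshold
        self.status_code = status_code      # Status Code detection; None = turned off
        self.status_quantity = status_quantity  # By Quantity limit for that status code
        self.timeout_s = timeout_s          # Blacklist Timeout Period (s)
        self.apply_to = apply_to            # Apply To: "match" or "domain"
        self.hits = defaultdict(deque)      # client IP (Statistical Object) -> match times
        self.status_hits = defaultdict(deque)  # client IP -> times the status code was seen
        self.blacklist = {}                 # client IP -> time the blacklist entry expires

    def observe(self, now, ip, path, status):
        """Decide 'block' or 'pass' for one request and update the counters."""
        expiry = self.blacklist.get(ip)
        if expiry is not None and now < expiry:
            # Blacklisted: Current Domain Name blocks everything, Current Match Condition only matches.
            return "block" if self.apply_to == "domain" or self.matches(path) else "pass"
        self.blacklist.pop(ip, None)        # timeout elapsed, object leaves the blacklist
        if not self.matches(path):
            return "pass"
        for dq in (self.hits[ip], self.status_hits[ip]):
            while dq and now - dq[0] >= self.interval_s:   # drop hits outside the interval
                dq.popleft()
        self.hits[ip].append(now)
        if status == self.status_code:
            self.status_hits[ip].append(now)
        over_rate = len(self.hits[ip]) > self.req_threshold
        over_status = (self.status_code is None
                       or len(self.status_hits[ip]) > self.status_quantity)
        if over_rate and over_status:
            self.blacklist[ip] = now + self.timeout_s
            return "block"
        return "pass"

def demo():
    rule = RateLimitRule(lambda p: p.startswith("/api/"), status_code=404,
                         status_quantity=5, apply_to="domain")
    # Constructed sample traffic: 12 requests for a missing API path at t = 0, 2, ..., 22 s.
    log = [(t, "203.0.113.7", "/api/v1/items", 404) for t in range(0, 24, 2)]
    log += [(30, "203.0.113.7", "/index.html", 200),    # blacklisted, Apply To = domain
            (30, "198.51.100.9", "/api/v1/items", 200),  # other client is unaffected
            (83, "203.0.113.7", "/index.html", 200)]     # blacklist expired at 20 + 60 s
    return [rule.observe(*entry) for entry in log]
```

The 11th matching request trips both conditions (11 > 10 requests, 11 > 5 responses with 404) and blacklists the IP; the other client's counters are independent.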

Related API operations