All Products
Search
Document Center

ApsaraVideo VOD:Configure an IP address blacklist or whitelist

Last Updated:Jul 17, 2024

An IP address blacklist or whitelist filters user requests, and blocks or allows requests from specific IP addresses. The IP list feature can restrict access sources and protect points of presence (POPs) from IP theft and attacks.

Usage notes

  • By default, the IP list feature is disabled. The IP address blacklist and whitelist are mutually exclusive. You can configure only one of the lists.

  • You can specify up to about 700 IPv6 addresses or 2,000 IPv4 addresses.

  • If an IP address is added to the blacklist, requests from the IP address can still be sent to POPs. However, the POPs reject the requests and return a 403 error. Requests sent from IP addresses that are in the blacklist are recorded in the logs of the corresponding domain name.

  • The IP address blacklist and whitelist identify IP addresses based on Layer 7 HTTP IP recognition techniques. You are charged for network traffic that is generated when POPs block malicious requests. If clients access POPs over HTTPS, you are also charged for HTTPS requests.

  • Some Internet service providers (ISPs) may assign private IP addresses to clients in specific regions. Therefore, POPs may receive requests from private IP addresses.

    Note

    Private IP addresses are of the following types:

    • Type-A private IP addresses: 10.0.0.0 to 10.255.255.255. Subnet mask: 10.0.0.0/8.

    • Type-B private IP addresses: 172.16.0.0 to 172.31.255.255. Subnet mask: 172.16.0.0/12.

    • Type-C private IP addresses: 192.168.0.0 to 192.168.255.255. Subnet mask: 192.168.0.0/16.

IP address verification modes

When a client connects to a POP, the client IP address and the IP address that is used by the client to connect to the POP are determined based on whether a proxy is used. For example, the client IP address is 10.10.10.10, and the proxy IP address is 192.168.0.1.

  • If no proxy is used when a client connects to a POP, the following rules apply:

    • The value of the X-Forwarded-For (XFF) header in the user request is 10.10.10.10.

    • The client IP address 10.10.10.10 is the IP address that is used by the client to connect to the POP.

  • If a proxy is used when a client connects to a POP, the following rules apply:

    • The value of the XFF header in the user request is 10.10.10.10,192.168.0.1.

    • The client IP address 10.10.10.10 is the first IP address in the XFF header.

    • The IP address that is used by the client to connect to a POP is the IP address of the proxy, which is 192.168.0.1.

    • The client IP address is not the IP address that is used by the client to connect to the POP.

The IP list feature of ApsaraVideo VOD can verify three types of IP addresses.

IP address verification mode

Description

Determine based on the XFF header

This is the default mode. This mode verifies only the client IP address. The client IP address is the first IP address in the XFF header in a client request.

If a proxy is used when a client connects to a POP, the client uses the IP address of the proxy to connect to the POP. In this case, access control in this verification mode may not be accurate.

Determine based on the IP address that is used to connect to the POP

This mode verifies only the IP address that is used by a client to connect to a POP.

Determine based on the XFF header and the IP address that is used to connect to the POP

This mode verifies the following IP addresses:

  • The first IP address in the XFF header, which is the client IP address.

  • The IP address that is used by a client to connect to a POP.

Procedure

  1. Log on to the ApsaraVideo VOD console.

  2. In the left-side navigation pane, choose Configuration Management > CDN Configuration > Domain Names.

  3. On the Domain Names page, find the domain name that you want to manage and click Configure in the Actions column.

  4. In the left-side navigation tree, choose Resource Access Control.

  5. On the IP Address Blacklists/Whitelists tab, click Modify in the IP Address Blacklists/Whitelists section.

  6. In the dialog box that appears, configure an IP Blacklist or IP Whitelist.

    Parameter

    Description

    Type

    • Blacklist

      Requests from IP addresses in the blacklist are blocked.

    • Whitelist

      Only requests from IP addresses in the whitelist can access resources on the POPs.

    Rules

    Enter CIDR blocks, such as 192.168.0.0/24, or IP addresses, such as 192.168.0.1. Make sure that no duplicate CIDR blocks exist. IPv4 and IPv6 addresses are supported. Separate IP addresses with carriage return characters.

    Note

    The value of Rules can be up to 30 KB in size. You can enter up to about 700 IPv6 addresses or 2,000 IPv4 addresses in this field.

    • IPv6: You can add up to about 700 IPv6 addresses to the list. The blacklist and whitelist support IPv6 addresses. The letters in IPv6 addresses are not case-sensitive. Examples: FC00:AA3:0:23:3:300:300A:1234 and fc00:0aa3:0000:0023:0003:0300:300a:1234. The notation of an IPv6 address must not be shortened. For example, FC00:0AA3::0023:0003:0300:300A:1234 is invalid. CIDR blocks are supported. Example: FC00:0AA3:0000:0000:0000:0000:0000:0000/48.

    • IPv4: You can add up to about 2,000 IPv4 addresses to the list.

    • The total length of the string that specifies IP addresses cannot exceed 30 KB in size.

    Note

    You cannot use 0.0.0.0/0 to specify all IP addresses.

    • To specify all IPv4 addresses, use the following subnets:

      • 0.0.0.0/1

      • 128.0.0.0/1

    • To specify all IPv6 addresses, use the following subnets:

      • 0000:0000:0000:0000:0000:0000:0000:0000/1

      • 8000:0000:0000:0000:0000:0000:0000:0000/1

    IP Rules

    You can select one of the following rules:

    • Determine based on the XFF header

    • Determine based on the IP address that is used to connect to the POP

    • Determine based on the XFF header and the IP address that is used to connect to the POP.

    If the XFF header does not include an IP address, determine based on the IP address that is used to connect to the POP.

  7. Click OK.

Configuration examples

  • Whitelist

    Rules: 192.168.2.0/24

    Expected result: Only IP addresses that range from 192.168.2.1 to 192.168.2.254 can access the resources of the specified domain name.

  • Blacklist

    Rules: 192.168.0.1

    Expected result: The IP address 192.168.0.1 is not allowed to access the resources of the specified domain name.

FAQ

Related API operations

BatchSetVodDomainConfigs: You can call this operation to configure one or more domain names for CDN. You can specify an IP address blacklist or whitelist by configuring the ip_black_list_set or ip_allow_list_set parameter.