Origin Protection

Feature Overview

The core of origin protection is to allow EdgeOne to access your origin server through a designated public IP range (origin-pull IP range). You can configure these IP ranges as an "allowlist" in your origin server firewall or security group, thereby only allowing trustworthy origin-pull traffic to pass through. This effectively prevents malicious attackers from bypassing EdgeOne to directly attack the origin server, enhancing origin site security and concealment, and achieving origin protection.
This document introduces how to manually obtain and update EdgeOne's origin-pull IP range, or utilize the API to implement automated updates for configuring origin server firewall rules.
Warning:
1. EdgeOne may update the origin IP range at irregular intervals to enhance network stability and reliability, improve security, handle expansion needs, or respond to compliance requirements. EdgeOne will send notifications via Message Center, SMS, or email 14 days, 7 days, 3 days, and 1 day before the change. To ensure you receive these notifications, please verify that you have selected EdgeOne under Tencent Cloud Message Center Console and enabled product service-related message notifications, with the correct Message Recipient configured. For setup instructions, refer to Message Subscription Management.
2. Upon receiving Tencent's notification about "Origin IP Range Change Notification", please complete the origin IP range update operation by referring to Update Origin IP Range within no more than 14 calendar days. For example, if EO sends the "Origin IP Range Change Notification" at 12:00:00 (GMT+8) on January 1, 2025, you need to complete the origin IP range update operation by 12:00:00 (GMT+8) on January 15, 2025.
3. If you fail to complete the above operations within the agreed time limit, EdgeOne will update the IP range to the latest version according to the origin protection enablement special agreement. Please understand and recognize that you will bear any adverse consequences arising therefrom, such as [origin-pull failure] and [service unavailability]. This situation is not covered by the EdgeOne SLA service availability guarantee.
4. If you are unable to complete the update in time, you can also adopt the origin-pull mutual authentication solution to ensure your origin server security. If needed, please contact us.

Obtaining Origin IP Address Range

1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. On the site details page, click Security > Origin Protection.
3. On the Origin Protection page, click Use Now, carefully read the Origin Protection Enablement Conditions of Use, and click Confirm to Enable after confirming the content of the "Special Agreement" is acceptable.
4. Click the origin protection status switch to set it to enabled, select the site acceleration/Layer 4 proxy resources to be protected, and click Submit.
5. After it is successfully enabled, you can see the current origin-pull IP list used by these resources. Add it to your origin server firewall rules.
6. Log in to the cloud platform hosting your origin server, or to the server itself, and locate the firewall/security group settings. Add inbound rules that allow traffic from all origin-pull IP ranges obtained in step 5 to reach the ports your business requires (such as 80 and 443).

Updating Origin IP Address Range

Note:
The IP range for origin servers is updated every 3-6 months on average.
Upon receiving the notification about the origin IP range change, you need to refer to the following steps to view the updated origin IP and complete the update within 14 calendar days to prevent service disruption caused by origin-pull failure.
1. Log in to the EdgeOne console, enter Service Overview in the left menu bar, and under Website Security Acceleration click the site named in the Message Center message/email as needing the change.
2. On the site details page, click Security > Origin Protection.
3. Click Go to update.

4. The console will show the comparison information of old and new IP ranges. After updating the latest origin IP range to the origin server firewall, click I have updated to the latest origin IP range.

5. After confirming the update, the console shows "Origin IP ACL CIDRs is the latest version" to indicate the update is complete.

Automating Updates through API

If you wish to obtain EdgeOne's latest origin IP range periodically through an automation script, to avoid service interruption caused by late manual updates, you can use the API provided by EdgeOne to implement the following process:
1. Periodically call the API: call the DescribeOriginACL API at a low frequency, recommended once every three days.
2. Check the update flag: in the response data, check the NextOriginACL field. If this field is not null, a new origin IP range is available for update.
"NextOriginACL": {
    "Version": "mlc-1.0.1-20250422",
    "PlannedActiveTime": "2014-12-30T10:00:00Z",
    "EntireAddresses": {
        "IPv4": [
            "11.11.11.11/24",
            "22.22.22.22/24"
        ],
        "IPv6": [
            "2001:980:7002:6::/64"
        ]
    },
    "AddedAddresses": {
        "IPv4": [
            "22.22.22.22/24"
        ],
        "IPv6": []
    },
    "RemovedAddresses": {
        "IPv4": [],
        "IPv6": []
    },
    "NoChangeAddresses": {
        "IPv4": [
            "11.11.11.11/24"
        ],
        "IPv6": [
            "2001:980:7002:6::/64"
        ]
    }
}
3. Synchronize the configuration: after the script detects an update, it should automatically synchronize the new IP range to your origin server firewall or security group policy.
4. Confirm the update: after synchronization, call the ConfirmOriginACLUpdate API so that the system stops pushing change notifications for this update.
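The following is an added example of one polling cycle of the process above, covering both the firewall allow rules from step 6 of "Obtaining Origin IP Address Range" and the detect/validate/apply/confirm sequence of this section. It is not EdgeOne's or Tencent Cloud's code: the response shape follows only the NextOriginACL fragment shown above, while the API transport (the apply_allowlist and confirm_update callables) and the iptables rendering are assumptions you would replace with the Tencent Cloud SDK and your own firewall or security group tooling.

```python
"""Plan and apply a firewall allowlist update from a DescribeOriginACL response.

Added example. Only the NextOriginACL structure is taken from the EdgeOne
documentation; the API transport and firewall backend are placeholders.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed sample, modelled on the NextOriginACL fragment in the document.
SAMPLE_RESPONSE = {
    "NextOriginACL": {
        "Version": "mlc-1.0.1-20250422",
        "PlannedActiveTime": "2014-12-30T10:00:00Z",
        "EntireAddresses": {"IPv4": ["11.11.11.11/24", "22.22.22.22/24"],
                            "IPv6": ["2001:980:7002:6::/64"]},
        "AddedAddresses": {"IPv4": ["22.22.22.22/24"], "IPv6": []},
        "RemovedAddresses": {"IPv4": [], "IPv6": []},
        "NoChangeAddresses": {"IPv4": ["11.11.11.11/24"],
                              "IPv6": ["2001:980:7002:6::/64"]},
    }
}


def parse_ranges(addresses):
    """Turn an {"IPv4": [...], "IPv6": [...]} block into a set of networks.

    Every entry must parse as a CIDR; a malformed string aborts the run rather
    than being silently dropped, because a missing allow rule breaks origin-pull.
    Host bits are masked off (strict=False), so "11.11.11.11/24" becomes 11.11.11.0/24.
    """
    nets = set()
    for family in ("IPv4", "IPv6"):
        for cidr in addresses.get(family, []):
            nets.add(ipaddress.ip_network(cidr, strict=False))
    return nets


def check_consistency(next_acl):
    """Cross-check the delta fields against the full list before trusting them."""
    entire = parse_ranges(next_acl["EntireAddresses"])
    added = parse_ranges(next_acl["AddedAddresses"])
    removed = parse_ranges(next_acl["RemovedAddresses"])
    unchanged = parse_ranges(next_acl["NoChangeAddresses"])
    return entire == (added | unchanged) and not (removed & entire)


def planned_active_time(next_acl):
    """Parse PlannedActiveTime (UTC, 'Z' suffix) into an aware datetime."""
    raw = next_acl["PlannedActiveTime"]
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def plan_allowlist(next_acl, now):
    """Compute the CIDRs the origin firewall should allow at time `now`.

    Until PlannedActiveTime the retired ranges may still be used for
    origin-pull, so they stay allowed alongside the new ones; after that point
    only EntireAddresses remain.
    """
    entire = parse_ranges(next_acl["EntireAddresses"])
    if now < planned_active_time(next_acl):
        return entire | parse_ranges(next_acl["RemovedAddresses"])
    return entire


def render_iptables_rules(cidrs, ports=(80, 443)):
    """Render one ACCEPT rule per CIDR for the business ports (iptables syntax).

    Assumed backend: a host firewall whose INPUT chain drops these ports by default.
    """
    dports = ",".join(str(p) for p in ports)
    rules = []
    for cidr in cidrs:
        family = ipaddress.ip_network(cidr, strict=False).version
        tool = "ip6tables" if family == 6 else "iptables"
        rules.append(f"{tool} -A INPUT -s {cidr} -p tcp -m multiport --dports {dports} -j ACCEPT")
    return rules


def sync_origin_acl(response, apply_allowlist, confirm_update, now):
    """One polling cycle: detect, validate, apply, then confirm, in that order."""
    next_acl = response.get("NextOriginACL")
    if not next_acl:
        return {"status": "up-to-date"}
    if not check_consistency(next_acl):
        # Inconsistent delta data: do not touch the firewall, do not confirm.
        return {"status": "rejected", "version": next_acl["Version"]}
    allowlist = sorted(str(n) for n in plan_allowlist(next_acl, now))
    apply_allowlist(allowlist)
    # Confirm only after the firewall change succeeded, so notifications keep
    # coming if the sync failed part-way.
    confirm_update(next_acl["Version"])
    return {"status": "synced", "version": next_acl["Version"], "allowlist": allowlist}


if __name__ == "__main__":
    # Placeholder backends: print the rules instead of executing them.
    def apply_allowlist(cidrs):
        for rule in render_iptables_rules(cidrs):
            print(rule)

    print(sync_origin_acl(SAMPLE_RESPONSE, apply_allowlist,
                          lambda v: print("confirmed", v), datetime.now(timezone.utc)))
```

The rendered iptables rules only restrict access if the INPUT chain already drops traffic to those ports from other sources; an allowlist on top of a default-accept policy protects nothing. Because the confirm call is made only after the firewall update returns successfully, a failed sync leaves the change notifications active, which is the behaviour you want.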