Origin Protection(Obtaining/Updating Origin IP Address Range)

Feature Overview

The core of origin protection is to allow EdgeOne to access your origin server through a designated public IP range (origin-pull IP range). You can configure these IP ranges as an "allowlist" in your origin server firewall or security group, thereby only allowing trustworthy origin-pull traffic to pass through. This effectively prevents malicious attackers from bypassing EdgeOne to directly attack the origin server, enhancing origin site security and concealment, and achieving origin protection.
This document introduces how to manually obtain and update EdgeOne's origin-pull IP range, or utilize the API to implement automated updates for configuring origin server firewall rules.
Warning:
1. EdgeOne may update the origin IP range at irregular intervals to enhance network stability and reliability, improve security, handle expansion needs, or respond to compliance requirements. EdgeOne will send notifications via Message Center, SMS, or email 14 days, 7 days, 3 days, and 1 day before the change. Please ensure you have selected Message Center, SMS, and email in Product notifications > Product service notifications in the Tencent Cloud Message Center console, and configured message recipients correctly. For the setting method, please refer to message subscription management.
2. Upon receiving Tencent's notification about "Origin IP Range Change Notification", please complete the origin IP range update operation by referring to Update Origin IP Range within no more than 14 calendar days. For example, if EO sends the "Origin IP Range Change Notification" at 12:00:00 (GMT+8) on January 1, 2025, you need to complete the origin IP range update operation by 12:00:00 (GMT+8) on January 15, 2025.
3. If you fail to complete the above operations within the agreed time limit, EdgeOne will update the IP range to the latest version according to the origin protection enablement special agreement. Please understand and recognize that you will bear any adverse consequences arising therefrom, such as [origin-pull failure] and [service unavailability]. This situation is not covered by the EdgeOne SLA service availability guarantee.
4. If you are unable to complete the update in time, you can also adopt the origin-pull mutual authentication solution to ensure your origin server security. If needed, please contact us.

Obtaining Origin IP Address Range

1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. On the site details page, click Security > Origin Protection.
3. On the Origin Protection page, click Use Now, carefully read the Origin Protection Enablement Conditions of Use, and click Confirm to Enable after confirming the content of the "Special Agreement" is acceptable.
4. Click the origin protection status switch to set it to enable, select the site acceleration/Layer 4 proxy resource to be protected, and click Submit.
5. After origin protection is successfully enabled, you can see the current origin-pull IP list used by these resources. Update it to your origin server firewall rules.
6. Log in to the cloud platform or server itself where your origin server is located, and locate the firewall/security group settings. Add inbound rules to allow traffic from all origin-pull IP ranges obtained in the above step 5 to access the ports required by your business (such as 80, 443).

Updating Origin IP Address Range

Note:
The IP range for origin servers is updated every 3-6 months on average.
Upon receiving the notification about the origin IP range change, you need to refer to the following steps to view the updated origin IP and complete the update within 14 calendar days to prevent service disruption caused by origin-pull failure.
1. Log in to the EdgeOne console, enter Service Overview in the left menu bar, and under Website Security Acceleration click the site that the Message Center notice or email names as needing the change.
2. On the site details page, click Security > Origin Protection.
3. Click Go to update.
4. The console will show the comparison information of old and new IP ranges. After updating the latest origin IP range to the origin server firewall, click I have updated to the latest origin IP range.
5. After confirming the update, the console shows "Origin IP ACL CIDRs is the latest version" to indicate the update is complete.

Automating Updates through API

If you wish to periodically obtain EdgeOne's latest origin IP range through automation scripts to avoid possible service interruption caused by untimely manual updates, you can leverage the API interface provided by EdgeOne to implement the following process:
1. Periodically call the API: Call the DescribeOriginACL API at a low frequency; every three days is recommended.
2. Check update flag: In the data returned by the interface, pay close attention to the NextOriginACL field. If this field is not null, new origin IP ranges are available for update.
    "NextOriginACL": {
      "Version": "mlc-1.0.1-20250422",
      "PlannedActiveTime": "2014-12-30T10:00:00Z",
      "EntireAddresses": {
        "IPv4": [
          "11.11.11.11/24",
          "22.22.22.22/24"
        ],
        "IPv6": [
          "2001:980:7002:6::/64"
        ]
      },
      "AddedAddresses": {
        "IPv4": [
          "22.22.22.22/24"
        ],
        "IPv6": []
      },
      "RemovedAddresses": {
        "IPv4": [],
        "IPv6": []
      },
      "NoChangeAddresses": {
        "IPv4": [
          "11.11.11.11/24"
        ],
        "IPv6": [
          "2001:980:7002:6::/64"
        ]
      }
    }
3. Synchronize configuration: After the script detects an update, it should automatically synchronize the new IP range to your origin server firewall or security group policy.
4. Confirm update: After synchronization, call the ConfirmOriginACLUpdate API so that the system stops pushing related change notifications.
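
Steps 2 and 3 above as an added example, not code from EdgeOne: it takes the NextOriginACL object as already-parsed JSON, validates it, and returns the firewall changes to make before ConfirmOriginACLUpdate is called. The function names, the MIN_PREFIX guard and the consistency rule between the four address groups are assumptions inferred from the sample above; the API call and the firewall commands are left to your environment.

```python
import ipaddress

# Constructed sample: the NextOriginACL object shown above, as parsed JSON.
SAMPLE_NEXT = {
    "Version": "mlc-1.0.1-20250422",
    "PlannedActiveTime": "2014-12-30T10:00:00Z",
    "EntireAddresses": {"IPv4": ["11.11.11.11/24", "22.22.22.22/24"],
                        "IPv6": ["2001:980:7002:6::/64"]},
    "AddedAddresses": {"IPv4": ["22.22.22.22/24"], "IPv6": []},
    "RemovedAddresses": {"IPv4": [], "IPv6": []},
    "NoChangeAddresses": {"IPv4": ["11.11.11.11/24"],
                          "IPv6": ["2001:980:7002:6::/64"]},
}

# Assumption: never auto-allow a range broader than this, whatever the response says.
MIN_PREFIX = {4: 16, 6: 32}

def nets(group):
    """Normalize one {"IPv4": [...], "IPv6": [...]} group to a set of networks."""
    out = set()
    for cidr in (group.get("IPv4") or []) + (group.get("IPv6") or []):
        net = ipaddress.ip_network(cidr, strict=False)  # sample CIDRs have host bits set
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"refusing overly broad range {net}")
        out.add(net)
    return out

def plan_update(next_acl, installed):
    """Return None when NextOriginACL is null, else the allowlist changes needed."""
    if not next_acl:
        return None
    entire = nets(next_acl["EntireAddresses"])
    added = nets(next_acl["AddedAddresses"])
    removed = nets(next_acl["RemovedAddresses"])
    kept = nets(next_acl["NoChangeAddresses"])
    # The four groups must agree before they are trusted to drive a firewall.
    if entire != added | kept or entire & removed:
        raise ValueError("NextOriginACL groups are inconsistent")
    current = {ipaddress.ip_network(c, strict=False) for c in installed}
    return {
        "version": next_acl["Version"],
        "allow": sorted(map(str, entire - current)),   # rules to add
        "revoke": sorted(map(str, current - entire)),  # rules no longer listed
    }
```

`revoke` is reported separately from `allow` because the page does not say when the old ranges stop carrying origin-pull traffic; decide that timing before removing rules.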