Custom rule
Overview
If your site needs to customize the user access policy, such as prohibiting users from specified regions, allowing specified external sites to link to the site content, and allowing only specified users to access certain resources. Custom rules support matching client requests based on single rule matching conditions or multiple matching conditions. By allowing, intercepting, redirecting, and returning custom pages, you can control the request strategy of matched requests, which can help your site more flexibly limit the content that users can access.
Typical Scenarios and Usage
You can choose the appropriate rule type to protect your site according to different scenarios. Custom rules are divided into the following types:
Basic access control: Supports single condition matching requests, disposes or observes matched requests, and is suitable for simple scenario protection, such as configuring IP blocklist/allowlist, Referer blocklist, UA blocklist/allowlist, or regional restrictions.
Precise matching rules: Supports multiple condition combination matching requests, disposes or observes matched requests, and is suitable for complex scenario protection configuration, such as allowing only specified users to access files under specified paths.
Managed custom policy: A policy customized by Tencent security experts, which does not support console adjustment. For details, please see: Managed custom rules.
Note:
When there are multiple rules of the same type, the priority of the rules is as follows:
1. Rules within Basic access control: when a request matches multiple rules, the actions will be executed in the following order: Observe > Block.
2. Precise matching rules will be executed from high to low priority (Priority Value from small to large);
3. For the priority order of Custom rules and other Web Protection capabilities, please refer to: Web Protection Request Processing Order.
Basic Access Control
Example Scenario 1: Only allow access from specific countries/regions
To comply with the legal requirements of specified business regions, if the current business only allows access from non-Chinese mainland regions, you may need to restrict the visitor's source region. For such scenarios, you can use the regional control rules in basic access control to achieve this. The operation steps are as follows:
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Security . By default, it is a site-level security policy. To configure differentiated security policies for a specific domain name under the current site, you can enter the Domain-level security policy tab and then click the corresponding domain name to enter the configuration page for the domain-level security policy. The subsequent steps are the same.
3. Locate the Custom rules tab and click Add rule in Basic access control .
4. Enter the rule name and configure the control type, matching method, and control range. In this example scenario, you can set the control type to Region Control , select the matching method as Include and the matching content as Chinese mainland (All) , and set the action to Block .
5. Click Save . The rule will be deployed and take effect. At this time, if the client access IP is from the Chinese mainland, the access to the website is denied.
Example Scenario 2: Configure Referer to control external site access
Note:
The HTTP protocol allows the Referer header to use a full URL or partial URL. You should configure the matching content according to the actual situation. For details about the Referer header, see RFC 9110.
To prevent unauthorized site access, you can use the Referer control rules in basic access control to block access requests with unauthorized Referer headers. For example, if the service at the
https://www.myexample.com
site needs to allow access requests through the advertising partner's link https://ads.example.com/ads-link
and reject access through other site links, you can take the following steps:1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Security . By default, it is a site-level security policy. Click the Domain-level security policy tab and then click the target domain name such as
www.myexample.com
, to enter the configuration page for the security policy of the target domain name.3. Locate the Custom rules tab and click Add rule in Basic access control.
4. Enter the rule name and configure the control type, matching method, and control range. In this example scenario, you can set the control type to Referer control , and select the action as Block when the request Referer does not equal
https://www.myexample.com
or https://ads.example.com/ads-link
.
5. Click Save. The rule will be deployed and take effect.
Precise Matching Rules
Example Scenario: Precisely control the exposure surface of sensitive resources on the site
If you need to control the exposure surface of sensitive resources (such as the background management page) on the site and only allow access from specific clients or specified networks. You can use the client IP matching and request URL matching combination in precise matching rules to achieve this.
For example, the current site domain name
www.example.com
has a management background login address path of /adminconfig/login
, and this background is only allowed to be logged in by the specified client IP user 1.1.1.1
. The operation steps are as follows:1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Security . By default, it is a site-level security policy. Click the Domain-level security policy tab and then click the target domain name such as
www.example.com
, to enter the configuration page for the security policy of the target domain name.3. Locate the Custom rules tab and click Add rule in Precise matching rules .
4. On the rule adding page, select creating a blank rule, enter the rule name, and click Add.
5. Configure the judgment conditions and actions. In this example scenario, you can configure the matching fields as Request path (Path) equals
/adminconfig/login
and Client IP not matching 1.1.1.1
, and set the action to Block. Note:
Priority: The lower the value, the higher the priority. When a request matches multiple rules, the action of the rule with the higher priority (lower numerical value) applies.
6. Click Save and publish . The rule will be deployed and take effect.
Related References
Supported Matching Condition Range
Custom rules can use matching conditions to control the scope of rule application. The following are the matching conditions supported by different custom rule types:
Basic access control
Rule type | Description |
Client IP control | Control access requests based on client IP |
Regional control | Control access requests based on client IP location |
Referer control | Control access requests based on the Referer header content |
User-Agent control | Control access requests based on the User-Agent |
ASN control | Control access requests based on the client IP location ASN |
URL control | Control access requests based on the request URL, supporting wildcard matching |
Precise matching rules
Precise matching rules support the following matching conditions, and the support level for different EdgeOne plans is also not consistent.
Note:
For the description and plan restrictions of supported matching conditions, please refer to: Matching conditions.
Request domain name (Host)
Request client IP
Request client IP (prioritizing XFF header)
Request method (Method)
Request User-Agent header
Session cookie
XFF extended header
Request path (Path)
Custom request header
Request URL
Request source (Referer)
Network layer protocol
Application layer protocol
Request body
JA3 fingerprint
Supported Actions
Different custom protection rules support the following actions. For the description of different actions, please refer to Actions.
Protection rule type | Supported actions |
Basic access control | Observe Intercept |
Precise matching rules | Release Intercept Observe IP blocking rule Return custom response content Annotation Redirect to URL JavaScript challenge |
Note:
Annotation: You can configure the return custom response content action for a single custom rule (only precise matching rules are supported). When a request matches the rule, EdgeOne will return the specified page and status code. You can also configure the custom response page to specify the page and status code used for all custom rules to block requests.