Overview
Menu

Custom rule

Overview

If your site needs to customize the user access policy, such as prohibiting users from specified regions, allowing specified external sites to link to the site content, and allowing only specified users to access certain resources. Custom rules support matching client requests based on single rule matching conditions or multiple matching conditions. By allowing, intercepting, redirecting, and returning custom pages, you can control the request strategy of matched requests, which can help your site more flexibly limit the content that users can access.

Typical Scenarios and Usage

You can choose the appropriate rule type to protect your site according to different scenarios. Custom rules are divided into the following types:
Basic access control: Supports single condition matching requests, disposes or observes matched requests, and is suitable for simple scenario protection, such as configuring IP blocklist/allowlist, Referer blocklist, UA blocklist/allowlist, or regional restrictions.
Precise matching rules: Supports multiple condition combination matching requests, disposes or observes matched requests, and is suitable for complex scenario protection configuration, such as allowing only specified users to access files under specified paths.
Managed custom policy: A policy customized by Tencent security experts, which does not support console adjustment. For details, please see: Managed custom rules.
Note:
When there are multiple rules of the same type, the priority of the rules is as follows:
1. Rules within Basic access control: when a request matches multiple rules, the actions will be executed in the following order: Observe > Block.
2. Precise matching rules will be executed from high to low priority (Priority Value from small to large);
3. For the priority order of Custom rules and other Web Protection capabilities, please refer to: Web Protection Request Processing Order.

Basic Access Control

Example Scenario 1: Only allow access from specific countries/regions

To comply with the legal requirements of specified business regions, if the current business only allows access from non-Chinese mainland regions, you may need to restrict the visitor's source region. For such scenarios, you can use the regional control rules in basic access control to achieve this. The operation steps are as follows:
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. On the site details page, click on Security > Web Protection, and enter the Web Protection details page on the left side of the protection domain list, and select the domain name to be protected.



3. Find the custom rule card and click on the settings. Enter the custom rule page and click on the add rule in basic access control.



4. In the new basic control rule interface, fill in the rule name, and configure the rule type, matching method, and matching content. The rule type is the matching condition, and the requests matching this rule type will be processed according to the configured action.
In this scenario, you can choose the rule type as region control, the matching method as Client IP region Contain, the matching content as Chinese mainland (all), and the action as Block.



5. After clicking confirm, the rule will be deployed and take effect. At this time, if the client access IP is a Chinese mainland user, they will not be allowed to access the website.

Example Scenario 2: Configure Referer to control external site access

To prevent unauthorized site access and hotlinking, you can use the Referer control rule in basic access control to block access requests with unauthorized Referer headers. For example, the domain name www.myexample.com needs to allow access requests linked through the advertising partner ads.example.com, while denying access to content linked through other sites. The operation steps are as follows:
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. On the site details page, click on Security > Web Protection, and enter the Web Protection details page on the left side of the protection domain list, and select the domain name to be protected.



3. Find the custom rule card and click on the settings. Enter the custom rule page and click on the add rule in basic access control.



4. In the new basic control rule interface, fill in the rule name, and configure the rule type, matching method, and matching content. The rule type is the matching condition, and the requests matching this rule type will be processed according to the configured action.
In this scenario, you can choose the rule type as Referer control, when the request Referer does not equal to include: www.myexample.com, ads.example.com, the action is Block.



5. After clicking confirm, the rule will be deployed and take effect.

Precise Matching Rules

Example Scenario: Precisely control the exposure surface of sensitive resources on the site

If you need to control the exposure surface of sensitive resources (such as the background management page) on the site and only allow access from specific clients or specified networks. You can use the client IP matching and request URL matching combination in precise matching rules to achieve this.
For example, the current site domain name www.example.com has a management background login address path of /adminconfig/login, and this background is only allowed to be logged in by the specified client IP user 1.1.1.1. The operation steps are as follows:
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. On the site details page, click on Security protection > Web Protection, and enter the Web Protection details page on the left side of the protection domain list, and select the domain name to be protected.



3. Find the custom rule card and click on the settings. Enter the custom rule page and click on the add rule in precise matching policy.



4. In the new custom protection rule interface, fill in the rule name, and configure the matching field and perform action.
In this scenario, you can configure the matching field as the request path (Path) equal to /adminconfig/login and the client IP matching 1.1.1.1 user, and the perform action as release.
Note:
Click on more configuration to modify the priority of this rule. The lower the value, the higher the priority.



5. After clicking confirm, the rule will be deployed and take effect.

Related References

Supported Matching Condition Range

Custom rules can use matching conditions to control the scope of rule application. The following are the matching conditions supported by different custom rule types:
Basic access control
Rule type
Description
Client IP control
Control access requests based on client IP
Regional control
Control access requests based on client IP location
Referer control
Control access requests based on the Referer header content
User-Agent control
Control access requests based on the User-Agent
ASN control
Control access requests based on the client IP location ASN
URL control
Control access requests based on the request URL, supporting wildcard matching
Precise matching rules
Precise matching rules support the following matching conditions, and the support level for different EdgeOne plans is also not consistent.
Note:
For the description and plan restrictions of supported matching conditions, please refer to: Matching conditions.
Request client IP
Request client IP (priority matching XFF header)
Custom request header
Request URL
Request Referer header
Request User-Agent header
Request path (Path)
Request method (Method)
Request Cookie
XFF extended header
Network layer protocol
Application layer protocol

Supported Actions

Different custom protection rules support the following actions. For the description of different actions, please refer to Actions.
Protection rule type
Supported actions
Basic access control
Observe
Intercept
Precise matching rules
Release
Intercept
Observe
IP blocking rule
Redirect
Return custom error pagesp.s.
JavaScript challenge
Note:

p.s.:
If you want to customize the response request page and status code, custom rules support the following configuration methods:
Use the return custom error pages action: You can configure the return custom error pages action for a single custom rule (only support precise matching rules). When EdgeOne responds to requests that match this rule, it will return the specified page and status code.
Use custom error pages: You can use custom error pages configuration to specify the page and status code used by all custom rules when intercepting requests.