Edge Security
  • Overview
  • DDoS Protection
    • DDoS Protection Overview
    • Exclusive DDoS Protection Usage
    • Configuration of Exclusive DDoS protection Rules
      • Increase DDoS Protection Level
      • Exclusive DDoS Traffic Alarm
      • Configuration IP blocklist/allowlist
      • Configuration Region Blocking Rule
      • Configuration Port Filtering
      • Configuration Features Filtering
      • Configuration Protocol Blocking Rule
      • Configuration Connections Attack Protection
      • Related References
        • Action
        • Related Concepts Introduction
  • Web Protection
    • Overview
    • Managed rules
    • CC attack defense
    • Custom rule
    • Custom Rate Limiting Rules
    • Exception Rules
    • Managed Custom Rules
    • Web security monitoring alarm
    • Refer
      • Web Protection Request Processing Order
      • Action
      • Match Condition
  • Bot Management
    • Overview
    • Bot Intelligent analysis
    • Bot Basic Feature Management
    • Client Reputation
    • Active Detection
    • Custom Bot Rule
    • Bot Exception Rule
    • Related References
      • Action
  • Rules Template
  • IP and IP Segment Grouping
  • Origin Protection
  • Custom Response Page
  • Alarm Notification
  • SSL/TLS
    • Overview
    • Deploying/Updating SSL Certificate for A Domain Name
    • Configuring A Free Certificate for A Domain Name
    • HTTPS Configuration
      • Forced HTTPS Access
      • Enabling HSTS
      • SSL/TLS Security Configuration
        • Configuring SSL/TLS Security
        • TLS Versions and Cipher Suites
      • Enabling OCSP Stapling

Custom rule

Overview

If your site needs to customize the user access policy, such as prohibiting users from specified regions, allowing specified external sites to link to the site content, and allowing only specified users to access certain resources. Custom rules support matching client requests based on single rule matching conditions or multiple matching conditions. By allowing, intercepting, redirecting, and returning custom pages, you can control the request strategy of matched requests, which can help your site more flexibly limit the content that users can access.

Typical Scenarios and Usage

You can choose the appropriate rule type to protect your site according to different scenarios. Custom rules are divided into the following types:
Basic access control: Supports single condition matching requests, disposes or observes matched requests, and is suitable for simple scenario protection, such as configuring IP blocklist/allowlist, Referer blocklist, UA blocklist/allowlist, or regional restrictions.
Precise matching rules: Supports multiple condition combination matching requests, disposes or observes matched requests, and is suitable for complex scenario protection configuration, such as allowing only specified users to access files under specified paths.
Managed custom policy: A policy customized by Tencent security experts, which does not support console adjustment. For details, please see: Managed custom rules.
Note:
When there are multiple rules of the same type, the priority of the rules is as follows:
1. Rules within Basic access control: when a request matches multiple rules, the actions will be executed in the following order: Observe > Block.
2. Precise matching rules will be executed from high to low priority (Priority Value from small to large);
3. For the priority order of Custom rules and other Web Protection capabilities, please refer to: Web Protection Request Processing Order.

Basic Access Control

Example Scenario 1: Only allow access from specific countries/regions

To comply with the legal requirements of specified business regions, if the current business only allows access from non-Chinese mainland regions, you may need to restrict the visitor's source region. For such scenarios, you can use the regional control rules in basic access control to achieve this. The operation steps are as follows:
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Security . By default, it is a site-level security policy. To configure differentiated security policies for a specific domain name under the current site, you can enter the Domain-level security policy tab and then click the corresponding domain name to enter the configuration page for the domain-level security policy. The subsequent steps are the same.
3. Locate the Custom rules tab and click Add rule in Basic access control .
4. Enter the rule name and configure the control type, matching method, and control range. In this example scenario, you can set the control type to Region Control , select the matching method as Include and the matching content as Chinese mainland (All) , and set the action to Block .

5. Click Save . The rule will be deployed and take effect. At this time, if the client access IP is from the Chinese mainland, the access to the website is denied.

Example Scenario 2: Configure Referer to control external site access

Note:
The HTTP protocol allows the Referer header to use a full URL or partial URL. You should configure the matching content according to the actual situation. For details about the Referer header, see RFC 9110.
To prevent unauthorized site access, you can use the Referer control rules in basic access control to block access requests with unauthorized Referer headers. For example, if the service at the https://www.myexample.com site needs to allow access requests through the advertising partner's link https://ads.example.com/ads-link and reject access through other site links, you can take the following steps:
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Security . By default, it is a site-level security policy. Click the Domain-level security policy tab and then click the target domain name such as www.myexample.com , to enter the configuration page for the security policy of the target domain name.
3. Locate the Custom rules tab and click Add rule in Basic access control.
4. Enter the rule name and configure the control type, matching method, and control range. In this example scenario, you can set the control type to Referer control , and select the action as Block when the request Referer does not equal https://www.myexample.com or https://ads.example.com/ads-link.

5. Click Save. The rule will be deployed and take effect.

Precise Matching Rules

Example Scenario: Precisely control the exposure surface of sensitive resources on the site

If you need to control the exposure surface of sensitive resources (such as the background management page) on the site and only allow access from specific clients or specified networks. You can use the client IP matching and request URL matching combination in precise matching rules to achieve this.
For example, the current site domain name www.example.com has a management background login address path of /adminconfig/login, and this background is only allowed to be logged in by the specified client IP user 1.1.1.1. The operation steps are as follows:
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Security . By default, it is a site-level security policy. Click the Domain-level security policy tab and then click the target domain name such as www.example.com, to enter the configuration page for the security policy of the target domain name.
3. Locate the Custom rules tab and click Add rule in Precise matching rules .
4. On the rule adding page, select creating a blank rule, enter the rule name, and click Add.
5. Configure the judgment conditions and actions. In this example scenario, you can configure the matching fields as Request path (Path) equals /adminconfig/login and Client IP not matching 1.1.1.1 , and set the action to Block.
Note:
Priority: The lower the value, the higher the priority. When a request matches multiple rules, the action of the rule with the higher priority (lower numerical value) applies.

6. Click Save and publish . The rule will be deployed and take effect.

Related References

Supported Matching Condition Range

Custom rules can use matching conditions to control the scope of rule application. The following are the matching conditions supported by different custom rule types:
Basic access control
Rule type
Description
Client IP control
Control access requests based on client IP
Regional control
Control access requests based on client IP location
Referer control
Control access requests based on the Referer header content
User-Agent control
Control access requests based on the User-Agent
ASN control
Control access requests based on the client IP location ASN
URL control
Control access requests based on the request URL, supporting wildcard matching
Precise matching rules
Precise matching rules support the following matching conditions, and the support level for different EdgeOne plans is also not consistent.
Note:
For the description and plan restrictions of supported matching conditions, please refer to: Matching conditions.
Request domain name (Host)
Request client IP
Request client IP (prioritizing XFF header)
Request method (Method)
Request User-Agent header
Session cookie
XFF extended header
Request path (Path)
Custom request header
Request URL
Request source (Referer)
Network layer protocol
Application layer protocol
Request body
JA3 fingerprint

Supported Actions

Different custom protection rules support the following actions. For the description of different actions, please refer to Actions.
Protection rule type
Supported actions
Basic access control
Observe
Intercept
Precise matching rules
Release
Intercept
Observe
IP blocking rule
Return custom response content Annotation
Redirect to URL
JavaScript challenge
Note:
Annotation: You can configure the return custom response content action for a single custom rule (only precise matching rules are supported). When a request matches the rule, EdgeOne will return the specified page and status code. You can also configure the custom response page to specify the page and status code used for all custom rules to block requests.