Match Condition

Overview

Web Protection works by matching requests against conditions. This page describes the available matching condition options and matching methods, how to configure them, and their limits.

Using Matching Conditions

A rule's matching conditions define which requests the rule applies to. They control the effective scope of protection exception rules, custom rules, rate limiting rules, and custom bot rules.
Note:
When multiple matching conditions are configured, the rule takes effect only when all matching conditions are satisfied.

Matching Methods

When the matching field and matching content meet the requirements of the matching method, the matching condition is satisfied.
Note:
For request header matching fields (such as the Referer header and custom headers), the methods equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, and regular expression matching can be satisfied only when the header exists and is not empty.

Matching methods and their descriptions:

Equal to (in the list)
  The matching content list contains the full string of the matching field. Matching is case-insensitive.
  The matching content can be configured with multiple values. When the matching field matches any value, the matching condition is satisfied.

Not equal to (not in the list)
  The matching content list does not contain the full string of the matching field. Matching is case-insensitive.
  The matching content can be configured with multiple values. When the matching field matches none of the values, the matching condition is satisfied.

Include (keyword)
  The matching field string contains any full string included in the matching content list. Matching is case-insensitive.
  The matching content can be configured with multiple values. When any value appears in the matching field, the matching condition is satisfied.

Exclude (keyword)
  The matching field string does not contain any full string included in the matching content list. Matching is case-insensitive.
  The matching content can be configured with multiple values. When none of the values appear in the matching field, the matching condition is satisfied.

Wildcard matching
  The matching field matches a wildcard expression in the matching content list. Matching is case-insensitive. The supported wildcard characters are:
    Asterisk *: matches zero or more characters.
    Question mark ?: matches one character.
  The matching content can be configured with multiple wildcard expressions. When the matching field matches any wildcard expression, the matching condition is satisfied.
  When the matching content does not contain a wildcard, exact matching is used to judge the matching field.

Wildcard mismatch
  The matching field matches none of the wildcard expressions in the matching content list. Matching is case-insensitive. The supported wildcard characters are:
    Asterisk *: matches zero or more characters.
    Question mark ?: matches one character.
  The matching content can be configured with multiple wildcard expressions. When the matching field matches none of the wildcard expressions, the matching condition is satisfied.
  When the matching content does not contain a wildcard, exact matching is used to judge the matching field.

Length greater than
  The matching field exists and the data length (calculated by the number of characters in the string) is greater than the specified length.

Length less than
  The matching field exists and the data length (calculated by the number of characters in the string) is less than the specified length.

Content is empty
  The matching field exists and is an empty string.

Not exist
  The matching field does not exist.

Regular expression matching
  The matching field data matches the regular expression in the matching content.
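The matching methods above, combined with the rule that all conditions must be satisfied, can be modelled as follows. This is an added example, not EdgeOne code: the method keys, the `condition_met` and `rule_applies` helpers, the request dictionary and the sample rule are all hypothetical, and Python's `re` module stands in for the product's regular expression engine.

```python
import re

def _wild(pattern, value):
    # Only * and ? are wildcards; every other character is literal.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE | re.DOTALL) is not None

def condition_met(method, field, content=None):
    """field is None when absent; content is a list of values or an int."""
    if method == "not_exist":
        return field is None
    if field is None:
        return False
    if method == "empty":
        return field == ""
    if method == "length_gt":
        return len(field) > content
    if method == "length_lt":
        return len(field) < content
    # Per the note above, the remaining methods need a non-empty value.
    # Assumption: applied to every field here, not only request headers.
    if field == "":
        return False
    f, vals = field.lower(), [v.lower() for v in content]
    if method == "equal":
        return f in vals
    if method == "not_equal":
        return f not in vals
    if method == "include":
        return any(v in f for v in vals)
    if method == "exclude":
        return all(v not in f for v in vals)
    if method == "wildcard":
        return any(_wild(v, f) for v in vals)
    if method == "wildcard_mismatch":
        return not any(_wild(v, f) for v in vals)
    if method == "regex":
        # Assumption: Python's re stands in for the product's regex engine.
        return any(re.search(p, field) for p in content)
    raise ValueError(f"unknown method: {method}")

def rule_applies(conditions, request):
    # A rule takes effect only when all of its conditions are satisfied.
    return all(condition_met(m, request.get(k), c) for k, m, c in conditions)

# Constructed sample: rule scoped to a login path, excluding one referer.
RULE = [("path", "wildcard", ["/api/*/login"]),
        ("referer", "exclude", ["partner.example"])]
```

With this model, an exclude condition on Referer is not satisfied when the request carries no Referer at all, so `RULE` does not apply to such requests. Because conditions are combined with AND, covering them takes a separate rule that uses the Not exist method.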

Matching Condition Options and Descriptions

Note:
1. The supported matching conditions vary depending on the rule type and the EdgeOne plan you have subscribed to. For support details, refer to the Comparison among EdgeOne Plans.
2. In all the matching content of a single rule, the total number of the matching items should not exceed 128 (including the matching conditions that require matching multiple values simultaneously).
Match condition options and their descriptions:

Request Client IP
  Match the source IP address of the request. Supports matching based on Region, ASN, IP, and CIDR Block.
  With the Match and Not match logical operators, you can match Client IP, CIDR Block, and IP grouping. A single match condition can configure up to 8 IP groupings.
  With the Region inclusion and Region exclusion logical operators, you can match the Region of the Client IP.
  With the ASN affiliation and ASN affiliation not equal to logical operators, you can match the BGP autonomous system number (ASN) to which the Client IP belongs.

Request Client IP (Prioritize matching XFF Header)
  When the request carries a valid XFF (X-Forwarded-For) header, match the first IP in the XFF header; otherwise, match the source IP address of the request.
  With the Match and Not match logical operators, you can match Client IP, CIDR Block, and IP grouping. A single match condition can configure up to 8 IP groupings.
  With the Region inclusion and Region exclusion logical operators, you can match the Region of the Client IP.
  With the ASN affiliation and ASN affiliation not equal to logical operators, you can match the BGP autonomous system number (ASN) to which the Client IP belongs.

Custom request header
  Match the specified header of the request, providing additional parameter options to match the header value of a specific name.
  Case insensitive.
  Supports equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, length greater than, length less than, content is empty, not exist, regular expression matching.

Request URL
  Match the request URL. For example: /example.html?region=cn.
  Case insensitive.
  Hostname is not included.
  URL query parameters are included.
  Supports equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, length greater than, length less than, content is empty, not exist, regular expression matching.

Request Source (Referer Header)
  Match the request's Referer header.
  Case insensitive.
  Supports equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, length greater than, length less than, content is empty, not exist, regular expression matching.

Request content type (Accept Header)
  Match the request's Accept header.
  Case insensitive.
  Supports equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, length greater than, length less than, content is empty, not exist, regular expression matching.

Request Path
  Match the path section of the request URL. For example: /example.html or /api/v2/login.
  Hostname is not included.
  Query parameters are not included.
  Case insensitive.

Request Method
  Match the request method.
  Case insensitive.
  Supports multiple selections: GET, POST, HEAD, PUT, DELETE, TRACE, OPTIONS, CONNECT.

Request Cookie
  Match the value of a specified parameter in the request's Cookie header. The Cookie parameter name must be specified.
  Case insensitive.
  Supports equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, length greater than, length less than, content is empty, not exist, regular expression matching.

XFF extended headers
  Match the request's XFF (X-Forwarded-For) header.
  Case insensitive.
  Supports equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, length greater than, length less than, content is empty, not exist, regular expression matching.

Network layer protocol
  Match the type of IP protocol used in the request.
  Supports multiple selections: IPv4, IPv6.

Application layer protocol
  Match the application layer protocol used in the request.
  Supports multiple selections: HTTP, HTTPS.

Response status code
  Match the HTTP status code of the response.
  Supported only for rate limiting; it can be configured when statistics based on responses are selected.
  Supports matching up to 20 status codes simultaneously.

Request body
  Match the body of the request.
  Only the first 8 KB of the request body is matched.
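The difference between Request Client IP and Request Client IP (Prioritize matching XFF Header) is which address the condition evaluates. The sketch below is an added example, not EdgeOne code: the helper names are hypothetical, a "valid" XFF header is assumed to mean that its first entry parses as an IP address, and the addresses come from documentation ranges.

```python
import ipaddress

def first_xff_ip(xff):
    """First X-Forwarded-For entry if it parses as an IP address, else None."""
    if not xff:
        return None
    first = xff.split(",")[0].strip()
    try:
        return ipaddress.ip_address(first)
    except ValueError:
        return None

def matched_ip(source_ip, xff, prioritize_xff):
    """Address the condition evaluates for each of the two options."""
    src = ipaddress.ip_address(source_ip)
    if not prioritize_xff:
        return src
    candidate = first_xff_ip(xff)
    # Fall back to the connection's source address when XFF is unusable.
    return candidate if candidate is not None else src

def ip_condition(ip, entries, negate=False):
    """Match / Not match against a list of IPs and CIDR blocks."""
    hit = any(ip in ipaddress.ip_network(e, strict=False) for e in entries)
    return hit != negate

# Constructed sample request and allowlist.
SOURCE = "203.0.113.50"
XFF = "198.51.100.7, 203.0.113.50"
ALLOWLIST = ["198.51.100.0/24"]

def evaluate(prioritize_xff):
    return ip_condition(matched_ip(SOURCE, XFF, prioritize_xff), ALLOWLIST)
```

For this request the two options disagree: the plain option evaluates 203.0.113.50, the XFF-prioritized option evaluates 198.51.100.7. Since X-Forwarded-For is a request header, rules that grant trust (allowlists, exception rules) are better scoped with the plain Request Client IP option unless a trusted proxy in front of EdgeOne sets the header.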