Edge Security
  • Overview
  • DDoS Protection
    • DDoS Protection Overview
    • Exclusive DDoS Protection Usage
    • Configuration of Exclusive DDoS protection Rules
      • Increase DDoS Protection Level
      • Exclusive DDoS Traffic Alarm
      • Configuration IP blocklist/allowlist
      • Configuration Region Blocking Rule
      • Configuration Port Filtering
      • Configuration Features Filtering
      • Configuration Protocol Blocking Rule
      • Configuration Connections Attack Protection
      • Related References
        • Action
        • Related Concepts Introduction
  • Web Protection
    • Overview
    • Managed rules
    • CC attack defense
    • Custom rule
    • Custom Rate Limiting Rules
    • Exception Rules
    • Managed Custom Rules
    • Web security monitoring alarm
    • Refer
      • Web Protection Request Processing Order
      • Action
      • Match Condition
  • Bot Management
    • Overview
    • Bot Intelligent analysis
    • Bot Basic Feature Management
    • Client Reputation
    • Active Detection
    • Custom Bot Rule
    • Bot Exception Rule
    • Related References
      • Action
  • Rules Template
  • IP and IP Segment Grouping
  • Origin Protection
  • Custom Response Page
  • Alarm Notification
  • SSL/TLS
    • Overview
    • Deploying/Updating SSL Certificate for A Domain Name
    • Configuring A Free Certificate for A Domain Name
    • HTTPS Configuration
      • Forced HTTPS Access
      • Enabling HSTS
      • SSL/TLS Security Configuration
        • Configuring SSL/TLS Security
        • TLS Versions and Cipher Suites
      • Enabling OCSP Stapling
이 페이지는 현재 영어로만 제공되며 한국어 버전은 곧 제공될 예정입니다. 기다려 주셔서 감사드립니다.

Match Condition

Overview

Web Protection function is implemented by matching different conditions of requests. The following provides a detailed introduction to various matching condition options, matching condition descriptions, and related configuration methods and limitations.

Using Matching Conditions

You can use the matching conditions of the rule to specify the effective scope of the rule, and control the effective scope of protection exception rules, custom rules, rate limiting, and custom bot rules.
Note:
When multiple matching conditions are configured, the rule takes effect only when all matching conditions are satisfied.

Matching Methods

When the matching field and matching content meet the requirements of the matching method, the matching condition is satisfied.
Note:
For the request header matching fields (such as Referer header and custom headers), if the matching methods such as equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, and regular expression matching are used, the matching condition can be satisfied only when the header exists and is not empty.
Matching Method
Description
Equal to (in the list)
The matching content list contains the full string of the matching field, which is case-insensitive.
The matching content can be configured with multiple values. When the matching field matches any value, the matching condition is satisfied.
Not equal to (not in the list)
The matching content list does not contain the full string of the matching field , which is case-insensitive.
The matching content can be configured with multiple values. When the matching field matches none of the values, the matching condition is satisfied.
Include (keyword)
The matching field string contains any full string included in the matching content list, which is case-insensitive.
The matching content can be configured with multiple values. When any value does not appear in the matching field, the matching condition is satisfied.
Exclude (keyword)
The matching field string does not contain any full string included in the matching content list, which is case-insensitive.
The matching content can be configured with multiple values. When all values do not appear in the matching field, the matching condition is satisfied.
Wildcard matching
The matching content list contains a string for wildcard matching of the matching field, which is case-insensitive. The supported wildcard characters include:
Asterisk * : Matches zero or multiple characters.
Question mark ? : Matches one character.
The matching content can be configured with multiple wildcard expressions. When the matching field matches any wildcard expression, the matching condition is satisfied.
When the matching content does not contain a wildcard, exact matching is used to judge the matching field.
Wildcard mismatch
The matching content list does not contain a string for wildcard matching of the matching field, which is case-insensitive. The supported wildcard characters include:
Asterisk * : Matches zero or multiple characters.
Question mark ? : Matches one character.
The matching content can be configured with multiple wildcard expressions. When the matching field matches none of the wildcard expressions, the matching condition is satisfied.
When the matching content does not contain a wildcard, exact matching is used to judge the matching field.
Length greater than
The matching field exists and the data length (calculated by the number of characters in the string) is greater than the specified length.
Length less than
The matching field exists and the data length (calculated by the number of characters in the string) is less than the specified length.
Content is empty
The matching field exists and is an empty string.
Not exist
The matching field does not exist.
Regular expression matching
The matching field data can match the regular expression in the matching content .

Matching Condition Options and Descriptions

Note:
1. The supported matching conditions vary depending on the rule type and the EdgeOne plan you have subscribed to. For support details, refer to the Comparison among EdgeOne Plans.
2. In all the matching content of a single rule, the total number of the matching items should not exceed 128 (including the matching conditions that require matching multiple values simultaneously).
Match Condition options
Match Condition descriptions
Request Client IP
Match the source IP address of the request. Supports matching based on Region, ASN, IP, and CIDR Block.
When using Match, not match logical symbol options, you can match Client IP, CIDR Block, and IP grouping.
A single match condition can configure up to 8 IP groupings.
When using Region inclusion, Region exclusion logical symbol options, you can match the Region of the Client IP.
When using ASN affiliation, ASN affiliation not equal to logical symbol options, you can match the BGP autonomous system number (ASN) to which the Client IP belongs.
Request Client IP (Prioritize matching XFF Header)
When the request carries a valid XFF (X-Forwarded-For) Header, match the first IP in the XFF Header; otherwise, match the source IP address of the request.
When using Match, not match logical symbol options, you can match Client IP, CIDR Block, and IP grouping.
A single match condition can configure up to 8 IP groupings.
When using Region inclusion, Region exclusion logical symbol options, you can match the Region of the Client IP.
When using ASN affiliation, ASN affiliation not equal to logical symbol options, you can match the BGP autonomous system number (ASN) to which the Client IP belongs.
Custom request header
Match the specified header of the request, providing additional parameter options to match the header value of a specific name.
Case insensitive.
Supports equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, length greater than, length less than, content is empty, no existing, regular expression match.
Request URL
Match the request URL. For example: /example.html?region=cn .
Case insensitive.
Exclude Hostname
Include URL query parameters
Supports equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, length greater than, length less than, content is empty, no existing, regular expression match.
Request Source (Referer Header)
Match the request's Referer header.
Case insensitive.
Supports equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, length greater than, length less than, content is empty, no existing, regular expression match.
Request content type (Accept Header)
Match the request's Accept header.
Case insensitive.
Supports equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, length greater than, length less than, content is empty, no existing, regular expression match.
Request Path
Match the request URL's path section. For example: /example.html or /api/v2/login.
Hostname is not included.
Query parameters are not included.
Case insensitive.
Request Method
Method for matching requests.
Case insensitive.
Supports multiple selections: GET, POST, HEAD, PUT, DELETE, TRACE, OPTIONS, CONNECT.
Request Cookie
Matches specified request Cookie header parameter values. Cookie parameter name must be specified.
Case insensitive.
Supports equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, length greater than, length less than, content is empty, no existing, regular expression match.
XFF extended headers
Match the request's XFF (X-Forwarded-For) header.
Case insensitive.
Supports equal to, not equal to, include, exclude, wildcard matching, wildcard mismatch, length greater than, length less than, content is empty, no existing, regular expression match.
Network layer protocol
Match the type of IP protocol used in the request.
Support multiple selections: IPv4, IPv6.
Application layer protocol
Match the application layer protocol used in the request.
Support multiple selections: HTTP, HTTPS.
Response status code
Match the HTTP status code of the response.
Only support rate limiting; configuration is supported when selecting based on response statistics.
Supports matching up to 20 status codes simultaneously.
Request body
Match the body of the request.
Only supports matching the first 8 KB data of the request body.