EdgeNext
Documentation home

EdgeNext Documentation

Product guides, setup instructions, and technical references.

Security CDN

Granular Access Control

Granular Access Control supports multi-dimensional access policies based on IP, geographic location, request path, User-Agent, request rate, and more, enabling users to flexibly identify and manage requests from different sources, effectively mitigating malicious access, business abuse, and abnormal traffic, thereby enhancing overall security protection.

Match Fields and Logic

Match Field Description Matching Logic
URL Request URL without domain name. For example, for https://www.edgenext.com/index.html?a=1&b=2, the URL is /index.html?a=1&b=2. Contains
Does not Contain
Equal to
Does not Equal to
IP Client IP accessing the Security CDN edge node ($remote_addr). Supports IPv4, IPv6, and CIDR (e.g., 1.1.1.0/24). Equal to
Does not Equal to
In IP list
Not in IP list
In the last seven days of the white list
Not on the white list in the last seven days
Referer Origin URL of the request, e.g., https://www.google.com/search?a=1. Contains
Does not Contain
Equal to
Does not Equal to
Does not exist
Length larger than
Length equal to
Length smaller than
Referer Domain Name Domain used by the visitor to access or search for the destination domain. Equal to
Does not Equal to
Request Region Geographical location of the client. Supports continent, region, country, province. Belongs
Does not belong
User-Agent Client’s browser signature, rendering engine, version, etc. Contains
Does not Contain
Equal to
Does not Equal to
Does not exist
Length larger than
Length equal to
Length smaller than
There is a garbled code
There is no garbled code
Request Type Type of resource requested, either static or dynamic. Belongs
Does not belong
URL Request Parameters Includes Host, Content-Type, Cookie, Content-Length, etc. Contains
Does not Contain
Equal to
Does not Equal to
Does not exist
Length larger than
Length equal to
Length smaller than
POST Request Parameters POST body parameters for x-www-form-urlencoded content-type. Contains
Does not Contain
Equal to
Does not Equal to
Does not exist
Length larger than
Length equal to
Length smaller than
URL Query String The portion of the URL after ?, e.g., a=1&b=2. Contains
Does not Contain
Equal to
Does not Equal to
Does not exist
Length larger than
Length equal to
Length smaller than
Request Header HTTP request header field, which can specify a field setting policy. Contains
Does not Contain
Equal to
Does not Equal to
Does not exist
Length larger than
Length equal to
Length smaller than
Request Time Time the request reaches the SCDN edge node. Belongs
Does not belong
Request Method Request method (HEAD, GET, POST, PUT, DELETE, OPTIONS, PATCH, PURGE). Equal to
Does not Equal to
Request Protocol Protocol used (HTTP, HTTPS, WebSocket, etc.). Belongs
Does not belong
Device Type Terminal type (e.g., QQ browser, WeChat browser, PC browser, etc.). Equal to
Does not Equal to
IP Type IP classification (search engine, partner, IDC, botnet, etc.). Equal to
Does not Equal to
Suffix File suffix in request URL (e.g., .jpg, .png, .php). Equal to
Does not Equal to
Server Port Server port on the SCDN edge node (e.g., 80, 443). Equal to
Does not Equal to
IP Request Frequency Request rate from the same client IP. Larger than X Second Y Times
Request frequency per IP per URL Request rate to the same URL from the same IP. Larger than X Second Y Times
Origin response code Status code returned by origin server (e.g., 403, 404). Status code Larger than X Second Y Times
IP Behavior Analysis AI-based IP behavior profiling for scenario-specific protection. Belongs
Does not belong
JA4 Fingerprint An identifier generated by hashing a set of client characteristics observed during the TLS handshake—such as the TLS version, cipher suites, and extensions. Equal to
Does not Equal to
JA4H Fingerprint A fingerprint generated by hashing client-side HTTP request attributes—such as the User-Agent and Accept headers—to complement JA4 and assist in detecting spoofed clients. Equal to
Does not Equal to

Disposal Method

Operation Method Description
General Apply basic Layer 7 DDoS protection for matched requests. Requests will continue to be processed by WAF/Layer 7 DDoS modules.
Observation Only logs matched requests (no blocking). Results will appear in reports. If “continue evaluation” is enabled, subsequent rule sets will still be checked.
Release Allow explicitly matched requests to pass. All subsequent security modules will be bypassed for these requests.
Block Immediately block matched requests and return an error page.
Ban Block matched requests and add the request source to a denylist, temporarily preventing further access.
Man-Machine Verification Cookie Verification: According to the cookie record of the client, the security CDN node will do a cookie check for the visitor when the visitor makes a request;
JS Verification: In the case of normal requests, guest requests will bring JS to the secure CDN node, and this process will also do a JS validation;
Intelligent verification code: When guest visits the request page, a CAPTCHA prompt box will pop up, and they need to pass the verification code before they can normally request the website.
Note:Cookie validation and JS validation types are not aware of visitor requests, and smart Captchas have a certain impact on user experience.
Whitening Whitelist matched IPs for the domain. These IPs will bypass Granular Access Control and App-Layer DDoS protection but still go through WAF. Whitelisting is time-limited and cannot be revoked by deleting rules. Optional: still perform WAF inspection on first access.
Honeynet Traction Redirect matched requests (HTTP 302) to a honeypot server. If configured, traffic will first pass through WAF/Layer 7 DDoS/rule sets before redirection.
Redirect Redirect matched requests (HTTP 301) to a specified URL.

Rule Priority

  • Rules are evaluated top-down in list order.

  • New rules are added to the top by default and have the highest priority.

  • Paused rules are skipped during evaluation and are not executed.

  • You can adjust rule order to change priority manually.

    精准访问控制6.png

How to Add a Rule Set

  1. Log in to the Security CDN Console.

  2. In the left navigation pane, go to Security > Web Security.

    精准访问控制1.png

  3. On the Global Security Policy page, scroll to Access Control > Granular Access Control.

  4. Click Add Rule Set to open the creation window.

    精准访问控制2.png

  5. After creation, click Manage to open the rule list.

  6. Click Add Rule, configure Matching condition and Disposal Method, and then click Save.

    精准访问控制3.png

5. How to Apply an Existing Rule Set

  1. Log in to the Security CDN Console.

  2. In the left navigation pane, go to Security > Web Security.

  3. On the Global Security Policy page, scroll to Access Control > Granular Access Control.

  4. Click Reference Rule Set to open the selection window.

    精准访问控制4.png

  5. Select an existing rule set and click Save.

    精准访问控制5.png

  6. Manually adjust the parameters in the rules as needed based on your actual business scenarios.

Note: This feature is available only for Business Edition and above.

Need help? Contact our support team at support@edgenext.com.

Back to documentation home