FAQ about access control
IP address blacklist and whitelist
How many IP addresses can I add to a blacklist or whitelist?
Each blacklist or whitelist supports up to 2,000 IPv4 addresses and approximately 700 IPv6 addresses. A CIDR block counts as one entry regardless of how many individual addresses it covers.
Can I get the IP addresses of CDN points of presence (POPs) to add to my origin whitelist?
This depends on your daily peak bandwidth:
| Daily peak bandwidth | Action |
|---|---|
| Above 1 Gbit/s | Request permission to call the DescribeL2VipsByDomain API, which returns the POP IP addresses that serve a specific domain. Add those addresses to your origin whitelist. |
| 1 Gbit/s or below | Configure firewall policies on your origin servers instead. |
Why can a blacklisted IP address still send requests to my CDN domain?
A blacklist cannot stop a client from sending requests to a POP. It controls how the POP handles the requests that arrive, not whether the client can send them.
After you add an IP address to the blacklist, CDN returns HTTP 403 to every request from that address and records the blocked requests in your CDN logs. To review the logs, see Download offline logs.
How do I get the originating IP address of a client?
Retrieve it from the X-Forwarded-For header. Because any client can send its own X-Forwarded-For header, do not take the leftmost value at face value; use the address that the CDN POP appended. For details, see Retrieve the originating IP addresses of clients.
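The two questions above are connected: the POP addresses you whitelist on the origin are exactly the proxies whose X-Forwarded-For entries you can trust. The following is an added example, not code from Alibaba Cloud, showing how an origin picks the client address out of the header safely. It walks the chain from the right and skips every hop that belongs to a trusted proxy range; the first address that is not a trusted proxy is the client, and anything to its left is unverified. The CIDR blocks in TRUSTED_PROXIES are documentation prefixes standing in for your real POP list, and the header values in the test are constructed.

```python
import ipaddress

# Constructed placeholder for the POP ranges you whitelist on the origin.
# Replace with the addresses returned for your domain; these are documentation prefixes.
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def is_trusted_proxy(ip_str, trusted=TRUSTED_PROXIES):
    """True if ip_str is a valid address inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Garbage in the header is never a trusted proxy.
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the originating client address for a request that reached the origin.

    remote_addr is the TCP peer that connected to the origin; xff_header is the
    raw X-Forwarded-For value (may be empty). Proxies append the address they
    saw on the right, so the chain is read from right to left: each entry is
    only believable if the hop to its right is a trusted proxy.
    """
    if not is_trusted_proxy(remote_addr, trusted):
        # The peer is not one of our POPs (direct hit or unknown proxy), so the
        # header could say anything. The peer address is the best we have.
        return remote_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, trusted):
            # First non-proxy address from the right: the real client.
            return hop

    # Empty header or only proxy addresses: no client address was forwarded.
    return remote_addr


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 prepended a fake entry, POP 192.0.2.10 appended the truth.
    print(client_ip("192.0.2.10", "10.0.0.1, 203.0.113.7"))
```

The leftmost-value shortcut that many frameworks default to would have returned 10.0.0.1 for the request in the usage line; with the trusted-proxy walk the injected entry is ignored. If the origin also accepts direct connections that bypass the CDN, the first branch matters: a request from an address outside your POP ranges carries a header you did not produce.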
URL signing
HTTP 403 is returned when accessing CDN-accelerated resources. How do I diagnose the cause?
Open your browser's developer tools and check the response headers for an X-Tengine-Error value. The following table lists the error messages, their causes, and how to fix them.
| Error message | Cause | Fix |
|---|---|---|
| X-Tengine-Error: denied by req auth: no url arg auth_key | URL signing is enabled, but the request URL carries no authentication parameters. | Add the authentication parameters to the request URL. See Configure URL signing. If you no longer need URL signing, disable it in the Alibaba Cloud CDN console. |
| X-Tengine-Error: denied by req auth: expired timestamp | URL signing is enabled and the authentication parameters are present, but the timestamp has expired. | Generate a new signed URL. See Configure URL signing. |
| X-Tengine-Error: denied by req auth: invalid md5hash | The MD5 hash in the authentication parameters does not match the hash the POP computes for the request. | Use the URL generator in the Alibaba Cloud CDN console to create a test URL for the same resource, then compare it with the URL produced by your own signing code to find the discrepancy (typically the URI string, field order, separators, or key). See URL signing examples. |
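To make the three failures concrete, the following added example (not Alibaba Cloud's code) signs a URL and then checks it the way the table describes, producing the same three error strings in the same order: missing auth_key, expired timestamp, then hash mismatch. It assumes the type A signing format, in which auth_key is timestamp-rand-uid-md5hash and md5hash is the MD5 of URI-timestamp-rand-uid-key, with the timestamp being the expiry time in Unix seconds; the key, URL, and clock values are constructed, and how a real POP treats a malformed auth_key (wrong number of fields) is not stated on this page, so that case is handled here by assumption.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs


def type_a_md5hash(uri, timestamp, rand, uid, key):
    """MD5 over 'URI-timestamp-rand-uid-key' (type A signing string)."""
    sstring = f"{uri}-{timestamp}-{rand}-{uid}-{key}"
    return hashlib.md5(sstring.encode("utf-8")).hexdigest()


def sign_url(url, key, expires_at, rand="0", uid="0"):
    """Append auth_key=timestamp-rand-uid-md5hash to url. expires_at is Unix seconds."""
    parts = urlsplit(url)
    md5hash = type_a_md5hash(parts.path, expires_at, rand, uid, key)
    auth_key = f"{expires_at}-{rand}-{uid}-{md5hash}"
    # Keep any existing query string; auth_key only has to be present, not first.
    sep = "&" if parts.query else ""
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{parts.query}{sep}auth_key={auth_key}"


def check_request(url, key, now):
    """Emulate the edge check. Returns (status, X-Tengine-Error value or None)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if "auth_key" not in qs:
        return 403, "denied by req auth: no url arg auth_key"

    fields = qs["auth_key"][0].split("-")
    if len(fields) != 4:
        # Assumption: a malformed auth_key is reported like a bad hash.
        return 403, "denied by req auth: invalid md5hash"
    timestamp, rand, uid, md5hash = fields

    if not timestamp.isdigit() or int(timestamp) < now:
        return 403, "denied by req auth: expired timestamp"

    # Recompute with the server-side key over the same URI and fields.
    expected = type_a_md5hash(parts.path, timestamp, rand, uid, key)
    if not hmac.compare_digest(expected, md5hash):
        return 403, "denied by req auth: invalid md5hash"
    return 200, None


if __name__ == "__main__":
    # Constructed inputs: a fixed clock so the run is reproducible.
    KEY = "example-key"
    NOW = 1700000000
    url = "https://cdn.example.com/video/demo.mp4?ver=2"
    signed = sign_url(url, KEY, NOW + 1800)
    print(signed)
    print(check_request(signed, KEY, NOW))            # valid
    print(check_request(url, KEY, NOW))               # no auth_key
    print(check_request(signed, KEY, NOW + 1801))     # expired
    print(check_request(signed, "wrong-key", NOW))    # invalid md5hash
```

When you see invalid md5hash, compare the string your code hashes against the one the console generator implies: the URI must be the path only (no scheme, host, or query), the fields must be joined with hyphens in this order, and the key must be the one configured for the domain. The hash comparison uses hmac.compare_digest so that the verifier itself does not leak timing information about how many leading characters matched.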
Can I enable URL signing and remote authentication at the same time?
Yes. When both are enabled, requests are authenticated by URL signing first, then by remote authentication.
Remote authentication
Can I use an internal IP address for my remote authentication server?
No. The authentication server must have a public IP address.
What happens if the authentication server returns a status code that is neither a pass nor a fail?
The point of presence (POP) allows the request. For example, if HTTP 200 is configured as the pass code but the server returns HTTP 201, the request goes through. This prevents legitimate requests from being blocked due to unexpected server responses.
To change this behavior, configure the Allow Other Status Codes parameter in the Alibaba Cloud CDN console.
Does CDN allow all requests if the remote authentication server times out?
No. The behavior on timeout is controlled by the Action After Timeout parameter, which you configure in the console.
