Get started with bots

ESA provides two modes, Smart Mode and Professional Mode, for different protection needs.

Note

Requests blocked by bot rules are not charged and do not consume package quotas.

Use Smart Mode

Smart Mode is a bot and crawler management feature for entry-level users. Unlike Professional Mode, which requires professional expertise to configure complex rules, Smart Mode categorizes traffic into three types by default and lets you select an action for each category. It is available on all plans, though some features have plan restrictions.

Configure global policies

  1. In the ESA console, select Websites. In the Website column, click the target site.

  2. In the navigation pane on the left, choose Security Protection > Bots.

  3. On the Bots page, select Smart Mode, configure the items as described below, and then click Configure.

    • Definite Bots: This category includes many malicious crawlers. Set the action to Block or Slider CAPTCHA.

    • Likely Bots: Lower risk than Definite Bots but may include malicious crawlers and other traffic. Set the action to Monitor, or to Slider CAPTCHA during high-risk periods.

    • Verified Bots: This category usually includes crawlers from search engines that support SEO. Set the action to Allow. To block all search engine crawlers, set the action to Block.

Protect static resources from bots

On an Enterprise plan, configure protection for static resources against malicious bots.

Important

Enabling static resource protection may block legitimate bots that periodically fetch static resources, such as email clients. Enable with caution.

Enable JavaScript detection

On an Enterprise plan, use lightweight and invisible JavaScript detection to collect browser fingerprints and improve bot detection accuracy.

Use Professional Mode

Configure protection rulesets for specific requests with separate effective periods. Professional Mode also protects mobile applications and lets you apply rulesets to other sites in your account.

  1. In the ESA console, select Websites. In the Website column, click the target site.

  2. In the navigation pane on the left, choose Security > Bots.

  3. On the Bots page, select Professional Mode, and click Create Ruleset.

  4. Enter a Rule Set Name. Set Service Type to Browsers, and set SDK Integration to Automatic Integration (Recommended).

  5. In the If requests match... section, configure a rule expression to match target requests. For example, to protect against bots from the Chinese mainland: (ip.geoip.country in {"CN"}). Supported fields are listed in available rule matching fields for Bots.

  6. Select the protection actions to add.

    • For search engine bots:

      • Whitelist: Allow specific search engine bots that you trust.

      • Fake Crawler Interception: Blocks all search engine bots. Use with Legitimate Bot Management to allow only specific bots.

    • For known bot libraries:

      • Bot Threat Intelligence Library: An Alibaba Cloud IP library of known malicious bot sources. Enable Slider CAPTCHA to counter them.

      • IDC Blacklist Blocking: If your clients do not connect from public clouds or IDCs, use Data Center Blacklist to block requests from these sources.

    • For requests that need to be identified:

      • Identify bots by request characteristics: Identifies non-browser bots by comparing their access features with those of real user browsers.

      • Identify bots by request behavior: ESA analyzes client traffic, automatically trains a machine learning model, and generates protection rules and blacklists. Configure countermeasures based on these rules and blacklists.

      • Custom throttling: If you want to allow some bot requests but prevent them from accessing your site too frequently, you can limit the request rate from a specific IP address or session. A protection action is applied to requests that exceed the specified threshold.

  7. In the Effective Time area, click Edit next to the relevant rule, set the effective period, and then click OK.

  8. After you complete the configuration, click OK.
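
The Custom throttling option in step 6 can count requests per IP address or per session, and the choice changes which clients reach the threshold. The following is an added example, not ESA code or an ESA API: a local sliding-window model replayed over constructed traffic, where the threshold (5), the window (10 s), the action label and all addresses and session IDs are assumptions.

```python
from collections import defaultdict, deque

class Throttle:
    """Sliding-window request counter keyed by client IP or by session ID."""
    def __init__(self, key_field, threshold, window_s, action):
        self.key_field = key_field   # "ip" or "session"
        self.threshold = threshold   # requests allowed per window
        self.window_s = window_s     # window length in seconds
        self.action = action         # label applied above the threshold
        self.hits = defaultdict(deque)

    def check(self, req):
        """Record one request and return the action that applies to it."""
        q = self.hits[req[self.key_field]]
        now = req["ts"]
        while q and now - q[0] >= self.window_s:   # drop hits outside the window
            q.popleft()
        q.append(now)
        return self.action if len(q) > self.threshold else "allow"

def run(requests, key_field, threshold=5, window_s=10, action="slider_captcha"):
    """Replay requests in time order; return {session: requests that got the action}."""
    throttle = Throttle(key_field, threshold, window_s, action)
    hit = defaultdict(int)
    for req in sorted(requests, key=lambda r: r["ts"]):
        if throttle.check(req) != "allow":
            hit[req["session"]] += 1
    return dict(hit)

# Constructed sample traffic (documentation IP ranges, made-up session IDs).
SAMPLE = (
    # One session behind a shared NAT address sends 8 requests in 8 seconds.
    [{"ts": i, "ip": "203.0.113.10", "session": "scraper-nat"} for i in range(8)]
    # A human user behind the same NAT address sends 2 requests.
    + [{"ts": 3.5, "ip": "203.0.113.10", "session": "human"},
       {"ts": 7.5, "ip": "203.0.113.10", "session": "human"}]
    # One session whose source IP differs on every request.
    + [{"ts": i + 0.2, "ip": f"198.51.100.{i}", "session": "scraper-rotating"}
       for i in range(8)]
)

if __name__ == "__main__":
    print("keyed by ip:     ", run(SAMPLE, "ip"))
    print("keyed by session:", run(SAMPLE, "session"))
```

In this sample, keying by IP also challenges the human who shares the NAT address and never counts the session that changes IP, while keying by session challenges both high-rate sessions and leaves the human alone.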