Problem
After you configure IP access rules in the ESA console, the rules do not take effect. IP addresses on the blacklist can still access resources.
Cause
This issue typically occurs for two reasons:
Incorrect IP address: The IP address or CIDR block in the access rule is incorrect.
Intermediate proxies: Your traffic passes through an intermediate proxy (such as another CDN or a load balancer) before reaching ESA. In this case, the IP address retrieved by ESA is the proxy's IP, not the originating client's IP.
Solution
Verify that the IP address configured in your access rule is correct. If the cause is an intermediate proxy, add the IP addresses in the X-Forwarded-For (XFF) header to your blacklists. For more information about how to obtain the XFF IP address, see Retrieve the originating IP addresses of clients.
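The following is an added example, not ESA code, that checks both causes offline: it validates the rule entries and then tests each request's connecting IP and XFF addresses against them. The function names, result labels, and sample data are assumptions constructed for illustration.

```python
import ipaddress

def parse_blacklist(entries):
    """Return (networks, invalid_entries) for the rule's IP/CIDR entries."""
    nets, invalid = [], []
    for entry in entries:
        try:
            # strict=True rejects CIDR blocks with host bits set (203.0.113.5/24),
            # a common typo for 203.0.113.0/24 or 203.0.113.5/32.
            nets.append(ipaddress.ip_network(entry.strip(), strict=True))
        except ValueError:
            invalid.append(entry)
    return nets, invalid

def xff_addresses(header):
    """Parse an X-Forwarded-For value, skipping tokens that are not IPs."""
    found = []
    for token in (header or "").split(","):
        try:
            found.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            continue
    return found

def diagnose(connecting_ip, xff_header, nets):
    """Classify one request against the parsed blacklist."""
    def listed(ip):
        return any(ip in net for net in nets)
    if listed(ipaddress.ip_address(connecting_ip)):
        return "matched"
    hits = [str(ip) for ip in xff_addresses(xff_header) if listed(ip)]
    if hits:
        return "proxy-masked:" + ",".join(hits)
    return "not-listed"

# Constructed sample data (documentation address ranges, not real traffic).
RULE_ENTRIES = ["198.51.100.7", "192.0.2.0/24", "203.0.113.5/24"]
REQUESTS = [
    ("198.51.100.7", ""),                        # direct client on the list
    ("100.64.0.10", "192.0.2.44, 100.64.0.10"),  # arrives via a proxy
    ("203.0.113.9", ""),                         # meant to be covered by the bad CIDR
]

if __name__ == "__main__":
    nets, invalid = parse_blacklist(RULE_ENTRIES)
    print("invalid entries:", invalid)
    for peer, xff in REQUESTS:
        print(peer, "->", diagnose(peer, xff, nets))
```

XFF values are supplied by the client and by upstream proxies, so confirm a "proxy-masked" hit against the proxy you actually operate before relying on it.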
When ESA blocks a request based on an IP access rule, it does not prevent the client from sending the request. Instead, ESA responds with a 403 Forbidden error code for requests from any blacklisted IP address. The blocking events are recorded in the standard logs.
Traffic fees are incurred when an error code 403 is returned. Since the requested resource is not delivered, only a small amount of traffic for the 403 response header is generated, resulting in a low cost. For more information, see Basic subscription fees.