Origin Protection


Add the list of ESA node IP addresses to the firewall rules of your origin server. This protects your origin server by allowing only requests or traffic from the IP addresses in the allowlist to access it.

Feature overview

To protect your origin server from malicious attacks or unauthorized access, you can configure an IP address whitelist in your firewall rules so that only specified IP addresses, such as the IP addresses of ESA POPs, can reach the server. This is what Origin Protection provides.

After you enable the Origin Protection feature, ESA provides a consolidated list of POP IP addresses (including IPv4 and IPv6). You must add these IP addresses to the IP address whitelist on your origin server to enable Origin Protection.

Usage notes

  • The IP list provided by Origin Protection consists of converged node IPs, whereas fetch() calls from Function and Pages actually originate from pre-convergence node IPs. If the website called by fetch() does not have Origin Protection enabled, the IP addresses from which the fetch() call actually pulls from the origin are not in this list of converged node IPs.

  • ESA is now integrated with Cloud Firewall. If all your origin servers are on Alibaba Cloud and you use Cloud Firewall, you must enable Origin Protection and then turn on the Auto-apply Latest Origin Fetch IP List switch. This ensures that Cloud Firewall automatically updates the origin-fetch IP information.

Enable Origin Protection

  1. In the ESA console, select Websites. In the Website column, click the target website.

  2. In the left-side navigation pane, choose Security > Origin Protection.

  3. On the Origin Protection page, click Configure.


  4. Turn on the Status switch. In the dialog box that appears, select I understand the risks and click OK.


  5. Click OK. After Origin Protection is enabled, the system displays the consolidated origin-fetch IP list for ESA. Click the copy icon to copy the IP addresses.


  6. Manually add all IP address ranges from the list to your origin server's IP address whitelist. If your origin server is an Alibaba Cloud ECS instance, see How do I add the origin-fetch IP list to an ECS instance? (the ECS IP list setup section below) to configure an inbound security group rule that allows access only from the whitelisted IP addresses.

    Important

    If you stop using the ESA service, you must manually remove these rules from your origin server's firewall to prevent access disruptions.

Update the origin-fetch IP list

When the ESA POP IP addresses change, ESA notifies you by internal message or email. You must update your origin server's firewall or security group rules to ensure that ESA POPs can continue to access your origin server.

  1. In the ESA console, select Websites. In the Website column, click the target website.

  2. In the left-side navigation pane, choose Security > Origin Protection.

  3. In the Origin Protection section, add all IP address ranges shown under IP Addresses to your origin server's whitelist, and then click Review.


  4. In the Review Latest IP List panel, click I Have Applied and Confirm to Enable the Latest IP List. In the dialog box that appears, click OK.

    Note

    The new IP list takes effect only after you confirm it. Until then, your service continues to use the previously confirmed IP list. To ensure service performance and quality, regularly update your origin server's whitelist with the latest ESA IP list.

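The update workflow above, and the per-family ECS prefix lists with a Max entries limit described in the ECS IP list setup FAQ, both come down to the same bookkeeping: parse the list from the console, split it by address family, and work out which ranges to add or remove. The following added example (not part of this documentation or of ESA) does that with Python's standard ipaddress module; the IP ranges in it are constructed sample values, not real ESA node IPs.

```python
import ipaddress

# Constructed sample lists (NOT real ESA node IPs). In practice, paste the
# list shown on the Origin Protection page of the ESA console.
PREVIOUS_LIST = """
203.0.113.0/24
198.51.100.0/25
2001:db8:1::/48
"""
LATEST_LIST = """
203.0.113.0/24
198.51.100.0/24
192.0.2.0/24
2001:db8:1::/48
2001:db8:2::/48
"""

# "Max entries" value used for the ECS prefix lists in this document.
PREFIX_LIST_MAX_ENTRIES = 200


def parse_ip_list(text):
    """Parse a newline- or comma-separated CIDR list into a set of networks.

    strict=True rejects host bits set inside a prefix (e.g. 203.0.113.1/24),
    so a copy-paste error fails loudly instead of becoming a broken rule.
    """
    return {ipaddress.ip_network(tok, strict=True)
            for tok in text.replace(",", " ").split()}


def split_by_family(nets):
    """Return (ipv4, ipv6) lists, one per ECS prefix list, and enforce the cap."""
    v4 = sorted(n for n in nets if n.version == 4)
    v6 = sorted(n for n in nets if n.version == 6)
    for family in (v4, v6):
        if len(family) > PREFIX_LIST_MAX_ENTRIES:
            raise ValueError("list exceeds the prefix list Max entries value")
    return v4, v6


def diff_lists(previous, latest):
    """Ranges to add and ranges to remove when ESA announces a new IP list."""
    prev, new = parse_ip_list(previous), parse_ip_list(latest)
    key = lambda n: (n.version, n)  # IPv4 and IPv6 networks are not directly comparable
    return sorted(new - prev, key=key), sorted(prev - new, key=key)


def is_allowed(source_ip, nets):
    """True if a request source address falls inside the allowlist."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in n for n in nets if n.version == addr.version)
```

Running diff_lists() on the old and new console lists tells you exactly which entries to add to or delete from the prefix lists before you click Review; is_allowed() lets you audit origin access-log source addresses for requests that bypassed ESA.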

Disable Origin Protection

To prevent service interruptions, first remove the IP address whitelist from your origin server's firewall, and then disable Origin Protection.

  1. In the ESA console, select Websites. In the Website column, click the target website.

  2. In the left-side navigation pane, choose Security > Origin Protection.

  3. Click Configure and turn off the Status switch. In the dialog box that appears, select I understand the risks and click OK.


  4. In the Origin Protection section, click OK. The status changes to Disabled.

Plan availability

Feature category: Origin protection

  • Free (CNY 0/month): Not supported

  • Basic (CNY 9.9/month): Supported

  • Standard (CNY 375/month): Supported

  • Advanced (CNY 3600/month): Supported

  • Enterprise (Contact sales for custom pricing): Supported

FAQ

Configuration prerequisites

Origin Protection requires a caching architecture with at least two tiers. You cannot enable Origin Protection if your Tiered Cache policy is set to Edge Tiered Cache. To change this, hover over the Configure button and click Modify in the tooltip to navigate to the Tiered Cache configuration page.


On the Tiered Cache page, click Configure, select a suitable tiered caching architecture, and then you can enable Origin Protection.


ECS IP list setup

A security group for an ECS instance is a virtual firewall that controls inbound and outbound traffic for the instance. To quickly configure Origin Protection, add the origin-fetch IP list provided by ESA to the inbound rules of a security group.

  1. Go to the ECS console - Prefix lists page. Alternatively, in the ECS console, hover over Network & Security in the navigation pane and click Prefix lists.

  2. Switch to the region where your origin server instance is located, for example, `China (Hangzhou)`.


  3. Click Create prefix list to create a prefix list for IPv4 addresses:

    • Prefix list name: Enter a name for the list, such as `list-esa-ipv4`.

    • Address family: Select IPv4.

    • Max entries: Enter 200.

    • Prefix list entries: Click Add Entry. In the CIDR block column, paste the IPv4 list you obtained when you enabled Origin Protection, and then click OK.

  4. Click Create prefix list to create a prefix list for IPv6 addresses:

    • Prefix list name: Enter a name for the list, such as `list-esa-ipv6`.

    • Address family: Select IPv6.

    • Max entries: Enter 200.

    • Prefix list entries: Click Add Entry. In the CIDR block column, paste the IPv6 list you obtained when you enabled Origin Protection, and then click OK.

  5. Go to the ECS console - Security groups page. Click Create security group. In the Rules section, click Add rule and configure the parameters as described below:

    • Keep the default values for Traffic direction, Authorization policy, Priority, and Version.

    • For Source, select Prefix list and then select the IPv4 and IPv6 prefix lists that you created.

    • For Destination port (this instance), select the ports used by your service, such as `HTTP(80) and HTTPS(443)`.


  6. After you configure the rule, enter a Security group name, such as `sg-esa-ip`. For Network, select the same VPC as your origin server. In the Rules section, delete all other default inbound rules, keeping only the prefix list rule you just added. Then, click Confirm creation.

  7. Go to ECS console - Instances.

  8. In the instance list, click the ID of the instance for which you want to configure Origin Protection. Go to the Security groups tab and click Change security groups.

  9. On the Change security groups page, select only the security group that you just created, and then click OK.

fetch() call failures

Symptom: The example.com website does not have Origin Protection enabled (because its plan does not support the feature or the website is not added to ESA), but the IP allowlist of its origin server contains only the ESA Origin Protection IP list. In this case, calls to example.com made with the fetch() function from ESA's Function and Pages may fail, because those calls originate from IP addresses that are not in the list.

Solution:

  • If the example.com website is added to ESA, you can enable the Origin Protection feature.

  • If the example.com website is not added to ESA, add the website to ESA, or modify the IP whitelist of the origin server.