
Security Protection-related Queries

Last updated: 2025-08-25 16:58:44

What Security Features Does EdgeOne Have?

EdgeOne provides reverse proxy and protocol-specific security protection for Web application services and TCP/UDP application services.
Access Service Type
(L7 CC Attack Protection)
L4 Proxy (TCP/UDP Application Service)
1
-
-
-
L7 Zone(Web Application Service)
1
2
Note:
Note 1: Default platform-level protection is provided. If you have specific protection capacity requirements, please use Exclusive DDoS Protection Usage.
Note 2: A Bot Management subscription is required; see Billing Overview (New Version).

I've already configured a Web Application Firewall (WAF) on my origin server. Do I need to use EdgeOne security protection?

EdgeOne aims to provide integrated acceleration and security capabilities. Therefore, when you connect your application and services to EdgeOne, EdgeOne starts providing protection services. In addition to the protection already in place on your origin server, EdgeOne offers:
Distributed Security Protection: Provides protection resources distributed in multiple independent cleansing centers worldwide, offering efficient redundancy and disaster recovery through a distributed access architecture.
WAF and Web Site Protection: Provides application security protection features such as vulnerability attack detection, rate limiting, and Bot management (see Note 3).
Protection Capability for Cached Resources: Can also inspect requests that access cached resources. Usage intercepted by EdgeOne security policies is not billed, reducing unnecessary content delivery costs.
Identification of Threats Closest to the Client: Generally, an access request is directly initiated by a client. EdgeOne can collect and analyze L4 connection session characteristics and TLS fingerprint characteristics of the client, which are used together with policies to identify malicious access.
Compatibility with Your Origin Server Security Policies: Supports marking of origin-pull requests (see Note 3), allowing further analysis of requests at the origin server.
Note:
Note 3: You need to subscribe to and enable Bot Management. Bot Management includes identification headers in origin-pull requests to assist in further analysis.

Does EdgeOne Support IP Blocklists/Allowlists?

If you need to configure an IP blocklist (i.e., block specified client IPs), you can configure the Basic Access Control in Custom Rules, select Client IP Control, configure the list of IPs to be blocked, and choose the blocking method.

If you need to configure an IP allowlist (i.e., allow specified client IPs), you can use Exception Rules, select the Client IP matching condition, and choose the security modules to be skipped.
Note:
The application scenarios for an IP allowlist may vary:
(1) Allow specified client IPs to pass. In this scenario, configure Exception Rules to skip specified security modules.
(2) Only allow specified client IPs to access. In this scenario, configure Basic Access Control rules in Custom Rules to block client IPs not in the specified list.

How to configure region blocking? How to block access from regions outside the Chinese mainland?

You can use Basic Access Control in Custom Rules, select Regional Control, configure the list of client regions to be blocked, and choose the blocking method. If you need to block access from regions outside the Chinese mainland, select Region Mismatch as the condition, set the match content to the Chinese mainland region, and choose the blocking method.

How to configure Hotlink Protection? How to allow access only from this domain and specified domains?

Hotlink protection is mainly used to prevent static resources from being loaded by external website pages.

Common Hotlink Protection Techniques

The basic hotlink protection policy uses the Referer header to judge whether a request comes from a page load. It intercepts requests for resources referenced by external sites and requests that do not originate from a page load (for example, accessing a static resource directly by entering its URL in the browser). You can use Basic Access Control in Custom Rules to block requests whose Referer header is not in the specified domain list.


Further Validation of Data Access Security

Checking HTTP header fields addresses common hotlinking scenarios, but a malicious client can still construct legitimate-looking HTTP requests to obtain site resources. To further improve the security of resource access, you can dynamically generate URLs with time-sensitive random signatures. Before providing access to a resource, verify that the signature is legitimate and still valid to determine whether the request has permission to access it. EdgeOne's Rule Engine offers Token Authentication options, which assist in generating signed URLs and provide a signature verification mechanism. You can also use Edge Functions to implement custom dynamic access authentication.
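
The two checks described in this section, as an added example (not EdgeOne code, and not the URL format used by EdgeOne's Token Authentication): an exact-host Referer allowlist and an HMAC-signed URL with an expiry time. The `expires` and `sig` parameter names, the secret, and the `site.example` host are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const BASE = 'https://site.example';        // placeholder origin, used only to parse relative URLs
const SECRET = 'constructed-demo-secret';   // constructed value; a real key comes from a secret store

// Basic policy: the Referer must parse as a URL whose host is on the allowlist.
// Exact host comparison avoids substring mistakes such as "site.example.other.test".
function refererAllowed(referer, allowedHosts) {
  if (!referer) return false;               // direct access without a Referer is blocked
  try {
    return allowedHosts.includes(new URL(referer).hostname.toLowerCase());
  } catch {
    return false;                           // header is not a parseable URL
  }
}

// HMAC over path and expiry, so neither can be altered without invalidating the signature.
function sign(pathname, expires, secret) {
  return crypto.createHmac('sha256', secret).update(`${pathname}\n${expires}`).digest('hex');
}

// Issue a URL that is valid for ttlSeconds starting at nowSeconds (Unix time).
function signUrl(path, ttlSeconds, nowSeconds, secret = SECRET) {
  const pathname = new URL(path, BASE).pathname;  // normalise the same way the verifier does
  const expires = nowSeconds + ttlSeconds;
  return `${pathname}?expires=${expires}&sig=${sign(pathname, expires, secret)}`;
}

// Returns 'valid', 'expired', 'bad-signature' or 'malformed'.
function verifyUrl(url, nowSeconds, secret = SECRET) {
  const u = new URL(url, BASE);
  const expires = u.searchParams.get('expires') || '';
  const sig = u.searchParams.get('sig') || '';
  if (!/^\d{1,12}$/.test(expires) || !/^[0-9a-f]{64}$/.test(sig)) return 'malformed';
  const expected = Buffer.from(sign(u.pathname, expires, secret), 'hex');
  // Constant-time comparison; both buffers are 32 bytes after the format check above.
  if (!crypto.timingSafeEqual(expected, Buffer.from(sig, 'hex'))) return 'bad-signature';
  return nowSeconds <= Number(expires) ? 'valid' : 'expired';
}
```

The signature is checked before the expiry, so a request with a forged signature is rejected the same way whether or not its `expires` value is in the future.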

What is "Monitor," and does the "Monitor" action involve interception?

The "Monitor" action only logs information and does not intercept requests. This is helpful for evaluating policies, as rules set to "Monitor" won't impact your business. By checking the logs, you can assess the impact on normal business and see how the rule matches malicious requests, which helps determine whether to enable interception. See Actions for more details.

What is "JavaScript Challenge," and what impact does the "JavaScript Challenge" action have on business?

The "JavaScript Challenge" action responds with a page that verifies whether the requesting client supports cookies and a JavaScript runtime environment. Browsers that meet the verification conditions can proceed with access, while other tools (for example, cURL) will be intercepted. This method helps identify some non-browser tools. For more details, refer to Actions.
Note:
1. Most APIs cannot handle JavaScript responses, so they will be blocked by the "JavaScript Challenge" action.
2. Native app and mini program requests are also API requests and cannot handle JavaScript responses, so they will be blocked by the "JavaScript Challenge" action. For compatibility with the JavaScript Challenge, clients can use a web-view or H5 framework to pass the JavaScript Challenge before accessing APIs, so that API requests are not blocked by the "JavaScript Challenge".

Can the Origin Server Be Accessed Through All Ports Opened by EdgeOne?

By default, the ports opened by EdgeOne do not by themselves provide access to your site's services. EdgeOne parses each access request against the protocol and port configuration of the accessed site, decides whether to handle requests on the specified port, and then responds by blocking the request or pulling from the origin according to the security and acceleration configuration.
If no port is enabled or no access protocol is configured for your business, the domain name resource or origin server of the business cannot be accessed from a client through that port or protocol:
For site domain names that have not completed the access process, the domain name business cannot be accessed from EdgeOne through protocols such as HTTP, HTTP/2, and QUIC.
If HTTPS, HTTP/2, and QUIC services or corresponding certificates are not enabled or configured, the corresponding domain name resource or origin server cannot be accessed from a client through HTTPS, HTTP/2, and QUIC protocols.
If no L4 proxy forwarding rule is configured for a specified port, the corresponding port business of the origin server cannot be accessed through the port.
Note:
After domain name service is accessed, EdgeOne by default supports accessing HTTP services of sites through specified ports. For details, see Domain Service FAQs.
