Edge Server Control with EdgeRules

You can create 100% custom EdgeRules or use and modify the other recipes shown here. You can use the following options which are laid out in a simple user friendly format:

• Match type: e.g. Exact, Literal (and many more)
• Match location: The URI
• Match location case sensitive: yes or no
• Directive: e.g. Status code, Ignore query string, Deny (many more plus custom directives)
• Directive value
• Optional conditional: $variable and Relational operator (and value)
• Multiple sets of directives and conditionals (points 4-6)
• Rule priority
• Purge cache: yes or no
• Realtime activation or save and finish later

Some applications add this header to all HTTP responses and it often contains the application name and version which can be a security risk. This recipe allows you to hide it.

Match Type Default
Features HIDE HEADER X-Powered-By

Amazon S3 by default adds lots of useless to the user HTTP headers. You can remove them to minimize the transferred data.

Match Type Default
Features HIDE HEADER x-amz-id-2
HIDE HEADER x-amz-meta-s3fox-filesize
HIDE HEADER x-amz-meta-s3fox-modifiedtime
HIDE HEADER x-amz-request-id

X-XSS-Protection is a HTTP header understood by Internet Explorer 8 (and newer versions). This header lets domains toggle on and off the “XSS Filter” of IE8, which prevents some categories of XSS attacks.

Match Type Default
Features ADD HEADER X-XSS-Protection "1; mode=block"

This will allow the customer to block certain Countries. In this example we will return a 403 when a visitor is coming from China (CN).

Match Type Default
Features if ( $geoip_city_country_code = CN ) {
    STATUS CODE 403
}

To improve your SEO scores you can redirect all bots that hit the CDN to your origin.

Match Type Exact
Features if ( $http_user_agent ~* ~(crawl|Googlebot|Slurp|spider| bingbot|tracker|click|parser|spider) ) {
    REWRITE RULE ^ http://static.origin.com$request_uri permanent
}

You can use this recipe to disallow bots to index different parts of your website. A flexible alternative to robots.txt file.

Match Type Regex
Location \.(?:pdf|htm?l|png|jpe?g|gif)$
Features ADD HEADER X-Robots-Tag "noindex"
ADD HEADER X-Robots-Tag "googlebot: nofollow"

Cross-Origin resource sharing allows other websites to request content from your domain using JavaScript or CSS. Required for web fonts to work.

Match Type Regex
Location \.(ttf|ttc|otf|eot|woff|font.css|css)$
Features ADD HEADER Access-Control-Allow-Origin "*"

This recipe allows you to hide the Server header from all HTTP responses.

Match Type Default
Features HIDE HEADER Server

Forces the use of HTTPS connections. All HTTP requests will be redirected to HTTPS.

Match Type Default Location /example.html
Features if ( $scheme = http ) {
    REWRITE RULE ^ https://$http_host$request_uri permanent
}

This header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>

Match Type Default
Features ADD HEADER X-Frame-Options SAMEORIGIN
ADD HEADER X-Frame-Options DENY
ADD HEADER X-Frame-Options "ALLOW-FROM $uri"

You can redirect all users that come from a specific website. This rule can be used to ban websites that steal bandwidth or show different content from visitors from other websites.

Match Type Exact
Location /example.html
Features if ( $http_referer ~ http://domain.com ) {
    REWRITE RULE ^ https://example.com/banned.html permanent
}

This will allow the customer to redirect certain Countries. In this example we will redirect users from the United States and United Kingdom to an English version of the website they are visiting.

Match Type Default
Features if ( $geoip_city_country_code ~* (US|UK) ) {
    REWRITE RULE ^ https://english.$http_host$request_uri$1 permanent
}

Allows you to specify the original domain that should be attributed with the SEO score instead of the CDN accelerated one.

Match Type Regex
Location \.(?:pdf|htm?l|png|jpe?g|gif)$
Features ADD HEADER