What matches and behaviors are supported?

Several match criteria ("matches") and behaviors are supported for use in a policy rule.

Matches

Click the "Name" entry for a match to access the ACE API documentation to review requirements and access a schema example.

Requirements and schema example Description
client-ip Include this to match using the IP address assigned to the requesting client. You can specify individual IP addresses, or CIDR blocks (that express a range of addresses).
cookie Include this match to define specific cookie names for use when matching on an incoming request.
geography Use this match to test the requesting client's location, either by continent, country, region, or designated market area (DMA). Each subcustomer policy can include up to ten geography matches.
header Associated behaviors are applied if a header or header value you specify in this match criteria are included with a request.
host-name Include this to match on hostnames listed in the incoming request's Host header.
http-method Include this to match on a set of HTTP methods.
url-extension Include this to match on the extension in the incoming request. This match criteria has no effect on URL paths that do not include a file extension.
url-filename Include this to match on the extension in the incoming request. This match criteria has no effect on URL paths that do not include a file extension.
url-path Include this to match on the first path component in the incoming request. The first path component is the section directly after the base URL.
url-querystring Include this to match on the protocol or scheme (HTTP or HTTPS) of an incoming request.
url-scheme Include this to match on a combination of query string parameters and their values.
url-wildcard Include this to use wildcards when matching on the incoming request path, minus any query strings. This match type only supports the * wildcard.

Behaviors

Click the "Name" entry for a behavior to access the ACE API documentation to review requirements and usage, and access a schema example.

Name Description
access-control Include this to deny client requests based on the selected match conditions.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Access Control set to "On" in the Subcustomer Enablement behavior.
cachekey-query-args Include this to specify how to handle query-string arguments in incoming requests.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Cache Key Query Arguments set to "On" in the Subcustomer Enablement behavior.
caching Include this to provide time-to-live (TTL) cache settings for subcustomers.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Caching set to "On" in the Subcustomer Enablement behavior.
content-char-dynamic-web If you're using Integrated Cloud Acceleration, this uses SureRoute to optimize the forward path to the origin server. It controls embedded object prefetching, and situational image compression.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Dynamic Web Content set to "On" in the Subcustomer Enablement behavior. (By default, this is set to "Off.")
content-char-large-file Include this to optimize the delivery of large file downloads of up to 1.8 GB. This behavior uses partial object caching with pre-fetched object data. As a best practice, only use this behavior if you serve large files. Otherwise, the Akamai platform may send additional requests to your origin. When using Large File Optimization, if an object doesn't meet the minimum size criterion of 10 MB, the platform requests the entire object from the origin.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Large File Delivery set to "On" in the Subcustomer Enablement behavior. (By default, this is set to "Off.")
content-char-streaming Include this to optimize cache and network timeout conditions for on-demand video content. The Akamai platform examines the URI file extension and path for the media format then automatically optimizes: cache efficiency, time-to-live, automated failover, downstream Content-Type headers, and network timeout settings.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Streaming Video On-demand Delivery set to "On" in the Subcustomer Enablement behavior. (By default, this is set to "Off.")
content-compression Include this in your policy to provide compression settings. You can enable gzip compression, decompress objects before delivering them to the client, or maintain the origin's compression settings.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Content Compressor set to "On" in the Subcustomer Enablement behavior.
content-refresh Include this to invalidate CDN cache at an explicit date and time. This behavior uses epoch time to denote when a request should receive a new copy of the object or a revalidated one.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Content Refresh set to "On" in the Subcustomer Enablement behavior.
downstream-caching Include this to control downstream caching of alternate content. Only use this behavior if site failover is enabled for the alternate hostname property. If you do not include this behavior, the subcustomer policy uses the downstream caching settings specified in the alternate hostname property. To enable site failover, use the Subcustomer Enablement behavior in Property Manager.
geo-blacklist nclude this to block access to content based on the continent, country, region/state, or designated marketing area (DMA) of the requesting IP address. All other geographic areas are allowed.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Geo Allow/Block set to "On" in the Subcustomer Enablement behavior.
geo-whitelist Include this to allow access to content based on the continent, country, region/state, or designated marketing area (DMA) of the requesting IP address. All other geographic areas are denied.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Geo Allow/Block set to "On" in the Subcustomer Enablement behavior.
ip-blacklist Include this to block access based on the requesting IP address. All specified IP addresses are blocked.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have IP Allow/Block set to "On" in the Subcustomer Enablement behavior.
ip-whitelist Include this to allow access based on the requesting IP address. Only the IP addresses listed are allowed access.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have IP Allow/Block set to "On" in the Subcustomer Enablement behavior.
modify-outgoing-request-header Include this to modify the outgoing request headers sent from Akamai to an origin. This also works on request headers sent from a client if the request is sent back to the origin, but not a cache hit.
modify-outgoing-request-path Include this to provide options for altering the request URL before it is sent to origin.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Modify Forward Path set to "On" in the Subcustomer Enablement behavior.
modify-outgoing-response-header Include this to modify the outgoing response headers sent from the Edge server back to the client.
origin Inlcude this to provide origin settings for the specific subcustomer. You need to include the origin DNS hostname, forward host header, and cache key. Optional settings include the origin base path and ports.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Origin set to "On" in the Subcustomer Enablement behavior.
origin-characteristics Include this if you have Integrated Cloud Acceleration (ICA), to select the type of origin supporting your ACE implementation. Use the origin behavior to configure origin settings for subcustomers at the policy level.
origin-failover This feature identifies primary origin connection failures based on a type you specify and marks that origin as “bad” after connections to all its IPs fail repeatedly. Rather than issuing a redirect to the end user, requests are failed over to a backup origin you call out. This improves response times, because the end user doesn’t have to wait several seconds for a connect-timeout on the forward request. Additionally, you specify a duration of time the primary origin is marked as bad. During this time, all requests are failed over to your backup origin. This relieves pressure on the primary by reducing the number of connection attempts, at a time when it appears to be having difficulties.
referer-blacklist Include this to block access based on the Referer request header. This behavior helps verify that the client is a browser that supports RFC 2616, section 14.36, and that the referring HTML page is served from a domain trusted by the content owner.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Referrer Allow/Block set to "On" in the Subcustomer Enablement behavior.
referer-whitelist Include this to allow access based on the Referer request header. This behavior helps verify that the client is a browser that supports RFC 2616, section 14.36, and that the referring HTML page is served from a domain trusted by the content owner.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Referrer Allow/Block set to "On" in the Subcustomer Enablement behavior.
site-failover Include this to define the alternate hostname and path to use when the Edge server can't contact the origin server.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Site Failover set to "On" in the Subcustomer Enablement behavior.
token-auth Include this to use tokens to control access to content. You can choose to transmit the token in a cookie, header, or query parameter.
Note: To set this in a policy, the base configuration a subcustomer is assigned to must have Token Authentication set to "On" in the Subcustomer Enablement behavior.
url-redirect Include this behavior to configure redirect responses for specific client requests, and stop them from contacting the origin.