A conflict that results in an undefined behavior

In this example, we show how setting up conflicting behaviors can result in an "undefined behavior," and offer a suggestion to avoid this.

In this incorrect rule, the following apply:

  • Match Criteria: The URI extension must be “jpg,” “gif,” or “png” and the request method must be GET.
  • Behaviors: Both an IP whitelist, including a single IP, and an IP blacklist, also including a single IP, are defined as behaviors. The IP whitelist takes precedence, and all IPs except 198.18.48.212 are denied access to these objects. Since 198.18.48.214 is outside the whitelist, it is already denied. So, the IP blacklist is unnecessary, making it an "undefined behavior."

{
    "rules" : [
        {
            "matches" : [
                {
                    "name" : "url-extension",
                    "value" : "jpg gif png"
                },
                {
                    "name" : "http-method",
                    "value" : "GET"
                }
            ],
            "behaviors" : [
                {
                    "name" : "ip-whitelist",
                    "value" : "198.18.48.211 198.18.48.212"
                },
                {
                    "name" : "ip-blacklist",
                    "value" : "198.18.48.213 198.18.48.214"
                }
            ]
        }
    ]
}

So, what should I do to fix this?

A more practical use case might be the following: match on URI extension “jpg,” “gif,” or “png” and request method GET, and apply a geographic restriction, with an IP whitelist that allows otherwise blocked clients to access the content. The following example denies all clients inside the United States, except IPs 198.18.48.211 and 198.18.48.212, which have been explicitly granted access to these objects.

{
    "rules" : [
        {
            "matches" : [
                {
                    "name" : "url-extension",
                    "value" : "jpg gif png"
                },
                {
                    "name" : "http-method",
                    "value" : "GET"
                }
            ],
            "behaviors" : [
                {
                    "name" : "geo-blacklist",
                    "type" : "country",
                    "value" : "US"
                },
                {
                    "name" : "ip-whitelist",
                    "value" : "198.18.48.211 198.18.48.212"
                }
            ]
        }
    ]
}
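
A way to catch this conflict before a rule set is deployed, as an added example that is not part of the original page or of the product: a small check that flags any rule combining ip-whitelist and ip-blacklist. The function names are hypothetical, the two sample configurations are constructed from the behaviors shown above, and values are assumed to be space-separated single addresses as on this page.

```python
import ipaddress
import json

# Constructed sample input: the behaviors of the two rules shown on this page.
CONFLICTING = json.loads('''{"rules": [{"behaviors": [
  {"name": "ip-whitelist", "value": "198.18.48.211 198.18.48.212"},
  {"name": "ip-blacklist", "value": "198.18.48.213 198.18.48.214"}]}]}''')
CORRECTED = json.loads('''{"rules": [{"behaviors": [
  {"name": "geo-blacklist", "type": "country", "value": "US"},
  {"name": "ip-whitelist", "value": "198.18.48.211 198.18.48.212"}]}]}''')


def _addresses(behaviors, name):
    """Return the set of IPs listed by every behavior called `name`."""
    found = set()
    for behavior in behaviors:
        if behavior.get("name") == name:
            values = behavior.get("value", "").split()
            found.update(ipaddress.ip_address(ip) for ip in values)
    return found


def find_conflicts(config):
    """Return (rule_index, message) for each rule mixing both IP lists."""
    findings = []
    for index, rule in enumerate(config.get("rules", [])):
        behaviors = rule.get("behaviors", [])
        allowed = _addresses(behaviors, "ip-whitelist")
        denied = _addresses(behaviors, "ip-blacklist")
        if not (allowed and denied):
            continue  # only one kind of IP list: nothing to conflict with
        both = sorted(str(ip) for ip in allowed & denied)
        if both:
            findings.append(
                (index, "listed as allowed and denied: " + " ".join(both)))
        # The whitelist takes precedence, so these are denied without the blacklist.
        redundant = sorted(str(ip) for ip in denied - allowed)
        if redundant:
            findings.append(
                (index, "ip-blacklist entries already denied by ip-whitelist: "
                 + " ".join(redundant)))
    return findings


if __name__ == "__main__":
    for label, config in (("conflicting", CONFLICTING), ("corrected", CORRECTED)):
        print(label, find_conflicts(config) or "no conflicts")
```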