How to Use Edge One CDN IP Ranges with SafeLine WAF

1. Background

When deploying SafeLine WAF in front of your applications, one common challenge is identifying real client IP addresses when your site is behind a CDN (Content Delivery Network).

By default, requests reaching your server may appear to come from the CDN’s edge nodes instead of the actual visitors. This makes it difficult to apply precise security policies such as rate limiting, IP blacklisting/allowlisting, and accurate traffic analysis.

To solve this, SafeLine provides the ability to configure a trusted IP library. For websites using Edge One CDN, you can import the full list of Edge One edge node IP ranges into SafeLine, ensuring that the WAF correctly recognizes and extracts the true client IP.

2. About the Edge One IP Library

The Edge One IP library contains the full set of edge node IP ranges officially used by Edge One CDN.

In SafeLine, these IPs should be configured as allowlist entries, so that traffic from these nodes is trusted and processed correctly. Once set up, SafeLine can accurately retrieve the real client IP from the appropriate HTTP headers (such as X-Forwarded-For) instead of misidentifying the CDN IP as the visitor.

Example Rule in SafeLine:

• Type: Allowlist
• Name: Edge One CDN Nodes
• Condition: Source IP belongs to the following ranges
• Version: 7.3.0 and later

The list includes dozens of IP segments, for example:

1.71.146.0/23 101.33.0.0/19 101.33.195.0/24 101.71.100.0/23 101.71.105.0/24 111.20.28.0/23 111.20.30.0/24 111.31.238.0/24 111.32.204.0/23 111.6.217.0/24 111.6.218.0/24 112.13.210.0/24 112.49.30.0/23 112.49.69.0/24 112.84.131.0/24 112.90.154.0/24 113.194.51.0/24 113.200.123.0/24 113.201.154.0/24 113.219.202.0/23 113.219.228.0/22 113.240.66.0/24 113.240.91.0/24 113.240.96.0/24 113.99.138.0/24 114.66.246.0/23 114.66.250.0/24 115.150.39.0/24 116.153.74.0/24 116.153.80.0/21 116.162.122.0/24 116.162.123.0/24 116.162.152.0/23 116.163.46.0/24 116.169.184.0/24 117.147.229.0/24 117.147.230.0/24 117.147.231.0/24 117.162.48.0/21 117.162.56.0/21 117.163.50.0/24 117.163.59.0/24 117.21.29.0/24 117.40.80.0/21 117.44.72.0/21 117.85.64.0/22 119.91.175.0/24 120.226.144.0/24 120.226.145.0/24 120.226.27.0/24 120.232.126.0/24 120.232.149.0/24 120.232.158.0/24 120.232.97.0/24 120.233.43.0/24 120.233.97.0/24 120.240.100.0/24 120.240.94.0/24 122.192.132.0/24 122.246.0.0/24 122.246.30.0/23 123.125.3.0/24 123.138.25.0/24 123.182.162.0/24 124.72.128.0/24 125.39.1.0/24 125.94.246.0/23 125.94.248.0/23 129.227.213.0/24 14.116.245.0/24 150.109.190.0/24 150.109.191.0/24 150.109.192.0/24 150.109.222.0/24 150.109.223.0/24 150.109.88.0/22 156.227.203.0/24 156.229.29.0/24 157.148.124.0/24 157.148.125.0/24 163.177.43.0/24 180.213.52.0/24 183.131.59.0/24 183.201.109.0/24 183.201.110.0/24 183.214.154.0/24 183.56.148.0/24 183.61.174.0/24 203.205.136.0/22 203.205.191.0/24 203.205.220.0/24 203.205.221.0/24 211.152.132.0/24 211.152.148.0/24 211.152.154.0/24 211.97.84.0/24 218.87.12.0/24 219.144.88.0/23 219.144.90.0/24 221.204.26.0/23 221.5.96.0/23 222.189.172.0/24 222.79.116.0/23 222.79.126.0/24 222.94.224.0/23 223.109.0.0/23 223.109.2.0/24 223.109.210.0/24 23.236.104.0/24 27.44.206.0/24 36.150.103.0/24 36.158.202.0/24 36.158.253.0/24 36.159.70.0/24 36.248.57.0/24 36.250.235.0/24 36.250.238.0/24 36.250.5.0/24 36.250.8.0/24 38.60.181.0/24 42.81.252.0/24 43.132.64.0/19 43.137.88.0/22 43.141.10.0/24 43.141.109.0/24 43.141.11.0/24 43.141.110.0/24 43.141.132.0/24 43.141.50.0/24 43.141.9.0/24 43.145.16.0/22 43.145.44.0/23 43.152.0.0/18 43.152.128.0/18 43.159.4.0/24 43.159.64.0/18 43.174.0.0/16 43.175.0.0/16 49.51.64.0/24 58.144.195.0/24 58.212.47.0/24 58.217.176.0/22 58.250.127.0/24 58.251.127.0/24 58.251.87.0/24 59.55.136.0/21 61.240.216.0/24 81.71.192.0/23 101.33.222.0/24 111.33.186.0/24 123.150.77.0/24 125.39.190.0/24 221.178.3.0/24

3. Benefits of Configuring the IP Library

1. Correct Client Identification
   
   Ensures SafeLine obtains the real source IP instead of the CDN node IP.

2. Improved Security Policies
   
   Allows rate limiting, blacklisting, and monitoring to be applied accurately.

3. Reduced False Positives
   
   Prevents SafeLine from mistakenly blocking legitimate traffic routed through the CDN.

4. Future-Proof Updates
   
   As Edge One expands, the IP ranges can be updated in the library to keep rules current.

4. How to Apply in SafeLine

1. Log in to the SafeLine console.
2. Go to Allow & Deny.
3. Create a new Allowlist Rule with type “Source IP in the following CIDR ranges.”
4. Paste the full list of Edge One edge node IP ranges.
5. Save and apply the configuration.

Once completed, SafeLine will treat traffic from these IP ranges as trusted CDN nodes and correctly extract the end-user’s IP.

5. Conclusion

For anyone deploying SafeLine WAF behind Edge One CDN, setting up the official Edge One IP library is a best practice. It ensures accurate client IP recognition, enables precise security rules, and keeps your site protected without interfering with CDN traffic.

By keeping the IP library updated, you can maintain both strong security and reliable service performance.

Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.

• GitHub Repository
• Official Docs
• Discord Community