An acl declaration creates an access control list in VCL code. An ACL contains a flat list of IP addresses and subnets, and is typically used for making a list of bad clients (a 'blocklist') or explicitly allowed clients (an 'allowlist').

This can also be achieved via an API call, using the CLI, or using the web interface.


The following example shows the syntax of an ACL:

acl office_ip_ranges {
""/24; # internal office...
! ""; # ... except for the vending machine
""; # remote VPN office
"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"; # ipv6 address remote

ACL entries may not use hostnames, so "" is not a valid ACL entry.

Entries may include range specifiers, which follow the end of the IP address string. For example, ""/24 will match any address sharing the same first 24 bits as the specified address. Since an IPv4 address is 32 bits long, and each dot-separated number represents 8 bits, /24 means "match the first three segments of the address".

Entries may be negated. Negations are processed after all inclusions, and always take precedence, regardless of the order in which they are listed.


The following example shows how to block IP addresses and ranges using an ACL:

Matching or failure to match an ACL is a common reason to trigger a custom error code and generate a synthetic response. See the error statement for details.