Not all web traffic is welcome traffic. Between aggressive bots, scrapers, and bad actors, your websites face a constant stream of requests that waste resources and can impact performance for real visitors. Starting today, you have a new tool to deal with them: Access Control Lists.
Access Control Lists are available to early-access customers starting today and will be generally available to all customers on December 8.
What Are Access Control Lists?
Access Control Lists—or ACLs—let you define rules for which IP addresses can reach your websites. You can create allow lists, deny lists, or both, giving you fine-grained control over who gets through the door and who gets turned away.
How It Works
ACLs work at the edge of our infrastructure, which means unwanted requests get blocked before they even reach your content cache, let alone your application servers. This keeps your site fast and responsive for legitimate visitors while reducing unnecessary load on your stack.
Setting up an ACL is straightforward. You define a list of IP addresses or CIDR ranges, specify whether those addresses should be allowed or denied, and assign the list to one or more of your sites. Changes take effect within minutes.
You can create multiple lists for different purposes and apply them as needed. A site might use one list to block known bad actors and another to restrict access during a staging phase.
Practical Use Cases
Blocking Bot Networks
Some bots are helpful—search engine crawlers, uptime monitors, and the like. Others are not. Scrapers, credential stuffers, and DDoS participants can hammer your site with thousands of requests per minute. With an ACL deny list, you can block entire IP ranges associated with malicious traffic and stop the problem at the source.
Restricting Access to CDN Nodes
If you’re using a content delivery network like Myra or Fastly, you might want to ensure that all traffic flows through the CDN rather than hitting your origin directly. An ACL allow list lets you permit only your CDN’s IP ranges, so direct requests to your origin get rejected. This protects your site from attacks that try to bypass CDN-level protections.
Staging and Development Environments
Sometimes you need to keep a site private while you’re still working on it. Instead of relying solely on HTTP authentication or application-level access controls, you can use an ACL to limit access to your office network or VPN. Only requests from approved IP addresses will get through.
Client-Specific Access
Working on a project that only certain people should see? Add their IP addresses to an allow list and keep everyone else out until launch day.
Getting Started
You’ll find the new Access Control Lists section in your freistilbox dashboard. From there, you can create lists, add IP addresses or ranges, and assign lists to your sites.
If you’re not sure which IP addresses to block, your site’s access logs are a good place to start. Look for patterns—repeated requests from the same ranges, unusual user agents, or traffic spikes that don’t match real user behaviour.
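One way to look for the "repeated requests from the same ranges" pattern, as an added example that is not part of the original post or of freistilbox tooling: it groups access-log lines by /24 (IPv4) or /64 (IPv6) network and lists the busiest ranges with their user agents. The combined log format, the prefix lengths, the threshold and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in combined log format (documentation address ranges only).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Dec/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [01/Dec/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.20 - - [01/Dec/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 9041 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.77 - - [01/Dec/2025:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
2001:db8:1::a - - [01/Dec/2025:10:00:03 +0000] "GET /feed HTTP/1.1" 200 120 "-" "curl/8.5.0"
-- log rotated --
203.0.113.5 - - [01/Dec/2025:10:00:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
2001:db8:1::b - - [01/Dec/2025:10:00:04 +0000] "GET /feed HTTP/1.1" 200 120 "-" "curl/8.5.0"
198.51.100.20 - - [01/Dec/2025:10:00:05 +0000] "GET /about HTTP/1.1" 200 3310 "-" "Mozilla/5.0 (X11; Linux x86_64)"
2001:db8:1:0:ffff::1 - - [01/Dec/2025:10:00:06 +0000] "GET /feed HTTP/1.1" 200 120 "-" "curl/8.5.0"
"""

# Captures the client address and the user agent of a combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def candidate_ranges(log_text, prefix_v4=24, prefix_v6=64, min_requests=3):
    """Return (cidr, requests, distinct_hosts, user_agents) for busy networks."""
    stats = defaultdict(lambda: {"requests": 0, "hosts": set(), "agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line (rotation marker, truncated entry)
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field is a hostname or garbage, not an address
        prefix = prefix_v4 if ip.version == 4 else prefix_v6
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        entry = stats[net]
        entry["requests"] += 1
        entry["hosts"].add(ip)
        entry["agents"].add(m.group(2))
    rows = [(str(net), s["requests"], len(s["hosts"]), sorted(s["agents"]))
            for net, s in stats.items() if s["requests"] >= min_requests]
    return sorted(rows, key=lambda row: -row[1])  # busiest range first

if __name__ == "__main__":
    for cidr, requests, hosts, agents in candidate_ranges(SAMPLE_LOG):
        print(f"{cidr:20} {requests:5} requests from {hosts} hosts  {agents}")
```

Check each candidate range against traffic you want to keep, such as search engine crawlers and uptime monitors, before adding it to a deny list.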
Need help setting things up? Our team is here to assist. We’ve dealt with every kind of traffic problem over the past 15 years, and we’re happy to help you figure out the right approach for your situation.
Your Sites, Your Rules
Access Control Lists give you another layer of control over how your websites handle incoming traffic. Whether you’re defending against bots, tightening security around your CDN setup, or just keeping a staging site private, ACLs make it simple.
Log in to your dashboard and give it a try. And as always, please let us know what you think—your feedback helps us build the features you actually need.


