Access Control Lists (ACLs)
Access Control Lists let you control which IP addresses can reach your websites. You can block unwanted traffic, such as aggressive crawlers or abusive bots, or restrict access to a set of known addresses, for example during development or for internal applications.
ACLs are enforced at the edge of the freistilbox infrastructure, so blocked requests never reach your application boxes. This is more efficient than filtering traffic with .htaccess rules, which only take effect at the Apache level.
NOTE: For the legacy .htaccess-based approach, see Limiting website access by IP address.
How ACLs work
An ACL is a named list of IP addresses or network ranges. Each entry belongs to either the allowlist or the denylist:
- Allowlist entries define addresses that are permitted to access the website. When an ACL contains only allowlist entries, all other addresses are blocked.
- Denylist entries define addresses that are denied access. When an ACL contains only denylist entries, all other addresses are permitted.
You can assign one or more ACLs to each website. When multiple ACLs are assigned, their entries are merged: all allowlist entries from all assigned ACLs are combined into one allowlist, and all denylist entries are combined into one denylist.
An ACL with no entries has no effect.
Types of ACLs
There are two types of ACL:
- Global ACLs are provided by freistil and apply platform-wide. They are available to all organisations. You can assign global ACLs to your websites, but you cannot modify them.
- Custom ACLs are created by your organisation. You can create, edit, and delete custom ACLs as needed.
Supported address formats
Each ACL entry takes an IP address or a CIDR network range. Both IPv4 and IPv6 are supported:
| Format | Example | What it matches |
|---|---|---|
| Single IPv4 address | 203.0.113.42 |
One address |
| IPv4 CIDR range | 203.0.113.0/24 |
256 addresses (203.0.113.0 – 203.0.113.255) |
| Single IPv6 address | 2001:db8::1 |
One address |
| IPv6 CIDR range | 2001:db8::/32 |
A /32 network block |
Managing ACLs
Viewing your ACLs
Open the Access Control Lists page in the dashboard. Your ACLs are listed in two sections:
- Global ACLs – platform-wide lists provided by freistil.
- Your Organisation’s ACLs – custom lists created by members of your organisation.
Click on any ACL to open its detail page, where you can see all allowlist and denylist entries.
Creating an ACL
- Open the Access Control Lists page in the dashboard.
- Click Create New Access Control List.
- Enter a Name (for example, “Office Network” or “Blocked Crawlers”). The name must be unique within your organisation.
- Optionally add a Description to explain the purpose of this ACL.
- Add entries to the Allowlist Entries section, the Denylist Entries section, or both. For each entry, provide:
- IP Address or CIDR (required) – for example,
203.0.113.0/24or198.51.100.42. - Comment (optional) – a short note describing the entry, such as “Office subnet” or “CI server”.
- IP Address or CIDR (required) – for example,
- The form starts with three entry rows per section. Click + Add another entry to add more rows as needed.
- Leave entry rows blank if you don’t need them; only rows with an address filled in are saved.
- Click Create ACL.
Every ACL must contain at least one allowlist or denylist entry.
Editing an ACL’s name and description
- Open the ACL from the list to reach its detail page.
- Click Edit Details in the top right corner.
- Change the Name or Description as needed.
- Click Save Changes, or click Cancel to discard your edits.
If the ACL is assigned to any websites, the updated name and description take effect immediately in the dashboard. The access rules themselves are not affected.
Deleting an ACL
- Open the ACL from the list to reach its detail page.
- Click Delete ACL in the top right corner. This button is only shown if the ACL is not assigned to any website.
- Click Confirm to permanently delete the ACL, or Cancel to keep it.
You cannot delete an ACL that is still in use. Remove it from all websites first (see Removing an ACL from a website below), then delete it.
Managing allowlist and denylist entries
The ACL detail page shows entries on two tabs: Allowlist and Denylist. Each tab displays the number of entries next to its label.
Adding entries
- Open the ACL detail page and select the Allowlist or Denylist tab.
- Click + Add Entries.
- Fill in one or more rows:
- IP address or CIDR (required) – the address or range to allow or deny.
- Comment (optional) – a note about this entry.
- Click + Add another entry to add more rows before submitting.
- Click Add Entries to save.
If the ACL is assigned to websites, the new entries are propagated to the edge infrastructure within a few minutes.
Changing an entry
There is no inline edit for individual entries. To change an entry’s address or comment, delete the existing entry and add a new one with the corrected values.
Deleting an entry
- Open the ACL detail page and select the Allowlist or Denylist tab.
- Find the entry you want to remove and click Delete.
- Click Confirm to delete the entry, or Cancel to keep it.
You cannot delete the last remaining entry of an ACL. Every ACL must have at least one allowlist or denylist entry at all times.
If the ACL is assigned to websites, the removal is propagated to the edge infrastructure within a few minutes.
Assigning ACLs to websites
Assigning an ACL to a website
- Open the website’s detail page in the dashboard.
- Scroll to the Access Control Lists section.
- Select an ACL from the dropdown and click Assign.
The ACL’s rules take effect within a few minutes.
You can assign multiple ACLs to the same website. Their entries are merged, so you can combine a global ACL with one or more custom ACLs to build layered access rules.
Removing an ACL from a website
- Open the website’s detail page in the dashboard.
- In the Access Control Lists section, click Remove next to the ACL you want to unassign.
The change takes effect within a few minutes.
Removing an ACL from a website does not delete the ACL itself. It remains available for use with other websites.
Common use cases
Block specific IP addresses
Create an ACL with denylist entries for the addresses you want to block. All other visitors can still access the website.
Example: Block two aggressive crawler IPs.
| List | Address | Comment |
|---|---|---|
| Denylist | 198.51.100.10 |
Aggressive crawler A |
| Denylist | 198.51.100.11 |
Aggressive crawler B |
Restrict access to known addresses
Create an ACL with allowlist entries for the addresses that should have access. Everyone else is blocked.
Example: Limit access to the office network and a CI server during development.
| List | Address | Comment |
|---|---|---|
| Allowlist | 203.0.113.0/24 |
Office network |
| Allowlist | 198.51.100.50 |
CI server |
Combine multiple ACLs
Assign a global ACL that blocks known bad actors together with a custom ACL that restricts access to your team. Both sets of rules are applied.