Skip navigation
All Places > In the Limelight Blog > Authors bmertens

In the Limelight Blog

1 Post authored by: bmertens

Access control is more than a passing fancy for many Limelight customers. In April, 2016, we will have many features in the Orchestrate Platform to help control who can access what, from where. We recently merged two access control features: ACL  (Access Control Lists) and  Geo-Fencing. For quite a while, we have had support for Geo-Fencing and ACLs. Geo-Fencing enables customers to allow/deny access based on an end-user's geographic location. ACLs enable customers to allow/deny access based on end-user IP address or HTTP Method. In the original implementation, Geo-Fencing and ACLs were separate processes and were difficult to use in concert. The new White/Black Listing IP and Geo-Fencing is greater than the sum of its parts.


In the new implementation, Geo-Fencing and IP ACL are combined into a set of access control rules. The new service allows IPs to be organized into "Groups". IP Groups and IP geo-location data are treated in the same manner. Access control rules are processed in the order in which they are written. The first time and IP address is found in a rule determines how that IP will be treated. Mixing and matching IP Groups and geo-location  rules is considerably more flexible than the disparate legacy systems were.


  Feature of the new system include:



HTTP Method

Allow/deny access based on HTTP method. Option: get/head/options/post/put/delete


Allow/deny access based on geographic location of  end-users IP address

IP Groups

Allow/deny access to a group of IP address.   IP ranges in a group can be defined by: get/head/options/post/put/delete

Anonymous  Proxy

Allow/deny access to end-users who are routing their requests through an anonymous proxie


Allow/deny access to all


Example:  has licensed distribution of the World Championship of CalvinBall (WCCB).  Their license limits them to European distribution. Advertising partners paid big bucks to bring WCCB to Europe. The partner offices are spread around the globe and must have access to the WCCB content. The licence agreement is strict and requires the blocking access from anonymous proxies.


An ordered set of access control rules can be constructed to enable  to meet their licence agreement and bring WCCB to Europe.

Calvin Ball.gif

Rule Order





HTTP Method

Allow get/head/options

Because WCCB  is a live video event  HTTP methods will be restricted to  get/head/options



Allow Advertising_Partners_List

Explicitly allows any IP found in the Advertising_Partners_List access to the WCCB Event



Deny Anonymous Proxies

Explicitly denies access to WCCB to any know anonymous proxies



Allow Europe

Explicitly allows access to WCCB event to any IP in Europe



Deny All

Denies access to any end-user who has not been given access by the above rules. ALL should always be the last rule.