Manage access lists
Shield access lists let you allow or block traffic to your site by IP address, network range, country, and more. Each list has a type (what kind of entry it holds), a list of entries, and an action — Allow or Block. This guide covers creating, editing, and deleting your own lists, and turning on Bunny's ready-made Curated threat lists — all from the site dashboard.
Before you start
- A site with Shield included in its plan. If Shield isn't part of your plan, the Shield pages show a "not included in your plan" card instead of the controls below.
- Shield must be activated for the site. If it hasn't been, the Access Lists page shows a "Shield isn't active for this site" message with an Activate Shield button — activate it first.
- To create, edit, or delete a list you need a role that can make changes to the site. A view-only collaborator can read the lists but not change them.
Open the Access Lists page
- Open your site, then in the left sidebar expand Shield. The Shield dropdown lists the section's pages — Overview, WAF, Bot Detection, Rate Limits, Access Lists, and Security Events — so you can click Access Lists directly here.
- If you opened a different Shield page, the same pages appear as a sub-navigation that runs across the top of the section. Choose Access Lists there to switch to it.
The page has two tabs: Custom access lists (your own lists — this is the tab you land on) and Curated threat lists (Bunny's managed catalogues).
Create an access list
- On the Custom access lists tab, press New access list (the same button appears in the empty state when you have no lists yet).
- Fill in the form. The form is titled Access List and has these fields:
  - Name (required) — a label for the list, e.g. Blocked countries.
  - Description (optional) — notes about the list. This field is only shown when creating a new list.
  - Type — what kind of entry the list holds. Choose one of: IP, CIDR, ASN, Country, Organization, or JA4. Changing the type updates the hint shown under the entries box.
  - Action — an Allow / Block toggle. New lists default to Allow.
  - Entries — a text box with one entry per line. The format depends on the type you picked:

    | Type | One per line | Example |
    | --- | --- | --- |
    | IP | An IP address | 192.0.2.1 |
    | CIDR | A CIDR block | 203.0.113.0/24 |
    | ASN | An AS number | AS13335 |
    | Country | A two-letter ISO code | US, DE |
    | Organization | An organization name | — |
    | JA4 | A JA4 fingerprint | — |

    A live count below the box shows how many entries you've added.
- Press Save access list. You're returned to the Access Lists page and the new list appears in the table. Press Cancel to discard your changes instead.
Tip
The action (Allow / Block) and the list's entries are stored separately behind the scenes. The form sets both for you in one save, so you don't need to do anything special — just pick the toggle and press save.
Edit or delete a list
Each list in the table shows its Name, Type, entry count, and current Action (a green Allow badge or a red Block badge).
- Edit — press Edit on the list's row, change any of the fields, and press Save access list. (The Description field isn't shown when editing.)
- Delete — press Delete on the row. A Delete access list? confirmation appears; confirm to remove it. This cannot be undone.
The same lists are available over the REST API. Create one with a POST:
curl -X POST \
-H "Authorization: Bearer $SUPERSPACE_TOKEN" \
-H "X-Auth-Account: $ACCOUNT_ID" \
-H "Content-Type: application/json" \
-d '{
"name": "Office IPs",
"type": 0,
"content": "192.0.2.1\n198.51.100.4"
}' \
https://control.superspace.nl/api/sites/$SITE_ID/shield/access_lists
The type field is an integer: 0=IP, 1=CIDR, 2=ASN, 3=Country,
4=Organization, 5=JA4. Create accepts name, description, type,
content, and checksum — there is no action field on create. A new list
is created with the Allow action by default; to make it a Block list (or
change the action later) you set the action on the list's configuration as a
separate step. The dashboard form does both for you in one save. List, view,
update (PATCH), and delete (DELETE) endpoints are documented in the
Shield API reference.
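A pre-flight check for the create call, as an added example (not SuperSpace's or Bunny's code): it validates one-entry-per-line input against the entry formats listed for the form and builds the JSON body for the POST. The function names and sample entries are constructed for illustration; the `AS<digits>` form and upper-case country codes are assumptions taken from the page's examples.

```python
import ipaddress
import json
import re

# Integer codes for the "type" field, as given on this page.
TYPE_CODES = {"IP": 0, "CIDR": 1, "ASN": 2, "Country": 3, "Organization": 4, "JA4": 5}


def check_entry(list_type, entry):
    """Return the normalised entry, or raise ValueError if it is malformed."""
    if list_type == "IP":
        return str(ipaddress.ip_address(entry))
    if list_type == "CIDR":
        # strict=True rejects a block with host bits set, e.g. 203.0.113.7/24
        return str(ipaddress.ip_network(entry, strict=True))
    if list_type == "ASN":  # assumed form, from the page's example AS13335
        if not re.fullmatch(r"AS\d+", entry):
            raise ValueError("expected AS followed by digits")
        return entry
    if list_type == "Country":  # two-letter code; upper case is assumed
        if not re.fullmatch(r"[A-Za-z]{2}", entry):
            raise ValueError("expected a two-letter ISO code")
        return entry.upper()
    return entry  # Organization, JA4: no format given on the page


def build_payload(name, list_type, lines, description=None):
    """Validate one-entry-per-line input; return (payload, rejected)."""
    accepted, rejected = [], []
    for entry in filter(None, map(str.strip, lines)):  # skip blank lines
        try:
            norm = check_entry(list_type, entry)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        if norm not in accepted:  # drop duplicates, keep order
            accepted.append(norm)
    payload = {"name": name, "type": TYPE_CODES[list_type], "content": "\n".join(accepted)}
    if description:
        payload["description"] = description
    return payload, rejected


# Constructed sample input: one duplicate and one malformed address.
SAMPLE_LINES = ["192.0.2.1", "198.51.100.4", "198.51.100.4", "192.0.2.300"]

if __name__ == "__main__":
    body, bad = build_payload("Office IPs", "IP", SAMPLE_LINES)
    print(json.dumps(body), bad)
```

Send the payload only when the rejected list is empty. The created list carries the Allow action until the action is set in the separate step described above.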
Warning
Deleting a list is permanent and can't be undone. If you only want to stop a list from taking effect, edit it instead.
Turn on curated threat lists
The Curated threat lists tab shows catalogues that Bunny maintains for you — for example VPN providers, datacenters, TOR exit nodes, and botnets. You can't edit their contents, but you can choose whether each one is enabled and what action it applies.
- Switch to the Curated threat lists tab.
- Read the "Action precedence" panel at the top. When more than one rule matches a request, Shield resolves them in this order: Bypass, then Allow, then Block, then Challenge, then Log.
- For a list you want to use, flip its Status switch to Enabled and pick an Action from its dropdown (None, Allow, Block, Challenge, Log, or Bypass). Each change saves on its own as you make it.
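Under the precedence order above, an Allow match beats a Block match on the same request. The following added example (not Bunny's or SuperSpace's code) models that for IP and CIDR lists and reports entries overridden by a higher-ranked list. The list dictionaries and sample entries are constructed, and the model assumes the order applies to every list that matches a request.

```python
import ipaddress

# Order from the "Action precedence" panel: the earlier action wins.
PRECEDENCE = ["Bypass", "Allow", "Block", "Challenge", "Log"]


def resolve_action(actions):
    """Pick the winning action among all rules that matched one request."""
    ranked = [a for a in actions if a in PRECEDENCE]  # "None" never wins
    return min(ranked, key=PRECEDENCE.index) if ranked else None


def networks(access_list):
    """Parse an IP or CIDR list's entries into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in access_list["entries"]]


def explain(client_ip, lists):
    """Return (winning action, names of matching lists) for one address."""
    addr = ipaddress.ip_address(client_ip)
    hits = [lst for lst in lists if any(addr in n for n in networks(lst))]
    return resolve_action([h["action"] for h in hits]), [h["name"] for h in hits]


def shadowed_entries(lists):
    """List entries that overlap an entry of a list whose action outranks theirs."""
    found = []
    for low in lists:
        for high in lists:
            winner = resolve_action([low["action"], high["action"]])
            if low["action"] not in PRECEDENCE or winner == low["action"]:
                continue  # same action, or 'low' is the one that wins
            for a in networks(low):
                for b in networks(high):
                    if a.overlaps(b):
                        found.append((low["name"], str(a), high["name"], str(b)))
    return found


# Constructed sample lists (documentation address ranges), not real data.
SAMPLE_LISTS = [
    {"name": "Office ranges", "action": "Allow", "entries": ["203.0.113.0/24"]},
    {"name": "Abusive hosts", "action": "Block",
     "entries": ["203.0.113.45", "198.51.100.9"]},
]

if __name__ == "__main__":
    print(explain("203.0.113.45", SAMPLE_LISTS))
    print(shadowed_entries(SAMPLE_LISTS))
```

Each tuple returned by `shadowed_entries` names an entry that will not take effect for the overlapping addresses, so a broad Allow range is worth reviewing before you rely on a Block list.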
Some curated lists need the Advanced (premium) Shield tier
Lists that require a higher plan than your site has show a lock icon and can't be toggled until you upgrade. If your site is on the base tier, the tab shows an Upgrade plan banner with a link to billing. Lists that need a tier SuperSpace doesn't sell aren't shown at all.
Next steps
- From the Shield overview, watch matches in the Security Events log, tune the WAF and its rules, and set up rate limits
- Review the full Shield API reference