
OSS Anti-Leech Referer Configuration and Error Elimination

Posted time: Sep 13, 2016 16:35 PM
What is a referer?
The HTTP referer is part of the request header. When your browser sends a request to a web server, it usually includes a referer that tells the server which page the link came from.
The English word is often spelled incorrectly as referrer. Due to the large number of people making this mistake, the mistake has been passed on to writers.
Applications of a referer
• Anti-leech: For example, when a website requests an image from your picture server, the picture server reads the referer to determine whether the request came from your domain name. If it did, the request is served. If not, it is intercepted.
• Data statistics: For example, statistics on the source of links users access.
When is the referer blank?
A blank referer means either that the referer header in an HTTP request has no content, or that the HTTP request has no referer header at all.
The referer is blank in the following two scenarios:
• When a request isn't triggered by a link. For example, directly entering an address in the address bar to open a page;
• When a non-encrypted HTTP page is accessed from a link on an HTTPS page. The request for the HTTP page carries no referer.
What is the difference between allowing blank referers in the anti-leech referer settings and not allowing blank referers?
If the anti-leech referer whitelist settings allow blank referers, the source URL can be accessed directly from the browser address bar.

However, if blank referers are not allowed, direct access from the browser is forbidden.

OSS referer configuration
The OSS referer configuration includes:
• Whether requests with a blank referer field are allowed
• A whitelist of referer values
Configure these settings in the bucket properties, using the console or the SDK.
Noteworthy points about OSS referers
Noteworthy points about OSS referer configuration:
• Anti-leech verification is performed only when users access objects through signed URLs or anonymously. If the request carries an Authorization header, anti-leech referer verification is not performed;
• A bucket can support multiple referer parameters. These parameters are separated by a comma (,);
• The referer parameters support wildcard characters (*) and (?).
• Users can set whether requests with a blank referer field are allowed.
• When the whitelist is empty, OSS does not check whether the referer is blank (otherwise all requests would be rejected).
• When the whitelist is not empty and blank referers are not allowed, only requests whose referer is in the whitelist are allowed. Other requests (including blank referer requests) are rejected.
• When the whitelist is not empty and blank referers are allowed, requests with a blank referer and requests whose referer satisfies the whitelist are allowed. Other requests are rejected.
• All three bucket permission levels (private, public-read and public-read-write) check the referer field.
Wildcard characters:
• Asterisk (*): This symbol can be used to replace 0 or multiple characters. If you are checking for a file starting with AEW but you can't remember the rest of the file name, enter AEW* to check file names for all file types starting with AEW, such as AEWT.txt, AEWU.EXE, or AEWI.dll. To narrow the search, enter AEW*.txt to check all .txt extension file names that start with AEW, such as AEWIP.txt or AEWDF.txt.
• Question mark (?): This symbol can be used to replace a character. If you enter love?, you can check for all file types starting with the characters love plus one character, such as lovey, or lovei. To narrow the search, enter love?.doc to check for all .doc extension file types starting with love plus one character, such as lovey.doc or loveh.doc.
Classic configuration
Access for all requests
o Blank referer: allows blank referers
o Referer list: blank
Access for specified referers only
o Blank referer: does not allow blank referers
o Referer list: http://*.oss-cn-beijing.aliyuncs.com, http://*.aliyun.com
Access for requests with specified referers and access for requests without referers
o Blank referer: allows blank referers
o Referer list: http://*.oss-cn-beijing.aliyuncs.com, http://*.aliyun.com
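The decision rules and the classic configurations above, as an added Python sketch (not code from OSS or from the original post). It assumes that only the scheme and host of the Referer are compared against each whitelist entry and that matching is case-sensitive; the function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def parse_whitelist(setting):
    """Split the comma-separated referer setting into individual patterns."""
    return [p.strip() for p in setting.split(",") if p.strip()]

def pattern_to_regex(pattern):
    """'*' replaces zero or more characters, '?' replaces exactly one."""
    out = []
    for ch in pattern:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out))

def referer_origin(referer):
    """Assumption of this sketch: only scheme://host of the Referer is compared."""
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else referer

def referer_check_passes(headers, whitelist, allow_blank):
    """Return True if the anti-leech rules described above let the request through."""
    # Requests carrying an Authorization header are not referer-checked.
    if headers.get("Authorization"):
        return True
    # An empty whitelist disables the check, whatever allow_blank says.
    if not whitelist:
        return True
    referer = headers.get("Referer", "").strip()
    # A missing header and an empty header both count as a blank referer.
    if not referer:
        return allow_blank
    origin = referer_origin(referer)
    return any(pattern_to_regex(p).fullmatch(origin) for p in whitelist)

# Constructed sample requests, evaluated against the "specified referers only" setup.
WHITELIST = parse_whitelist("http://*.oss-cn-beijing.aliyuncs.com, http://*.aliyun.com")
SAMPLES = [
    {"Referer": "http://www.aliyun.com/index.html"},   # whitelisted subdomain
    {"Referer": "http://aliyun.com/"},                 # bare domain, no subdomain
    {},                                                # blank referer
    {"Authorization": "OSS placeholder-signature"},    # signed request, check skipped
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", "pass" if referer_check_passes(h, WHITELIST, False) else "403")
```
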
Common errors
When a referer is configured with an error, OSS sends back HTTP code 403 with the following error:
<Message>You are denied by bucket referer policy.</Message>

Possible issues:
• A blank referer: the request header has no referer field, or the referer field is blank.
• A referer that is not within the referer range of the rules. Note the following points:
o Check whether the configuration is for http://*.aliyun.com or http://*.aliyun.com
o a.aliyun.com and b.aliyun.com match with http://domain.com and http://*.domain.com
o domain.com matches with http://domain.com and not http://*.domain.com
• The referer configured under OSS -> Bucket -> Bucket properties -> Anti-leech for the bucket where the object is saved;
• Browser caching when debugging;
• OSS referer only supports a whitelist and does not currently support a blacklist.
Other Problems
• After the anti-leech referer is set, use curl to capture videos. Check whether CDN is enabled and whether the CDN layer has a referer setting that does not allow blank referers. When debugging the OSS referer, first eliminate the effect of the CDN. Adjust the OSS referer before the CDN referer.