You can configure a referer blacklist or whitelist to authenticate and authorize visitors. This can restrict access to Dynamic Route for CDN (DCDN) resources and improve DCDN security. This topic describes how the referer-based hotlink protection feature works and how to configure the feature.

Background information

  • Hotlink protection is implemented by the HTTP referer mechanism. The Referer request header, which is sent by the client, is used to track and identify where requests come from.
  • Hotlink protection supports blacklist or whitelist configuration. When a DCDN node receives a resource request from a user, it filters the request based on the configured blacklist or whitelist. A request whose Referer domain name is in the whitelist is allowed. A request whose Referer domain name is in the blacklist is rejected and status code 403 is returned.

Notice

  • Hotlink protection is optional. By default, hotlink protection is disabled.
  • The blacklist and whitelist are mutually exclusive. The most recent configuration takes effect.
  • When a domain name is added to the whitelist or blacklist, a wildcard (*) is automatically prepended to the domain name. For example, if you enter a.com, the domain name that actually takes effect is *.a.com. Hotlink protection takes effect on all the subdomains of a.com.
  • You can select the check box to specify whether to allow requests with an empty Referer header to access DCDN resources. If the check box is selected, such requests are allowed, so you can directly access DCDN resources by entering a URL in the address bar of your browser.

Procedure

  1. Log on to the Dynamic Route for CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the target domain name and click Configure.
  4. In the left-side navigation pane of the specified domain, click Access Control.
  5. On the Referer Anti-leech tab, click Modify.
  6. Configure a blacklist or whitelist as prompted.
    Parameter: Referer Type
    Description: The following two types are supported:
      • Blacklist: Requests from the blacklisted domains are not allowed to access the current accelerated domain.
      • Whitelist: Only requests from the whitelisted domains are allowed to access the current accelerated domain.
    The blacklist and whitelist are mutually exclusive. The most recent configuration takes effect.

    Parameter: Rules
    Description: Separate multiple domain names with carriage return characters. You can use wildcards (*) to perform a fuzzy match. For example, a.*b.com can match a.aliyun.b.com or a.img.b.com.
  7. Click OK.
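
The filtering rules from the Notice list and the Rules parameter, written out as a small model you can run against a planned rule list. This is an added example, not Alibaba Cloud's code, and its function names are hypothetical. It assumes that * matches any run of characters, that matching is anchored to the whole Referer host, that the bare domain matches its own rule, and that a Referer with no parsable host counts as empty.

```python
import re
from urllib.parse import urlsplit

def rule_to_regex(rule):
    """Compile one rule line into an anchored host-name regex (model only)."""
    # "*" is a fuzzy match; everything else in the rule is literal.
    body = ".*".join(re.escape(p) for p in rule.strip().lower().split("*"))
    # Page: a wildcard is prepended automatically, so a.com acts as *.a.com.
    # Assumption: the bare domain matches as well as its subdomains.
    return re.compile(r"(?:.*\.)?" + body + r"\Z")

def referer_host(referer):
    """Return the lower-cased host of a Referer value, or "" if none."""
    try:
        return (urlsplit((referer or "").strip()).hostname or "").lower()
    except ValueError:  # malformed value, e.g. an unclosed IPv6 bracket
        return ""

def decide(referer, rules, mode, allow_empty):
    """Return 200 if the model lets the request through, 403 otherwise."""
    if mode not in ("whitelist", "blacklist"):  # mutually exclusive lists
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    host = referer_host(referer)
    if not host:
        # Assumption: a Referer with no parsable host counts as empty.
        return 200 if allow_empty else 403
    listed = any(rule_to_regex(r).match(host) for r in rules if r.strip())
    if mode == "whitelist":
        return 200 if listed else 403
    return 403 if listed else 200

if __name__ == "__main__":
    # Constructed sample input: rules one per line, as entered in the console.
    rules = "a.com\na.*b.com".splitlines()
    samples = ["https://www.a.com/index.html", "https://a.img.b.com/x.png",
               "https://a.com.other.example/", "https://a.otherb.com/", ""]
    for ref in samples:
        print(f"{ref!r:40} whitelist -> {decide(ref, rules, 'whitelist', False)}")
```

Under these assumptions a wildcard in the middle of a rule is broader than it may look: a.*b.com also matches a.otherb.com, so check planned rules against the hosts you mean to exclude before saving them.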