
Access control

Last Updated: Jul 11, 2019

Overview

The access control service allows you to configure access policies in the cloud to provide basic protection for video resources. The access control service requires only cloud-based configuration without any extra development, making it easy to use. In addition, the configuration takes effect quickly. The common access control policies include:

  • Referer access control: You can configure a referer blacklist or whitelist. For more information, see Referer hotlinking protection.
  • IP address access control: You can configure an IP address blacklist or whitelist. For more information about how to configure an IP address blacklist and whitelist, see IP address blacklist and whitelist.
  • User-Agent access control: You can configure a User-Agent blacklist or whitelist.
  • Restrictions on the number of access times: You can configure the maximum number of times that a video URL can be accessed in a certain period and the maximum number of unique IP addresses that are granted access to the video URL after deduplication.

The configurations of User-Agent access control and restrictions on the number of access times are complicated and prone to misconfiguration. Currently, you cannot configure these access control policies in the ApsaraVideo for VOD console. If you need to configure these policies, submit a ticket or contact Alibaba Cloud after-sales.

Referer blacklist and whitelist

  • The Referer header in an HTTP request carries the address of the page from which the request was made. You can configure a referer blacklist or whitelist (but not both) to control access to video resources.
  • After a visitor initiates a resource access request, the request is sent to a CDN node. The CDN node checks the Referer header in the request against the configured referer blacklist or whitelist. If the referer is allowed, the CDN node serves the request. If the referer is forbidden, the CDN node rejects the request and returns HTTP response code 403.
  • Wildcard domain names are supported automatically: if you enter a.com, the configuration takes effect as *.a.com, that is, all sub-domain names of a.com are covered as well.
  • Mobile apps and other non-browser clients generally do not send a Referer header. Therefore, requests without the Referer header are allowed by default. You can choose to disable access from such requests. Note that the header is set by the client, so any client can simply omit it: as long as requests without a Referer header are allowed, the whitelist only constrains browsers that send the header.

For more information, see Referer hotlinking protection.

Examples

Add aliyun.com to the referer whitelist for the ApsaraVideo for VOD domain name vod-test1.cn-shanghai.aliyuncs.com, and disable access from requests without the Referer header. First, send a request that carries no Referer header:

  curl -i 'http://vod-test1.cn-shanghai.aliyuncs.com/sv/5101d1f8-1643f9ab241/5101d1f8-1643f9ab241.mp4'

Response: the CDN node rejects the request and returns HTTP response code 403, because the request carries no Referer header and access from such requests has been disabled.

After you add a Referer header that matches the whitelist to the request, the access is allowed:

  curl -i 'http://vod-test1.cn-shanghai.aliyuncs.com/sv/5101d1f8-1643f9ab241/5101d1f8-1643f9ab241.mp4' \
    -H 'Referer: http://www.aliyun.com'

User-Agent blacklist and whitelist

User-Agent is a request header whose string value identifies the client: the operating system type and version, CPU type, browser type and version, browser rendering engine, language, and plug-ins used. You can configure a User-Agent blacklist or whitelist to control access from specific browsers or terminals. For example, the User-Agent header for Internet Explorer 9.0 on a Windows PC is as follows:

  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Simulate the following HTTP request for verification. The CDN node returns HTTP response code 403 if the User-Agent value is blocked by the configured list, and serves the video if it is allowed:

  curl -i 'http://vod-test1.cn-shanghai.aliyuncs.com/sv/5101d1f8-1643f9ab241/5101d1f8-1643f9ab241.mp4' \
    -H 'User-Agent: iPhone OS;MI 5'

As with the Referer header, the User-Agent value is supplied by the client: the string passed with -H here is whatever the caller chooses to send.
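The following Python model of the Referer and User-Agent checks described above (the referer list semantics from "Referer blacklist and whitelist", including wildcard sub-domains and the empty-Referer option, and the User-Agent list from this section) is an added example written for this page; it is not ApsaraVideo for VOD code. It assumes that a User-Agent entry matches as a case-insensitive substring, which the page does not specify, and reproduces the two curl requests from the Examples section as inputs.

```python
from urllib.parse import urlsplit

# Added example for this page: a model of the Referer and User-Agent checks a
# CDN node performs. It is not ApsaraVideo for VOD code. Assumed rules: one
# list per header (whitelist or blacklist, not both); a referer entry such as
# 'a.com' also covers every sub-domain, as the text states; requests with no
# Referer header pass unless allow_empty is False; User-Agent entries are
# matched as case-insensitive substrings (an assumption, the page does not say).

def _decide(matched, mode):
    """Map a list hit to the status code the CDN node would return."""
    if mode == "whitelist":
        return 200 if matched else 403
    if mode == "blacklist":
        return 403 if matched else 200
    raise ValueError("configure either a whitelist or a blacklist, not both")

def referer_host(referer):
    """Host part of a Referer value, lower-cased. None when the header is absent,
    '' when it is present but not a parseable URL (a bare 'www.aliyun.com' has no
    scheme and parses as a path, so it matches nothing)."""
    if not referer:
        return None
    host = urlsplit(referer).hostname
    return (host or "").lower()

def host_matches(host, entry):
    """True if host is entry itself or one of its sub-domains ('a.com' behaves as
    '*.a.com'). Matching whole labels keeps 'evilaliyun.com' from matching 'aliyun.com'."""
    entry = entry.lower().lstrip("*.")
    return host == entry or host.endswith("." + entry)

def check_referer(referer, entries, mode="whitelist", allow_empty=True):
    """Return 200 (allow) or 403 (reject) for the given Referer header value."""
    host = referer_host(referer)
    if host is None:
        return 200 if allow_empty else 403
    return _decide(any(host_matches(host, e) for e in entries), mode)

def check_user_agent(user_agent, entries, mode="whitelist"):
    """Return 200 or 403 for the given User-Agent header value (an empty UA matches nothing)."""
    ua = (user_agent or "").lower()
    return _decide(any(e.lower() in ua for e in entries), mode)

if __name__ == "__main__":
    # The two curl requests from the Examples section: whitelist aliyun.com, empty Referer disabled.
    print(check_referer(None, ["aliyun.com"], allow_empty=False))                     # 403
    print(check_referer("http://www.aliyun.com", ["aliyun.com"], allow_empty=False))  # 200
    # A forged header is indistinguishable from a real one, so the second call
    # returns 200 whether or not the request really came from aliyun.com.
    print(check_user_agent("iPhone OS;MI 5", ["MSIE"], mode="blacklist"))             # 200
```

The host comparison is done on whole DNS labels so that a referer such as http://aliyun.com.attacker.example/ does not satisfy an aliyun.com entry; a plain suffix match would let it through.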

IP address blacklist and whitelist

ApsaraVideo for VOD allows you to configure an IP address blacklist or whitelist to reject or allow only access from specific IP addresses.

  • You can add a list of IP addresses or CIDR blocks such as 127.0.0.1/24 to the IP address blacklist or whitelist.

    In CIDR notation, the number after the slash is the prefix length: for 127.0.0.1/24, the first 24 bits (most significant bits) of the address are the network part and the remaining 8 (32 - 24) bits are the host part. The entry therefore denotes the block 127.0.0.0/24, that is, the 256 (2^8) addresses 127.0.0.0 to 127.0.0.255, and the list matches any source address in that block. (The figure of 254 usable hosts applies to assigning addresses inside a subnet, where the network and broadcast addresses are excluded; it does not apply to access-list matching.) Note that 127.0.0.0/8 is the loopback range and never appears as a real client address; use the blocks your clients actually come from.

  • You can choose whether to preferentially use remote_addr or X-Forwarded-For to determine the IP address of origin for requests. You can also use both remote_addr and X-Forwarded-For. remote_addr is the address of the TCP peer that connected to the CDN node, which a client cannot forge without controlling that address. X-Forwarded-For is a request header that the client or any intermediate proxy can set, so a forged value can claim a whitelisted address. Prefer remote_addr unless your clients really sit behind a trusted proxy, and in that case trust only the entry appended by that proxy.
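The following Python model of the IP address list check is an added example for this page, not ApsaraVideo for VOD code. It shows how a CIDR entry such as 127.0.0.1/24 expands to its block, and how the choice between remote_addr and X-Forwarded-For changes the outcome when a client forges the header. The interpretation of "use both" (every candidate address must pass) is an assumption, since the page does not define it; the address lists are constructed from documentation ranges.

```python
import ipaddress

# Added example for this page, not ApsaraVideo for VOD code: a model of the IP
# address blacklist/whitelist check, including the choice of which address the
# check is evaluated against. Assumptions: entries are single addresses or CIDR
# blocks; 'both' is taken to mean that the TCP peer address and every
# X-Forwarded-For entry must all pass (the page does not define it further).

def parse_entries(entries):
    """Turn list entries into network objects. strict=False accepts host bits in
    the prefix, so '127.0.0.1/24' becomes the block 127.0.0.0/24 (256 addresses)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def candidate_ips(remote_addr, xff=None, prefer="remote_addr"):
    """Addresses the list is evaluated against.
    remote_addr: the TCP peer only; a client cannot forge it without owning the address.
    xff: the first X-Forwarded-For entry, falling back to the peer when the header is
         absent or unparseable; the client itself may have sent this header.
    both: the peer plus every X-Forwarded-For entry."""
    peer = ipaddress.ip_address(remote_addr)
    forwarded = []
    for token in (xff or "").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            forwarded.append(ipaddress.ip_address(token))
        except ValueError:
            pass  # not an IP address: ignore the entry
    if prefer == "xff":
        return forwarded[:1] or [peer]
    if prefer == "both":
        return [peer] + forwarded
    return [peer]

def check_ip(remote_addr, entries, mode="whitelist", xff=None, prefer="remote_addr"):
    """Return 200 (allow) or 403 (reject). With a whitelist every candidate address
    must be listed; with a blacklist any listed candidate address rejects the request."""
    nets = parse_entries(entries)
    hits = [any(ip in net for net in nets)
            for ip in candidate_ips(remote_addr, xff, prefer)]
    if mode == "whitelist":
        return 200 if all(hits) else 403
    if mode == "blacklist":
        return 403 if any(hits) else 200
    raise ValueError("configure either a whitelist or a blacklist, not both")

if __name__ == "__main__":
    allow = ["203.0.113.0/24"]  # constructed whitelist (TEST-NET-3 documentation range)
    # Peer outside the whitelist, but a forged X-Forwarded-For claiming a listed address:
    print(check_ip("198.51.100.9", allow, xff="203.0.113.7", prefer="xff"))          # 200: bypass
    print(check_ip("198.51.100.9", allow, xff="203.0.113.7", prefer="remote_addr"))  # 403
    print(check_ip("198.51.100.9", allow, xff="203.0.113.7", prefer="both"))         # 403
```

The three calls at the end use the same forged request; only the preference setting differs. Preferring X-Forwarded-For turns the whitelist into a self-declared identity check, which is why the remote_addr setting is the safer default.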

Restrictions on the number of access times and the number of unique IP addresses

ApsaraVideo for VOD allows you to configure the maximum number of times that media resources can be accessed in a certain period (such as one day) and the maximum number of unique IP addresses that are granted access to media resources. The core principle is as follows: All requests are first sent to the centralized access count service for verification. The access count service checks whether the specified threshold is exceeded. If so, the access count service rejects a request and returns HTTP response code 403.

  • The restrictions are imposed on access to a URL (the file path together with its query string, including any signature parameters), not to a file: two differently signed URLs for the same file are counted separately. However, you can configure the system to ignore certain parameters in URLs. The restriction threshold values can be set independently for each domain name.
  • The access count service is a centralized service deployed across multiple regions. Access requests to a URL are dispatched to only one of the regions to ensure centralized counting.
  • After receiving a request, a CDN edge node accesses the centralized access count service for counting and verification.
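The following Python model of the access-count service is an added example for this page, not ApsaraVideo for VOD code. It keys the counter on the URL including its query string (minus any ignored parameters), keeps a per-domain pair of thresholds (maximum requests and maximum unique IP addresses per window), and returns 403 once either threshold would be exceeded. The window length, the per-key reset behaviour, and the sample thresholds and addresses are constructed assumptions; the page describes only the thresholds and the 403 result.

```python
import time
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Added example for this page, not ApsaraVideo for VOD code: a model of the
# centralized access-count service. Assumptions: thresholds are configured per
# domain name as (max requests, max unique IPs) per window; the counter key is
# the full URL including its query string (so each signed URL counts separately)
# minus any parameter names configured to be ignored; one fixed window per key.

def counter_key(url, ignore_params=()):
    """Normalize a URL into the key the counter is kept under."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in ignore_params]
    # The fragment never reaches the server, so it is dropped.
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path,
                       urlencode(query), ""))

class AccessCounter:
    def __init__(self, limits, window_seconds=86400, ignore_params=()):
        self.limits = limits                  # {domain: (max_requests, max_unique_ips)}
        self.window = window_seconds
        self.ignore_params = set(ignore_params)
        self.state = {}                       # key -> (window_start, count, set of IPs)

    def check(self, url, client_ip, now=None):
        """Return 200 if the request stays within both thresholds for this URL,
        otherwise 403. A rejected request is not counted."""
        now = time.time() if now is None else now
        domain = (urlsplit(url).hostname or "").lower()
        if domain not in self.limits:
            return 200                        # no restriction configured for this domain
        max_requests, max_ips = self.limits[domain]
        key = counter_key(url, self.ignore_params)
        start, count, ips = self.state.get(key, (now, 0, set()))
        if now - start >= self.window:        # window elapsed: start a fresh count
            start, count, ips = now, 0, set()
        new_ip = client_ip not in ips
        if count + 1 > max_requests or (new_ip and len(ips) + 1 > max_ips):
            self.state[key] = (start, count, ips)
            return 403
        ips.add(client_ip)
        self.state[key] = (start, count + 1, ips)
        return 200

if __name__ == "__main__":
    domain = "vod-test1.cn-shanghai.aliyuncs.com"
    url = "http://%s/sv/5101d1f8-1643f9ab241/5101d1f8-1643f9ab241.mp4?auth_key=sig1" % domain
    svc = AccessCounter({domain: (3, 2)})     # constructed thresholds: 3 requests, 2 unique IPs
    for ip, t in [("203.0.113.1", 0), ("203.0.113.2", 1), ("203.0.113.3", 2), ("203.0.113.1", 3)]:
        print(t, ip, svc.check(url, ip, now=t))   # 200, 200, 403 (third IP), 200
```

Because the key includes the query string, a fresh signature starts a fresh counter; configuring the signature parameter as ignored makes every signed URL for the same file share one count. Either way the counter only bounds volume: a request that arrives while the thresholds are not yet exceeded is served regardless of who sent it.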

Summary

  • The access control service requires only simple configuration, making it easy to use. It can provide basic protection, especially for access from web browsers.
  • Referer and User-Agent are ordinary HTTP request headers set by the client, so they can be forged trivially (for example with curl -H) and offer low security.
  • IP address access control and restrictions on the number of access times hinder the distribution of content to a large number of consumers. Therefore, they are unsuitable for widespread content consumption. In addition, unauthorized access may still occur as long as the restriction threshold values are not exceeded.