CDN: Configure a Referer whitelist or blacklist to enable hotlink protection

Last Updated:Nov 27, 2023

Referer-based hotlink protection is access control based on the HTTP Referer header. You can configure a Referer whitelist that allows only requests from the listed sources to access your resources, or a Referer blacklist that blocks requests from the listed sources. Because the Referer header is set by the client, this feature deters casual hotlinking, such as other websites embedding your images or videos in their pages, but it does not authenticate users: a client that forges or omits the header is not stopped by it, so do not rely on it as the only control for resources that must stay private. This topic describes how to configure a Referer whitelist or blacklist to enable hotlink protection.

Background information

Important
  • By default, this feature is disabled.

  • After you add a domain name to the Referer whitelist or blacklist, its subdomains are covered as well (suffix match) unless you select Exact Match. For example, if you add aliyundoc.com to the whitelist or blacklist, hotlink protection also takes effect for all domain names that match *.aliyundoc.com.

  • When a client sends Range requests to a domain name (for example, a browser seeking within a video), the browser adds a Referer header to the second Range request. If you use a whitelist, add the value of that Referer header to the whitelist; otherwise the Range request is rejected.

The Referer header is part of the header section of an HTTP request and carries the address of the page from which the request originated, including the scheme (http or https), the domain name, and the path and query string if present. The Referer header is used to identify the source of a request.

After you configure a Referer whitelist or blacklist, Alibaba Cloud CDN allows or rejects each request based on the value of its Referer header. If a request is allowed, Alibaba Cloud CDN serves the requested resource. Otherwise, Alibaba Cloud CDN returns the HTTP 403 status code, or an HTTP 302 redirect if you configured a redirect URL.


Procedure

  1. Log on to the Alibaba Cloud CDN console.

  2. In the left-side navigation pane, click Domain Names.

  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.


  4. In the left-side navigation pane of the domain name, click Access Control.

  5. On the Hotlink Protection tab, click Modify.

  6. Select Blacklist or Whitelist based on your business requirements.

    The following parameters are available.

    Type

    • Blacklist

      Requests whose Referer domain name is included in the blacklist cannot access the resources.

    • Whitelist

      Only requests whose Referer domain name is included in the whitelist can access the resources.

    Note

    Blacklists and whitelists are mutually exclusive. You can configure only one type of list at a time.

    Rules

    • You can add multiple domain names to the Referer whitelist or blacklist. Enter one domain name per line.

    • You can use asterisks (*) as wildcards. For example, if you add *.developer.aliyundoc.com to the whitelist or blacklist, image.developer.aliyundoc.com or video.developer.aliyundoc.com can be matched.

    Note

    The content that you enter in the Rules field cannot exceed 60 KB.

    Redirect URL

    Optional. If you set a redirect URL, a blocked request (a request whose Referer does not match the whitelist, or a request whose Referer matches the blacklist) receives the HTTP 302 status code with this value in the Location header instead of the HTTP 403 status code. The value must start with http:// or https://, such as http://www.example.com.

    Advanced Settings

    Allow resource URL access from browsers

    If you select this checkbox, requests that have an empty Referer value or no Referer header at all, such as a user entering the resource URL directly in the browser address bar, are allowed regardless of the Referer whitelist or blacklist. Because any client can omit the header, selecting this option also allows scripts and command-line tools that send no Referer, so select it only if direct access to the resource URL is acceptable.

    Exact Match

    Specifies whether to enable exact match for the domain names in the whitelist or blacklist. The rules are the same for both list types.

    • If Exact Match is selected:

      • Only exact match is supported. Suffix match is not supported.

        If you add example.com, only example.com is matched.

        If you add a*b.example.com, a<Any characters>b.example.com is matched.

    • If Exact Match is not selected:

      • Suffix match is supported: a rule matches the domain name itself and any subdomain of it.

        If you add example.com, example.com and <Any characters>.example.com are matched.

        If you add a*b.example.com, a<Any characters>b.example.com and <Any characters>.a<Any characters>b.example.com are matched.

    Ignore Scheme

    Applies to both the Referer whitelist and the Referer blacklist:

    • If you select Ignore Scheme, a Referer value that has no http:// or https:// scheme, such as www.example.com, is still considered valid and is matched against the list.

    • If you do not select Ignore Scheme, a Referer value that has no scheme, such as www.example.com, is considered invalid. Only Referer values that start with http:// or https://, such as https://www.example.com, are valid.

    Rule Condition

    Rule conditions can identify parameters in a request to determine whether a configuration takes effect on the request.

    • Do not use conditions

    • Select the configured rule conditions in Rules Engine. For more information, see Rules engine.

  7. Click OK.
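The following Python model is added here as an illustration; it is not Alibaba Cloud's code and does not appear on the original page. It reproduces the matching rules described in the parameters above (list type, the `*` wildcard, Exact Match versus suffix match, Ignore Scheme, the empty-Referer checkbox and the redirect URL) so that the effect of each option can be worked through against sample Referer values before a live domain is changed. Two points the page leaves open are handled as stated assumptions: an invalid Referer (no scheme while Ignore Scheme is off) is treated as matching no rule, and an empty or missing Referer is decided solely by the browser-access checkbox in both list modes. All names and the sample Referer values are the example's own.

```python
"""Reference model of the Referer matching rules described on this page.

Added example, not Alibaba Cloud code. Assumptions: an invalid Referer
(no scheme, Ignore Scheme off) matches no rule; an empty or missing Referer
is governed only by the browser-access checkbox in both list modes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def _pattern_to_regex(pattern: str, exact_match: bool) -> "re.Pattern[str]":
    # Each "*" matches any run of characters (dots included); the rest is literal.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    if exact_match:
        return re.compile(r"^" + body + r"$", re.IGNORECASE)
    # Suffix match: the rule itself or any subdomain of it. The mandatory dot
    # keeps "notexample.com" from matching a rule for "example.com".
    return re.compile(r"^(?:.*\.)?" + body + r"$", re.IGNORECASE)


@dataclass
class RefererPolicy:
    mode: str                            # "whitelist" or "blacklist"
    rules: List[str]                     # one pattern per Rules line; "*" is a wildcard
    exact_match: bool = False            # unchecked: subdomains of a rule also match
    ignore_scheme: bool = False          # checked: "www.example.com" is still a valid Referer
    allow_empty: bool = False            # "Allow resource URL access from browsers"
    redirect_url: Optional[str] = None   # set: blocked requests get 302 + Location, not 403

    def __post_init__(self) -> None:
        if self.mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self._compiled = [_pattern_to_regex(r, self.exact_match) for r in self.rules]


def referer_host(referer: str, ignore_scheme: bool) -> Optional[str]:
    """Host part of a non-empty Referer, or None if it is invalid because it
    lacks a scheme and Ignore Scheme is not selected."""
    if referer.lower().startswith(("http://", "https://")):
        return urlsplit(referer).hostname
    if ignore_scheme:
        return urlsplit("http://" + referer).hostname   # "www.example.com/x" -> "www.example.com"
    return None


def evaluate(policy: RefererPolicy, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    """Return (status, location): 200 served, 403 blocked, 302 redirected."""
    if not referer:
        # Missing or empty Referer (address-bar access, curl without -e, ...):
        # decided only by the browser-access checkbox (assumption, see module docstring).
        allowed = policy.allow_empty
    else:
        host = referer_host(referer, policy.ignore_scheme)
        # An invalid Referer (host is None) matches no rule (assumption).
        matched = host is not None and any(rx.match(host) for rx in policy._compiled)
        allowed = matched if policy.mode == "whitelist" else not matched
    if allowed:
        return 200, None
    if policy.redirect_url:
        return 302, policy.redirect_url
    return 403, None


def demo() -> dict:
    """Walk the documented cases with constructed Referer values (not captured traffic)."""
    wl = RefererPolicy("whitelist", ["example.com", "a*b.developer.aliyundoc.com"])
    wl_exact = RefererPolicy("whitelist", ["example.com"], exact_match=True)
    wl_lenient = RefererPolicy("whitelist", ["example.com"], ignore_scheme=True,
                               allow_empty=True, redirect_url="http://www.example.com")
    bl = RefererPolicy("blacklist", ["evil.example"])
    return {
        "wl exact domain":       evaluate(wl, "https://example.com/page.html"),
        "wl subdomain (suffix)": evaluate(wl, "https://img.example.com/"),
        "wl not a suffix":       evaluate(wl, "https://notexample.com/"),
        "wl wildcard":           evaluate(wl, "https://a-x-b.developer.aliyundoc.com/"),
        "wl no scheme":          evaluate(wl, "www.example.com"),
        "wl empty":              evaluate(wl, None),
        "exact: subdomain":      evaluate(wl_exact, "https://img.example.com/"),
        "lenient: no scheme":    evaluate(wl_lenient, "www.example.com"),
        "lenient: empty":        evaluate(wl_lenient, None),
        "lenient: redirected":   evaluate(wl_lenient, "https://other.example/"),
        "bl listed":             evaluate(bl, "https://evil.example/"),
        "bl subdomain":          evaluate(bl, "https://cdn.evil.example/"),
        "bl unlisted":           evaluate(bl, "https://good.example/"),
    }


if __name__ == "__main__":
    for case, (status, location) in demo().items():
        print(f"{case:24s} -> {status}" + (f"  Location: {location}" if location else ""))
```

Running the block prints one line per case. The "wl not a suffix" case shows why suffix matching needs a dot boundary: notexample.com must not satisfy a rule for example.com. The "wl no scheme" and "lenient: no scheme" pair shows what Ignore Scheme changes. Note that a forged header, for example curl with the --referer option set to a whitelisted origin, passes exactly as a browser's request would, which is the limitation stated in the introduction.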