Overview

To prevent data stored in Alibaba Cloud Object Storage Service (OSS) from being hotlinked by others, configure a Referer whitelist in the hotlink protection feature of the OSS console. Only requests whose Referer matches a domain name in the whitelist can access resources in the bucket. This topic provides configuration examples for OSS hotlink protection and solutions to common problems.

Details

OSS hotlink protection can be configured by setting bucket attributes in the OSS console or by using the OSS SDK. For more information about hotlink protection, see Hotlink protection.

OSS hotlink protection configuration example

Take the domain name help.example.com as an example. Hotlink protection is configured as follows:

  • Set the Referer whitelist and do not allow an empty Referer.
    Note: If an empty Referer is not allowed but the Referer whitelist is empty, the Referer field is not checked at all, so the setting has no effect. Therefore, you must set the Referer whitelist.
    • Setting method:
      For more information, see Set hotlink protection. In the hotlink protection section, turn off Allow Empty Referer so that requests with an empty Referer are rejected. In the Referer box, set the Referer whitelist as follows:
      • If the Referer whitelist is set to http://help.example.com/index.html, other web pages such as http://help.example.com/logo.html become inaccessible, because OSS checks the Referer by prefix match. Therefore, configure the Referer whitelist as http://help.example.com/ instead.
      • If other domain names also need access, for example http://example.help.example.com/index.html, add http://*.help.example.com/ to the Referer whitelist.

    • Hotlink protection effect:
      • Access http://[$Bucket_URL]/index.html: the Referer is empty and a 403 error code is returned.
        Note:
        • [$Bucket_URL] is the endpoint of the object in the bucket.
        • Requests with an empty Referer are not allowed, so a 403 error code is returned.
      • Access http://help.example.com/logo.html: the request comes from the origin site and succeeds.
      • Access http://help.example123.com/index.html: the request comes from a hotlinking website. OSS returns a 403 error, so hotlink protection works.
      • Access http://example.help.example.com/index.html: the request comes from a third-level domain name of the origin site and succeeds.
        Note: If the Referer whitelist contains only http://help.example.com/, the third-level domain name does not match the whitelist, and OSS returns a 403 error code when the browser accesses the object from the third-level domain name.
  • Set the Referer whitelist and allow an empty Referer.
    • Setting method:
      For more information, see Set hotlink protection. In the hotlink protection section, turn on Allow Empty Referer, and in the Referer box set the Referer whitelist as follows:
      http://help.example.com/
      http://*.help.example.com/
    • Hotlink protection effect:
      • Access http://[$Bucket_URL]/index.html: the Referer is empty and the access succeeds.
      • Access http://help.example.com/logo.html: the request comes from the origin site and succeeds.
      • Access http://help.example123.com/index.html: the request comes from a hotlinking website. OSS returns a 403 error, so hotlink protection works.
      • Access http://example.help.example.com/index.html: the request comes from a third-level domain name of the origin site and succeeds.

FAQ

If you cannot access OSS resources after hotlink protection is set, check the value of the Referer header in the browser to verify the configuration. For example, press F12 in Chrome to open Developer Tools, view the Referer carried by the specific request on the Network tab, and check whether it matches the Referer whitelist configured in OSS. If they do not match, check the hotlink protection configuration and configure it again. For more information, see Precautions for OSS hotlink protection configuration.

Note: If you have configured the Referer whitelist and an access exception occurs, check the Referer sent by the browser and add the corresponding link to the hotlink protection configuration.

  • Question 1: OSS resources can still be obtained by using the curl command after hotlink protection is configured.
    • Cause: The whitelist may not take effect after hotlink protection is configured on OSS for the following reasons:
      • The bucket ACL is public-read-write.
      • If Alibaba Cloud CDN (Content Delivery Network) is used to accelerate the resources, CDN may be enabled without a Referer configured on CDN.
    • Solution: If hotlink protection does not take effect after it is configured on OSS, do the following:
      1. Check whether the bucket ACL is public-read-write. We recommend that you change it to private.
      2. Check whether CDN is enabled. The Referer setting on Alibaba Cloud CDN must not be empty, and its hotlink protection list must be the same as that of OSS. For more information about how to configure Referer hotlink protection on Alibaba Cloud CDN, see Configure Referer hotlink protection.
        Note: If you use Alibaba Cloud CDN acceleration, we recommend that you configure the Referer check on CDN. If the check is configured only in OSS, the first request that CDN sends back to OSS carries a valid Referer, and the returned file is cached on CDN. Subsequent requests are then served from the CDN cache even if they carry no Referer. Therefore, we recommend that you configure the check on CDN.
      3. If the problem persists, see the solution for access to Alibaba Cloud CDN returning a 403 error due to a hotlink protection exception.
        Note: When you debug the OSS Referer configuration, first exclude the impact of Alibaba Cloud CDN and debug the OSS Referer, and then debug the CDN Referer.
  • Question 2: When the Referer is incorrectly configured, HTTP access returns a 403 error and OSS reports the error "You are denied by bucket referer policy."
    If an empty Referer is not allowed, only requests whose Referer is in the whitelist are allowed; access from other Referers is blocked. When you directly request the image URL in the browser, the Referer is empty, so the request fails with a 403 error. If you do not have special requirements, you can change the setting to Allow Empty Referer. For more information, see A "You are denied by bucket referer policy" error occurs when you access OSS resources after you set up OSS hotlink protection.
  • Question 3: *.example.com matches the second-level domain names, but example.com itself does not match, and adding a separate line for example.com has no effect. How do I configure it?
    A Referer usually includes the scheme, such as http:// or https://. Check the Referer of the request in Chrome developer mode and configure the whitelist accordingly; http:// or https:// must be included in the entry.
  • Question 4: What do I do if the hotlink protection settings do not take effect?
    Check the Referer header in the browser to verify the configuration. For example, press F12 in Chrome to open Developer Tools, view the Referer carried by the specific request on the Network tab, and check whether it matches the Referer whitelist configured in OSS. For more information, see How to verify whether OSS Referer hotlink protection takes effect.
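The note in Question 1 about CDN caching can be shown with a small simulation. The following Python code is an added example, not code from this page or from Alibaba Cloud, and uses a constructed whitelist and a constructed object: an origin that stands in for the OSS bucket (rejects an empty Referer, prefix-matches the whitelist) sits behind a CDN edge that caches successful responses. With the Referer check only at the origin, the first legitimate request fills the cache and a later request with no Referer is served from it; with the check also at the edge, that request is denied.

```python
from dataclasses import dataclass, field

# Constructed Referer whitelist, using the page's example domain.
WHITELIST = ("http://help.example.com/",)


def referer_ok(referer: str) -> bool:
    """Simplified model of the OSS check: an empty Referer is rejected,
    otherwise the Referer must start with a whitelist entry (prefix match)."""
    return bool(referer) and any(referer.startswith(p) for p in WHITELIST)


@dataclass
class Origin:
    """Stands in for the OSS bucket with hotlink protection enabled."""
    objects: dict

    def get(self, key: str, referer: str):
        if not referer_ok(referer):
            return 403, "You are denied by bucket referer policy."
        if key not in self.objects:
            return 404, ""
        return 200, self.objects[key]


@dataclass
class Cdn:
    """Stands in for a CDN edge in front of the bucket."""
    origin: Origin
    check_referer_at_edge: bool
    cache: dict = field(default_factory=dict)

    def get(self, key: str, referer: str):
        if self.check_referer_at_edge and not referer_ok(referer):
            return 403, "denied by CDN Referer rule"
        if key in self.cache:
            # Cache hit: the origin, and therefore its Referer check, is never consulted.
            return 200, self.cache[key]
        status, body = self.origin.get(key, referer)
        if status == 200:
            self.cache[key] = body
        return status, body


def simulate(check_referer_at_edge: bool):
    """Return the status codes of a legitimate request followed by a
    Referer-less request for the same object."""
    cdn = Cdn(Origin({"logo.png": b"\x89PNG constructed"}), check_referer_at_edge)
    first, _ = cdn.get("logo.png", "http://help.example.com/index.html")
    second, _ = cdn.get("logo.png", "")
    return first, second


if __name__ == "__main__":
    print("Referer check on OSS only:", simulate(False))  # (200, 200): cached copy served without Referer
    print("Referer check on CDN too :", simulate(True))   # (200, 403)
```

The second result pair is the behaviour the page recommends; the first is why debugging should start with the CDN taken out of the path.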

References

Introduction to Referer

OSS hotlink protection is implemented by using the Referer header, so it is also referred to as Referer (or referrer) protection. For more information about the Referer header and its configuration, see Hotlink protection. The Referer header is explained as follows:

  • What is a Referer
    The Referer is part of the HTTP request header and indicates the page that the browser visited previously. It can be understood as the link on the previously visited page that brought the browser to the current page.
  • Functions of Referer
    • Hotlink protection: for example, when a website accesses its own image server, the image server uses the Referer to determine whether the request comes from its own domain name. If it does, the access continues; if it does not, the request is blocked.
    • Data statistics: for example, statistics on which links users came from.
  • When the Referer is empty
    An empty Referer means that the Referer header in the HTTP request is empty or that the request does not include a Referer header at all. The Referer field is considered empty in either of the following cases:
    • The resource is not accessed by clicking a link. For example, the address is entered directly in the browser to open the page.
    • An unencrypted HTTP page is accessed from a link on an HTTPS page. In this case the browser does not send the Referer, so it cannot be checked on the HTTP page.

Precautions for OSS hotlink protection configuration

When you configure hotlink protection, pay attention to the following items. For more information, see Configure hotlink protection.

  • OSS hotlink protection configuration includes the following two parts:
    • Specifies whether to allow requests with an empty Referer field.
    • Referer Whitelist
  • Note the following points in OSS hotlink protection configurations:
    • Hotlink protection-based verification is required only when you access an object anonymously or by using a signed URL. Hotlink protection-based verification is not required if the request header contains the Authorization field.
    • OSS allows you to add multiple domain names to the Referer whitelist. These domain names are separated by commas (,).
    • The Referer field value can include asterisks (*) and question marks (?) as wildcards.
    • You can configure whether the request that includes the empty Referer field is allowed.
    • If the Referer whitelist is left empty, all requests are allowed regardless of whether the Referer field is left empty in the request.
    • If the Referer whitelist is specified and Allow Empty Referer is turned off, only requests that include domain names added to the Referer whitelist are allowed. Other requests, including requests with an empty Referer field, are rejected.
    • If the Referer whitelist is specified and Allow Empty Referer is turned on, OSS allows requests whose Referer fields are left empty and requests whose Referer fields are included in the Referer whitelist as required, and rejects all other requests.
    • Hotlink protection-based verification is required when the ACL of a bucket is Private, Public Read, or Public Read/Write.
  • Wildcard description:
    • Asterisk (*): used to replace zero or multiple characters. If you are looking for an object whose name is prefixed with AEW but have forgotten the remaining part, you can enter AEW* to search for all objects whose names start with AEW, such as AEWT.txt, AEWU.EXE, or AEWI.dll. To narrow down the search scope, you can enter AEW*.txt to search for all .txt objects whose names start with AEW, such as AEWIP.txt and AEWDF.txt.
    • Question mark (?): used to replace one character. For example, you can enter love? to search for all objects whose names start with love and end with one character, such as lovey and lovei. To narrow down the search scope, you can enter love?.doc to search for all .doc objects whose names start with love and end with one character, such as lovey.doc and loveh.doc.
  • Typical configurations are described as follows:
    • All requests are allowed to access a bucket.

      • Allow Empty Referer: Turn on this feature to allow requests that include empty Referer fields.
      • Referer Whitelist: Leave it empty.
    • Requests with specified Referer fields or requests without Referer fields can access a bucket.

      • Allow Empty Referer: Turn off this feature so that requests with empty Referer fields are not allowed.
      • Referer Whitelist: http://*.oss-cn-beijing.aliyuncs.com and http://*.aliyun.com.
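To make the matching rules concrete, both for the help.example.com configuration example earlier on this page and for the precautions and wildcard descriptions in this section, the following Python model (an added example, not code from this page or from Alibaba Cloud) implements the decision as the page describes it: an empty whitelist disables the check, an empty Referer is accepted only when Allow Empty Referer is on, whitelist entries are matched as prefixes, and * and ? are wildcards. It then walks the page's help.example.com scenarios and the typical configuration above. The domain names are the page's own examples; the assumption that * may span any character including a slash is this model's, and the exact OSS behaviour should be confirmed against the product documentation.

```python
import re


def whitelist_entry_to_regex(entry: str) -> "re.Pattern[str]":
    """Translate one Referer whitelist entry into an anchored regular expression.

    '*' stands for zero or more characters and '?' for exactly one character, as
    the wildcard description says; everything else is literal. Only the start is
    anchored, because OSS matches the entry as a prefix of the request Referer
    (so http://help.example.com/ also admits .../logo.html).
    Assumption of this model: '*' may span any character, including '/'.
    """
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts))


def referer_allowed(referer: str, whitelist: list, allow_empty: bool) -> bool:
    """Model of the OSS hotlink protection decision.

    - Empty whitelist: the Referer is not checked at all, every request passes.
    - Empty Referer: allowed only when Allow Empty Referer is on.
    - Otherwise: allowed when some whitelist entry matches the Referer.
    """
    if not whitelist:
        return True
    if not referer:
        return allow_empty
    return any(whitelist_entry_to_regex(e).match(referer) for e in whitelist)


def decide(referer: str, whitelist: list, allow_empty: bool) -> str:
    """HTTP-style verdict as a short string, handy for walking through scenarios."""
    if referer_allowed(referer, whitelist, allow_empty):
        return "200 OK"
    return "403 You are denied by bucket referer policy."


# Scenarios taken from the page's configuration example (help.example.com).
EXAMPLE_WHITELIST = ["http://help.example.com/", "http://*.help.example.com/"]
SCENARIOS = [
    ("", "direct access to the bucket URL, empty Referer"),
    ("http://help.example.com/logo.html", "page on the origin site"),
    ("http://help.example123.com/index.html", "hotlinking site"),
    ("http://example.help.example.com/index.html", "third-level domain of the origin"),
]

# Typical configuration from the precautions section.
TYPICAL_WHITELIST = ["http://*.oss-cn-beijing.aliyuncs.com", "http://*.aliyun.com"]

if __name__ == "__main__":
    for allow_empty in (False, True):
        print(f"\nAllow Empty Referer = {allow_empty}")
        for referer, what in SCENARIOS:
            print(f"  {what:45s} Referer={referer!r:48s} -> "
                  f"{decide(referer, EXAMPLE_WHITELIST, allow_empty)}")
    # An entry that names one page is a prefix for that page only.
    print("\nwhitelist http://help.example.com/index.html, Referer logo.html ->",
          decide("http://help.example.com/logo.html",
                 ["http://help.example.com/index.html"], False))
    # Question 3: the scheme is part of the prefix, so https does not match an http entry.
    print("https Referer against http entry ->",
          decide("https://www.aliyun.com/doc", TYPICAL_WHITELIST, False))
```

Running the script reproduces the 403/200 outcomes listed in the configuration example for both Allow Empty Referer settings, and the last two lines show the two pitfalls the FAQ raises: a whitelist entry that ends in a file name only admits that file, and an entry with http:// does not admit an https:// Referer.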

References

For more information about how to troubleshoot other errors, see Troubleshoot 403 status code when accessing OSS.

Applicable scope

  • Object Storage Service (OSS)