ApsaraVideo Live allows you to implement access control by configuring a Referer blacklist or whitelist, User-Agent blacklist or whitelist, and IP address blacklist or whitelist. This topic describes the access control feature of ApsaraVideo Live, the scenarios in which you can use this feature, and how to configure it.
Overview
The access control feature allows you to configure access policies on the cloud to provide basic protection for video resources. The access control feature has a low learning curve and immediately takes effect. The feature requires only simple configuration on the cloud. No additional development is required. The regular access control policies include:
Referer blacklist or whitelist
User-Agent blacklist or whitelist
IP address blacklist or whitelist
You cannot configure a User-Agent blacklist or whitelist in the ApsaraVideo Live console due to cumbersome configuration and the risk of misoperation. If you need to configure a User-Agent blacklist or whitelist, submit a ticket to contact Alibaba Cloud technical support. For more information, see Contact us.
Scenarios
The access control feature requires only simple configuration, which makes the feature easy to use. The access control feature can provide basic protection, especially for access from web browsers.
Both Referer and User-Agent blacklists or whitelists are based on HTTP headers, which clients can freely set or forge, so they provide only a low level of security.
An IP address blacklist or whitelist has its limitations in terms of the management of a large number of users, and therefore is not suitable for large-scale content distribution.
Referer blacklist or whitelist
Overview
The Referer header is the HTTP mechanism for identifying the page from which a request originates. You can configure a Referer blacklist or whitelist to identify and filter requests by that origin. This allows you to control access to video resources.
After a request is sent to an Alibaba Cloud CDN point of presence (POP), the POP authenticates the request based on the preset Referer whitelist or blacklist. If the request passes the authentication, the video data is returned. Otherwise, the HTTP status code 403 is returned.
By default, no Referer blacklist or whitelist is enabled. You can configure a Referer blacklist or whitelist based on your business requirements.
When you configure a Referer blacklist or whitelist, wildcard domain names are supported. For example, if you specify example.com, the Referer blacklist or whitelist takes effect for the wildcard domain name *.example.com, which includes all its subdomain names.
You can specify whether to allow requests that have an empty Referer header. If you allow these requests, users can directly access resources by entering the resource URLs in the address bar of a browser.
Configuration methods
Console: For more information, see Configure hotlink protection.
API: Call the BatchSetLiveDomainConfigs operation to configure multiple domain names at a time, including configuration of the Referer blacklist or whitelist.
Add the dependency for the Java SDK to the pom.xml file.
<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>alibabacloud-live20161101</artifactId>
    <version>2.0.3</version>
</dependency>

Sample code for configuring Referer-based hotlink protection:
// This file is auto-generated, don't edit it. Thanks.
package demo;

import com.aliyun.auth.credentials.Credential;
import com.aliyun.auth.credentials.provider.StaticCredentialProvider;
import com.aliyun.core.http.HttpClient;
import com.aliyun.core.http.HttpMethod;
import com.aliyun.core.http.ProxyOptions;
import com.aliyun.httpcomponent.httpclient.ApacheAsyncHttpClientBuilder;
import com.aliyun.sdk.service.live20161101.models.*;
import com.aliyun.sdk.service.live20161101.*;
import com.google.gson.Gson;
import darabonba.core.RequestConfiguration;
import darabonba.core.client.ClientOverrideConfiguration;
import darabonba.core.utils.CommonUtil;
import darabonba.core.TeaPair;
//import javax.net.ssl.KeyManager;
//import javax.net.ssl.X509TrustManager;
import java.net.InetSocketAddress;
import java.time.Duration;
import java.util.*;
import java.util.concurrent.CompletableFuture;
import java.io.*;

public class BatchSetLiveDomainConfigs {
    public static void main(String[] args) throws Exception {
        // HttpClient Configuration
        /*HttpClient httpClient = new ApacheAsyncHttpClientBuilder()
                .connectionTimeout(Duration.ofSeconds(10)) // Set the connection timeout time, the default is 10 seconds
                .responseTimeout(Duration.ofSeconds(10)) // Set the response timeout time, the default is 20 seconds
                .maxConnections(128) // Set the connection pool size
                .maxIdleTimeOut(Duration.ofSeconds(50)) // Set the connection pool timeout, the default is 30 seconds
                // Configure the proxy
                .proxy(new ProxyOptions(ProxyOptions.Type.HTTP, new InetSocketAddress("<YOUR-PROXY-HOSTNAME>", 9001))
                        .setCredentials("<YOUR-PROXY-USERNAME>", "<YOUR-PROXY-PASSWORD>"))
                // If it is an https connection, you need to configure the certificate, or ignore the certificate(.ignoreSSL(true))
                .x509TrustManagers(new X509TrustManager[]{})
                .keyManagers(new KeyManager[]{})
                .ignoreSSL(false)
                .build();*/

        // Configure Credentials authentication information, including ak, secret, token
        StaticCredentialProvider provider = StaticCredentialProvider.create(Credential.builder()
                // Please ensure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are set.
                .accessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                .accessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
                //.securityToken(System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN")) // use STS token
                .build());

        // Configure the Client
        AsyncClient client = AsyncClient.builder()
                .region("<Your RegionId>") // Region ID
                //.httpClient(httpClient) // Use the configured HttpClient, otherwise use the default HttpClient (Apache HttpClient)
                .credentialsProvider(provider)
                //.serviceConfiguration(Configuration.create()) // Service-level configuration
                // Client-level configuration rewrite, can set Endpoint, Http request parameters, etc.
                .overrideConfiguration(
                        ClientOverrideConfiguration.create()
                                // The service endpoint. Refer to https://api.alibabacloud.com/product/live.
                                .setEndpointOverride("live.aliyuncs.com")
                        //.setConnectTimeout(Duration.ofSeconds(30))
                )
                .build();

        // Parameter settings for API request
        BatchSetLiveDomainConfigsRequest batchSetLiveDomainConfigsRequest = BatchSetLiveDomainConfigsRequest.builder()
                .domainNames("<Your DomainNames>")
                .functions("<Your Functions>")
                // Request-level configuration rewrite, can set Http request parameters, etc.
                // .requestConfiguration(RequestConfiguration.create().setHttpHeaders(new HttpHeaders()))
                .build();

        // Asynchronously get the return value of the API request
        CompletableFuture<BatchSetLiveDomainConfigsResponse> response = client.batchSetLiveDomainConfigs(batchSetLiveDomainConfigsRequest);
        // Synchronously get the return value of the API request
        BatchSetLiveDomainConfigsResponse resp = response.get();
        System.out.println(new Gson().toJson(resp));
        // Asynchronous processing of return values
        /*response.thenAccept(resp -> {
            System.out.println(new Gson().toJson(resp));
        }).exceptionally(throwable -> { // Handling exceptions
            System.out.println(throwable.getMessage());
            return null;
        });*/

        // Finally, close the client
        client.close();
    }
}

Note: In the preceding sample code, the DomainNames parameter specifies the streaming domain for which the Referer whitelist is configured, and the Functions parameter carries the whitelist settings: the referer_white_domain_list field specifies the domain names that you want to add to the Referer whitelist, and the allow_empty parameter is set to off, which specifies that an empty Referer header is not allowed.
For information about the server SDK for Java, see Use the server SDK for Java.
Usage notes
Important: The blacklist and whitelist are mutually exclusive and cannot be used at the same time.
By default, mobile clients allow access requests that have an empty Referer header. If you want to deny requests with an empty Referer header, you can configure a trusted Referer header for mobile clients by using ApsaraVideo Player.
If you deny requests that have an empty Referer header, you must configure HTTPS secure acceleration and URL redirection to forcibly redirect requests from HTTP to HTTPS. URL redirection helps prevent access failures that occur because browsers omit the Referer header when a request for an HTTP resource is sent from an HTTPS page.
Example
You configure a Referer whitelist that includes example.com for the streaming domain demo.developer.aliyundoc.com and deny requests that have an empty Referer header.
Sample request:
curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000'
Sample error response:
X-Tengine-Error:denied by Referer ACL
Sample request with the trusted Referer header:
curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000' \
  -H 'Referer: http://www.example.com'
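The following Python model of the Referer check described above (wildcard subdomain matching, the allow_empty switch, the 403 response with the X-Tengine-Error header, and the browser rule that makes HTTP-to-HTTPS redirection necessary) is an added example written for this page; it is not ApsaraVideo Live code, and the policy dictionary and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy that mirrors the page's example: a Referer whitelist
# containing example.com with allow_empty off. Blacklist mode reuses the same
# matcher with the verdict inverted; a domain is in one mode only.
POLICY = {"mode": "white", "domains": ["example.com"], "allow_empty": False}


def referer_host(referer):
    """Host part of the Referer URL, or None when the header is absent or empty."""
    if not referer:
        return None
    host = urlsplit(referer if "//" in referer else "//" + referer).hostname
    return host.lower() if host else None


def domain_matches(host, configured):
    """A configured 'example.com' covers example.com and every *.example.com subdomain."""
    base = configured.lower().lstrip("*.")
    return host == base or host.endswith("." + base)


def evaluate(policy, referer):
    """Return (status, headers) as the CDN POP would answer for this Referer value."""
    if policy["mode"] not in ("white", "black"):
        raise ValueError("mode must be 'white' or 'black'; the lists are mutually exclusive")
    host = referer_host(referer)
    if host is None:
        allowed = policy["allow_empty"]
    else:
        listed = any(domain_matches(host, d) for d in policy["domains"])
        allowed = listed if policy["mode"] == "white" else not listed
    if allowed:
        return 200, {}
    return 403, {"X-Tengine-Error": "denied by Referer ACL"}


def browser_referer(page_url, resource_url):
    """Model the browser downgrade rule: no Referer is sent from an HTTPS page to an
    HTTP resource, which is why the page tells you to force HTTP -> HTTPS redirection
    whenever empty Referer headers are denied."""
    if urlsplit(page_url).scheme == "https" and urlsplit(resource_url).scheme == "http":
        return None
    return page_url
```

Feeding the result of browser_referer into evaluate shows the failure mode from the usage notes: an HTTPS player page embedding the HTTP stream URL is rejected with 403 even though its domain is on the whitelist.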
User-Agent blacklist or whitelist
Overview
The User-Agent header is a characteristic string that allows servers to identify the operating system and browser information. You can configure a User-Agent blacklist or whitelist to control access from specific browsers or devices.
Configuration methods
To configure a User-Agent blacklist or whitelist, submit a ticket to contact Alibaba Cloud technical support. For more information, see Contact us.
Example
Sample User-Agent header indicating that the request comes from Internet Explorer 9 on a PC:
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Sample request with a User-Agent header:
curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000' \
  -H 'User-Agent: iPhone OS;MI 5'
IP address blacklist or whitelist
Overview
ApsaraVideo Live allows you to configure an IP address blacklist or whitelist to deny or allow only access from specific IP addresses.
If an IP address blacklist is configured, the IP addresses in the blacklist are not allowed to access the accelerated domain name.
If an IP address whitelist is configured, only IP addresses in the whitelist can access the accelerated domain name.
You can add a list of IP addresses or a CIDR block.
For example, you can add 127.0.0.0/24 to the IP address blacklist or whitelist. "/24" is the subnet mask, indicating that the first 24 bits of the 32-bit address are the network portion of the block and the remaining 8 bits are the host portion. Because the subnet can accommodate 254 (calculated from 2^8 - 2) hosts, the specified IP addresses are 127.0.0.0 to 127.0.0.254.
Configuration methods
Console: For more information, see Configure an IP address blacklist or whitelist.
API: Call the BatchSetLiveDomainConfigs operation to configure multiple domain names at a time, including configuration of the IP address blacklist or whitelist.
The following sample code provides an example on how to configure an IP address whitelist by using the server SDK for Java:
// This file is auto-generated, don't edit it. Thanks.
package demo;

import com.aliyun.auth.credentials.Credential;
import com.aliyun.auth.credentials.provider.StaticCredentialProvider;
import com.aliyun.core.http.HttpClient;
import com.aliyun.core.http.HttpMethod;
import com.aliyun.core.http.ProxyOptions;
import com.aliyun.httpcomponent.httpclient.ApacheAsyncHttpClientBuilder;
import com.aliyun.sdk.service.live20161101.models.*;
import com.aliyun.sdk.service.live20161101.*;
import com.google.gson.Gson;
import darabonba.core.RequestConfiguration;
import darabonba.core.client.ClientOverrideConfiguration;
import darabonba.core.utils.CommonUtil;
import darabonba.core.TeaPair;
//import javax.net.ssl.KeyManager;
//import javax.net.ssl.X509TrustManager;
import java.net.InetSocketAddress;
import java.time.Duration;
import java.util.*;
import java.util.concurrent.CompletableFuture;
import java.io.*;

public class BatchSetLiveDomainConfigs {
    public static void main(String[] args) throws Exception {
        // HttpClient Configuration
        /*HttpClient httpClient = new ApacheAsyncHttpClientBuilder()
                .connectionTimeout(Duration.ofSeconds(10)) // Set the connection timeout time, the default is 10 seconds
                .responseTimeout(Duration.ofSeconds(10)) // Set the response timeout time, the default is 20 seconds
                .maxConnections(128) // Set the connection pool size
                .maxIdleTimeOut(Duration.ofSeconds(50)) // Set the connection pool timeout, the default is 30 seconds
                // Configure the proxy
                .proxy(new ProxyOptions(ProxyOptions.Type.HTTP, new InetSocketAddress("<YOUR-PROXY-HOSTNAME>", 9001))
                        .setCredentials("<YOUR-PROXY-USERNAME>", "<YOUR-PROXY-PASSWORD>"))
                // If it is an https connection, you need to configure the certificate, or ignore the certificate(.ignoreSSL(true))
                .x509TrustManagers(new X509TrustManager[]{})
                .keyManagers(new KeyManager[]{})
                .ignoreSSL(false)
                .build();*/

        // Configure Credentials authentication information, including ak, secret, token
        StaticCredentialProvider provider = StaticCredentialProvider.create(Credential.builder()
                // Please ensure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are set.
                .accessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                .accessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
                //.securityToken(System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN")) // use STS token
                .build());

        // Configure the Client
        AsyncClient client = AsyncClient.builder()
                .region("<Your RegionId>") // Region ID
                //.httpClient(httpClient) // Use the configured HttpClient, otherwise use the default HttpClient (Apache HttpClient)
                .credentialsProvider(provider)
                //.serviceConfiguration(Configuration.create()) // Service-level configuration
                // Client-level configuration rewrite, can set Endpoint, Http request parameters, etc.
                .overrideConfiguration(
                        ClientOverrideConfiguration.create()
                                // The service endpoint. Refer to https://api.alibabacloud.com/product/live.
                                .setEndpointOverride("live.aliyuncs.com")
                        //.setConnectTimeout(Duration.ofSeconds(30))
                )
                .build();

        // Parameter settings for API request
        BatchSetLiveDomainConfigsRequest batchSetLiveDomainConfigsRequest = BatchSetLiveDomainConfigsRequest.builder()
                .domainNames("<Your DomainNames>")
                .functions("<Your Functions>")
                // Request-level configuration rewrite, can set Http request parameters, etc.
                // .requestConfiguration(RequestConfiguration.create().setHttpHeaders(new HttpHeaders()))
                .build();

        // Asynchronously get the return value of the API request
        CompletableFuture<BatchSetLiveDomainConfigsResponse> response = client.batchSetLiveDomainConfigs(batchSetLiveDomainConfigsRequest);
        // Synchronously get the return value of the API request
        BatchSetLiveDomainConfigsResponse resp = response.get();
        System.out.println(new Gson().toJson(resp));
        // Asynchronous processing of return values
        /*response.thenAccept(resp -> {
            System.out.println(new Gson().toJson(resp));
        }).exceptionally(throwable -> { // Handling exceptions
            System.out.println(throwable.getMessage());
            return null;
        });*/

        // Finally, close the client
        client.close();
    }
}

Note: In the preceding sample code, the DomainNames parameter specifies the streaming domain for which the whitelist is configured, and the Functions parameter carries the whitelist settings, which add the IP addresses in the 127.0.0.0/24 CIDR block to the whitelist.
For information about the server SDK for Java, see Use the server SDK for Java.
Usage notes
Important: The blacklist and whitelist are mutually exclusive and cannot be used at the same time.
You can add up to 1,000 IPv6 addresses or 3,000 IPv4 addresses. IPv6 addresses are not case-sensitive. The notation of an IPv6 address cannot be shortened.
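The following Python model of the IP address check described in this section (single addresses and CIDR blocks, the mutually exclusive blacklist and whitelist modes, the entry limits and the unshortened IPv6 notation from the usage notes, and the 2^8 - 2 host count used for 127.0.0.0/24) is an added example written for this page; it is not ApsaraVideo Live code, and the function names and limits constant are constructed for illustration.

```python
import ipaddress

# Limits taken from the page's usage notes: at most 3,000 IPv4 or 1,000 IPv6 entries.
MAX_IPV4, MAX_IPV6 = 3000, 1000


def parse_acl(entries):
    """Parse single addresses and CIDR blocks into network objects.
    A bare address becomes a /32 (IPv4) or /128 (IPv6); a CIDR with host bits set
    (for example 127.0.0.5/24) is rejected so an ambiguous entry never reaches the list."""
    nets = [ipaddress.ip_network(e.strip()) for e in entries]
    if sum(n.version == 4 for n in nets) > MAX_IPV4 or sum(n.version == 6 for n in nets) > MAX_IPV6:
        raise ValueError("ACL exceeds the 3,000 IPv4 / 1,000 IPv6 entry limits")
    return nets


def normalize_ipv6(addr):
    """Full, unshortened notation for an IPv6 entry, as the page requires
    (letter case does not matter; the '::' shorthand is not accepted)."""
    return ipaddress.IPv6Address(addr).exploded


def acl_allows(mode, entries, client_ip):
    """True when client_ip may access the accelerated domain.
    mode is 'black' (listed addresses are denied) or 'white' (only listed addresses
    are allowed); the two lists are mutually exclusive, so exactly one mode applies."""
    if mode not in ("black", "white"):
        raise ValueError("mode must be 'black' or 'white'")
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in net for net in parse_acl(entries))
    return listed if mode == "white" else not listed


def usable_hosts(cidr):
    """Host count the way the page computes it for 127.0.0.0/24: 2^(address bits - prefix) - 2."""
    net = ipaddress.ip_network(cidr)
    return 2 ** (net.max_prefixlen - net.prefixlen) - 2
```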