
Object Storage Service:Hotlink protection (Go SDK V2)

Last Updated:Aug 02, 2025

You can use the Alibaba Cloud OSS Go SDK to configure access rules based on the Referer request header. These rules allow you to set a Referer whitelist, a Referer blacklist, and specify whether to allow requests with empty Referer headers. This configuration helps you block access from specific Referer headers, prevent other websites from hotlinking your resources, and avoid unnecessary increases in traffic fees. Because the Referer header is set by the client and can be omitted or forged, treat these rules as a hotlinking deterrent and not as access control for private data.

Precautions

  • Before you configure hotlink protection, make sure that you understand this feature. For more information, see Hotlink protection.

  • The sample code in this topic uses the China (Hangzhou) region (cn-hangzhou) and a public endpoint by default. If you access OSS from other Alibaba Cloud services in the same region, use an internal endpoint. For more information about the mappings between OSS regions and endpoints, see OSS regions and endpoints.

  • The sample code in this topic shows how to obtain access credentials from environment variables. For more information about how to configure access credentials, see Configure access credentials.

  • To set or clear hotlink protection, you must have the oss:PutBucketReferer permission. To retrieve the hotlink protection configuration, you must have the oss:GetBucketReferer permission. For more information, see Grant custom permissions to a RAM user.

Sample code

Set hotlink protection

You can use the following code to set hotlink protection.

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

// Command-line settings. init binds them to the -region and -bucket flags,
// and main rejects either one if it is still empty after flag.Parse.
var region string     // Value of the -region flag.
var bucketName string // Value of the -bucket flag.

// init registers the -region and -bucket flags on the default flag set.
// Both default to the empty string; main treats an empty value as an error.
func init() {
	fs := flag.CommandLine
	fs.StringVar(&region, "region", "", "The region in which the bucket is located.")
	fs.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}

// main writes a Referer (hotlink protection) configuration to the bucket given
// by -bucket in the region given by -region, then logs the SDK result.
//
// Notes for anyone adapting this sample:
//   - The Referer header is chosen by the client and can be omitted or forged.
//     These rules deter hotlinking; they do not replace ACLs, bucket policies
//     or signed URLs for objects that must stay private.
//   - AllowEmptyReferer is true below, so requests that carry no Referer header
//     are allowed. Set it to false if such requests should be rejected.
//   - Whitelist entries accept the * and ? wildcards; keep them as narrow as
//     the sites you actually serve.
func main() {
	flag.Parse()

	// Both flags are required; the bucket name is validated first.
	if bucketName == "" {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}
	if region == "" {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables, so no secret is
	// embedded in the source.
	cfg := oss.LoadDefaultConfig()
	cfg = cfg.WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider())
	cfg = cfg.WithRegion(region)
	client := oss.NewClient(cfg)

	// Referer whitelist. The * and ? wildcard characters are supported.
	// NOTE(review): the doubled "www.www" in the third entry looks like a typo
	// in the sample; confirm the intended host before reusing it.
	allowed := []string{
		"http://www.aliyun.com",
		"https://www.aliyun.com",
		"https://www.www.alibabacloud.com/help",
		"http://www.?.aliyuncs.com",
	}

	// Referer blacklist.
	denied := []string{
		"http://www.refuse.com",
		"https://*.hack.com",
		"http://ban.*.com",
		"https://www.?.deny.com",
	}

	refererCfg := &oss.RefererConfiguration{
		AllowEmptyReferer: oss.Ptr(true),
		RefererList:       &oss.RefererList{Referers: allowed},
		RefererBlacklist:  &oss.RefererBlacklist{Referers: denied},
	}
	request := &oss.PutBucketRefererRequest{
		Bucket:               oss.Ptr(bucketName),
		RefererConfiguration: refererCfg,
	}

	// Send the configuration; any SDK error ends the program.
	result, err := client.PutBucketReferer(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to put bucket referer %v", err)
	}
	log.Printf("put bucket referer result:%#v\n", result)
}

Get hotlink protection settings

You can use the following code to retrieve the hotlink protection configuration.

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

// Command-line settings. init binds them to the -region and -bucket flags,
// and main rejects either one if it is still empty after flag.Parse.
var region string     // Value of the -region flag.
var bucketName string // Value of the -bucket flag.

// init registers the -region and -bucket flags on the default flag set.
// Both default to the empty string; main treats an empty value as an error.
func init() {
	fs := flag.CommandLine
	fs.StringVar(&region, "region", "", "The region in which the bucket is located.")
	fs.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}

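// main reads the Referer (hotlink protection) configuration of the bucket
// given by -bucket in the region given by -region and logs it.
//
// Besides the whitelist, it logs AllowEmptyReferer and the blacklist when the
// response carries them, so the output can be used to review the effective
// rules. Each pointer field in the response is checked before it is
// dereferenced, so a response that omits a field does not cause a nil-pointer
// panic.
func main() {
	// Parse command-line parameters.
	flag.Parse()

	// Check whether the bucket name is empty.
	if len(bucketName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}

	// Check whether the region is empty.
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Load the default configurations and set the credential provider and region.
	// Credentials are read from environment variables, not from the source.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	// Create an OSS client.
	client := oss.NewClient(cfg)

	// Create a request to get the Referer configuration of the bucket.
	request := &oss.GetBucketRefererRequest{
		Bucket: oss.Ptr(bucketName), // The bucket name.
	}

	// Execute the operation to get the Referer configuration of the bucket.
	result, err := client.GetBucketReferer(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to get bucket referer %v", err)
	}

	// RefererConfiguration and its list fields are pointers; guard each one
	// instead of chaining the dereferences.
	refCfg := result.RefererConfiguration
	if refCfg == nil {
		log.Fatalf("get bucket referer returned no referer configuration")
	}

	// Whether requests without a Referer header are allowed.
	if refCfg.AllowEmptyReferer != nil {
		log.Printf("get bucket referer allow empty referer:%v\n", *refCfg.AllowEmptyReferer)
	}

	// Print the Referer whitelist (nil when the response has no RefererList).
	var whitelist []string
	if refCfg.RefererList != nil {
		whitelist = refCfg.RefererList.Referers
	}
	log.Printf("get bucket referer result:%#v\n", whitelist)

	// Print the Referer blacklist when one is returned.
	if refCfg.RefererBlacklist != nil {
		log.Printf("get bucket referer blacklist:%#v\n", refCfg.RefererBlacklist.Referers)
	}
}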

Clear hotlink protection

You can use the following code to clear the hotlink protection configuration.

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

// Command-line settings. init binds them to the -region and -bucket flags,
// and main rejects either one if it is still empty after flag.Parse.
var region string     // Value of the -region flag.
var bucketName string // Value of the -bucket flag.

// init registers the -region and -bucket flags on the default flag set.
// Both default to the empty string; main treats an empty value as an error.
func init() {
	fs := flag.CommandLine
	fs.StringVar(&region, "region", "", "The region in which the bucket is located.")
	fs.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}

// main clears hotlink protection on the bucket given by -bucket in the region
// given by -region. It does so by sending a PutBucketReferer request whose
// whitelist is empty and whose AllowEmptyReferer is true, then logs the result.
//
// Notes for anyone adapting this sample:
//   - After this call the bucket no longer has a Referer whitelist, so make
//     sure object access is still governed by ACLs, bucket policies or signed
//     URLs as intended.
//   - NOTE(review): the request carries no RefererBlacklist. Presumably the put
//     replaces the whole configuration and an existing blacklist is removed as
//     well; confirm by reading the configuration back with GetBucketReferer.
func main() {
	flag.Parse()

	// Both flags are required; the bucket name is validated first.
	if bucketName == "" {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}
	if region == "" {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables, so no secret is
	// embedded in the source.
	cfg := oss.LoadDefaultConfig()
	cfg = cfg.WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider())
	cfg = cfg.WithRegion(region)
	client := oss.NewClient(cfg)

	// An empty whitelist with empty Referers allowed is what clears the rules.
	emptyCfg := &oss.RefererConfiguration{
		AllowEmptyReferer: oss.Ptr(true),
		RefererList:       &oss.RefererList{Referers: []string{}},
	}
	request := &oss.PutBucketRefererRequest{
		Bucket:               oss.Ptr(bucketName),
		RefererConfiguration: emptyCfg,
	}

	// Send the cleared configuration; any SDK error ends the program.
	result, err := client.PutBucketReferer(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to put bucket referer %v", err)
	}
	log.Printf("put bucket referer result:%#v\n", result)
}

References

  • For more information about the API operation for setting hotlink protection, see PutBucketReferer.

  • For more information about the API operation for retrieving the hotlink protection configuration, see GetBucketReferer.