OSS hotlink protection controls access to bucket objects based on the Referer request header. Configure a Referer whitelist, a Referer blacklist, and an empty-Referer policy to block unauthorized domains from embedding your objects and reduce unintended egress costs.
Prerequisites
Before you begin, ensure that you have:
Familiarity with hotlink protection. See Hotlink protection
The oss:PutBucketReferer permission to set or clear the configuration
The oss:GetBucketReferer permission to retrieve the configuration
(Optional) A custom RAM user policy if your account requires explicit permission grants. See Grant custom access policies to a RAM user
The examples below use the public endpoint for the China (Hangzhou) region (http://oss-cn-hangzhou.aliyuncs.com). To access OSS from other Alibaba Cloud services in the same region, use the internal endpoint. See Regions and endpoints. To create an OSSClient instance using a custom domain name or Security Token Service (STS), see Create an OSSClient instance.
Set hotlink protection
All examples load credentials from the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables via EnvironmentVariableCredentialsProvider. Set these variables before running any sample.
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\RefererConfig;
// Load credentials from environment variables.
// Set OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET before running this sample.
$provider = new EnvironmentVariableCredentialsProvider();
// Replace with your endpoint. This example uses China (Hangzhou).
$endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
$bucket = "examplebucket";
$refererConfig = new RefererConfig();
// Allow requests with an empty Referer (for example, direct browser access).
// Set to false to block requests without a Referer header.
$refererConfig->setAllowEmptyReferer(true);
// Add domains to the Referer whitelist.
// Wildcards are supported: * matches any string, ? matches a single character.
$refererConfig->addReferer("http://www.aliyun.com");
$refererConfig->addReferer("https://www.aliyun.com");
// $refererConfig->addReferer("http://wwww.www.alibabacloud.com/help");
// $refererConfig->addReferer("http://www.?.aliyuncs.com");
try {
    $config = array(
        "provider" => $provider,
        "endpoint" => $endpoint,
        "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
        "region" => "cn-hangzhou"
    );
    $ossClient = new OssClient($config);
    $ossClient->putBucketReferer($bucket, $refererConfig);
} catch (OssException $e) {
    // Print the message verbatim; printf() would treat any % in it as a format specifier.
    print(__FUNCTION__ . ": FAILED\n");
    print($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": OK\n");

Get the hotlink protection configuration
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\RefererConfig;
$provider = new EnvironmentVariableCredentialsProvider();
$endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
$bucket = "<yourBucketName>";
$refererConfig = null;
try {
    $config = array(
        "provider" => $provider,
        "endpoint" => $endpoint,
        "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
        "region" => "cn-hangzhou"
    );
    $ossClient = new OssClient($config);
    // Returns a RefererConfig object with the current whitelist and empty-Referer setting.
    $refererConfig = $ossClient->getBucketReferer($bucket);
} catch (OssException $e) {
    // Print the message verbatim; printf() would treat any % in it as a format specifier.
    print(__FUNCTION__ . ": FAILED\n");
    print($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": OK\n");
print($refererConfig->serializeToXml() . "\n");

Clear the hotlink protection configuration
OSS does not provide a direct delete operation for hotlink protection. To clear the configuration, overwrite it with an empty RefererConfig object.
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\RefererConfig;
$provider = new EnvironmentVariableCredentialsProvider();
$endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
$bucket = "<yourBucketName>";
// An empty RefererConfig with no whitelist entries overwrites the existing configuration.
$refererConfig = new RefererConfig();
try {
    $config = array(
        "provider" => $provider,
        "endpoint" => $endpoint,
        "signatureVersion" => OssClient::OSS_SIGNATURE_VERSION_V4,
        "region" => "cn-hangzhou"
    );
    $ossClient = new OssClient($config);
    $ossClient->putBucketReferer($bucket, $refererConfig);
} catch (OssException $e) {
    // Print the message verbatim; printf() would treat any % in it as a format specifier.
    print(__FUNCTION__ . ": FAILED\n");
    print($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": OK\n");

References
Full sample code: BucketReferer.php on GitHub
API reference for setting hotlink protection: PutBucketReferer
API reference for retrieving the configuration: GetBucketReferer
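
A pre-flight check for the values passed to setAllowEmptyReferer() and addReferer() in the Set hotlink protection sample, as an added example that is not part of the SDK or of the original page. The function name lintRefererConfig() and the example.com / example.org entries are hypothetical; the checks rely only on what the sample comments state (an empty Referer is allowed when the flag is true, and * matches any string).

```php
<?php
// Added example (not SDK code): lint the values you are about to pass to
// setAllowEmptyReferer() and addReferer(), before calling putBucketReferer().

/**
 * @param bool     $allowEmpty value intended for setAllowEmptyReferer()
 * @param string[] $entries    values intended for addReferer()
 * @return string[] one message per finding; empty when nothing is flagged
 */
function lintRefererConfig(bool $allowEmpty, array $entries): array
{
    $findings = [];
    if ($allowEmpty) {
        $findings[] = 'empty Referer is allowed: requests without a Referer header are not blocked';
    }
    if ($entries === []) {
        $findings[] = 'whitelist is empty: this is the configuration used to clear hotlink protection';
    }
    foreach ($entries as $entry) {
        // Split "scheme://host/path" into scheme and host; both parts may hold wildcards.
        $scheme = '';
        $rest = $entry;
        if (preg_match('#^([^:/]+)://(.*)$#', $entry, $m) === 1) {
            [$scheme, $rest] = [strtolower($m[1]), $m[2]];
        }
        $host = explode('/', $rest, 2)[0];

        if ($host === '' || trim($host, '*?') === '') {
            $findings[] = "$entry: host is only wildcards, so any site matches";
        } elseif (preg_match('/\*[^.*?]/', $host) === 1) {
            // "*" matches any string, so "*example.org" also matches "notexample.org".
            $findings[] = "$entry: wildcard is not followed by a dot; use \"*.\" to stay on a label boundary";
        }
        if ($scheme === 'http' && !in_array('https://' . $rest, $entries, true)) {
            $findings[] = "$entry: no matching https:// entry (the page's sample adds both schemes)";
        }
    }
    return $findings;
}

// Constructed sample input, not taken from a real bucket.
$entries = ['http://www.example.com', 'https://www.example.com', 'http://*example.org', '*'];
foreach (lintRefererConfig(true, $entries) as $finding) {
    echo $finding, "\n";
}
```

The same function can be run against a live bucket by passing it the flag and list from the RefererConfig object that getBucketReferer() returns.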