Object Storage Service:Configure a Referer whitelist or blacklist to prevent other websites from linking to your OSS objects
Last Updated:Mar 13, 2024
To prevent unexpected storage costs that are generated when other websites link to your objects in Object Storage Service (OSS), you can include specified domain names in the Referer whitelist to allow linking only from these domain names.
A Referer misconfiguration can block your websites from linking to your OSS objects or prevent your users from accessing your OSS objects directly from a browser. We recommend that you apply Referer configurations to a bucket in the test environment and test the configurations before you apply the Referer configurations to the bucket in the production environment.
Procedure
Use the OSS console
For example, to allow only www.aliyun.com to link to objects in a bucket and allow users to request objects in the bucket by using object URLs in a browser, perform the following steps:
If both a Referer whitelist and blacklist exist, OSS checks a Referer request header first against the blacklist and then against the whitelist. For more information, see Process.
For Allow Empty Referer, select Yes.
Yes: allows requests that have an empty Referer header or do not contain the Referer header.
No: denies requests that have an empty Referer header or do not contain the Referer header. If you select No for Allow Empty Referer, objects in the bucket cannot be accessed by entering object URLs in the address bar of a browser.
For Truncate QueryString, select Yes.
Yes: Query strings in Referers are removed. For example, if a Referer is set to http://www.example.com/?action=nop, the query string is removed and http://www.example.com/ is used to match Referers.
No: Query strings in Referers are not removed. For example, if a Referer is set to http://www.example.com/?action=nop, http://www.example.com/?action=nop is used to match Referers. For more information about query string parsing, see Query string parsing rules.
Click Save.
Use OSS SDKs
For example, you want to allow only www.alibabacloud.com to link to objects in a bucket and allow users to request objects in the bucket by using object URLs in a browser. The following sample code provides an example on how to configure hotlink protection for this purpose by using OSS SDKs.
import com.aliyun.oss.ClientException;
import com.aliyun.oss.OSS;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.OSSException;
import com.aliyun.oss.model.BucketReferer;
import java.util.ArrayList;
import java.util.List;
public class Demo {
public static void main(String[] args) throws Exception {
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint.
String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
// Specify the name of the source bucket. Example: examplebucket.
String bucketName = "examplebucket";
// Create an OSSClient instance.
OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);
try {
List<String> refererList = new ArrayList<String>();
// Add Referers to the Referer whitelist. You can use asterisks (*) and question marks (?) as wildcards in Referers.
refererList.add("http://www.aliyun.com");
refererList.add("https://www.aliyun.com");
// refererList.add("http://www.help.alibabacloud.com");
// refererList.add("http://www.?.aliyuncs.com");
// Configure a Referer whitelist of the bucket. If true is specified, requests with empty Referer fields are allowed. If false is specified, requests with empty Referer fields are not allowed.
BucketReferer br = new BucketReferer(true, refererList);
ossClient.setBucketReferer(bucketName, br);
} catch (OSSException oe) {
System.out.println("Caught an OSSException, which means your request made it to OSS, "
+ "but was rejected with an error response for some reason.");
System.out.println("Error Message:" + oe.getErrorMessage());
System.out.println("Error Code:" + oe.getErrorCode());
System.out.println("Request ID:" + oe.getRequestId());
System.out.println("Host ID:" + oe.getHostId());
} catch (ClientException ce) {
System.out.println("Caught an ClientException, which means the client encountered "
+ "a serious internal problem while trying to communicate with OSS, "
+ "such as not being able to access the network.");
System.out.println("Error Message:" + ce.getMessage());
} finally {
if (ossClient != null) {
ossClient.shutdown();
}
}
}
}
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Model\RefererConfig;
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
$accessKeyId = getenv("OSS_ACCESS_KEY_ID");
$accessKeySecret = getenv("OSS_ACCESS_KEY_SECRET");
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint.
$endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
$bucket= "examplebucket";
$refererConfig = new RefererConfig();
// Allow empty Referers.
$refererConfig->setAllowEmptyReferer(true);
// Specify a Referer whitelist. You can use asterisks (*) and question marks (?) as wildcards in Referers.
$refererConfig->addReferer("http://wwww.aliyun.com");
$refererConfig->addReferer("https://wwww.aliyun.com");
// $refererConfig->addReferer("http://wwww.help.alibabacloud.com");
// $refererConfig->addReferer("http://www.?.aliyuncs.com");
try{
$ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint);
$ossClient->putBucketReferer($bucket, $refererConfig);
} catch(OssException $e) {
printf(__FUNCTION__ . ": FAILED\n");
printf($e->getMessage() . "\n");
return;
}
print(__FUNCTION__ . ": OK" . "\n");
const OSS = require('ali-oss')
const client = new OSS({
// Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to oss-cn-hangzhou.
region: 'yourregion',
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
accessKeyId: process.env.OSS_ACCESS_KEY_ID,
accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
// Specify the name of the bucket.
bucket: 'examplebucket'
});
async function putBucketReferer () {
try {
const result = await client.putBucketReferer(bucket, true, [
'http://www.aliyun.com',
'https://www.aliyun.com'
]);
console.log(result);
} catch (e) {
console.log(e);
}
}
putBucketReferer();
# -*- coding: utf-8 -*-
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider
from oss2.models import BucketReferer
# Obtain access credentials from environment variables. Before you run the code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
auth = oss2.ProviderAuth(EnvironmentVariableCredentialsProvider())
# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
// Specify the bucket name.
bucket = oss2.Bucket(auth, 'https://oss-cn-hangzhou.aliyuncs.com', 'examplebucket')
# Specify that empty Referer fields are allowed.
allow_empty_referer = True
# Specify a Referer whitelist.
referers = ['http://www.aliyun.com', 'https://www.aliyun.com']
# Specify a Referer blacklist.
# black_referers = ['http://example.com', 'http://*.example.com']
# Specify that query strings can be truncated.
allow_truncate_query_string = True
# Configure hotlink protection.
bucket.put_bucket_referer(BucketReferer(allow_empty_referer=allow_empty_referer, referers=referers, black_referers=black_referers,allow_truncate_query_string=allow_truncate_query_string))
using Aliyun.OSS;
using Aliyun.OSS.Common;
// Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
var endpoint = "yourEndpoint";
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
var accessKeyId = Environment.GetEnvironmentVariable("OSS_ACCESS_KEY_ID");
var accessKeySecret = Environment.GetEnvironmentVariable("OSS_ACCESS_KEY_SECRET");
// Specify the name of the bucket.
var bucketName = "examplebucket";
// Create an OSSClient instance.
var client = new OssClient(endpoint, accessKeyId, accessKeySecret);
try
{
var refererList = new List<string>();
// Add a Referer whitelist. You can use asterisks (*) and question marks (?) as wildcard characters in Referers.
refererList.Add("http://www.aliyun.com");
refererList.Add("https://www.aliyun.com");
// refererList.Add("http://www.help.alibabacloud.com");
// refererList.Add("http://www.?.aliyuncs.com");
var srq = new SetBucketRefererRequest(bucketName, refererList);
// Configure hotlink protection.
client.SetBucketReferer(srq);
Console.WriteLine("Set bucket:{0} Referer succeeded ", bucketName);
}
catch (OssException ex)
{
Console.WriteLine("Failed with error code: {0}; Error info: {1}. \nRequestID:{2}\tHostID:{3}",
ex.ErrorCode, ex.Message, ex.RequestId, ex.HostId);
}
catch (Exception ex)
{
Console.WriteLine("Failed with error info: {0}", ex.Message);
}
PutBucketRefererRequest request = new PutBucketRefererRequest();
request.setBucketName("examplebucket");
// Specify a Referer whitelist. You can use asterisks (*) and question marks (?) as wildcard characters in Referers.
ArrayList<String> referers = new ArrayList<String>();
referers.add("http://www.aliyun.com");
referers.add("https://www.aliyun.com");
// referers.add("http://www.help.alibabacloud.com");
// referers.add("http://www.?.aliyuncs.com");
request.setReferers(referers);
OSSAsyncTask task = oss.asyncPutBucketReferer(request, new OSSCompletedCallback<PutBucketRefererRequest, PutBucketRefererResult>() {
@Override
public void onSuccess(PutBucketRefererRequest request, PutBucketRefererResult result) {
OSSLog.logInfo("code: " + result.getStatusCode());
}
@Override
public void onFailure(PutBucketRefererRequest request, ClientException clientException, ServiceException serviceException) {
OSSLog.logError("error: "+serviceException.getRawMessage());
}
});
task.waitUntilFinished();
package main
import (
"fmt"
"github.com/aliyun/aliyun-oss-go-sdk/oss"
"os"
)
func main() {
// Specify the name of the bucket.
bucketName := "examplebucket"
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
provider, err := oss.NewEnvironmentVariableCredentialsProvider()
if err != nil {
fmt.Println("Error:", err)
os.Exit(-1)
}
// Create an OSSClient instance.
// Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. Specify your actual endpoint.
client, err := oss.New("yourEndpoint", "", "", oss.SetCredentialsProvider(&provider))
if err != nil {
fmt.Println("Error:", err)
os.Exit(-1)
}
var setBucketReferer oss.RefererXML
// Add Referers to the Referer whitelist and specify that an empty Referer field is not allowed. You can use an asterisk (*) or a question mark (?) as a wildcard to set the Referer parameter.
setBucketReferer.RefererList = []string{
"http://www.aliyun.com",
"https://www.aliyun.com",
// "https://www.help.alibabacloud.com",
// "http://www.?.aliyuncs.com",
}
// Add a Referer blacklist. OSS SDK for Go V2.2.8 or later supports Referer blacklist settings.
// setBucketReferer.RefererBlacklist = &oss.RefererBlacklist{
[]string{
"http://www.refuse.com",
"https://*.hack.com",
"http://ban.*.com",
"https://www.?.deny.com",
},
}
setBucketReferer.AllowEmptyReferer = true
boolFalse := false
setBucketReferer.AllowTruncateQueryString = &boolFalse
err = client.SetBucketRefererV2(bucketName,setBucketReferer)
if err != nil {
fmt.Println("Error:", err)
os.Exit(-1)
}
fmt.Println("Set Bucket Referer Success")
}
#include <alibabacloud/oss/OssClient.h>
using namespace AlibabaCloud::OSS;
int main(void)
{
/* Initialize information about the account that is used to access OSS. */
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
std::string Endpoint = "yourEndpoint";
/* Specify the name of the bucket. Example: examplebucket. */
std::string BucketName = "examplebucket";
/* Initialize resources, such as network resources. */
InitializeSdk();
ClientConfiguration conf;
/* Obtain access credential from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
OssClient client(Endpoint, credentialsProvider, conf);
/* Configure hotlink protection. */
SetBucketRefererRequest request(BucketName);
request.addReferer("http://www.aliyun.com");
request.addReferer("https://www.aliyun.com");
/* request.addReferer("https://help.alibabacloud.com");*/
/* request.addReferer("http://www.?.aliyuncs.com");*/
request.setAllowEmptyReferer(true);
auto outcome = client.SetBucketReferer(request);
if (!outcome.isSuccess()) {
/* Handle exceptions. */
std::cout << "SetBucketReferer fail" <<
",code:" << outcome.error().Code() <<
",message:" << outcome.error().Message() <<
",requestId:" << outcome.error().RequestId() << std::endl;
return -1;
}
/* Release resources such as network resources. */
ShutdownSdk();
return 0;
}
#include "oss_api.h"
#include "aos_http_io.h"
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
const char *endpoint = "yourEndpoint";
/* Specify the name of the bucket. Example: examplebucket. */
const char *bucket_name = "examplebucket";
void init_options(oss_request_options_t *options)
{
options->config = oss_config_create(options->pool);
/* Use a char* string to initialize aos_string_t. */
aos_str_set(&options->config->endpoint, endpoint);
/* Obtain access credential from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
aos_str_set(&options->config->access_key_id, getenv("OSS_ACCESS_KEY_ID"));
aos_str_set(&options->config->access_key_secret, getenv("OSS_ACCESS_KEY_SECRET"));
/* Specify whether to use CNAME. The value 0 indicates that CNAME is not used. */
options->config->is_cname = 0;
/* Configure network parameters such as the timeout period. */
options->ctl = aos_http_controller_create(options->pool, 0);
}
int main(int argc, char *argv[])
{
/* Call the aos_http_io_initialize method in main() to initialize global resources, such as network resources and memory resources. */
if (aos_http_io_initialize(NULL, 0) != AOSE_OK) {
exit(1);
}
/* Create a memory pool to manage memory. aos_pool_t is equivalent to apr_pool_t. The code that is used to create a memory pool is included in the APR library. */
aos_pool_t *pool;
/* Create a memory pool. The value of the second parameter is NULL. This value specifies that the pool does not inherit other memory pools. */
aos_pool_create(&pool, NULL);
/* Create and initialize options. This parameter specifies global configuration information such as endpoint, access_key_id, access_key_secret, is_cname, and curl. */
oss_request_options_t *oss_client_options;
/* Allocate memory resources in the memory pool to the options. */
oss_client_options = oss_request_options_create(pool);
/* Initialize oss_client_options. */
init_options(oss_client_options);
/* Initialize parameters. */
aos_string_t bucket;
aos_table_t *resp_headers = NULL;
aos_status_t *resp_status = NULL;
oss_referer_config_t referer_config;
aos_str_set(&bucket, bucket_name);
aos_list_init(&referer_config.referer_list);
oss_create_and_add_refer(pool, &referer_config, "http://www.aliyun.com");
oss_create_and_add_refer(pool, &referer_config, "https://www.aliyun.com");
referer_config.allow_empty_referer = 1;
/* Add Referers to the Referer whitelist. You can use asterisks (*) and question marks (?) as wildcard characters in Referers. */
resp_status = oss_put_bucket_referer(oss_client_options, &bucket, &referer_config, &resp_headers);
if (aos_status_is_ok(resp_status)) {
printf("put bucket referer succeeded\n");
} else {
printf("put bucket referer failed\n");
}
/* Release the memory pool to release the memory resources allocated for the request. */
aos_pool_destroy(pool);
/* Release the allocated global resources. */
aos_http_io_deinitialize();
return 0;
}
require 'aliyun/oss'
client = Aliyun::OSS::Client.new(
# In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint.
endpoint: 'https://oss-cn-hangzhou.aliyuncs.com',
# Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
access_key_id: ENV['OSS_ACCESS_KEY_ID'],
access_key_secret: ENV['OSS_ACCESS_KEY_SECRET']
)
# Specify the name of the bucket. Example: examplebucket.
bucket = client.get_bucket('examplebucket')
# Configure a Referer whitelist for the bucket.
bucket.referer = Aliyun::OSS::BucketReferer.new(
allow_empty: true, whitelist: ['http://www.aliyun.com', 'https:www.aliyun.com'])
If you specify multiple Referers by using OSS SDKs, separate them with commas (,).
For more information about how to configure hotlink protection for a bucket by using OSS SDKs for other programming languages, see Overview.
Use ossutil
For example, you want to allow only www.aliyun.com to link to objects in a bucket and allow users to request objects in the bucket by using object URLs in a browser. Sample command:
./ossutil64 referer --method put oss://examplebucket http://www.aliyun.com https://www.aliyun.com
If you use ossutil to configure multiple Referers, separate them with spaces.
If you specify multiple Referers by calling RESTful API operations, separate them with commas (,).
If your business requires a high level of customization, you can directly call RESTful APIs. To directly call an API, you must include the signature calculation in your code. For more information, see PutBucketReferer.
Referer configurations
When you configure a Referer whitelist or blacklist, take note of the following items:
Item
Description
The scheme part of URLs is not ignored.
For example, if you include the http://www.aliyun.com record in your Referer configurations, the record can match URLs that contain the http://www.aliyun.com part, such as http://www.aliyun.com/123 and http://www.aliyun.com.cn. However, https://www.aliyun.com/123, https://www.aliyun.com.cn, and www.aliyun.com are not matched with the record.
An asterisk (*) can be used in a Referer record to represent zero or more characters.
If you set the Referer whitelist or blacklist to *, all domain names and IP addresses are matched.
If you include the *www.example.com record in your Referer configurations, the record can match URLs that contain www.example.com string, such as http://www.example.com, https://www.example.com, and www.example.com.
If you include the *.example.com record in your Referer configurations, the record can match http://help.example.com, https://help.example.com, http://www.example.com, and https://www.example.com.
A question mark (?) can be used in a Referer record to represent a character.
If you include the http://www.aliyun?.com record in your Referer configurations, the record can match http://www.aliyunc.com.
Referer configurations support domain names and IP addresses with port numbers.
For example, you can include the following records in your Referer configurations: http://www.example.com:8080 and 10.10.10.10:8080.
Query string parsing rules
If you disable query string truncation, OSS processes query strings in requests based on the following rules:
Rule
Description
Query strings are not decoded.
If the request URL is http://www.example.com/?job_id=task$01 and http://www.example.com/?job_id=task%2401 is in the Referer whitelist or Referer blacklist, the request URL does not match the Referer in the Referer whitelist or Referer blacklist.
Fields included in query strings are not case-sensitive.
If the request URL is http://www.examplecom/?ACTION=NOP and http://www.example.com/?action=nop is in the Referer whitelist or Referer blacklist, the request URL matches the Referer in the Referer whitelist or Referer blacklist.
Fields included in query strings are not parsed.
If the request URL is http://example.com/?b=c&a=b and http://example.com/?a=b&b=c is in the Referer whitelist or Referer blacklist, the request URL does not match the Referer in the Referer whitelist or Referer blacklist.