Hotlink protection
Object Storage Service (OSS) lets you configure hotlink protection for a CloudBox bucket. This feature creates a referer whitelist to prevent unauthorized use of your OSS resources.
OSS console
Log on to the OSS console.
In the left-side navigation pane, choose Data Service > OSS on CloudBox Buckets. Then, in the bucket list, click the target bucket.
In the left-side navigation pane, choose Content Security > Hotlink Protection.
On the Hotlink Protection page, enable Hotlink Protection.
In the Referer Whitelist field, enter the following content.
When you configure multiple referers in the console, separate them with line breaks.
https://www.aliyun.com http://www.aliyun.comFor more information about referer configuration rules, see Referer configuration rules.
Leave the Referer Blacklist field empty.
ImportantIf both a whitelist and a blacklist are configured, OSS checks the blacklist first and then the whitelist. For more information about the validation process, see Hotlink protection.
In the Allow Empty Referer section, select Allow.
Yes: Allows requests that do not include a Referer header or have an empty Referer header.
No: Requests must include a non-empty Referer header. If you select No, you cannot directly access OSS resources by entering their URLs in a browser.
In the Truncate QueryString area, select Allow.
Yes: OSS truncates the query string from the referer before matching. For example, if the referer is
http://www.example.com/?action=nop, OSS useshttp://www.example.com/for the match.No: OSS does not truncate the query string from the referer before matching. For example, if the referer is
http://www.example.com/?action=nop, OSS uses the full stringhttp://www.example.com/?action=nopfor the match. For more information about how query strings are parsed, see QueryString parsing rules.
Click Save.
Alibaba Cloud SDK
You can configure hotlink protection only using the OSS SDK for Java. The SDK version must be 3.15.0 or later.
import com.aliyun.oss.ClientException;
import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.OSSException;
import com.aliyun.oss.model.BucketReferer;
import java.util.ArrayList;
import java.util.List;
import com.aliyun.oss.common.auth.DefaultCredentialProvider;
import com.aliyun.oss.common.comm.SignVersion;
import com.aliyun.oss.ClientBuilderConfiguration;
import com.aliyun.oss.common.auth.CredentialsProviderFactory;
import com.aliyun.oss.common.auth.EnvironmentVariableCredentialsProvider;
public class Demo {
public static void main(String[] args) throws Exception {
// Specify the data endpoint of the CloudBox bucket.
String endpoint = "https://cb-f8z7yvzgwfkl9q0h****.cn-hangzhou.oss-cloudbox.aliyuncs.com";
// Retrieve access credentials from environment variables. Before running this sample, ensure the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
// Specify the name of the CloudBox bucket, e.g., examplebucket.
String bucketName = "examplebucket";
// Specify the region where the CloudBox bucket is located.
String region = "cn-hangzhou";
// Specify the ID of the CloudBox.
String cloudBoxId = "cb-f8z7yvzgwfkl9q0h****";
// Create an OSSClient instance.
// When you are finished with the OSSClient, call its shutdown() method to release resources.
ClientBuilderConfiguration conf = new ClientBuilderConfiguration();
conf.setSignatureVersion(SignVersion.V4);
OSS ossClient = OSSClientBuilder.create()
.endpoint(endpoint)
.credentialsProvider(new DefaultCredentialProvider(credentialsProvider.getCredentials()))
.clientConfiguration(conf)
.region(region)
.cloudBoxId(cloudBoxId)
.build();
try {
List<String> refererList = new ArrayList<String>();
// Add referers to the whitelist. The referer parameter supports the asterisk (*) and question mark (?) wildcard characters.
refererList.add("http://www.aliyun.com");
refererList.add("http://www.*.com");
refererList.add("http://www.?.aliyuncs.com");
// Configure the referer list. Set the first parameter to true to allow requests with an empty Referer field, or false to block them.
BucketReferer br = new BucketReferer(true, refererList);
ossClient.setBucketReferer(bucketName, br);
} catch (OSSException oe) {
System.out.println("Caught an OSSException. This means your request reached OSS but was rejected with an error.");
System.out.println("Error Message:" + oe.getErrorMessage());
System.out.println("Error Code:" + oe.getErrorCode());
System.out.println("Request ID:" + oe.getRequestId());
System.out.println("Host ID:" + oe.getHostId());
} catch (ClientException ce) {
System.out.println("Caught an ClientException, which means the client encountered "
+ "a serious internal problem while trying to communicate with OSS, "
+ "such as not being able to access the network.");
System.out.println("Error Message:" + ce.getMessage());
} finally {
if (ossClient != null) {
ossClient.shutdown();
}
}
}
}ossutil
When specifying multiple referers with ossutil, separate them with commas (,).
For more information about how to use ossutil to configure hotlink protection, see put-bucket-referer.
REST API
When specifying multiple referers with a REST API, separate them with commas (,).
For a high level of customization, you can make direct REST API requests, which requires you to write your own signature calculation code. For more information, see PutBucketReferer.