This topic provides examples of scripts that you can use to configure hotlink protection, whitelists or blacklists, request and response header customization, request rewrites and redirects, and remote authentication.

Hotlink protection | Access control based on blacklists and whitelists | Customize request headers and response headers | Customize rewrites or redirects | Remote authentication

Hotlink protection

Customize authentication algorithms

The following example shows how to customize authentication algorithms:
  • Requirements
    • Request URL format: /path/digest/?.tskey=&t=.
    • For .ts requests, the requirements for customizing hotlink protection are:
      • Rule 1: If the request does not contain the t or key parameter, the HTTP status code 403 is returned and the X-AUTH-MSG response header is added to indicate the cause of the failure.
      • Rule 2: The t parameter specifies the absolute expiration time. If the specified t parameter is earlier than the current time, the HTTP status code 403 is returned and the X-AUTH-MSG response header is added to indicate the cause of the failure.
      • Rule 3: Compare the md5 parameter with the digest parameter. If md5 does not match digest, the HTTP status code 403 is returned.

        Value format of the md5 parameter: Private key + Path + File name.extension.

  • Code:
    if eq(substr($uri, -3, -1), '.ts') {
    
       if or(not($arg_t), not($arg_key)) {
           add_rsp_header('X-AUTH-MSG', 'auth failed - missing necessary arg')
           exit(403)
       }
    
       t = tonumber($arg_t)
       if not(t) {
           add_rsp_header('X-AUTH-MSG', 'auth failed - invalid time')
           exit(403)
       }
    
       if gt(now(), t) {
           add_rsp_header('X-AUTH-MSG', 'auth failed - expired url')
           exit(403)
       }
    
        pcs = capture($request_uri,'^/([^/]+)/([^/]+)/([^?]+)%?(.*)')
        sec1 = get(pcs, 1)
        sec2 = get(pcs, 2)
        sec3 = get(pcs, 3)
    
        if or(not(sec1), not(sec2), not(sec3)) {
            add_rsp_header('X-AUTH-MSG', 'auth failed - malformed url')
            exit(403)
        }
    
        key = 'b98d643a-9170-4937-8524-6c33514bbc23'
        signstr = concat(key, sec1, sec3)
        digest = md5(signstr)
        if ne(digest, sec2) {
            add_rsp_header('X-AUTH-DEBUG', concat('signstr: ', signstr))
            add_rsp_header('X-AUTH-MSG', 'auth failed - invalid digest')
            exit(403)
        }
    
    }

User-Agent blacklists

The following example shows how to configure a User-Agent blacklist:
  • Requirement: If a request carries the User-Agent header that starts with ijkplayer or Ysten, the HTTP status code 403 is returned.
  • Code:
    if and($http_user_agent, match($http_user_agent, '^[ijkplayer|Ysten].*$')) {
        add_rsp_header('X-BLOCKLIST-DEBUG', 'deny')
        exit(403)
    }

Referer whitelists

The following example shows how to configure a Referer whitelist:
  • Requirement: If the Referer header of a request is not http[s]://***alibaba.com***, the HTTP status code 403 is returned.
  • Code:
    if and($http_referer, match($http_referer, '^(http|https)://(.)+\.alibaba\.com.*$')) {
        return true
    }
    
    add_rsp_header('X-WHITELIST-DEBUG', 'missing')
    exit(403)

Access control based on blacklists and whitelists

IP address blacklists

The following example shows how to configure an IP address blacklist:
  • Requirement: If a request is sent from 127.0.0.1 or 10.0.0.1, the HTTP status code 403 is returned.
  • Code:
    if match($remote_addr, '[127.0.0.1|10.0.0.1]') {
        add_rsp_header('X-IPBLOCK-DEBUG', 'hit')
        exit(403)
    }

Customize request headers and response headers

Automatic file renaming

The following example shows how to configure automatic file renaming:
  • Requirement: If the filename parameter is set, the file is automatically renamed the value specified by the filename parameter. If no file name is specified, the default file name is used.
  • Code:
    if $arg_filename {
        hn = 'Content-Disposition'
        hv = concat('attachment;filename=', $arg_filename)
        add_rsp_header(hn, hv)
    }
  • Example:
    add_rsp_header('Content-Disposition', concat('attachment;filename=', tochar(34), filename, tochar(34)))
    Note
    • You can add the response header Content-Disposition:attachment to HTTP responses to have the message body automatically downloaded. In addition, if a response carries the filename parameter, it is automatically renamed filename. If the response does not carry the filename parameter, the default name is used.
    • filename enclosed in double quotation marks (") in ASCII can be converted to a string by using ToChar.
  • Output:
    Content-Disposition: attachment;filename="monitor.apk"

Overwrite response headers

The following example shows how to overwrite a response header:
  • Requirement: Overwrite the response header Content-Type.
  • Code:
    add_rsp_header('Content-Type', 'audio/mpeg')

Customize rewrites or redirects

Rewrite URIs

The following example shows how to rewrite a URI:
  • Requirement: Replace /hello in a client request with /index.html. As a result, the URI of the back-to-origin request is changed to /index.html and the parameters remain unchanged.
  • Code:
    if match($uri, '^/hello$') {
        rewrite('/index.html', 'break')
    }

Rewrite file extensions

The following example shows how to rewrite file extensions:
  • Requirement: Rewrite /1.txt to /1.<URL parameter type>. For example, /1.txt?type=mp4 can be rewritten to /1.mp4?type=mp4 in back-to-origin requests and cached.
  • Code:
    if and(match($uri, '^/1.txt$'), $arg_type) {
         rewrite(concat('/1.', $arg_type), 'break')
    }

Convert file extensions to lowercase letters

The following example shows how to convert file extensions to lowercase letters:
  • Requirement: Convert URI strings to lowercase letters.
  • Code:
    pcs = capture($uri, '^(.+%.)([^.]+)')
    section = get(pcs, 1)
    postfix = get(pcs, 2)
    
    if and(section, postfix) {
        rewrite(concat(section, lower(postfix)), 'break')
    }

Add a URI prefix

The following example shows how to add a URI prefix:
  • Requirement: Rewrite ^/nn_live/(.*) to /3rd/nn_live/$1.
  • Code:
    pcs = capture($uri, '^/nn_live/(.*)')
    sec = get(pcs, 1)
    
    if sec {
         dst = concat('/3rd/nn_live/', sec)
         rewrite(dst, 'break')
    }

Perform 302 redirects

The following example shows how to perform 302 redirects:
  • Requirement: Perform a 302 redirect from the / root directory to /app/movie/pages/index/index.html.
  • Code:
    if eq($uri, '/') {
        rewrite('/app/movie/pages/index/index.html', 'redirect')
    }

Perform a 302 redirect to HTTPS

The following example shows how to perform a 302 redirect to HTTPS
  • Requirement
    Redirect the following URIs that match the ^/$ root directory
    • http://rtmp.cdnpe.com
    • https://rtmp.cdnpe.com
    to https://aliyun.com. You can replace the URI to which you want to redirect with a custom value based on your business requirements.
  • Code:
    if eq($uri, '/') {
        rewrite('https://aliyun.com', 'redirect')
    }

Remote authentication

Customize remote authentication

The following example shows how to customize remote authentication:
  • Requirement: Enforce access control based on request formats. Responses are returned if requests are authenticated.
  • Code:
    auth_addr = 'http://xx.cn/outer/cdn/checkplay?host='
    remote_addr_t = ''
    if $remote_addr {
        remote_addr_t = $remote_addr
    }
    sp = ''
    if $arg_sp {
        sp = $arg_sp
    }
    token = ''
    if $arg_token {
        token = $arg_token
    }
    auth_key = ''
    if $arg_auth_key {
        auth_key = $arg_auth_key
    }
    t_cookie = ''
    if $http_cookie {
        t_cookie = $http_cookie
    }
    referer = ''
    if $http_referer {
        referer = $http_referer
    }
    range = ''
    if $http_range {
        range = $http_range
    }
    
    auth_addr = concat(auth_addr, $host, '&ip=', remote_addr_t, '&sp=', sp, '&token=', token, '&auth_key=', auth_key, '&cookie=', t_cookie, '&referer=', referer, '&range=', range)
    req_info = []
    set(req_info, 'addr', auth_addr)
    set(req_info, 'retry', 1)
    set(req_info, 'timeout', 1000)
    set(req_info, 'method', 'POST')
    req_header = []
    set(req_header, 'Connection', 'close')
    set(req_info, 'send_headers', req_header)
    rs = http_request(req_info)
    if rs {
        code = get(rs, 'code')
        if eq(code, '403') {
            exit(403)
        }
        headers = get(rs, 'headers')
        if headers {
            x_limit_rate_after = get(headers, 'x-limit-rate-after')
            if and(x_limit_rate_after, match_re(x_limit_rate_after, '\d+(k|m|g)$')) {
                num = substr(x_limit_rate_after, 1, -2)
                unit = substr(x_limit_rate_after, -1, -1)
                limit_rate_after(tonumber(num), unit)
            }
            x_speed = get(headers, 'x-speed')
            if and(x_speed, match_re(x_speed, '\d+(k|m|g)$')) {
               num = substr(x_speed, 1, -2)
               unit = substr(x_speed, -1, -1)
               limit_rate(tonumber(num), unit)
            }
        }
    }