This topic provides some sample scripts that you can use to configure hotlink protection, whitelists or blacklists, request and response header customization, request rewrites and redirects, and remote authentication.

Hotlink protection | Access control based on blacklists and whitelists | Customize request headers and response headers | Customize rewrites and redirects | Remote authentication

Hotlink protection

Customize authentication algorithms

The following example shows how to customize authentication algorithms:
  • Requirements:
    • Request URL format: /path/digest/?.ts?key=&t=.
    • For .ts requests, the requirements for customizing hotlink protection are:
      • Rule 1: If the request does not contain the t or key parameter, the HTTP 403 status code is returned and the X-AUTH-MSG response header is added to indicate the cause of failure.
      • Rule 2: The t parameter specifies the absolute expiration time. If the time specified by t is earlier than the current time, the HTTP 403 status code is returned and the X-AUTH-MSG response header is added to indicate the cause of failure.
      • Rule 3: Compare the md5 value with the digest value. If md5 does not match digest, the HTTP 403 status code is returned.

        Value format of the md5 value: Private key + Path + File name.extension.

  • Sample script: 
    if eq(substr($uri, -3, -1), '.ts') {

   if or(not($arg_t), not($arg_key)) {
       add_rsp_header('X-AUTH-MSG', 'auth failed - missing necessary arg')
       exit(403)
   }

   t = tonumber($arg_t)
   if not(t) {
       add_rsp_header('X-AUTH-MSG', 'auth failed - invalid time')
       exit(403)
   }

   if gt(now(), t) {
       add_rsp_header('X-AUTH-MSG', 'auth failed - expired url')
       exit(403)
   }

    pcs = capture($request_uri,'^/([^/]+)/([^/]+)/([^?]+)%?(.*)')
    sec1 = get(pcs, 1)
    sec2 = get(pcs, 2)
    sec3 = get(pcs, 3)

    if or(not(sec1), not(sec2), not(sec3)) {
        add_rsp_header('X-AUTH-MSG', 'auth failed - malformed url')
        exit(403)
    }

    key = 'b98d643a-9170-4937-8524-6c33514bbc23'
    signstr = concat(key, sec1, sec3)
    digest = md5(signstr)
    if ne(digest, sec2) {
        add_rsp_header('X-AUTH-DEBUG', concat('signstr: ', signstr))
        add_rsp_header('X-AUTH-MSG', 'auth failed - invalid digest')
        exit(403)
    }

}

User-Agent blacklists

The following example shows how to configure a User-Agent blacklist:
  • Requirements: If a request carries the User-Agent header that starts with ijkplayer or Ysten, the HTTP status code 403 is returned.
  • Sample script: 
    if and($http_user_agent, match($http_user_agent, '^[ijkplayer|Ysten].*$')) {
    add_rsp_header('X-BLOCKLIST-DEBUG', 'deny')
    exit(403)
}

Referer whitelists

The following example shows how to configure a Referer whitelist:
  • Requirements: If the Referer header of a request is not http[s]://***alibaba.com***, the HTTP 403 status code is returned.
  • Sample script: 
    if and($http_referer, match($http_referer, '^(http|https)://(.)+\.alibaba\.com.*$')) {
    return true
}

add_rsp_header('X-WHITELIST-DEBUG', 'missing')
exit(403)

Access control based on blacklists and whitelists

IP blacklists

The following example shows how to configure an IP blacklist:
  • Requirements: If a request is sent from 127.0.0.1 or 10.0.0.1, the HTTP 403 status code is returned.
  • Sample script: 
    if match($remote_addr, '127.0.0.1|10.0.0.1') {
    add_rsp_header('X-IPBLOCK-DEBUG', 'hit')
    exit(403)
}

Customize request headers and response headers

Automatic file renaming

The following example shows how to configure automatic file renaming:
  • Requirements: If the filename parameter is set, the file is automatically renamed the value specified by the filename parameter. If no filename is specified, the default filename is used.
  • Sample script:
    if $arg_filename {
    hn = 'Content-Disposition'
    hv = concat('attachment;filename=', $arg_filename)
    add_rsp_header(hn, hv)
}
  • Example:
    add_rsp_header('Content-Disposition', concat('attachment;filename=', tochar(34), filename, tochar(34)))
    Note
    • You can add the response header Content-Disposition:attachment to HTTP responses to have the message body automatically downloaded. In addition, if a response carries the filename parameter, it is automatically renamed the value of filename. If the response does not carry the filename parameter, the default name is used.
    • filename enclosed in double quotation marks (") in ASCII can be converted to a string by using ToChar. The ASCII code for the quotation mark ("") is 34.
  • Output:
    Content-Disposition: attachment;filename="monitor.apk"

Overwrite response headers

The following example shows how to overwrite a response header:
  • Requirements: Overwrite the response header Content-Type.
  • Sample script:
    add_rsp_header('Content-Type', 'audio/mpeg')

Customize rewrites and redirects

Rewrite URIs

The following example shows how to rewrite a URI:
  • Requirements: Replace /hello in a client request with /index.html. As a result, the URI of the back-to-origin request is changed to /index.html and the parameters remain unchanged.
  • Sample script: 
    if match($uri, '^/hello$') {
    rewrite('/index.html', 'break')
}

Rewrite file extensions

The following example shows how to rewrite file extensions:
  • Requirements: Rewrite /1.txt to /1.<URL parameter type>. For example, /1.txt?type=mp4 can be rewritten to /1.mp4?type=mp4 in back-to-origin requests and cached.
  • Sample script: 
    if and(match($uri, '^/1.txt$'), $arg_type) {
     rewrite(concat('/1.', $arg_type), 'break')
}

Convert file extensions to lowercase letters

The following example shows how to convert file extensions to lowercase letters:
  • Requirements: Convert URI strings to lowercase letters.
  • Sample script:
    pcs = capture($uri, '^(.+%.)([^.]+)')
section = get(pcs, 1)
postfix = get(pcs, 2)

if and(section, postfix) {
    rewrite(concat(section, lower(postfix)), 'break')
}

Add a URI prefix

The following example shows how to add a URI prefix:
  • Requirements: Rewrite ^/nn_live/(.*) to /3rd/nn_live/$1.
  • Sample script:
    pcs = capture($uri, '^/nn_live/(.*)')
sec = get(pcs, 1)

if sec {
     dst = concat('/3rd/nn_live/', sec)
     rewrite(dst, 'break')
}

Perform 302 redirects

The following example shows how to perform 302 redirects:
  • Requirements: Perform a 302 redirect from the / root directory to /app/movie/pages/index/index.html.
  • Sample script:
    if eq($uri, '/') {
    rewrite('/app/movie/pages/index/index.html', 'redirect')
}

Perform a 302 redirect to HTTPS

The following example shows how to perform a 302 redirect to HTTPS
  • Requirements:
    Redirect the following URIs that match the ^/$ root directory
    • http://rtmp.cdnpe.com
    • https://rtmp.cdnpe.com
    to https://aliyun.com. You can replace the URI to which you want to redirect with a custom value based on your business requirements.
  • Sample script: 
    if eq($uri, '/') {
    rewrite('https://aliyun.com', 'redirect')
}

Remote authentication

Customize remote authentication

The following example shows how to customize remote authentication:
  • Requirements: Implement access control based on request formats. The responses determine whether the requests pass the authentication.
  • Sample script:
    auth_addr = 'http://xx.cn/outer/cdn/checkplay?host='
remote_addr_t = ''
if $remote_addr {
    remote_addr_t = $remote_addr
}
sp = ''
if $arg_sp {
    sp = $arg_sp
}
token = ''
if $arg_token {
    token = $arg_token
}
auth_key = ''
if $arg_auth_key {
    auth_key = $arg_auth_key
}
t_cookie = ''
if $http_cookie {
    t_cookie = $http_cookie
}
referer = ''
if $http_referer {
    referer = $http_referer
}
range = ''
if $http_range {
    range = $http_range
}

auth_addr = concat(auth_addr, $host, '&ip=', remote_addr_t, '&sp=', sp, '&token=', token, '&auth_key=', auth_key, '&cookie=', t_cookie, '&referer=', referer, '&range=', range)
req_info = []
set(req_info, 'addr', auth_addr)
set(req_info, 'retry', 1)
set(req_info, 'timeout', 1000)
set(req_info, 'method', 'POST')
req_header = []
set(req_header, 'Connection', 'close')
set(req_info, 'send_headers', req_header)
rs = http_request(req_info)
if rs {
    code = get(rs, 'code')
    if eq(code, '403') {
        exit(403)
    }
    headers = get(rs, 'headers')
    if headers {
        x_limit_rate_after = get(headers, 'x-limit-rate-after')
        if and(x_limit_rate_after, match_re(x_limit_rate_after, '\d+(k|m|g)$')) {
            num = substr(x_limit_rate_after, 1, -2)
            unit = substr(x_limit_rate_after, -1, -1)
            limit_rate_after(tonumber(num), unit)
        }
        x_speed = get(headers, 'x-speed')
        if and(x_speed, match_re(x_speed, '\d+(k|m|g)$')) {
           num = substr(x_speed, 1, -2)
           unit = substr(x_speed, -1, -1)
           limit_rate(tonumber(num), unit)
        }
    }
}