This topic provides some sample scripts that you can use to configure hotlink protection, whitelists or blacklists, request and response header customization, request rewrites and redirects, and remote authentication.
Hotlink protection | Access control based on blacklists and whitelists | Customize request headers and response headers | Customize rewrites and redirects | Remote authentication
Hotlink protection
Customize authentication algorithms
The following example shows how to customize authentication algorithms:
- Requirements:
- Request URL format:
/path/digest/?.ts?key=&t=
. - For
.ts
requests, the requirements for customizing hotlink protection are:- Rule 1: If the request does not contain the
t
orkey
parameter, the HTTP 403 status code is returned and theX-AUTH-MSG
response header is added to indicate the cause of failure. - Rule 2: The
t
parameter specifies the absolute expiration time. If the time specified byt
is earlier than the current time, the HTTP 403 status code is returned and theX-AUTH-MSG
response header is added to indicate the cause of failure. - Rule 3: Compare the
md5
value with thedigest
value. Ifmd5
does not matchdigest
, the HTTP 403 status code is returned.Value format of the md5 value:
Private key + Path + File name.extension
.
- Rule 1: If the request does not contain the
- Request URL format:
- Sample script:
if eq(substr($uri, -3, -1), '.ts') { if or(not($arg_t), not($arg_key)) { add_rsp_header('X-AUTH-MSG', 'auth failed - missing necessary arg') exit(403) } t = tonumber($arg_t) if not(t) { add_rsp_header('X-AUTH-MSG', 'auth failed - invalid time') exit(403) } if gt(now(), t) { add_rsp_header('X-AUTH-MSG', 'auth failed - expired url') exit(403) } pcs = capture($request_uri,'^/([^/]+)/([^/]+)/([^?]+)%?(.*)') sec1 = get(pcs, 1) sec2 = get(pcs, 2) sec3 = get(pcs, 3) if or(not(sec1), not(sec2), not(sec3)) { add_rsp_header('X-AUTH-MSG', 'auth failed - malformed url') exit(403) } key = 'b98d643a-9170-4937-8524-6c33514bbc23' signstr = concat(key, sec1, sec3) digest = md5(signstr) if ne(digest, sec2) { add_rsp_header('X-AUTH-DEBUG', concat('signstr: ', signstr)) add_rsp_header('X-AUTH-MSG', 'auth failed - invalid digest') exit(403) } }
User-Agent blacklists
The following example shows how to configure a User-Agent blacklist:
- Requirements: If a request carries the
User-Agent
header that starts withijkplayer
orYsten
, the HTTP status code 403 is returned. - Sample script:
if and($http_user_agent, match($http_user_agent, '^[ijkplayer|Ysten].*$')) { add_rsp_header('X-BLOCKLIST-DEBUG', 'deny') exit(403) }
Referer whitelists
The following example shows how to configure a Referer whitelist:
- Requirements: If the
Referer
header of a request is nothttp[s]://***alibaba.com***
, the HTTP 403 status code is returned. - Sample script:
if and($http_referer, match($http_referer, '^(http|https)://(.)+\.alibaba\.com.*$')) { return true } add_rsp_header('X-WHITELIST-DEBUG', 'missing') exit(403)
Access control based on blacklists and whitelists
IP blacklists
The following example shows how to configure an IP blacklist:
- Requirements: If a request is sent from
127.0.0.1
or10.0.0.1
, the HTTP 403 status code is returned. - Sample script:
if match($remote_addr, '127.0.0.1|10.0.0.1') { add_rsp_header('X-IPBLOCK-DEBUG', 'hit') exit(403) }
Customize request headers and response headers
Automatic file renaming
The following example shows how to configure automatic file renaming:
- Requirements: If the
filename
parameter is set, the file is automatically renamed the value specified by thefilename
parameter. If no filename is specified, the default filename is used. - Sample script:
if $arg_filename { hn = 'Content-Disposition' hv = concat('attachment;filename=', $arg_filename) add_rsp_header(hn, hv) }
- Example:
add_rsp_header('Content-Disposition', concat('attachment;filename=', tochar(34), filename, tochar(34)))
Note- You can add the response header
Content-Disposition:attachment
to HTTP responses to have the message body automatically downloaded. In addition, if a response carries thefilename
parameter, it is automatically renamed the value offilename
. If the response does not carry the filename parameter, the default name is used. filename
enclosed in double quotation marks (") in ASCII can be converted to a string by using ToChar. The ASCII code for the quotation mark ("") is 34.
- You can add the response header
- Output:
Content-Disposition: attachment;filename="monitor.apk"
Overwrite response headers
The following example shows how to overwrite a response header:
- Requirements: Overwrite the response header
Content-Type
. - Sample script:
add_rsp_header('Content-Type', 'audio/mpeg')
Customize rewrites and redirects
Rewrite URIs
The following example shows how to rewrite a URI:
- Requirements: Replace
/hello
in a client request with/index.html
. As a result, the URI of the back-to-origin request is changed to/index.html
and the parameters remain unchanged. - Sample script:
if match($uri, '^/hello$') { rewrite('/index.html', 'break') }
Rewrite file extensions
The following example shows how to rewrite file extensions:
- Requirements: Rewrite
/1.txt
to/1.<URL parameter type>
. For example,/1.txt?type=mp4
can be rewritten to/1.mp4?type=mp4
in back-to-origin requests and cached. - Sample script:
if and(match($uri, '^/1.txt$'), $arg_type) { rewrite(concat('/1.', $arg_type), 'break') }
Convert file extensions to lowercase letters
The following example shows how to convert file extensions to lowercase letters:
- Requirements: Convert URI strings to lowercase letters.
- Sample script:
pcs = capture($uri, '^(.+%.)([^.]+)') section = get(pcs, 1) postfix = get(pcs, 2) if and(section, postfix) { rewrite(concat(section, lower(postfix)), 'break') }
Add a URI prefix
The following example shows how to add a URI prefix:
- Requirements: Rewrite
^/nn_live/(.*)
to/3rd/nn_live/$1
. - Sample script:
pcs = capture($uri, '^/nn_live/(.*)') sec = get(pcs, 1) if sec { dst = concat('/3rd/nn_live/', sec) rewrite(dst, 'break') }
Perform 302 redirects
The following example shows how to perform 302 redirects:
- Requirements: Perform a 302 redirect from the
/
root directory to/app/movie/pages/index/index.html
. - Sample script:
if eq($uri, '/') { rewrite('/app/movie/pages/index/index.html', 'redirect') }
Perform a 302 redirect to HTTPS
The following example shows how to perform a 302 redirect to HTTPS
- Requirements: Redirect the following URIs that match the
^/$
root directoryhttp://rtmp.cdnpe.com
https://rtmp.cdnpe.com
https://aliyun.com
. You can replace the URI to which you want to redirect with a custom value based on your business requirements. - Sample script:
if eq($uri, '/') { rewrite('https://aliyun.com', 'redirect') }
Remote authentication
Customize remote authentication
The following example shows how to customize remote authentication:
- Requirements: Implement access control based on request formats. The responses determine whether the requests pass the authentication.
- Sample script:
auth_addr = 'http://xx.cn/outer/cdn/checkplay?host=' remote_addr_t = '' if $remote_addr { remote_addr_t = $remote_addr } sp = '' if $arg_sp { sp = $arg_sp } token = '' if $arg_token { token = $arg_token } auth_key = '' if $arg_auth_key { auth_key = $arg_auth_key } t_cookie = '' if $http_cookie { t_cookie = $http_cookie } referer = '' if $http_referer { referer = $http_referer } range = '' if $http_range { range = $http_range } auth_addr = concat(auth_addr, $host, '&ip=', remote_addr_t, '&sp=', sp, '&token=', token, '&auth_key=', auth_key, '&cookie=', t_cookie, '&referer=', referer, '&range=', range) req_info = [] set(req_info, 'addr', auth_addr) set(req_info, 'retry', 1) set(req_info, 'timeout', 1000) set(req_info, 'method', 'POST') req_header = [] set(req_header, 'Connection', 'close') set(req_info, 'send_headers', req_header) rs = http_request(req_info) if rs { code = get(rs, 'code') if eq(code, '403') { exit(403) } headers = get(rs, 'headers') if headers { x_limit_rate_after = get(headers, 'x-limit-rate-after') if and(x_limit_rate_after, match_re(x_limit_rate_after, '\d+(k|m|g)$')) { num = substr(x_limit_rate_after, 1, -2) unit = substr(x_limit_rate_after, -1, -1) limit_rate_after(tonumber(num), unit) } x_speed = get(headers, 'x-speed') if and(x_speed, match_re(x_speed, '\d+(k|m|g)$')) { num = substr(x_speed, 1, -2) unit = substr(x_speed, -1, -1) limit_rate(tonumber(num), unit) } } }