Blacklist/whitelist
ApsaraVideo VOD lets you configure access policies for your video resources using a Referer blacklist/whitelist, User-Agent blacklist/whitelist, and IP blacklist/whitelist. This feature provides basic protection, is easy to use (requiring only cloud-side configuration), and takes effect quickly.
Referer blacklist/whitelist
Introduction
-
This feature uses the HTTP Referer header to identify the source of a request. You can configure a Referer blacklist or whitelist, which are mutually exclusive, to restrict access to your video resources.
-
Both blacklist and whitelist modes are supported. When a visitor requests a resource, the request reaches a point of presence (POP). The POP then filters the request based on your configured hotlink protection blacklist/whitelist. If the request meets the rules, the video data is served. Otherwise, the request is denied with a 403 HTTP status code.
-
Wildcard domain support is automatically enabled. For example, adding example.com to the list creates an effective rule of *.example.com, which applies to all its subdomains.
-
By default, requests with an empty Referer header are allowed because mobile clients often omit this header. You can disable this option.
-
Because the Referer is an HTTP header, it can be easily spoofed, offering a low level of security.
For detailed instructions, see Configure hotlink protection.
Example
Configure the Referer whitelist for the VOD domain example.cn-shanghai.aliyuncs.com with aliyundoc.com and disallow requests with an empty Referer header. A request is sent as follows:
curl -i 'http://example.cn-shanghai.aliyuncs.com/sv/5101d1f8-1643f9a****/5101d1f8-1643f9a****.mp4'
-
Response
ali-186590dxxx:~ xxxan$ curl -i 'http://xxx.cn-shanghai.aliyuncs.com/sv/5101d1f8-1643f9axxx/5101d1f8-1643f9axxx.mp4' HTTP/1.1 403 Forbidden Server: Tengine Date: Wed, 27 Jun 2018 04:58:15 GMT Content-Type: text/html Content-Length: 254 Connection: keep-alive X-Tengine-Error: denied by Referer ACL Access-Control-Allow-Origin: * Via: cache2.cn491[,403003] Timing-Allow-Origin: * EagleId: 7b7d12ca153007549506xxxIf the request includes an allowed Referer, a normal response is returned:
curl -i 'http://example.cn-shanghai.aliyuncs.com/sv/5101d1f8-1643f9a****/5101d1f8-1643f9a****.mp4' \ -H 'Referer: http://www.aliyundoc.com'
User-Agent blacklist/whitelist
Introduction
-
The User-Agent is a string header that helps a server identify attributes of the client, such as its operating system, browser, version, and installed plug-ins. You can use a User-Agent blacklist/whitelist to restrict access from specific browsers or devices.
-
Because the User-Agent is an HTTP header, it can be easily spoofed, offering a low level of security.
For detailed instructions, see Configure a User-Agent blacklist/whitelist.
Example
-
For example, the User-Agent for Internet Explorer 9 on a PC:
User-Agent:Mozilla/5.0(compatible;MSIE9.0;WindowsNT6.1;Trident/5.0; -
You can simulate an HTTP request to verify:
curl -i 'http://example.cn-shanghai.aliyuncs.com/sv/5101d1f8-1643f9a****.mp4' \ -H 'User-Agent: iPhone OS;MI 5'
IP blacklist/whitelist
Introduction
-
You can add individual IP addresses and CIDR blocks.
For example, in the CIDR block
172.16.0.0/24, the /24 indicates a 24-bit network prefix. This leaves 32-24=8 bits for host addresses, allowing for 28=256 addresses. Therefore, this CIDR block represents the IP range from 172.16.0.0 to 172.16.0.255. -
You can choose to use remote_addr or X-Forwarded-For (XFF) as the source IP address of the request, or match both.
-
The IP blacklist/whitelist mechanism is not suitable for widespread content distribution. Additionally, whitelists can be bypassed if an attacker uses an IP address from an allowed range.
For detailed instructions, see Configure an IP blacklist/whitelist.