Blacklist/whitelist

Updated at:
Copy as MD

ApsaraVideo VOD lets you configure access policies for your video resources using a Referer blacklist/whitelist, User-Agent blacklist/whitelist, and IP blacklist/whitelist. This feature provides basic protection, is easy to use (requiring only cloud-side configuration), and takes effect quickly.

Referer blacklist/whitelist

Introduction

  • This feature uses the HTTP Referer header to identify the source of a request. You can configure a Referer blacklist or whitelist, which are mutually exclusive, to restrict access to your video resources.

  • Both blacklist and whitelist modes are supported. When a visitor requests a resource, the request reaches a point of presence (POP). The POP then filters the request based on your configured hotlink protection blacklist/whitelist. If the request meets the rules, the video data is served. Otherwise, the request is denied with a 403 HTTP status code.

  • Wildcard domain support is automatically enabled. For example, adding example.com to the list creates an effective rule of *.example.com, which applies to all its subdomains.

  • By default, requests with an empty Referer header are allowed because mobile clients often omit this header. You can disable this option.

  • Because the Referer is an HTTP header, it can be easily spoofed, offering a low level of security.

For detailed instructions, see Configure hotlink protection.

Example

Configure the Referer whitelist for the VOD domain example.cn-shanghai.aliyuncs.com with aliyundoc.com and disallow requests with an empty Referer header. A request is sent as follows:

curl -i 'http://example.cn-shanghai.aliyuncs.com/sv/5101d1f8-1643f9a****/5101d1f8-1643f9a****.mp4'
  • Response

    ali-186590dxxx:~ xxxan$ curl -i 'http://xxx.cn-shanghai.aliyuncs.com/sv/5101d1f8-1643f9axxx/5101d1f8-1643f9axxx.mp4'
    HTTP/1.1 403 Forbidden
    Server: Tengine
    Date: Wed, 27 Jun 2018 04:58:15 GMT
    Content-Type: text/html
    Content-Length: 254
    Connection: keep-alive
    X-Tengine-Error: denied by Referer ACL
    Access-Control-Allow-Origin: *
    Via: cache2.cn491[,403003]
    Timing-Allow-Origin: *
    EagleId: 7b7d12ca153007549506xxx

    If the request includes an allowed Referer, a normal response is returned:

    curl -i 'http://example.cn-shanghai.aliyuncs.com/sv/5101d1f8-1643f9a****/5101d1f8-1643f9a****.mp4' \
    -H 'Referer: http://www.aliyundoc.com' 

User-Agent blacklist/whitelist

Introduction

  • The User-Agent is a string header that helps a server identify attributes of the client, such as its operating system, browser, version, and installed plug-ins. You can use a User-Agent blacklist/whitelist to restrict access from specific browsers or devices.

  • Because the User-Agent is an HTTP header, it can be easily spoofed, offering a low level of security.

For detailed instructions, see Configure a User-Agent blacklist/whitelist.

Example

  • For example, the User-Agent for Internet Explorer 9 on a PC:

    User-Agent:Mozilla/5.0(compatible;MSIE9.0;WindowsNT6.1;Trident/5.0;
  • You can simulate an HTTP request to verify:

    curl -i 'http://example.cn-shanghai.aliyuncs.com/sv/5101d1f8-1643f9a****.mp4' \
    -H 'User-Agent: iPhone OS;MI 5'

IP blacklist/whitelist

Introduction

  • You can add individual IP addresses and CIDR blocks.

    For example, in the CIDR block 172.16.0.0/24, the /24 indicates a 24-bit network prefix. This leaves 32-24=8 bits for host addresses, allowing for 28=256 addresses. Therefore, this CIDR block represents the IP range from 172.16.0.0 to 172.16.0.255.

  • You can choose to use remote_addr or X-Forwarded-For (XFF) as the source IP address of the request, or match both.

  • The IP blacklist/whitelist mechanism is not suitable for widespread content distribution. Additionally, whitelists can be bypassed if an attacker uses an IP address from an allowed range.

For detailed instructions, see Configure an IP blacklist/whitelist.