Access Control
When you need to restrict access to CDN resources, you can learn how to configure and what to be aware of from this article.
Referer Anti-Theft Chain
You can identify and control user requests by configuring a Referer anti-theft chain blacklist and whitelist, which enhances the security of the acceleration domain name and prevents malicious users from stealing chains.
- The Referer anti-theft chain identifies and judges based on the value of the referer field in the HTTP Request Header. According to the policy set by the user, access user filtering is performed.
- Currently, the Referer anti-theft chain is divided into two mechanisms, blacklist and whitelist. It is not enabled by default.
- Whether to allow resource access with an empty Referer field can be set, i.e., direct resource URL access through the browser address bar is allowed.
- Up to 100 can be set, multiple are separated by carriage return; regular expressions are not supported; when referer is a wildcard domain, please start with *., for example: *.example2.com, including any matched host header and empty host header.
Referer Anti-Theft Chain
IP Blacklist
You can identify and control user requests by configuring IP blacklists, enhancing the security of the acceleration domain name and preventing malicious user access.
- IP blacklist, IPs within the blacklist cannot access resources, by default, the blacklist is empty.
- Supports adding IP ranges, such as 10.0.0.1/24. Note: IP range blocking only supports /24 and above, for example, blocking ranges of 10.0.0.0/8 or 10.0.0.0/20 will not take effect.
IP Blacklist
MD5 Anti-Theft Chain
You can prevent your site’s resources from being misused by illegal users by configuring MD5 anti-theft chain, thus avoiding the sharp increase in bandwidth and cost due to theft.
MD5 anti-theft chain cannot be configured through the console at the moment. Configuration requires secret keys and expiration times. Please contact architects or technical support for configuration.
Configuration instructions:
k = md5(secret key + file URI + expiration time t)
1、k:Parameter name in the URL, md5(string), the string generated by md5 is 32 bits.
2、t:Expiration time, for example, if the current time is 2012-04-23 16:20:00, and the valid duration is set to 2 hours, then the expiration time is 2012-04-23 18:20:00, converted to seconds based on 1970, it is 1335176400, which is the value of parameter t.
3. Secret key: user provides secret key string.
Example: URL:http://tysxtest.ufile.abc.com.cn/test/3e2_teacher_720p.mp4
Secret key: whaty321;
Expiration time:2 hours. For example, expires at 2019-07-01 12:00, after conversion t=1561953600;
k=md5(whaty321/test/3e2_teacher_720p.mp41561953600)=1100bda530528404109eaa80bd9fb9d8
URL with added anti-theft chain: http://tysxtest.ufile.abc.com.cn/test/3e2_teacher_720p.mp4?k=1100bda530528404109eaa80bd9fb9d8&t=1561953600
The URL using anti-theft chain can be accessed normally, if the value of k does not match, the access will fail, if the check finds the time t has exceeded the valid duration, the check will fail as well.
Operation steps:
1.Enter the UCDN product console and select the domain name to be configured on the Domain Management page.
2.Enter the domain configuration details page, select Domain Configuration → Basic Settings → Access Control, and make the related configurations.
3.Enable configurations like Referer Anti-Theft Chain, IP Blacklist.
After finishing the configuration, you must click on Confirm configuration to successfully modify the configuration.