
Configure access control

Last updated: 2024-03-12 18:00:03

Click Configure in the left navigation pane, find the domain name that you want to configure, and then click Manage in the Operate column. On the page that appears, click Access control in the left navigation pane. Use the Refer Anti-leech, Ip Black & White List Configuration, and TimeStampAndRefer tabs to configure access control.


Referer-based hotlinking prevention

Overview

ReferBlack List: If you select ReferBlack List for Anti-leech Types, HTTP requests whose Referer is in the blacklist are denied access to the current acceleration domain name.
ReferWhite List: If you select ReferWhite List for Anti-leech Types, only HTTP requests whose Referer is in the whitelist are allowed to access the current acceleration domain name.

Procedure

Click the Refer Anti-leech tab and configure Referer-based hotlinking prevention on the tab that appears.

  • You can set the Anti-leech Types parameter to ReferBlack List or ReferWhite List.

  • You can select Allow The Empty Refer Access to allow users to access resources by entering a URL in the browser.

  • A wildcard domain name can be added.


Notes:

  • You cannot configure the Referer blacklist and whitelist for a domain name at the same time.

  • You can use Allow The Empty Refer Access together with the Referer blacklist or whitelist. If Allow The Empty Refer Access is selected, users can access resources by entering a URL in the browser. Otherwise, users are not allowed to access resources by entering a URL in the browser. By default, Allow The Empty Refer Access is selected.

  • You can add multiple Referer URLs to the Referer blacklist or whitelist. Enter a URL in each line. For each domain name, you can configure a maximum of 100 Referer URLs.

Hotlinking prevention based on the IP address blacklist or whitelist

Overview

Ip Black List: If you select Ip Black List for IP Type, the IP addresses in the blacklist are denied access to the current acceleration domain name.
Ip White List: If you select Ip White List for IP Type, only the IP addresses in the whitelist are allowed to access the current acceleration domain name.

Procedure

Click the Ip Black & White List Configuration tab and configure hotlinking prevention based on the IP address blacklist or whitelist on the tab that appears.

  • You can set the IP Type parameter to Ip Black List or Ip White List. You cannot add a Classless Inter-Domain Routing (CIDR) block to the blacklist or whitelist.


Notes:

  • You cannot configure the IP address blacklist and whitelist for a domain name at the same time.

  • Enter an IP address in each line. For each domain name, you can configure a maximum of 100 IP addresses in the blacklist or whitelist.

Hotlinking prevention based on the timestamp and shared key

Overview

Hotlinking prevention based on the timestamp and shared key is intended to set a validity period for the URL of each request. This prevents unauthorized users from referencing or downloading resources when the resources are delivered by Kingsoft Cloud CDN. This ensures service security and avoids CDN bandwidth waste.

Principle

When an edge node verifies an access request, it compares the timestamp value in the URL with the current time. If the timestamp value is smaller than the current time, the URL is considered expired and the authentication fails: the access request is rejected and an HTTP 403 error code is returned. If the timestamp value is greater than the current time, the edge node uses the MD5 hash algorithm to calculate the MD5 value of the key, URI, and timestamp, and compares this value with the MD5 hash value in the access request. If they are the same, access is allowed. Otherwise, the authentication fails, the access request is rejected, and an HTTP 403 error code is returned.

Configuration description

Hotlinking prevention based on the timestamp and shared key takes effect globally. Two types of URLs are supported. You can select a type based on your needs.

Type 1

The encryption string is in the URL parameters, for example, http://DomainName/FileName?t=timestamp&k=md5hash.

Type 2

The encryption string is in the URL path, for example, http://DomainName/md5hash/timestamp/FileName.

Authentication fields

  1. Shared key: You can configure primary and secondary keys. The primary key is required, and the secondary keys are optional. You can configure up to four secondary keys.

  2. Timestamp: the expiration time. You can set the timestamp to the access time or a specific expiration time. If you set the timestamp to the access time, you must set a validity period, for example, 1800s. If the validity period elapses, user authentication fails. For example, if the access time is set to 2020-08-15 15:00:00, the actual expiration time is 2020-08-15 15:30:00.

Example

  1. Select a request object
    Request object: http://ksyun.cdn.com/test.dat

  2. Set shared keys
    Primary key: ksyuncdnexp1. Secondary key: kscdnexp2.

  3. Set the timestamp
    Set the access time to 1511107200, which indicates 2017-11-20 00:00:00.

  4. Calculate the MD5 value
    Use the primary key to calculate the MD5 value. MD5 hash value = MD5 (ksyuncdnexp1/test.dat1511107200) = 2e3c8055078acba25daddbc276e45154

    Type 1 request URL:
    http://ksyun.cdn.com/test.dat?t=1511107200&k=2e3c8055078acba25daddbc276e45154

    Type 2 request URL:
    http://ksyun.cdn.com/2e3c8055078acba25daddbc276e45154/1511107200/test.dat

Authentication succeeds if the MD5 hash value calculated by the edge node is the same as the MD5 hash value in the request. A hash value calculated with either the primary key or a secondary key is accepted.
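The check described under Principle, applied to both URL types, as an added example that is not Kingsoft Cloud's own code. It uses the keys and timestamp from the example above; the function names, the `ttl` parameter that models the validity period, and the strict lowercase-hex format check are assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit, parse_qs

# Keys from the page's example: primary key first, then secondary keys.
KEYS = ["ksyuncdnexp1", "kscdnexp2"]

def sign(key, uri, ts):
    """MD5(key + URI + timestamp), the formula given in the page's example."""
    return hashlib.md5(f"{key}{uri}{ts}".encode()).hexdigest()

def parse(url):
    """Return (uri, timestamp, md5hash) from a Type 1 or Type 2 URL, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "t" in query and "k" in query:        # Type 1: /FileName?t=...&k=...
        uri, ts, digest = parts.path, query["t"][0], query["k"][0]
    else:                                    # Type 2: /md5hash/timestamp/FileName
        segs = parts.path.split("/", 3)
        if len(segs) != 4:
            return None
        digest, ts, uri = segs[1], segs[2], "/" + segs[3]
    # Assumption: reject anything that is not a decimal timestamp and 32 hex chars.
    if not re.fullmatch(r"[0-9]{1,12}", ts) or not re.fullmatch(r"[0-9a-f]{32}", digest):
        return None
    return uri, int(ts), digest

def verify(url, keys, now, ttl=0):
    """Return the status an edge node would answer with: 200 or 403."""
    parsed = parse(url)
    if parsed is None:
        return 403
    uri, ts, digest = parsed
    if ts + ttl < now:                       # expiry is earlier than the current time
        return 403
    for key in keys:                         # primary or any secondary key may match
        expected = sign(key, uri, ts)
        if hmac.compare_digest(expected.encode(), digest.encode()):
            return 200
    return 403

if __name__ == "__main__":
    ts = 1511107200
    k = sign(KEYS[0], "/test.dat", ts)
    for url in (f"http://ksyun.cdn.com/test.dat?t={ts}&k={k}",
                f"http://ksyun.cdn.com/{k}/{ts}/test.dat"):
        print(verify(url, KEYS, now=ts), verify(url, KEYS, now=ts + 1), url)
```

Because the hash covers only the key, URI, and timestamp, a signed URL works for any client until it expires, so the validity period is the main control over how long a copied link stays usable.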

Procedure

Click the TimeStampAndRefer tab and configure hotlinking prevention based on the timestamp and shared key on the tab that appears.


Notes:

  • The shared key must be 6 to 128 characters in length, including uppercase letters, lowercase letters, or digits.

  • You can configure primary and secondary keys. The primary key is required, and the secondary keys are optional. You can configure up to four secondary keys. Separate secondary keys with commas (,).

  • You must enter the expiration time in seconds. The value must be an integer ranging from 0 to 31536000.
