Referer Access Rules

Last update: 2024-07-12 18:12:15

When a client sends a request to a web server, it typically carries a Referer header, indicating to the web server which page the request originated from. Therefore, access control can be performed based on this header. When a CDN edge server receives a client request, it checks the information in the Referer field of the HTTP request header, and then allows or denies user requests that comply with specific rules. This is suitable for scenarios where the content is only allowed to be accessed from specific pages, such as when users are only allowed to access resources by clicking on links from specific pages.

How to Set Up the Referer Access Rule

  1. Log in to the CDNetworks Console and select the appropriate product.
  2. Go to Configuration, locate the domain you wish to configure, and click Edit Configuration [Feature Upgrade] Advanced Access Control.
  3. Navigate to Hotlinking Protection - Referer Anti-hotlinking in the left sidebar and click Add.
  4. Configure the settings as follows based on your needs.

Effective Range
This defines the range of requests that Referer rules will apply to. You can choose from the following options:

  • All Requests: The access control rule applies to all types of requests.
  • Only Homepage: Applies only to the root directory of the domain, such as http://domain/ or https://domain/.
  • Specified File Type: Applies only to specific types of files. You can select from the predefined file types on the left or define custom file types. Separate multiple custom types with a semicolon (e.g., jpg;png).
  • Specified URI: Applies only to requests for content at a specific URI. Two URI matching options are available:
      • Exact matching: Complete URI, including parameters (e.g., path/index.html?abc=123).
      • Ignore the parameter matching: URI without query parameters (e.g., path/index.html).
  • Specified Directory: Applies to requests under specific directories. For example, /file/abc/ applies to all content under http://domain/file/abc/*.
    Note: Directories must start and end with /, and can only contain letters, numbers, and certain special characters (underscore, hyphen, percent sign, dot). Multiple directories must be separated by line breaks.
  • URL Pattern: Uses regular expressions to control the range of requests that the rules will be applied to. For example, the pattern *.jpg$ ensures that access control applies to all URLs ending with .jpg.

Referer Type
You can set either a Referer blacklist or whitelist:

  • Blacklist: Two options are available:
      • Referer blacklist (Domain): Access is denied if the Referer contains the specified domain. For example, www.test.com. There is no need to add http:// or https:// at the beginning of the domain.
      • Referer blacklist (URL): Access is denied if the Referer contains the specified URL. For example, http://www.test.com/index.html.
  • Whitelist: Two options are available:
      • Referer whitelist (Domain): Access is allowed only if the Referer contains the specified domain. For example, www.test.com. There is no need to add http:// or https:// at the beginning of the domain.
      • Referer whitelist (URL): Access is allowed only if the Referer contains the specified URL. For example, http://www.test.com/index.html.

Tips
Blacklists and whitelists can include multiple domains or URLs, separated by line breaks.
The system supports only one whitelist rule. If multiple Referer values are needed, they must all be included within this single whitelist.
Wildcard domains are now allowed in the whitelist or blacklist.

Action
When the Referer does not meet the set rules, and a request is denied by the CDN, choose whether to return an error code directly or redirect to another URL:

  • Deny Access: The CDN rejects the request with a 403 error.
  • Redirect URL: The CDN redirects the request to another URL.

Allow NULL Referer
Enabling this allows users to access your content directly by typing the URL in their browser’s address bar, even when there is no Referer.

Priority
When multiple access control rules are configured, the CDN prioritizes them based on their numerical value, executing higher numbers first.

After you have completed setting the configurations, please click OK and then select Next to submit your settings. To minimize any potential disruptions to your production environment, we strongly recommend conducting a Pre-deploy test in a staging environment. This crucial step ensures that your configurations are accurate before they go live. Once you have verified the accuracy of the settings, click Deploy Now to implement them in the live environment. The configurations typically become effective within 3-5 minutes. For comprehensive guidance on pre-deployment testing and to verify the effectiveness of your configurations, please consult the tutorial Deploy the Configurations to Staging Environment for Validation.

Best Practices

Example 1: Configure a Referer Blacklist
This example demonstrates how to deny access to all requests under a domain if the request’s Referer contains www.cdnetworks.com or dash.cdnetworks.com. The configuration is as follows:

Example 2: Configure a Referer Whitelist
This example shows how to allow access to all requests under a domain only if the request’s Referer contains www.cdnetworks.com or dash.cdnetworks.com. The configuration is as follows:

Notes

Please DO NOT configure both Referer blacklists and whitelists simultaneously. The Referer is checked against both lists sequentially, which could lead to all CDN access being denied and impact your business. For example, configuring both a Referer blacklist and whitelist as shown below will result in all accesses being denied by the CDN.

Why would all requests be denied?

  1. Requests with a Referer containing www.test.com will be denied access by the CDN due to matching the blacklist rule.
  2. Requests without www.test.com in the Referer, although not denied by the blacklist, will also be denied because they do not match the whitelist criteria, which only allows access for requests with a Referer of www.test.com.

If you need to configure both a blacklist and a whitelist, please contact our technical support for assistance to ensure proper setup.
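
The lockout described above can be reproduced offline before deploying a rule set. The following is an added example, not CDNetworks code: a simplified model that assumes "contains" means substring matching, that a request must pass every rule, and that a missing Referer is decided by the Allow NULL Referer switch. The names RefererRule, evaluate and find_lockout are hypothetical, and the sample Referer values are constructed.

```python
# Simplified model of the evaluation described on this page; not CDNetworks code.
from dataclasses import dataclass


@dataclass
class RefererRule:
    kind: str                        # "blacklist" or "whitelist"
    entries: tuple                   # domains or URLs, one per configured line
    allow_null_referer: bool = False

    def allows(self, referer):
        # Assumption: with no Referer, the "Allow NULL Referer" switch decides.
        if not referer:
            return self.allow_null_referer
        # The page describes matching as "the Referer contains the entry".
        hit = any(entry in referer for entry in self.entries)
        return hit if self.kind == "whitelist" else not hit


def evaluate(rules, referer):
    """Check the Referer against every rule in turn; any denial yields 403."""
    for rule in rules:
        if not rule.allows(referer):
            return 403
    return 200


def find_lockout(rules, sample_referers):
    """True when no sampled Referer is allowed, i.e. the rule set denies everything."""
    return all(evaluate(rules, r) == 403 for r in sample_referers)


# Constructed sample Referer values (www.test.com is the page's own example).
SAMPLES = [
    "http://www.test.com/index.html",
    "https://other.example/gallery.html",
    "",  # request sent without a Referer header
]

WHITELIST_ONLY = [RefererRule("whitelist", ("www.test.com",))]
BOTH_LISTS = [
    RefererRule("blacklist", ("www.test.com",)),
    RefererRule("whitelist", ("www.test.com",)),
]

if __name__ == "__main__":
    for name, rules in (("whitelist only", WHITELIST_ONLY), ("both lists", BOTH_LISTS)):
        print(name, [evaluate(rules, r) for r in SAMPLES], "lockout:", find_lockout(rules, SAMPLES))
```

Running the same sample set against a planned configuration before the Pre-deploy test shows whether any legitimate Referer still gets through.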
