Access Control

Last update:2026-07-02 17:32:06

Access Control lets you control who can access live streams by filtering requests by client IP, HTTP Referer, HTTP User-Agent, signed URL token, or a remote authentication server. Rules can be scoped to a directory, file type, or URL pattern, and each rule can use a priority value to determine evaluation order when more than one rule matches a request.

It includes the following controls:

Control What it filters Protocols
IP Access List Client IP address or CIDR block All
Referer Access List HTTP Referer header HLS, DASH, HTTP-FLV, WebRTC
User-Agent Access List HTTP User-Agent header HLS, DASH, HTTP-FLV, WebRTC
Token Authentication Signed token and timestamp in the URL All
Remote Authentication Your own auth server’s decision All

Before You Begin

  • For Token Authentication, prepare the signing key, URL parameter names, timestamp format, and signature component order.
  • For Remote Authentication, prepare the authentication server URL, expected response status codes, expected response body, timeout policy, and request parameters.

Navigate to Access Control

  1. Go to Media Delivery > Media Acceleration Live Broadcast > Configuration.
  2. Find the domain that you want to configure, then choose Edit Configuration.
  3. In the configuration menu, choose Access Control.
  4. The Access Control page shows IP Access List, Referer Access List, User-Agent Access List, Token Authentication, and Remote Authentication.

Configure IP Access List

IP Access List allows or blocks requests based on the client IP address or CIDR block.

  1. On the Access Control page, next to IP Access List, choose + Add.
  2. In the IP Access List dialog, select an option from Apply to.
Option Target Scope value format
Specific Directory Files under the specified path Path starts and ends with /. Enter one path per line. Example: /live/
Specific File Type Files with the specified extension Enter extensions without dots, separated by semicolons (;). Example: flv;m3u8;ts
URL Pattern (Regex) URLs that match a regular expression Enter the URL path regular expression. Example: live/.*\.(m3u8\|flv)($\|.*)
  1. Enter the scope value.
  2. Under Rule Type, select Blocklist or Allowlist.

Important: Only one allowlist rule is supported. If you need to allow multiple entries, add all entries to the same allowlist rule.

  1. In Blocked IPs and CIDR Blocks or Allowed IPs and CIDR Blocks, enter IP addresses or CIDR blocks separated by semicolons (;). The field supports up to 65,535 characters, which is about 3,000 IP addresses.
  2. In Priority, enter an integer. Rules with a higher value are evaluated first. The default value is 10.
  3. Choose Confirm.

Configure Referer Access List

Referer Access List allows or blocks requests based on the HTTP Referer header. Use it to restrict which websites can embed or link to your live streams.

  1. On the Access Control page, next to Referer Access List, choose + Add.
  2. Select an option from Apply to, then enter the scope value.
  3. Under Rule Type, select Blocklist or Allowlist.

Important: Only one allowlist rule is supported. If you need to allow multiple entries, add all entries to the same allowlist rule.

  1. Choose the input mode:

    • Domain/URL List: Use fixed domain names or full URLs.
    • Regular Expression: Use patterns or wildcard-style matching.
  2. Enter Referer values based on the selected mode.

Domain/URL List mode

Field Format Example
Blocked/Allowed Referers (Domain Only) Domain names without http:// or https://, one per line www.example.com
Blocked/Allowed Referers (Full URL) Full URLs starting with http:// or https://, one per line https://www.example.com/player

Regular Expression mode

Field Required Format Example
Blocked/Allowed Referers (Regex) Yes Regular expressions, one per line ^https?://www\.example\.com/.*
  1. Set Allow Empty Referer. When this option is enabled, requests without a Referer header are allowed.
  2. In Priority, enter an integer. The default value is 10.
  3. Choose Confirm.

Configure User-Agent Access List

User-Agent Access List allows or blocks requests based on the HTTP User-Agent header.

  1. On the Access Control page, next to User-Agent Access List, choose + Add.
  2. Select an option from Apply to, then enter the scope value.
  3. Under Rule Type, select Blocklist or Allowlist.

Important: Only one allowlist rule is supported. If you need to allow multiple entries, add all entries to the same allowlist rule.

  1. In Blocked User-Agent or Allowed User-Agent, enter User-Agent values, one per line.
  2. In Priority, enter an integer. The default value is 10.
  3. Choose Confirm.

Configure Token Authentication

Token Authentication requires playback URLs to include a signature and expiry timestamp. The CDN validates the signature and timestamp before allowing access.

  1. On the Access Control page, next to Token Authentication, choose + Add.
  2. Select an option from Apply to, then enter the scope value.
  3. Configure the token parameters.
Field Required Default Description
Signature Parameter Name No token URL query parameter that carries the signature.
Timestamp Parameter Name No time URL query parameter that carries the expiry timestamp.
KEY Yes Signing key. If you enter multiple keys, separate them with semicolons (;).
Timestamp Format Yes UNIX Timestamp Timestamp format. Options include UNIX Timestamp and Hexadecimal.
Expiration Time Yes Token validity duration in seconds. Maximum: 31536000.
Signature Components Yes KEY+PATH+TIME Order used to concatenate the key, URI path, and timestamp before generating the signature.
  1. For Signature Components, select the option that matches your playback URL signing logic.
Option Concatenation order
KEY+PATH+TIME key → URI path → timestamp
KEY+TIME+PATH key → timestamp → URI path
PATH+KEY+TIME URI path → key → timestamp
PATH+TIME+KEY URI path → timestamp → key
TIME+PATH+KEY timestamp → URI path → key
TIME+KEY+PATH timestamp → key → URI path
  1. Choose Confirm.

Configure Remote Authentication

Remote Authentication forwards request information to your authentication server and allows or denies access based on the server response.

Note: Remote Authentication is not available for HLS origin-pull domains.

  1. On the Access Control page, next to Remote Authentication, choose Edit.
  2. In the Remote Authentication dialog, set Remote Authentication to On.
  3. Under Auth Method, select GET or POST.
  4. In Auth Server URL, enter the full authentication endpoint URL, including protocol, host, port if needed, path, and fixed query parameters. Example: https://auth.example.com/api/check?service=live.
  5. Optional: In Auth Host, enter a Host header value if the Host header sent to the authentication server must be different from the URL hostname.
  6. Under Parameter Retention, select how original URL parameters are forwarded.
Option Behavior
Retain all Forward all query parameters from the original request URL.
Delete all Do not forward original query parameters.
Retain specified Forward only the specified query parameters.
  1. Under Auth Variables, choose Click for configuration, then select the variables to include in the authentication request. You can also customize the parameter name sent to the authentication server.
Variable Default parameter name Description
Client IP ip Client IP address.
Stream Name streamName Live stream name.
Stream Type type Stream protocol type.
HOST host Original request hostname.
CDN Edge IP cdnip CDN edge node IP address.
Application name appName Live application name.
Server IP serverIp CDN server IP address.
Request URL url Original request URL.
Request Referer referer Original request Referer header.
  1. Under Validation Criteria, select Success or Failure, then configure the response match conditions:
    • HTTP status codes: HTTP status codes returned by the authentication server, separated by semicolons (;).
    • Response body: Response body content returned by the authentication server.
  2. In Timeout, enter a value from 1 to 10 seconds. The default value is 5.
  3. In Retry Count, enter a value from 0 to 5. The default value is 0.
  4. Under Action on Timeout, select the action to take when the authentication server does not respond before the timeout:
    • Allow access: Allow the request when authentication times out.
    • Deny access: Deny the request when authentication times out.
  5. Choose Confirm.

Reference

Protocol Support Matrix

Feature HLS DASH HTTP-FLV WebRTC RTMP
IP Access List
Referer Access List
User-Agent Access List
Token Authentication
Remote Authentication
Is the content of this document helpful to you?
Yes
I have suggestion
Submitted successfully! Thank you very much for your feedback, we will continue to strive to do better!