Last update: 2022-06-28 15:35:40
• Entrance
Product → CDN → Media Acceleration Live Broadcast → Configuration → RTMP Livestream → Edit Configuration → Anti Hotlinking
• Introduction
There are three sections under Anti Hotlinking, including:
• Introduction
You can set up a whitelist (Allow) and/or a blacklist (Deny) for access control based on IP address, IP segment, domain, or URL.
Tick Allow, Deny, or both, then enter the target IP address, IP segment, domain, or URL. Each entry should start on a new line.
For example,
127.0.0.1
1.1.1.0/24
www.test.com
http://www.test.com/index.html
If you tick both Allow and Deny, you must choose a “Priority Execution” option, Allow or Deny. The chosen one has higher priority.
For example, in the settings in the screenshot below, Allow has higher priority, which means that only 1.1.1.1 is in the IP whitelist and requests from any other IP address will be rejected. Meanwhile, if a request from IP 1.1.1.1 carries “http://www.domain.com/deny.html” in the Referrer header, it will also be rejected.
• Introduction
Timestamp anti-hotlinking is a time-based access control method that uses an MD5 token. After you enable this feature, clients must carry a token and a timestamp in the request URL as query string parameters. By default, the parameters wsSecret and wsTime carry the token and the timestamp. The parameter names are configurable.
Items | Required/Optional | Remarks |
---|---|---|
Ciphertext parameter name | Optional | The query string parameter name that carries the MD5 token in the URL. The default name is wsSecret and it is configurable. |
Time parameter name | Optional | The query string parameter name that carries the timestamp in the URL. The default name is wsTime and it is configurable. |
KEY | Required | The shared key for MD5 token calculation. |
Encrypted time format | Required | UNIX timestamp (decimal) or UNIX time in hexadecimal format |
Effective time | Required | 1) “By duration”: enter an integer greater than or equal to 1 and less than or equal to 31622400 (1 year) as the duration, that is, the validity period. 2) “By absolute time”: the timestamp carried in wsTime is the expiration time, usually a future time. 3) “By effective time”: when you choose this option, request URLs must carry an additional query string parameter “keeptime” to specify the validity period. For example, keeptime=3600 means that the URL expires after one hour. |
Error time | Optional | A tolerance of time deviation. |
Ciphertext combination | Required | This item determines the string to sign for the MD5 token. For example, if you choose “key+path+time”, then the MD5 token = md5{key+path+time}, in which the key is the shared key, the path is the URI starting with “/”, and time is the value carried by wsTime. |
Confirm all the changes, then choose Pre-deployment or Deploy Now for the next step. Deployment takes 3 to 5 minutes.
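The token calculation and expiry check described in the table above, as an added Python example (not the CDN's own code). It assumes the default wsSecret/wsTime parameter names, the “key+path+time” combination with plain concatenation and a lowercase hex digest, and that Error time extends the expiry; the key and URL are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

def make_token(key, path, time_value):
    # "key+path+time": plain concatenation, lowercase hex digest (assumed).
    return hashlib.md5((key + path + time_value).encode()).hexdigest()

def sign_url(url, key, ts, hex_time=False, keeptime=None):
    # url must not already have a query string; ts is a UNIX time in seconds.
    t = format(ts, "x") if hex_time else str(ts)
    signed = f"{url}?wsSecret={make_token(key, urlsplit(url).path, t)}&wsTime={t}"
    return signed if keeptime is None else f"{signed}&keeptime={keeptime}"

def check_url(url, key, now, mode="duration", duration=3600,
              error_time=0, hex_time=False):
    # mode: "duration", "absolute" or "effective" (the three Effective time options).
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        token, t = query["wsSecret"][0], query["wsTime"][0]
        ts = int(t, 16 if hex_time else 10)
        if mode == "effective":
            # keeptime is outside key+path+time, so this token does not cover it.
            duration = int(query["keeptime"][0])
    except (KeyError, ValueError):
        return False                      # missing or malformed parameter
    expected = make_token(key, parts.path, t)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False                      # key, path or time does not match
    expires = ts if mode == "absolute" else ts + duration
    return now <= expires + error_time    # assumed use of Error time

KEY = "constructed-demo-key"                  # constructed sample value
URL = "rtmp://play.example.com/live/stream"   # constructed sample URL

if __name__ == "__main__":
    issued = 1656430000                       # constructed issue time
    signed = sign_url(URL, KEY, issued)
    print(signed)
    print(check_url(signed, KEY, issued + 10))      # inside the validity period
    print(check_url(signed, KEY, issued + 3601))    # past the validity period
```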
• Introduction
Origin Authentication Anti Hotlinking allows you to pass specific information back to the origin for authentication. CDN servers wait for the green light from the authentication server before giving content to clients. Requests from clients are rejected if the authentication server returns a negative result. The origin side should have an authentication server independent from the content server.
Click Modify and select “On” for Origin Authentication.
When you choose the GET method, the parameters for authentication are carried in the request URL to the origin auth server.
When you choose the POST method, the parameters for authentication are carried in the message body.
The authentication server address is provided by the customer origin and should follow the pattern below:
{http|https}://{host:port}{URI}
in which the URI can include fixed parameters. For example,
https://test.example.com/api/live/check?cdn=ws
http://1.1.1.1:8888/api/live/check?cdn=ws
Tick the parameters that need to be passed to the origin auth server under the “Variable parameters in authentication” option. You can give each parameter a different name; for example, we use “ip” to carry the client IP address, as shown in the screenshot. In the real URL, it looks like xxxxx?ip=12.2.3.4
You can also fill in customized parameters as needed in the “others” box.
This table shows the pre-set parameters:
Field Name | Default parameter name | Remarks |
---|---|---|
CDN node IP | cdnip | Ticked by default. You can also change the default parameter name “cdnip” to what you like, for example, cdnwip |
Channel | channel | Ticked by default. You can also change the default parameter name “channel” to what you like, for example, domain |
Client IP | ip | Ticked by default. You can also change the parameter name to what you like, for example, userip |
HOST | host | Value carried in HOST header |
Push-pull stream type | type | Ticked by default. |
Publish Point(Release point) | app | Ticked by default. |
Others | | You can fill in customized parameters. |
Confirm all the settings you have changed, then choose Pre-deployment or Deploy Now for the next step, which takes 3 to 5 minutes.
• Examples
Assume that a domain was configured as below: