MA-LB :: Anti Hotlinking

Last update:2022-06-28 15:35:40

• Entrance
Product → CDN → Media Acceleration Live Broadcast → Configuration → RTMP Livestream → Edit Configuration → Anti Hotlinking

• Introduction
There are three sections under Anti Hotlinking, including:

  1. Basic Anti-Hotlinking
  2. Timestamp anti-hotlinking
  3. Origin Authentication Anti-Hotlinking

1. Basic Anti-Hotlinking

• Introduction
You can set up a whitelist (allow) and/or a blacklist (deny) for access control based on IP address, IP segment, domain, or URL.


Tick Allow, Deny, or both, then enter the target IP addresses, IP segments, domains, or URLs. Each entry must start on a new line.
For example:
127.0.0.1
1.1.1.0/24
www.test.com
http://www.test.com/index.html

If you tick both Allow and Deny, you must choose one of the “Priority Execution” options, Allow or Deny. The chosen one has higher priority.

For example, in the settings in the screenshot below, Allow has higher priority, which means that only 1.1.1.1 is in the IP whitelist and requests from any other IP address will be rejected. Meanwhile, if a request from IP 1.1.1.1 carries “http://www.domain.com/deny.html” in the Referrer header, it will also be rejected.


2. Timestamp anti-hotlinking

• Introduction
Timestamp anti-hotlinking is a time-based access control method that uses an MD5 token. After enabling this feature, clients must carry a token and a timestamp in the request URL as query string parameters. By default, wsSecret and wsTime carry the token and the timestamp. The parameter names are configurable.

| Items | Required/Optional | Remarks |
|---|---|---|
| Ciphertext parameter name | Optional | The query string parameter name that carries the token in the URL. The default name is wsSecret and it is configurable. |
| Time parameter name | Optional | The query string parameter name that carries the timestamp in the URL. The default name is wsTime and it is configurable. |
| KEY | Required | The shared key for the MD5 token calculation. |
| Encrypted time format | Required | UNIX timestamp (decimal) or UNIX time in hexadecimal format. |
| Effective time | Required | 1) “By duration”: enter an integer greater than or equal to 1 and less than or equal to 31622400 (1 year) as the duration, that is, the validity period. 2) “By absolute time”: the timestamp carried in wsTime is the expiration time, and usually it is a future time. 3) “By effective time”: when you choose this option, request URLs need to carry an additional query string parameter “keeptime” to specify the validity period. For example, keeptime=3600 means that the URL expires after one hour. |
| Error time | Optional | A tolerance for time deviation. |
| Ciphertext combination | Required | This item decides the string that is signed for the MD5 token. For example, if you choose “key+path+time”, then the MD5 token = md5(key+path+time), in which the key is the shared key, the path is the URI starting with “/”, and time is the value carried by wsTime. |


You need to confirm all the changes, then choose Pre-deployment or Deploy Now for the next step. Deployment takes 3 to 5 minutes.
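The following is an added example, not code from the vendor, showing how a URL could be signed and checked with the “key+path+time” combination, the default wsSecret and wsTime names, and the “By duration” mode. The key, host name, lowercase hex digest encoding, and the exact validity window (wsTime minus the error time up to wsTime plus duration plus the error time) are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

KEY = "example-shared-key"  # constructed sample value, not a real key
DURATION = 3600             # "By duration" validity period, seconds
ERROR_TIME = 60             # "Error time" tolerance, seconds


def make_token(key, path, ts_text):
    """md5(key+path+time); lowercase hex output is an assumption."""
    return hashlib.md5((key + path + ts_text).encode()).hexdigest()


def sign_url(url, key=KEY, now=None, hex_time=False):
    """Append wsSecret and wsTime to a URL that has no query string yet."""
    now = int(time.time()) if now is None else now
    ts_text = format(now, "x") if hex_time else str(now)
    token = make_token(key, urlsplit(url).path, ts_text)
    return f"{url}?wsSecret={token}&wsTime={ts_text}"


def verify_url(url, key=KEY, now=None, hex_time=False):
    """Return (ok, reason) for a signed URL under the "By duration" mode."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        token = query["wsSecret"][0]
        ts_text = query["wsTime"][0]
        issued = int(ts_text, 16 if hex_time else 10)
    except (KeyError, ValueError):
        return False, "missing or malformed parameter"
    # Hash the time exactly as it appears in the URL, then compare in
    # constant time so the check does not leak how many characters matched.
    expected = make_token(key, parts.path, ts_text)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "bad token"
    # Assumed validity window around the signed timestamp.
    if now < issued - ERROR_TIME:
        return False, "timestamp in the future"
    if now > issued + DURATION + ERROR_TIME:
        return False, "expired"
    return True, "ok"
```

Because the path and the time are both inside the hashed string, changing the stream name or the timestamp in the URL invalidates the token.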

3. Origin Authentication Anti Hotlinking

• Introduction
Origin Authentication Anti Hotlinking allows you to pass specific information back to the origin for authentication. CDN servers wait for the green light from the authentication server before delivering content to clients. Requests from clients are rejected if the authentication server returns a negative result. The origin side should have an authentication server that is independent of the content server.


Click Modify and select “On” for Origin Authentication.


When you choose the GET method, the parameters for authentication are carried in the request URL sent to the origin auth server.
When you choose the POST method, the parameters for authentication are carried in the message body.

The authentication server address should be provided by the customer origin, and the address format should follow the pattern below:
{http|https}://{host:port}{URI}
in which the URI can include fixed parameters. For example,
https://test.example.com/api/live/check?cdn=ws
http://1.1.1.1:8888/api/live/check?cdn=ws

Please tick the parameters that need to be passed to the origin auth server under the “Variable parameters in authentication” option. You can give each parameter a different name; for example, we use “ip” to carry the client IP address, as shown in the screenshot. In a real URL, it will look like xxxxx?ip=12.2.3.4
You can also fill in customized parameters as needed in the “others” box.

This table shows the pre-set parameters:

| Field Name | Default parameter name | Remarks |
|---|---|---|
| CDN node IP | cdnip | Ticked by default. You can also change the default parameter name “cdnip” to what you like, for example, cdnwip |
| Channel | channel | Ticked by default. You can also change the default parameter name “channel” to what you like, for example, domain |
| Client IP | ip | Ticked by default. You can also change the parameter name to what you like, for example, userip |
| HOST | host | Value carried in HOST header |
| Push-pull stream type | type | Ticked by default. |
| Publish Point (Release point) | app | Ticked by default. |
| Others | | You can fill in customized parameters. |

You need to confirm all the settings you have changed, then choose Pre-deployment or Deploy Now for the next step. Deployment takes 3 to 5 minutes.

• Examples
Assume that a domain was configured as below:

