ApsaraVideo Live supports access control through Referer, User-Agent, and IP address blacklists or whitelists to restrict unauthorized access to your video resources.
Overview
Access control lets you configure cloud-side policies that protect video resources. It requires only console configuration with no additional development and takes effect immediately. Supported policies:
- Referer blacklist or whitelist
- User-Agent blacklist or whitelist
- IP address blacklist or whitelist

User-Agent blacklist or whitelist configuration is unavailable in the ApsaraVideo Live console due to complexity and misconfiguration risks. To configure one, submit a ticket to contact Alibaba Cloud technical support. For more information, see Contact us.
Scenarios
- Simple to configure and effective for basic protection, especially against browser-based unauthorized access.
- Referer and User-Agent controls rely on HTTP headers, which are prone to forgery and provide limited security.
- IP-based controls are difficult to manage at scale and unsuitable for large-scale content distribution.

Referer blacklist or whitelist
- Overview
  - The HTTP Referer header identifies request origins. Configure a Referer blacklist or whitelist to filter requests and control access to video resources.
  - When a request reaches an Alibaba Cloud CDN point of presence (POP), the POP checks it against the Referer list. Matching requests receive the video data; non-matching requests receive HTTP 403.
  - No Referer blacklist or whitelist is enabled by default. Configure one based on your business requirements.
  - Wildcard domain names are supported. For example, if you specify example.com, the list matches the wildcard domain name *.example.com and all its subdomains.
  - You can specify whether to allow requests with an empty Referer header. Allowing empty headers lets users access resources by entering URLs directly in a browser.
- Configuration methods
  - Console: For more information, see Configure hotlink protection.
  - API: Call the BatchSetLiveDomainConfigs operation to configure multiple domain names at a time, including configuration of the Referer blacklist or whitelist.

    Add the Java SDK dependency to pom.xml.

    ```xml
    <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>alibabacloud-live20161101</artifactId>
        <version>2.0.3</version>
    </dependency>
    ```

    Configure Referer-based hotlink protection:

    ```java
    // This file is auto-generated, don't edit it. Thanks.
    package demo;

    import com.aliyun.auth.credentials.Credential;
    import com.aliyun.auth.credentials.provider.StaticCredentialProvider;
    import com.aliyun.core.http.HttpClient;
    import com.aliyun.core.http.HttpMethod;
    import com.aliyun.core.http.ProxyOptions;
    import com.aliyun.httpcomponent.httpclient.ApacheAsyncHttpClientBuilder;
    import com.aliyun.sdk.service.live20161101.models.*;
    import com.aliyun.sdk.service.live20161101.*;
    import com.google.gson.Gson;
    import darabonba.core.RequestConfiguration;
    import darabonba.core.client.ClientOverrideConfiguration;
    import darabonba.core.utils.CommonUtil;
    import darabonba.core.TeaPair;

    //import javax.net.ssl.KeyManager;
    //import javax.net.ssl.X509TrustManager;
    import java.net.InetSocketAddress;
    import java.time.Duration;
    import java.util.*;
    import java.util.concurrent.CompletableFuture;
    import java.io.*;

    public class BatchSetLiveDomainConfigs {
        public static void main(String[] args) throws Exception {

            // HttpClient Configuration
            /*HttpClient httpClient = new ApacheAsyncHttpClientBuilder()
                    .connectionTimeout(Duration.ofSeconds(10)) // Set the connection timeout time, the default is 10 seconds
                    .responseTimeout(Duration.ofSeconds(10)) // Set the response timeout time, the default is 20 seconds
                    .maxConnections(128) // Set the connection pool size
                    .maxIdleTimeOut(Duration.ofSeconds(50)) // Set the connection pool timeout, the default is 30 seconds
                    // Configure the proxy
                    .proxy(new ProxyOptions(ProxyOptions.Type.HTTP, new InetSocketAddress("<YOUR-PROXY-HOSTNAME>", 9001))
                            .setCredentials("<YOUR-PROXY-USERNAME>", "<YOUR-PROXY-PASSWORD>"))
                    // If it is an https connection, you need to configure the certificate, or ignore the certificate(.ignoreSSL(true))
                    .x509TrustManagers(new X509TrustManager[]{})
                    .keyManagers(new KeyManager[]{})
                    .ignoreSSL(false)
                    .build();*/

            // Configure Credentials authentication information, including ak, secret, token
            StaticCredentialProvider provider = StaticCredentialProvider.create(Credential.builder()
                    // Please ensure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are set.
                    .accessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                    .accessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
                    //.securityToken(System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN")) // use STS token
                    .build());

            // Configure the Client
            AsyncClient client = AsyncClient.builder()
                    .region("<Your RegionId>") // Region ID
                    //.httpClient(httpClient) // Use the configured HttpClient, otherwise use the default HttpClient (Apache HttpClient)
                    .credentialsProvider(provider)
                    //.serviceConfiguration(Configuration.create()) // Service-level configuration
                    // Client-level configuration rewrite, can set Endpoint, Http request parameters, etc.
                    .overrideConfiguration(
                            ClientOverrideConfiguration.create()
                                    // The service endpoint. Refer to https://api.alibabacloud.com/product/live.
                                    .setEndpointOverride("live.aliyuncs.com")
                            //.setConnectTimeout(Duration.ofSeconds(30))
                    )
                    .build();

            // Parameter settings for API request
            BatchSetLiveDomainConfigsRequest batchSetLiveDomainConfigsRequest = BatchSetLiveDomainConfigsRequest.builder()
                    .domainNames("<Your DomainNames>")
                    .functions("<Your Functions>")
                    // Request-level configuration rewrite, can set Http request parameters, etc.
                    // .requestConfiguration(RequestConfiguration.create().setHttpHeaders(new HttpHeaders()))
                    .build();

            // Asynchronously get the return value of the API request
            CompletableFuture<BatchSetLiveDomainConfigsResponse> response = client.batchSetLiveDomainConfigs(batchSetLiveDomainConfigsRequest);
            // Synchronously get the return value of the API request
            BatchSetLiveDomainConfigsResponse resp = response.get();
            System.out.println(new Gson().toJson(resp));
            // Asynchronous processing of return values
            /*response.thenAccept(resp -> {
                System.out.println(new Gson().toJson(resp));
            }).exceptionally(throwable -> { // Handling exceptions
                System.out.println(throwable.getMessage());
                return null;
            });*/

            // Finally, close the client
            client.close();
        }
    }
    ```

    Note
    - In this example, DomainNames specifies the streaming domain. The referer_white_domain_list field lists the whitelisted domain names. The allow_empty parameter is set to off to deny requests with an empty Referer header.
    - For information about the server SDK for Java, see Use the server SDK for Java.
- Usage notes

  Important
  - The blacklist and whitelist are mutually exclusive.
  - Mobile clients send requests with an empty Referer header by default. To deny these requests, configure a trusted Referer header for mobile clients through ApsaraVideo Player.
  - If you deny empty Referer headers, configure HTTPS secure acceleration and URL redirection to redirect HTTP requests to HTTPS. This prevents browsers from stripping the Referer header when HTTPS pages request HTTP resources.
- Example

  You configure a Referer whitelist that includes example.com for the streaming domain demo.developer.aliyundoc.com and deny requests that have an empty Referer header.
  - Sample request:

    ```shell
    curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000'
    ```
  - Sample error response:

    ```
    X-Tengine-Error:denied by Referer ACL
    ```
  - Sample request with the trusted Referer header:

    ```shell
    curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000' \
      -H 'Referer: http://www.example.com'
    ```

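The matching rules described in this section, as an added example that is not part of the original page or Alibaba Cloud's code: a small Python model of the Referer check, useful for reasoning about which requests a list admits. It assumes a list entry matches the domain itself and any subdomain, and that a value with no parseable host is denied; all function names are hypothetical.

```python
from urllib.parse import urlsplit

def referer_host(referer):
    """Return the lower-cased host in a Referer value, or None if there is none."""
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    return host.rstrip(".").lower() if host else None

def domain_matches(host, entry):
    """True if host is entry or a subdomain of it, compared on a label boundary."""
    entry = entry.lower().lstrip("*.")
    return host == entry or host.endswith("." + entry)

def check_referer(referer, domains, mode="whitelist", allow_empty=False):
    """Return the status this model assigns to a request: 200 or 403."""
    if not referer or not referer.strip():
        return 200 if allow_empty else 403
    host = referer_host(referer)
    if host is None:
        return 403              # assumption: unparseable values fail closed
    listed = any(domain_matches(host, d) for d in domains)
    if mode == "whitelist":
        return 200 if listed else 403
    return 403 if listed else 200

# Constructed sample requests against the page's whitelist entry example.com,
# with empty Referer headers denied.
SAMPLES = [
    None,                                   # curl without -H 'Referer: ...'
    "http://www.example.com",               # the page's trusted Referer
    "https://example.com/player.html",      # the listed domain itself
    "http://notexample.com/",               # shares a suffix, not a subdomain
    "http://example.com.other.test/",       # listed name used as a prefix
    "www.example.com",                      # no scheme, so no host to match
]

def run_samples():
    return [check_referer(r, ["example.com"]) for r in SAMPLES]

if __name__ == "__main__":
    for referer, status in zip(SAMPLES, run_samples()):
        print(status, referer)
```
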
User-Agent blacklist or whitelist
- Overview

  The User-Agent header identifies the client's operating system and browser. Configure a User-Agent blacklist or whitelist to control access from specific browsers or devices.
- Configuration methods

  To configure a User-Agent blacklist or whitelist, submit a ticket to contact Alibaba Cloud technical support. For more information, see Contact us.
- Example
  - User-Agent header from Internet Explorer 9 on a PC:

    ```
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0;
    ```
  - Request with a custom User-Agent header:

    ```shell
    curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000' \
      -H 'User-Agent: iPhone OS;MI 5'
    ```

IP address blacklist or whitelist
- Overview

  Configure an IP address blacklist or whitelist to deny or allow access from specific IP addresses.
  - IP addresses on the blacklist cannot access the accelerated domain name.
  - Only IP addresses on the whitelist can access the accelerated domain name.
  - You can add individual IP addresses or CIDR blocks.

    For example, 127.0.0.0/24 covers IP addresses from 127.0.0.0 to 127.0.0.254. The /24 subnet mask designates the first 24 bits as the network portion, leaving 8 bits for hosts (2^8 - 2 = 254 usable addresses).
- Configuration methods
  - Console: For more information, see Configure an IP address blacklist or whitelist.
  - API: Call the BatchSetLiveDomainConfigs operation to configure multiple domain names at a time, including configuration of the IP address blacklist or whitelist.

    Configure an IP address whitelist using the Java server SDK:

    ```java
    // This file is auto-generated, don't edit it. Thanks.
    package demo;

    import com.aliyun.auth.credentials.Credential;
    import com.aliyun.auth.credentials.provider.StaticCredentialProvider;
    import com.aliyun.core.http.HttpClient;
    import com.aliyun.core.http.HttpMethod;
    import com.aliyun.core.http.ProxyOptions;
    import com.aliyun.httpcomponent.httpclient.ApacheAsyncHttpClientBuilder;
    import com.aliyun.sdk.service.live20161101.models.*;
    import com.aliyun.sdk.service.live20161101.*;
    import com.google.gson.Gson;
    import darabonba.core.RequestConfiguration;
    import darabonba.core.client.ClientOverrideConfiguration;
    import darabonba.core.utils.CommonUtil;
    import darabonba.core.TeaPair;

    //import javax.net.ssl.KeyManager;
    //import javax.net.ssl.X509TrustManager;
    import java.net.InetSocketAddress;
    import java.time.Duration;
    import java.util.*;
    import java.util.concurrent.CompletableFuture;
    import java.io.*;

    public class BatchSetLiveDomainConfigs {
        public static void main(String[] args) throws Exception {

            // HttpClient Configuration
            /*HttpClient httpClient = new ApacheAsyncHttpClientBuilder()
                    .connectionTimeout(Duration.ofSeconds(10)) // Set the connection timeout time, the default is 10 seconds
                    .responseTimeout(Duration.ofSeconds(10)) // Set the response timeout time, the default is 20 seconds
                    .maxConnections(128) // Set the connection pool size
                    .maxIdleTimeOut(Duration.ofSeconds(50)) // Set the connection pool timeout, the default is 30 seconds
                    // Configure the proxy
                    .proxy(new ProxyOptions(ProxyOptions.Type.HTTP, new InetSocketAddress("<YOUR-PROXY-HOSTNAME>", 9001))
                            .setCredentials("<YOUR-PROXY-USERNAME>", "<YOUR-PROXY-PASSWORD>"))
                    // If it is an https connection, you need to configure the certificate, or ignore the certificate(.ignoreSSL(true))
                    .x509TrustManagers(new X509TrustManager[]{})
                    .keyManagers(new KeyManager[]{})
                    .ignoreSSL(false)
                    .build();*/

            // Configure Credentials authentication information, including ak, secret, token
            StaticCredentialProvider provider = StaticCredentialProvider.create(Credential.builder()
                    // Please ensure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are set.
                    .accessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                    .accessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
                    //.securityToken(System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN")) // use STS token
                    .build());

            // Configure the Client
            AsyncClient client = AsyncClient.builder()
                    .region("<Your RegionId>") // Region ID
                    //.httpClient(httpClient) // Use the configured HttpClient, otherwise use the default HttpClient (Apache HttpClient)
                    .credentialsProvider(provider)
                    //.serviceConfiguration(Configuration.create()) // Service-level configuration
                    // Client-level configuration rewrite, can set Endpoint, Http request parameters, etc.
                    .overrideConfiguration(
                            ClientOverrideConfiguration.create()
                                    // The service endpoint. Refer to https://api.alibabacloud.com/product/live.
                                    .setEndpointOverride("live.aliyuncs.com")
                            //.setConnectTimeout(Duration.ofSeconds(30))
                    )
                    .build();

            // Parameter settings for API request
            BatchSetLiveDomainConfigsRequest batchSetLiveDomainConfigsRequest = BatchSetLiveDomainConfigsRequest.builder()
                    .domainNames("<Your DomainNames>")
                    .functions("<Your Functions>")
                    // Request-level configuration rewrite, can set Http request parameters, etc.
                    // .requestConfiguration(RequestConfiguration.create().setHttpHeaders(new HttpHeaders()))
                    .build();

            // Asynchronously get the return value of the API request
            CompletableFuture<BatchSetLiveDomainConfigsResponse> response = client.batchSetLiveDomainConfigs(batchSetLiveDomainConfigsRequest);
            // Synchronously get the return value of the API request
            BatchSetLiveDomainConfigsResponse resp = response.get();
            System.out.println(new Gson().toJson(resp));
            // Asynchronous processing of return values
            /*response.thenAccept(resp -> {
                System.out.println(new Gson().toJson(resp));
            }).exceptionally(throwable -> { // Handling exceptions
                System.out.println(throwable.getMessage());
                return null;
            });*/

            // Finally, close the client
            client.close();
        }
    }
    ```

    Note
    - In this example, DomainNames specifies the streaming domain. IP addresses in the 127.0.0.0/24 CIDR block are added to the whitelist.
    - For information about the server SDK for Java, see Use the server SDK for Java.
- Usage notes

  Important
  - The blacklist and whitelist are mutually exclusive.
  - You can add up to 3,000 IPv4 addresses or 1,000 IPv6 addresses. IPv6 addresses are case-insensitive and must use full notation.

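A pre-flight check for an IP list before it is submitted, as an added example that is not part of the original page or the SDK: it validates each entry, rejects CIDR blocks with host bits set, expands IPv6 to full notation, de-duplicates, and applies the limits stated above. Counting one list entry as one address toward the limit is an assumption, and the function names are hypothetical.

```python
import ipaddress

# Limits as stated on this page; one list entry counted as one address (assumption).
MAX_IPV4, MAX_IPV6 = 3000, 1000

def normalize_entry(entry):
    """Return (ip_version, canonical_text) for one address or CIDR block.

    Raises ValueError for malformed input or a CIDR block with host bits set
    (for example 192.0.2.7/24), which usually signals a typo in the prefix.
    """
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=True)
        base = net.network_address
        text = base.exploded if net.version == 6 else str(base)
        return net.version, f"{text}/{net.prefixlen}"
    addr = ipaddress.ip_address(entry)
    return addr.version, addr.exploded if addr.version == 6 else str(addr)

def prepare_ip_list(entries):
    """Validate, expand and de-duplicate entries; return (ipv4, ipv6, errors)."""
    seen, ipv4, ipv6, errors = set(), [], [], []
    for raw in entries:
        try:
            version, text = normalize_entry(raw)
        except ValueError as exc:
            errors.append(f"{raw!r}: {exc}")
            continue
        if text in seen:            # same address written two ways
            continue
        seen.add(text)
        (ipv4 if version == 4 else ipv6).append(text)
    if len(ipv4) > MAX_IPV4:
        errors.append(f"{len(ipv4)} IPv4 entries exceed the limit of {MAX_IPV4}")
    if len(ipv6) > MAX_IPV6:
        errors.append(f"{len(ipv6)} IPv6 entries exceed the limit of {MAX_IPV6}")
    return ipv4, ipv6, errors

# Constructed sample input (documentation ranges, not real clients).
SAMPLE = ["127.0.0.0/24", "198.51.100.7", "2001:DB8::1", "2001:db8::/32",
          "192.0.2.7/24", "2001:db8:0:0:0:0:0:1", "not-an-ip"]

if __name__ == "__main__":
    v4, v6, errs = prepare_ip_list(SAMPLE)
    print(v4, v6, errs, sep="\n")
```
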