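ApsaraVideo Live supports access control through Referer blacklists and whitelists, User-Agent blacklists and whitelists, and IP blacklists and whitelists. This topic describes the access control feature, the scenarios it suits, and how to use it.
Overview
Access control means configuring access policies for video resources in the cloud to provide basic protection. It has a low barrier to entry (cloud-side configuration only, no additional development) and takes effect quickly. The main mechanisms are:
Referer blacklist and whitelist
User-Agent blacklist and whitelist
IP blacklist and whitelist
Because User-Agent blacklists and whitelists are tedious to configure and carry a risk of misoperation, they cannot currently be set in the console. If you need them, submit a ticket to contact Alibaba Cloud technical support. For how to submit a ticket, see Contact Us.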
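Applicable scenarios
Access control has a very low barrier to entry: it needs only simple configuration and provides a degree of protection, especially on the web.
Referer and User-Agent are both based on HTTP headers, which are easy to forge, so they offer low security.
The IP blacklist/whitelist mechanism has limitations in managing users at scale and is not suitable for broad content-consumption scenarios.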
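Referer blacklist and whitelist
Introduction
Using the Referer mechanism of the HTTP protocol, you can configure a Referer blacklist or whitelist to restrict access to video resources.
When a request reaches a CDN node, the node filters it against the configured blacklist or whitelist. Requests that satisfy the rules can access the video data; all others receive a 403 response code.
The Referer blacklist/whitelist is an optional setting and is disabled by default.
After configuration, wildcard domain support is added automatically. For example, if you enter example.com, the configuration that takes effect is *.example.com, and all subdomains are covered. You can set whether requests with an empty Referer field may access resources, that is, whether a resource can be accessed by entering its URL directly in the browser address bar.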
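Usage
Console: For the procedure, see Hotlink protection.
API: Call the BatchSetLiveDomainConfigs operation to configure live streaming domains in batches, including the Referer blacklist or whitelist.
Add the Java SDK to your pom.xml file:
```xml
<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>alibabacloud-live20161101</artifactId>
    <version>2.0.3</version>
</dependency>
```
The following sample code uses the Java SDK to set Referer hotlink protection: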
```java
// This file is auto-generated, don't edit it. Thanks.
package demo;

import com.aliyun.auth.credentials.Credential;
import com.aliyun.auth.credentials.provider.StaticCredentialProvider;
import com.aliyun.core.http.HttpClient;
import com.aliyun.core.http.HttpMethod;
import com.aliyun.core.http.ProxyOptions;
import com.aliyun.httpcomponent.httpclient.ApacheAsyncHttpClientBuilder;
import com.aliyun.sdk.service.live20161101.models.*;
import com.aliyun.sdk.service.live20161101.*;
import com.google.gson.Gson;
import darabonba.core.RequestConfiguration;
import darabonba.core.client.ClientOverrideConfiguration;
import darabonba.core.utils.CommonUtil;
import darabonba.core.TeaPair;

//import javax.net.ssl.KeyManager;
//import javax.net.ssl.X509TrustManager;
import java.net.InetSocketAddress;
import java.time.Duration;
import java.util.*;
import java.util.concurrent.CompletableFuture;
import java.io.*;

public class BatchSetLiveDomainConfigs {
    public static void main(String[] args) throws Exception {

        // HttpClient Configuration
        /*HttpClient httpClient = new ApacheAsyncHttpClientBuilder()
                .connectionTimeout(Duration.ofSeconds(10)) // Set the connection timeout time, the default is 10 seconds
                .responseTimeout(Duration.ofSeconds(10)) // Set the response timeout time, the default is 20 seconds
                .maxConnections(128) // Set the connection pool size
                .maxIdleTimeOut(Duration.ofSeconds(50)) // Set the connection pool timeout, the default is 30 seconds
                // Configure the proxy
                .proxy(new ProxyOptions(ProxyOptions.Type.HTTP, new InetSocketAddress("<YOUR-PROXY-HOSTNAME>", 9001))
                        .setCredentials("<YOUR-PROXY-USERNAME>", "<YOUR-PROXY-PASSWORD>"))
                // If it is an https connection, you need to configure the certificate, or ignore the certificate(.ignoreSSL(true))
                .x509TrustManagers(new X509TrustManager[]{})
                .keyManagers(new KeyManager[]{})
                .ignoreSSL(false)
                .build();*/

        // Configure Credentials authentication information, including ak, secret, token
        StaticCredentialProvider provider = StaticCredentialProvider.create(Credential.builder()
                // Please ensure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are set.
                .accessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                .accessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
                //.securityToken(System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN")) // use STS token
                .build());

        // Configure the Client
        AsyncClient client = AsyncClient.builder()
                .region("<Your RegionId>") // Region ID
                //.httpClient(httpClient) // Use the configured HttpClient, otherwise use the default HttpClient (Apache HttpClient)
                .credentialsProvider(provider)
                //.serviceConfiguration(Configuration.create()) // Service-level configuration
                // Client-level configuration rewrite, can set Endpoint, Http request parameters, etc.
                .overrideConfiguration(
                        ClientOverrideConfiguration.create()
                                // For the endpoint, see https://api.aliyun.com/product/live
                                .setEndpointOverride("live.aliyuncs.com")
                        //.setConnectTimeout(Duration.ofSeconds(30))
                )
                .build();

        // Parameter settings for API request
        BatchSetLiveDomainConfigsRequest batchSetLiveDomainConfigsRequest = BatchSetLiveDomainConfigsRequest.builder()
                .domainNames("<Your DomainNames>")
                .functions("<Your Functions>")
                // Request-level configuration rewrite, can set Http request parameters, etc.
                // .requestConfiguration(RequestConfiguration.create().setHttpHeaders(new HttpHeaders()))
                .build();

        // Asynchronously get the return value of the API request
        CompletableFuture<BatchSetLiveDomainConfigsResponse> response = client.batchSetLiveDomainConfigs(batchSetLiveDomainConfigsRequest);
        // Synchronously get the return value of the API request
        BatchSetLiveDomainConfigsResponse resp = response.get();
        System.out.println(new Gson().toJson(resp));
        // Asynchronous processing of return values
        /*response.thenAccept(resp -> {
            System.out.println(new Gson().toJson(resp));
        }).exceptionally(throwable -> { // Handling exceptions
            System.out.println(throwable.getMessage());
            return null;
        });*/

        // Finally, close the client
        client.close();
    }
}
```
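Note: The sample code above sets a Referer hotlink-protection whitelist for <DomainNames>. The whitelisted domain list is <referer_white_domain_list>, and access with an empty Referer is not allowed (allow_empty is <off>).
For details on using the Java SDK, see the Java SDK usage instructions.
Notes
Important: The blacklist and the whitelist are mutually exclusive; you can configure only one of them.
Mobile clients allow empty-Referer access by default; you can turn this off. If empty-Referer access is not allowed, you can set the Referer through the Alibaba Cloud player.
When you disallow empty-Referer access, be sure to configure HTTPS secure acceleration and enable forced redirection to HTTPS (HTTP > HTTPS). Some browsers remove the Referer when an HTTPS page requests an HTTP resource, which makes the resource inaccessible.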
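Example
Suppose the Referer whitelist of the streaming domain demo.developer.aliyundoc.com is set to example.com and empty-Referer access is not allowed. Send a request:
```bash
curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000'
```
The response contains:
X-Tengine-Error:denied by Referer ACL
When the request carries an allowed Referer, the response is returned normally:
```bash
curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000' \
  -H 'Referer: http://www.example.com'
```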
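The rules described in this section, as an added example (not Alibaba Cloud's code): a small Python model of the blacklist/whitelist decision, useful for writing down the expected 200/403 result of each curl check before testing a deployed configuration. That the bare domain also matches `*.example.com`, and that a malformed Referer is treated as non-matching rather than empty, are assumptions of this model; the function names are hypothetical.

```python
from urllib.parse import urlsplit


def host_matches(host, entry):
    """An entry such as example.com takes effect as *.example.com.
    Assumption: the bare domain itself is covered as well."""
    entry = entry.lower()
    if entry.startswith("*."):
        entry = entry[2:]
    # Compare on a label boundary so notexample.com does not match example.com.
    return host == entry or host.endswith("." + entry)


def decide(referer, entries, mode="white", allow_empty=False):
    """Return the status a node would answer under this model: 200 or 403.

    referer     -- raw Referer header value, or None when the header is absent
    entries     -- configured domains (one list only: black and white are exclusive)
    mode        -- "white" or "black"
    allow_empty -- whether requests without a Referer may access the resource
    """
    if mode not in ("white", "black"):
        raise ValueError("mode must be 'white' or 'black'")
    if referer is None or not referer.strip():
        return 200 if allow_empty else 403
    # Assumption: a value with no parseable host matches no entry.
    host = (urlsplit(referer.strip()).hostname or "").lower()
    listed = any(host_matches(host, e) for e in entries)
    allowed = listed if mode == "white" else not listed
    return 200 if allowed else 403


# Constructed test matrix for the whitelist example.com with allow_empty off.
EXPECTED = [
    (None, 403),                               # curl without -H 'Referer: ...'
    ("http://www.example.com", 200),           # subdomain covered by the wildcard
    ("http://example.com.other.test/", 403),   # whitelisted name is only a prefix
    ("http://notexample.com/", 403),           # no label boundary before example.com
]


def check_matrix():
    """Return the rows where the model disagrees with the expected status."""
    return [(r, want) for r, want in EXPECTED
            if decide(r, ["example.com"]) != want]
```

Because the Referer is supplied by the client, a 200 row only shows that the rule is configured as intended, not that the requester is a legitimate page.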
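User-Agent blacklist and whitelist
Introduction
User-Agent is a header string that identifies information such as the user's operating system, browser, and browser version. A User-Agent blacklist or whitelist can restrict access from specific browsers or devices.
Usage
Submit a ticket to contact Alibaba Cloud technical support. For how to submit a ticket, see Contact Us.
Example
For example, the IE9 browser on a PC:
User-Agent:Mozilla/5.0(compatible;MSIE9.0;WindowsNT6.1;Trident/5.0;
You can simulate an HTTP request to verify the configuration:
```bash
curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000' \
  -H 'User-Agent: iPhone OS;MI 5'
```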
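IP blacklist and whitelist
Introduction
You can configure an IP blacklist or whitelist to deny access from specific IP addresses or to allow access only from them.
Adding an IP address to the blacklist denies that address access to the current accelerated domain name.
Adding an IP address to the whitelist allows only that address to access the current accelerated domain name.
You can add a list of IP addresses, and you can also add IP CIDR blocks.
For example, in the CIDR block 127.0.0.0/24, 24 means that the first 24 bits of the subnet mask are significant, so 32-24=8 bits represent the host number. The subnet can hold 2^8-2=254 hosts, so it represents the IP range 127.0.0.0~127.0.0.254.
IPv6 addresses are supported.
Usage
Console: For the procedure, see IP blacklist and whitelist.
API: Call the BatchSetLiveDomainConfigs operation to configure live streaming domains in batches, including the IP blacklist or whitelist.
The following sample code uses the Java SDK to set an IP blacklist or whitelist: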
```java
// This file is auto-generated, don't edit it. Thanks.
package demo;

import com.aliyun.auth.credentials.Credential;
import com.aliyun.auth.credentials.provider.StaticCredentialProvider;
import com.aliyun.core.http.HttpClient;
import com.aliyun.core.http.HttpMethod;
import com.aliyun.core.http.ProxyOptions;
import com.aliyun.httpcomponent.httpclient.ApacheAsyncHttpClientBuilder;
import com.aliyun.sdk.service.live20161101.models.*;
import com.aliyun.sdk.service.live20161101.*;
import com.google.gson.Gson;
import darabonba.core.RequestConfiguration;
import darabonba.core.client.ClientOverrideConfiguration;
import darabonba.core.utils.CommonUtil;
import darabonba.core.TeaPair;

//import javax.net.ssl.KeyManager;
//import javax.net.ssl.X509TrustManager;
import java.net.InetSocketAddress;
import java.time.Duration;
import java.util.*;
import java.util.concurrent.CompletableFuture;
import java.io.*;

public class BatchSetLiveDomainConfigs {
    public static void main(String[] args) throws Exception {

        // HttpClient Configuration
        /*HttpClient httpClient = new ApacheAsyncHttpClientBuilder()
                .connectionTimeout(Duration.ofSeconds(10)) // Set the connection timeout time, the default is 10 seconds
                .responseTimeout(Duration.ofSeconds(10)) // Set the response timeout time, the default is 20 seconds
                .maxConnections(128) // Set the connection pool size
                .maxIdleTimeOut(Duration.ofSeconds(50)) // Set the connection pool timeout, the default is 30 seconds
                // Configure the proxy
                .proxy(new ProxyOptions(ProxyOptions.Type.HTTP, new InetSocketAddress("<YOUR-PROXY-HOSTNAME>", 9001))
                        .setCredentials("<YOUR-PROXY-USERNAME>", "<YOUR-PROXY-PASSWORD>"))
                // If it is an https connection, you need to configure the certificate, or ignore the certificate(.ignoreSSL(true))
                .x509TrustManagers(new X509TrustManager[]{})
                .keyManagers(new KeyManager[]{})
                .ignoreSSL(false)
                .build();*/

        // Configure Credentials authentication information, including ak, secret, token
        StaticCredentialProvider provider = StaticCredentialProvider.create(Credential.builder()
                // Please ensure that the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are set.
                .accessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                .accessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
                //.securityToken(System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN")) // use STS token
                .build());

        // Configure the Client
        AsyncClient client = AsyncClient.builder()
                .region("<Your RegionId>") // Region ID
                //.httpClient(httpClient) // Use the configured HttpClient, otherwise use the default HttpClient (Apache HttpClient)
                .credentialsProvider(provider)
                //.serviceConfiguration(Configuration.create()) // Service-level configuration
                // Client-level configuration rewrite, can set Endpoint, Http request parameters, etc.
                .overrideConfiguration(
                        ClientOverrideConfiguration.create()
                                // For the endpoint, see https://api.aliyun.com/product/live
                                .setEndpointOverride("live.aliyuncs.com")
                        //.setConnectTimeout(Duration.ofSeconds(30))
                )
                .build();

        // Parameter settings for API request
        BatchSetLiveDomainConfigsRequest batchSetLiveDomainConfigsRequest = BatchSetLiveDomainConfigsRequest.builder()
                .domainNames("<Your DomainNames>")
                .functions("<Your Functions>")
                // Request-level configuration rewrite, can set Http request parameters, etc.
                // .requestConfiguration(RequestConfiguration.create().setHttpHeaders(new HttpHeaders()))
                .build();

        // Asynchronously get the return value of the API request
        CompletableFuture<BatchSetLiveDomainConfigsResponse> response = client.batchSetLiveDomainConfigs(batchSetLiveDomainConfigsRequest);
        // Synchronously get the return value of the API request
        BatchSetLiveDomainConfigsResponse resp = response.get();
        System.out.println(new Gson().toJson(resp));
        // Asynchronous processing of return values
        /*response.thenAccept(resp -> {
            System.out.println(new Gson().toJson(resp));
        }).exceptionally(throwable -> { // Handling exceptions
            System.out.println(throwable.getMessage());
            return null;
        });*/

        // Finally, close the client
        client.close();
    }
}
```
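Note: The sample code above sets an IP whitelist for <DomainNames>. The whitelisted IP list is <127.0.0.0/24>.
For details on using the Java SDK, see the Java SDK usage instructions.
Notes
Important: The blacklist and the whitelist are mutually exclusive; you can choose only one of them.
You can configure at most 1000 IPv6 addresses or 3000 IPv4 addresses. IPv6 addresses are not case-sensitive, and the :: abbreviated format is not supported.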
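The constraints in these notes can be checked before a list is submitted. The following added Python example (not Alibaba Cloud's code) validates addresses and CIDR blocks, rewrites IPv6 entries in full form so no `::` abbreviation remains, and enforces the limits and the black/white exclusivity. Counting one entry per address or CIDR block and rejecting blocks with host bits set are assumptions of this check; the function names are hypothetical.

```python
import ipaddress

MAX_IPV4, MAX_IPV6 = 3000, 1000   # limits stated on this page


def normalise_entry(entry):
    """Return (ip_version, text) for one address or CIDR block; ValueError if invalid."""
    entry = entry.strip()
    if "/" in entry:
        # strict=True rejects blocks with host bits set, e.g. 10.0.0.5/24
        # (a local lint choice, not documented service behaviour).
        net = ipaddress.ip_network(entry, strict=True)
        return net.version, f"{net.network_address.exploded}/{net.prefixlen}"
    addr = ipaddress.ip_address(entry)
    # .exploded writes IPv6 in full lower-case form, so no "::" remains.
    return addr.version, addr.exploded


def build_ip_list(entries):
    """Validate, expand and de-duplicate entries, then enforce the limits."""
    seen, out, counts = set(), [], {4: 0, 6: 0}
    for raw in entries:
        version, text = normalise_entry(raw)
        if text in seen:          # 2001:db8::1 and 2001:DB8::1 are the same entry
            continue
        seen.add(text)
        counts[version] += 1      # assumption: each address or block counts once
        out.append(text)
    if counts[4] > MAX_IPV4 or counts[6] > MAX_IPV6:
        raise ValueError(f"too many entries: {counts[4]} IPv4, {counts[6]} IPv6")
    return out


def build_acl(white=None, black=None):
    """Blacklist and whitelist are mutually exclusive: accept exactly one."""
    if (white is None) == (black is None):
        raise ValueError("configure exactly one of white or black")
    mode = "white" if white is not None else "black"
    return mode, build_ip_list(white if white is not None else black)


# Constructed sample input: a CIDR block, one IPv6 address written twice, one IPv4.
SAMPLE = ["127.0.0.0/24", "2001:db8::1", "2001:DB8::1", " 192.0.2.7 "]
```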