ApsaraVideo Live: Access control

Last Updated: Aug 13, 2024

ApsaraVideo Live allows you to implement access control by configuring a blacklist or whitelist based on the Referer header, User-Agent header, or IP address. This topic describes when and how to use the access control feature of ApsaraVideo Live.

Overview

The access control feature allows you to configure access policies for video resources on the cloud. This easy-to-use feature requires only simple configurations and ensures access policies can quickly take effect. The following types of access policies are supported:

  • Referer blacklist or whitelist

  • User-Agent blacklist or whitelist

  • IP address blacklist or whitelist

Note

You cannot configure a User-Agent blacklist or whitelist in the ApsaraVideo Live console because the configuration is complex and prone to misconfiguration. If you want to configure a User-Agent blacklist or whitelist, submit a ticket to Alibaba Cloud for technical support. For information about how to submit a ticket, see Contact us.

Scenarios

  • The access control feature requires only simple configurations. This feature helps protect your services, especially web services, from unauthorized access.

  • The Referer and User-Agent blacklists and whitelists provide a lower level of protection because HTTP headers are prone to forgery.

  • The IP address blacklist and whitelist are not suitable for scenarios in which you want to distribute content to a large number of consumers.

Referer blacklist or whitelist

  • Overview

    • Referer is an HTTP request header that allows servers to identify the source of requests. You can configure a Referer blacklist or whitelist to control resource access based on the Referer header.

    • After a request is sent to an Alibaba Cloud CDN point of presence (POP), the POP authenticates the request based on the preset Referer whitelist or blacklist. If the request passes the authentication, the video data is returned. Otherwise, the HTTP status code 403 is returned.

    • By default, no Referer blacklists or whitelists are used. You can configure a Referer blacklist or whitelist based on your business requirements.

    • After you add a domain name to the Referer blacklist or whitelist, all subdomains are automatically added. For example, if you add example.com to the Referer whitelist or blacklist, this access policy takes effect for the wildcard subdomain *.example.com.

    • You can specify whether to allow requests that have an empty Referer header. If you allow these requests, users can directly access your video resources by entering URLs in the address bar.

  • Configuration

    • You can configure a Referer blacklist or whitelist in the ApsaraVideo Live console. For more information, see Configure hotlink protection.

    • You can also call the BatchSetLiveDomainConfigs operation to configure a Referer blacklist or whitelist for multiple streaming domains.

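      The following sample code shows how to configure a Referer whitelist by using the server SDK for Java:

      import com.aliyuncs.DefaultAcsClient;
      import com.aliyuncs.IAcsClient;
      import com.aliyuncs.exceptions.ClientException;
      import com.aliyuncs.exceptions.ServerException;
      import com.aliyuncs.live.model.v20161101.BatchSetLiveDomainConfigsRequest;
      import com.aliyuncs.live.model.v20161101.BatchSetLiveDomainConfigsResponse;
      import com.aliyuncs.profile.DefaultProfile;
      import com.google.gson.Gson;

      // Replace the placeholder values with actual values.
      DefaultProfile profile = DefaultProfile.getProfile("<regionId>", "<ALIBABA_CLOUD_ACCESS_KEY_ID>", "<ALIBABA_CLOUD_ACCESS_KEY_SECRET>");
      IAcsClient client = new DefaultAcsClient(profile);
      BatchSetLiveDomainConfigsRequest batchSetLiveDomainConfigsRequest = new BatchSetLiveDomainConfigsRequest();
      // Streaming domain to which the Referer whitelist applies.
      batchSetLiveDomainConfigsRequest.setDomainNames("<DomainNames>");
      // refer_domain_allow_list holds the whitelisted domains; allow_empty controls whether an empty Referer header is accepted.
      batchSetLiveDomainConfigsRequest.setFunctions("[{\"functionArgs\":[{\"argName\":\"refer_domain_allow_list\",\"argValue\":\"<referer_white_domain_list>\"},{\"argName\":\"allow_empty\",\"argValue\":\"<off>\"}],\"functionName\":\"referer_white_list_set\"}]");
      try {
          BatchSetLiveDomainConfigsResponse response = client.getAcsResponse(batchSetLiveDomainConfigsRequest);
          System.out.println(new Gson().toJson(response));
          // Handle the response as required.
      } catch (ServerException e) {
          e.printStackTrace();
      } catch (ClientException e) {
          e.printStackTrace();
      }

      Note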
      • In the preceding sample code, the DomainNames parameter specifies the streaming domain for which the Referer whitelist is configured. The referer_white_domain_list field specifies the domain names that you want to add to the Referer whitelist. The allow_empty parameter is set to off, which specifies that an empty Referer header is not allowed.

      • For information about the server SDK for Java, see Use the server SDK for Java.

  • Usage notes

    Important
    • The blacklist and whitelist are mutually exclusive and cannot be used at the same time.

    • In most cases, requests from mobile clients do not contain a Referer header. By default, servers allow these requests. If you block requests with an empty Referer header, you can configure a trusted Referer header for mobile clients by using ApsaraVideo Player.

    • If you block requests with an empty Referer header, you must configure HTTPS secure acceleration and URL redirection to forcibly redirect requests from HTTP to HTTPS. URL redirection helps prevent access failures that occur when browsers omit the Referer header on requests from HTTPS pages for HTTP resources.

  • Example

    You add example.com to the Referer whitelist for the demo.developer.aliyundoc.com streaming domain and block requests with an empty Referer header.

    1. Sample request with an empty Referer header:

      curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000'

    2. Sample error response:

      X-Tengine-Error:denied by Referer ACL

    3. Sample request with the trusted Referer header:

      curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000' \
      -H 'Referer: http://www.example.com'
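
The Referer rules described in this section (subdomains matched automatically, the empty-Referer switch, whitelist versus blacklist, HTTP 403 on denial) can be modelled as follows. This is an added example, not Alibaba Cloud code; the function names and the label-boundary matching are assumptions about how such a check is normally implemented.

```python
from urllib.parse import urlsplit


def referer_host(referer):
    """Return the lower-cased host of a Referer URL, or None if it has none."""
    host = urlsplit(referer.strip()).hostname
    return host.rstrip(".") if host else None


def host_in_list(host, domains):
    """True if host equals a listed domain or is a subdomain of it.

    Matching is done on a label boundary: 'www.example.com' matches
    'example.com', but 'notexample.com' does not.
    """
    for domain in domains:
        d = domain.lower().lstrip("*.").rstrip(".")
        if d and (host == d or host.endswith("." + d)):
            return True
    return False


def decide(referer, domains, mode, allow_empty):
    """Return the HTTP status (200 or 403) for one request.

    mode is 'white' or 'black'; the two list types are mutually exclusive.
    """
    if referer is None or not referer.strip():
        return 200 if allow_empty else 403
    host = referer_host(referer)
    listed = host is not None and host_in_list(host, domains)
    if mode == "white":
        return 200 if listed else 403
    return 403 if listed else 200


if __name__ == "__main__":
    # Constructed requests mirroring the example above: example.com is
    # whitelisted and an empty Referer header is blocked.
    for ref in (None, "http://www.example.com", "http://notexample.com"):
        print(repr(ref), decide(ref, ["example.com"], "white", False))
```

A rule set that compares plain string suffixes instead of whole labels would accept lookalike hosts, which is why the model checks for the leading dot.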

User-Agent blacklist or whitelist

  • Overview

    The User-Agent header is a characteristic string that allows servers to identify the operating system, CPU, and browser of the requesting user agent, including the rendering engine, programming language, and plug-ins of the browser. You can configure a User-Agent blacklist or whitelist to control access from specific browsers or terminals.

  • Configuration

    To configure a User-Agent blacklist or whitelist, submit a ticket to Alibaba Cloud for technical support. For information about how to submit a ticket, see Contact us.

  • Example

    • Sample User-Agent header indicating that the request comes from Internet Explorer 9 on a PC:

      User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0;

    • Sample request with a User-Agent header:

      curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000' \
      -H 'User-Agent: iPhone OS;MI 5'

IP address blacklist or whitelist

  • Overview

    ApsaraVideo Live allows you to configure an IP address blacklist or whitelist for an accelerated domain name.

    • If you configure a blacklist, IP addresses in the blacklist are not allowed to access the accelerated domain name.

    • If you configure a whitelist, only IP addresses in the whitelist can access the accelerated domain name.

    • You can add a list of IP addresses or CIDR blocks.

      For example, you can add 127.0.0.0/24 to an IP address blacklist or whitelist. "/24" indicates that the first 24 bits of the 32-bit IP address are used for the network part and the remaining 8 bits for the host part. Therefore, the subnet can accommodate up to 254 hosts, and the range of IP addresses in the subnet is from 127.0.0.0 to 127.0.0.254.

    • IPv6 addresses are supported.

  • Configuration

    • You can configure an IP address blacklist or whitelist in the ApsaraVideo Live console. For more information, see Configure an IP address blacklist or whitelist.

    • You can also call the BatchSetLiveDomainConfigs operation to add IP addresses to a blacklist or whitelist.

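      The following sample code shows how to configure an IP address whitelist by using the server SDK for Java:

      import com.aliyuncs.DefaultAcsClient;
      import com.aliyuncs.IAcsClient;
      import com.aliyuncs.exceptions.ClientException;
      import com.aliyuncs.exceptions.ServerException;
      import com.aliyuncs.live.model.v20161101.BatchSetLiveDomainConfigsRequest;
      import com.aliyuncs.live.model.v20161101.BatchSetLiveDomainConfigsResponse;
      import com.aliyuncs.profile.DefaultProfile;
      import com.google.gson.Gson;

      // Replace the placeholder values with actual values.
      DefaultProfile profile = DefaultProfile.getProfile("<regionId>", "<ALIBABA_CLOUD_ACCESS_KEY_ID>", "<ALIBABA_CLOUD_ACCESS_KEY_SECRET>");
      IAcsClient client = new DefaultAcsClient(profile);
      BatchSetLiveDomainConfigsRequest batchSetLiveDomainConfigsRequest = new BatchSetLiveDomainConfigsRequest();
      // Streaming domain to which the IP address whitelist applies.
      batchSetLiveDomainConfigsRequest.setDomainNames("<DomainNames>");
      // ip_list holds the IP addresses or CIDR blocks passed to ip_allow_list_set.
      batchSetLiveDomainConfigsRequest.setFunctions("[{\"functionArgs\":[{\"argName\":\"ip_list\",\"argValue\":\"<127.0.0.0/24>\"}],\"functionName\":\"ip_allow_list_set\"}]");
      try {
          BatchSetLiveDomainConfigsResponse response = client.getAcsResponse(batchSetLiveDomainConfigsRequest);
          System.out.println(new Gson().toJson(response));
          // Handle the response as required.
      } catch (ServerException e) {
          e.printStackTrace();
      } catch (ClientException e) {
          e.printStackTrace();
      }

      Note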
      • In the preceding sample code, the DomainNames parameter specifies the streaming domain for which the whitelist is configured. The IP addresses in the 127.0.0.0/24 CIDR block are added to the whitelist.

      • For information about the server SDK for Java, see Use the server SDK for Java.

  • Usage notes

    Important
    • The blacklist and whitelist are mutually exclusive and cannot be used at the same time.

    • You can add up to 1,000 IPv6 addresses or 3,000 IPv4 addresses. IPv6 addresses are not case-sensitive. The notation of an IPv6 address cannot be shortened.
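
Before submitting an IP address list, it helps to check it locally against the constraints in the usage notes. The following added example (not Alibaba Cloud code) validates entries, rejects shortened IPv6 notation, enforces the 3,000 IPv4 and 1,000 IPv6 limits, and models the whitelist and blacklist decision; the function names are hypothetical, and treating the limits as per-entry counts is an assumption.

```python
import ipaddress

# Limits quoted in the usage notes (assumed here to count list entries).
MAX_ENTRIES = {4: 3000, 6: 1000}


def parse_entry(entry):
    """Parse one IP address or CIDR block; reject shortened IPv6 notation."""
    text = entry.strip()
    addr_text = text.partition("/")[0]
    addr = ipaddress.ip_address(addr_text)  # raises ValueError if malformed
    # IPv6 is not case-sensitive, but it must be written in full (no '::').
    if addr.version == 6 and addr_text.lower() != addr.exploded:
        raise ValueError(f"IPv6 address must be written in full: {entry!r}")
    # strict=False tolerates host bits set in a CIDR entry.
    return ipaddress.ip_network(text, strict=False)


def validate_list(entries):
    """Return parsed networks, or raise ValueError if the list is invalid."""
    networks = [parse_entry(e) for e in entries]
    for version, limit in MAX_ENTRIES.items():
        count = sum(1 for n in networks if n.version == version)
        if count > limit:
            raise ValueError(f"{count} IPv{version} entries exceed the limit of {limit}")
    return networks


def is_allowed(client_ip, networks, mode):
    """Model the decision: mode is 'white' or 'black' (mutually exclusive)."""
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in n for n in networks if n.version == ip.version)
    return listed if mode == "white" else not listed


if __name__ == "__main__":
    # Constructed sample list using the CIDR block from this topic.
    nets = validate_list(["127.0.0.0/24"])
    for ip in ("127.0.0.7", "127.0.1.7"):
        print(ip, is_allowed(ip, nets, "white"))
```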