Updated on 2024-07-08 GMT+08:00

Referer Validation

You can set a referer blacklist or whitelist to identify and filter out values of the Referer header in HTTP requests, controlling access sources.

Background

The Referer header identifies the address of the web page from which the resource has been requested. CDN PoPs can use this header to trace and identify the source.

When receiving access requests from users, the CDN PoPs identify and check users against the referer blacklist or whitelist. Only users meeting blacklist and whitelist requirements can access the content. Unqualified users will receive a 403 error response.

Constraints

  • This function is disabled by default.
  • Either a referer blacklist or whitelist can be configured.

Procedure

  1. Log in to Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

    The CDN console is displayed.

  2. In the navigation pane, choose Domains.
  3. In the domain list, click the target domain name or click Configure in the Operation column.
  4. Click the Access Control tab.
  5. In the Referer Validation area, click Edit. The Configure Referer Validation dialog box is displayed.
    Figure 1 Configuring referer validation
  6. Switch on Status to enable this configuration item.
  7. Select a value for Type and set referer parameters based on service requirements. The following table describes the parameters.
    Table 1 Parameters

    Parameter

    Description

    Filling Rule

    Include blank referer

    A blank referer is when the referer field in an HTTP request is left blank or when an HTTP request does not contain the referer field. If this option is selected, such requests will also be accepted (whitelist) or rejected (blacklist).

    NOTE:

    A blank referer indicates that the referer field is left blank or is not included in an HTTP request. The referer field with value null is not a blank referer.

    /

    Referer whitelist

    • If the referer field of an access request matches the whitelist rules, the requester can access the requested content. Otherwise, CDN returns a 403 error response code, indicating that access is forbidden.
    • If Include blank referer is selected and an access request contains a blank referer, the requester can access the requested content.
    • Enter domain names or IP addresses separated by semicolons (;).
    • Wildcard domain names are supported.
    • Enter up to two asterisks (*). They cannot be consecutive or at the end.
    • Domain names and IP addresses with ports are supported. The maximum port number is 65535.
    • Enter up to 500 domain names and IP addresses.

      Example: www.example.com:443;*.test.com;192.168.0.0

      NOTE:

      Domain names with special configurations support only one asterisk (*).

    Referer blacklist

    • If the referer field in an access request matches the blacklist rules, the requester cannot access the requested content, and 403 Forbidden will be returned. Otherwise, the requester can access the requested content.
    • If Include blank referer is selected and an access request contains a blank referer, the access request will be rejected, and 403 Forbidden will be returned.
    • Enter domain names or IP addresses separated by semicolons (;).
    • Wildcard domain names are supported.
    • Enter up to two asterisks (*). They cannot be consecutive or at the end.
    • Domain names and IP addresses with ports are supported. The maximum port number is 65535.
    • Enter up to 500 domain names and IP addresses.

      Example: www.example.com:443;*.test.com;192.168.0.0

      NOTE:

      Domain names with special configurations support only one asterisk (*).

  8. In the Rule text box, enter the domain names.
  9. Click OK.
  10. (Optional) Disable referer validation.
    • Switch off Status to disable referer validation and clear all referer validation settings. You need to set related parameters when enabling this function again.

Examples

  1. Assume that a referer whitelist www.test.com is configured for the domain name www.example.com and Include blank referer is selected.

    • If user 1 requests the URL https://www.example.com/file.html and the value of the referer field in the request is blank, CDN returns the content.
    • If user 2 requests the URL https://www.example.com/file.html and the value of the referer field in the request is www.test.com, CDN returns the content.
    • If user 3 requests the URL https://www.example.com/file.html and the value of the referer field in the request is www.abc.com, CDN returns a 403 error response code.
  2. Assume that a referer blacklist www.test01.com is configured for the domain name www.example01.com and Include blank referer is selected.

    • If user 1 requests the URL https://www.example01.com/file.html and the value of the referer field in the request is blank, CDN returns a 403 error response code.
    • If user 2 requests the URL https://www.example01.com/file.html and the value of the referer field in the request is www.test01.com, CDN returns a 403 error response code.
    • If user 3 requests the URL https://www.example01.com/file.html and the value of the referer field in the request is www.bcd.com, CDN returns the content.