Configuring Hotlink Protection to Control Who Can Play Media
Scenario Description
VOD provides hotlink protection to control who can play the distributed audio and video. With hotlink protection enabled, CDN verifies key information carried in playback requests. Only requests that pass the verification are served. All other requests are rejected with status code 403. Hotlink protection is implemented by referer validation or URL validation.
Referer validation allows you to control access sources based on the referer field carried in an HTTP request. CDN filters requests based on the configured blacklist or whitelist. Referer validation is easy to configure, requires no extra development, and takes effect quickly. It is used for scenarios where audio and video files are mainly referenced on web pages.
Because HTTP header content can be forged, referer validation provides only the most basic protection, and its security is low. In this case, you can configure URL validation to safeguard your VOD assets. The key value used for authentication is time-sensitive. Therefore, URL validation is used for scenarios that have high requirements on media security.
In this example, referer validation is enabled first so that only domain names in the whitelist are allowed to access video files. URL validation is then configured to create authentication playback URLs.
Implementation
Referer validation works in a simple way. After a blacklist or whitelist is configured on the VOD console, VOD distributes the blacklist or whitelist to CDN. When receiving a request, CDN checks whether the request is valid based on the list. If the request is valid, CDN accesses the requested resource. If the request is invalid, CDN rejects the request and returns a status code 403.
URL validation is implemented by the VOD edge nodes and the VOD origin server. It is a more secure and reliable anti-piracy solution than referer validation. Figure 1 shows how URL validation works.
The process is as follows:
- You enable URL validation on the VOD console and configure the allowed time difference and algorithm.
- VOD delivers the configured key value to CDN nodes.
- You obtain the authentication URL of a VOD media file.
- Viewers request CDN to play a video through the authentication playback URL.
- CDN verifies the request based on authentication information carried in the playback URL. Only requests that pass the verification are allowed.
Configuring Referer Validation
Configure referer validation to limit access for basic security of VOD resources.
Domain names with ports cannot be added to referer whitelists/blacklists.
- Log in to the VOD console.
- In the navigation pane, choose Domain Name Management.
- Click Settings in the row containing the domain name. On the Hotlink Protection Settings tab page, click Referer Validation.
- In the dialog box displayed, switch on the function and set related parameters.
  - Type: Blacklist or Whitelist
    - Blacklist: Domain names in this list are not allowed to access VOD resources. If Include empty referer is also selected, requests whose referer field in the HTTP header is empty are not allowed.
    - Whitelist: Domain names in this list are allowed to access VOD resources. If Include empty referer is also selected, requests whose referer field in the HTTP header is empty are allowed.
  - Rule: List details. You can enter a maximum of 100 domain names of four levels. Separate them with semicolons (;). Domain names and IP addresses can be entered together. Wildcard domain names are supported. A domain name cannot start with a protocol name (http:// or https://).
    Example: www.example.com;*.test.com;192.168.0.0
- Click OK.
It takes about 3 to 5 minutes for the referer validation to take effect.
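The whitelist/blacklist decision described above, sketched as an added Python example (not Huawei Cloud's code). The function names, the glob-style wildcard matching, and treating an unparsable referer as empty are assumptions.

```python
from __future__ import annotations
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def parse_rule(rule: str) -> list[str]:
    """Split a Rule string and enforce the input constraints listed above."""
    entries = [e.strip().lower() for e in rule.split(";") if e.strip()]
    if len(entries) > 100:
        raise ValueError("a rule holds at most 100 entries")
    for entry in entries:
        if "://" in entry:
            raise ValueError(f"{entry}: remove the http:// or https:// prefix")
        if ":" in entry:
            raise ValueError(f"{entry}: entries with ports cannot be added")
    return entries

def referer_host(referer: str | None) -> str | None:
    """Host part of a Referer header, or None when it is empty or unparsable."""
    if not referer:
        return None
    return urlsplit(referer.strip()).hostname or None

def is_allowed(referer, list_type, entries, include_empty):
    """Return True if the request would be served, False if it would get 403."""
    host = referer_host(referer)
    if host is None:
        # "Include empty referer" allows empty referers on a whitelist
        # and rejects them on a blacklist.
        return include_empty if list_type == "whitelist" else not include_empty
    listed = any(fnmatchcase(host, pattern) for pattern in entries)
    return listed if list_type == "whitelist" else not listed

# Constructed sample: the Rule example from this page and a one-entry whitelist.
RULE = parse_rule("www.example.com;*.test.com;192.168.0.0")
WHITELIST = parse_rule("www.huaweicloud.com")

if __name__ == "__main__":
    page = "http://www.example.com/test/test.html"
    print(is_allowed(page, "whitelist", WHITELIST, False))   # page not listed
    print(is_allowed(None, "whitelist", WHITELIST, False))   # empty referer
    print(is_allowed("https://a.test.com/v", "blacklist", RULE, False))
    # The decision rests only on the header value the client sends, which is
    # why the page pairs referer validation with URL validation.
    print(is_allowed("https://www.huaweicloud.com/", "whitelist", WHITELIST, False))
```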
Configuring URL Validation
Configure URL validation to further enhance the security of VOD resources.
- Log in to the VOD console.
- In the navigation pane, choose Domain Name Management.
- Click Settings in the row containing the domain name. On the Hotlink Protection Settings tab page, click URL Validation.
- In the dialog box displayed, switch on the function and set related parameters.
Table 1 Parameter description

| Parameter | Description |
| --- | --- |
| Key | Click Generate to generate a key value. |
| Maximum Time Difference | How long an authentication URL remains valid. The default value is 120 minutes. For example, if the authentication URL generation time is 1573806090 (Nov. 15, 2019 16:21:30 GMT+08:00) and the allowed time difference is 120 minutes, the authentication URL expires at Nov. 15, 2019 18:21:30 GMT+08:00. |
| Expiration Time of the Old Key | By default, the old key expires 60 minutes after the new key takes effect. For example, if the effective time of the new key is Nov. 15, 2019 16:21:30 GMT+08:00 and Expiration Time of the Old Key is 60 minutes, the old authentication URL expires at Nov. 15, 2019 17:21:30 GMT+08:00. |
| Algorithm | Encryption algorithm. The options are algorithms A, B, C, and D. The default value is Algorithm D. The generated authentication URL varies depending on the selected algorithm. For details about how to create an authentication URL, see URL Validation. NOTE: Algorithms A, B, and C do not support HLS and DASH playback. Algorithm D is recommended. |
- Click OK.
- Submit a service ticket for the settings to take effect. The submitted information must contain the configured domain name and information in Table 1.
URL validation settings take effect once your request is approved. If you change URL validation settings, you also need to submit a service ticket for approval.
Verify Whether Hotlink Protection Settings Have Taken Effect
- Verify whether referer validation settings have taken effect.
Add www.huaweicloud.com to the whitelist and deselect Exclude empty referer. Reference the video file in VOD https://1280.cdn-vod.huaweicloud.com/input/1.mp4 on the http://www.example.com/test/test.html web page, access the web page, and play the video. If the playback fails, referer validation settings have taken effect.
- Verify whether URL validation settings have taken effect.
- Log in to the VOD console. In the navigation pane, choose Audio and Video Management.
- Click Details in the row containing a media file and click the Playback tab to obtain the playback URL.
URL is the original playback URL. Click to obtain the authentication playback URL.
- Play the original playback URL and authentication playback URL on the player. If the original playback URL fails to be played but the authentication playback URL can be played, URL validation settings have taken effect.