Restrict access to content
You can restrict access to content that is distributed via CDN — for example, set up key access, show content only to users from certain countries or in certain browsers.
Key access
Tokenized URLs allow you to make links to content temporary and restrict access to content by IP address.
A special token is added to the links on the site. The token is an MD5 hash computed over the access key, link lifetime and authorized IP addresses. When a user clicks the link, CDN servers check the token in the request: if the key matches, the IP address is allowed and the lifetime of the link has not expired, the servers deliver the content. CDN servers themselves receive content from the source regardless of token availability.
Links with the token will be of the form https://cdn.example.com/123.jpg?md5=DMF1ucDxtHCxwYQ&expires=2147483647.
Configure key access
1. In the Control Panel, on the top menu, click Products and select CDN.
2. Open the CDN resource page → Settings tab.
3. Enable the Key Access option.
4. To generate a key automatically, click Generate Key.
5. To use your key, enter it manually, keeping in mind the requirements:
   - Latin letters and numbers;
   - length from 6 to 32 characters.
6. Optional: To allow only specific IP addresses to access content, check the Add client IP address to token checkbox.
7. Click Save.
8. Configure token generation on the source server. Four parameters are used to generate the token:
   - the lifetime of the link;
   - source link to the file;
   - IP addresses for which access to the file is allowed — optional parameter;
   - key that you set in step 4 or 5.
The token can be generated with a PHP script, a Python script or OpenSSL.
PHP script, with IP parameter
Use if you checked the Add client IP address to token checkbox in the CDN resource settings in step 6.
<?php
$secret = '<secret_key>';
$ip = '<ip_address>';
$path = '<path>';
$expires = time() + <lifetime>;
// String to hash: expiry time, path and client IP, then a space and the key
$link = "$expires$path$ip $secret";
// Raw MD5 digest, Base64-encoded, made URL-safe, padding removed
$md5 = md5($link, true);
$md5 = base64_encode($md5);
$md5 = strtr($md5, '+/', '-_');
$md5 = str_replace('=', '', $md5);
$url = "<domain>{$path}?md5={$md5}&expires={$expires}";
echo $url;
echo "\n";

Specify:
<secret_key> — secret key specified in the CDN resource settings;
<ip_address> — the IP address that is allowed to receive the content;
<path> — relative path to the file on the source;
<lifetime> — link lifetime in seconds;
<domain> — domain of the CDN resource with the protocol. You can view the domain of the resource in the control panel: in the top menu, click Products → CDN → resource page → General tab.
PHP script, without IP parameter
Use if you did not check the Add client IP address to token checkbox in the CDN resource settings in step 6.
<?php
$secret = '<secret_key>';
$path = '<path>';
$expires = time() + <lifetime>;
// String to hash: expiry time and path, then a space and the key
$link = "$expires$path $secret";
// Raw MD5 digest, Base64-encoded, made URL-safe, padding removed
$md5 = md5($link, true);
$md5 = base64_encode($md5);
$md5 = strtr($md5, '+/', '-_');
$md5 = str_replace('=', '', $md5);
$url = "<domain>{$path}?md5={$md5}&expires={$expires}";
echo $url;
echo "\n";

Specify:
<secret_key> — secret key specified in the CDN resource settings;
<path> — relative path to the file on the source;
<lifetime> — link lifetime in seconds;
<domain> — domain of the CDN resource with the protocol. You can view the domain of the resource in the control panel: in the top menu, click Products → CDN → resource page → General tab.
Python script, with IP parameter
Use if you checked the Add client IP address to token checkbox in the CDN resource settings in step 6.
import base64
from hashlib import md5
from time import time

secret = "<secret_key>"
ip = "<ip_address>"
path = "<path>"
lifetime = <lifetime>
domain = "<domain>"

expires = int(time()) + lifetime
# Hash "<expires><path><ip> <secret>", the same string as in the PHP script
token_byte = base64.encodebytes(
    md5(f"{expires}{path}{ip} {secret}".encode("utf-8")).digest()
)
# Drop the trailing newline and padding, switch to the URL-safe alphabet
token = (
    token_byte
    .decode("utf-8")
    .replace("\n", "")
    .replace("+", "-")
    .replace("/", "_")
    .replace("=", "")
)
secured_url = f"{domain}{path}?md5={token}&expires={expires}"
print(secured_url)

Specify:
<secret_key> — secret key specified in the CDN resource settings;
<ip_address> — the IP address that is allowed to receive the content;
<path> — relative path to the file on the source;
<lifetime> — link lifetime in seconds;
<domain> — domain of the CDN resource with the protocol. You can view the domain of the resource in the control panel: in the top menu, click Products → CDN → resource page → General tab.
Python script, without IP parameter
Use if you did not check the Add client IP address to token checkbox in the CDN resource settings in step 6.
import base64
from hashlib import md5
from time import time

secret = "<secret_key>"
path = "<path>"
lifetime = <lifetime>
domain = "<domain>"

expires = int(time()) + lifetime
# Hash "<expires><path> <secret>", the same string as in the PHP script
token_byte = base64.encodebytes(
    md5(f"{expires}{path} {secret}".encode("utf-8")).digest()
)
# Drop the trailing newline and padding, switch to the URL-safe alphabet
token = (
    token_byte
    .decode("utf-8")
    .replace("\n", "")
    .replace("+", "-")
    .replace("/", "_")
    .replace("=", "")
)
secured_url = f"{domain}{path}?md5={token}&expires={expires}"
print(secured_url)

Specify:
<secret_key> — secret key specified in the CDN resource settings;
<path> — relative path to the file on the source;
<lifetime> — link lifetime in seconds;
<domain> — domain of the CDN resource with the protocol. You can view the domain of the resource in the control panel: in the top menu, click Products → CDN → resource page → General tab.
OpenSSL, with IP parameter
Use if you checked the Add client IP address to token checkbox in the CDN resource settings in step 6.
1. Generate a token:
echo -n '<lifetime><path><ip_address> <secret_key>' | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
Here '<lifetime><path><ip_address> <secret_key>' = '{expires}{path}{ip} {secret_key}'.

Specify:
<lifetime> — link lifetime in seconds (Unix), the same value that is passed in the expires parameter of the link;
<path> — relative path to the file on the source;
<ip_address> — the IP address that is allowed to receive the content;
<secret_key> — secret key specified in the CDN resource settings;
<domain> — domain of the CDN resource with the protocol. You can view the domain of the resource in the control panel: in the top menu, click Products → CDN → resource page → General tab.
2. Form the links as follows:
<domain>/<path>?md5=<token>&expires=<lifetime>

Where:
<domain> — domain of the CDN resource with the protocol. You can view the domain of the resource in the control panel: in the top menu, click Products → CDN → resource page → General tab;
<path> — relative path to the file on the source;
<token> — the token received when executing the script;
<lifetime> — link lifetime in seconds (Unix).
OpenSSL, without IP parameter
Use if you did not check the Add client IP address to token checkbox in the CDN resource settings in step 6.
1. Generate a token:
echo -n '<lifetime><path> <secret_key>' | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
Here '<lifetime><path> <secret_key>' = '{expires}{path} {secret_key}'.

Specify:
<lifetime> — link lifetime in seconds (Unix), the same value that is passed in the expires parameter of the link;
<path> — relative path to the file on the source;
<secret_key> — secret key specified in the CDN resource settings.
2. Form the links in any suitable way:
<domain>/<path>?md5=<token>&expires=<lifetime>

Where:
<domain> — domain of the CDN resource with the protocol. You can view the domain of the resource in the control panel: in the top menu, click Products → CDN → resource page → General tab;
<path> — relative path to the file on the source;
<token> — the token received when executing the script;
<lifetime> — link lifetime in seconds (Unix).
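The check described at the start of this section (key, IP address, lifetime), paired with link generation, as an added Python example; it is not the CDN's own code or code from this documentation. The function names, the sample key and the addresses are constructed for illustration, and it assumes the edge recomputes the token exactly as the scripts above build it.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlsplit, parse_qs


def make_token(secret, path, expires, ip=None):
    """URL-safe Base64 (no padding) of MD5("<expires><path>[<ip>] <secret>")."""
    payload = f"{expires}{path}{ip or ''} {secret}".encode("utf-8")
    digest = hashlib.md5(payload).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def sign_url(domain, path, secret, lifetime, ip=None, now=None):
    """Build the tokenized link; expires = now + lifetime (seconds)."""
    expires = int(time.time() if now is None else now) + lifetime
    token = make_token(secret, path, expires, ip)
    return f"{domain}{path}?md5={token}&expires={expires}"


def check_url(url, secret, client_ip=None, now=None):
    """Assumed mirror of the edge-side decision; returns (ok, reason)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        token = query["md5"][0]
        expires = int(query["expires"][0])
    except (KeyError, ValueError):
        return False, "missing or malformed md5/expires"
    if expires <= int(time.time() if now is None else now):
        return False, "link expired"
    expected = make_token(secret, parts.path, expires, client_ip)
    # Constant-time comparison, so timing does not reveal matching prefixes.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "token mismatch"
    return True, "ok"


# Constructed sample values (not real credentials or addresses).
SECRET = "Examp1eKey42"
URL = sign_url("https://cdn.example.com", "/123.jpg", SECRET,
               lifetime=3600, ip="192.0.2.10", now=1_700_000_000)

if __name__ == "__main__":
    for ip, now in [("192.0.2.10", 1_700_000_100),    # valid
                    ("198.51.100.7", 1_700_000_100),  # wrong client IP
                    ("192.0.2.10", 1_700_003_600)]:   # expired
        print(ip, now, check_url(URL, SECRET, client_ip=ip, now=now))
```

Running such a check against links produced on the source server catches a mismatch between the script variant in use and the Add client IP address to token setting before the links are published.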
Configure access policy from domains
The Access from Domains policy (Referrer ACL) allows you to grant or restrict access to content from other domains. By default, access by domain is not restricted.
1. In the Control Panel, on the top menu, click Products and select CDN.
2. Open the CDN resource page → Settings tab.
3. Enable the Access Policy from Domains option.
4. Select a policy:
   - permissive — links to your content will work on all domains other than those specified;
   - prohibitive — links to your content will only work on specified domains.
5. Enter the names of the domains that you want to allow or deny access to according to the selected policy. Enter the names one by one on a line without specifying a protocol, for example:
   example.com
   example1.com
6. Click Save.
Configure access policy from IP addresses
The IP Address Access Policy (IP ACL) allows you to grant or restrict access to content from specific IP addresses. By default, access by IP addresses is not restricted.
1. In the Control Panel, on the top menu, click Products and select CDN.
2. Open the CDN resource page → Settings tab.
3. Enable the Access policy from IP addresses option.
4. Select a policy:
   - permissive — access to content is allowed to all IP addresses other than those specified;
   - prohibitive — access to content is denied to all IP addresses other than those specified.
5. Enter the IP addresses to be allowed or denied access according to the selected policy. Enter addresses with a subnet mask, one per line, for example:
   192.0.2.0/24
   198.51.100.0/24
6. Click Save.
Customize access policy by country
The Country Access Policy (Geo ACL) allows you to grant or restrict access to content from specific countries. By default, country access is not restricted.
1. In the Control Panel, on the top menu, click Products and select CDN.
2. Open the CDN resource page → Settings tab.
3. Enable the Country Access Policy option.
4. Select a policy:
   - permissive — access to content is allowed from all countries except those specified;
   - prohibitive — access to content is prohibited from all countries except those specified.
5. Select the countries for which you want to allow or deny access according to the selected policy.
6. Click Save.
Configure access policy from client applications
The User Agent ACL policy allows you to grant or restrict access to content from the CDN by User Agent, for example, to a specific browser, set-top box or device. By default, all client applications are allowed access to the resource.
1. In the Control Panel, on the top menu, click Products and select CDN.
2. Open the CDN resource page → Settings tab.
3. Enable the Access policy from client applications option.
4. Select a policy:
   - permissive — access to the resource is allowed to all client applications except the specified ones;
   - prohibitive — access to the resource is denied to all client applications except the specified ones.
5. Enter the names of the applications for which you want to allow or deny access according to the selected policy. Enter the names one per line, for example:
   Mozilla/5.0 (Windows NT 10.0; Win 64; x64)
6. Click Save.
Customize unique HTTP headers
The Custom Origin headers option allows you to specify your own HTTP headers that the CDN server will add to the request when accessing the source.
1. In the Control Panel, on the top menu, click Products and select CDN.
2. Open the CDN resource card.
3. Open the Settings tab.
4. Enable the Unique HTTP Headers option.
5. Enter the name of the header. Latin letters A-Z, a-z, digits 0-9, underscore _ and hyphen - are allowed.
6. Enter the value of the header. Latin letters A-Z, a-z, digits 0-9, underscore _, dot ., slash /, colon :, hyphen -, equals = and space are allowed. Space can only be added within a value and between words. Do not put a space at the beginning and end of a value.
7. If you need to add another header, click Add Header and repeat steps 5-6.
Access-Control-Allow-Origin Header
This option allows you to protect content from being downloaded on third-party sites and applications by adding an Access-Control-Allow-Origin header. Applies to all files on the CDN resource.
For example, a user on example1.com opens an image that is located on your site at cdn.example2.com/image.jpg. The user's browser sends a request for cdn.example2.com/image.jpg to the domain's server with an Origin header that points to the source of the request, in the example, Origin: http://example1.com.
The cdn.example2.com domain server checks the contents of the Origin header in the request:
- if the domain is allowed, the server will respond to the browser with an Access-Control-Allow-Origin header that will allow the browser to display the image for the example2.com user;
- if the domain is not allowed, the server will respond to the browser without the Access-Control-Allow-Origin header, and the browser will not display the image to the user.
Customize the Access-Control-Allow-Origin header
1. In the Control Panel, on the top menu, click Products and select CDN.
2. Open the CDN resource page → Settings tab.
3. Enable the Access-Control-Allow-Origin Header option.
4. Select a policy:
   - * for all domains — all sites are allowed to display content, the CDN server will send a response to the browser with the header Access-Control-Allow-Origin: *;
   - only for specified domains — only specified sites are allowed to display content. When the CDN server receives a request, it will check the Origin header value against the domains you specified in the settings in step 5. If a domain is allowed, the server will respond to the browser with an Access-Control-Allow-Origin header with the name of that domain;
   - for all domains — all sites are allowed to display content, the CDN server will send the browser the name of the domain from which the request came, for example: Access-Control-Allow-Origin: example.com.
5. If you selected the Specified Domains Only policy, enter the names of domains that are allowed to load content, up to a maximum of 20 domains. Enter the names one at a time on a line without specifying a protocol.
6. Click Save.