Skip to main content

Restrict access to content

Last update:

You can restrict access to content that is distributed via CDN — for example, set up key access, show content only to users from certain countries or in certain browsers.

Key access

Tokenized URLs allow you to make links to content temporary and restrict access to content by IP address.

A special token is added to the links on the site, encrypting the access key, link lifetime and authorized IP addresses. When a user clicks on the link, CDN-servers check the token in the request: if the key matches, the IP-address is allowed and the lifetime of the link has not expired, the servers deliver the content. CDN-servers themselves receive content from the source regardless of token availability.

Links with the token will be of the form https://cdn.example.com/123.jpg?md5=DMF1ucDxtHCxwYQ&expires=2147483647.

Configure key access

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. Open the CDN resource page → Settings tab.

  3. Enable the Key Access option.

  4. To generate a key automatically, click Generate Key.

  5. To use your key, enter it manually, keeping in mind the requirements:

    • Latin letters and numbers;
    • length from 6 to 32 characters;

  6. Optional: To allow only specific IP addresses to access content, check the Add client IP address to token checkbox.

  7. Click Save.

  8. Configure token generation on the source server. Four parameters are used to generate the token:

    • the lifetime of the link;
    • source link to the file;
    • IP addresses for which access to the file is allowed — optional parameter;
    • key that you set in step 4 or 5.
    With IP parameter

    Use if you checked the Add client IP address to token checkbox in the CDN resource settings in step 6.

    <?php
    $secret = '<secret_key>';
    $ip = '<ip_address>';
    $path = '<path>';
    $expires = time() + <lifetime>;
    $link = "$expires$path$ip $secret";
    $md5 = md5($link, true);
    $md5 = base64_encode($md5);
    $md5 = strtr($md5, '+/', '-_');
    $md5 = str_replace('=', '', $md5);
    $url = "<domain>{$path}?md5={$md5}&expires={$expires}";
    echo $<url>;
    echo "\n";

    Specify:

    • <secret_key> — secret key specified in the CDN resource settings;
    • <ip_address> — The IP address that is allowed to receive the content;
    • <path> — relative path to the file on the source;
    • <lifetime> — link lifetime in seconds;
    • <domain> — domain of the CDN resource with the protocol. You can view the domain of the resource in the control panel: in the top menu, click ProductsCDN → share page → tab General.
    Without IP parameter

    Use if you did not check the Add client IP address to token checkbox in the CDN resource settings in step 6.

    <?php
    $secret = '<secret_key>';
    $path = '<path>';
    $expires = time() + <lifetime>;
    $link = "$expires$path $secret";
    $md5 = md5($link, true);
    $md5 = base64_encode($md5);
    $md5 = strtr($md5, '+/', '-_');
    $md5 = str_replace('=', '', $md5);
    $url = "<domain>{$path}?md5={$md5}&expires={$expires}";
    echo $url;
    echo "\n";

    Specify:

    • <secret_key> — secret key specified in the CDN resource settings;
    • <path> — relative path to the file on the source;
    • <lifetime> — link lifetime in seconds;
    • <domain> — domain of the CDN resource with the protocol. You can view the domain of the resource in the control panel: in the top menu, click ProductsCDN → share page → tab General.

Configure access policy from domains

The Access from Domains policy (Referrer ACL) allows you to grant or restrict access to content from other domains. By default, access by domain is not restricted.

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. Open the CDN resource page → Settings tab.

  3. Enable the Access Policy from Domains option.

  4. Select a policy:

    • permissive — links to your content will work on all domains other than those specified;
    • prohibitive — links to your content will only work on specified domains.

  5. Enter the names of the domains that you want to allow or deny access to according to the selected policy. Enter the names one by one on a line without specifying a protocol, for example:

    example.com
    example1.com

  6. Click Save.

Configure access policy from IP addresses

The IP Address Access Policy (IP ACL) allows you to grant or restrict access to content from specific IP addresses. By default, access by IP addresses is not restricted.

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. Open the CDN resource page → Settings tab.

  3. Enable the Access policy from IP addresses option.

  4. Select a policy:

    • permissive — access to content is allowed to all IP addresses other than those specified;
    • prohibitive — access to content is denied to all IP addresses other than those specified.

  5. Enter the IP addresses to be allowed or denied access according to the selected policy. Enter addresses with a subnet mask, one per line, for example:

    192.0.2.0/24
    198.51.100.0/24

  6. Click Save.

Customize access policy by country

The Country Access Policy (Geo ACL) allows you to grant or restrict access to content from specific countries. By default, country access is not restricted.

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. Open the CDN resource page → Settings tab.

  3. Enable the Country Access Policy option.

  4. Select a policy:

    • permissive — access to content is allowed from all countries except those specified;
    • Prohibitive — access to content is prohibited from all countries except those specified.

  5. Select the countries for which you want to allow or deny access according to the selected policy.

  6. Click Save.

Configure access policy from client applications

The User Agent ACL policy allows you to grant or restrict access to content from the CDN by User Agent, for example, to a specific browser, set-top box, device.By default, all client applications are allowed access to the resource.

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. Open the CDN resource page → Settings tab.

  3. Enable the Access policy from client applications option.

  4. Select a policy:

    • permissive — access to the resource is allowed to all client applications except the specified ones;
    • prohibitive — access to the resource is denied to all client applications except the specified ones.

  5. Enter the names of the applications for which you want to allow or deny access according to the selected policy. Enter the names one per line, for example:

    Mozilla/5.0 (Windows NT 10.0; Win 64; x64)

  6. Click Save.

Customize unique HTTP headers

The Custom Origin headers option allows you to specify your own HTTP headers that the CDN server will add to the request when accessing the source.

  1. In the Control Panel, on the top menu, click Products and select CDN.
  2. Open the CDN resource card.
  3. Open the Settings tab.
  4. Enable the Unique HTTP Headers option.
  5. Enter the title of the header. Latin letters A-Z, a-z, digits 0-9, underscore _ and hyphen - are allowed.
  6. Enter the value of the title. Latin letters A-Z, a-z, digits 0-9, underscore _, dot ., slash /, colon :, hyphen -, equals = and space are allowed.
    Space can only be added within a value and between words. Do not put a space at the beginning and end of a value.
  7. If you need to add another header, click Add Header and repeat steps 5-6.

Access-Control-Allow-Origin Header

This option allows you to protect content from being downloaded on third-party sites and applications by adding an Access-Control-Allow-Origin header. Applies to all files on the CDN resource.

For example, a user on example1.com opens an image that is located on your site at cdn.example2.com/image.jpg. The user's browser sends a request to  the cdn.example2.com/image.jpg domain server with an Origin header that points to the source of the request, in the example, Origin: http://example1.com.

The cdn.example2.com domain server checks the contents of the Origin header in the request:

  • if the domain is resolved, the server will respond to the browser with an Access-Control-Allow-Origin header that will allow the browser to display the image for the example2.com user.
  • if the domain is not allowed, the server will respond to the browser without the Access-Control-Allow-Origin header, and the browser will not display the image to the user.

Customize the Access-Control-Allow-Origin header

  1. In the Control Panel, on the top menu, click Products and select CDN.

  2. Open the CDN resource page → Settings tab.

  3. Enable the Access-Control-Allow-Origin Header option.

  4. Select a policy:

    • * for all domains — all sites are allowed to display content, the CDN server will send a response to the browser with the header Access-Control-Allow-Origin: *;;
    • only for specified domains — only specified sites are allowed to display content. When the CDN server receives a request, it will check the Origin header value against the domains you specified in the settings in step 5. If a domain is allowed, the server will respond to the browser with an Access-Control-Allow-Origin header with the name of that domain;
    • for all domains — all sites are allowed to display content, CDN-server will send the browser the name of the domain from which the request came, for example: Access-Control-Allow-Origin: example.com.

  5. If you selected the Specified Domains Only policy, enter the names of domains that are allowed to upload content, up to a maximum of 20 domains. Enter the names one at a time on a line without specifying a protocol.

  6. Click Save.