Skip to main content

Configure secure access to content

Last update:

By default, any user can access your content.

You can configure access by code word or your own script.

Configure access by code word

Configuring access by code word (Tokenized URL) allows you to make content links temporary and restrict access to content by IP address.

A token of the following format is added to site links: md5(kymJ2w55VH4LUMSKGb6ZqA,1704067200). The token is generated from:

  • a code word you have created;
  • the file path on the origin;
  • optional: the link expiration time in POSIX time format;
  • optional: the allowed IP address.

As a result, a link with a token will look like this:

https://cdn.example.com/md5(kymJ2w55VH4LUMSKGb6ZqA,1704067200)/path/to/file.png.

When a user follows a link, CDN servers verify the token in the request. If the token is valid and the link has not expired, the servers provide the content. CDN servers receive content from the origin regardless of whether a code word is used.

  1. In the control panel, on the top menu, click Products and select CDN.

  2. In the CDN Resources section, open the CDN resource page → Restrictions.

  3. In the Authorization block, select By code word.

  4. Enter a code word between 6 and 32 characters long. You can use Latin letters and digits.

  5. Optional: to avoid specifying a link expiration time, select the Do not limit by time checkbox.

  6. Optional: to avoid restricting content access to specific IP addresses, select the Do not check IP checkbox.

  7. Click Apply. While settings are being applied, the CDN resource enters the PROCESSING status. You cannot apply other settings during this time. Settings take effect when the CDN resource transitions to ACTIVE.

  8. Configure link generation with a token on the origin server using a script. You can view script examples in the Script examples for generating a token subsection.

For your information

These are script examples for token generation with IP address and link expiration constraints.

<?php
$secret = '<code_word>';
$ip = '<ip_address>';
$path = '<file_path>';
$lifetime = <link_lifetime>;
$expires = time() + $lifetime;
$link = "$secret$path$ip$expires";
$md5 = md5($link, true);
$md5 = base64_encode($md5);
$md5 = strtr($md5, '+/', '-_');
$md5 = str_replace('=', '', $md5);
$domain = '<domain>';
$url = "$domain/md5($md5,$expires)$path";
echo $url;
echo "\n";

Specify:

  • <code_word> — the code word you specified when configuring access by code word;

  • <ip_address> — the IP address you permit to access the content;

  • <file_path> — the relative file path or path prefix on the origin. For example, there is a relative file path: /path/to/file.jpg. To grant access:

    • to a specific file, specify: /path/to/file.jpg;
    • to all files starting with /path/to/, including subfolders, specify: /path/to;
    • to all files in /path/ and its subfolders, specify: /path;

  • <link_lifetime> — the link lifetime in seconds;

  • <cdn_domain> — the CDN resource domain, including the protocol. You can view the CDN resource domain in the control panel: in the top menu, click ProductsCDNCDN Resources → the CDN resource row.

Configure access by your own script

You can add your own script to authorize users.

When a user follows a link, the decision to allow content access is made based on the script response.

In the script, you must pass the following headers:

  • Host — the domain name for which the request is intended;
  • X-Request-URI — the URI of the requested CDN resource;
  • X-Forwarded-For — the real IP address of the user requesting the CDN resource;
  • X-Remote-Addr — the IP address of the user requesting the CDN resource, or the proxy server IP address.

  1. In the control panel, on the top menu, click Products and select CDN.

  2. In the CDN Resources section, open the CDN resource page → Restrictions.

  3. In the Authorization block, select By external script.

  4. Insert the link to your script.

  5. Click Apply. While settings are being applied, the CDN resource enters the PROCESSING status. You cannot apply other settings during this time. Settings take effect when the CDN resource transitions to ACTIVE.