
Restrict access to content

You can restrict access to content that is distributed via CDN — for example, set up key access, show content only to users from certain countries or in certain browsers.

Key access

Tokenized URLs allow you to make links to the content temporary and restrict access to the content by IP address.

A token is added to the links on the site. It is computed from the access key, the link lifetime and the authorized IP addresses. When a user follows the link, the CDN servers check the token in the request: if the key matches, the IP address is allowed and the lifetime of the link has not expired, the servers deliver the content. The CDN servers themselves fetch content from the source regardless of whether a token is present.

The tokenized links will be of the form:

  • CDN Selectel:
    https://cdn.example.com/123.jpg?md5=DMF1ucDxtHCxwYQ&expires=2147483647
  • CDN Akamai:
    https://cdn.example.com/123.jpg?sel-token=exp=1592563853~hmac=0851b56b74c47120565024a6c6532dc77dff809b0eeeb6fc1e01c86090a1bccd

Configure key access

  1. In the control panel, go to CDN → CDN resources.

  2. Open the CDN resource page → tab Settings.

  3. Enable the option Key access.

  4. To generate a key automatically, tap Generate key.

  5. To use your key, enter it manually, keeping in mind the requirements:

    • Latin letters and numbers;
    • length from 6 to 32 characters;
  6. Optional: to allow only certain IP addresses to access content, check the checkbox Add the client IP address to the token.

  7. Click Save.

  8. Configure token generation on the source server. Four parameters are used to generate the token:

    • the lifetime of the link;
    • source link to the file;
    • IP addresses for which access to the file is allowed — optional parameter;
    • key that you set in step 4 or 5.

With IP parameter

Use this variant if you selected the Add the client IP address to the token checkbox in step 6 of the CDN resource settings.

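<?php
// Values in angle brackets are placeholders; see the list below.
$secret = '<secret_key>';
$ip = '<ip_address>';
$path = '<path>';
$expires = time() + <lifetime>;
// String to hash: expiry time, path, client IP, a space, then the secret key.
$link = "$expires$path$ip $secret";
// Raw MD5 digest, base64-encoded with the URL-safe alphabet and no padding.
$md5 = md5($link, true);
$md5 = base64_encode($md5);
$md5 = strtr($md5, '+/', '-_');
$md5 = str_replace('=', '', $md5);
$url = "<domain>{$path}?md5={$md5}&expires={$expires}";
echo $url;
echo "\n";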

Specify:

  • <secret_key> — the secret key you specified in the CDN resource settings;
  • <ip_address> — the IP address that is allowed to receive the content;
  • <path> — the relative path to the file on the source;
  • <lifetime> — the lifetime of the link in seconds;
  • <domain> — the domain of the CDN resource, including the protocol. You can view the resource domain in the control panel under CDN → CDN resources → resource page → tab General.

Without IP parameter

Use this variant if you did not select the Add the client IP address to the token checkbox in step 6 of the CDN resource settings.

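<?php
// Values in angle brackets are placeholders; see the list below.
$secret = '<secret_key>';
$path = '<path>';
$expires = time() + <lifetime>;
// String to hash: expiry time, path, a space, then the secret key.
$link = "$expires$path $secret";
// Raw MD5 digest, base64-encoded with the URL-safe alphabet and no padding.
$md5 = md5($link, true);
$md5 = base64_encode($md5);
$md5 = strtr($md5, '+/', '-_');
$md5 = str_replace('=', '', $md5);
$url = "<domain>{$path}?md5={$md5}&expires={$expires}";
echo $url;
echo "\n";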

Specify:

  • <secret_key> — the secret key you specified in the CDN resource settings;
  • <path> — the relative path to the file on the source;
  • <lifetime> — the lifetime of the link in seconds;
  • <domain> — the domain of the CDN resource, including the protocol. You can view the resource domain in the control panel under CDN → CDN resources → resource page → tab General.
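
The token scheme from step 8, ported to Python as an added example (not Selectel's code): make_token reproduces the string layout of the PHP snippets above, and check_url is an assumed model of the check the CDN servers are described as performing (key match, allowed IP, unexpired lifetime). The function names, the sample key and the addresses are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SAMPLE_KEY = "Examp1eKey123"  # constructed key: Latin letters and digits, 6-32 chars


def make_token(secret, path, expires, ip=None):
    """MD5 over expires + path [+ ip] + ' ' + secret, URL-safe base64, no padding."""
    data = f"{expires}{path}{ip or ''} {secret}"
    digest = hashlib.md5(data.encode()).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_url(domain, secret, path, lifetime, ip=None, now=None):
    """Build the tokenized link the origin hands to the user."""
    expires = int(time.time() if now is None else now) + lifetime
    token = make_token(secret, path, expires, ip)
    return f"{domain}{path}?md5={token}&expires={expires}"


def check_url(url, secret, client_ip=None, now=None):
    """Assumed model of the edge check; returns (allowed, reason).

    Pass client_ip only when the resource has the
    'Add the client IP address to the token' option enabled.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        token = query["md5"][0]
        expires = int(query["expires"][0])
    except (KeyError, ValueError):
        return False, "missing or malformed token"
    # Recompute from the request itself: changing the path, the expiry or the
    # client address changes the expected token, so the old one stops matching.
    expected = make_token(secret, parts.path, expires, client_ip)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "token mismatch"
    if expires < (time.time() if now is None else now):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    link = sign_url("https://cdn.example.com", SAMPLE_KEY, "/123.jpg", 300, ip="192.0.2.10")
    print(link, check_url(link, SAMPLE_KEY, client_ip="192.0.2.10"))
```

Because expires is part of the hashed string, a client cannot extend a link by editing the expires parameter; the only way to issue a longer-lived link is to sign it again with the key.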

Configure access policy from domains

The Access from Domains policy (Referrer ACL) allows you to grant or restrict access to content from other domains. By default, access by domain is not restricted.

  1. In the control panel, go to CDN → CDN resources.

  2. Open the CDN resource page → tab Settings.

  3. Enable the option Access policy from domains.

  4. Select a policy:

    • permissive — links to your content will work on all domains other than those specified;
    • prohibitive — links to your content will only work on specified domains.
  5. Enter the names of the domains that you want to allow or deny access to according to the selected policy. Enter the names one per line, without specifying a protocol, for example:

    example.com
    example1.com
  6. Click Save.

Configure access policy from IP addresses

The IP Address Access Policy (IP ACL) allows you to grant or restrict access to content from specific IP addresses. By default, access by IP addresses is not restricted.

  1. In the control panel, go to CDN → CDN resources.

  2. Open the CDN resource page → tab Settings.

  3. Enable the option Access policy from IP addresses.

  4. Select a policy:

    • permissive — access to content is allowed to all IP addresses other than those specified;
    • prohibitive — access to content is denied to all IP addresses other than those specified.
  5. Enter the IP addresses to be allowed or denied access according to the selected policy. Enter addresses with a subnet mask, one per line, for example:

    192.0.2.0/24
    198.51.100.0/24
  6. Click Save.

Customize access policy by country

The option is not available for Akamai resources.

The Country Access Policy (Geo ACL) allows you to grant or restrict access to content from specific countries. By default, country access is not restricted.

  1. In the control panel, go to CDN → CDN resources.

  2. Open the CDN resource page → tab Settings.

  3. Enable the option Access policy by country.

  4. Select a policy:

    • permissive — access to content is allowed from all countries except those specified;
    • prohibitive — access to content is prohibited from all countries except those specified.
  5. Select the countries for which you want to allow or deny access according to the selected policy.

  6. Click Save.

Configure access policy from client applications

The User Agent ACL policy allows you to grant or restrict access to CDN content by User-Agent, for example for a specific browser, set-top box or device. By default, all client applications are allowed to access the resource.

  1. In the control panel, go to CDN → CDN resources.

  2. Open the CDN resource page → tab Settings.

  3. Enable the option Access policy from client applications.

  4. Select a policy:

    • permissive — access to the resource is allowed to all client applications except the specified ones;
    • prohibitive — access to the resource is denied to all client applications except the specified ones.
  5. Enter the names of the applications for which you want to allow or deny access according to the selected policy. Enter the names one per line, for example:

    Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  6. Click Save.

Customize unique HTTP headers

The Custom Origin headers option allows you to specify your own HTTP headers that the CDN server will add to the request when accessing the source.

  1. In the control panel, go to CDN → CDN resources.
  2. Open the CDN resource card.
  3. Open the tab Settings.
  4. Enable the option Unique HTTP headers.
  5. Enter the header name. Allowed characters: Latin letters A-Z and a-z, digits 0-9, underscore _ and hyphen -.
  6. Enter the header value. Allowed characters: Latin letters A-Z and a-z, digits 0-9, underscore _, period ., slash /, colon :, hyphen -, equals sign = and space.
    A space may appear only inside a value, between words. Do not put a space at the beginning or end of a value.
  7. If you need to add another header, click Add a headline and repeat steps 5-6.

Access-Control-Allow-Origin Header

The option allows you to protect content from being downloaded on third-party sites and applications by adding the Access-Control-Allow-Origin header. It applies to all files on the CDN resource.

For example, a user who is on the website example1.com opens an image that is located on your website at cdn.example2.com/image.jpg. The user's browser sends the server of the domain cdn.example2.com a request with the Origin header, which points to the source of the request; in this example, Origin: http://example1.com.

The server of the domain cdn.example2.com checks the contents of the Origin header in the request:

  • if the domain is allowed, the server will respond to the browser with the Access-Control-Allow-Origin header, which will allow the browser to display the image to the user of the site example2.com.
  • if the domain is not allowed, the server will respond to the browser without the Access-Control-Allow-Origin header, and the browser will not display the image to the user.

Customize the Access-Control-Allow-Origin header

  1. In the control panel, go to CDN → CDN resources.

  2. Open the CDN resource page → tab Settings.

  3. Enable the option Access-Control-Allow-Origin Header.

  4. Select a policy:

    • * for all domains — all sites are allowed to display content; the CDN server will send a response to the browser with the header Access-Control-Allow-Origin: *;
    • only for specified domains — only specified sites are allowed to display content. When receiving a request, the CDN server will check the value of the Origin header against the domains you specify in the settings in step 5. If the domain is allowed, the server will respond to the browser with the Access-Control-Allow-Origin header containing the name of this domain;
    • for all domains — content display is allowed for all sites; the CDN server will send the browser, in the response, the name of the domain from which the request came, for example: Access-Control-Allow-Origin: example.com.
  5. If you chose the policy Only for specified domains, enter the names of the domains that are allowed to load content, up to a maximum of 20 domains. Enter the names one per line, without specifying a protocol.

  6. Click Save.