Practical Tutorial
  • EdgeOne initiates Automatic Warm-up
  • Cross-regional Secure Acceleration (Oversea Sites)
  • Scheduling Traffic to EdgeOne by Performing Canary Switching
  • Through traffic orchestration to multiple service providers
  • Configuring EdgeOne Security Event Alarms via TCOP
  • EdgeOne Resource Abuse Prevention
  • EdgeOne Implementation of Session Persistence Based on Client IP Addresses
  • EdgeOne Implementation of Origin-Pull Based on Client's Geo Location
  • EdgeOne Hotlink Protection Practical Tutorial
  • Quickly Enabling HTTPS Access with EdgeOne Free Certificate
  • EdgeOne Automatic Cache Purge
  • EdgeOne facilitate APKs.s dynamic packaging of Android
    • Feature Overview
    • Step 1: Preprocess the Android APK Parent Package
    • Step 2: Write the Channel Information into the APK Package with EdgeOne Edge Functions
    • Step 3: Implement Test and Verify the Outcome Effectiveness
이 페이지는 현재 영어로만 제공되며 한국어 버전은 곧 제공될 예정입니다. 기다려 주셔서 감사드립니다.

EdgeOne Hotlink Protection Practical Tutorial

This document describes how to use the hotlink protection capabilities provided by EdgeOne to protect your content against unauthorized hotlinking and improve the security of acceleration services.

Background

Hotlinking can result in other websites or applications directly using your resources, consuming your bandwidth and server resources, and may even lead to the misuse or unauthorized distribution of your content, harming your brand image and reputation. EdgeOne supports a range of hotlink protection capabilities to ensure that only authorized users can access and use your content, protecting your content's security.

Implementation Method

HTTP response: Implements basic access control such as IP blocklist/allowlist, Referer blocklist/allowlist, UA blocklist/allowlist, and regional access control. For details, see HTTP Response.
Token authentication: Timestamp hotlink protection, which is more secure and reliable. For details, see Token Authentication.
Edge functions: Customizable hotlink protection capabilities such as remote authentication can be supported through Edge Functions.

Directions

Referer Hotlink Protection

Setting access control rules based on the Referer field in the HTTP request header helps identify and filter visitors, preventing illegal use of website resources. After the Referer blocklist/allowlist is configured, EdgeOne will authenticate requests based on the list, allowing or denying access requests. If the request is allowed, EdgeOne will return the resource link; if denied, EdgeOne will return a 403 response code.

Configuration Samples

For your site example.com, if you only allow access to the domain business www.example.com with the Referer set to https://www.example.com, and deny other requests directly with a 403 response, you can follow these steps:
1. Log in to the EdgeOne console and click Site List in the left sidebar. Subsequently, in the Site List, click the Site you want to configure.
2. On the site details page, click Site Acceleration to enter the global configuration page for the site. Then, click the Rule Engine tab.
3. On the Rule Engine page, click Create rule, and then select Add blank rule.
3.1 On the rule editing page, set the matching type to HOST equal to www.example.com, and set the matching type HTTP Request Header Referer's header value not equal to https://www.example.com.
3.2 Click Action, and in the pop-up operation list, select the operation as HTTP Response.
3.3 Configure the response status code as 403. Select the response page from the drop-down list. If no page is available, you need to click Create Page to create one first and then reference it.
4. The complete rule configuration is as demonstrated below. By clicking Save and publish, the rule configuration will be completed.


IP Blocklist/Allowlist

By configuring the IP blocklist/allowlist to filter user requests, you can intercept or allow access from specific IP addresses, effectively limiting access sources and addressing issues such as hotlinking by malicious IP addresses and attacks.

Configuration Samples

For your site example.com, if you only allow access from client IP addresses within the range of 1.1.2.1 to 1.1.2.254 (including 1.1.2.1 and 1.1.2.254) to the domain business www.example.com, and deny other access directly with a 403 response, you can follow these steps:
1. Log in to the EdgeOne console and click Site List in the left sidebar. Subsequently, in the Site List, click the Site you want to configure.
2. On the site details page, click Site Acceleration to enter the global configuration page for the site. Then, click the Rule Engine tab.
3. On the Rule Engine page, click Create rule, and then select Add blank rule.
3.1 On the rule editing page, set the matching type to HOST equal to www.example.com, and set the matching type client IP equal to 1.1.2.0/24.
3.2 Click Action, and in the pop-up operation list, select the operation as HTTP Response.
3.3 Configure the response status code as 403. Select the response page from the drop-down list. If no page is available, you need to click Create Page to create one first and then reference it.
4. The complete rule configuration is as demonstrated below. By clicking Save and publish, the rule configuration will be completed.


UA Blocklist/Allowlist

User-Agent is part of the HTTP request header, which identifies the operating system and version and the browser type and version used by the user for accessing. You can configure the User-Agent blocklist/allowlist to restrict the sources of users accessing business resources and enhance the security of acceleration.

Configuration Samples

The domain business www.example.com under your example.com site is maliciously crawled by Google crawlers, causing a sudden bandwidth increase and severely impacting fees. Through analysis, it was found that the crawler request's User-Agent contains spider. If you want to block such requests, you can follow these steps:
1. Log in to the EdgeOne console and click Site List in the left sidebar. Subsequently, in the Site List, click the Site you want to configure.
2. On the site details page, click Site Acceleration to enter the global configuration page for the site. Then, click the Rule Engine tab.
3. On the Rule Engine page, click Create rule, and then select Add blank rule.
3.1 On the rule editing page, set the matching type to HOST equal to www.example.com.
3.2 Click Action, and in the pop-up operation list, select the operation as HTTP Response, and set the matching type to HTTP Request Header User-Agent with a regular expression match for the header value *spider*.
3.3 Configure the response status code as 403. Select the response page from the drop-down list. If no page is available, you need to click Create Page to create one first and then reference it.
4. The complete rule configuration is as demonstrated below. By clicking Save and publish, the rule configuration will be completed.


Token Authentication

Token authentication is a simple and highly reliable access control policy. By configuring authentication rules for URL access validation, it can effectively prevent malicious hotlinking of site resources. The use of this feature requires cooperation between the client and EdgeOne. The client is responsible for initiating encrypted URL requests, and EdgeOne is responsible for legitimacy verification of the URL based on predefined rules. For detailed configuration and usage, refer to Token Authentication.

Remote Authentication

If you have your own authentication server, you can configure remote authentication to forward user requests to the authentication server you specify. The server then validates the requests. This method is suitable for scenarios requiring precise access control and real-time authentication. EdgeOne can achieve remote authentication capability through edge functions. For sample functions, refer to Remote Authentication.