Restrict access to content

You can restrict access to content that is distributed via CDN — for example, set up key access, show content only to users from certain countries or in certain browsers.

Access by key

Tokenized URLs allow you to make links to content temporary and restrict access to content by IP address.

A special token is added to the links on the site. The token is computed from the access key, the lifetime of the link and the allowed IP addresses. When a user clicks on a link, the CDN servers check the token in the request: if the key matches, the IP address is allowed and the lifetime of the link has not expired, the servers serve the content. The CDN servers themselves receive content from the source regardless of whether a token is present.

The tokenized links will be of the form:

  • CDN Selectel:
    https://cdn.example.com/123.jpg?md5=DMF1ucDxtHCxwYQ&expires=2147483647
  • CDN Akamai:
    https://cdn.example.com/123.jpg?sel-token=exp=1592563853~hmac=0851b56b74c47120565024a6c6532dc77dff809b0eeeb6fc1e01c86090a1bccd

Configure key access

  1. In Control Panel, go to CDN → CDN Resources.

  2. Open the CDN resource page → Settings tab.

  3. Enable the Key Access option.

  4. To generate a key automatically, click Generate Key.

  5. To use your own key, enter it manually. The key must meet these requirements:

    • Latin letters and numbers;
    • length from 6 to 32 characters.
  6. Optional: To allow only specific IP addresses to access content, check the Add client IP address to token checkbox.

  7. Click Save.

  8. Configure token generation on the source server. Four parameters are used to generate the token:

    • the lifetime of the link;
    • source link to the file;
    • IP addresses for which access to the file is allowed — optional parameter;
    • key that you set in step 4 or 5.

With the IP parameter

Use this variant if you checked the Add client IP address to token checkbox in the CDN resource settings in step 6.

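<?php
// Values in angle brackets are placeholders; see the list below.
$secret = '<secret_key>';
$ip = '<ip_address>';
$path = '<path>';
$expires = time() + <lifetime>;
// String to hash: expiry, path and client IP, then a space and the secret key.
$link = "$expires$path$ip $secret";
// Raw MD5 digest, base64-encoded in the URL-safe alphabet with '=' padding removed.
$md5 = md5($link, true);
$md5 = base64_encode($md5);
$md5 = strtr($md5, '+/', '-_');
$md5 = str_replace('=', '', $md5);
$url = "<domain>{$path}?md5={$md5}&expires={$expires}";
echo $url;
echo "\n";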

Specify:

  • <secret_key> — the secret key you specified in the CDN resource settings;
  • <ip_address> is the IP address that is allowed to receive the content;
  • <path> is the relative path to the file on the source;
  • <lifetime> — the lifetime of the link in seconds;
  • <domain> — domain of the CDN resource with the protocol specified. You can view the resource domain in control panel under CDN → CDN Resources → resource page → General tab.

Without the IP parameter

Use this variant if you did not check the Add client IP address to token checkbox in the CDN resource settings in step 6.

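<?php
// Values in angle brackets are placeholders; see the list below.
$secret = '<secret_key>';
$path = '<path>';
$expires = time() + <lifetime>;
// String to hash: expiry and path, then a space and the secret key.
$link = "$expires$path $secret";
// Raw MD5 digest, base64-encoded in the URL-safe alphabet with '=' padding removed.
$md5 = md5($link, true);
$md5 = base64_encode($md5);
$md5 = strtr($md5, '+/', '-_');
$md5 = str_replace('=', '', $md5);
$url = "<domain>{$path}?md5={$md5}&expires={$expires}";
echo $url;
echo "\n";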

Specify:

  • <secret_key> — the secret key you specified in the CDN resource settings;
  • <path> is the relative path to the file on the source;
  • <lifetime> — the lifetime of the link in seconds;
  • <domain> — domain of the CDN resource with the protocol specified. You can view the resource domain in control panel under CDN → CDN Resources → resource page → General tab.
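
The check described under Access by key (token match, client IP, lifetime), modelled in Python for both variants above. This is an added example, not the CDN's own code or code from the original page; it reuses the string format of the PHP snippets, and the function names, key and addresses are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit


def make_token(secret, path, expires, ip=""):
    # Same construction as the PHP snippets: md5 of "<expires><path><ip> <secret>",
    # raw digest, URL-safe base64, '=' padding stripped. ip="" is the no-IP variant.
    material = f"{expires}{path}{ip} {secret}".encode()
    digest = hashlib.md5(material).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_url(domain, secret, path, lifetime, ip="", now=None):
    expires = int(time.time() if now is None else now) + lifetime
    return f"{domain}{path}?md5={make_token(secret, path, expires, ip)}&expires={expires}"


def check_url(url, secret, client_ip="", now=None):
    """Model of the check described above; returns (allowed, reason)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        token = query["md5"][0]
        expires = int(query["expires"][0])
    except (KeyError, ValueError):
        return False, "missing or malformed token"
    # Recompute the token from the request itself: any change to the path,
    # the expiry or the client IP produces a different expected value.
    expected = make_token(secret, parts.path, expires, client_ip)
    # Constant-time comparison so response timing does not leak the expected token.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "token mismatch"
    if int(time.time() if now is None else now) > expires:
        return False, "link expired"
    return True, "ok"


# Constructed sample values, not real credentials.
SECRET = "ExampleKey123"
NOW = 1_700_000_000
URL = sign_url("https://cdn.example.com", SECRET, "/123.jpg", 300, ip="192.0.2.10", now=NOW)

if __name__ == "__main__":
    print(URL)
    print(check_url(URL, SECRET, "192.0.2.10", now=NOW + 60))    # valid
    print(check_url(URL, SECRET, "198.51.100.7", now=NOW + 60))  # other client IP
    print(check_url(URL, SECRET, "192.0.2.10", now=NOW + 301))   # past lifetime
```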

Configure access policy from domains

The Access from Domains policy (Referrer ACL) allows you to grant or restrict access to content from other domains. By default, access by domain is not restricted.

  1. In Control Panel, go to CDN → CDN Resources.

  2. Open the CDN resource page → Settings tab.

  3. Enable the Access Policy from Domains option.

  4. Select a policy:

    • permissive — links to your content will work on all domains other than those specified;
    • prohibitive — links to your content will only work on specified domains.
  5. Enter the names of the domains that you want to allow or deny access to according to the selected policy. Enter names one per line without specifying a protocol, e.g.:

    example.com
    example1.com
  6. Click Save.

Configure access policy from IP addresses

IP Access Policy (IP ACL) allows you to grant or restrict access to content from specific IP addresses. By default, access by IP addresses is not restricted.

  1. In Control Panel, go to CDN → CDN Resources.

  2. Open the CDN resource page → Settings tab.

  3. Enable the Access Policy from IP Addresses option.

  4. Select a policy:

    • permissive — access to content is allowed to all IP addresses other than those specified;
    • prohibitive — access to content is denied to all IP addresses other than those specified.
  5. Enter the IP addresses to allow or deny access according to the selected policy. Enter addresses with a subnet mask, one per line, for example:

    192.0.2.0/24
    198.51.100.0/24
  6. Click Save.

Customize access policy by country

The option is not available for Akamai resources.

The Country Access Policy (Geo ACL) allows you to grant or restrict access to content from specific countries. By default, access by country is not restricted.

  1. In Control Panel, go to CDN → CDN Resources.

  2. Open the CDN resource page → Settings tab.

  3. Enable the Country Access Policy option.

  4. Select a policy:

    • permissive — access to content is allowed from all countries except those specified;
    • prohibitive — access to content is prohibited from all countries except those specified.
  5. Select the countries for which you want to allow or deny access according to the selected policy.

  6. Click Save.

Configure access policy from client applications

Access policy from client applications (User Agent ACL) allows you to grant or restrict access to CDN content by client application (User Agent), for example a specific browser, set-top box or device. By default, all client applications are allowed access to the resource.

  1. In Control Panel, go to CDN → CDN Resources.

  2. Open the CDN resource page → Settings tab.

  3. Enable the Access Policy from Client Applications option.

  4. Select a policy:

    • permissive — access to the resource is allowed to all client applications except the specified ones;
    • prohibitive — access to the resource is denied to all client applications except the specified ones.
  5. Enter the names of the applications you want to allow or deny access to according to the selected policy. Enter the names one per line, e.g.:

    Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  6. Click Save.

Customize unique HTTP headers

The Custom Origin headers option allows you to specify your own HTTP headers that the CDN server will add to the request when accessing the source.

  1. In Control Panel, go to CDN → CDN Resources.
  2. Open the CDN resource card.
  3. Open the Settings tab.
  4. Enable the Unique HTTP Headers option.
  5. Enter the name of the header. Latin letters A-Z, a-z, digits 0-9, underscore _ and hyphen - are allowed.
  6. Enter the value of the header. Latin letters A-Z, a-z, digits 0-9, underscore _, period ., slash /, colon :, hyphen -, equals = and space are allowed.
    A space may appear only inside the value, between words. Do not put a space at the beginning or end of the value.
  7. If you need to add another header, click Add Header and repeat steps 5-6.

Access-Control-Allow-Origin header

The option allows you to protect content from being downloaded on third-party sites and applications by adding the `Access-Control-Allow-Origin` header. Applies to all files on the CDN resource.

For example, a user at example1.com opens an image that is located on your site at cdn.example2.com/image.jpg. The user's browser sends a request to the domain server cdn.example2.com/image.jpg with an Origin header that points to the source of the request, in the example, Origin: http://example1.com.

The cdn.example2.com domain server checks the contents of the Origin header in the request:

  • if the domain is allowed, the server will respond to the browser with an Access-Control-Allow-Origin header that will allow the browser to display the image to the user of the example2.com site;
  • if the domain is not allowed, the server will respond to the browser without the Access-Control-Allow-Origin header, and the browser will not display the image to the user.

Customize the Access-Control-Allow-Origin header

  1. In Control Panel, go to CDN → CDN Resources.

  2. Open the CDN resource page → Settings tab.

  3. Enable the Access-Control-Allow-Origin header option.

  4. Select a policy:

    • *, for all domains — displaying content is allowed to all sites, the CDN server will send a response to the browser with the header Access-Control-Allow-Origin: *;
    • only for specified domains — only specified sites are allowed to display content. When the CDN server receives a request, it will check the value of the Origin header against the domains you specify in the settings in step 5. If the domain is allowed, the server will respond to the browser with an Access-Control-Allow-Origin header with the name of that domain;
    • for all domains — displaying content is allowed to all sites, the CDN server will send the browser a response containing the name of the domain from which the request came, for example: Access-Control-Allow-Origin: example.com.
  5. If you selected the Only for Specified Domains policy, enter the names of the domains that are allowed to load content, up to a maximum of 20 domains. Enter names one per line with no protocol.

  6. Click Save.
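
A model of how the three policies above turn a request's Origin header into a response header, useful for predicting what a given policy and domain list will return before you save it. This is an added example, not the CDN's own logic or code from the original page; the policy labels "star", "listed" and "reflect" and the sample hosts are hypothetical, and it assumes the full Origin value is echoed, since browsers compare the header against the origin including its scheme.

```python
from urllib.parse import urlsplit

MAX_DOMAINS = 20  # limit stated in step 5


def acao_header(policy, origin, allowed_domains=()):
    """Return the Access-Control-Allow-Origin value to send, or None to omit it.

    policy: "star"    -> "*, for all domains"
            "listed"  -> "only for specified domains"
            "reflect" -> "for all domains" (echo the requester)
    """
    if policy == "star":
        return "*"
    if policy not in ("listed", "reflect"):
        raise ValueError(f"unknown policy: {policy}")
    if not origin:
        return None  # request carried no Origin header
    try:
        host = urlsplit(origin).hostname
    except ValueError:
        return None  # malformed Origin
    if host is None:
        return None  # e.g. the literal origin "null"
    if policy == "reflect":
        return origin
    if len(allowed_domains) > MAX_DOMAINS:
        raise ValueError("at most 20 domains may be specified")
    # Domains are listed without a protocol, so compare host names only.
    allowed = {d.strip().lower().rstrip(".") for d in allowed_domains}
    # Exact comparison: a substring or suffix test would also admit
    # look-alike hosts such as "example1.com.other.test".
    return origin if host.rstrip(".") in allowed else None


if __name__ == "__main__":
    domains = ["example1.com"]  # constructed sample list
    for o in ("http://example1.com", "http://example1.com.other.test", "null"):
        print(o, "->", acao_header("listed", o, domains))
```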