How to prevent hotlinking on the website?

Anti-hotlinking can be implemented on top of OSS. OSS currently provides two main anti-hotlinking methods:

Referer whitelist. It can be configured either in the console or through the SDK, so it suits both users who do not want to write code and users who prefer to develop;

Signed URL. It suits users who prefer to develop.

This article gives a concrete example of configuring Referer anti-hotlinking in the console, and also an example of dynamically generating a signed URL with the PHP SDK to prevent hotlinking.

Specific steps to prevent hotlinking through Referer

Step 1: Open the OSS management console.

Step 2: Click the name of the target bucket to enter the bucket management page.

Step 3: Click Bucket Properties > Anti-leeching settings.

Step 4: Click "Settings", add the whitelist URLs, and choose whether an empty Referer is allowed.

Step 5: Click "Submit" to save the anti-leeching settings.

Example

For a bucket named test-1-001, set its Referer whitelist to [whitelist entry not preserved on this page].

Example of generating a signed URL with the PHP SDK

```php
<?php
require_once __DIR__ . '/autoload.php'; // PHP SDK autoloader; adjust the path to where the SDK is installed
use OSS\OssClient;

$accessKeyId = "<your AccessKeyId>";         # placeholder: use your own AccessKey
$accessKeySecret = "<your AccessKeySecret>"; # placeholder: use your own AccessKey secret
$endpoint = "http://oss-cn-hangzhou.aliyuncs.com"; # Endpoint, chosen by the region the bucket was created in; in this article it is Hangzhou
$bucket = 'referer-test';                    # Bucket; use your own bucket name
$ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint);
$object = "aliyun-logo.png";                 # Object that needs to be signed
$timeout = 300;                              # Expected lifetime of the link: 300 seconds from the moment this line runs
$signedUrl = $ossClient->signUrl($bucket, $object, $timeout); # signUrl generates the signed URL
$img = $signedUrl;                           # Dynamically place the signed URL into the image resource and print it out
$my_html = "<html>";
$my_html .= "<body>";
$my_html .= "<img src=\"" . $img . "\" />";
$my_html .= "</body></html>";
echo $my_html;
?>
```

Step 3: If you request the page several times through the browser, you will see that the signed URL changes. This is caused by the changing expiration time, which is the moment the link expires, shown as a Unix timestamp, for example Expires=189999. You can convert it to local time with the Linux command date -d@189999, or with any online converter.
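To show what the SDK's signUrl() call produces and why the URL changes with each request, here is an added Python example (not code from the page or from the OSS SDK). It implements the documented OSS V1 URL-signing rule directly with the standard library (Base64 of HMAC-SHA1 over the verb, Expires value and /bucket/object), and adds a model of the check the storage side performs before serving the object. The credentials are constructed placeholders; the verification function is an illustration of the logic, not OSS's own code.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, urlparse

# Constructed demo credentials and endpoint (not real keys).
ACCESS_KEY_ID = "LTAIexampleKeyId"
ACCESS_KEY_SECRET = "exampleSecretDoNotUse"
ENDPOINT = "oss-cn-hangzhou.aliyuncs.com"


def oss_v1_signature(secret, bucket, obj, expires, verb="GET"):
    r"""OSS V1 URL signature: Base64(HMAC-SHA1(AccessKeySecret, StringToSign)).

    StringToSign = VERB + "\n" + Content-MD5 + "\n" + Content-Type + "\n"
                   + Expires + "\n" + CanonicalizedOSSHeaders + CanonicalizedResource
    For a plain GET without OSS headers the MD5, type and header parts are empty,
    so only the verb, the Expires value and "/bucket/object" remain.
    """
    string_to_sign = f"{verb}\n\n\n{expires}\n/{bucket}/{obj}"
    digest = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_url(bucket, obj, timeout, now=None):
    """Counterpart of the SDK's signUrl(): Expires = current time + timeout seconds."""
    expires = int(time.time() if now is None else now) + timeout
    sig = oss_v1_signature(ACCESS_KEY_SECRET, bucket, obj, expires)
    return (f"http://{bucket}.{ENDPOINT}/{obj}"
            f"?OSSAccessKeyId={ACCESS_KEY_ID}&Expires={expires}&Signature={quote(sig, safe='')}")


def verify_signed_url(url, now=None):
    """Model of the server-side check run before the object is served.

    Returns (ok, reason). Expired URLs, unknown key ids and signatures that do not
    match the bucket, object and Expires actually requested are all rejected, so
    editing Expires or swapping the object name in a captured URL does not work.
    """
    parsed = urlparse(url)
    bucket = (parsed.hostname or "").split(".")[0]
    obj = parsed.path.lstrip("/")
    params = parse_qs(parsed.query)
    try:
        key_id = params["OSSAccessKeyId"][0]
        expires = int(params["Expires"][0])
        signature = params["Signature"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    if key_id != ACCESS_KEY_ID:
        return False, "unknown access key"
    if int(time.time() if now is None else now) > expires:
        return False, "expired"
    expected = oss_v1_signature(ACCESS_KEY_SECRET, bucket, obj, expires)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    url = sign_url("referer-test", "aliyun-logo.png", 300)
    print(url)
    print(verify_signed_url(url))
```

Running the script twice a second apart yields two different URLs, because Expires (and therefore the signature) differs; the server-side check shows that the Expires value itself is covered by the signature, which is why a leaked URL cannot simply be extended.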

Special Notes

Signed URLs can be used together with the Referer whitelist function

If the expiration time of a signed URL is limited to a few minutes, a hotlinker who forges the Referer still has to obtain a signed URL that is within its validity period before the hotlink can work. Compared with Referer checking alone, this is considerably harder. In other words, combining signed URLs with the Referer whitelist function strengthens the anti-hotlinking effect.

Summary: the best practices for anti-hotlinking based on OSS are as follows:

Use third-level domain name URLs, such as referer-test.oss-cn-hangzhou.aliyuncs.com/aliyun-logo.png, which is more secure than binding a second-level domain name. The third-level domain name provides bucket-level cleaning and isolation, can cope with the surge in traffic after links are stolen, and also avoids buckets affecting each other, ultimately improving business availability;

If you use a custom domain name for links, also bind its CNAME to the third-level domain name. The rule is bucket + endpoint: if your bucket is named test, the third-level domain name is test.oss-cn-hangzhou.aliyuncs.com;

Set the bucket's access permission as strictly as possible. For example, a bucket that serves the public internet should be public-read or private; setting it to public-read-write is prohibited.

For Bucket permissions, see Access Control;

Verify the access source and set an appropriate Referer whitelist as needed;

If a more stringent anti-leeching solution is needed, refer to the signed URL solution;

Record bucket access logs, which let you detect hotlinking promptly and verify that the anti-hotlinking measures are effective. For access logs, see Setting Access Logging.
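The following added Python example (not code from the page or from OSS) ties together the Referer whitelist settings described in the console steps and the access-log recommendation above. It models the whitelist decision, including the "allow empty Referer" switch and the `*`/`?` wildcards OSS supports in whitelist entries (the exact OSS matching rules are assumed to be simple full-string wildcard matching, which is a simplification), then runs that decision over a constructed, simplified access log to report which Referers were served content despite not being whitelisted. The log format here is invented for the example and is much shorter than the real OSS access-log format.

```python
import csv
import fnmatch
import io
from collections import defaultdict
from urllib.parse import urlparse


def referer_allowed(referer, whitelist, allow_empty):
    """Simplified model of the Referer whitelist decision.

    An empty or missing Referer is governed by allow_empty; otherwise the full
    Referer value must match at least one whitelist pattern ('*' and '?' wildcards).
    Patterns should be anchored to the scheme and host, e.g. "http://*.example.com/*":
    a loose pattern such as "*example.com*" also matches www.example.com.evil.net.
    """
    if not referer:
        return allow_empty
    return any(fnmatch.fnmatchcase(referer, pattern) for pattern in whitelist)


# Constructed sample log: time, status, object, referer, bytes (simplified format).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z,200,aliyun-logo.png,http://www.example.com/index.html,10240
2024-01-01T10:00:05Z,200,aliyun-logo.png,http://forum.hotlinker.test/thread/1,10240
2024-01-01T10:00:09Z,403,aliyun-logo.png,http://forum.hotlinker.test/thread/2,0
2024-01-01T10:00:12Z,200,aliyun-logo.png,,10240
2024-01-01T10:00:20Z,200,banner.jpg,http://img.example.com/,51200
"""


def audit_hotlinking(log_text, whitelist, allow_empty):
    """Summarise requests whose Referer the whitelist would not accept.

    Returns {referer_host or "(empty)": {"served": n, "blocked": n, "bytes": n}}.
    A non-zero "served" count means hotlinked content was still delivered, so the
    whitelist is missing, too loose, or was configured after those requests.
    """
    report = defaultdict(lambda: {"served": 0, "blocked": 0, "bytes": 0})
    for _ts, status, _obj, referer, nbytes in csv.reader(io.StringIO(log_text)):
        if referer_allowed(referer, whitelist, allow_empty):
            continue
        key = urlparse(referer).hostname if referer else "(empty)"
        entry = report[key]
        if status == "200":
            entry["served"] += 1
            entry["bytes"] += int(nbytes)
        else:
            entry["blocked"] += 1
    return dict(report)


if __name__ == "__main__":
    whitelist = ["http://www.example.com/*", "http://*.example.com/*"]
    for host, counts in audit_hotlinking(SAMPLE_LOG, whitelist, allow_empty=False).items():
        print(host, counts)
```

The report separates requests that were blocked (status 403, the whitelist working as intended) from those that were served, which is the signal that either the whitelist or the "allow empty Referer" setting needs tightening; the empty-Referer row shows why that switch matters, since browsers omit the header in several situations and direct requests carry none.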