The access to your CDN zone can be restricted by the HTTP referer.
The HTTP referer is an optional HTTP header field that identifies the URL of the website which is linked to the resource being requested.
More information about the HTTP referer you can find here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer
To enable access limits based on the referer, follow the steps outlined below:
1. Log in to the Universal CDN Control Panel at my.ucdn.com.
2. Navigate to the My Zones tab located in the top left corner.
3. Click on the cogwheel icon next to the CDN zone which access will be restricted.
4. Navigate to the Limit Access tab.
A regular expression (shortened as regex, or regexp) is a sequence of characters that define a search pattern. Mainly, such patterns are used by string-searching or string-matching algorithms. In our case, we use it for input validation considering your domain name as an identification string.
We use Perl-compatible regular expressions (PCRE) syntax.
This is a quick-reference guide of Perl regex with some examples that might be useful for setting up the referer limit in the Universal CDN Control Panel.
The following 11 characters (often called “metacharacters”) are with special meanings in Perl regex:
Character | Meaning |
---|---|
caret ( ^ ) | beginning of string |
dollar sign ( $ ) | end of string |
backslash ( ) | quote or special |
period or dot ( . ) | any character except newline |
vertical bar ( | ) | alternative |
question mark ( ? ) | match 0 or 1 time; or: shortest match |
asterisk ( * ) | match 0 or more times |
plus sign ( + ) | match 1 or more times |
parenthesis ( ) | grouping; “storing” |
square bracket [ ] | set of characters |
curly braces { } | repetition modifier |
The regular expression syntax summary and classes are described here:
Perl-compatible regular expressions (PCRE) syntax and here Perl 5 version 32.1 documentation.
The metacharacters mentioned above must be escaped with a backslash ( ) to be taken literally.
Let’s review the syntax of the following examples and assume that your domain name is example.com.
Example I:
^https:\/\/video\.example\.com(\/.*|$)
^https:\/\/ – this part of the expression says that the begging of the string must contain the specified characters in the same order and no exception is allowed.
In the example above the specified string at the beginning is https:// (strings beginning with http:// are not allowed in the example above.
To allow strings beginning with https:// or with http://, the regex must start with ^http(s?):\/\/. Since forward slash ( / ) is used in Perl as a pattern delimiter it requires adding the backslash ( \ ) character right before it otherwise, the forward slash ( / ) character will not be taken literally.
video\.example\.com – this part of the expression says that the resources can be accessed only by a subdomain in which the string of characters must contain the specified once in the same order (no exceptions are allowed), and in case the previous conditions above are met. In this case, the specified string of characters is video.example.com.
Since the period or dot sign ( . ) is one of the special characters that are reserved for special use, the backslash ( \) character must be included right before the dot ( . ). Otherwise, the dot character will not be taken literally (e.g video\.example\.com).
(\/.*|$) – this part of the expression allows strings that only contain any characters after the forward slash ( / ) (if there are any), except the new line, and in case, the previous conditions above are met.
If there aren’t any characters after the forward slash ( / ) the access to the resources will be allowed in case the previous conditions are met.
Example II:
^http(s?):\/\/(.+\.)example\.com(\/.*|$)
^http(s?):/\/\ – this part of the expression says that the beginning of the string must contain the specified characters in the same order and no exception is allowed.
In the example above the specified string of characters at the beginning must be http:// or https://. Forward slash ( / ) is used in Perl as a pattern delimiter; it requires adding the backslash ( \ ) character right before it otherwise, the forward slash ( / ) character will not be taken literally.
(.+.)* – this part of the expression says that subdomains are allowed but they must be a part of the domain name specified in the consequent expression (in the example above they must be part of example.com, (e.g video.example.com).
example.com – this part of the expression says that the domain must contain the specified string of characters in the same order (no exceptions are allowed), and only in case the previous conditions are met. In the example above, the specified string must be example.com.
Since the period or dot ( . ) is one of the special characters that are reserved for special use, the backslash ( ) character must be included right before the dot ( . ) otherwise, the dot character will not be taken literally.
(\/.*|$) – this part of the expression allows strings that contain any characters after the forward slash ( / ) (if there are any), except the newline, in case the previous conditions are met.
If there aren’t any characters after the forward slash ( / ) the access to the resources will be allowed in case the previous conditions are met.
You can apply the filter to the Origin header in case of an empty or missing Referer header by checking the box next to “In case of missing Referer header, apply the filter to the Origin Header”.
After making any changes in the Universal CDN Control Panel do not forget to click on the Save Changes button.
Limit Access Using a Secret Key