Allow restriction of downloads from CDN to stop hotlinking.
Maybe something as simple as insisting on a Referer header being present and matching a supplied regex (for expected host domains). That would stop casual hotlinking and bandwidth theft IMHO.
Thanks for the feedback, we’d love to hear more about what you’re looking for. How would you like to restrict access? Anything besides expected domains?
This needs to be done ASAP, because of how the CDN works, we can get billed a lot from hotlinking.
In your docs you suggest hiding our code or making it a little more complicated or obfuscated... that's almost a joke; there's no way to hide code from a website, everything can be seen, so please put in some check, like Referer or Origin validation, so we don't get billed extra.
Corey Innis commented
In addition to referrer checking, I'd like to see:
* HMAC URL signing, with expiry checking
* An optional "callback" from CDN to my application, for further auth checks and logging
Matt Dunn commented
How long is "under review" necessary before you provide us with the ability to protect our assets?
Joy C. commented
Has anything been done on this issue? This is important for my app.
Deep Ganatra commented
Same issue. Opened ticket. This is a pretty important feature. Not sure how it got missed by Rackspace. Amazon S3 has had this feature implemented for quite some time.
Jairo Perez commented
I have the same issue too, this is a critical feature.
Thomas Keene commented
This would be a great feature to have. Being able to restrict to both domain and paths would help a lot. When can we expect it to be usable?
Is this feature implemented now? We need this feature.
Justin West commented
I agree with the .htaccess referrer requirements. This would help make clients feel better about having their objects in the cdn. Current configuration allows hotlinking. A referrer could always be spoofed, so another option could be acceptable, just not as easily implemented.
Ian Armstrong commented
This is pretty critical. I have members-only content that becomes easy to hotlink outside of my site the minute it hits the cloud. This is very bad.
Bart van Wissen commented
If we were to use Cloud Files on our website, something like this would be required. Some images should only be visible to users who are logged in to certain parts of the website. It could be as simple as adding a signature to the URL based on a secret and the user's IP address, like with mod_auth_token.
Until support for this is added to Cloud Files, we will not be using it.
I realize that we can 'proxy' things through our own server, but it's just going to be too slow.
Jeremy O. commented
Another quick note, would probably want to include functionality for the streaming URL found on http://www.rackspace.com/knowledge_center/StreamingforCloudFilesFAQ
Jeremy O. commented
Would we be able to follow a format like the apache mod-auth-token http://code.google.com/p/mod-auth-token/ with timeout control and an ip address match?
So the current CDN URL would be something like this with a timeout of say 300 secs.
I'm able to do this with my Private Cloud Files Containers with CloudFuse and the Apache Mod-Auth-Token. But accessing large resources is so slow. I'd like to have the lightning-fast edge CDN so that my Cloud Server doesn't have to process any of the files.
Thoughts, feedback, etc. on this are good.
Tom Elsner commented
Just wondering what the status on this is... in the sample php files for the cloud file api there seems to be a reference to $cont->acl_referrer("http://www.example.com");
Or is this something else? I can't find any reference to this in the API documentation.
Very much needed feature, such as Amazon S3 "Bucket Policies" or "Query String Authentication" which generates expiring image urls.
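Several comments above ask for HMAC URL signing with expiry, optionally bound to the client IP in the way mod_auth_token or S3 query string authentication work. The following is an added example, not part of the thread and not the token format of Rackspace, Amazon or mod_auth_token: it assumes an HMAC-SHA256 token over path, expiry and optional client IP, carried in hypothetical `expires` and `sig` query parameters.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed value for the example; a real secret is shared only between
# the application that signs URLs and the edge that checks them.
SECRET = b"example-shared-secret"


def _mac(secret, path, expires, client_ip):
    # Newline-separated fields keep path, expiry and IP from running together.
    msg = "\n".join([path, str(expires), client_ip or ""]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_url(path, secret, ttl=300, now=None, client_ip=None):
    """Application side: return path?expires=...&sig=..., valid for ttl seconds."""
    expires = int(time.time() if now is None else now) + ttl
    sig = _mac(secret, path, expires, client_ip)
    return f"{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_url(url, secret, now=None, client_ip=None):
    """Edge side: return (allowed, reason) for a requested URL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed token"
    # Verify the MAC first: it covers the path, the expiry and the IP, so a
    # changed path, a pushed-out expiry or a different client all fail here.
    expected = _mac(secret, parts.path, expires, client_ip)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    if (time.time() if now is None else now) > expires:
        return False, "expired"
    return True, "ok"
```

Unlike a Referer check, the token cannot be produced by a third-party page that lacks the secret, and a copied link stops working once the expiry passes.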
Damon Hart-Davis commented
Basically, expected/allowed domains in the Referer, so a regex would do, with possibly some special case handling of absent or invalid Referer header.
Next up would be a more general regex match on the URL.
Next would be restriction on access by source IP/domain, statically or dynamically, to help defeat hotlinking or malicious attacks.
But just the first (regex matching of Referer hostname, with simple allow/disallow for entirely absent Referer) would block 90%+ of casual/inadvertent misuse for me.
If it will respect directives in an .htaccess file then you could add this:
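# Block bandwidth theft by other sites referencing images on your site
# Add this to Apache httpd.conf or .htaccess:
# Allow requests whose Referer is your own site (www.example.com is a placeholder)
SetEnvIfNoCase Referer "^https?://www\.example\.com/" local_ref=1
# Include this if you want to allow browsers that do not send Referer info
SetEnvIf Referer "^$" local_ref=1
<FilesMatch "\.(gif|jpe?g|png)$">
    Order Allow,Deny
    Allow from env=local_ref
</FilesMatch>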
paul lashbrook commented
+1 on that... maybe it's possible, if a CNAME is used, to make sure the files are only served to that CNAME? I'm not sure, just thinking (typing) out loud.