Access Control
Access Control policies restrict resource access based on geographic location, IP addresses, and token-based authentication. These policies provide security and content distribution control for specific audiences.
Access Control Types
Access control policies can be applied to resources based on the following criteria:
Geographic IP Restrictions
The CDN restricts access based on the user's country using ISO 3166 country codes. For example, Vietnam is VN and Singapore is SG.
IP Address Restrictions
Specific IP addresses or IP ranges can have restricted access policies using CIDR notation or network classes.
![Figure Needed] Screenshot showing access control policy configuration with geographic and IP restrictions
Policy Configuration Methods
Whitelist and Blacklist Policies
Access control uses whitelist and blacklist approaches:
- Whitelist: Users within the whitelist are allowed to access resources
- Blacklist: Users matching blacklist criteria are denied resource access
![Figure Needed] Screenshot showing whitelist and blacklist policy configuration options
Default Access Behavior
By default, the CDN allows all access. To implement restrictions, create policies as follows:
- Selective Blocking: Create blacklist policies to block access from specific sources
- Restrictive Access: Create a blacklist policy to block all access, then create whitelist policies to allow specific sources
Policy Application Rules
URL Pattern Matching
Policies are named and applied to resources based on URLs using:
- Prefix Matching: Match URLs starting with specified path
- Suffix Matching: Match URLs ending with specified extension
- Regular Expression Matching: Complex pattern matching for advanced scenarios
Geographic Restrictions
- Use ISO 3166 country codes for geographic policies
- Reference country codes at: ISO Country Codes
- Geographic restrictions apply to all requests from specified countries
IP Address Policies
- Specify individual IP addresses, e.g. 192.168.1.100
- Define IP ranges using CIDR notation, e.g. 192.168.1.0/24
- Use network classes for broader ranges
Policy Precedence Rules
Priority Order
When more than one policy matches a request, the system decides in this order:
- IP Address Policies: A matching IP policy takes precedence over any geographic policy
- Longest Prefix Match: Among matching policies, the one whose URL prefix is longest wins
- Smallest Subnet: If the URL prefixes are equally long, the policy with the smallest (most specific) IP subnet is selected
- Geographic Policies: Applied only when no IP policy matches
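The following is an added example, not code from the CDN itself, that evaluates a request against the documented precedence order (IP policies before geographic ones, longest URL prefix, then smallest subnet, default allow). The Policy class, the evaluate() helper, the tie-break for equal keys and the sample policy set are assumptions for this illustration; the addresses are RFC 5737 documentation ranges.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from dataclasses import dataclass

# Added illustration of the documented precedence rules. The Policy class,
# evaluate() and SAMPLE_POLICIES are assumptions for this example, not the
# CDN's own API or configuration format.


@dataclass
class Policy:
    name: str
    action: str                      # "allow" (whitelist) or "deny" (blacklist)
    match_type: str                  # "prefix", "suffix" or "regex" on the URL path
    pattern: str
    countries: Tuple[str, ...] = ()  # ISO 3166 alpha-2 codes, e.g. ("VN", "SG")
    networks: Tuple[str, ...] = ()   # CIDR strings, e.g. ("192.168.1.0/24",)

    def matches_url(self, path: str) -> bool:
        if self.match_type == "prefix":
            return path.startswith(self.pattern)
        if self.match_type == "suffix":
            return path.endswith(self.pattern)
        if self.match_type == "regex":
            return re.search(self.pattern, path) is not None
        raise ValueError(f"unknown match type {self.match_type!r}")

    def url_prefix_len(self) -> int:
        # Only prefix policies contribute a URL prefix length to the tie-break.
        return len(self.pattern) if self.match_type == "prefix" else 0


def evaluate(policies: List[Policy], path: str, client_ip: str,
             country: str) -> Tuple[str, Optional[str]]:
    """Return (action, policy_name); action is "allow" or "deny"."""
    ip = ipaddress.ip_address(client_ip)
    applicable = [p for p in policies if p.matches_url(path)]

    # 1. IP address policies take precedence over geographic ones. Among the
    #    IP policies that match, rank by longest URL prefix, then by smallest
    #    subnet (largest CIDR prefix length). Exact ties keep the first-listed
    #    policy (an assumption; the page does not define tie behaviour).
    best_key = None
    best: Optional[Policy] = None
    for p in applicable:
        for cidr in p.networks:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip not in net:            # also False when IPv4/IPv6 versions differ
                continue
            key = (p.url_prefix_len(), net.prefixlen)
            if best_key is None or key > best_key:
                best_key, best = key, p
    if best is not None:
        return best.action, best.name

    # 2. Geographic policies are applied only when no IP policy matched.
    for p in applicable:
        if country.upper() in p.countries:
            return p.action, p.name

    # 3. Default behaviour: the CDN allows all access.
    return "allow", None


# "Restrictive access" pattern from the page: a blacklist that blocks everything
# under /premium/, plus a whitelist for one office network. The /24 outranks
# 0.0.0.0/0 because it is the smaller subnet. Constructed sample policies.
SAMPLE_POLICIES = [
    Policy("block-all-premium", "deny", "prefix", "/premium/", networks=("0.0.0.0/0",)),
    Policy("office-allow", "allow", "prefix", "/premium/", networks=("203.0.113.0/24",)),
    Policy("geo-deny-mp4", "deny", "suffix", ".mp4", countries=("VN",)),
]

if __name__ == "__main__":
    for req in [("/premium/video.mp4", "203.0.113.7", "VN"),
                ("/premium/video.mp4", "198.51.100.9", "SG"),
                ("/public/clip.mp4", "198.51.100.9", "VN"),
                ("/public/clip.mp4", "198.51.100.9", "SG")]:
        print(req, "->", evaluate(SAMPLE_POLICIES, *req))
```

Two points the walk-through makes visible: an office request from Vietnam is allowed because the IP whitelist outranks the geographic blacklist, and a "block all" policy written as 0.0.0.0/0 does not match IPv6 clients at all, so a restrictive setup needs ::/0 (or an equivalent) as well, or the default-allow behaviour applies to them.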
Policy Synchronization
Policy changes may take up to 10 minutes to synchronize across all CDN servers. Test policies from multiple locations to ensure proper implementation.
Token-Based Access Control
Token access requires a valid token string for resource access: a keyed hash (HMAC) of the request path and query that is appended to the URL. Because the hash is computed with a secret only the CDN and the link generator know, it cannot be forged by clients, and it provides time-limited and optionally IP-restricted content delivery.
![Figure Needed] Screenshot showing token generation interface
Token Generation
- Generate tokens by clicking the "+" button in the admin panel
- Token information is only displayed when the admin panel is accessed via HTTPS
- Store the token value (the shared secret used to sign links) securely; it is needed for link generation and must never be exposed to clients
Token Implementation
Time-Limited Access
Tokens support time-based access control using:
- stime: Start time of validity
- etime: Expiration time
- Format: yyyymmddHHMMSS in UTC (e.g. 20240801010000)
IP-Restricted Access
Add an IP restriction by including &ip=1.1.1.1 in the URL before the signature is computed; the token then validates only for requests from that address (if the ip field were outside the signed string, a client could simply change it).
Token URL Structure
Original URL Example
http://www.example.com/path/to/resource?clientId=12345&product=A123&other=xyz
Token Implementation Steps
Step 1: Remove protocol and domain name:
/path/to/resource?clientId=12345&product=A123&other=xyz
Step 2: Add validity period fields:
/path/to/resource?clientId=12345&product=A123&other=xyz&stime=20081201060100&etime=20081201183000
Step 3: Generate and append the signature:
- Compute HMAC-SHA1 over the Step 2 string using the secret key
- Take the first 20 characters of the hash and prepend 0
- Append the result as the encoded parameter:
/path/to/resource?clientId=12345&product=A123&other=xyz&stime=20081201060100&etime=20081201183000&encoded=0<first20chars-of-hash>
Final Token URL
http://www.example.com/path/to/resource?clientId=12345&product=A123&other=xyz&stime=20081201060100&etime=20081201183000&encoded=0<first20chars-of-hash>
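The three steps carried through end to end, as an added example that is not the CDN's own code: a link generator for the origin side and the matching check an edge server would perform. The secret, the helper names, the assumption that "first 20 characters of the hash" means the hex digest, and the constructed client addresses are assumptions for this illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Added worked example of the token scheme. SECRET, the helper names and the
# use of the hex digest are assumptions, not the CDN's own implementation.

TIME_FMT = "%Y%m%d%H%M%S"   # yyyymmddHHMMSS, interpreted as UTC


def utc(stamp: str) -> datetime:
    """Parse a stime/etime value as a UTC datetime (raises ValueError if malformed)."""
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)


def sign(path_and_query: str, secret: bytes) -> str:
    """Step 3: HMAC-SHA1 over the Step 2 string, first 20 hex chars, prefixed with 0."""
    digest = hmac.new(secret, path_and_query.encode("utf-8"), hashlib.sha1).hexdigest()
    return "0" + digest[:20]


def strip_origin(url: str) -> str:
    """Step 1: drop protocol and domain, keep path and query exactly as served."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def make_token_url(url: str, secret: bytes, stime: str, etime: str,
                   ip: Optional[str] = None) -> str:
    """Steps 1-3: build the final token URL handed to a client."""
    parts = urlsplit(url)
    signed = strip_origin(url)
    signed += ("&" if parts.query else "?") + f"stime={stime}&etime={etime}"
    if ip:
        signed += f"&ip={ip}"   # IP restriction must sit inside the signed string
    return f"{parts.scheme}://{parts.netloc}{signed}&encoded={sign(signed, secret)}"


def validate(path_and_query: str, secret: bytes, client_ip: str, now: datetime) -> int:
    """Edge-side check; returns the HTTP status to send (200, or 403 Forbidden)."""
    marker = "&encoded="
    idx = path_and_query.rfind(marker)
    if idx < 0:
        return 403                          # no token present at all
    signed, presented = path_and_query[:idx], path_and_query[idx + len(marker):]
    # Recompute over the exact bytes the client sent and compare in constant
    # time; any change to the path or query (including stime/etime/ip) fails.
    if not hmac.compare_digest(presented, sign(signed, secret)):
        return 403
    params = dict(parse_qsl(urlsplit(signed).query))
    try:
        stime, etime = utc(params["stime"]), utc(params["etime"])
    except (KeyError, ValueError):
        return 403                          # missing or malformed validity window
    if not stime <= now <= etime:
        return 403                          # outside the validity window
    if "ip" in params and params["ip"] != client_ip:
        return 403                          # token bound to a different client IP
    return 200


# Constructed inputs: the page's example URL, a made-up secret and a
# documentation-range client address.
SECRET = b"replace-with-token-from-admin-panel"
ORIGINAL_URL = "http://www.example.com/path/to/resource?clientId=12345&product=A123&other=xyz"
TOKEN_URL = make_token_url(ORIGINAL_URL, SECRET, "20081201060100", "20081201183000",
                           ip="198.51.100.7")

if __name__ == "__main__":
    print(TOKEN_URL)
    at = utc("20081201120000")
    print(validate(strip_origin(TOKEN_URL), SECRET, "198.51.100.7", at))   # within window, right IP
    print(validate(strip_origin(TOKEN_URL), SECRET, "203.0.113.1", at))    # wrong client IP
```

Two practical consequences of the scheme are worth keeping in mind. The signed string is compared byte for byte, so the generator must produce exactly the path and query the edge will see (same parameter order, same percent-encoding), and stime/etime must be generated in UTC to match the CDN's interpretation. The truncated hash still leaves 80 bits of MAC, which is ample against forgery, but the secret itself is the whole defence: rotate it through the admin panel if it leaks, because every link signed with it remains valid until its etime.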
Token Authentication Behavior
Users attempting to access resources without valid tokens receive:
- HTTP Status: 403 Forbidden
- Message: "Forbidden" error in browser
Testing and Validation
Policy Testing
If you cannot test a policy from a location it affects:
- Add temporary access control policies affecting your IP address
- Test policy effectiveness from multiple geographic locations
- Remove test policies after validation
Troubleshooting
- Verify country codes are correct ISO 3166 format
- Confirm IP ranges use proper CIDR notation
- Allow synchronization time for policy changes
- Test token generation and validation processes