# Access Control

When you need to restrict access to CDN resources, you can learn how to configure and what to be aware of from this article.

## Referer Anti-Theft Chain

You can identify and control user requests by configuring a Referer anti-theft chain blacklist and whitelist, which enhances the security of the acceleration domain name and prevents malicious users from stealing chains.

* The Referer anti-theft chain identifies and judges based on the value of the <strong>referer </strong> field in the HTTP Request Header. According to the policy set by the user, access user filtering is performed.
* Currently, the Referer anti-theft chain is divided into two mechanisms, blacklist and whitelist. It is not enabled by default.
* Whether to allow resource access with an empty Referer field can be set, i.e., direct resource URL access through the browser address bar is allowed.
* Up to 100 can be set, multiple are separated by carriage return; regular expressions are not supported; when referer is a wildcard domain, please start with *., for example: *.example2.com, including any matched host header and empty host header.

Referer Anti-Theft Chain

<!-- image-todo -->

<!-- image-todo -->


## IP Blacklist

You can identify and control user requests by configuring IP blacklists, enhancing the security of the acceleration domain name and preventing malicious user access.

* IP blacklist, IPs within the blacklist cannot access resources, by default, the blacklist is empty.
* Supports adding IP ranges, such as 10.0.0.1/24. Note: IP range blocking only supports /24 and above, for example, blocking ranges of 10.0.0.0/8 or 10.0.0.0/20 will not take effect.

IP Blacklist

<!-- image-todo -->

<!-- image-todo -->


## MD5 Anti-Theft Chain

You can prevent your site's resources from being misused by illegal users by configuring MD5 anti-theft chain, thus avoiding the sharp increase in bandwidth and cost due to theft.

MD5 anti-theft chain cannot be configured through the console at the moment. Configuration requires secret keys and expiration times. Please contact architects or technical support for configuration.

Configuration instructions：

```
k = md5(secret key + file URI + expiration time t)

1、k：Parameter name in the URL, md5(string), the string generated by md5 is 32 bits.

2、t：Expiration time, for example, if the current time is 2012-04-23 16:20:00, and the valid duration is set to 2 hours, then the expiration time is 2012-04-23 18:20:00, converted to seconds based on 1970, it is 1335176400, which is the value of parameter t.

3. Secret key: user provides secret key string.

Example： URL：http://tysxtest.ufile.abc.com.cn/test/3e2_teacher_720p.mp4

Secret key： whaty321；

Expiration time：2 hours. For example, expires at 2019-07-01 12:00, after conversion t=1561953600；

k=md5(whaty321/test/3e2_teacher_720p.mp41561953600)=1100bda530528404109eaa80bd9fb9d8

URL with added anti-theft chain: http://tysxtest.ufile.abc.com.cn/test/3e2_teacher_720p.mp4?k=1100bda530528404109eaa80bd9fb9d8&t=1561953600
```

The URL using anti-theft chain can be accessed normally, if the value of k does not match, the access will fail, if the check finds the time t has exceeded the valid duration, the check will fail as well.

## Operation steps：

1.Enter the UCDN product console and select the domain name to be configured on the <strong>Domain Management</strong> page.

<!-- image-todo -->

2.Enter the domain configuration details page, select <strong>Domain Configuration</strong> → <strong>Basic Settings</strong> → <strong>Access Control</strong>, and make the related configurations.

<!-- image-todo -->

3.Enable configurations like Referer Anti-Theft Chain, IP Blacklist.

> After finishing the configuration, you must click on <strong>**Confirm configuration**</strong> to successfully modify the configuration.
>
><!-- image-todo -->