Alibaba Cloud Video-on-Demand (VOD) Service Access: Hotlink Protection (Anti-theft Chain) and Smooth Online Playback

cloud 2026-05-28

For video projects, the biggest headache is not writing the front-end player but two very practical operations problems:

Bandwidth cost and stuttering: video files are often tens of megabytes. If they are served directly from your own server, playback stutters as soon as several people watch at the same time, and the monthly public network traffic bill has no ceiling.

Hotlinking and traffic theft: some competitors or malicious users right-click to copy the video playback link from your web page and post it on their own website, freeloading on your resources. The bandwidth you paid for ends up serving someone else's visitors.

In the cloud-native era, the safest solution is to host the video on Aliyun's Video on Demand (VOD) service.

Today's tutorial skips the abstract theory and goes straight to hands-on practice: set up accelerated playback of the video stream and two lines of defense, Referer hotlink protection (anti-theft chain) and URL authentication, to lock down your video assets completely.

Core architecture: How does video-on-demand work?

Before starting, take 10 seconds to understand the core VOD pipeline:

[Background Upload Video] -> [VOD Automatic Transcoding] -> [Slice Storage in OSS] -> [Distribute to CDN Edge Node]

[User Browser] <- 3. Get the secure URL and decode it in the player - [Calculate the authentication URL at the back end] <- 1. Initiate a playback request

Simply put, the video is not played directly from the original file. VOD automatically splits and transcodes your video into standard stream files at different definitions, and then pushes them to CDN (Content Delivery Network) nodes across the country. When users play a video, they pull it from the nearest CDN cache, which is fast and uses none of your own server bandwidth.

Step 1: Console Basic Configuration (3 minutes)

A newly purchased service is a blank slate. We need to configure the domain name and the transcoding policy first.

1. Bind a distribution domain name

ApsaraVideo for VOD must bind your own domain name (which requires an ICP filing) as the "video playback domain name". Alibaba Cloud's default test domain name cannot be used.

Log on to the Alibaba Cloud console and search for "VOD".

In the left-side navigation pane, click "Configuration Management" → "Distribution Acceleration Configuration" → "Domain Name Management".

Click "Add Domain Name", select "On-Demand Acceleration" for the business type, and enter your subdomain name (such as video.yourname.com).

After the domain name is created, Aliyun gives you a CNAME address. Take this address to your DNS management console (such as Aliyun DNS) and add a CNAME record. CDN acceleration only works once the resolution takes effect.

2. Configure transcoding templates (the key to smooth playback)

The original video (such as an MP4 recorded on a mobile phone) is large and its bitrate is not fixed, so it stutters easily on a poor network. We need the system to slice it automatically and reduce its size.

In the left-side navigation pane, go to "Global Settings" → "Transcoding Template Group".

Click "Add Transcoding Template Group".

Encapsulation format: HLS (M3U8) is strongly recommended.

💡 Why choose HLS/M3U8? MP4 playback has to wait until part of the file's index has downloaded, whereas HLS cuts the video into many small slices of 10 seconds. The player downloads only as much as it needs, so playback starts within seconds, fast-forward and retry are smooth, and the definition can switch automatically according to the network.

Select the definitions you need (e.g. SD, high-performance HD) and click Save.

Step 2: Set up two lines of hotlink protection (2 minutes)

With the domain name configured, put security measures in place immediately. Without hotlink protection, once your playback domain name is exposed, anyone can run up your traffic bill directly.

The first line of defense: Referer hotlink protection (stops casual users)

It works by checking "who is requesting this video". If the request comes from Baidu or someone else's small website, it is rejected outright.

In the "Domain Name Management" list, click "Configure" on the right side of the playback domain name you just bound.

Click "Access Control" on the left, find "Referer Anti-Theft Chain" and click "Modify".

Type: Select "Whitelist".

Referer List: Enter your own website domain name, one by one, for example:

Allow Empty Referer: If your video is to be embedded in a mobile phone APP, or if users are allowed to open it directly in the browser address bar, check "Yes"; If you strictly restrict viewing only in your own web page, you must check "No".

The second line of defense: URL authentication (stops skilled attackers: the core safeguard)

The Referer can easily be faked by modifying the HTTP header. To lock down the video completely, you must enable URL authentication.

Once it is enabled, the real playback address of the video is followed by a signed string (such as ?auth_key=timestamp-random number-MD5). This string is computed dynamically by your own back-end server when the user clicks play, and is usually valid for only 30 minutes. After it expires, an attacker cannot play the video even with the entire link.

On the Access Control page of the domain name, switch to the URL Authentication tab.

Click "Modify" and change the status to "Open".

Primary key/Standby key: Enter a long random string (such as MySecretKey2026) and click Save. Remember this key; it is the one our code will use later.

The default effective time is set to 1800 seconds (30 minutes).

Step 3: Back-end Spring Boot dynamically generates an authentication URL (3 minutes)

Now we want the back end to compute a time-limited secure playback link with the "primary key" configured above whenever the user clicks a video on the front end.

1. Introduce dependencies

Add the following utility dependencies to your Spring Boot project:

<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-lang3</artifactId>
    <version>3.12.0</version>
</dependency>

<dependency>
    <groupId>commons-codec</groupId>
    <artifactId>commons-codec</artifactId>
    <version>1.15</version>
</dependency>

2. Write an authentication algorithm tool class

There is no need to pull in the heavy official SDK. Aliyun's URL authentication scheme A is essentially a standard MD5 signature algorithm. Copy the following code, which I have simplified for you:
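As an added example (not the author's tool class and not Alibaba Cloud's code), this shows the back end signing a playback URL and a model of the check the CDN performs on it. It assumes the four-field type A layout auth_key=timestamp-rand-uid-md5 with uid fixed to 0 and md5 = MD5(path-timestamp-rand-uid-key), and that a link expires at timestamp plus the configured validity period; the class name, the VOD_AUTH_KEY environment variable and the sample path are hypothetical.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.UUID;

public class VodAuthUrl {
    // Hex MD5 of a UTF-8 string, JDK only.
    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        return String.format("%032x", new BigInteger(1, d));
    }

    // Back end: sign one path. Assumed layout: auth_key=timestamp-rand-uid-md5,
    // md5 = MD5(path-timestamp-rand-uid-key), uid fixed to "0".
    static String sign(String host, String path, String key, long ts, String rand) throws Exception {
        String fields = ts + "-" + rand + "-0";
        return "https://" + host + path + "?auth_key=" + fields + "-"
                + md5Hex(path + "-" + fields + "-" + key);
    }

    // Model of the edge-side check: recompute the hash and enforce the validity window.
    static boolean verify(String path, String authKey, String key, long now, long ttl) throws Exception {
        String[] p = authKey.split("-");
        if (p.length != 4) return false;                 // malformed auth_key
        long ts;
        try { ts = Long.parseLong(p[0]); } catch (NumberFormatException e) { return false; }
        if (now > ts + ttl) return false;                // link has expired
        String expected = md5Hex(path + "-" + p[0] + "-" + p[1] + "-" + p[2] + "-" + key);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     p[3].getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Key comes from the environment; the fallback is the sample key from the console step.
        String key = System.getenv().getOrDefault("VOD_AUTH_KEY", "MySecretKey2026");
        String path = "/demo/sample.m3u8";               // constructed sample path
        long now = System.currentTimeMillis() / 1000;
        String rand = UUID.randomUUID().toString().replace("-", ""); // "-" is the field separator
        String url = sign("video.yourname.com", path, key, now, rand);
        String authKey = url.substring(url.indexOf("auth_key=") + 9);
        System.out.println(url);
        System.out.println("fresh link:      " + verify(path, authKey, key, now, 1800));
        System.out.println("after 31 min:    " + verify(path, authKey, key, now + 1860, 1800));
        System.out.println("other file path: " + verify("/demo/other.m3u8", authKey, key, now, 1800));
    }
}
```

Because the path is part of the hashed string, a signature issued for one file does not validate for another, and the 1800-second window matches the validity period set in the console.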

Step 3: Implement the front-end Vue countdown component (1 minute)

With the backend sorted, on the frontend we need to prevent users from repeatedly clicking the “Send” button by implementing a standard 60-second countdown.

Taking Vue 3 (Composition API) with Axios as an example, here’s the most straightforward code:

<template>
  <div class="sms-box">
    <input type="text" v-model="phone" placeholder="Enter your mobile number" />
    <button :disabled="isCounting" @click="handleSend">
      {{ isCounting ? `${countdown} seconds until retry` : 'Get verification code' }}
    </button>
  </div>
</template>

<script setup>
import { ref } from 'vue';
import axios from 'axios';

const phone = ref('');
const countdown = ref(60);
const isCounting = ref(false);
let timer = null;

const handleSend = async () => {
  // Reject input that does not match the mobile number pattern
  if (!/^1[3-9]\d{9}$/.test(phone.value)) {
    alert('Please enter a valid mobile phone number');
    return;
  }
  try {
    // Call the backend API
    const res = await axios.post(`/api/sms/send?phone=${phone.value}`);
    alert(res.data);
    // Activate the countdown
    startCountdown();
  } catch (error) {
    alert(error.response?.data || 'Request failed');
  }
};

const startCountdown = () => {
  isCounting.value = true;
  countdown.value = 60;
  // Tick once per second until the counter reaches zero
  timer = setInterval(() => {
    countdown.value--;
    if (countdown.value <= 0) {
      clearInterval(timer);
      isCounting.value = false;
    }
  }, 1000);
};
</script>

A Guide to Avoiding Pitfalls in Production Environments (Operations‑Level Lessons Learned the Hard Way)

Beware of hackers “SMS bombing” your API! As soon as the API goes live, attackers will use automated scripts to flood your /api/sms/send endpoint with tens of thousands of random phone numbers. It can drain your Alibaba Cloud account balance in a single night. Iron‑clad Defense: In addition to implementing a 60‑second countdown on the frontend and using Redis on the backend to limit the frequency of SMS requests per phone number to once every 60 seconds, the SMS‑sending API must also enforce either a CAPTCHA or a human‑verification slider. The backend only sends a text message for valid requests that successfully complete the puzzle.

The "frequency limit" that makes Alibaba Cloud report an error. Alibaba Cloud SMS has a flow control and anti-abuse mechanism (for the same phone number, no more than 1 message in 1 minute, no more than 5 in 1 hour, and no more than 10 in 1 day). If you’re frantically sending yourself test SMS messages locally and suddenly encounter the error “isv.BUSINESS_LIMIT_CONTROL,” don’t panic: your code isn’t broken. You’ve been rate‑limited by Alibaba Cloud, but the restriction will be automatically lifted tomorrow.

Once this end-to-end, full‑stack process is completed, your microservices application will officially be equipped with compliant and secure short‑message notification capabilities. Hurry up and deploy it—give it a try!
