The URL authentication feature protects origin server resources from unauthorized downloads and access. Dynamic Route for CDN (DCDN) provides you with three authentication types. This topic describes how authentication type A works and provides an example.

How it works

A signed URL has the following format:
http://DomainName/Filename?auth_key=timestamp-rand-uid-md5hash
The following table describes the fields in a signed URL.
| Field | Description |
| --- | --- |
| DomainName | The domain name of the DCDN node. |
| Filename | The actual URL that points to the requested resource on the origin server. The Filename field must start with a forward slash (/). |
| auth_key | The cryptographic key that you have set. |
| timestamp | The time when the URL expires. The time is a positive integer that is 10 digits in length. The value equals the number of seconds that have elapsed since 00:00:00 Thursday, 1 January 1970 plus the time-to-live (TTL) value of the URL. The TTL value is set by the client. If it is set to 1,800 seconds, authentication fails if the difference between the time the origin server is accessed and the preset access time is greater than 1,800 seconds. For example, if you set the access time to 2020-08-15 15:00:00, the request URL will expire at 2020-08-15 15:30:00. |
| rand | The random number. The number cannot contain hyphens (-). For example, 477b3bbc253f467b8def6711128c7bec. We recommend that you use a UUID. |
| uid | The user ID. Set this field to 0. |
| md5hash | The string calculated by using the MD5 algorithm. It must be 32 characters in length, and can contain digits and lowercase letters. |

When a DCDN node receives a request, it determines whether the timestamp in the request is earlier than the current time.
  • If the timestamp is earlier than the current time, the DCDN node determines that the URL has expired and returns a 403 error.
  • If the timestamp is later than the current time, the DCDN node constructs a string in the same format as the following sstring. The DCDN node calculates Hashvalue by using the MD5 algorithm and then compares Hashvalue with the md5hash contained in the request.
    • If they are the same, authentication succeeds. The DCDN node returns the requested resource.
    • If they are different, authentication fails. The DCDN node returns a 403 error.
    The Hashvalue is calculated based on the following string:
    sstring = "URI-Timestamp-rand-uid-PrivateKey"
    Hashvalue = md5sum(sstring)
    URI is the address that points to the requested resource, that is, the Filename part of the URL. It does not contain parameters.

Example

The following example shows how to implement type-A authentication.
  1. Request the resource through req_auth.
    http://cdn.example.com/video/standard/1K.html
  2. Set the key to aliyuncdnexp1234.
  3. Set the expiration time of the authentication configuration file to October 10, 2015 00:00:00. The calculated number of seconds is 1444435200.
  4. The DCDN node constructs a signature string to calculate Hashvalue.
    /video/standard/1K.html-1444435200-0-0-aliyuncdnexp1234
  5. The DCDN node calculates Hashvalue based on the signature string.
    Hashvalue = md5sum("/video/standard/1K.html-1444435200-0-0-aliyuncdnexp1234") = 80cd3862d699b7118eed99103f2a3a4f
  6. Sign the request URL by appending the auth_key parameter.
    http://cdn.example.com/video/standard/1K.html?auth_key=1444435200-0-0-80cd3862d699b7118eed99103f2a3a4f

If the Hashvalue calculated by the DCDN node is the same as the md5hash contained in the request (both are 80cd3862d699b7118eed99103f2a3a4f), the request passes authentication. Otherwise, authentication fails.
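
The signing step and the node-side check described above, as an added Python example (not Alibaba Cloud's code). The function names sign_url and check_url are hypothetical. Returning 403 for a missing or malformed auth_key and treating a timestamp equal to the current time as still valid are assumptions, since the page only covers the earlier and later cases.

```python
import hashlib
import hmac
import re
import uuid
from urllib.parse import parse_qs, urlsplit

# auth_key layout from the page: timestamp-rand-uid-md5hash
AUTH_KEY_RE = re.compile(r"([0-9]{10})-([^-]+)-([^-]+)-([0-9a-f]{32})")


def _md5hash(path, timestamp, rand, uid, private_key):
    # sstring = "URI-Timestamp-rand-uid-PrivateKey"; URI is the path only.
    sstring = f"{path}-{timestamp}-{rand}-{uid}-{private_key}"
    return hashlib.md5(sstring.encode("utf-8")).hexdigest()


def sign_url(url, private_key, expires_at, rand=None, uid="0"):
    """Client side: append auth_key to a URL that has no query string."""
    parts = urlsplit(url)
    rand = uuid.uuid4().hex if rand is None else rand  # UUID without hyphens
    bad_url = not parts.path.startswith("/") or parts.query or parts.fragment
    if bad_url or "-" in rand:
        raise ValueError("need a /path, no query/fragment, and no '-' in rand")
    digest = _md5hash(parts.path, expires_at, rand, uid, private_key)
    return f"{url}?auth_key={expires_at}-{rand}-{uid}-{digest}"


def check_url(url, private_key, now):
    """Node side: return 200 or 403 following the decision steps above."""
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("auth_key", [])
    match = AUTH_KEY_RE.fullmatch(values[0]) if len(values) == 1 else None
    if match is None:
        return 403  # assumption: missing, repeated or malformed auth_key
    timestamp, rand, uid, md5hash = match.groups()
    if int(timestamp) < now:  # assumption: timestamp == now is still valid
        return 403  # URL has expired
    expected = _md5hash(parts.path, timestamp, rand, uid, private_key)
    # Constant-time comparison so the check does not leak matching prefixes.
    return 200 if hmac.compare_digest(expected, md5hash) else 403


if __name__ == "__main__":
    # Key, path and expiration time taken from the example on this page.
    key, expiry = "aliyuncdnexp1234", 1444435200
    url = "http://cdn.example.com/video/standard/1K.html"
    signed = sign_url(url, key, expiry, rand="0")
    print(signed)
    print(check_url(signed, key, now=expiry - 60))  # before expiry
    print(check_url(signed, key, now=expiry + 60))  # after expiry
    print(check_url(signed.replace("1K", "2K"), key, now=expiry - 60))
```

Because the path is part of the hashed string, an auth_key copied onto a different path fails the check, as does an edited timestamp.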