The URL authentication feature protects resources on origin servers from unauthorized access and downloads. Dynamic Route for CDN (DCDN) provides you with three authentication types. This topic describes how authentication type C works and provides an example.

How it works

Encrypted URLs can have the following formats:
  • Format 1
    http://DomainName/{<md5hash>/<timestamp>}/FileName
  • Format 2
    http://DomainName/FileName{&KEY1=<md5hash>&KEY2=<timestamp>}
Note: The content enclosed in braces ({}) is the encrypted information that is added to the standard URL.
The following table describes the fields in an encrypted URL.
| Field | Description |
| --- | --- |
| DomainName | The domain name of the DCDN node. |
| FileName | The actual URL that points to the requested resource on the origin server. The FileName field must start with a forward slash (/). |
| timestamp | The time when the origin server is accessed. The time must be in the UNIX format. It is an unencrypted plaintext string that is 10 digits in length. It indicates the number of seconds that have elapsed since 00:00:00 Thursday, 1 January 1970, expressed in hexadecimal format. |
| md5hash | The string calculated by using the MD5 algorithm. It must be 32 characters in length and can contain digits and lowercase letters. |

Example

The following example shows how to implement type-C authentication.
  • Set the value of the PrivateKey field to aliyuncdnexp1234.
  • Set the value of the FileName field to /test.flv.
  • Set the value of the timestamp field to 55CE8100.
  • Calculate the MD5 hash value as follows:
    md5hash = md5sum(aliyuncdnexp1234/test.flv55CE8100) = a37fa50a5fb8f71214b1e7c95ec7a1bd
  • The following encrypted URLs may be generated:
    • Format 1:
      http://cdn.example.com/a37fa50a5fb8f71214b1e7c95ec7a1bd/55CE8100/test.flv
    • Format 2:
      http://cdn.example.com/test.flv?KEY1=a37fa50a5fb8f71214b1e7c95ec7a1bd&KEY2=55CE8100
When a client uses the encrypted URL to access a DCDN node, the DCDN node extracts encrypted string 1 and obtains FileName and access time of the original URL. The DCDN node performs the following steps to validate the request based on the defined business logic:
  1. The DCDN node uses FileName, access time, and PrivateKey of the original URL to calculate an MD5 hash. The result is string 2.
  2. The DCDN node compares string 1 and string 2. If the two strings are different, the request is rejected.
  3. The DCDN node checks whether the difference between its current time and the time in the original URL exceeds the time-to-live (TTL) value. The default TTL value is 1,800 seconds.
    • If the time difference is less than the TTL value, the DCDN node returns a successful response.
    • If the time difference is greater than the TTL value, the DCDN node rejects the request and returns a 403 error.
    Note: The TTL value of 1,800 seconds indicates that a request fails authentication when the difference between the time you access the origin server and the preset access time in the URL is greater than 1,800 seconds. For example, if you set the access time to 2020-08-15 15:00:00, the request URL will expire at 2020-08-15 15:30:00.
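The following Python sketch is an added example, not DCDN's own code. It builds a type-C URL in either format and then repeats the three validation steps above. It assumes the literal parameter names KEY1 and KEY2 from the example, a FileName without its own query string, and a caller-supplied current time; the function names are hypothetical.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

TTL = 1800  # default TTL stated on the page, in seconds
PATH_RE = re.compile(r"^/([0-9a-f]{32})/([0-9A-Fa-f]{1,8})(/.*)$")  # Format 1
# Sample values taken from the page's example.
KEY, FILE, TS = "aliyuncdnexp1234", "/test.flv", 0x55CE8100

def md5hash(private_key, file_name, ts_hex):
    """MD5 over PrivateKey + FileName + timestamp, concatenated as on the page."""
    return hashlib.md5((private_key + file_name + ts_hex).encode()).hexdigest()

def sign(domain, file_name, private_key, ts, fmt=1):
    """Build a type-C URL; ts is UNIX seconds, written as upper-case hex."""
    ts_hex = format(ts, "X")
    digest = md5hash(private_key, file_name, ts_hex)
    if fmt == 1:
        return f"http://{domain}/{digest}/{ts_hex}{file_name}"
    return f"http://{domain}{file_name}?KEY1={digest}&KEY2={ts_hex}"

def verify(url, private_key, now, ttl=TTL):
    """Return True if the URL passes all three checks, False for a rejection."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    match = PATH_RE.match(parts.path)
    if "KEY1" in query and "KEY2" in query:      # Format 2
        string1, ts_hex, file_name = query["KEY1"][0], query["KEY2"][0], parts.path
    elif match:                                  # Format 1
        string1, ts_hex, file_name = match.groups()
    else:
        return False                             # no authentication fields at all
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", ts_hex):
        return False                             # malformed timestamp
    # Step 1: recompute string 2 from FileName, access time and PrivateKey.
    string2 = md5hash(private_key, file_name, ts_hex)
    # Step 2: compare in constant time so timing does not reveal a partial match.
    if not hmac.compare_digest(string1.encode(), string2.encode()):
        return False
    # Step 3: reject once the access time is more than ttl seconds in the past.
    # The page does not define the case of exactly ttl; this sketch accepts it.
    return now - int(ts_hex, 16) <= ttl
```

Because the timestamp is part of the hashed string, changing KEY2 or the path segment to extend a URL's lifetime makes step 2 fail before the TTL check is reached.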