The URL signing feature protects the content uploaded to ApsaraVideo Live from unauthorized downloads and hotlinking. You can configure URL signing in the ApsaraVideo Live console. This topic describes the URL signing feature, how the feature works, how to configure this feature, and the usage notes.

Background information

To prevent hotlinking, you can configure a Referer blacklist or whitelist to identify and filter users and protect the security of origin resources. However, the Referer content can be forged. Therefore, the URL signing feature is a more effective method to protect the security of origin resources.

Overview

CDN nodes for ApsaraVideo Live work with the origin server to implement URL signing. URL signing protects resources on the origin server in a more secure and reliable manner.

  1. The origin server provides a user with a signed URL that contains permission verification information.
  2. The user sends a request to a CDN node by using the signed URL.
  3. The CDN node verifies the permission information in the signed URL to determine the legality of the request. The CDN node responds to legal requests and rejects illegal requests. This protects the resources on the origin server.
Notice After a request URL is signed by ApsaraVideo Live, special characters such as equal signs (=) and plus signs (+) in the URL are escaped.

Scenario

ApsaraVideo Live provides ingest and streaming URLs for you to ingest and play streams. These URLs are public. Without access control, anyone who obtains them can ingest and play streams, which may incur unexpected charges for you.

In addition, the default cross-domain policy file crossdomain.xml grants access from all domains (domain="*"), as shown in the following example, so it provides no protection on its own. To protect ingest and streaming URLs from unauthorized access, sign the URLs and set an expiration timestamp for them.

<!-- Content of the crossdomain.xml file -->
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

Signed URL

Signed URLs are supported by third-party stream ingest tools and players on PCs and mobile terminals. A signed URL consists of an ingest URL or streaming URL and an access token. Example:

rtmp://DomainName/AppName/StreamName?auth_key=timestamp-rand-uid-md5hash
  • rtmp://DomainName/AppName/StreamName: the ingest URL or streaming URL. For more information, see Ingest and streaming URLs.
  • auth_key=timestamp-rand-uid-md5hash: the access token, in which md5hash is calculated by the MD5 algorithm over the request path, the timestamp, rand, uid, and the authentication key. The access token is valid only for a specific period.
    • Authentication key: a randomly assigned key. You can also specify the key. The authentication key does not expire.
    • Expiration time: the signed URL expires when the time at which a user sends the request is later than the expiration time derived from the timestamp field (the timestamp plus the validity period that is configured in the ApsaraVideo Live console).

      For example, if you set the validity period to 1,800 seconds in the ApsaraVideo Live console and set the timestamp field to 2020-08-15 15:00:00, the signed URL expires at 2020-08-15 15:30:00.

    The following table describes the timestamp, rand, uid, and md5hash fields.

    Field: timestamp
    Description: The UNIX timestamp from which the expiration time of the URL is calculated, that is, the number of seconds that have elapsed since 00:00:00 UTC on January 1, 1970. If you set the validity period to 30 minutes in the ApsaraVideo Live console, the signed URL expires 30 minutes after this timestamp. For example, if you set the timestamp field to 1597474800, which is 2020-08-15 15:00:00 (UTC+8), and set the validity period to 30 minutes, the URL expires at 2020-08-15 15:30:00.

    Field: rand
    Description: A random number, which is typically set to 0. If you want to generate a different URL each time, we recommend that you use a universally unique identifier (UUID) as the random number. The value cannot contain hyphens (-). Example: 477b3bbc253f467b8def6711128c7bec.

    Field: uid
    Description: An additional parameter that is not used. It is typically set to 0.

    Field: md5hash
    Description: The string that is calculated by using the MD5 algorithm. The string is 32 characters in length and consists of digits and lowercase letters. It is calculated as follows:
    sstring = "URI-timestamp-rand-uid-PrivateKey"
    md5hash = md5sum(sstring)
    • URI: the relative path of the requested file, excluding the query parameters. Example: /AppName/StreamName.
    • PrivateKey: the authentication key that is configured in the ApsaraVideo Live console. The primary key or secondary key can be used.
    • md5sum: the function that is used to calculate the MD5 hash value. Use the MD5 hash calculation function that is provided by your development language.

How it works

After URL signing is enabled, the CDN node verifies a request by performing the following operations:

  1. The node checks whether the expiration time of the signed URL (the timestamp field plus the validity period configured in the ApsaraVideo Live console, if any) is earlier than the current time.
    • If it is, the node considers the signed URL expired and returns HTTP status code 403.
    • Otherwise, the node constructs the signature string in the same way as the client. The following code shows how the string is constructed.
  2. The node uses the MD5 algorithm to calculate the hash value of the string, and then compares the hash value with the md5hash field contained in the request.
    • If the two values are the same, the authentication is successful. The node returns the live stream.
    • If the two values are different, the authentication fails. The node returns HTTP status code 403.
The hash value is calculated based on the following formulas:
sstring = "URI-timestamp-rand-uid-PrivateKey" // The URI field specifies the relative path of the requested file, excluding parameters. Example: /AppName/StreamName.
HashValue = md5sum(sstring)
Example
  • Assumption:
    1. Request resources by using req_auth.

      rtmp://live.example.com/video/standard/1K.html

    2. Set the authentication key to aliyunliveexp1234, which is the authentication key configured in the ApsaraVideo Live console. The primary key or secondary key can be used.
    3. Set the expiration time of the signed URL to 00:00:00 October 10, 2015.
    4. Set the rand and uid fields both to 0.
  • Result:
    1. The calculated UNIX timestamp of the signed URL that has the specified expiration time is 1444435200.
    2. The server generates a signature string that is used to calculate the hash value.

      /video/standard/1K.html-1444435200-0-0-aliyunliveexp1234

    3. The server calculates the hash value based on the signature string.

      HashValue = md5sum("/video/standard/1K.html-1444435200-0-0-aliyunliveexp1234") = 80cd3862d699b7118eed99103f2a3a4f

    4. The URL in the request is rtmp://live.example.com/video/standard/1K.html?auth_key=1444435200-0-0-80cd3862d699b7118eed99103f2a3a4f
      Note In the preceding URL, the auth_key field indicates the access token that is contained in the signed URL.
    5. The calculated hash value is 80cd3862d699b7118eed99103f2a3a4f, which is the same as that contained in the request. Therefore, the authentication is successful.
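The following Python script is an added illustration, not code from ApsaraVideo Live's SDKs or sample code. It implements both halves of the scheme described in the Signed URL and How it works sections: a signer that builds "URI-timestamp-rand-uid-PrivateKey", hashes it with MD5 and appends the auth_key token, and a verifier that replays the CDN node's expiration and hash checks (accepting both a primary and a secondary key, as the key switchover in Configuration methods requires). It also demonstrates the point made in the usage notes that an ingest URL and a streaming URL with the same AppName and StreamName receive the same auth_key. The key and the 30-minute validity period are taken from this page; the domain names and the "newkey" secondary key are assumptions for the demonstration.

```python
import hashlib
import hmac
import time
import uuid
from urllib.parse import parse_qs, urlsplit

# Constructed sample values. The key mirrors the worked example on this page and the
# validity period mirrors the console default; domain names below are placeholders.
PRIVATE_KEY = "aliyunliveexp1234"
VALIDITY_PERIOD = 30 * 60  # seconds the console appends to the timestamp


def auth_string(uri, timestamp, rand="0", uid="0", private_key=PRIVATE_KEY):
    """Signature string "URI-timestamp-rand-uid-PrivateKey" (URI = path, no query)."""
    return f"{uri}-{timestamp}-{rand}-{uid}-{private_key}"


def md5hash(uri, timestamp, rand="0", uid="0", private_key=PRIVATE_KEY):
    """32-character lowercase hex MD5 of the signature string."""
    s = auth_string(uri, timestamp, rand, uid, private_key)
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def sign_url(url, expires_at, rand="0", uid="0", private_key=PRIVATE_KEY):
    """Append auth_key=timestamp-rand-uid-md5hash to an unsigned ingest or streaming URL.

    Only the path (for example /AppName/StreamName) enters the hash; an existing
    query string is kept on the URL but is not covered by the signature.
    """
    parts = urlsplit(url)
    digest = md5hash(parts.path, expires_at, rand, uid, private_key)
    token = f"{expires_at}-{rand}-{uid}-{digest}"
    separator = "&" if parts.query else "?"
    return f"{url}{separator}auth_key={token}"


def new_rand():
    """UUID without hyphens, for callers that want a distinct URL per request."""
    return uuid.uuid4().hex


def auth_token(signed_url):
    """Return the auth_key value from a signed URL, or None if it is absent."""
    return parse_qs(urlsplit(signed_url).query).get("auth_key", [None])[0]


def verify_url(signed_url, now=None, validity_period=VALIDITY_PERIOD, keys=(PRIVATE_KEY,)):
    """Replay the CDN node's check. Returns (accepted, reason).

    The URL expires at timestamp + validity_period; validity_period=0 gives the
    literal "timestamp earlier than now" check. Every key in `keys` is tried so the
    primary and the secondary key are both accepted during a key switchover.
    """
    now = int(time.time()) if now is None else now
    token = auth_token(signed_url)
    if token is None:
        return False, "missing auth_key"
    fields = token.split("-")
    if len(fields) != 4 or not fields[0].isdigit():
        return False, "malformed auth_key"
    timestamp, rand, uid, presented = fields
    if int(timestamp) + validity_period < now:
        return False, "expired"  # the node answers HTTP 403 here
    path = urlsplit(signed_url).path
    for key in keys:
        expected = md5hash(path, timestamp, rand, uid, key)
        if hmac.compare_digest(expected, presented):  # constant-time comparison
            return True, "ok"
    return False, "hash mismatch"  # also HTTP 403


if __name__ == "__main__":
    # Reproduce the page's example: expires 2015-10-10 00:00:00 UTC, rand = uid = 0.
    url = sign_url("rtmp://live.example.com/video/standard/1K.html", 1444435200)
    print(url)
    print(verify_url(url, now=1444435200 + 60))
    print(verify_url(url, now=1444435200 + VALIDITY_PERIOD + 1))
```

Because only the path is hashed, changing any query parameter other than auth_key does not invalidate the token, and a token minted for /AppName/StreamName is accepted on any domain that shares the same authentication key. Keep the key confidential and keep validity periods short.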

Configuration methods

In the ApsaraVideo Live console, you can use the default URL signing settings or customize the URL signing settings.
  • In the default URL signing settings, the authentication key is randomly assigned and the validity period is 30 minutes. If the validity period is exceeded, the signed URL expires. For more information, see Use the URL generator.
  • If you do not use the default settings, you can customize the primary authentication key, secondary authentication key, and validity period. Then, you can enter the original URL to generate a signed URL for stream ingest. For more information, see Configure URL signing.
  • After URL signing is enabled, ApsaraVideo Player SDKs and the API or SDKs provided by ApsaraVideo Live to obtain streaming URLs automatically generate streaming URLs with a validity period.
  • The primary and secondary keys are equally effective. The secondary key is used to ensure a smooth switchover.

    If the primary key is changed, all the generated playback URLs that have the original primary key immediately become invalid. When you switch the primary key to the secondary key, the generated playback URLs that use the original primary key remain valid for a period of time. This ensures a smooth switchover.

  • After you specify the default validity period for the required domain name, all URLs that use the domain name have the specified validity period. You can also customize the validity period for a single URL.
    Note If the default validity period is specified, ApsaraVideo Live appends the default validity period to the timestamp to determine the expiration time of a URL.

You can also write code to generate a signed URL.

You can construct an unsigned streaming URL based on the AppName and StreamName parameters in an ingest URL. For example, you can construct the following URL: rtmp://DomainName/AppName/StreamName. Then, generate the signed streaming URL by applying the authentication algorithm in your code. For more information about the authentication algorithm, see Signed URL.

For more information about the sample code that is used to generate a signed URL, see Sample authentication code.

Usage notes

  • By default, URL signing is enabled. We recommend that you keep this feature enabled to prevent illegal recording and distribution. To disable URL signing, make sure that you understand the risk of unauthorized use of your service and agree to Terms for Disabling URL Authentication on the URL Authentication page in the ApsaraVideo Live console.
  • You must calculate the auth_key parameter yourself. ApsaraVideo Live provides no API operation that calculates the auth_key parameter for you.
  • After you enable URL signing, you must add the auth_key parameter to the ingest and streaming URLs. Otherwise, live streams cannot be played. You cannot sign only the ingest URL or the streaming URL. You must sign them both.
  • Signed URLs remain valid before their expiration timestamp. You can access a signed URL anytime before it expires. ApsaraVideo Live does not support one-time signed URLs.
  • The md5hash part of the auth_key parameter is calculated over the URI without the query string. For more information, see the preceding section about the URL signing fields. The URIs of both the ingest URL and the streaming URL are /AppName/StreamName, so the auth_key values for the ingest URL and the streaming URL are identical: anyone who obtains one of them can derive the other. If the ingest URL may be exposed, set the expiration timestamp as close to the current time as possible to limit unauthorized playback through the streaming URL.
  • Requests are authenticated only when stream ingest or playback begins. Ongoing stream ingest or playback is not interrupted if the signed URL expires during the process.