ApsaraVideo VOD:Remote authentication

How it works

ApsaraVideo VOD supports URL signing and remote authentication to help prevent site resources from being illegally downloaded or used. The following section describes the differences between URL signing and remote authentication:

• URL signing: After you apply signing rules that are created for a domain name to POPs, the POPs complete the signing process. For more information about URL signing, see Configure URL signing.

• Remote authentication: You can specify a self-managed authentication server. After POPs receive client requests, the requests are redirected to the specified authentication server.

The following figure shows how remote authentication works.

1. A client sends a request to a CDN POP. The request carries parameters that are used for authentication.

2. The POP redirects the request to the authentication server.

3. The authentication server checks the request parameters and returns the authentication result to the POP.

4. The POP processes the request based on the authentication result that is returned from the authentication server. If the request passes the authentication, access is allowed. If the request fails the authentication, access is denied or restricted. Examples:

   • Example 1: The request passes the authentication. The POP returns the requested resources to the user.

   • Example 2: The request fails the authentication. The POP returns the HTTP status code 404 to the user.

   • Example 3: The request fails the authentication. The POP throttles requests from the user.

   • Example 4: The authentication times out. The POP performs the specified action such as the allow action.

Usage notes

After you enable remote authentication, the authentication server checks each request. If you estimate a large number of requests to be sent to the POP, make sure that the authentication server can handle traffic spikes without compromising performance.

Procedure

1. Log on to the ApsaraVideo VOD console.

2. In the left-side navigation pane, click Configuration Management.

3. Choose CDN Configuration > Domain Names. The Domain Names page appears.

4. Find the domain name that you want to configure and click Configure in the Actions column.

5. On the page that appears, click Resource Access Control.

6. Click the Remote Authentication tab.

7. Turn on Remote Authentication and configure remote authentication.

   The following table describes the parameters for remote authentication.

   Parameter	Description
   Authentication Server Address	Enter the address of the authentication server. The address must be publicly accessible. Alibaba Cloud CDN checks the specified server address and the format of the address. Supported formats The server address must be in one of the following formats: http://example.com/auth https://example.com/auth http://192.0.2.1/auth https://192.0.2.1/auth Address requirements The server address cannot contain 127.0.0.1 or localhost. Otherwise, the server address is considered invalid.
   Request Method	Select a request method that is supported by the authentication server. Valid values: GET, HEAD, and POST. POST Parameters are transmitted in the request body and the address bar remains unchanged. The size for data transmission is unlimited. Requests are not cached or stored in browser history. Security is high. GET Parameters are transmitted in the request line, and the address bar displays the values of the parameters. A maximum of 1,024 bytes can be transmitted for a request due to browser limits. Requests are cached and stored in browser history. Security is low. HEAD The HEAD method is similar to the GET method. However, the server does not return the request body after you call the HEAD method.
   File Types	All: The authentication server checks all file types. Specified: The authentication server checks only the file types that you specify. If you specify multiple file types, separate the file types with vertical bars (|). Example: mp4|flv. File types are case-sensitive. For example, jpg and JPG are considered different file types.
   Parameters to Retain	Specify the URL parameters that you want the authentication server to check. Valid values: Retain All URL Parameters, Retain Specified URL Parameters, and Delete All URL Parameters. If you specify multiple parameters, separate the parameters with vertical bars (|). Example: user|token. Parameters are case-sensitive. For example, key and KEY are considered different parameters.
   Add Custom Parameters	Add custom parameters to the URLs of requests before the requests are redirected to the authentication server. You can select Customize to specify key-value pairs, or Select to use preset variables in the ApsaraVideo VOD console. When you specify key-value pairs, take note of the following rules: Separate values with vertical bars (|). Example: token=$arg_token|vendor=ali_cdn. Parameters are case-sensitive. For example, key and KEY are considered different parameters. If you use preset variables, the values of the selected variables are added to client requests before the requests are redirected to the authentication server. For example, if you select the $http_host variable, host=$http_host is added to the URLs of requests before the requests are redirected to the authentication server. host indicates the value of the Host header field. For more information about the variables, see the Variables section of this topic.
   Request Headers to Retain	Specify the request headers that you want the authentication server to check. Valid values: Retain All Request Headers, Retain Specified Request Headers, and Delete All Request Headers. If you specify multiple request headers, separate the request headers with vertical bars (|). Example: user_agent|referer|cookies. Request headers are not case-sensitive. For example, http_remote_addr and HTTP_Remote_Addr are considered the same request header. Note If you select Retain All Request Headers, the POP deletes the Host header from requests. If you want to retain the Host header in requests, you can configure Retain Specified Request Headers or Add Custom Parameters. By default, the POP deletes the Host header from requests because the Host header in requests that are redirected to the authentication server specifies the accelerated domain name. In this case, the authentication server may fail to identify the requests, which may cause authentication errors such as the HTTP status code 404.
   Add Custom Parameters	Add custom request headers to requests that are sent to the POP before the requests are redirected to the authentication server. You can select Customize to specify key-value pairs, or Select to use preset variables in the ApsaraVideo VOD console. When you specify key-value pairs, take note of the following rules: Separate multiple request headers with vertical bars (|). Example: User-Agent=$http_user_agent|vendor=ali_cdn. Request headers are not case-sensitive. For example, http_remote_addr and HTTP_Remote_Addr are considered the same request header. If you use preset variables, the values of the variables are added to requests that are sent to the POP before the requests are redirected to the authentication server. For example, if you select the $http_host variable, host=$http_host is added to the URLs of requests before the requests are redirected to the authentication server. host indicates the value of the Host header field. For more information about the variables, see the Variables section of this topic.
   Successful Authentication	Specify the HTTP status code that is returned by the authentication server if a request passes the authentication. We recommend that you set the HTTP status code for successful authentication to 2XX. If you set the HTTP status code to 200, the authentication server returns the HTTP status code 200 to CDN POPs for client requests that pass the authentication. If the authentication server returns an HTTP status code that does not indicate whether the request passes or fails the authentication, the authentication times out.
   Failed Authentication	Specify the HTTP status code that is returned by the authentication server if a request fails the authentication. We recommend that you set the HTTP status code for failed authentication to 4XX. If you set the HTTP status code to 403, the authentication server returns the HTTP status code 403 to CDN POPs for client requests that fail the authentication. If the authentication server returns an HTTP status code that indicates whether the request passes or fails the authentication, the authentication times out.
   Custom HTTP Status Code	Specify the HTTP status code that is returned from the POP to the user after the POP receives an HTTP status code indicating failed authentication from the authentication server. If you set Custom HTTP Status Code to 403, the POP returns the HTTP status code 403 to the user for requests that fail the authentication.
   Timeout	The timeout period starts when the POP redirects a request to the authentication server. The timeout period ends when the POP receives the authentication result from the authentication server. Unit: milliseconds. Maximum value: 3000.
   Action	Specify the action that the POP performs on a request if the authentication times out. Valid values: Allow: The POP returns the requested resources to the user. Reject: The POP rejects the request and returns the HTTP status code that you specify in the Custom HTTP Status Code field to the user.

8. Click OK.

   After you enable remote authentication, you can modify the settings of remote authentication or disable remote authentication on the Remote Authentication tab.

Variables

If you add custom parameters, you can select preset variables that are provided by ApsaraVideo VOD. The following table describes the variables.

Related API operations

BatchSetVodDomainConfigs