When do I need to use URL signing for live streaming?

By default, URL signing is enabled to prevent illegal recording and distribution. We recommend that you keep this feature enabled.

ApsaraVideo Live provides ingest and streaming URLs for you to ingest and play streams. However, these URLs are public. Without security control, everyone can use these URLs for stream ingest and live streaming, which may cause you unexpected charges.

In the root directory of the domain to which the streaming URL belongs, the crossdomain.xml file grants access across all domains by default. Sample code:
<! --Content of the crossdomain.xml file-->
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

To protect ingest and streaming URLs from unauthorized access, you can sign the URLs and set an expiration timestamp for them. For more information, see URL signing.

ApsaraVideo Live also supports referer-based hotlink protection and IP address whitelists and blacklists. You can use these features as needed. For more information, see Access control.

How do I configure URL signing?

You can also write code to obtain a signed streaming URL.

You can construct an unsigned streaming URL based on the AppName and StreamName parameters in an ingest URL. For example, the constructed streaming URL is rtmp:/DomainName/AppName/StreamName. Then, calculate a signed streaming URL by using an authentication algorithm in your code. For more information about the authentication algorithm, see Signed URLs.

For more information about the sample code that is used to calculate a signed URL, see URL signing demos.

What do I need to take note of when I use URL signing?

  • By default, URL signing is enabled. We recommend that you keep this feature enabled to prevent illegal recording and distribution. If you want to disable URL signing, make sure that you understand the risk of unauthorized use of your service and agree to Terms for Disabling URL Authentication on the URL Authentication page in the ApsaraVideo Live console.
  • You must manually set the auth_key parameter. ApsaraVideo Live provides no API operation for calculating the value of the auth_key parameter.
  • After you enable URL signing, you must add the auth_key parameter to the ingest and streaming URLs. Otherwise, live streams cannot be played. You cannot sign only the ingest URL or the streaming URL. You must sign them both.
  • Signed URLs remain valid before their expiration timestamp. You can access a signed URL anytime before it expires. ApsaraVideo Live does not support one-time signed URLs.
  • The value of the auth_key parameter is the MD5 value of the URI without the queryString parameters. For more information, see the preceding section about setting URL signing parameters. The URIs of both the ingest and streaming URLs are AppName/StreamName. As a result, the values of the auth_key parameters for the ingest and streaming URLs are the same. If the ingest URL is not confidential, we recommend that you set an expiration timestamp as near as possible. This prevents malicious access to the streaming URL.
  • Requests are authenticated only when stream ingest or live streaming begins. Ongoing stream ingest or live streaming is not interrupted if the signed URL expires during the process.