When do I need to use URL signing?

By default, URL signing is enabled to prevent illegal recording and distribution. We recommend that you keep this feature enabled.

ApsaraVideo Live provides ingest and streaming URLs for you to ingest and play streams. These URLs are public. Without security control, everyone can use these URLs to ingest and play streams. This may cause you unexpected charges.

In the root directory of a domain name to which a streaming URL belongs, the crossdomain.xml file grants access across all domain names by default. Sample code:
<!--Content of the crossdomain.xml file-->
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

To protect ingest and streaming URLs from unauthorized access, you can sign the URLs and specify an expiration timestamp for them. For more information, see URL signing.

ApsaraVideo Live also supports Referer-based hotlink protection and IP address whitelists and blacklists. You can use these features based on your business requirements. For more information, see Access control.

How do I configure URL signing?

In the ApsaraVideo Live console, you can use the default URL signing settings or customize the URL signing settings.
  • Default authentication: The default authentication type is Type A. For more information, see Live URL generator.
  • Custom authentication: If you do not want to use the default authentication, you can configure the URL signing settings. For more information, see Configure URL signing.

You can also write code to generate a signed URL.

You can construct an unsigned streaming URL based on the AppName and StreamName parameters in an ingest URL. For example, you can construct the following URL: rtmp://DomainName/AppName/StreamName. Then, generate a signed streaming URL by using an authentication algorithm in your code. For more information about the authentication algorithm, see Construct a signed URL.

For more information about the sample code that is used to generate a signed URL, see URL signing demos.

What do I need to take note of when I use URL signing?

  • By default, URL signing is enabled. We recommend that you keep this feature enabled to prevent your content from being pirated. If you want to disable URL signing, make sure that you understand the risk of unauthorized use of your service and agree to Terms for Disabling URL Authentication on the URL Authentication page in the ApsaraVideo Live console.
  • You must manually set the auth_key parameter. ApsaraVideo Live provides no API operation for calculating the value of the auth_key parameter.
  • After you enable URL signing, you must add the auth_key parameter to the ingest and streaming URLs. Otherwise, live streams cannot be played. You cannot sign only the ingest URL or the streaming URL. You must sign them both.
  • Signed URLs remain valid until their expiration timestamp. You can access a signed URL anytime before it expires. ApsaraVideo Live does not support one-time signed URLs.
  • The value of the auth_key parameter is the MD5 value of the URI without the queryString parameters. For more information, see the preceding section about setting URL signing parameters. The URIs of both the ingest and streaming URLs are AppName/StreamName. As a result, the values of the auth_key parameters for the ingest and streaming URLs are the same. If the ingest URL is not confidential, we recommend that you set the expiration timestamp as close to the current time as possible. This prevents malicious access to the streaming URL.
  • For ingest and streaming URLs in the Real-Time Messaging Protocol (RTMP), FLV, and Real-Time Streaming (RTS) formats, requests are authenticated only when stream ingest or streaming begins. Ongoing stream ingest or streaming is not interrupted if the signed URL expires during the process.
  • For streaming URLs in the M3U8 format, requests are authenticated at the beginning of streaming and during streaming. Ongoing streaming is interrupted if the signed URL expires during the process.
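
The following Python sketch is an added example, not ApsaraVideo Live's own demo code. It shows how a signed URL can be generated in code and why the ingest and streaming URLs of one stream carry the same auth_key. It assumes the Type A layout auth_key = timestamp-rand-uid-md5hash with md5hash = MD5("URI-timestamp-rand-uid-key") and treats the timestamp as the expiration timestamp; the key, domain names, stream names and function names are constructed for illustration.

```python
import hashlib
import hmac

# Assumed Type A layout (not stated on this page):
#   auth_key = {timestamp}-{rand}-{uid}-{md5hash}
#   md5hash  = MD5("{uri}-{timestamp}-{rand}-{uid}-{key}")
# The timestamp field is treated as the expiration timestamp.
KEY = "example-signing-key"   # constructed sample value
URI = "/live/stream1"         # /AppName/StreamName, constructed sample value

def make_auth_key(uri, key, expires, rand="0", uid="0"):
    """Sign the URI only: the domain and query string are not part of the hash."""
    digest = hashlib.md5(f"{uri}-{expires}-{rand}-{uid}-{key}".encode()).hexdigest()
    return f"{expires}-{rand}-{uid}-{digest}"

def signed_url(domain, uri, key, expires):
    return f"rtmp://{domain}{uri}?auth_key={make_auth_key(uri, key, expires)}"

def check_auth_key(uri, auth_key, key, now):
    """Verifier side: returns 'ok', 'malformed', 'expired' or 'bad_signature'."""
    parts = auth_key.split("-", 3)
    if len(parts) != 4 or not (parts[0].isascii() and parts[0].isdigit()):
        return "malformed"
    expires, rand, uid, _ = parts
    if now > int(expires):
        return "expired"
    expected = make_auth_key(uri, key, expires, rand, uid)
    # Constant-time comparison of the recomputed and presented values.
    if not hmac.compare_digest(expected.encode(), auth_key.encode()):
        return "bad_signature"
    return "ok"

def demo(now=1_700_000_000, ttl=60):
    expires = now + ttl  # 60 s, the minimum validity period this page allows
    ingest = signed_url("push.example.com", URI, KEY, expires)
    play = signed_url("play.example.com", URI, KEY, expires)
    ingest_key = ingest.split("auth_key=")[1]
    play_key = play.split("auth_key=")[1]
    return {
        "same_key": ingest_key == play_key,  # same URI, same auth_key
        "before_expiry": check_auth_key(URI, ingest_key, KEY, now + 30),
        "after_expiry": check_auth_key(URI, ingest_key, KEY, now + 61),
        "other_stream": check_auth_key("/live/stream2", ingest_key, KEY, now + 30),
    }

if __name__ == "__main__":
    print(demo())
```

Because only the URI is hashed, the auth_key issued for ingest also passes the check for playback of the same stream until the timestamp is reached, which is why a short validity period matters when the ingest URL is shared.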

What is the validity period of a signed URL?

Validity period specifies the duration for which a signed URL can be used to initiate stream ingest or streaming. Persistent connections are established for stream ingest and streaming.
  • For ingest and streaming URLs in the RTMP, FLV, and RTS formats, requests are authenticated only when stream ingest or streaming begins. Ongoing stream ingest or streaming is not interrupted if the signed URL expires during the process. Stream ingest or streaming requests that start after the signed URL expires fail.
  • For streaming URLs in the M3U8 format, requests are authenticated at the beginning of streaming and during streaming. Ongoing streaming is interrupted if the signed URL expires during the process.

How long is the validity period of a signed URL?

To ensure that a signed URL is available, you must set the validity period of the signed URL to at least 1 minute. There is no upper limit. However, we recommend that you specify a proper validity period based on your business requirements to ensure the security of live streaming.

Can I generate a signed URL that is permanently valid?

To ensure the security of live streaming, ApsaraVideo Live does not allow you to generate signed URLs that are permanently valid. We recommend that you specify a proper validity period for a signed URL based on your business requirements. If you want to use a URL that is permanently valid, disable URL signing.