The URL signing feature protects the content uploaded to ApsaraVideo for VOD against illegal download and hotlinking. Using a referer blacklist and whitelist with hotlinking protection can resolve certain hotlinking issues. However, because the referer content can be forged, referer-based hotlinking protection cannot protect all resources. Using URL signing is a more effective way to protect the security of origin resources.
The URL signing feature uses Alibaba Cloud CDN nodes together with client resource sites to provide more secure and reliable hotlinking protection for origin resources. URL signing is implemented as follows:
- The CDN client site provides you with a signed URL (including permission verification information).
- You use the signed URL to send a request to a CDN node.
- The CDN node verifies the permission information in the signed URL to determine the legality of the request. The CDN node responds to legal requests and rejects illegal ones. This effectively protects the resources of CDN client sites.
Configure the ApsaraVideo for VOD console.
Log on to the ApsaraVideo for VOD console and choose Domain Names in the left-side navigation pane.
On the Domain Names page, click Configure for the target domain name.
Choose Resource Access Control in the left-side navigation pane, click the URL Authentication tab, and then click Modify.
In the URL Authentication dialog box, turn on the URL Authentication switch.
After URL signing is enabled, ApsaraVideo Player SDKs and the API or SDK for obtaining playback URLs automatically generate playback URLs with a validity period. To generate a dynamic signed URL, see the signing method described below.
Note: After URL signing is enabled, the URLs of video, audio, thumbnail, and snapshot files are all signed.
The primary and secondary keys are equally effective. The secondary key is used to ensure that the primary key can be changed smoothly without causing service interruption. If you directly change the primary key without using any secondary key, all the playback URLs created with the primary key immediately become invalid. If you change the primary key to the secondary key, the playback URLs created with the original primary key are not made invalid immediately. The video playback service is still available with the secondary key.
After you set the Default Validity Period parameter for the target domain name, all URLs using the domain name have the specified validity period. You can also customize the validity period for a single URL.
Note: If the Default Validity Period parameter is set, CDN adds the default validity period to the timestamp parameter value to determine the expiration time of a URL.
A signed URL consists of a file URL and an access token (auth_key). The value of the md5hash parameter in the access token is calculated by the MD5 algorithm based on the authentication key and expiration time. The access token has a specific validity period. The following table describes the timestamp, rand, uid, and md5hash parameters.
CDN adds the value of the
| Parameter | Description |
| --- | --- |
| rand | The random number, which is generally set to 0. To generate a different URL each time, you can use the UUID as the random number. |
| uid | The additional parameter, which is generally set to 0. |
| md5hash | The MD5 hash calculated by the MD5 algorithm. The value is a combination of digits 0 to 9 and lowercase English letters a to z, with a fixed length of 32 characters. |
When the time specified by the Default Validity Period parameter plus the timestamp parameter value elapses, a signed URL expires. In this case, CDN returns HTTP error 403.
For example, if the timestamp parameter is set to 1597474800 (2020-08-15 15:00:00) and the Default Validity Period parameter is set to 30 minutes, the actual expiration time is 2020-08-15 15:30:00.
sstring = "URI-timestamp-rand-uid-PrivateKey"
md5hash = md5sum(sstring)
URI: the relative path of the requested file, excluding parameters. For example, /Filename.
PrivateKey: the authentication key configured in the ApsaraVideo for VOD console. Either the primary key or secondary key can be used.
md5sum: the function for calculating the MD5 hash. Use the MD5 hash calculation function provided by your development language.
- Assume that the URL of the requested file is as follows:
Set the authentication key to aliyuncdnexp1234 (primary key or secondary key configured in the ApsaraVideo for VOD console).
Set the expiration time of the signed URL to 2015-10-10, 00:00:00 (UNIX timestamp: 1444435200).
Assemble the string for calculating the md5hash value as follows:
Assume that both the rand and uid parameters are set to 0.
- Calculate the md5hash value as follows:
md5hash = md5sum("/video/standard/1K.html-1444435200-0-0-aliyuncdnexp1234") = 80cd3862d699b7118eed99103f2a3a4f
- Obtain the request URL as follows:
In the preceding URL, the auth_key parameter indicates the access token contained in the signed URL.
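The signing formula, the expiration rule, and the primary and secondary key behaviour described above, as an added Python example (not Alibaba Cloud code). The host vod.example.com is a constructed placeholder, the auth_key layout timestamp-rand-uid-md5hash follows the parameter order on this page, and verify_url is a hypothetical local model of the check a CDN node performs, not the CDN's implementation.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

def md5hash(uri, timestamp, rand, uid, key):
    # sstring = "URI-timestamp-rand-uid-PrivateKey", as defined on this page
    sstring = f"{uri}-{timestamp}-{rand}-{uid}-{key}"
    return hashlib.md5(sstring.encode("utf-8")).hexdigest()

def sign_url(file_url, key, timestamp, rand="0", uid="0"):
    # file_url must carry no query string; only the path is hashed.
    # For a unique URL per request, pass rand=uuid.uuid4().hex (no hyphens,
    # so the token still splits into exactly four fields).
    uri = urlsplit(file_url).path
    digest = md5hash(uri, timestamp, rand, uid, key)
    return f"{file_url}?auth_key={timestamp}-{rand}-{uid}-{digest}"

def verify_url(url, keys, now, default_validity=0):
    # Hypothetical model of the node-side check; returns an HTTP status.
    # keys: the currently configured primary and secondary keys.
    parts = urlsplit(url)
    token = parse_qs(parts.query).get("auth_key", [""])[0]
    fields = token.split("-")
    if len(fields) != 4:
        return 403
    timestamp, rand, uid, digest = fields
    if not (timestamp.isascii() and timestamp.isdigit()):
        return 403
    # Expiration time = timestamp + Default Validity Period (seconds here).
    if now > int(timestamp) + default_validity:
        return 403
    for key in keys:
        expected = md5hash(parts.path, timestamp, rand, uid, key)
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(expected.encode(), digest.encode()):
            return 200
    return 403

# Constructed sample: the page's path, key and timestamp on a placeholder host.
SIGNED = sign_url("https://vod.example.com/video/standard/1K.html",
                  "aliyuncdnexp1234", 1444435200)
```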