The URL authentication feature protects origin server resources from unauthorized downloads and access. With the hotlink protection feature, you can configure a referer blacklist or whitelist to prevent some hotlinking issues. However, hotlink protection cannot completely protect resources on the origin server because referer content can be forged. To resolve this issue, Dynamic Route for CDN (DCDN) provides URL authentication to protect resources on the origin server, which is more secure and effective.

Background information

A DCDN node works with origin servers to implement URL authentication to protect resources on the origin servers in a more secure and reliable manner.
  • The DCDN node encrypts a URL to include authentication information in the URL.
  • An end user sends a request to the DCDN node by using an encrypted URL.
  • The DCDN node verifies the authentication information in the encrypted URL to determine whether the request is valid. If the request is valid, the DCDN node returns a successful response. If the request is invalid, the DCDN node rejects the request.

For more information about sample Python authentication code, see Sample authentication code.

Procedure

  1. Log on to the Dynamic Route for CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the target domain name and click Configure.
  4. In the left-side navigation pane of the specified domain, click Access Control.
  5. Click the URL Authentication tab.
  6. In the URL Authentication Setting section, click Modify.
  7. Turn on URL Authentication and configure the required parameters.
    • Authentication Type: Alibaba Cloud DCDN supports three authentication types. You can select an authentication type based on your workloads to protect resources on the origin server. The following authentication types are supported:

      Note: If a URL authentication error occurs, a 403 error is returned.

      • MD5 calculation errors

        Example: X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be

      • Time-related errors

        Example: X-Tengine-Error:denied by req auth: expired timestamp=1439469547

    • Primary Key: The primary key corresponding to the selected authentication type.
    • Secondary Key: The secondary key corresponding to the selected authentication type.
  8. Click OK.

What to do next

To generate an encrypted URL, follow these steps:
  1. In the Generate Encrypted URL section, configure the original URL and the authentication information.
    • Original URL: Enter a full URL, for example, https://www.aliyun.com.
    • Authentication Type: Select an authentication type based on your needs.
    • Authentication Key: Set the cryptographic key. The cryptographic key can be the primary key or the secondary key configured in the URL Authentication dialog box.
    • Validity Period: Set the TTL value for the encrypted URL. Unit: seconds. Example: 1800.
  2. Click Generate.
    You can then obtain the encrypted URL and the timestamp.
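
The following added example (not Alibaba Cloud's sample code) sketches how a timestamp-plus-MD5 check of this kind behaves on the verifying side, including the two 403 cases listed above and acceptance of either the primary or the secondary key. The auth_key layout, the function names, the keys and the URL are assumptions made for illustration; the exact format of each DCDN authentication type is not given on this page.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Assumed layout (illustration only): auth_key=<timestamp>-<md5hash>, where
# md5hash = MD5("<path>-<timestamp>-<key>"). Not DCDN's documented format.

def md5hash(path, timestamp, key):
    return hashlib.md5(f"{path}-{timestamp}-{key}".encode()).hexdigest()

def sign_url(url, key, now):
    """Append an auth_key that carries the signing time and the MD5 hash."""
    parts = urlsplit(url)
    sep = "&" if parts.query else "?"
    return f"{url}{sep}auth_key={now}-{md5hash(parts.path or '/', now, key)}"

def verify_url(url, keys, ttl, now):
    """Return (status, reason) for a request: 200 if valid, otherwise 403."""
    parts = urlsplit(url)
    token = parse_qs(parts.query).get("auth_key", [""])[0]
    ts_text, _, given = token.partition("-")
    if not (ts_text.isascii() and ts_text.isdigit() and given):
        return 403, "missing or malformed auth_key"
    path = parts.path or "/"
    # Hash check comes first: the timestamp is covered by the hash, so an
    # edited timestamp fails here instead of extending the URL's lifetime.
    # Either configured key (primary or secondary) is accepted.
    if not any(hmac.compare_digest(md5hash(path, ts_text, k).encode(),
                                   given.encode()) for k in keys):
        return 403, f"invalid md5hash={given}"
    if now > int(ts_text) + ttl:
        return 403, f"expired timestamp={ts_text}"
    return 200, "ok"

if __name__ == "__main__":
    # Constructed keys, URL and clock values; nothing here is a real secret.
    keys = ["constructed-primary-key", "constructed-secondary-key"]
    t0, ttl = 1_700_000_000, 1800
    url = sign_url("https://example.com/video/a.mp4", keys[0], t0)
    print(verify_url(url, keys, ttl, t0 + 60))
    print(verify_url(url, keys, ttl, t0 + ttl + 1))
    print(verify_url(url.replace("a.mp4", "b.mp4"), keys, ttl, t0 + 60))
```

Because the path and the timestamp are both inputs to the hash, changing either one in a copied URL produces the md5hash error rather than a longer-lived or re-targeted link.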