
Authentication configurations

Last Updated: Dec 11, 2018

Introduction

The URL authentication feature protects the content and resources of a site from being hotlinked (leeched) by other sites. The Referer-based anti-leech method, which adds a blacklist or whitelist of referers, only partially solves the problem: the Referer header is supplied by the client and can be forged, so it cannot fully protect the site's resources. URL authentication is safer and more effective because each URL carries a digest that a client without the site's private key cannot produce.

Concept

The URL authentication feature is a more secure and reliable anti-leech method for origin resources. It is implemented through cooperation between Alibaba Cloud CDN acceleration nodes and client resource sites.

Step 1: The CDN client site generates a URL that carries verification information: a time field and an MD5 digest computed over the requested path, that time field and a PrivateKey known only to the client site and the CDN. This document calls it the encrypted URL, although nothing in it is actually encrypted; what matters is that a party that does not hold PrivateKey cannot produce a valid digest.

Step 2: A user initiates a request to the acceleration node using the encrypted URL.

Step 3: The acceleration node determines the validity of the request from the verification information in the encrypted URL. It responds to valid requests normally and rejects invalid requests with HTTP 403. This effectively protects the resources of CDN client sites.

URL authentication method

Alibaba Cloud DCDN supports authentication Method A, Method B and Method C. You can select an appropriate method to protect origin site resources based on your business requirements.

Authentication method A

Concept

Format of the encrypted URL for user access
  1. http://DomainName/Filename?auth_key=timestamp-rand-uid-md5hash
Authentication fields

Note: PrivateKey is set by the CDN client (see Procedure). Keep it secret; the whole scheme rests on it.

  • The validity period (1,800 seconds by default) is added to the expiration time carried in the URL: the acceleration node keeps accepting the URL until 1,800 seconds after the timestamp, and rejects it after that.

    For example, if the user sets the access expiration time to 2020-08-15 15:00:00, the link actually stops working at 2020-08-15 15:30:00.

Field      Description
timestamp  Expiration time: a positive integer of fixed length 10, the number of seconds since 00:00:00 on January 1, 1970 (UTC). The configured validity period (1,800 seconds by default) is added to this value.
rand       Random number, usually set to 0. It is part of the signed string, so the value in the URL must be the one used when md5hash was computed.
uid        Not used yet; set to 0.
md5hash    Verification string computed with the MD5 algorithm: 32 lowercase hexadecimal characters (digits 0 to 9 and letters a to f).
Authentication process
  1. When the CDN server receives a request, it first checks whether the URL has expired by comparing timestamp in the request (plus the configured validity period, 1,800 seconds by default) with the current time.

    • If that moment is earlier than the current time, the URL is considered expired and an HTTP 403 error is returned.

    • Otherwise, the server constructs the same string the client signed (see the following string construction method).

  2. Use the MD5 algorithm to calculate HashValue, and compare it with md5hash that is carried in the request.

    • If the results are consistent, authentication succeeds and the file is returned.

    • If the results are inconsistent, authentication fails and an HTTP 403 error is returned.

HashValue is calculated by the following string:

  1. sstring = "URI-Timestamp-rand-uid-PrivateKey" (URI is the path of the requested object, for example /Filename; the query string is not included.)
  2. HashValue = md5sum(sstring)

Example

  1. The object requested through req_auth:

    1. http://cdn.example.com/video/standard/1K.html
  2. The key is set to aliyuncdnexp1234 (user-defined).

  3. The expiration time configured for the authentication is October 10, 2015 00:00:00 (UTC), which is 1,444,435,200 seconds since the epoch.
  4. The CDN server constructs a signature string for the calculation of HashValue:

    1. /video/standard/1K.html-1444435200-0-0-aliyuncdnexp1234
  5. The CDN server calculates HashValue based on the signature string:

    1. HashValue = md5sum("/video/standard/1K.html-1444435200-0-0-aliyuncdnexp1234") = 80cd3862d699b7118eed99103f2a3a4f
  6. When requested, the URL is:

    1. http://cdn.example.com/video/standard/1K.html?auth_key=1444435200-0-0-80cd3862d699b7118eed99103f2a3a4f

If the calculated HashValue matches the value of md5hash = 80cd3862d699b7118eed99103f2a3a4f that is carried in the user request, authentication succeeds.
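The signing and node-side verification described above, carried through as a runnable example. This is added here for illustration and is not code from the page or from Alibaba Cloud; it assumes the page's example key aliyuncdnexp1234, the page's default validity period of 1,800 seconds, and the path-only signing rule (the query string is left out of sstring). The constant-time comparison (hmac.compare_digest) is a practitioner's addition, not something the page requires.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Assumed configuration (constructed for this example): the page's example key
# and the page's default validity period.
PRIVATE_KEY = "aliyuncdnexp1234"
VALIDITY_PERIOD = 1800  # seconds added to timestamp before the URL expires


def method_a_hash(uri: str, timestamp, rand: str, uid: str, key: str) -> str:
    """md5hash over sstring = "URI-Timestamp-rand-uid-PrivateKey" (path only)."""
    sstring = f"{uri}-{timestamp}-{rand}-{uid}-{key}"
    return hashlib.md5(sstring.encode("utf-8")).hexdigest()


def sign_url_a(url: str, expire_ts: int, key: str = PRIVATE_KEY,
               rand: str = "0", uid: str = "0") -> str:
    """Append auth_key=timestamp-rand-uid-md5hash to a plain URL (client side)."""
    parts = urlsplit(url)
    md5hash = method_a_hash(parts.path, expire_ts, rand, uid, key)
    auth = f"auth_key={expire_ts}-{rand}-{uid}-{md5hash}"
    # An existing query string is kept; it is not covered by the hash.
    query = f"{parts.query}&{auth}" if parts.query else auth
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def verify_url_a(url: str, key: str = PRIVATE_KEY, now: Optional[int] = None,
                 validity: int = VALIDITY_PERIOD) -> Tuple[bool, str]:
    """Re-run the acceleration node's check; returns (accepted, reason)."""
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("auth_key")
    if not values:
        return False, "missing auth_key"
    fields = values[0].split("-")
    if len(fields) != 4:
        return False, "malformed auth_key"
    timestamp, rand, uid, md5hash = fields
    if not (timestamp.isdigit() and len(timestamp) == 10):
        return False, "malformed timestamp"
    now = int(time.time()) if now is None else now
    # Step 1: expiry. The validity period extends the timestamp in the URL.
    if now > int(timestamp) + validity:
        return False, "expired"
    # Step 2: rebuild sstring from the request's own fields and compare digests.
    expected = method_a_hash(parts.path, timestamp, rand, uid, key)
    if not hmac.compare_digest(expected, md5hash.lower()):
        return False, "hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    signed = sign_url_a("http://cdn.example.com/video/standard/1K.html", 1444435200)
    print(signed)
    print(verify_url_a(signed, now=1444435000))                         # accepted
    print(verify_url_a(signed, now=1444437100))                         # expired
    print(verify_url_a(signed.replace("1K.html", "2K.html"), now=1444435000))  # hash mismatch
```

Note that rand and uid are taken from the request and fed back into the string, so they do not need to be known in advance by the node; only PrivateKey does. Changing the path, the key or any auth_key field changes the digest and yields a 403.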

Authentication method B

Concept

Format of the encrypted URL for user access
  • The user visits the following URL:
  1. http://DomainName/timestamp/md5hash/FileName

The structure of the encrypted URL is: domain name, then the time at which the URL was generated, accurate to the minute (timestamp), then the MD5 value (md5hash), followed by the real path (FileName) that is finally sent to the origin server. The URL is valid for 1,800 seconds after the generation time.

  • When authentication succeeds, the actual origin URL is:
  1. http://DomainName/FileName
Authentication fields

Note: PrivateKey is set by CDN clients.

  • The validity period of 1,800 seconds means that a URL is rejected once more than 1,800 seconds have passed since the generation time it carries. For example, if the timestamp corresponds to 2020-08-15 15:00:00, the link actually stops working at 2020-08-15 15:30:00.
Field       Description
DomainName  CDN client domain name.
timestamp   Time at which the URL was generated, carried in the URL and used as an input to md5hash. Its format is YYYYMMDDHHMM and the URL is valid for 1,800 seconds after it. The page does not state a time zone; the signer must use the same zone the CDN node uses.
md5hash     String obtained by applying the MD5 algorithm to the pre-defined PrivateKey, timestamp and FileName concatenated in that order, that is, md5(PrivateKey + timestamp + FileName).
FileName    The actual URL path of the origin access. Note that FileName must start with a slash (/) in authentication.

Example

  1. The origin fetch request object:

    1. http://cdn.example.com/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3
  2. The key is set to aliyuncdnexp1234 (user-defined).

  3. The generation time of the URL is 201508150800 (format: YYYYMMDDHHMM).
  4. The CDN server then constructs a signature string for the calculation of md5hash:

    1. aliyuncdnexp1234201508150800/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3
  5. The server calculates md5hash based on the signature string:

    1. md5hash = md5sum("aliyuncdnexp1234201508150800/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3") = 9044548ef1527deadafa49a890a377f0
  6. The URL to request CDN:

    1. http://cdn.example.com/201508150800/9044548ef1527deadafa49a890a377f0/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3

If the calculated md5hash matches the value of md5hash = 9044548ef1527deadafa49a890a377f0 that is carried in the user request, authentication succeeds.
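The same round trip for Method B, as an added example that is not code from the page or from Alibaba Cloud. It assumes the page's example key, the 1,800-second validity, and that the signer and the node agree on the time zone of the YYYYMMDDHHMM field (UTC here, purely as an assumption since the page does not say). Two details the page leaves unspecified are choices of this example: a timestamp in the future is rejected rather than treated as valid, and digests are compared in constant time.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

PRIVATE_KEY = "aliyuncdnexp1234"          # the page's example key (assumed configuration)
VALIDITY_PERIOD = timedelta(seconds=1800)  # the page's validity period
# The page does not state which time zone YYYYMMDDHHMM uses; UTC is an assumption.
SIGNING_TZ = timezone.utc

# /timestamp/md5hash/FileName, with FileName keeping its leading slash
_SIGNED_PATH = re.compile(r"^/(\d{12})/([0-9a-f]{32})(/.*)$")


def method_b_hash(timestamp: str, filename: str, key: str) -> str:
    """md5(PrivateKey + timestamp + FileName); FileName must start with '/'."""
    if not filename.startswith("/"):
        raise ValueError("FileName must start with a slash")
    return hashlib.md5(f"{key}{timestamp}{filename}".encode("utf-8")).hexdigest()


def sign_url_b(origin_url: str, gen_time: datetime, key: str = PRIVATE_KEY) -> str:
    """Turn http://DomainName/FileName into http://DomainName/timestamp/md5hash/FileName."""
    parts = urlsplit(origin_url)
    timestamp = gen_time.astimezone(SIGNING_TZ).strftime("%Y%m%d%H%M")
    md5hash = method_b_hash(timestamp, parts.path, key)
    signed_path = f"/{timestamp}/{md5hash}{parts.path}"
    return urlunsplit((parts.scheme, parts.netloc, signed_path, parts.query, parts.fragment))


def verify_url_b(url: str, now: datetime, key: str = PRIVATE_KEY,
                 validity: timedelta = VALIDITY_PERIOD) -> Tuple[bool, str, Optional[str]]:
    """Node-side check. Returns (accepted, reason, origin URL to fetch or None)."""
    parts = urlsplit(url)
    m = _SIGNED_PATH.match(parts.path)
    if not m:
        return False, "path does not carry timestamp/md5hash", None
    timestamp, md5hash, filename = m.groups()
    try:
        gen_time = datetime.strptime(timestamp, "%Y%m%d%H%M").replace(tzinfo=SIGNING_TZ)
    except ValueError:
        return False, "malformed timestamp", None
    # Valid for 1,800 s after generation. A negative age means a future timestamp;
    # the page does not cover that case, so this example rejects it.
    age = now - gen_time
    if age < timedelta(0) or age > validity:
        return False, "expired", None
    expected = method_b_hash(timestamp, filename, key)
    if not hmac.compare_digest(expected, md5hash):
        return False, "hash mismatch", None
    # On success the node strips the two extra segments and fetches http://DomainName/FileName.
    origin = urlunsplit((parts.scheme, parts.netloc, filename, parts.query, parts.fragment))
    return True, "ok", origin


if __name__ == "__main__":
    gen = datetime(2015, 8, 15, 8, 0, tzinfo=timezone.utc)
    signed = sign_url_b("http://cdn.example.com/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3", gen)
    print(signed)
    print(verify_url_b(signed, now=gen + timedelta(minutes=10)))
    print(verify_url_b(signed, now=gen + timedelta(minutes=31)))
```

Because the timestamp is only minute-accurate and the key is the first thing hashed, the whole path including every directory segment must be reproduced exactly by the node; a URL whose FileName was normalized or re-encoded on the way (for example a dropped leading slash) fails verification.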

Authentication method C

Concept

Formats of the encrypted URL for user access

Format 1

http://DomainName/{<md5hash>/<timestamp>}/FileName

Format 2

http://DomainName/FileName{?KEY1=<md5hash>&KEY2=<timestamp>}

  • The content in braces represents the encrypted information that is added based on the standard URL.

  • <md5hash> is the MD5 encrypted string of authentication information.

  • <timestamp> is an unencrypted string, expressed in plain text. It is the number of seconds since 00:00:00 on January 1, 1970, Coordinated Universal Time (UTC), written in hexadecimal (8 hexadecimal characters for current dates, for example 55CE8100).

  • Use format 1 to encrypt a URL, for example:
    1. http://cdn.example.com/a37fa50a5fb8f71214b1e7c95ec7a1bd/55CE8100/test.flv

<md5hash> is a37fa50a5fb8f71214b1e7c95ec7a1bd. <timestamp> is 55CE8100.

Authentication fields
  • Field description for <md5hash>:
Field       Description
PrivateKey  Secret key (the page calls it an interference string). Each client uses a different one.
FileName    The actual URL path of the origin fetch access. Note that the path must start with a slash (/) in authentication.
time        The UNIX time of the user's access to the origin server, expressed in hexadecimal; the hash is computed over the hexadecimal string exactly as it appears in the URL.
  • PrivateKey value: aliyuncdnexp1234

  • FileName value: /test.flv

  • time value: 55CE8100
  • Therefore, md5hash is:

    1. md5hash = md5sum(aliyuncdnexp1234/test.flv55CE8100) = a37fa50a5fb8f71214b1e7c95ec7a1bd
  • Plain text: timestamp = 55CE8100

  • The encrypted URL is then generated as follows:

Format 1:

  1. http://cdn.example.com/a37fa50a5fb8f71214b1e7c95ec7a1bd/55CE8100/test.flv

Format 2:

  1. http://cdn.example.com/test.flv?KEY1=a37fa50a5fb8f71214b1e7c95ec7a1bd&KEY2=55CE8100

Example

The user accesses the acceleration node using the encrypted URL. The CDN server first extracts encrypted string 1 (the <md5hash> carried in the URL) together with the plaintext <timestamp>, recovers <FileName> of the original URL, and then verifies the request according to the defined business logic:

  1. Compute the MD5 digest of PrivateKey, <FileName> of the original URL and the request time from the URL; this is encrypted string 2.

  2. Compare encrypted string 2 with encrypted string 1. The access request is rejected if the two strings differ.

  3. Subtract the plaintext time in the access URL from the current time on the CDN server to determine whether the preset time limit t has expired (t is set to 1,800 s by default).

  4. The validity period of 1,800 s means that the authentication fails once more than 1,800 s have passed since the time carried in the URL. For example, if the time in the URL corresponds to 2020-08-15 15:00:00, the link actually stops working at 2020-08-15 15:30:00.

  5. If the time difference is less than the preset time limit, the request is valid and the CDN acceleration node responds normally. Otherwise, the request is rejected and an HTTP 403 error is returned.
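The Method C signer and the verification steps listed above, as an added example that is not code from the page or from Alibaba Cloud. It produces and accepts both Format 1 (path) and Format 2 (query) URLs and uses the page's example key and default limit t = 1,800 s; the regular expression that splits a Format 1 path, the constant-time digest comparison, and the choice to write the hexadecimal time in uppercase (as in the page's 55CE8100) are this example's own.

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit, urlunsplit

PRIVATE_KEY = "aliyuncdnexp1234"   # the page's example key (assumed configuration)
TIME_LIMIT = 1800                  # the page's default t, in seconds

# Format 1: /<md5hash>/<timestamp-hex>/FileName (FileName keeps its leading slash)
_FORMAT1 = re.compile(r"^/([0-9a-f]{32})/([0-9A-Fa-f]{1,16})(/.*)$")


def method_c_hash(filename: str, time_hex: str, key: str) -> str:
    """md5(PrivateKey + FileName + time), time being the hex string as written in the URL."""
    if not filename.startswith("/"):
        raise ValueError("FileName must start with a slash")
    return hashlib.md5(f"{key}{filename}{time_hex}".encode("utf-8")).hexdigest()


def sign_url_c(origin_url: str, unix_time: int, key: str = PRIVATE_KEY, fmt: int = 1) -> str:
    """Produce a Format 1 (fmt=1) or Format 2 (fmt=2) URL for the given UNIX time."""
    parts = urlsplit(origin_url)
    time_hex = format(unix_time, "X")          # uppercase hex, as in the page's 55CE8100
    md5hash = method_c_hash(parts.path, time_hex, key)
    if fmt == 1:
        path = f"/{md5hash}/{time_hex}{parts.path}"
        return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))
    auth = f"KEY1={md5hash}&KEY2={time_hex}"
    query = f"{parts.query}&{auth}" if parts.query else auth
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def extract_c(url: str) -> Optional[Tuple[str, str, str]]:
    """Pull (md5hash, time_hex, FileName) out of either format; None if neither matches."""
    parts = urlsplit(url)
    m = _FORMAT1.match(parts.path)
    if m:
        return m.group(1), m.group(2), m.group(3)
    qs = parse_qs(parts.query)
    if "KEY1" in qs and "KEY2" in qs:
        return qs["KEY1"][0], qs["KEY2"][0], parts.path
    return None


def verify_url_c(url: str, now: int, key: str = PRIVATE_KEY,
                 limit: int = TIME_LIMIT) -> Tuple[bool, str]:
    """The page's order: recompute and compare the digest first, then check the time window.
    Returns (accepted, FileName) on success and (False, reason) otherwise."""
    found = extract_c(url)
    if found is None:
        return False, "no authentication information"
    md5hash, time_hex, filename = found
    try:
        access_time = int(time_hex, 16)
    except ValueError:
        return False, "malformed timestamp"
    expected = method_c_hash(filename, time_hex, key)      # encrypted string 2
    if not hmac.compare_digest(expected, md5hash.lower()):  # compare with string 1
        return False, "hash mismatch"
    # now - plaintext time must be smaller than t; equality already counts as expired.
    if now - access_time >= limit:
        return False, "expired"
    return True, filename


if __name__ == "__main__":
    t = int("55CE8100", 16)  # 1439596800, the page's example time
    for fmt in (1, 2):
        signed = sign_url_c("http://cdn.example.com/test.flv", t, fmt=fmt)
        print(signed)
        print(verify_url_c(signed, now=t + 100), verify_url_c(signed, now=t + 1800))
```

Both formats carry exactly the same three values, which is why extract_c normalizes them into one tuple before verification; the only difference is where the node has to look. Because the hex time is hashed as a string, a signer that emits lowercase hex and a node that expects uppercase (or the reverse) will agree on the instant but not on the digest.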

URL authentication code example

See Authentication Code Examples in CDN Peripheral Tools.

Procedure

  1. On the Domain Names page, select a domain name, and click Configure.

  2. Go to Access Control > URL Authentication, and click Modify.

  3. Configure the parameters.