Referer-based hotlink protection is not completely secure. We recommend that you use URL signing to protect ApsaraVideo Live resources against illegal download and misuse. This topic describes how to configure URL signing in the console.
How it works
Alibaba Cloud CDN nodes work with live streaming servers of users to implement URL signing to protect live streaming resources against hotlinking in a more secure and reliable manner.
- A live streaming server of a user provides a signed URL that contains authentication information.
- The user sends a live stream ingest or live streaming request to a CDN node by using the signed URL.
- The CDN node verifies the authentication information in the signed URL to determine whether the request is valid. If the request is valid, the CDN node returns a successful response. Otherwise, the CDN node denies the request.
Equal signs (=) and plus signs (+) in the URL are escaped.
For more information about the scenarios and principles of URL signing, and the composition of a signed URL, see URL Authentication.
- Log on to the ApsaraVideo Live console.
- In the left-side navigation pane, click Domains to go to the Domain Management page.
- Select the streaming domain that you want to configure and click Domain Settings.
- Click the URL Authentication tab. Then, click Change Settings.
  Note By default, URL signing is enabled. Before you disable URL signing for the first time, make sure that you understand the risk of unauthorized use of your service and agree to the Terms for Disabling URL Authentication.
- Configure the authentication information and click OK. The following table describes the parameters.
  Parameter: Description
  - Authentication Type: ApsaraVideo Live ingest domains and streaming domains support only Type A signing to protect resources on the origin.
    Note If a URL signing error occurs, a 403 error code is returned. In this case, you must re-calculate the signature.
    - The MD5 value is invalid.
      X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be
    - The timestamp is invalid.
      X-Tengine-Error:denied by req auth: expired timestamp=1439469547
  - Primary Key: A random primary key is generated during initialization. You can customize the primary key for the selected signing type.
  - Secondary Key: Enter the secondary key for the selected signing type.
  - Validity Period: The signed URL can be used to initiate stream ingest or streaming only within the validity period. Persistent connections are established for live stream ingest and live streaming. Live stream ingest or live streaming that was initiated within the validity period is not terminated when the validity period expires. However, newly initiated live stream ingest and live streaming requests fail after the validity period expires.
    Default value: 30. Unit: minutes. You can customize the default validity period for the signed URL.
- Generate a signed URL. In the Generate Signed URL section, set the Original URL parameter and configure other authentication information. The following table describes the parameters.
  Parameter: Description
  - Original URL: Enter a complete URL, such as
  - Authentication Type: By default, Type A signing is used.
  - Cryptographic Key: Specify the authentication key as needed. The authentication key can be the primary key or the secondary key that you configured in the URL Authentication dialog box.
  - Validity Period: Specify the validity period for the signed URL as needed. Unit: seconds. Example: 1800.
    Note By default, the validity period is 30 minutes. If you need to specify a validity period of less than 30 minutes, set the Validity Period parameter to a negative value. For example, if you need to specify a validity period of 10 seconds, set the Validity Period parameter to -1790.
- Click Generate.
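The node-side check described under How it works, including the two 403 causes listed in the parameter table, as an added Python example that is not Alibaba Cloud's code. It assumes the Type A layout from Alibaba Cloud's URL Authentication documentation, which this page does not show: auth_key=timestamp-rand-uid-md5hash, where md5hash is the MD5 of "URI-timestamp-rand-uid-key" and the URL expires at timestamp plus the validity period. The keys, domain, function names and the order of the checks are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed sample values, not real keys or domains.
PRIMARY_KEY = "primary-key-constructed"
SECONDARY_KEY = "secondary-key-constructed"
SAMPLE_URL = "http://play.example.com/live/stream.flv"


def _md5hash(path, timestamp, rand, uid, key):
    # Assumed Type A signing string: URI-timestamp-rand-uid-key
    return hashlib.md5(f"{path}-{timestamp}-{rand}-{uid}-{key}".encode()).hexdigest()


def sign_type_a(url, key, timestamp, rand="0", uid="0"):
    """Origin side: append auth_key=timestamp-rand-uid-md5hash to the URL."""
    digest = _md5hash(urlsplit(url).path, timestamp, rand, uid, key)
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}auth_key={timestamp}-{rand}-{uid}-{digest}"


def verify_type_a(signed_url, keys, now, validity_seconds=1800):
    """Node side: return (ok, reason); reasons mirror the 403 causes above."""
    parts = urlsplit(signed_url)
    values = parse_qs(parts.query).get("auth_key")
    if not values:
        return False, "missing auth_key"
    fields = values[0].split("-")
    if len(fields) != 4 or not fields[0].isdigit():
        return False, "malformed auth_key"
    timestamp, rand, uid, md5hash = fields
    # Try the primary key, then the secondary key, so keys can be rotated.
    for key in keys:
        expected = _md5hash(parts.path, timestamp, rand, uid, key)
        if hmac.compare_digest(expected.encode(), md5hash.lower().encode()):
            break
    else:
        return False, "invalid md5hash"
    # New requests fail once timestamp + validity period has passed.
    if now > int(timestamp) + validity_seconds:
        return False, "expired timestamp"
    return True, "ok"


if __name__ == "__main__":
    signed = sign_type_a(SAMPLE_URL, PRIMARY_KEY, 1700000000)
    print(signed, verify_type_a(signed, [PRIMARY_KEY, SECONDARY_KEY], now=1700000060))
```

Because the path is part of the signing string, a signature issued for one stream does not validate for another, and a URL signed with a key that is neither the primary nor the secondary key is rejected as an invalid MD5 value.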