All Products
Search
Document Center

ApsaraVideo Live:Configure URL signing

Last Updated:Dec 26, 2023

Referer-based hotlink protection is not completely secure. We recommend that you also use URL signing to protect ApsaraVideo Live resources against illegal downloads and unauthorized operations. This topic describes how to configure URL signing in the ApsaraVideo Live console.

How URL signing works

ApsaraVideo Live works with your live streaming server to implement URL signing to protect live streaming resources against hotlinking in a more secure and reliable manner.

  1. Your live streaming server provides a signed URL that contains authentication information.

  2. Stream ingest or streaming users send a request to ApsaraVideo Live by using the signed URL.

  3. ApsaraVideo Live verifies the authentication information in the signed URL to determine whether the request is valid. ApsaraVideo Live accepts valid requests and rejects invalid requests.

Important

After a request URL is authenticated by ApsaraVideo Live, special characters such as equal signs (=) and plus signs (+) in the URL are escaped.

For more information about the scenarios of URL signing, how it works, and the composition of a signed URL, see URL signing.

Enable URL signing

  1. Log on to the ApsaraVideo Live console.
  2. In the left-side navigation pane, click Domains to go to the Domain Management page.
  3. Find the streaming domain that you want to configure and click Domain Settings in the Actions column.

    001

  4. Choose Streaming Management > Access Control.

  5. Click the URL Signing tab. Then, click Change Settings.

    修改配置

    Note
    • By default, URL signing is enabled for a domain name that you add. If you disable URL signing, make sure that you understand the risks of unauthorized use of your resources and agree to the Disclaimer for Disabling URL Signing.

    • When URL signing is enabled, you can click Change Settings to modify the URL signing settings. When URL signing is disabled, you can turn on URL Signing and then configure the URL signing settings.

  6. Configure the URL signing settings and click OK.

    URL鉴权配置

    The following table describes the parameters.

    Parameter

    Description

    Authentication Type

    ApsaraVideo Live streaming domains support only the authentication type of Type A to protect resources on the origin server.

    Note

    If URL signing fails, HTTP status code 403 is returned. In this case, you must recalculate the signature.

    • Invalid MD5 value

      Example: X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be

    • Invalid timestamp

      Example: X-Tengine-Error:denied by req auth: expired timestamp=1439469547

    Primary Key

    After you add a domain name, ApsaraVideo Live generates a random primary key for the domain name. To view the primary key, click Domains in the left-side navigation pane of the ApsaraVideo Live console. On the Domain Management page, find the domain name and click Domain Settings in the Actions column. On the page that appears, choose Streaming Management > Access Control. Then, view the primary key on the URL Signing tab. You can also change the primary key.

    Secondary Key

    Specify a custom secondary key.

    Validity Period

    Signed URLs can be used to initiate stream ingest or streaming requests only within the validity period. Persistent connections are established for stream ingest and streaming. Stream ingest and streaming requests that were initiated within the validity period are not dropped after the validity period expires. New stream ingest and streaming requests fail to be initiated after the validity period expires.

    The default validity period of signed URLs under a domain name that you add is 1 day or 1,440 minutes. You can specify a custom validity period for signed URLs. The minimum value is 1 minute. There is no upper limit.

Disable URL signing

Note
  • If you disable URL signing, make sure that you understand the risks of unauthorized use of your resources and agree to the Disclaimer for Disabling URL Signing.

  • After you disable URL signing, you can generate permanently valid ingest URLs and streaming URLs. If URL signing is enabled, you can specify the validity period of signed URLs based on your business requirements.

  1. On the URL Signing tab, click Sign Agreement.

  2. In the Sign Agreement dialog box, tick the checkbox and click Sign.

  3. After the Disclaimer for Disabling URL Signing is signed, click OK.

  4. Turn off URL Signing. After URL signing is disabled, you cannot encrypt URLs by setting cryptographic keys.

References

URL signing