Alibaba Cloud CDN provides the URL signing feature to protect origin servers from unauthorized downloads and access. The URL signing feature supports three signing types. This topic describes how type A signing works.

How URL signing affects caching

  • URL signing enabled: If a request passes the authentication, the authentication-specific parameters are removed from the request, which restores the URL to the original one without those parameters. That original URL is then used to generate the cache key and to fetch the resource from the origin server, so every valid signed request for the same resource maps to the same cache entry.
  • URL signing disabled: Alibaba Cloud CDN does not strip authentication-specific parameters, so you must make sure that user requests do not carry them. Otherwise, Alibaba Cloud CDN cannot restore the requests to the original URL, each request is treated as a different URL, and the resulting cache misses are forwarded to the origin server. This greatly increases the data transfer on the origin server and, with it, the data transfer fee.

How it works

URLs are signed in the following format:
http://DomainName/Filename?auth_key=timestamp-rand-uid-md5hash
If a request passes the authentication, authentication-specific parameters are removed from the URL to increase the cache hit ratio and reduce back-to-origin traffic.
  • The URL that is used as the cache key is in the following format:
    http://DomainName/Filename
  • The URL that is sent to the origin server is in the following format:
    http://DomainName/Filename
The following table describes the fields in a signed URL.
Field Description
DomainName The accelerated domain name.
Filename The actual URL that points to the requested resource on the origin server. The Filename field must start with a forward slash (/).
auth_key The query parameter that carries the signature. Its value has the format timestamp-rand-uid-md5hash. The cryptographic key (PrivateKey) that you set in the Alibaba Cloud CDN console is used only to compute md5hash and never appears in the URL.
timestamp The time at which your server generates the URL, expressed as a Unix timestamp in UTC (seconds since 1970-01-01 00:00:00 UTC), written as a 10-digit decimal integer. Together with the time-to-live (TTL) that you set for signed URLs in the Alibaba Cloud CDN console, this value controls when the URL expires: the URL is valid until timestamp + TTL. If you set the TTL to 1,800 seconds, the URL expires 1,800 seconds after the time specified by timestamp.

For example, if the URL is generated at 15:00:00 (UTC+8) on August 15, 2020 (2020-08-15 15:00:00) and the TTL is 1,800 seconds, the URL expires at 15:30:00 (UTC+8) on August 15, 2020 (2020-08-15 15:30:00).

rand A random number. It must not contain hyphens (-), because the hyphen separates the fields of auth_key. Example: 477b3bbc253f467b8def6711128c7bec. We recommend that you use a universally unique identifier (UUID) with the hyphens removed.
uid The user ID. Set this field to 0.
md5hash The MD5 hash of the signature string described below, written as 32 lowercase hexadecimal characters (digits and the lowercase letters a to f).
When an edge node receives a request, it first checks whether the time calculated by adding the timestamp in the request and the TTL configured for signed URLs is earlier than the current time.
  • If timestamp + TTL is earlier than the current time, the URL has expired and the edge node returns a 403 error.
  • Otherwise, the edge node builds a string in the same format as sstring from the requested URI, the timestamp, rand, and uid fields of the request, and the cryptographic key that you configured. It then calculates the MD5 hash of this string (HashValue) and compares it with the md5hash value in the request.
    • If they are the same, the request passes the authentication and the edge node returns the requested resource.
    • If they are different, the request fails the authentication and the edge node returns a 403 error.
    The HashValue is calculated as follows:
    sstring = "URI-Timestamp-rand-uid-PrivateKey"
    HashValue = md5sum(sstring)
    Here, URI is the path of the requested resource (the Filename field, which starts with a forward slash) without the query string, and PrivateKey is the cryptographic key that you set. Because the key is an input to the hash, a client that does not know the key cannot produce a valid md5hash for a different path or a later timestamp.

Examples

The following example shows how to implement type A signing.
  1. For example, a user wants to retrieve the following resource from the origin server:
    http://cdn.example.com/video/standard/1K.html
  2. The cryptographic key is aliyuncdnexp1234.
  3. The timestamp is 00:00:00 UTC on October 10, 2015 (2015-10-10 00:00:00 UTC), which is the decimal Unix timestamp 1444435200.
  4. The signature string is built in the format URI-Timestamp-rand-uid-PrivateKey, with both rand and uid set to 0:
    /video/standard/1K.html-1444435200-0-0-aliyuncdnexp1234
  5. The HashValue is calculated from the signature string:
    HashValue = md5sum("/video/standard/1K.html-1444435200-0-0-aliyuncdnexp1234") = 80cd3862d699b7118eed99103f2a3a4f
  6. The signed URL is generated by appending auth_key=timestamp-rand-uid-md5hash to the resource URL:
    http://cdn.example.com/video/standard/1K.html?auth_key=1444435200-0-0-80cd3862d699b7118eed99103f2a3a4f
    Note If the URL contains Chinese characters, URL-encode them before you sign the URL and compute the hash over the encoded path, because the edge node hashes the path string as it appears in the request.

If the HashValue calculated by the edge node is the same as the md5hash value contained in the request (both are 80cd3862d699b7118eed99103f2a3a4f in this example), the request passes the authentication. Otherwise, the request fails the authentication.
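The following Python script is an added example and is not code from the Alibaba Cloud documentation. It implements both sides of the type A scheme described above: make_auth_key and sign_url play the role of your signing server, and verify_request plays the role of the edge node, rejecting expired, malformed and tampered URLs and returning the URL with auth_key stripped, which is the cache key. The function names, the constant-time comparison and the format checks on timestamp and md5hash are my additions; the key, path and timestamp are taken from the page's example, and the MD5-over-sstring construction is used exactly as the page specifies.

```python
import hashlib
import hmac
import re
import time
import uuid
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

AUTH_PARAM = "auth_key"
_HEX32 = re.compile(r"[0-9a-f]{32}")   # md5hash: 32 lowercase hex characters
_TS10 = re.compile(r"[0-9]{10}")       # timestamp: 10-digit decimal Unix seconds


def make_auth_key(uri, key, timestamp, rand=None, uid="0"):
    """Build the auth_key value 'timestamp-rand-uid-md5hash' for a resource path.

    uri is the Filename field: the path starting with '/', without the query
    string. key is the secret configured in the console; it is hashed into
    md5hash only and never placed in the URL.
    """
    if not uri.startswith("/"):
        raise ValueError("Filename must start with '/'")
    if rand is None:
        rand = uuid.uuid4().hex            # UUID as 32 hex chars, no hyphens
    if "-" in rand or "-" in uid:
        raise ValueError("rand and uid must not contain '-' (the field separator)")
    sstring = f"{uri}-{timestamp}-{rand}-{uid}-{key}"   # URI-Timestamp-rand-uid-PrivateKey
    md5hash = hashlib.md5(sstring.encode("utf-8")).hexdigest()
    return f"{timestamp}-{rand}-{uid}-{md5hash}"


def sign_url(url, key, timestamp=None, rand=None):
    """Return url with auth_key appended; existing query parameters are kept."""
    parts = urlsplit(url)
    if timestamp is None:
        timestamp = int(time.time())
    auth = make_auth_key(parts.path, key, timestamp, rand)
    query = parts.query + ("&" if parts.query else "") + f"{AUTH_PARAM}={auth}"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def verify_request(url, key, ttl, now=None):
    """Edge-node check. Returns (status, cache_key_url).

    status is 200 when the request passes and 403 otherwise. On success the
    cache key is the request URL with auth_key removed, i.e. the URL the CDN
    caches on and forwards to the origin.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    auth_values = [v for k, v in params if k == AUTH_PARAM]
    if len(auth_values) != 1:
        return 403, None
    fields = auth_values[0].split("-")
    if len(fields) != 4:
        return 403, None
    ts, rand, uid, md5hash = fields
    if not (_TS10.fullmatch(ts) and _HEX32.fullmatch(md5hash)):
        return 403, None
    now = int(time.time()) if now is None else now
    if int(ts) + ttl < now:                # timestamp + TTL earlier than now: expired
        return 403, None
    sstring = f"{parts.path}-{ts}-{rand}-{uid}-{key}"
    expected = hashlib.md5(sstring.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(expected, md5hash):   # constant-time comparison
        return 403, None
    rest = [(k, v) for k, v in params if k != AUTH_PARAM]
    cache_key = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(rest), ""))
    return 200, cache_key


if __name__ == "__main__":
    KEY = "aliyuncdnexp1234"               # key from the page's example
    TS = 1444435200                        # 2015-10-10 00:00:00 UTC
    signed = sign_url("http://cdn.example.com/video/standard/1K.html", KEY, timestamp=TS, rand="0")
    print(signed)
    print(verify_request(signed, KEY, ttl=1800, now=TS + 60))     # valid: (200, cache key)
    print(verify_request(signed, KEY, ttl=1800, now=TS + 1801))   # expired: (403, None)
```

The verifier checks the field formats before hashing, so a malformed auth_key never reaches the comparison, and it compares with hmac.compare_digest so that a wrong md5hash is not distinguishable by timing. Note that the scheme only binds the path, timestamp, rand and uid; anything else in the query string is not covered by the signature, which is also why it can be stripped to form the cache key.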