Alibaba Cloud CDN provides the URL signing feature to protect origin servers from unauthorized access and downloads. The URL signing feature supports three signing types. This topic describes how type C signing works.

Usage notes

  • URL signing enabled: If a request passes authentication, Alibaba Cloud CDN removes the authentication-specific parameters and restores the URL to the original one without them. The restored URL is then used to generate the cache key and to retrieve the resource from the origin server.
  • URL signing disabled: Authentication-specific parameters must be removed from user requests. Otherwise, Alibaba Cloud CDN cannot restore the requests to the original URLs, because it does not strip the parameters. This results in cache misses, and the requests are redirected to the origin server. In this case, data transfer on the origin server increases greatly, which also increases the data transfer fee.

Signing formats

URLs are signed in one of the following formats:
  • Format 1
    http://DomainName/{<md5hash>/<timestamp>}/FileName
  • Format 2
    http://DomainName/FileName{&KEY1=<md5hash>&KEY2=<timestamp>}
Note The content enclosed by braces ({}) indicates the signing information that is added to the standard URL.

If a request passes the authentication, authentication-specific parameters are removed from the URL to increase the cache hit ratio and reduce back-to-origin traffic.

  • The URL that is used as the cache key is in the following format whether the URL is in Format 1 or Format 2:
    http://DomainName/FileName
  • The URL that is redirected to the origin server is in the following format whether the URL is in Format 1 or Format 2:
    http://DomainName/FileName
The fields in a signed URL are described as follows:
  • DomainName: The accelerated domain name.
  • FileName: The actual URL that points to the requested resource on the origin server. The FileName field must start with a forward slash (/).
  • timestamp: The time when the connection between the client and origin server is established, as a UNIX timestamp. It is a plaintext string that is 10 characters in length and indicates the number of seconds that have elapsed since 00:00:00 (UTC+8) on January 1, 1970. The number is a hexadecimal value.
  • md5hash: The string that is calculated by using the MD5 algorithm. The string must be 32 characters in length and can contain digits and lowercase letters.

Examples

The following example shows how to implement type C signing.
  • The value of the PrivateKey field is aliyuncdnexp1234.
  • The value of the FileName field is /test.flv.
  • The value of the timestamp field is 55CE8100.
  • In this case, the MD5 hash is calculated over the concatenation PrivateKey + FileName + timestamp:
    md5hash = md5sum("aliyuncdnexp1234/test.flv55CE8100") = a37fa50a5fb8f71214b1e7c95ec7a1bd
  • A signed URL is generated in one of the following formats:
    Note If the URL contains Chinese characters, use URL encoding to transcode the Chinese characters before you sign the URL.
    • Format 1:
      http://cdn.example.com/a37fa50a5fb8f71214b1e7c95ec7a1bd/55CE8100/test.flv
    • Format 2:
      http://cdn.example.com/test.flv?KEY1=a37fa50a5fb8f71214b1e7c95ec7a1bd&KEY2=55CE8100
When a user sends a request that contains the signed URL to an edge node, the edge node extracts the signature string (String 1) from the URL and obtains the FileName and the time when the connection between the client and origin server is established. The edge node then authenticates the request as follows:
  1. The edge node calculates the MD5 hash of the FileName of the unsigned URL, the connection time, and the PrivateKey, in the same way as the client did. The result is a second string (String 2).
  2. The edge node compares String 1 with String 2. If the two strings are different, the request is rejected.
  3. The edge node checks whether the difference between the current time and the time in the URL exceeds the validity period t. The default value of t is 1,800 seconds.
    • If the time difference is less than the validity period, the edge node responds to the request.
    • If the time difference is greater than the validity period, the edge node rejects the request and returns a 403 error.
    Note A TTL of 1,800 seconds means that a request fails authentication if the difference between the current time and the time specified in the URL is greater than 1,800 seconds. For example, if the connection between the client and origin server is established at 15:00:00 (UTC+8) on August 15, 2020 (2020-08-15 15:00:00), the URL expires at 15:30:00 (UTC+8) on August 15, 2020 (2020-08-15 15:30:00).
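The signing example and the edge-side verification steps above, as an added Python example that is not part of the original documentation or of Alibaba Cloud's own code. It assumes the hash input is the concatenation PrivateKey + FileName + timestamp shown in the example and renders the timestamp as uppercase hexadecimal; the function names and the restored-URL return value are this example's own.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

TTL_SECONDS = 1800  # default validity period t


def type_c_hash(private_key: str, file_name: str, ts_hex: str) -> str:
    """md5hash = md5(PrivateKey + FileName + timestamp): 32 lowercase hex characters."""
    return hashlib.md5(f"{private_key}{file_name}{ts_hex}".encode("utf-8")).hexdigest()


def sign_url(domain: str, file_name: str, private_key: str, ts: int, fmt: int = 1) -> str:
    """Build a Format 1 or Format 2 signed URL. ts is a UNIX time; it is rendered
    as uppercase hex (assumption based on the page's example value 55CE8100)."""
    if not file_name.startswith("/"):
        raise ValueError("FileName must start with '/'")
    ts_hex = f"{ts:X}"
    h = type_c_hash(private_key, file_name, ts_hex)
    if fmt == 1:
        return f"http://{domain}/{h}/{ts_hex}{file_name}"
    return f"http://{domain}{file_name}?KEY1={h}&KEY2={ts_hex}"


def verify_url(url: str, private_key: str, now: int, ttl: int = TTL_SECONDS):
    """Edge-node check. Returns (ok, reason, restored_url); restored_url is the
    http://DomainName/FileName form used as the cache key and back-to-origin URL."""
    parts = urlsplit(url)
    query = dict(kv.split("=", 1) for kv in parts.query.split("&") if "=" in kv)
    if "KEY1" in query and "KEY2" in query:  # Format 2: signature in the query string
        h, ts_hex, file_name = query["KEY1"], query["KEY2"], parts.path
    else:  # Format 1: /<md5hash>/<timestamp>/FileName
        seg = parts.path.split("/", 3)  # ['', md5hash, timestamp, FileName]
        if len(seg) < 4:
            return False, "malformed", None
        h, ts_hex, file_name = seg[1], seg[2], "/" + seg[3]
    # Steps 1 and 2: recompute String 2 and compare it with String 1 in constant time
    if not hmac.compare_digest(h, type_c_hash(private_key, file_name, ts_hex)):
        return False, "hash mismatch", None
    # Step 3: reject when the URL's time is older than now by more than ttl seconds
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return False, "bad timestamp", None
    if now - ts > ttl:
        return False, "expired (403)", None
    return True, "ok", f"http://{parts.netloc}{file_name}"
```

Running `sign_url("cdn.example.com", "/test.flv", "aliyuncdnexp1234", 0x55CE8100)` reproduces the page's Format 1 URL shape, and feeding the result to `verify_url` shows the restored cache-key URL the page describes.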