Alibaba Cloud Content Delivery Network (CDN) provides the URL signing feature to protect origin servers from unauthorized access and downloads. Hotlink protection provides a referer blacklist and a referer whitelist that can address some hotlink issues. However, the Referer header can be forged, so origin servers need stronger protection than hotlink protection alone. In this case, you can enable the URL signing feature to protect your origin server.
- URLs can be signed by CDN nodes. Signed URLs carry signature information that can be used for permission verification.
- Users send signed URLs to CDN nodes.
- CDN nodes authenticate the signatures of the URLs to determine whether the requests are valid. If a request is valid, the CDN node returns a response. If a request is invalid, the CDN node rejects the request.
For more information about the sample Python code block for URL signing, see URL signing examples.
=) and plus signs (+) in the URL are escaped.
- Log on to the Alibaba Cloud CDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
- In the management pane of the domain name, click Access Control.
- Click the URL Signing tab.
- In the URL Signing section, click Modify.
- In the Set URL Signing dialog box, turn on URL Signing and set the parameters.
  Parameter and description:
  - Type: Alibaba Cloud CDN supports three signing types. You can select a signing type based on your business requirements to protect resources on your origin server. Supported signing types are:
    Note: If a URL signing error occurs, a 403 error is returned. Causes of the error include:
    - Invalid MD5 values
      X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be
    - Invalid timestamps
      X-Tengine-Error:denied by req auth: expired timestamp=1439469547
  - Primary Key: Specify the primary key for the selected signing type.
  - Secondary Key: Specify the secondary key for the selected signing type.
- Click OK.
What to do next
- In the Generate Signed URL section, enter the Original URL and signing information.
  Parameter and description:
  - Original URL: Enter a complete URL, for example,
  - Type
  - Cryptographic Key: Set the cryptographic key. The Cryptographic Key is the Primary Key or Secondary Key specified in the URL Signing settings.
  - Validity Period: Set the validity period of the signed URL based on your business requirements. Unit: seconds. Example: 1800.
    Note: The default validity period is 30 minutes. If you want to set a validity period of less than 30 minutes, set Validity Period to a negative value. For example, if you want to set the validity period to 10 seconds, set Validity Period to -1790.
- Click Generate.
A Signed URL and a Timestamp are generated.
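
The sign-then-verify flow and the Validity Period note above, as an added Python example that is not Alibaba Cloud's sample code. Assumptions: the `auth_key=timestamp-rand-uid-md5hash` layout, the function names, and the sample keys and path are constructed for illustration, and the expiry rule (stamped time plus the 30-minute default) is one reading of the note, under which -1790 yields a 10-second lifetime.

```python
import hashlib
import hmac

DEFAULT_TTL = 1800  # the 30-minute default validity period, in seconds

# Constructed sample values, not real credentials or paths.
PRIMARY, SECONDARY = "constructed-primary-key", "constructed-secondary-key"
PATH, NOW = "/video/sample.mp4", 1_700_000_000


def _digest(path, timestamp, rand, uid, key):
    # Assumed signing string: path-timestamp-rand-uid-key, hashed with MD5.
    return hashlib.md5(f"{path}-{timestamp}-{rand}-{uid}-{key}".encode()).hexdigest()


def sign(path, key, now, validity_period=0, rand="0", uid="0"):
    """Build path?auth_key=timestamp-rand-uid-md5hash (assumed layout)."""
    # Assumption: the stamped time is now + validity_period; the verifier
    # then adds DEFAULT_TTL, so a negative value shortens the lifetime.
    timestamp = now + validity_period
    return f"{path}?auth_key={timestamp}-{rand}-{uid}-{_digest(path, timestamp, rand, uid, key)}"


def verify(signed_url, keys, now, ttl=DEFAULT_TTL):
    """Return (status, reason) for a request, trying each configured key."""
    path, _, query = signed_url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    parts = params.get("auth_key", "").split("-")
    if len(parts) != 4 or not parts[0].isdecimal():
        return 403, "malformed auth_key"
    timestamp, rand, uid, md5hash = parts
    # Authenticate first, so the timestamp is only trusted once it is signed.
    # Accepting primary and secondary keys lets a key be rotated.
    if not any(
        hmac.compare_digest(_digest(path, timestamp, rand, uid, k).encode(), md5hash.encode())
        for k in keys
    ):
        return 403, f"invalid md5hash={md5hash}"
    if now > int(timestamp) + ttl:
        return 403, f"expired timestamp={timestamp}"
    return 200, "ok"


if __name__ == "__main__":
    short = sign(PATH, PRIMARY, NOW, validity_period=-1790)
    print(verify(short, [PRIMARY, SECONDARY], NOW + 10))  # still valid
    print(verify(short, [PRIMARY, SECONDARY], NOW + 11))  # expired
```

The two rejection reasons mirror the `invalid md5hash` and `expired timestamp` causes listed for the 403 error.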