The URL signing feature protects origin server resources from unauthorized download and access. Hotlink protection lets you configure a referer blacklist or whitelist to prevent some hotlinking, but it cannot completely protect resources on the origin server because the Referer header can be forged. URL signing addresses this gap and is a more secure and effective way to protect resources on the origin server.

Background information

A CDN node works with the origin server to implement URL signing, which protects resources on the origin server in a more secure and reliable manner.
  • The CDN node provides signed URLs that contain permission verification information.
  • You send a request to a CDN node by using a signed URL.
  • The CDN node verifies the permission information in the signed URL to determine whether the request is valid. If the request is valid, the CDN node returns a successful response. If the request is invalid, the CDN node rejects the request.

For sample Python authentication code, see Sample authentication code.

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the target domain name and click Manage.
  4. In the left-side navigation pane of the specified domain, click Access Control.
  5. Click the URL Signing tab.
  6. In the URL Signing section, click Modify.
  7. Turn on URL Signing and configure the required parameters.
    Parameter: Description
    Type: Alibaba Cloud CDN supports three signing types. You can select a signing type based on your needs to protect resources on the origin server. The following URL signing types are supported:
    Note: If a URL signing error occurs, a 403 error is returned.
    • MD5 calculation errors

      Example: X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be

    • Time-related errors

      Example: X-Tengine-Error:denied by req auth: expired timestamp=1439469547

    Primary Key: The primary key corresponding to the selected signing type.
    Secondary Key: The secondary key corresponding to the selected signing type.
  8. Click OK.

What to do next

To generate a signed URL, follow these steps:
  1. In the Generate Signed URL section, configure Original URL and signing information.
    Parameter: Description
    Original URL: Enter a complete original URL, for example, https://www.aliyun.com.
    Type: Select a signing type based on your needs.
    Cryptographic Key: Set the signing key. Cryptographic Key can be Primary Key or Secondary Key configured in the Set URL Signing dialog box.
    Validity Period: Set the validity period for URL signing. Unit: seconds. Example: 1800.
  2. Click Generate.
    You can obtain Signed URL and Timestamp.
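
The validation flow described under Background information and the two 403 cases listed in the procedure (invalid md5hash, expired timestamp) can be sketched as follows. This is an added example, not Alibaba Cloud's sample code: the auth_key field layout, the function names, the keys and the rule that either the primary or the secondary key is accepted are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumed token layout (illustrative, not taken from this page):
#   <path>?auth_key=<expiry>-<rand>-<uid>-<md5hash>
#   md5hash = MD5("<path>-<expiry>-<rand>-<uid>-<key>")

def _md5hash(path, expiry, rand, uid, key):
    return hashlib.md5(f"{path}-{expiry}-{rand}-{uid}-{key}".encode()).hexdigest()

def sign_url(path, key, validity, now=None, rand="0", uid="0"):
    """Sign `path` so that it stays valid for `validity` seconds."""
    expiry = int(time.time() if now is None else now) + validity
    return f"{path}?auth_key={expiry}-{rand}-{uid}-{_md5hash(path, expiry, rand, uid, key)}"

def verify_url(url, keys, now=None):
    """Return (status, reason) as an edge node would: 200, or 403 with the cause."""
    now = int(time.time() if now is None else now)
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    parts = params.get("auth_key", "").split("-")
    if len(parts) != 4 or not parts[0].isdecimal():
        return 403, "malformed auth_key"
    expiry, rand, uid, md5hash = parts
    # Check the hash before the timestamp: the expiry is covered by the hash,
    # so editing it in the URL to extend the lifetime is rejected here.
    # Trying each configured key (primary, then secondary) lets a key be
    # rotated without breaking URLs that were already handed out.
    if not any(hmac.compare_digest(_md5hash(path, expiry, rand, uid, k).encode(),
                                   md5hash.encode()) for k in keys):
        return 403, f"invalid md5hash={md5hash}"
    if int(expiry) < now:
        return 403, f"expired timestamp={expiry}"
    return 200, "ok"

if __name__ == "__main__":
    keys = ["constructed-primary-key", "constructed-secondary-key"]  # constructed values
    url = sign_url("/video/demo.mp4", keys[0], validity=1800, now=1_700_000_000)
    print(verify_url(url, keys, now=1_700_000_100))   # within the validity period
    print(verify_url(url, keys, now=1_700_002_000))   # after expiry
    # Constructed tampering case: expiry edited in the URL without re-signing.
    print(verify_url(url.replace("1700001800", "1900000000"), keys, now=1_700_002_000))
```
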