Referer-based hotlink protection is not completely secure. We recommend that you use URL authentication to protect resources on the origin server against illegal downloads and misuse.

How URL authentication works

Alibaba Cloud Content Delivery Network (CDN) nodes work together with the origin server to authenticate URLs. This is a more secure and reliable method to protect resources on the origin server against hotlinking. The ApsaraVideo VOD console supports only authentication method A. For more information, see URL authentication.

  1. The origin server provides a signed URL that contains authentication information.
  2. A user sends a request to a CDN node by using the signed URL.
  3. The CDN node verifies the authentication information in the signed URL to determine whether the request is valid. If the request is valid, the CDN node returns a success response. Otherwise, the CDN node denies the request.
Notice: After a request URL is authenticated by a CDN node, special characters such as equal signs (=) and plus signs (+) in the URL are encoded.

Procedure

  1. Log on to the ApsaraVideo VOD console.
  2. In the left-side navigation pane, click Configuration Management.
  3. Choose CDN Configuration > Domain Names.
  4. On the Domain Names page, select the domain name that you want to configure, and click Configure in the Actions column.
  5. Click Resource Access Control.
  6. Click the URL Authentication tab. On the URL Authentication tab, click Modify.
  7. Enable URL Authentication, configure the authentication information, and then click OK.
    The following table describes the parameters.

    Parameter: Description

    Authentication Method: ApsaraVideo VOD supports only authentication method A to protect resources on the origin server.
    Note: If URL authentication fails, a 403 error code is returned. In this case, you must re-calculate the signature.
    • The MD5 value is invalid.

      Example: X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be

    • The timestamp is invalid.

      Example: X-Tengine-Error:denied by req auth: expired timestamp=1439469547

    Primary Key: Specify the primary key for the selected authentication method.

    Secondary Key: Specify the secondary key for the selected authentication method.

    Default Validity Period: Specify the default validity period for the signed URL. Unit: minutes.

    Support Previewing: If the preview feature is enabled, users can view or listen to a snippet of a video or audio file, such as the first 5 minutes of the file. This feature is widely used in paid services, such as video or audio content for which non-members are charged a fee. For more information, see Configure the preview feature for VOD resources.

    After URL authentication is enabled and configured, it takes effect for the entire domain name.

    After URL authentication is enabled, if all your resources are in the ApsaraVideo VOD console, the console will automatically generate a signed URL with an expiry time. You can also obtain the signed URL by calling the GetPlayInfo API.
    Note: After URL authentication is enabled, the URLs of video, audio, thumbnail, and snapshot files are signed.
  8. Optional: Generate a signed URL.
    Note: You can use the Generate Authentication URL feature in the ApsaraVideo VOD console to test and verify the effect of a signed URL.
    In the Generate Authentication URL section, configure the Original URL parameter and other authentication parameters.
    The following table describes the parameters.

    Parameter: Description

    Original URL: Enter a complete URL, such as https://www.aliyun.com.

    Authentication Method: By default, authentication method A is used.

    Authentication Key: Specify the authentication key as needed. The Authentication Key can be the Primary Key or the Secondary Key that you configured in the URL Authentication dialog box.

    Validity Period: Specify the validity period for the signed URL as needed. Unit: seconds. Example: 1,800.
    Note: Example: In the Set URL Authentication section, Default Validity Period is set to 1,800 seconds.
    • If you do not configure the Validity Period parameter in the Generate Authentication URL section, the actual validity period of the generated signed URL is 1,800 seconds.
    • If you set the Validity Period in the Generate Authentication URL section to 1,800 seconds, the actual validity period of the generated signed URL is 3,600 seconds.
  9. Optional: Click Generate.
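
The signing and CDN-side check described under "How URL authentication works", together with the 1,800 + 1,800 = 3,600-second validity case from the Generate Authentication URL note, as an added example (not code from this page or from Alibaba Cloud). It assumes the auth_key=timestamp-rand-uid-md5hash layout that Alibaba Cloud CDN documents for authentication method A, which this page does not spell out; the function names, keys, host, order of checks, and reason strings are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

def _md5hash(path, timestamp, rand, uid, key):
    # Assumed type A signing string: "<path>-<timestamp>-<rand>-<uid>-<key>"
    return hashlib.md5(f"{path}-{timestamp}-{rand}-{uid}-{key}".encode()).hexdigest()

def sign_url(url, key, timestamp, rand="0", uid="0"):
    """Origin side: append auth_key=timestamp-rand-uid-md5hash to the URL."""
    digest = _md5hash(urlsplit(url).path, timestamp, rand, uid, key)
    sep = "&" if urlsplit(url).query else "?"
    return f"{url}{sep}auth_key={timestamp}-{rand}-{uid}-{digest}"

def verify_url(url, keys, default_validity_s, now):
    """CDN side (model): return (allowed, reason) for a signed URL."""
    parts = urlsplit(url)
    fields = parse_qs(parts.query).get("auth_key", [""])[0].split("-")
    if len(fields) != 4 or not fields[0].isdecimal():
        return False, "missing or malformed auth_key"
    timestamp, rand, uid, md5hash = fields
    # Authenticate first: the timestamp is only trustworthy once the hash matches.
    # Either configured key (primary or secondary) may have signed the URL.
    if not any(hmac.compare_digest(_md5hash(parts.path, timestamp, rand, uid, k).encode(),
                                   md5hash.encode()) for k in keys):
        return False, f"invalid md5hash={md5hash}"
    # The URL stays valid until timestamp + Default Validity Period.
    if now > int(timestamp) + default_validity_s:
        return False, f"expired timestamp={timestamp}"
    return True, "ok"

# Constructed sample values, not real keys or hosts.
KEYS = ["constructed-primary-key", "constructed-secondary-key"]
ISSUED = 1700000000
# Validity Period 1,800 s entered in the generator -> timestamp = issue time + 1,800.
SIGNED = sign_url("https://vod.example.com/video/sample.mp4", KEYS[0], ISSUED + 1800)

if __name__ == "__main__":
    print(SIGNED)
    print(verify_url(SIGNED, KEYS, 1800, now=ISSUED + 3600))   # within 3,600 s
    print(verify_url(SIGNED, KEYS, 1800, now=ISSUED + 3601))   # past 3,600 s
    print(verify_url(SIGNED.replace("sample", "other"), KEYS, 1800, now=ISSUED))
```

Because the path is part of the hashed string, a signature issued for one file cannot be reused for another, and changing the timestamp in the URL invalidates the hash rather than extending the lifetime.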