By default, content distributed by CDN services is publicly available: anyone who knows a URL can fetch the resource behind it. To protect your resources from hotlinking and unauthorized access, you can use Referer whitelists and blacklists, IP whitelists and blacklists, and URL signing. URL signing adds a signature string and a timestamp to each URL so that CDN edge nodes can check that the request was authorized by your origin server and has not expired. This topic describes how URL signing works, how to enable or disable it, and how to verify the URL signing settings.

How URL signing works

URL signing is implemented jointly by the origin server and the CDN edge nodes and protects the origin server against hotlinking. It involves the following parties:
  • Origin server: signs URLs according to the URL signing rules (authentication algorithm and cryptographic keys) and returns the signed URLs to clients.
  • Client: initiates a request and sends the signed URL to a CDN edge node for authentication.
  • CDN edge nodes: verify the authentication information carried by the request, including the signature and the timestamp.
URL signing
  1. Set the URL signing rules, including the authentication algorithm and cryptographic keys, on your origin server.

    For example, http://DomainName/timestamp/md5hash/FileName is a URL signed by the origin server: timestamp is the time the URL was issued and md5hash is the signature string computed with the cryptographic key.

  2. When a client requests a resource, the origin server signs the URL according to the signing rules and returns the signed URL to the client, as shown in Step 2 and Step 3 in the preceding figure.
  3. The client uses the signed URL to request the resource from a CDN edge node.
  4. The CDN edge node checks the authentication information carried by the request, including the signature string and the timestamp, and decides whether the request is valid.
    • If the request fails authentication, the edge node rejects it.
    • If the request passes authentication, the edge node serves it.
      Note
      • If the requested resource is not cached on the edge node, the node strips the authentication parameters and restores the original URL, for example http://DomainName/FileName, before it forwards the request to the origin server. The original URL is also used to generate the cache key, so all valid signed URLs for the same resource share one cache entry.
      • After a request passes authentication, special characters in the URL, such as equal signs (=) and plus signs (+), are escaped.
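The following is an added example, not Alibaba Cloud's code, that models the flow above end to end: the origin signs http://DomainName/timestamp/md5hash/FileName, the edge verifies the signature and the timestamp against the TTL, rejects with 403 on failure, and on success strips the authentication segments to recover http://DomainName/FileName for the cache key and the origin request. The page does not fix several details, so these are assumptions: md5hash is MD5(key + timestamp + FileName), which is Alibaba Cloud's Type B rule, and you must match the documented rule of the type you select; the timestamp is decimal Unix seconds (the form that appears in the expired-timestamp error quoted later on the page); the edge accepts a signature made with either the primary or the secondary key; and the key values, DomainName and file paths are constructed sample data.

```python
"""Added example (not Alibaba Cloud's code): a model of CDN URL signing.

Assumptions, because the page does not fix these details:
  * md5hash = MD5(key + timestamp + FileName). This is Alibaba Cloud's Type B
    rule; check the documented rule for the type you select in the console.
  * timestamp is decimal Unix seconds (as in 'expired timestamp=1439469547').
  * The edge accepts a signature made with either the primary or the secondary
    key, which is what lets you rotate keys without breaking issued URLs.
  * Keys, DomainName and file paths are constructed sample data.
"""
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

PRIMARY_KEY = "example-primary-key"
SECONDARY_KEY = "example-secondary-key"
TTL = 1800  # console default: 30 minutes


def md5hash(key: str, timestamp: int, filename: str) -> str:
    """Signature over key, timestamp and the file path (leading slash included)."""
    return hashlib.md5(f"{key}{timestamp}{filename}".encode()).hexdigest()


def sign_url(url: str, key: str, timestamp: int) -> str:
    """Origin side: prefix the path with /timestamp/md5hash/."""
    parts = urlsplit(url)
    filename = parts.path or "/"
    signed_path = f"/{timestamp}/{md5hash(key, timestamp, filename)}{filename}"
    return urlunsplit(parts._replace(path=signed_path))


def verify_url(signed_url: str, keys, now: int, ttl: int = TTL):
    """Edge side. Returns (http_status, reason, original_url_or_None).

    The two rejection reasons quoted on the page are reused verbatim; the
    'missing auth segments' reason is invented for this model.
    """
    parts = urlsplit(signed_url)
    segments = parts.path.split("/", 3)  # ['', timestamp, md5hash, FileName]
    if len(segments) < 4 or not segments[1].isdigit() or len(segments[2]) != 32:
        return 403, "denied by req auth: missing auth segments", None
    timestamp, sig, filename = int(segments[1]), segments[2], "/" + segments[3]

    # Signature first, so a tampered timestamp or path is reported as an
    # invalid md5hash rather than as expired. compare_digest is constant-time.
    if not any(hmac.compare_digest(sig, md5hash(k, timestamp, filename)) for k in keys):
        return 403, f"denied by req auth: invalid md5hash={sig}", None
    # A signed URL is valid until timestamp + TTL (inclusive).
    if now > timestamp + ttl:
        return 403, f"denied by req auth: expired timestamp={timestamp}", None
    # Passed: restore the original URL for the cache key / origin request.
    return 200, "ok", urlunsplit(parts._replace(path=filename))


if __name__ == "__main__":
    issued = 1597474800  # 2020-08-15 15:00:00 UTC+8, the page's example time
    keys = [PRIMARY_KEY, SECONDARY_KEY]
    signed = sign_url("http://DomainName/video/1.mp4", PRIMARY_KEY, issued)
    print(signed)
    for label, url, now in [
        ("valid", signed, issued + 600),
        ("at expiry boundary", signed, issued + TTL),
        ("expired", signed, issued + TTL + 1),
        ("tampered path", signed.replace("1.mp4", "2.mp4"), issued + 600),
        ("no auth segments", "http://DomainName/video/1.mp4", issued + 600),
    ]:
        print(f"{label:20} -> {verify_url(url, keys, now)}")
```

Two points the model makes visible: the restored URL is identical for every valid signed URL of the same file, which is why the cache key must be derived from it and not from the signed URL, and a request whose path or timestamp was altered after signing fails on the signature check, so a client cannot extend a URL's lifetime by editing the timestamp.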

Configure and enable URL signing

Notice
  • Before you enable URL signing, make sure that you have set the URL signing rules, including the authentication algorithm and cryptographic keys, on the origin server.
  • The signing type, keys, and TTL configured on the CDN edge nodes must match the logic on the origin server exactly. Any mismatch causes valid requests to be rejected with a 403 error.
  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
  4. In the left-side management pane of the domain name, click Access Control.
  5. Click the URL Signing tab.
  6. In the URL Signing section, click Modify.
  7. In the Set URL Signing dialog box, turn on URL Signing and set the parameters.
    Configure URL signing
    Parameter Description
    Type
    Alibaba Cloud CDN supports three URL signing types. Select a signing type based on your business requirements to protect the resources on your origin server. Supported signing types are:
    Note If URL signing fails, the CDN edge node returns a 403 error. Causes include:
    • An invalid MD5 value, for example:

      X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be

    • An expired or otherwise invalid timestamp, for example:

      X-Tengine-Error:denied by req auth: expired timestamp=1439469547

    Primary Key Specify the primary key for the selected signing type.
    Secondary Key Specify the secondary key for the selected signing type.
    TTL Specify the time-to-live (TTL) of signed URLs. A signed URL is valid until timestamp + TTL; after that, CDN edge nodes reject it. Choose the shortest TTL your clients can tolerate, because a signed URL that leaks (for example, by being shared) can be used by anyone until it expires.
    • Unit: seconds.
    • Valid values: 1 to 31536000 (one year).
    • Default value: 1800 (30 minutes).
    • Example: the timestamp of a signed URL is 2020-08-15 15:00:00 (UTC+8) and the TTL is 1800. The signed URL remains valid until 15:30:00 on August 15, 2020 (UTC+8).
  8. Click OK.

Check the URL signing result

To confirm that the authentication logic is implemented correctly, we recommend that you generate a signed URL in the Alibaba Cloud CDN console and compare it with the URL that your origin server produces for the same original URL, signing type, key, and timestamp. The two must be identical.

  1. In the Generate Signed URL section, set Original URL and other parameters.
    Generate a signed URL
    Parameter Description
    Original URL Enter a complete URL, including the scheme, for example, https://www.aliyun.com.
    Type

    Select the URL signing type that you specified in the Configure and enable URL signing step.

    Cryptographic Key Set Primary Key or Secondary Key based on the key that you specified in the Configure and enable URL signing step.
    TTL Enter the TTL value of the signed URL that you specified in the Configure and enable URL signing step.
  2. Click Generate to obtain the Signed URL and Timestamp.
    Configure URL signing

Disable URL signing

Notice If URL signing is disabled on CDN edge nodes but client requests still carry authentication parameters, the edge nodes no longer strip those parameters. Each distinct signed URL then becomes its own cache key, so the requests miss the cache and are forwarded to the origin server, which increases origin traffic and data transfer fees. Conversely, if the origin server stops signing URLs while the edge nodes still verify them, unsigned requests are rejected with a 403 error. If you want to disable URL signing, disable it on both the origin server and the CDN edge nodes, and coordinate the two changes.
Disable URL signing
  1. Log on to the Alibaba Cloud CDN console, navigate to the URL Signing section, and then click Modify. In the dialog box that appears, turn off URL signing.
  2. On the origin server, delete the URL signing settings.