By default, content distributed by Alibaba Cloud CDN is publicly available. Users can access the content by using URLs. If you want to protect your resources against hotlinking and unauthorized access, you can use referer whitelists and blacklists, IP whitelists and blacklists, and URL signing to regulate access control. URL signing adds signature strings and timestamps to URLs to enhance access control. This topic describes how URL signing works, how to enable or disable URL signing, and how to verify the URL signing settings.

How URL signing works

URL signing works with both origin servers and Alibaba Cloud CDN points of presence (POPs) to protect origin servers against hotlinking. URL signing involves the following objects:
  • Origin server: The origin server signs URLs based on the URL signing rules, including authentication algorithms and cryptographic keys. Then, the origin server returns the signed URLs to clients.
  • Client: The client initiates a request and sends the signed URL to POPs for authentication.
  • POPs: The CDN POPs verify the authentication information, including the signature and timestamp, carried by the request.
URL signing
  1. You must set URL signing rules, including authentication algorithms and cryptographic keys, on your origin server.

    For example, http://DomainName/timestamp/md5hash/FileName is a URL signed by the origin server.

  2. When a client attempts to access a URL, the origin server signs the URL based on the signing rules, and then returns the signed URL to the client, as shown in Step 2 and Step 3 in the preceding figure.
  3. The client uses the signed URL to request resources from CDN POPs.
  4. The CDN POPs check the authentication information, including the signature string and timestamp, carried by the request and determine whether the request is valid.
    • If the request fails the authentication, it is rejected by the CDN POPs.
    • If the request passes the authentication, the CDN POPs respond to it.
      Note
      • If the requested resource is not cached on CDN POPs, the POPs remove the authentication parameters from the URL and restore the URL to the original version before the request is redirected to the origin server. For example, the URL is restored to http://DomainName/FileName. Then, the original URL is used to generate a cache key or redirect the request to the origin server.
      • After a request passes the authentication, the special characters such as equal signs (=) and plus signs (+) in the URL are escaped.
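The following Python script is an added example, not Alibaba Cloud CDN's own code or signing algorithm. It models the workflow above together with the Primary Key, Secondary Key and TTL parameters from the configuration section: the origin server builds a URL of the form http://DomainName/timestamp/md5hash/FileName, and the POP rejects expired timestamps and invalid hashes, accepts either key so that keys can be rotated, and restores the original URL for the cache key or origin request. The hash rule MD5(key + timestamp + "/" + FileName), the domain, paths and key values are assumptions made for illustration only.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed signing rule for this example (NOT the CDN's real algorithm):
# md5hash = MD5(key + timestamp + "/" + FileName), embedded as
# http://DomainName/timestamp/md5hash/FileName, with timestamp in epoch seconds.
def md5hash(key: str, timestamp: int, filename: str) -> str:
    return hashlib.md5(f"{key}{timestamp}/{filename}".encode()).hexdigest()

def sign_url(original_url: str, key: str, timestamp: int) -> str:
    """Origin-server side: insert the timestamp and hash into the URL path."""
    parts = urlsplit(original_url)
    filename = parts.path.lstrip("/")
    digest = md5hash(key, timestamp, filename)
    return f"{parts.scheme}://{parts.netloc}/{timestamp}/{digest}/{filename}"

def verify_url(signed_url: str, keys: list, ttl: int, now: int):
    """POP side: return (original_url, None) on success, (None, reason) on failure.
    `keys` holds the primary and secondary keys; `ttl` is the configured TTL in seconds."""
    parts = urlsplit(signed_url)
    segments = parts.path.lstrip("/").split("/", 2)
    if len(segments) != 3 or not segments[0].isdigit():
        return None, "denied by req auth: malformed url"
    timestamp, given_hash, filename = int(segments[0]), segments[1], segments[2]
    # Expiry: the signed URL is valid until timestamp + TTL.
    if now > timestamp + ttl:
        return None, f"denied by req auth: expired timestamp={timestamp}"
    # Accept a hash made with either key so a key rotation does not break
    # URLs signed with the previous key; compare in constant time.
    if not any(hmac.compare_digest(md5hash(k, timestamp, filename), given_hash)
               for k in keys):
        return None, f"denied by req auth: invalid md5hash={given_hash}"
    # Strip the auth parameters: the cache key and any origin request use
    # the original http://DomainName/FileName form.
    return f"{parts.scheme}://{parts.netloc}/{filename}", None

if __name__ == "__main__":
    # Constructed sample values (hypothetical domain and keys).
    primary, secondary = "primary-key-example", "secondary-key-example"
    signed = sign_url("http://cdn.example.com/video/demo.mp4", primary, 1439469547)
    print("signed:", signed)
    print("valid :", verify_url(signed, [primary, secondary], 1800, 1439469547 + 60))
    print("late  :", verify_url(signed, [primary, secondary], 1800, 1439469547 + 3600))
    tampered = signed.replace("demo.mp4", "other.mp4")
    print("tamper:", verify_url(tampered, [primary, secondary], 1800, 1439469547 + 60))
```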

Configure and enable URL signing

Important
  • Before you enable URL signing, make sure that you have configured URL signing rules, including signing algorithms and cryptographic keys, on the origin server.
  • The signing logic on CDN POPs must be the same as that on the origin server.
  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
  4. In the left-side navigation pane of the domain name, click Access Control.
  5. Click the URL Signing tab.
  6. In the URL Signing section, click Modify.
  7. In the Set URL Signing dialog box, turn on URL Signing and set the parameters.
    Parameter: Description
    Type: Alibaba Cloud CDN supports three URL signing types. Select a signing type based on your business requirements to protect the resources on your origin server. Supported signing types are:
      Note If URL signing fails, a 403 error is returned. Causes of the error include:
      • Invalid MD5 values
        Example: X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be
      • Invalid timestamps
        Example: X-Tengine-Error:denied by req auth: expired timestamp=1439469547
    Primary Key: Specify the primary key for the selected signing type.
    Secondary Key: Specify the secondary key for the selected signing type.
    TTL: Specify a time-to-live (TTL) value for signed URLs. Users can access resources on CDN POPs only until the signed URLs expire. The expiration time of a signed URL is determined by the timestamp value plus the TTL value.
      • Unit: seconds.
      • Valid values: 1 to 31536000.
      • Default value: 1800, which equals 30 minutes.
      • For example, if the timestamp of a signed URL is 2020-08-15 15:00:00 (UTC+8) and the TTL value is 1800, the signed URL remains valid until 15:30:00 on August 15, 2020 (UTC+8).
  8. Click OK.

Check the URL signing result

To ensure that the authentication logic is correctly implemented, we recommend that you run a test in the Alibaba Cloud CDN console to check whether URLs can be correctly signed.

  1. In the Generate Signed URL section, set Original URL and the other parameters.
    Parameter: Description
    Original URL: Enter a complete URL, for example, https://www.aliyun.com.
    Type: Select the URL signing type that you specified in the Configure and enable URL signing step.
    Cryptographic Key: Set Primary Key or Secondary Key based on the key that you specified in the Configure and enable URL signing step.
    TTL: Enter the TTL value of the signed URL that you specified in the Configure and enable URL signing step.
  2. Click Generate to obtain the Signed URL and Timestamp.

Disable URL signing

Important If URL signing is disabled on CDN POPs but user requests still carry signing parameters, CDN POPs cannot remove the signing parameters. In this case, the requests cannot hit the cache on CDN POPs and are redirected to the origin server. This increases network traffic on the origin server and data transfer fees. If you want to disable URL signing, make sure that URL signing is disabled on both the application server and CDN POPs.
  1. In the Alibaba Cloud CDN console, navigate to the URL Signing section, and then click Modify. In the dialog box that appears, turn off URL signing.
  2. On the origin server, delete the URL signing settings.