By default, content distributed by CDN services is publicly available: anyone who knows the URL can access it. To prevent hotlinking and unauthorized access to your resources, you can use Referer whitelists and blacklists, IP whitelists and blacklists, and URL signing. URL signing adds a signature string and a timestamp to each URL, so that edge nodes serve only URLs that your origin server issued and only within their validity period. This topic describes how URL signing works, how to enable or disable it, and how to verify the URL signing settings.
How URL signing works
- Origin server: The origin server signs URLs based on the URL signing rules, including authentication algorithms and cryptographic keys. Then, the origin server returns the signed URLs to clients.
- Client: The client initiates a request and sends the signed URL to CDN edge nodes for authentication.
- CDN edge nodes: The CDN edge nodes verify the authentication information, including the signature and timestamp, carried by the request.
- You must set URL signing rules, including authentication algorithms and cryptographic keys, on your origin server.
http://DomainName/timestamp/md5hash/FileName is an example of a URL signed by the origin server. The timestamp and md5hash segments are the authentication parameters that CDN edge nodes check.
- When a client attempts to access a URL, the origin server signs the URL based on the signing rules, and then returns the signed URL to the client, as shown in Step 2 and Step 3 in the preceding figure.
- The client uses the signed URL to request resources from CDN edge nodes.
- The CDN edge nodes check the authentication information, including the signature string and timestamp, carried by the request and determine whether the request is valid.
- If the request fails the authentication, it is rejected by the CDN edge nodes.
- If the request passes the authentication, the CDN edge nodes respond to it.
- If the requested resource is not cached on CDN edge nodes, the nodes remove the authentication parameters from the URL and restore the original URL before the request is forwarded to the origin server. For example, the signed URL is restored to http://DomainName/FileName. The original URL, not the signed one, is used to generate the cache key and to fetch the resource from the origin server. As a result, the origin server does not receive the signature, and different signed URLs for the same file share one cache entry.
- After a request passes the authentication, special characters such as equal signs (=) and plus signs (+) in the URL are escaped.
Configure and enable URL signing
- Before you enable URL signing, make sure that you have set URL signing rules, including authentication algorithms and cryptographic keys on the origin server.
- The authentication logic on CDN edge nodes must be the same as that on the origin server.
- Log on to the Alibaba Cloud CDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
- In the left-side management pane of the domain name, click Access Control.
- Click the URL Signing tab.
- In the URL Signing section, click Modify.
- In the Set URL Signing dialog box, turn on URL Signing and set the parameters.
Parameter: Type
Alibaba Cloud CDN supports three URL signing types. Select a signing type based on your business requirements to protect the resources on your origin server. Supported signing types are:
Note: If URL signing fails, the CDN edge node returns a 403 error. Causes of the error include:
- Invalid MD5 values:
X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be
- Invalid timestamps:
X-Tengine-Error:denied by req auth: expired timestamp=1439469547
Parameter: Primary Key
Specify the primary key for the selected signing type.
Parameter: Secondary Key
Specify the secondary key for the selected signing type. Edge nodes accept URLs signed with either key, so the secondary key lets you rotate the primary key without invalidating signed URLs that are still in circulation.
Parameter: TTL
Specify a time-to-live (TTL) value for signed URLs. Users can access CDN edge nodes before the signed URLs expire. The expiration time of a signed URL is the timestamp in the URL plus the TTL value.
- Unit: seconds.
- Valid values: 1 to 31536000.
- Default value: 1800, which equals 30 minutes.
- For example, the timestamp of a signed URL is 2020-08-15 15:00:00 (UTC+8), and the TTL value is 1800. In this case, the signed URL remains valid until 15:30:00 on August 15, 2020 (UTC+8).
- Click OK.
Check the URL signing result
To ensure that the authentication logic is correctly implemented, we recommend that you run a test in the Alibaba Cloud CDN console to check whether URLs can be correctly signed. Compare the signed URL that the console generates with the one your origin server produces for the same original URL, key, timestamp, and TTL. If the two differ, the signing logic on the origin server does not match the configuration on the edge nodes, and clients will receive 403 errors.
- In the Generate Signed URL section, set Original URL and other parameters.
Parameter: Original URL
Enter a complete URL, for example,
Parameter: Type
Select the URL signing type that you specified in the Configure and enable URL signing step.
Parameter: Cryptographic Key
Set Primary Key or Secondary Key based on the key that you specified in the Configure and enable URL signing step.
Parameter: TTL
Enter the TTL value of the signed URL that you specified in the Configure and enable URL signing step.
- Click Generate to obtain the Signed URL and Timestamp.
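The following Python script is an added example, not code from Alibaba Cloud or from this page, that models both the origin-side signing and the edge-side check described in the How URL signing works section, in the path-style layout http://DomainName/timestamp/md5hash/FileName shown there, and can be used as a local counterpart to the console test above. The page does not specify which fields feed the MD5 hash, so the hashed string used here (key, then the Unix timestamp, then the file path) is an assumption; the key values and the domain cdn.example.com are constructed for the example. Replace the hashing rule with the one documented for the signing type you selected before comparing against console output.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed example keys; the real ones are set in the CDN console and on the origin server.
PRIMARY_KEY = "example-primary-key"
SECONDARY_KEY = "example-secondary-key"
TTL_SECONDS = 1800  # console default: 30 minutes


def _md5hash(key: str, timestamp: int, filename: str) -> str:
    # Assumed hashing rule: MD5(key + timestamp + "/FileName"). Not confirmed by the page.
    return hashlib.md5(f"{key}{timestamp}{filename}".encode()).hexdigest()


def sign_url(url: str, key: str, timestamp: int) -> str:
    """Origin-side signing: insert /timestamp/md5hash/ in front of the file path."""
    parts = urlsplit(url)
    filename = parts.path  # "/FileName", leading slash included
    signed_path = f"/{timestamp}/{_md5hash(key, timestamp, filename)}{filename}"
    return urlunsplit((parts.scheme, parts.netloc, signed_path, parts.query, parts.fragment))


def verify_url(signed_url: str, keys, ttl: int, now: int):
    """Edge-side check. Returns (ok, reason, original_url).

    original_url is the signed URL with the authentication segments removed; it is
    what the edge node uses as the cache key and as the request to the origin server.
    Either the primary or the secondary key is accepted, which is what allows key rotation.
    """
    parts = urlsplit(signed_url)
    segments = parts.path.split("/", 3)  # ['', timestamp, md5hash, FileName]
    if len(segments) != 4 or not segments[1].isdigit():
        return False, "denied by req auth: malformed path", None
    timestamp, md5hash, filename = int(segments[1]), segments[2], "/" + segments[3]
    original = urlunsplit((parts.scheme, parts.netloc, filename, parts.query, parts.fragment))

    # compare_digest avoids leaking which hex digits matched through timing.
    if not any(hmac.compare_digest(_md5hash(k, timestamp, filename), md5hash) for k in keys):
        return False, f"denied by req auth: invalid md5hash={md5hash}", original
    # Expiry is timestamp + TTL, matching the 15:00 + 1800 s = 15:30 example on the page.
    if now > timestamp + ttl:
        return False, f"denied by req auth: expired timestamp={timestamp}", original
    return True, "ok", original


if __name__ == "__main__":
    # 1597474800 is 2020-08-15 15:00:00 UTC+8, the timestamp used in the page's TTL example.
    signed = sign_url("http://cdn.example.com/video/1.mp4", PRIMARY_KEY, 1597474800)
    print(signed)
    print(verify_url(signed, [PRIMARY_KEY, SECONDARY_KEY], TTL_SECONDS, 1597474800 + 60))
    print(verify_url(signed, [PRIMARY_KEY, SECONDARY_KEY], TTL_SECONDS, 1597474800 + 1801))
```

Run the script on your origin server with the real key and TTL, pass the same original URL to the console's Generate Signed URL test, and check that the two signed URLs are identical; a mismatch in the md5hash segment means the hashed-string layout or key differs between origin and edge, while a URL that verifies locally but is rejected by the edge usually points at clock skew between the origin and the edge nodes.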