Alibaba Cloud CDN provides the URL signing feature to protect origin servers from unauthorized access and downloads. The URL signing feature supports three signing types. This topic describes how type C signing works.
How it works
-
How a URL is signed based on type C singing
- Format 1
http://DomainName/{<md5hash>/<timestamp>}/FileName
- Format 2
http://DomainName/FileName{&KEY1=<md5hash>&KEY2=<timestamp>}
Note The content enclosed by braces ({}
) indicates the encrypted information that is added based on the standard URL format. - Format 1
- Fields in a signed URL
Field Description DomainName The accelerated domain name. PrivateKey The cryptographic key that you have set. The key must be 16 to 32 characters in length, and can contain letters and digits. FileName The actual URL that points to the requested resource on the origin server. The Filename field must start with a forward slash ( /
).timestamp The time when a signed URL is generated. The timestamp and the TTL value specify the time when a signed URL expires. The time is represented by a UNIX timestamp, which indicates the number of seconds that have elapsed since 00:00:00 on January 1, 1970 (UTC). The timestamp is a string that consists of 10 positive decimal integers and is irrelevant to the time zone. Note In most cases, the validity period of a signed URL equals the value of the TTL parameter. In some cases, the signing server also assigns a TTL value to a signed URL. Timestamp = UNIX timestamp on the signing server + TTL assigned by the signing server. Validity period of the signed URL = Timestamp + TTL assigned by Alibaba Cloud CDN.md5hash The string that is calculated by using the MD5 algorithm. The string must be 32 characters in length, and can contain digits and lowercase letters. - Authentication logicWhen a CDN edge node receives a request, the CDN edge node determines whether the time calculated by adding the
timestamp
and theTTL
value in the request is earlier than the current time.- If the time calculated by adding the
timestamp
and theTTL
value in the request is earlier than the current time, the CDN edge node determines that the URL of the request expires and returns a 403 error. - If the time calculated by adding the
timestamp
and theTTL
value in the request is later than the current time, ansstring
is generated. Then, amd5hash
value is generated based on the MD5 algorithm. The generatedmd5hash
value is compared with themd5hash
value in the request.- If they are the same, the request passes the authentication. The edge node returns
the requested resource.
Note If a request passes the authentication, authentication-specific parameters are removed from the URL to increase the cache hit ratio and reduce back-to-origin traffic.
- For a URL signed in Format 1 or Format 2, the format of the URL that is used to generate
a cache key is
http://DomainName/FileName
. - For a URL signed in Format 1 or Format 2, the format of the URL in the back-to-origin
request is
http://DomainName/FileNam
.
- For a URL signed in Format 1 or Format 2, the format of the URL that is used to generate
a cache key is
- If they are different, the request fails the authentication. The edge node returns a 403 error.
- If they are the same, the request passes the authentication. The edge node returns
the requested resource.
- If the time calculated by adding the
Examples
The following example shows how to implement type C signing.
- Sample conditions
- A user wants to retrieve the following resource from the origin server:
http://cdn.example.com/test.flv
Note If the URL of the requested object contains Chinese characters, you must encode the URL before you concatenate a signed URL. - The value of the PrivateKey field is
aliyuncdnexp1234
. - The value of the timestamp field is
55CE8100
.
- A user wants to retrieve the following resource from the origin server:
- Concatenation procedure
- Alibaba Cloud CDN calculates the
md5hash
value based on the signature string.md5hash = md5sum(aliyuncdnexp1234/test.flv55CE8100) = a37fa50a5fb8f71214b1e7c95ec7a1bd
- A signed URL is generated.
- Format 1:
http://cdn.example.com/a37fa50a5fb8f71214b1e7c95ec7a1bd/55CE8100/test.flv
- Format 2:
http://cdn.example.com/test.flv?KEY1=a37fa50a5fb8f71214b1e7c95ec7a1bd&KEY2=55CE8100
- Format 1:
- Alibaba Cloud CDN calculates the
If a client uses a signed URL to request a resource, Alibaba Cloud CDN compares the
calculated md5hash
value with the md5hash
value in the request. If they are the same, for example, a37fa50a5fb8f71214b1e7c95ec7a1bd, the request passes the authentication. Otherwise, the request fails the authentication.