Referer-based hotlink protection is not completely secure. We recommend that you use URL authentication to protect resources on the origin server against illegal downloads and misuse. This topic describes how to enable or disable the URL authentication feature and how to verify a signed URL.

Background information

By default, content distributed by ApsaraVideo VOD is publicly available. Users can access the content by using URLs. If you want to protect your resources from hotlinking and unauthorized access, you can use referer whitelists and blacklists, IP whitelists and blacklists, and URL authentication to control access. URL authentication adds a signature string and a timestamp to each URL to enhance access control.

For more information about URL authentication and the implementation logic, see Configure URL authentication.

Enable and configure URL authentication

Notice
  • Before you enable URL authentication, make sure that you have configured URL authentication rules, including authentication algorithms and cryptographic keys, on the origin server.
  • The authentication logic on ApsaraVideo VOD must be the same as that on the origin server.
  1. Log on to the ApsaraVideo VOD console.
  2. In the left-side navigation pane of the ApsaraVideo VOD console, choose Configuration Management > CDN Configuration > Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Configure in the Actions column.
  4. On the page that appears, click Resource Access Control.
  5. Click the URL Authentication tab. In the Set URL Authentication section, click Modify.
  6. In the URL Authentication dialog box, turn on URL Authentication and configure the authentication parameters.
    The following table describes the parameters.
    Parameter: Description
    Authentication Method: ApsaraVideo VOD supports only authentication method A to protect resources on the origin server.
    Note: If URL authentication fails, a 403 error is returned. Causes of the error include:
    • Invalid MD5 values

      Example: X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd7****

    • Invalid timestamps

      Example: X-Tengine-Error:denied by req auth: expired timestamp=143946****

    Primary Key: Specify the primary key for the selected authentication method.
    Secondary Key: Specify the secondary key for the selected authentication method.

    The primary and secondary keys have the same effect. The secondary key is used to ensure a smooth switchover: if the primary key is changed, all generated playback URLs that use the original primary key immediately become invalid, but when you switch the primary key to the secondary key, the generated playback URLs that use the original primary key remain valid for a period of time. The secondary key works as a primary key.

    Default Validity Period: Specify a validity period for signed URLs. Users can access ApsaraVideo VOD before the signed URLs expire. The time when a signed URL expires is calculated based on the following formula: Expiration time = Timestamp + Validity period.
    • Default value: 30. Unit: minutes.
    • For example, the timestamp of a signed URL is 2020-08-15 15:00:00 (UTC+8), and the validity period is 30 minutes. In this case, the signed URL remains valid until 15:30:00 on August 15, 2020 (UTC+8).
    Support Previewing: If the preview feature is enabled, users can view or listen to a snippet of a video or audio file, such as the first 5 minutes of the file. This feature is widely used in paid services, such as video or audio content for which non-members are charged a fee. For more information, see Configure the preview feature.
  7. Click OK.

    After the configuration is complete, URL authentication takes effect for this domain name.

    If all your resources are in the ApsaraVideo VOD console, the console will automatically generate a signed URL with an expiration time. You can also obtain the signed URL by calling the GetPlayInfo operation.
    Note: After URL authentication is enabled, the URLs of video files, audio files, thumbnails, and snapshots are signed.
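The origin server must apply the same logic as ApsaraVideo VOD, so the following added example (not code from this page or from Alibaba Cloud) sketches an origin-side check that accepts either the primary or the secondary key and applies Expiration time = Timestamp + Validity period. The auth_key layout (timestamp-rand-uid-md5hash, with MD5 over "path-timestamp-rand-uid-key") is an assumption about authentication method A that this page does not state; confirm it against Configure URL authentication. The function names, keys, and URL are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed sample values, not real keys.
PRIMARY_KEY = "constructed-primary-key"
SECONDARY_KEY = "constructed-secondary-key"
SIGNED_AT = 1597474800  # 2020-08-15 15:00:00 (UTC+8), the page's example timestamp


def _md5hash(path, timestamp, rand, uid, key):
    # Assumed method A signing string: path-timestamp-rand-uid-key
    return hashlib.md5(f"{path}-{timestamp}-{rand}-{uid}-{key}".encode()).hexdigest()


def sign_url(url, key, timestamp, rand="0", uid="0"):
    """Append an auth_key parameter in the assumed method A layout."""
    parts = urlsplit(url)
    digest = _md5hash(parts.path, timestamp, rand, uid, key)
    sep = "&" if parts.query else "?"
    return f"{url}{sep}auth_key={timestamp}-{rand}-{uid}-{digest}"


def verify_url(url, keys, validity_seconds, now):
    """Return 'ok', 'invalid md5hash', 'expired timestamp' or 'malformed'."""
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("auth_key", [])
    fields = values[0].split("-") if len(values) == 1 else []
    if len(fields) != 4 or not (fields[0].isascii() and fields[0].isdigit()):
        return "malformed"
    timestamp, rand, uid, presented = fields
    # Try every configured key (primary and secondary) so that URLs issued
    # before a key switchover keep working; compare in constant time.
    matched = False
    for key in keys:
        expected = _md5hash(parts.path, timestamp, rand, uid, key)
        matched |= hmac.compare_digest(expected.encode(), presented.encode())
    if not matched:
        return "invalid md5hash"
    # Expiration time = Timestamp + Validity period
    if now > int(timestamp) + validity_seconds:
        return "expired timestamp"
    return "ok"


if __name__ == "__main__":
    signed = sign_url("https://example.com/video/sample.mp4", PRIMARY_KEY, SIGNED_AT)
    print(verify_url(signed, [PRIMARY_KEY, SECONDARY_KEY], 1800, SIGNED_AT + 60))
```

The two rejection results correspond to the 403 causes listed above: a hash that matches neither key, and a timestamp older than the validity period.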

Verify the URL authentication result

To ensure that the authentication logic is correctly implemented, we recommend that you run a test in the ApsaraVideo VOD console to verify whether the signed URLs are correct.

  1. In the Generate Authentication URL section, configure the Original URL parameter and other authentication parameters.
    The following table describes the parameters.
    Parameter: Description
    Original URL: Enter a complete URL, such as https://www.aliyundoc.com.
    Authentication Method: By default, authentication method A is used.
    Authentication Key: Enter the primary key or secondary key that you specified in Enable and configure URL authentication.
    Validity Period: Enter the validity period of the signed URL that you specified in Enable and configure URL authentication. Unit: seconds. Example: 1800.
  2. Click Generate to obtain the Authentication URL and Timestamp.

Disable URL authentication

Notice: If URL authentication is disabled on ApsaraVideo VOD but user requests still carry authentication parameters, ApsaraVideo VOD fails to remove the authentication parameters. In this case, the requests cannot hit the cache on ApsaraVideo VOD and are redirected to the origin server. This increases network traffic on the origin server and data transfer fees. If you want to disable URL authentication, make sure that URL authentication is disabled on both the origin server and ApsaraVideo VOD.
  1. In the Set URL Authentication section, click Modify.
  2. In the dialog box that appears, turn off URL Authentication.
  3. On the origin server, delete the URL authentication settings.