Referer-based hotlink protection is not completely secure. We recommend that you use URL authentication to protect resources on the origin server against illegal downloads and misuse. This topic describes how to enable or disable the URL authentication feature and how to verify a signed URL.
By default, content distributed by ApsaraVideo VOD is publicly available. Users can access the content by using URLs. To protect your resources from hotlinking and unauthorized access, you can use referer whitelists and blacklists, IP whitelists and blacklists, and URL authentication to control access. URL authentication adds signature strings and timestamps to URLs to enhance access control.
For more information about URL authentication and the implementation logic, see Configure URL authentication.
Enable and configure URL authentication
- Before you enable URL authentication, make sure that you have configured URL authentication rules, including authentication algorithms and cryptographic keys, on the origin server.
- The authentication logic on ApsaraVideo VOD must be the same as that on the origin server.
- Log on to the ApsaraVideo VOD console.
- In the left-side navigation pane of the ApsaraVideo VOD console, choose .
- On the Domain Names page, find the domain name that you want to manage and click Configure in the Actions column.
- On the page that appears, click Resource Access Control.
- Click the URL Authentication tab. In the Set URL Authentication section, click Modify.
- In the URL Authentication dialog box, turn on URL Authentication and configure the authentication parameters. The following table describes the parameters.
Parameter: Description
Authentication Method: ApsaraVideo VOD supports only authentication method A to protect resources on the origin server.
Note: If URL authentication fails, a 403 error is returned. Causes of the error include:
- Invalid MD5 values
X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd7****
- Invalid timestamps
X-Tengine-Error:denied by req auth: expired timestamp=143946****
Primary Key: Specify the primary key for the selected authentication method.
Secondary Key: Specify the secondary key for the selected authentication method.
The primary and secondary keys have the same effect. The secondary key is used to ensure a smooth switchover. If the primary key is changed, all generated playback URLs that use the original primary key immediately become invalid. When you switch the primary key to the secondary key, the generated playback URLs that use the original primary key remain valid for a period of time. The secondary key works as a primary key. This ensures a smooth switchover.
Default Validity Period: Specify a validity period for signed URLs. Users can access ApsaraVideo VOD before the signed URLs expire. The time when a signed URL expires is calculated based on the following formula: Expiration time = Timestamp + Validity period.
- Default value: 30. Unit: minutes.
- For example, the timestamp of a signed URL is 2020-08-15 15:00:00 (UTC+8), and the validity period is 30 minutes. In this case, the signed URL remains valid until 15:30:00 on August 15, 2020 (UTC+8).
Support Previewing: If the preview feature is enabled, users can view or listen to a snippet of a video or audio file, such as the first 5 minutes of the file. This feature is widely used in paid services, such as video or audio content that charges non-members a fee. For more information, see Configure the preview feature.
- Click OK.
After the configuration is complete, URL authentication takes effect for this domain name. If all your resources are in the ApsaraVideo VOD console, the console will automatically generate a signed URL with an expiration time. You can also obtain the signed URL by calling the GetPlayInfo operation.
Note: After URL authentication is enabled, the URLs of video files, audio files, thumbnails, and snapshots are signed.
Verify the URL authentication result
To ensure that the authentication logic is correctly implemented, we recommend that you run a test in the ApsaraVideo VOD console to verify whether the signed URLs are correct.
- In the Generate Authentication URL section, configure the Original URL parameter and other authentication parameters. The following table describes the parameters.
Parameter: Description
Original URL: Enter a complete URL, such as
Authentication Method: By default, authentication method A is used.
Authentication Key: Enter the primary key or secondary key that you specified in Enable and configure URL authentication.
Validity Period: Enter the validity period of the signed URL that you specified in Enable and configure URL authentication. Unit: seconds. Example: 1800.
- Click Generate to obtain the Authentication URL and Timestamp.
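To compare your origin-side logic with the URL and timestamp that the console generates, the following added example (not Alibaba Cloud's code and not part of the original page) signs and verifies a URL offline, accepting either the primary or the secondary key and applying Expiration time = Timestamp + Validity period. It assumes the method A layout as described in Alibaba Cloud's public documentation, `auth_key=timestamp-rand-uid-md5hash` with the MD5 computed over `URI-timestamp-rand-uid-key`, which this page does not spell out; the function names, keys and domain are constructed for illustration, and checking the hash before the timestamp is this example's choice.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

def _md5hash(path, timestamp, rand, uid, key):
    # Assumed method A string-to-sign: "URI-Timestamp-rand-uid-PrivateKey".
    return hashlib.md5(f"{path}-{timestamp}-{rand}-{uid}-{key}".encode()).hexdigest()

def sign_url(url, key, timestamp, rand="0", uid="0"):
    """Append auth_key=timestamp-rand-uid-md5hash to url."""
    parts = urlsplit(url)
    digest = _md5hash(parts.path, timestamp, rand, uid, key)
    sep = "&" if parts.query else "?"
    return f"{url}{sep}auth_key={timestamp}-{rand}-{uid}-{digest}"

def verify_url(signed_url, keys, validity_seconds, now):
    """Return "ok", "invalid md5hash" or "expired timestamp"."""
    parts = urlsplit(signed_url)
    values = parse_qs(parts.query).get("auth_key", [])
    fields = values[0].split("-") if len(values) == 1 else []
    if len(fields) != 4 or not (fields[0].isascii() and fields[0].isdigit()):
        return "invalid md5hash"
    timestamp, rand, uid, given = fields
    # Accept either key so URLs signed before a key switchover keep working.
    matched = any(
        hmac.compare_digest(
            _md5hash(parts.path, timestamp, rand, uid, k).encode(), given.encode())
        for k in keys
    )
    if not matched:
        return "invalid md5hash"
    # Expiration time = Timestamp + Validity period (formula from the page).
    if now > int(timestamp) + validity_seconds:
        return "expired timestamp"
    return "ok"

if __name__ == "__main__":
    # Constructed sample values; not real keys or domains.
    primary, secondary = "example-primary-key", "example-secondary-key"
    ts = 1597474800  # 2020-08-15 15:00:00 (UTC+8), the page's example timestamp
    url = sign_url("https://vod.example.com/video/sample.mp4", primary, ts)
    print(url)
    print(verify_url(url, [primary, secondary], 1800, ts + 1800))  # ok
    print(verify_url(url, [primary, secondary], 1800, ts + 1801))  # expired timestamp
```

The two failure strings mirror the reasons shown in the `X-Tengine-Error` header for a 403 response.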
Disable URL authentication
- In the Set URL Authentication section, click Modify.
- In the dialog box that appears, turn off URL Authentication.
- On the origin server, delete the URL authentication settings.