ApsaraVideo VOD allows you to configure URL authentication in the console to protect the content that you upload to ApsaraVideo VOD against illegal download and hotlinking. This topic describes how URL authentication works and how to configure authentication method A.

Background information

By default, content distributed by ApsaraVideo VOD is publicly available. Users can access the content by using URLs. If you want to prevent your resources from hotlinking and unauthorized access, you can use referer whitelist and blacklist, IP whitelist and blacklist, and URL authentication to regulate access control. URL authentication adds signature strings and timestamps to URLs to enhance access control for the original server. ApsaraVideo VOD supports only authentication method A.

How URL authentication works

URL authentication uses Alibaba Cloud points of presence (POPs) together with origin servers to protect origin content from hotlinking. URL authentication involves the following objects:
  • Origin server: The origin server signs URLs based on the URL signing rules, including authentication algorithms and cryptographic keys. Then, the origin server returns the signed URLs to clients.
  • Client: The client initiates a request and sends the signed URL to POPs for authentication.
  • POPs: The POPs verify the authentication information, including the signature and timestamp, carried by the request.
URL authentication logic for ApsaraVideo VOD
The following steps describe how URL authentication works:
  1. You set URL signing rules, including authentication algorithms and cryptographic keys, on your origin server.

    For example, http://DomainName/timestamp/md5hash/FileName is a URL signed by the origin server.

  2. When a client attempts to access a URL, the origin server signs the URL based on the signing rules, and then returns the signed URL to the client, as shown in Step 2 and Step 3 in the preceding figure. For more information, see Authentication method A.
  3. The client uses the signed URL to request resources from a POP.
  4. The POP checks the authentication information including the signature string and timestamp carried by the request and determines whether the request is valid.
    • If the request fails the authentication, the POP rejects the request.
    • If the request passes the authentication, the POP responds to the request.
    Note
    • If the requested resource is not cached on POPs, the POPs remove the authentication parameters from the URL and restore the URL to the original version before the request is redirected to the origin server. For example, the URL is restored to http://DomainName/FileName. Then, the original URL is used to generate a cache key or redirect the request to the origin server.
    • After a request passes the authentication, the special characters such as equal signs (=) and plus signs (+) in the URL are escaped.

Authentication method A

How it works

  • How a URL is signed based on method A
    http://DomainName/Filename?auth_key=timestamp-rand-uid-md5hash
  • Fields in a signed URL
    Field Description
    DomainName The domain name for ApsaraVideo VOD.
    Filename The actual URL that points to the requested resource on the origin server. The value of the Filename field must start with a forward slash /.
    auth_key The cryptographic key that you set.
    timestamp The time when a signed URL is generated. The timestamp and the default validity period specify the time when a signed URL expires. The time is represented by a UNIX timestamp, which indicates the number of seconds that have elapsed since 00:00:00 on January 1, 1970 (UTC). The timestamp is a string that consists of 10 positive decimal integers and is irrelevant to the time zone.
    Note In most cases, a signed URL expires after the default validity period elapses. If you specify a validity period for a signed URL on the signing server, the timestamp and validity period of the signed URL are calculated based on the following formula: Timestamp = UNIX timestamp on the signing server + Configured validity period on the signing server. Validity period = Timestamp + Default validity period.
    rand The random number. In most cases, the value of this field is set to 0. If you want to generate a different URL each time, we recommend that you use a universally unique identifier (UUID). The value cannot contain hyphens (-). Example: 477b3bbc253f467b8def6711128c****.
    uid The user ID. Set this field to 0.
    md5hash The string that is calculated by using the MD5 algorithm. The string must be 32 characters in length and can contain digits and lowercase letters.

    md5hash is calculated based on the following string:

    sstring = "URI-timestamp-rand-uid-PrivateKey"
    md5hash = md5sum(sstring)
    • URI: the relative path of the requested file, excluding the parameters. Example: /Filename.
    • PrivateKey: the authentication key that is configured in the ApsaraVideo VOD console. You can use the primary key or the secondary key. For more information, see Enable and configure URL authentication.
    • md5sum: the function that is used to calculate the MD5 hash value. Use the MD5 hash calculation function that is provided by your development language.
  • Authentication logic

    When a POP receives a request, it checks whether the time that is calculated by adding the values of timestamp and default validity period is earlier than the current time.

    • If the time that is calculated by adding the values of timestamp and default validity period is earlier than the current time, the POP determines that the URL is expired and returns the HTTP 403 status code.
    • If the time calculated by adding timestamp and default validity period is later than the current time, the POP generates a string based on sstring described in the preceding table. Then, the POP uses the MD5 algorithm to calculate the value of md5hash and compares the generated md5hash with the md5hash value in the request.
      • If the two values are the same, the request passes the authentication. The POP returns the requested resource.
        Note If a request passes the authentication, authentication-specific parameters are removed from the URL to increase the cache hit ratio and reduce back-to-origin traffic.
        • The format of the URL that is used to generate a cache key is http://DomainName/FileName.
        • The format of the URL in the back-to-origin request is http://DomainName/FileName.
      • If the two values are different, the request fails the authentication. The POP returns the HTTP 403 status code.

Sample of signed URL concatenation

The following example shows how to implement authentication method A.

Sample conditions

  • Retrieve an object from the origin server:
    http://example.aliyundoc.com/video/standard/test.mp4
    Notice If the URL of the object that you retrieve from the origin server contains Chinese characters, you must encode the URL before you concatenate a signed URL.
  • Set PrivateKey to aliyunvodexp1234.
  • Convert the time when the signed URL is generated at 00:00:00 on August 1, 2021 (UTC+8) to decimal integers 1627747200.

Concatenation procedure

  1. Generate a signature string that is used to calculate the value of md5hash.
    /video/standard/test.mp4-1627747200-0-0-aliyunvodexp1234
  2. Calculate the value ofmd5hash by using the signature string.
    HashValue = md5sum("/video/standard/test.mp4-1627747200-0-0-aliyunvodexp1234") = 0e9048c8c7de46b6015618f42de7****
  3. Generate a signed URL.
    http://example.aliyundoc.com/video/standard/test.mp4?auth_key=1627747200-0-0-0e9048c8c7de46b6015618f42de7****

If the md5hash value that is calculated by the POP and the md5hash value that is included in the request are 0e9048c8c7de46b6015618f42de7****, the request passes the authentication. Otherwise, the request fails the authentication.

Usage

  1. Enable and configure URL authentication.

    Enable and configure URL authentication in the ApsaraVideo VOD console. For more information, see Enable and configure URL authentication.

  2. Obtain a signed URL.
    • After URL authentication is enabled, if all your resources are in the ApsaraVideo VOD console, the console will automatically generate a signed URL with an expiration time. You can also obtain the signed URL by calling the GetPlayInfo operation.
      Note After URL authentication is enabled, the URLs of video, audio, thumbnail, and snapshot files are signed.
    • If your resources are not in the ApsaraVideo VOD console, you can use authentication method A to concatenate and generate a dynamic signed URL. For more information, see Authentication method A and Sample of signed URL concatenation.