The URL signing feature protects the content that is uploaded to ApsaraVideo Live from unauthorized downloads and hotlinking. You can configure URL signing in the ApsaraVideo Live console. This topic describes the URL signing feature, how the feature works, how to configure the feature, and the usage notes.

Background information

To prevent hotlinking and protect origin resources, you can configure a Referer blacklist or whitelist to identify and filter out malicious users. However, because the Referer content can be forged, the URL signing feature is a more effective method to protect origin resources.

Use URL signing

  • In the ApsaraVideo Live console, you can use the default URL signing settings or customize the URL signing settings.
    • Default authentication: The default authentication type is Type A. For more information, see URL generator.
    • Custom authentication: If you do not want to use the default authentication, you can configure the URL signing settings. For more information, see Configure URL signing.
    Notice:
    • You can configure the primary and secondary keys in the ApsaraVideo Live console. The primary and secondary keys are equally effective. The secondary key is used to ensure a smooth switchover.
    • If the primary key is changed, all generated streaming URLs that use the original primary key immediately become invalid. When you switch the primary key to the secondary key, the generated streaming URLs that use the original primary key remain valid for a period of time. This ensures a smooth switchover.
    • After you specify the default validity period for the required domain name, all URLs that use the domain name are valid only in the specified period. You can also customize the validity period for a single URL. In this case, ApsaraVideo Live appends the default validity period to the timestamp to determine the expiration time of a URL.
  • You can use code to construct a signed URL.
    1. Construct an unsigned streaming URL based on the AppName and StreamName fields in an ingest URL. Example: rtmp://DomainName/AppName/StreamName.
    2. Then, generate the signed streaming URL by using an authentication algorithm in your code. For more information about the authentication algorithm, see Construct a signed URL. For more information about the sample code that is used to generate a signed URL, see URL signing demos.

Construct a signed URL

Signed URLs are supported by third-party stream ingest tools and players on PCs and mobile devices. A signed URL consists of an ingest URL or a streaming URL and an access token. Example:
rtmp://DomainName/AppName/StreamName?auth_key=timestamp-rand-uid-md5hash
The following list describes each part of the signed URL.

rtmp://DomainName/AppName/StreamName: The ingest URL or streaming URL. For more information, see Ingest and streaming URLs.

auth_key=timestamp-rand-uid-md5hash: The access token, which includes the timestamp, rand, uid, and md5hash fields.

timestamp: The time when the signed URL expires, which is determined by the time when a signed URL is generated and the specified validity period. This value is a UNIX timestamp. Unit: seconds.
  • If you use the URL Generator in the ApsaraVideo Live console to generate a signed URL, the value of timestamp is the time when the signed URL is generated.
  • If you generate a signed URL on the Access Control > URL Authentication page in the ApsaraVideo Live console, the value of timestamp is the time when the signed URL is generated plus the Validity Period.
  • If you generate the URL by using code, you can set the timestamp to a custom value. For example, you can use the following Python code to set the timestamp field: timestamp = int(time.time()) + 1 * 3600.

rand: A random number, which is typically set to 0. If you want to generate a different URL each time, we recommend that you use a UUID as the random number. The value cannot contain hyphens (-). Example: 477b3bbc253f467b8def6711128c7****.

uid: An additional parameter, which is not used. It is typically set to 0.

md5hash: The string that is calculated by using the MD5 algorithm. The string is 32 characters in length and contains digits and lowercase letters.
sstring = "URI-timestamp-rand-uid-PrivateKey"
md5hash = md5sum(sstring)
  • URI: the relative address of the requested object. It is /AppName/StreamName in the original URL, where StreamName contains the extension name.

    If you generate a streaming URL in the Flash Video (FLV) format, the URI is /AppName/StreamName.flv.

    If you generate a streaming URL in the HTTP Live Streaming (HLS) format, the URI is /AppName/StreamName.m3u8.

    If you generate a transcoded streaming URL in the FLV format, the URI is /AppName/StreamName_ID.flv.

    If you generate a transcoded streaming URL in the HLS format, the URI is /AppName/StreamName_ID.m3u8.

  • PrivateKey: the primary key or secondary key that is configured in the ApsaraVideo Live console.
  • md5sum: the function that is used to calculate the MD5 hash value. Use a function in your development language.
Note: Regardless of whether you use the ApsaraVideo Live console to generate a signed URL or use code to construct a signed URL, the md5hash value is calculated in the same way.

How URL signing works

After URL signing is enabled, the server verifies a request by performing the following operations:

  1. The server checks whether the timestamp in the request is earlier than the current time.
    • If the timestamp is earlier than the current time, the server considers the signed URL expired and returns HTTP error code 403.
    • If the timestamp is later than the current time, the server constructs the sstring string in the format shown in the formulas that follow these steps.
  2. The server uses the MD5 algorithm to calculate the hash value of the string and then compares the hash value with that contained in the request.
    • If the two values are the same, the authentication is successful. The server returns the live stream.
    • If the two values are different, the authentication fails. The server returns HTTP error code 403.
The hash value is calculated based on the following formulas:
sstring = "URI-timestamp-rand-uid-PrivateKey"
HashValue = md5sum(sstring)
Example
  • Assumption:
    1. Request the rtmp://demo.aliyundoc.com/video/standard**** object by using req_auth.
    2. Set the cryptographic key to aliyunliveexp1234, which is the primary key or secondary key configured in the ApsaraVideo Live console.
    3. The time when the signed URL is generated is 16:49:57 on May 28, 2021 (UTC+8).
    4. In the ApsaraVideo Live console, the validity period of the signed URL is set to 20 minutes. The Validity Period that is set when the signed URL is generated is 40 minutes.
    5. Set both the rand and uid fields to 0.
  • Result:
    1. The calculated UNIX timestamp of the signed URL is 1622194197, which is 17:29:57 on May 28, 2021 (UTC+8).
    2. The server constructs a signature string that is used to calculate the hash value.

      /video/standard****-1622194197-0-0-aliyunliveexp1234

    3. The server calculates the hash value based on the signature string.

      HashValue = md5sum("/video/standard****-1622194197-0-0-aliyunliveexp1234") = 5552ff52b5e4e20387c6dc18afce****

    4. The URL of the request is rtmp://demo.aliyundoc.com/video/standard****?auth_key=1622194197-0-0-5552ff52b5e4e20387c6dc18afce****.
      Note: The auth_key field indicates the access token that is contained in the signed URL.
    5. The calculated hash value is md5hash = 5552ff52b5e4e20387c6dc18afce****, which is the same as that contained in the request. In this case, the authentication is successful.
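
The generation and server-side verification steps described above, as an added Python example (not code from the ApsaraVideo Live documentation or its demos). The function names, the stream name stream1 used in testing, and the loop over primary and secondary keys are assumptions; the constant-time comparison is a defensive choice the page does not specify.

```python
import hashlib
import hmac
import time
import uuid
from urllib.parse import parse_qs, urlsplit


def _md5hash(uri, ts, rand, uid, key):
    # sstring = "URI-timestamp-rand-uid-PrivateKey", as defined on this page
    sstring = f"{uri}-{ts}-{rand}-{uid}-{key}"
    return hashlib.md5(sstring.encode()).hexdigest()


def sign_url(url, key, ttl=3600, rand=None, uid="0", now=None):
    """Append auth_key=timestamp-rand-uid-md5hash to an unsigned URL.

    Assumes the unsigned URL carries no query string yet.
    """
    now = int(time.time()) if now is None else now
    ts = now + ttl                                     # expiry as a UNIX timestamp
    rand = uuid.uuid4().hex if rand is None else rand  # UUID hex has no hyphens
    uri = urlsplit(url).path                           # /AppName/StreamName only
    return f"{url}?auth_key={ts}-{rand}-{uid}-{_md5hash(uri, ts, rand, uid, key)}"


def verify_url(url, keys, now=None):
    """Return 200 or 403 following the two server-side steps described above."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    fields = parse_qs(parts.query).get("auth_key", [""])[0].split("-")
    if len(fields) != 4 or not (fields[0].isascii() and fields[0].isdigit()):
        return 403                                     # missing or malformed token
    ts, rand, uid, md5hash = fields
    if int(ts) < now:
        return 403                                     # step 1: URL has expired
    for key in keys:                                   # primary, then secondary key
        expected = _md5hash(parts.path, ts, rand, uid, key)
        # step 2: constant-time comparison (defensive choice, not from the page)
        if hmac.compare_digest(expected.encode(), md5hash.encode()):
            return 200
    return 403
```

Because sstring covers only the URI, the token for a given /AppName/StreamName is identical for the ingest and streaming URLs, which is why the usage notes recommend a short validity period when the ingest URL is not confidential.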

Usage notes

  • By default, URL signing is enabled. We recommend that you keep this feature enabled to prevent your content from being pirated. If you want to disable URL signing, make sure that you understand the risk of unauthorized use of your service and agree to Terms for Disabling URL Authentication on the URL Authentication page in the ApsaraVideo Live console.
  • You must manually set the auth_key parameter. ApsaraVideo Live provides no API operation for calculating the value of the auth_key parameter.
  • After you enable URL signing, you must add the auth_key parameter to the ingest and streaming URLs. Otherwise, live streams cannot be played. You cannot sign only the ingest URL or the streaming URL. You must sign them both.
  • Signed URLs remain valid until their expiration timestamp. You can access a signed URL anytime before it expires. ApsaraVideo Live does not support one-time signed URLs.
  • The md5hash in the auth_key parameter is calculated over the URI without the queryString parameters. For more information, see the preceding section about setting URL signing parameters. The URIs of both the ingest and streaming URLs are /AppName/StreamName. As a result, the values of the auth_key parameters for the ingest and streaming URLs are the same. If the ingest URL is not confidential, we recommend that you set the expiration timestamp as close to the current time as possible. This prevents malicious access to the streaming URL.
  • For ingest and streaming URLs in the Real-Time Messaging Protocol (RTMP), FLV, and Real-Time Streaming (RTS) formats, requests are authenticated only when stream ingest or streaming begins. Ongoing stream ingest or streaming is not interrupted if the signed URL expires during the process.
  • For streaming URLs in the M3U8 format, requests are authenticated at the beginning of streaming and during streaming. Ongoing streaming is interrupted if the signed URL expires during the process.