
CDN:Type F signing

Last Updated: Feb 04, 2026

URL signing protects resources on your site from unauthorized download and use. Alibaba Cloud CDN provides four types of URL signing. This topic describes the principles of type F signing and provides an example.

How it works

  • Structure of a signed URL for type F signing

    Access URL format:

    http://DomainName/FileName?{sign=<md5hash>&time=<timestamp>}

    Note

    • The content in {} represents the signing information that is added to the standard URL.

    • The access URL cannot contain Chinese characters.

    • URL signing is not supported for URLs that contain a question mark (?).

  • Fields in a signed URL

    | Field | Description |
    | --- | --- |
    | DomainName | The accelerated domain name. |
    | PrivateKey | The cryptographic key that you specified. The key must be 16 to 32 characters in length, and can contain letters and digits. |
    | FileName | The actual URL that points to the requested resource on the origin server. The value of the FileName field must start with a forward slash (/). |
    | timestamp | The time when a signed URL is generated. The timestamp and the TTL value determine when a signed URL expires. The timestamp follows the UNIX time format: the number of seconds that have elapsed since 00:00:00 Thursday, January 1, 1970. It is a string of 10 decimal digits and is independent of the time zone. The decimal string is converted into a hexadecimal string. |
    | md5hash | The string that is calculated by using the MD5 algorithm. The string must be 32 characters in length and can contain digits and lowercase letters. |

    Note (timestamp)

    In most cases, the validity period of a signed URL equals the value of the TTL parameter. In some cases, the signing server also assigns a TTL value to a signed URL. Timestamp = UNIX timestamp + TTL. Validity period of the signed URL = Timestamp + TTL that is configured on CDN.

    The md5hash value is calculated by using the following method:

    sstring = PrivateKey + URI + timestamp
    md5hash = md5sum(sstring)

    The three values are concatenated directly, without separators. The URI specifies the address that points to the requested resource, such as /FileName, and does not contain parameters.
  • Authentication logic

    After a CDN server receives a resource access request, it checks whether timestamp + validity period is earlier than the current time.

    • If timestamp + validity period is earlier than the current time, the server determines that the URL has expired and returns an HTTP 403 error.

    • If timestamp + validity period is later than the current time, the server constructs a string in the sstring format (see the md5hash field description above for how sstring is constructed). The server then uses the MD5 algorithm to calculate the md5hash value and compares the calculated md5hash value with the md5hash value in the user request.

      • If the values match, the authentication is successful and the resource is returned.

        Note

        After the authentication is successful, the signing parameters are removed from the URL, and the URL is reverted to its original format. This improves the cache hit ratio and reduces back-to-origin traffic. For example:

        • Signed URL format: http://DomainName/FileName?{sign=<md5hash>&time=<timestamp>}

        • After authentication succeeds:

          • URL format used to generate the cache key: http://DomainName/FileName

          • URL format used for origin fetch: http://DomainName/FileName

      • If the values do not match, the authentication fails and the server returns an HTTP 403 error.

Signed URL example

The following example shows how to implement type F signing.

  • Sample conditions

    • Retrieve an object from the origin server:

      http://domain.example.com/test.flv

      Note

      If the URL of the requested object contains Chinese characters, you need to encode the URL before you concatenate a signed URL.

      • Original URL: https://example.com/image/阿里云.jpg

      • Encoded URL: https://example.com/image/%E9%98%BF%E9%87%8C%E4%BA%91.jpg

    • Set PrivateKey to aliyuncdnexp1234.

    • Set timestamp to 55CE8100.

  • Signing procedure

    1. Generate a signature string that is used to calculate the md5hash value.

       aliyuncdnexp1234/test.flv55CE8100

    2. Calculate the md5hash value based on the signature string.

       md5hash = md5sum(aliyuncdnexp1234/test.flv55CE8100) = a37fa50a5fb8f71214b1e7c95ec7a1bd

    3. Generate a signed URL.

       Signed URL format:

       http://domain.example.com/test.flv?sign=a37fa50a5fb8f71214b1e7c95ec7a1bd&time=55CE8100

When a client uses the signed URL to access a resource, the CDN server calculates an md5hash value. If the calculated value is a37fa50a5fb8f71214b1e7c95ec7a1bd, which matches the md5hash value in the request, and the URL has not expired, the authentication is successful. Otherwise, the authentication fails.
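
The signing procedure and the authentication logic described above can be exercised together in the following Python sketch, which is an added example and not Alibaba Cloud code. The function names `sign_url` and `verify_url`, the `ttl` and `now` parameters, the 1800-second TTL and the constant-time comparison are assumptions made for this illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, urlsplit


def sign_url(domain, path, private_key, ts=None):
    """Build a type F signed URL; ts is UNIX seconds (defaults to now)."""
    if not path.startswith("/") or "?" in path:
        raise ValueError("FileName must start with '/' and contain no '?'")
    if not (16 <= len(private_key) <= 32 and private_key.isascii()
            and private_key.isalnum()):
        raise ValueError("PrivateKey must be 16 to 32 letters and digits")
    uri = quote(path, safe="/%")  # encode non-ASCII, keep existing escapes
    ts_hex = format(int(time.time()) if ts is None else ts, "X")
    # sstring = PrivateKey + URI + timestamp, concatenated without separators
    sign = hashlib.md5((private_key + uri + ts_hex).encode()).hexdigest()
    return f"http://{domain}{uri}?sign={sign}&time={ts_hex}"


def verify_url(url, private_key, ttl, now=None):
    """Apply the page's authentication logic; return (status, cache-key URL)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        sign, ts_hex = query["sign"][0], query["time"][0]
        ts = int(ts_hex, 16)
    except (KeyError, ValueError):
        return 403, None  # signing parameters missing or malformed
    now = time.time() if now is None else now
    if ts + ttl < now:
        return 403, None  # timestamp + validity period is in the past
    expected = hashlib.md5((private_key + parts.path + ts_hex).encode()).hexdigest()
    # Constant-time comparison so timing does not reveal matching prefixes
    if not hmac.compare_digest(expected.encode(), sign.encode()):
        return 403, None
    # Signing parameters are stripped for the cache key and origin fetch
    return 200, f"{parts.scheme}://{parts.netloc}{parts.path}"


if __name__ == "__main__":
    # Constructed inputs from the page's sample conditions; the TTL is assumed
    key, issued = "aliyuncdnexp1234", int("55CE8100", 16)
    url = sign_url("domain.example.com", "/test.flv", key, issued)
    print(url)
    print(verify_url(url, key, ttl=1800, now=issued + 60))    # within TTL
    print(verify_url(url, key, ttl=1800, now=issued + 3600))  # expired
    print(verify_url(url.replace("test", "other"), key, ttl=1800, now=issued + 60))
```
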