CDN:Type F URL signing

Principles

• Type F signed URL structure

  Access URL format:

  http://DomainName/FileName?{sign=<md5hash>&time=<timestamp>}

  Note

  • {} represents the encrypted information added to the standard URL.

  • The access URL cannot contain Chinese characters.

  • URL signing is not supported for URLs that contain a question mark (?).

  • The sign and time parameters in the example are default system parameters. You can customize the Signature Parameter and Timestamp Parameter in the Configure URL Signing console.

• Field	Description
  DomainName	The domain name of the Alibaba Cloud CDN site.
  PrivateKey	A user-defined encryption key, consisting of 16 to 32 characters (uppercase letters, lowercase letters, and digits).
  FileName	The actual origin request URL. During authentication, FileName must start with /.
  timestamp	The time when the signing server generates the signed URL. This, along with the validity period of the signed URL, controls the expiration time of the signed URL. The timestamp is the Unix timestamp from the signing server (Unix timestamp is the total number of seconds from UTC 1970-01-01 00:00:00 to the present, a 10-digit decimal integer, independent of time zone). In the Configure URL Signing console, set the Timestamp Format to Decimal (Unix Timestamp) or Hexadecimal (Unix Timestamp). Note Set the TTL in the Configure URL Signing console. After the configuration is complete, the expiration time of the signed URL is timestamp + the validity period configured for CDN.
  md5hash	A string calculated using the MD5 algorithm, consisting of digits 0-9 and lowercase English letters a-z, with a fixed length of 32. md5hash is calculated using the following string. sstring = "Privatekey+URI+timestamp" // URI is the relative address of the user's requested object, excluding parameters, such as /Filename md5hash = md5sum(sstring)

• Authentication logic

  When an Alibaba Cloud CDN or server receives a request to access a resource, it checks whether the value of timestamp plus the validity period is less than the current time.

  • If the value of timestamp plus the validity period is less than the current time, the server determines that the URL has expired and returns an HTTP 403 error.

  • If timestamp + validity period of the signed URL is greater than the current time, construct a string using the sstring method (for more information, see the sstring construction method in the table). Then, use the MD5 algorithm to calculate the md5hash value. Compare the calculated md5hash value with the md5hash value included in the user's access request.

    • If the values match, the authentication is successful and the requested resource is returned.

      Note

      After a successful authentication, the authentication parameters are removed from the URL, and the URL reverts to its original format. This process improves the cache hit ratio and reduces back-to-origin traffic. For example:

      • URL with authentication parameters: http://DomainName/FileName?{sign=<md5hash>&time=<timestamp>}

      • After a successful authentication:

        • URL used to generate the cache key: http://DomainName/FileName

        • URL used for origin fetch: http://DomainName/FileName

    • If the values do not match, the authentication fails, and the server returns an HTTP 403 error.