The URL signing feature is used to protect origin servers from unauthorized downloads and access. This topic describes how Alibaba Cloud Content Delivery Network (CDN) type A signing works.
How it works
How a URL is signed based on type A signing
http://DomainName/Filename?auth_key={<timestamp>-rand-uid-<md5hash>}
NoteThe content that is enclosed in braces (
{}
) indicates the encrypted information that is added to the standard URL.Fields in a signed URL
Field
Description
DomainName
The accelerated domain name.
Filename
The actual URL that points to the requested resource on the origin server. The value of the Filename field must start with a forward slash (
/
).auth_key
The cryptographic key that you specified.
timestamp
The time when a signed URL is generated. The timestamp and the TTL value determine the time when a signed URL expires. The timestamp follows the UNIX time format. It is the number of seconds that have elapsed since 00:00:00 on January 1, 1970. The timestamp is a string that has a fixed length of 10 characters.
NoteIn most cases, the validity period of a signed URL equals the value of the TTL parameter. In some cases, the signing server also assigns a TTL value to a signed URL. Timestamp = UNIX timestamp + TTL. Validity period of the signed URL = Timestamp + TTL that is configured on Alibaba Cloud CDN.
rand
A random number. The string cannot contain hyphens (-). Example: 477b3bbc253f467b8def6711128c7bec. We recommend that you use a universally unique identifier (UUID).
uid
The user ID. Set this field to 0.
md5hash
The 32-digit string that is calculated by using the MD5 algorithm. The string can contain digits and lowercase letters.
The
md5hash
value is calculated by using the following method:sstring = "URI-Timestamp-rand-uid-PrivateKey" (The URI specifies the address that points to the requested resource. The URI does not contain parameters such as /Filename.) md5hash = md5sum(sstring)
Authentication logic
When a point of presence (POP) receives a request, the POP determines whether the time that is calculated by adding the
timestamp
and theTTL
value in the request is earlier than the current time.If the time that is calculated by adding the
timestamp
and theTTL
value in the request is earlier than the current time, the POP determines that the URL of the request expired and returns a 403 error.If the time that is calculated by adding the
timestamp
and theTTL
value in the request is later than the current time, a string is generated based on thesstring
that is described in the preceding table. Then, amd5hash
value is generated based on the MD5 algorithm. The generatedmd5hash
value is compared with themd5hash
value in the request.If the values are the same, the request passes the authentication. The POP returns the requested resource.
NoteIf a request passes the authentication, URL signing parameters are removed from the URL to increase the cache hit ratio and reduce back-to-origin traffic.
The format of the URL that is used to generate a cache key is
http://DomainName/FileName
.The format of the URL in the origin request is
http://DomainName/FileName
.
If the two values are different, the request fails the authentication. The POP returns the HTTP 403 status code.
Examples
The following example shows how to implement type A signing.
Sample conditions
Retrieve an object from the origin server:
http://domain.example.com/video/standard/test.mp4
NoteIf the URL of the requested object contains Chinese characters, you need to encode the URL before you concatenate a signed URL.
Original URL:
https://example.com/image/阿里云.jpg
Encoded URL:
https://example.com/image/%E9%98%BF%E9%87%8C%E4%BA%91.jpg
Set auth_key to aliyuncdnexp1234.
Set timestamp to 1444435200. The time when the signing server generates a signed URL is 08:00:00 (UTC+8) on October 10, 2015, which is converted into the decimal integer 1444435200.
Concatenation procedure
Generate a signature string that is used to calculate the
md5hash
value./video/standard/test.mp4-1444435200-0-0-aliyuncdnexp1234
Calculate the
md5hash
value based on the signature string.md5hash = md5sum("/video/standard/test.mp4-1444435200-0-0-aliyuncdnexp1234") = 23bf85053008f5c0e791667a313e28ce
Generate a signed URL.
http://domain.example.com/video/standard/test.mp4?auth_key=1444435200-0-0-23bf85053008f5c0e791667a313e28ce
If a client uses a signed URL to request a resource, the POP compares the calculated md5hash
value with the md5hash
value in the request. If they are the same, such as 23bf85053008f5c0e791667a313e28ce, and the signed URL is within the validity period, the request passes the authentication. Otherwise, the authentication fails.