All Products
Search

This Product

    Dynamic Content Delivery Network:Type C signing

    Document Center

    Dynamic Content Delivery Network:Type C signing

    Last Updated:Feb 08, 2024

    The URL signing feature is used to protect origin servers from unauthorized downloads and access. Dynamic Content Delivery Network (DCDN) supports three URL signing types. This topic describes how type C signing works.

    How it works

    • How a URL is signed based on type C signing

      • Format 1 

        http://DomainName/{<md5hash>/<timestamp>}/FileName

      • Format 2 

        http://DomainName/FileName?{&KEY1=<md5hash>&KEY2=<timestamp>}
      Note

      The content that is enclosed in braces ({}) indicates the encrypted information that is added to the standard URL.

    • Fields in a signed URL

      Field

      Description

      DomainName

      The accelerated domain name.

      PrivateKey

      The cryptographic key that you specified. The key must be 16 to 32 characters in length, and can contain letters and digits.

      FileName

      The actual URL that points to the requested resource on the origin server. The value of the Filename field must start with a forward slash (/).

      timestamp

      The time when a signed URL is generated. The timestamp and the TTL value determine when a signed URL expires. The timestamp follows the UNIX time format. It is the number of seconds that have elapsed since 00:00:00 Thursday, January 1, 1970. The timestamp is a string that consists of 10 positive decimal integers and is irrelevant to the time zone. The decimal string is converted into a hexadecimal string.

      Note

      In most cases, the validity period of a signed URL equals the value of the TTL parameter. In some cases, the signing server also assigns a TTL value to a signed URL. Timestamp = UNIX timestamp on the signing server + TTL assigned by the signing server. Validity period of the signed URL = Timestamp + TTL that is assigned by DCDN.

      md5hash

      The string that is calculated by using the MD5 algorithm. The string must be 32 characters in length and can contain digits and lowercase letters.

      The md5hash value is calculated by using the following method: 

      sstring = "Privatekey+URI+timestamp" (The URI specifies the address that points to the requested resource. The URI does not contain parameters such as /Filename.)
md5hash = md5sum(sstring)

    • Authentication logic

      When a point of presence (POP) receives a request, the POP determines whether the time that is calculated by adding the timestamp and the TTL value in the request is earlier than the current time.

      • If the time that is calculated by adding the timestamp and the TTL value in the request is earlier than the current time, the POP determines that the URL of the request expired and returns a 403 error.

      • If the time that is calculated by adding the timestamp and the TTL value in the request is later than the current time, an sstring is generated. Then, an md5hash value is generated based on the MD5 algorithm. The generated md5hash value is compared with the md5hash value in the request.

        • If the values are the same, the request passes the authentication. The POP returns the requested resource.

          Note

          If a request passes the authentication, URL signing parameters are removed from the URL to increase the cache hit ratio and reduce back-to-origin traffic.

          • For a URL that is signed in Format 1 or Format 2, the format of the URL that is used to generate a cache key is http://DomainName/FileName.

          • For a URL that is signed in Format 1 or Format 2, the format of the URL in the back-to-origin request is http://DomainName/FileName.

        • If the two values are different, the request fails the authentication. The POP returns the HTTP 403 status code.

    Examples

    The following example shows how to implement type C signing.

    • Sample conditions

      • Retrieve an object from the origin server:

        http://domain.example.com/test.flv
        Note

        If the URL of the requested object contains Chinese characters, you need to encode the URL before you concatenate a signed URL.

        • Original URL: https://example.com/image/阿里云.jpg

        • Encoded URL: https://example.com/image/%E9%98%BF%E9%87%8C%E4%BA%91.jpg

      • Set PrivateKey to aliyuncdnexp1234.

      • Set timestamp to 55CE8100.

    • Concatenation procedure

      1. Generate a signature string that is used to calculate the md5hash value. 

        aliyuncdnexp1234/test.flv55CE8100

      2. Calculate the md5hash value based on the signature string. 

        md5hash = md5sum(aliyuncdnexp1234/test.flv55CE8100) = a37fa50a5fb8f71214b1e7c95ec7a1bd

      3. Generate a signed URL.

        • Format 1: 

          http://domain.example.com/a37fa50a5fb8f71214b1e7c95ec7a1bd/55CE8100/test.flv

        • Format 2: 

          http://domain.example.com/test.flv?KEY1=a37fa50a5fb8f71214b1e7c95ec7a1bd&KEY2=55CE8100

    If a client uses a signed URL to request a resource, DCDN compares the calculated md5hash value with the md5hash value in the request. If the values are the same, such as a37fa50a5fb8f71214b1e7c95ec7a1bd, the request passes the authentication. Otherwise, the request fails the authentication.