ApsaraVideo VOD allows you to configure URL authentication in the console to protect the content that you upload to ApsaraVideo VOD against illegal download and hotlinking. This topic describes how URL authentication works and how to configure authentication method A.

Background

To prevent hotlinking and protect origin resources, you can configure a Referer blacklist or whitelist to identify and filter out malicious users. You can perform URL authentication to identify forged Referer content in a more secure and effective manner. ApsaraVideo VOD supports only authentication method A.

How URL authentication works

URL authentication uses Alibaba Cloud CDN nodes together with origin servers to protect origin content from hotlinking.

  1. You provide users with a signed URL that contains authentication information. For more information, see Authentication method A.
  2. A user sends a request to a CDN node by using the signed URL.
  3. The CDN node verifies the authentication information in the signed URL to determine whether the request is valid. If the request is valid, the CDN node returns a success response. Otherwise, the CDN node rejects the request. This protects the resources on the origin server. For more information about the authentication logic, see Authentication logic.

Authentication method A

  • Signed URL structure

    A signed URL contains the address of playback files and the access token (auth_key). The value of the access token is calculated by using the MD5 algorithm based on the authentication key and expiration time. The access token has a specific validity period. Example:

    http://DomainName/Filename?auth_key=timestamp-rand-uid-md5hash
    The following table describes the fields in a signed URL.
    Field Description
    DomainName The domain name for ApsaraVideo VOD.
    Filename The actual URL that points to the requested resource on the origin server. The value of the Filename field must start with a forward slash (/).
    timestamp The time at which the server returns a response, which is also the time at which the URL is generated. The value is in the UNIX timestamp format. The time is determined by the server and is in UTC. The time must be converted into decimal integers and must be 10 characters in length. This time determines the expiration time of a signed URL. The expiration time of the signed URL is calculated by using the following formula: Timestamp + Configured validity period. Log on to the ApsaraVideo VOD console and choose Domain Names > Resource Access Control. On the URL Authentication tab, specify a value for Validity Period in the Generate Authentication URL section. If you set Validity Period to 1,800 seconds, the signed URL expires 1,800 seconds after the time specified by the timestamp parameter. In this case, the 403 HTTP status code is returned.
    • You can generate a timestamp in the ApsaraVideo VOD console. Choose Domain Names > Resource Access Control. On the URL Authentication tab, click Modify in the Set URL Authentication section. In the URL Authentication dialog box, specify a value for Default Validity Period. The timestamp is calculated by using the following formula: Time when the URL is generated + Default validity period.
    • If you generate the URL by using code, you can set the timestamp to a custom value.

    For example, the signed URL expires at 00:30:00 on July 07, 2022, and the value of Validity Period is set to 1,800 seconds. The timestamp is calculated by using the following formula: 00:30:00 on July 07, 2022 - 1,800 seconds = 00:00:00 on July 07, 2022 = 1657125000.

    rand A random number. In most cases, the value of this field is set to 0. If you want to generate a different URL each time, we recommend that you use a universally unique identifier (UUID). The value cannot contain hyphens (-). Example: 477b3bbc253f467b8def6711128c****.
    uid The user ID. Set this field to 0.
    md5hash The string that is calculated by using the MD5 algorithm. The string must be 32 characters in length and can contain digits and lowercase letters.
    sstring = "URI-timestamp-rand-uid-PrivateKey"
    md5hash = md5sum(sstring)
    • URI: the relative path of the requested file, excluding the parameters. Example: /Filename.
    • PrivateKey: the authentication key that is configured in the ApsaraVideo VOD console. You can use the primary key or the secondary key.

      The primary and secondary keys have the same effect. The secondary key is used to ensure a smooth switchover. If the primary key is changed, all generated playback URLs that use the original primary key immediately become invalid. When you switch the primary key to the secondary key, the generated playback URLs that use the original primary key remain valid for a period of time. The secondary key works as a primary key. This ensures a smooth switchover.

    • md5sum: the function that is used to calculate the MD5 hash value. Use the MD5 hash calculation function that is provided by your development language.
  • Authentication logic

    When a CDN node receives a request, the CDN node checks whether the time that is calculated by adding the values of timestamp and Default Validity Period is earlier than the current time.

    • If the time that is calculated by adding the values of timestamp and Default Validity Period is earlier than the current time, the CDN node determines that the URL is expired and returns the 403 HTTP status code.
    • If the time calculated by adding timestamp and Default Validity Period is later than the current time, the CDN node generates a string in the same format. Then, the CDN node uses the MD5 algorithm to calculate the value of HashValue and compares the values of HashValue and md5hash in the request.
      • If they are the same, the request passes the authentication. The CDN node returns the requested resource.
      • If they are different, the request fails the authentication. The CDN node returns the 403 HTTP status code.

Usage methods

You need to enable and configure URL authentication on the URL Authentication page. For more information, see Configure URL authentication.

How to obtain a signed URL
  • After URL authentication is enabled, if all your resources are in the ApsaraVideo VOD console, the console will automatically generate a signed URL with an expiration time. You can also obtain the signed URL by calling the GetPlayInfo operation.
    Note After URL authentication is enabled, the URLs of video files, audio files, thumbnails, and snapshot files are signed.
  • After URL authentication is enabled, if your resources are not in the ApsaraVideo VOD console, you can use authentication method A to splice and generate a dynamic signed URL. For more information, see Authentication method A and Sample of signed URL splicing.

Sample of signed URL splicing

Sample conditions
  • Retrieve the resource from the origin server.
    http://example.aliyundoc.com/video/standard/test-****.mp4
    Notice If the back-to-origin request object contains Chinese characters, you must encode the URL before you splice a signed URL.
  • Set the cryptographic key to aliyunvodexp****.
  • If you set the expiration time of the URL to 00:00:00 on August 1, 2021, the timestamp is 1627747200.
Splicing procedure
  1. Generate a signature string.

    The CDN node generates a signature string that is used to calculate the value of Hashvalue.

    /video/standard/test-****.mp4-1627747200-0-0-aliyunvodexp****
  2. Calculate the value of MD5.

    The CDN node calculates the value of Hashvalue by using the signature string.

    HashValue = md5sum("/video/standard/test-****.mp4-1627747200-0-0-aliyunvodexp****") = 0e9048c8c7de46b6015618f42de7****
  3. Generate a signed URL.
    http://example.aliyundoc.com/video/standard/test-****.mp4?auth_key=1627747200-0-0-0e9048c8c7de46b6015618f42de7****

If the HashValue value that is calculated by the CDN node and the md5hash value that is included in the request are 0e9048c8c7de46b6015618f42de7****, the request passes the authentication. Otherwise, the request fails the authentication.