
Edge Security Acceleration:Server authentication

Last Updated:Mar 27, 2025

The authentication feature allows you to protect your website assets from unauthorized downloads and access. This topic describes how the server authentication feature of Edge Security Acceleration (ESA) works and provides an example for better explanation.

How it works

  • Composition of a signed URL

    http://server_address[:port]/[uri]?auth_key=timestamp-rand-md5hash
  • Fields in a signed URL

    server_address
        The address of the server where the resources are located.
    port
        The server port.
    uri
        The relative path of the specific resource on the server.
    auth_key
        The query parameter that carries the three signature fields, joined by hyphens: timestamp-rand-md5hash.
    timestamp
        The UNIX timestamp at which the signed URL expires. It is calculated by adding the specified time to live (TTL) to the UNIX timestamp at which the signed URL is generated. A UNIX timestamp is a 10-digit integer indicating the number of seconds that have elapsed since January 1, 1970 00:00:00 UTC.
    rand
        A random string. The string cannot contain hyphens (-), because the POP splits auth_key on hyphens. Example: 477b3bbc253f467b8def6711128c7bec. We recommend that you use a universally unique identifier (UUID).
    md5hash
        The digest calculated by using the MD5 algorithm. The string must be 32 characters in length and can contain only digits and lowercase letters.

        Calculation method:

        string_to_sign = "URI-Timestamp-rand-PrivateKey"
        md5hash = md5sum(string_to_sign)

        URI is the relative path of the specific resource and does not contain query string parameters. Example: /accesslog/post
  • Authentication logic

    When a point of presence (POP) receives a request, the POP checks whether the value of timestamp is earlier than the current time.

    • If timestamp is earlier than the current time, the POP considers that the requested URL has expired and returns HTTP status code 403.

    • If timestamp is later than the current time, a string is generated by using string_to_sign described in the preceding table. Then, an md5hash value is generated by using the MD5 algorithm. The generated md5hash value is compared with the md5hash value in the request.

      • If the two values are the same, the request passes the authentication. The POP returns the requested resource.

      • If they are different, the request fails the authentication. The POP returns HTTP status code 403.

Example

The resource URL is http://abc.aliyun.com:8080/accesslog/post, PrivateKey is aliyuncdn1234, and the TTL specified by ExpiredTime is 300 seconds.

  • Assume that the current time is 00:00:00 on December 1, 2017, UTC+8:00, which is 1512057600 represented in UNIX format. The timestamp contained in the signed URL is calculated by using the following formula:

    timestamp = 1512057600 + 300 = 1512057900

    The string to be signed:

    string_to_sign = "/accesslog/post-1512057900-0-aliyuncdn1234"
  • Calculate the md5hash value based on this string:

    md5hash = md5sum("/accesslog/post-1512057900-0-aliyuncdn1234") = 0b3cc22622bdbb82d5ba632a5a5c89ca
  • Signed URL:

    http://abc.aliyun.com:8080/accesslog/post?auth_key=1512057900-0-0b3cc22622bdbb82d5ba632a5a5c89ca

If a client uses the signed URL to request a resource, the ESA POP compares the calculated md5hash value with the md5hash value in the request. If the values are the same (0b3cc22622bdbb82d5ba632a5a5c89ca in this example), and the signed URL is within the validity period, the request is served as expected. If the values are different, the request fails the authentication.
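The following Python module is an added example that is not part of this topic or of the ESA product code. It implements both sides of the scheme described under "How it works" and replays the worked example above: sign_url builds auth_key=timestamp-rand-md5hash from the resource path (query string excluded), and verify_url repeats the POP's two checks (expiry first, then digest comparison) and returns the HTTP status the topic describes. Assumptions: the helper names, the (status, reason) return shape, and the choice to keep any pre-existing query parameters in the URL while still excluding them from the signature are mine, not documented ESA behaviour.

```python
"""Sign and verify ESA-style URLs carrying auth_key=timestamp-rand-md5hash.

Added illustration of the scheme in this topic; not ESA's own code.
"""
import hashlib
import hmac
import time
import uuid
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

HEX_DIGITS = set("0123456789abcdef")


def build_string_to_sign(uri: str, timestamp: int, rand: str, private_key: str) -> str:
    """Concatenate the signing material exactly as the topic states: URI-Timestamp-rand-PrivateKey."""
    if "-" in rand:
        raise ValueError("rand must not contain hyphens; the POP splits auth_key on '-'")
    return f"{uri}-{timestamp}-{rand}-{private_key}"


def compute_md5hash(string_to_sign: str) -> str:
    """32-character lowercase hex MD5 digest of the string to sign."""
    return hashlib.md5(string_to_sign.encode("utf-8")).hexdigest()


def sign_url(url: str, private_key: str, ttl: int,
             now: Optional[int] = None, rand: Optional[str] = None) -> str:
    """Return url with auth_key appended; timestamp = generation time + TTL.

    now defaults to the current UNIX time and rand to a UUID with its hyphens
    stripped (uuid4().hex), matching the topic's recommendation.
    Assumption: an existing query string is kept, but only the path is signed.
    """
    parts = urlsplit(url)
    uri = parts.path or "/"
    timestamp = int(time.time() if now is None else now) + ttl
    rand = uuid.uuid4().hex if rand is None else rand
    md5hash = compute_md5hash(build_string_to_sign(uri, timestamp, rand, private_key))
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("auth_key", f"{timestamp}-{rand}-{md5hash}"))
    return urlunsplit((parts.scheme, parts.netloc, uri, urlencode(query), parts.fragment))


def verify_url(url: str, private_key: str, now: Optional[int] = None) -> Tuple[int, str]:
    """Re-run the POP's checks on a request URL. Returns (HTTP status, reason)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    fields = query.get("auth_key", "").split("-")
    # rand may not contain hyphens, so a well-formed auth_key splits into exactly three parts.
    if len(fields) != 3 or not fields[0].isdigit():
        return 403, "malformed auth_key"
    timestamp, rand, presented = int(fields[0]), fields[1], fields[2]
    if len(presented) != 32 or not set(presented) <= HEX_DIGITS:
        return 403, "malformed md5hash"
    current = int(time.time() if now is None else now)
    # Check 1: a timestamp earlier than the current time means the URL has expired.
    if timestamp < current:
        return 403, "expired"
    # Check 2: recompute the digest over the path only and compare with the presented value.
    expected = compute_md5hash(build_string_to_sign(parts.path, timestamp, rand, private_key))
    # Constant-time comparison so the check does not leak how many digest characters matched.
    if not hmac.compare_digest(expected, presented):
        return 403, "md5hash mismatch"
    return 200, "ok"


if __name__ == "__main__":
    # Replay the topic's example: generation time 1512057600, TTL 300, rand "0".
    signed = sign_url("http://abc.aliyun.com:8080/accesslog/post", "aliyuncdn1234", 300,
                      now=1512057600, rand="0")
    print(signed)
    print(verify_url(signed, "aliyuncdn1234", now=1512057600))   # within validity period
    print(verify_url(signed, "aliyuncdn1234", now=1512057901))   # one second after expiry
```

Because only the path enters string_to_sign, a signed URL remains valid if a client adds or changes other query parameters; if the application's behaviour depends on those parameters, the origin must validate them separately. The expiry check is performed before the digest comparison, so an expired URL is rejected as 403 regardless of whether its digest is correct, which is the order the topic describes.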