All Products
Search

This Product

    HTTPDNS:Implement authentication access

    Document Center

    HTTPDNS:Implement authentication access

    Last Updated:Feb 18, 2025

    1. Background

    To safeguard your billing against potential fraudulent activities, we have implemented an authentication mechanism. Follow the guidance in this document for seamless integration.

    2. Authentication solutions

    Existing users have already published products using features without authentication, necessitating continued access to non-authentication interfaces.

    To address this, we have introduced a new authentication interface. Products can transition to this new interface over time. Once the user base of the old app diminishes sufficiently, you can shut down the non-authentication interface to prevent any impact on the billing system, as illustrated below.

    image

    2.1 Migration plan for existing users

    • Disabling the non-authentication interface will block access to the HTTPDNS service for users of older versions who are using the product.

    • Direct existing users to update their versions and gradually switch to the authentication interface.

    • When the user count for products with non-authentication interfaces drops to a point where the associated losses from discontinuation are acceptable, you can manually disable the non-authentication interface.

    2.2 New user usage plan

    • To prevent additional access costs, the non-authentication interface is enabled by default.

    • If the authentication interface feature is the only requirement, manually disable non-authentication access privileges.

    2.3 Management of non-authentication interface switch

    • Enabling it may pose security risks.

    • Disabling the non-authentication interface switch is the only way to prevent incurring additional fees from attacks.

    3. Signature generation and authentication mechanism

    Warning

    When using the HTTP API, ensure you readHTTPDNS precautions when not using the SDK to mitigate the risk of business failure.

    3.1 Signature generation algorithm and examples

    Authentication Interface

    • http://47.74.XXX.XXX/{account_id}/sign_d

    • http://47.74.XXX.XXX/{account_id}/sign_resolve

    Important

    • In the examples above, {account_id} represents the HTTPDNS Account ID, which is viewable in the HTTPDNS console.

    • When calling operations with authentication, you may specify the IP parameter, although it is not used in signature generation.

    • For more information, see how to obtain the endpoint of the resolving service

    Signature Algorithm

    sign = md5sum( host-secret-timestamp )

    Authentication Field Description

    Field

    Description

    host

    The domain name that you want to resolve, which is the same as the host parameter in the resolving request.

    secret

    Generated by the server,console > Developer Configurationto obtain.

    timestamp

    The expiration time of the signature, which is the number of seconds since January 1, 1970 (a positive integer with a fixed length of 10).

    Note

    The maximum validity period of the signature does not exceed 24 hours.

    Signature Examples

    • Example 1 (single domain name resolution API interface):

      • Original request: http://47.74.XXX.XXX/{account_id}/d?host=www.aliyun.com

      • The secret key for signature generation in this example is IAmASecret. The signed request is set to expire at 15:00:00 on August 15, 2018 (timestamp: 1534316400).

      • sign = md5sum("www.aliyun.com-IAmASecret-1534316400") = 60c71e98b6d7fcbb366243e224eab457

      • Authenticated request: http://47.74.XXX.XXX/{account_id}/sign_d?host=www.aliyun.com&t=1534316400&s=60c71e98b6d7fcbb366243e224eab457

    • Example 2 (batch domain name resolution API interface):

      • Original request:

        http://47.74.XXX.XXX/{account_id}/resolve?host=www.aliyun.com, www.taobao.com

      • The secret key for signature generation in this example is IAmASecret. The signed request is set to expire at 15:00:00 on August 15, 2018 (timestamp: 1534316400).

      • sign = md5sum("www.aliyun.com,www.taobao.com-IAmASecret-1534316400") = 12a3f6b1b14a46ca813ca6439beb59a4

      • Authenticated request: http://47.74.XXX.XXX/{account_id}/sign_resolve?host=www.aliyun.com,www.taobao.com&t=1534316400&s=12a3f6b1b14a46ca813ca6439beb59a4

    Advantages and Disadvantages of This Solution

    • Disadvantages

      • Varying client times.

      • Potential risk of key exposure on the client side.

    • Advantages

      • Eliminates the need for server pulls.

    3.2 Authentication response

    • A successful authentication results in an HTTP response status code of 200. The response content aligns with that of single domain name resolution in the API Response Description.

    • If authentication fails, the HTTP response status code will be 403 or 400, with a specific error code returned in JSON format.

       { "code": "InvalidSignature" }

    3.3 Status code description

    HTTP status code

    Error code

    Description

    403

    SignatureExpired

    The error code returned because the specified timestamp expires.

    403

    InvalidSignature

    The error code returned because the signature in the request is invalid.

    400

    InvalidDuration

    The error code returned because the specified validity period exceeds 86,400 seconds.

    400

    InvalidSignature

    The error code returned because the signature format is invalid.

    400

    InvalidTimestamp

    The timestamp format is invalid.

    400

    AccountNotExists

    The error code returned because the account does not exist or is disabled.