Access control - ApsaraVideo Live - Alibaba Cloud Documentation Center

To prevent unauthorized access to your live resources, use access control methods such as URL signing, IP address blacklist and whitelist, and remote authentication.

Overview

Access control for an ingest domain is critical for securing your resources and preventing unauthorized access. The primary methods include:

URL signing: Verifies the authenticity of each request using cryptographic signatures, offering the most comprehensive security.
IP address blacklist and whitelist: Restricts or allows access from specific IP addresses to filter viewers.
Remote authentication: Enhances flexibility and security by forwarding user requests to your own authentication server for validation.

URL signing

How it works

URL signing prevents hotlinking by coordinating authentication between ApsaraVideo Live and your business server.

Your business server generates a signed URL that contains authentication information.
A user makes a stream ingest or playback request to the ApsaraVideo Live service using this signed URL.
An edge node of ApsaraVideo Live validates the authentication information in the signed URL. The node serves valid requests and denies invalid ones.

Important

After ApsaraVideo Live authenticates your request URL, it escapes special characters in the URL, such as = and +.

To learn more about use cases, the structure of a signed URL, and the signing mechanism, see Signed ingest and streaming URLs.

Procedure

Log on to the ApsaraVideo Live console.
In the left-side navigation pane, click Domain Names. The Domain Management page appears.
Find the ingest domain that you want to configure and click Domain Settings in the Actions column.
Choose Streaming Management > Access Control.
Click the URL Signing tab, and click Modify.
Note
- URL signing is enabled by default when you add a domain. To disable it for the first time, you must acknowledge the risks of unauthorized access and sign the disclaimer.
- Modification is supported only when the feature is enabled.

Configure URL signing parameters and click OK.

URL鉴权

Parameter	Description
Authentication Type	ApsaraVideo Live only supports Authentication Type A to protect your origin resources. Note An invalid URL signing request returns a 403 error. Please recalculate the signature. Invalid MD5 values Example: `X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be` Invalid timestamps Example: `X-Tengine-Error:denied by req auth: expired timestamp=1439469547`
Primary Key	When you add a domain, the console randomly generates a primary key. You can view the primary key on the URL Signing tab of the Access Control page. You can also enter a custom primary key for your chosen authentication method.
Secondary Key	Enter a custom secondary key for your chosen authentication method. Note The primary and secondary keys have the same authentication permissions. The secondary key is mainly used for smooth key rotation. If you change the primary key, all signed URLs generated with the old key will become invalid. To avoid service interruptions, copy the current primary key to the secondary key field before creating a new primary key. This process ensures that requests signed with the old key remain valid during the transition.
Validity Period	The period during which a signed URL can be used to initiate an ingest request. Stream ingest is long-lived connection. An active connection will not be terminated when the validity period expires. However, new requests made with the expired URL will fail. The default validity period for a new domain is 1 day (1440 minutes). You can set a custom validity period.

IP address blacklist or whitelist

How it works

Add an IP address to a blacklist to block it from accessing the ingest domain.
Add an IP address to a whitelist to allow only that IP address to access the ingest domain.

Note

The IP address blacklist and whitelist both support IPv6 addresses. Only uppercase letters are supported in IPv6 addresses, for example, 2001:DB8:0:23:8:800:200C:417A or 2001:0DB8:0000:0023:0008:0800:200C:417A. IPv6 addresses in abbreviated format, such as 2001:0DB8::0008:0800:200C:417A, are not supported.
Both the blacklist and whitelist support adding IP address ranges in CIDR notation. For example, 192.168.0.0/24 uses a subnet mask with the first 24 bits, leaving 32 - 24 = 8 bits for the host address. This subnet can contain 2⁸ = 256 addresses. Therefore, 192.168.0.0/24 represents the IP address range from 192.168.0.0 to 192.168.0.255.

Procedure

Log on to the ApsaraVideo Live console.
In the left-side navigation pane, click Domain Names. The Domain Management page appears.
Find the ingest domain that you want to configure and click Domain Settings in the Actions column.

Choose Streaming Management > Access Control.

Click the IP Blacklist or Whitelist tab, and turn on the feature.
Configure List Type and Rule, then click OK.
List type
Decription
Blacklist
IP addresses on the blacklist cannot access the resource.
Whitelist
Only IP addresses on the whitelist can access the resource. All other IP addresses are blocked.

Remote authentication

How it works

Both remote authentication and URL signing protect live stream resources by ensuring that only authorized users can access them. They differ in their technical implementation:

URL signing: You configure authentication rules in the live center, which then handles the entire authentication process.
Remote authentication: You maintain a dedicated authentication server. The live center forwards requests to your server for validation. Remote authentication is not supported for the HLS protocol.

The data flow for remote authentication is as follows:

Step	Description
①	A user sends a resource access request that contains authentication parameters to the live center.
②	The live center receives the request and forwards it to your authentication server, either directly or after applying specified rules.
③	Your authentication server validates the parameters in the request, determines the authentication result, and returns it to the live center.
④	The live center takes action based on the result from your server and returns the corresponding data to the user. Example 1: If authentication is successful, the live center serves the requested content to the user. Example 2: If authentication fails, the live center returns a 403 status code to the user. Example 3: If authentication times out, the live center performs the default action for a timeout, which is to either allow or deny the user's request.

Procedure

Log on to the ApsaraVideo Live console.
In the left-side navigation pane, click Domain Names. The Domain Management page appears.
Select the ingest domain that you want to configure, and click Domain Settings.
Choose Streaming Management > Access Control.

Click the Remote Authentication tab, turn on the switch, and configure the parameters as prompted.

Note

When remote authentication is enabled, every user request is forwarded to your authentication server. If you expect a high volume of requests, consider the load and performance of your authentication server.

Parameter	Description
Authentication Server Address	The publicly accessible address of your authentication server. The system validates the format and value of the address you enter. You can set a fixed URL or a URL with concatenated variables. Fixed URL: Supports HTTP(S). The value cannot contain `127.0.0.1` or `localhost`, as these are invalid local addresses.Valid formats include: `http(s)://example.aliyundoc.com/auth` `http(s)://192.0.2.1/auth`. URL with concatenated variables: You can generate the authentication URL by concatenating variables. For details on the rules for concatenating variables, see URL variable concatenation.
Pass-through URL Parameters	Controls which parameters from the user's request URL are included in the authentication request. Valid values: Specified Parameters Passed, Specified Parameters Not Passed, and None. Note If you select Specified Parameters Passed or Specified Parameters Not Passed, enter the parameters in the input box, separated by commas (,). For example: `key1,key2,key3`.
HTTP Status Code to Return	The HTTP status code that your authentication server returns to the live center upon successful authentication. You can set one of the following: Successful Authentication: Enter a custom status code for success. The live center allows requests only if your server returns this code. All other status codes block the request. For example, if you set the success code to 200, a 200 response means authentication is successful. Failed Authentication: Enter a custom status code for failure. The live center blocks the user request only if the authentication server returns this specific code. All other status codes will result in the request being allowed. For example, if you set the failure code to 403, a 403 response means authentication has failed.
Authentication Duration (s)	The timeout for the authentication server to respond to a request from the live center. The duration can be an integer from 0 to 30.
Retries on Timeout	The number of times the live center will retry the request to the authentication server after the authentication duration is exceeded. After the specified number of retries, the system will perform the Action After Authentication Timeout.
Action After Timeout	The action the live center takes if the data exchange with the authentication server times out. The available actions are Allow and Deny. Allow: If authentication times out, the live center directly allows the user request. Deny: If authentication times out, the live center rejects the user request and returns an authentication failure status code (such as 403) to the user.
Asynchronous Authentication	When enabled, ingestion starts immediately without waiting for the remote authentication result. If the authentication fails, the connection is then terminated.

Click OK to complete the parameter configuration.
After successfully configuring remote authentication, you can modify the settings or disable the feature on the Remote Authentication tab.

URL variable concatenation

You can generate the authentication URL by concatenating variables. The details are as follows:

Type	Description
Numeric variables	Numeric variables, such as `${1}` and `${2}`, refer to parts of the URL path before the `?`. For example, in the URL `rtmp://domain.aliyundoc.com/appname/streamname?token=1&name=xr`, `${1}` would be `appname` and `${2}` would be `streamname`.
Alphabetic variables	Alphabetic variables, such as `${arg_token}` and `${arg_name}`, refer to query parameters after the `?`. For example, in the URL `rtmp://domain.aliyundoc.com/appname/streamname?token=1&name=xrc`, `${arg_token}` would be `1` and `${arg_name}` would be `xrc`.
Custom variables	Custom variables start with the `udv_` prefix. Currently supported variables are `${udv_host}` and `${udv_ip}`, which refer to the host and the client IP address.
NGX variables	All `ngx.var.*` variables can be referenced directly. For example, `${args}` can be used to reference `ngx.var.args`. All variable values are escaped using the `ngx.escape_uri` function to avoid ambiguity from special characters.
Stream name variables	You can add variables in the format `videoname=${stream_name}`. `${stream_name}` will be replaced with the stream name from the request.

Note

Suppose the ingest URL is rtmp://domain.aliyundoc.com/app/stream?token=***&name=xrc.

And the remote authentication server address is configured as http://auth.aliyundoc.com/?app=${udv_host}&streamname=${2}&appname=${1}&token=${arg_token}.

Then, the actual authentication URL sent will be http://auth.aliyundoc.com/?app=domain.aliyundoc.com&streamname=stream&appname=app&token=***.

List type	Decription
Blacklist	IP addresses on the blacklist cannot access the resource.
Whitelist	Only IP addresses on the whitelist can access the resource. All other IP addresses are blocked.