
ApsaraVideo VOD: Type B signing

Last Updated: May 06, 2023

ApsaraVideo VOD allows you to use the URL signing feature to protect origin content from unauthorized downloads and access. The URL signing feature supports three signing types. This topic describes how type B signing works.

How it works

Format of a type B signed URL

http://DomainName/timestamp/md5hash/FileName

Fields in a signed URL

  • DomainName: The domain name for ApsaraVideo VOD.

  • timestamp: The time when a signed URL is generated. The timestamp and the default validity period specify the time when a signed URL expires. The time is in UTC+8 and follows the YYYYMMDDHHMM format.

    Note

    In most cases, a signed URL expires after the default validity period that you specified in ApsaraVideo VOD elapses. If you specify a validity period for a signed URL on the signing server, the timestamp and validity period of the signed URL are calculated based on the following formulas:

      • Timestamp = UNIX timestamp on the signing server + Configured validity period on the signing server

      • Validity period = Timestamp + Default validity period

  • md5hash: The string that is calculated by using the MD5 algorithm. The string must be 32 characters in length and can contain digits and lowercase letters.

  • FileName: The actual URL that points to the requested resource on the origin server. The value of the FileName field must start with a forward slash (/).

Signing logic

When an Alibaba Cloud CDN point of presence (POP) receives a request, the POP adds the default validity period to the value of timestamp and checks whether the result is earlier than the current time.

  • If the result is earlier than the current time, the POP determines that the URL is expired and returns the HTTP 403 status code.

  • If the result is later than the current time, the POP generates the signature string sstring, uses the MD5 algorithm to calculate the value of md5hash from it, and compares the calculated md5hash value with the md5hash value in the request.

    • If the two values are different, the authentication fails. The POP returns the HTTP 403 status code.

    • If the two values are the same, the request passes the authentication. The POP returns the requested resource.

      Note

      If the request passes the authentication, authentication-specific parameters are removed from the URL to increase the cache hit ratio and reduce origin traffic.

      • The format of the URL in the back-to-origin request is http://DomainName/FileName.

      • The format of the URL that is used to generate a cache key is http://DomainName/FileName.

Examples

The following example shows how to implement type B signing.

Sample conditions

  • Retrieve an object from the origin server:

    http://example.aliyundoc.com/video/standard/test.mp4

    Note

    If the URL of the object that you retrieve from the origin server contains Chinese characters, you must encode the URL before you concatenate a signed URL.

  • Set PrivateKey to aliyunvodexp1234.

  • Convert the time when the signed URL is generated, 2021-08-01 00:00:00 (UTC+8), to the decimal integer 1627747200.

Concatenation procedure

  1. Generate a signature string that is used to calculate the value of md5hash.

    aliyunvodexp12341627747200/video/standard/test.mp4

  2. Calculate the value of md5hash by using the signature string.

    md5hash = md5sum("aliyunvodexp12341627747200/video/standard/test.mp4") = 9044548ef1527deadafa49a890a3****

  3. Generate a signed URL.

    http://example.aliyundoc.com/1627747200/9044548ef1527deadafa49a890a3****/video/standard/test.mp4

When a client requests a resource by using a signed URL, the POP compares the md5hash value that it calculates with the md5hash value in the request. If the two values are the same, for example, both are 9044548ef1527deadafa49a890a3****, the request passes the authentication. Otherwise, the authentication fails.
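
The concatenation procedure and the POP-side checks from the Signing logic section, as an added Python example (not Alibaba Cloud code). It uses the decimal timestamp from the sample conditions; the function names, the 1800-second default validity period and the constant-time comparison are assumptions of this example.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, urlsplit

def sign_url(domain, private_key, timestamp, filename):
    """Build http://DomainName/timestamp/md5hash/FileName."""
    if not filename.startswith("/"):
        raise ValueError("FileName must start with a forward slash (/)")
    # Encode non-ASCII characters before signing. Assumes the caller passes
    # a path that is not already percent-encoded.
    filename = quote(filename, safe="/")
    sstring = f"{private_key}{timestamp}{filename}"
    md5hash = hashlib.md5(sstring.encode("utf-8")).hexdigest()
    return f"http://{domain}/{timestamp}/{md5hash}{filename}"

def verify_url(url, private_key, validity_seconds, now):
    """Return (status, origin_url), following the POP checks in order."""
    parts = urlsplit(url)
    m = re.fullmatch(r"/([0-9]+)/([0-9a-f]{32})(/.+)", parts.path)
    if m is None:
        return 403, None  # not a well-formed type B path
    timestamp, md5hash, filename = m.groups()
    # Step 1: timestamp + validity period earlier than now means expired.
    if int(timestamp) + validity_seconds < now:
        return 403, None
    # Step 2: recompute md5hash from the fields in the request path.
    sstring = f"{private_key}{timestamp}{filename}"
    expected = hashlib.md5(sstring.encode("utf-8")).hexdigest()
    # Constant-time comparison (a choice of this example).
    if not hmac.compare_digest(expected, md5hash):
        return 403, None
    # Step 3: strip timestamp and md5hash for back-to-origin and cache key.
    return 200, f"http://{parts.netloc}{filename}"

if __name__ == "__main__":
    KEY = "aliyunvodexp1234"   # PrivateKey from the sample conditions
    TS = 1627747200            # 2021-08-01 00:00:00 (UTC+8)
    VALIDITY = 1800            # assumed default validity period, in seconds
    url = sign_url("example.aliyundoc.com", KEY, TS, "/video/standard/test.mp4")
    print(url)
    print(verify_url(url, KEY, VALIDITY, TS + 60))             # within validity
    print(verify_url(url, KEY, VALIDITY, TS + VALIDITY + 1))   # expired
    print(verify_url(url.replace("test.mp4", "other.mp4"), KEY, VALIDITY, TS + 60))
```

Because FileName is part of the signature string, a signed URL whose path is changed after signing fails the md5hash comparison and is rejected with 403.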