ApsaraVideo VOD: Type C signing

Last Updated: Feb 06, 2024

ApsaraVideo VOD allows you to use the URL signing feature to protect origin content from unauthorized downloads and access. The URL signing feature supports three signing types. This topic describes how type C signing works.

How it works

How a URL is signed based on type C

  • Format 1

    http://DomainName/{<md5hash>/<timestamp>}/FileName
  • Format 2

    http://DomainName/FileName?{&KEY1=<md5hash>&KEY2=<timestamp>}

Note

The content that is enclosed in braces ({}) is the signing information that is added to the standard URL. The braces themselves are not part of the URL.

Fields in a signed URL

| Field | Description |
| --- | --- |
| DomainName | The domain name for ApsaraVideo VOD. |
| PrivateKey | The primary key or the secondary key that is configured in the ApsaraVideo VOD console. For more information, see Enable and configure URL signing. |
| FileName | The actual URL that points to the requested resource on the origin server. The value of the FileName field must start with a forward slash (/). |
| timestamp | The time when a signed URL is generated. The timestamp and the default validity period determine the time when a signed URL expires. The timestamp follows the UNIX time format: the number of seconds that have elapsed since 00:00:00 Thursday, January 1, 1970. It is a 10-digit decimal integer and is independent of the time zone. The decimal value is converted into a hexadecimal string, which is the form used in the signed URL. Note: In most cases, a signed URL expires after the default validity period that you specified in ApsaraVideo VOD elapses. If you specify a validity period for a signed URL on the signing server, the timestamp and validity period of the signed URL are calculated based on the following formula: Timestamp = UNIX timestamp on the signing server + Configured validity period on the signing server. Validity period = Timestamp + Default validity period. |
| md5hash | The string that is calculated by using the MD5 algorithm. The string must be 32 characters in length and can contain digits and lowercase letters. It is calculated as follows: sstring = "PrivateKey+URI+timestamp"; md5hash = md5sum(sstring). The plus signs denote concatenation, and no separator is inserted between the parts. The URI is the address of the requested resource, such as /FileName, and does not include query parameters. |

Signing logic

When an Alibaba Cloud CDN point of presence (POP) receives a request, the POP checks whether the time that is calculated by adding the values of timestamp and default validity period is earlier than the current time.

  • If the time that is calculated by adding the values of timestamp and default validity period is earlier than the current time, the POP determines that the URL expired and returns the HTTP 403 status code.

  • If the time that is calculated by adding the values of timestamp and default validity period is later than the current time, the POP generates a string based on sstring described in the preceding table. Then, the POP uses the MD5 algorithm to calculate the md5hash value and compares the calculated md5hash value with the md5hash value in the request.

    • If the values are the same, the request passes the authentication. The POP returns the requested resource.

      Note

      If a request passes the authentication, URL signing parameters are removed from the URL to increase the cache hit ratio and reduce back-to-origin traffic.

      • For a URL that is signed in Format 1 or Format 2, the format of the URL that is used to generate a cache key is http://DomainName/FileName.

      • For a URL that is signed in Format 1 or Format 2, the format of the URL in the back-to-origin request is http://DomainName/FileName.

    • If the two values are different, the request fails the authentication. The POP returns the HTTP 403 status code.

Examples

The following example shows how to implement type C signing.

Sample conditions

  • Retrieve an object from the origin server:

    http://domain.example.com/test.flv

    Note

    If the URL of the requested object contains Chinese characters, you need to encode the URL before you concatenate a signed URL.

    • Original URL: https://example.com/image/阿里云.jpg

    • Encoded URL: https://example.com/image/%E9%98%BF%E9%87%8C%E4%BA%91.jpg

  • Set PrivateKey to aliyuncdnexp1234.

  • Set timestamp to 55CE8100.

Concatenation procedure

  1. Generate a signature string that is used to calculate the md5hash value.

    aliyuncdnexp1234/test.flv55CE8100
  2. Calculate the md5hash value based on the signature string.

    md5hash = md5sum(aliyuncdnexp1234/test.flv55CE8100) = a37fa50a5fb8f71214b1e7c95ec7a1bd
  3. Generate a signed URL.

    • Format 1:

      http://domain.example.com/a37fa50a5fb8f71214b1e7c95ec7a1bd/55CE8100/test.flv
    • Format 2:

      http://domain.example.com/test.flv?KEY1=a37fa50a5fb8f71214b1e7c95ec7a1bd&KEY2=55CE8100

If a client uses a signed URL to request a resource, Alibaba Cloud CDN compares the calculated md5hash value with the md5hash value in the request. If the values are the same, such as a37fa50a5fb8f71214b1e7c95ec7a1bd, the request passes the authentication. Otherwise, the request fails the authentication.
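The concatenation procedure and the POP-side check from "Signing logic", as an added Python example (not code from ApsaraVideo VOD or Alibaba Cloud). It assumes the hexadecimal timestamp is written in uppercase as in the sample, takes the parameter names KEY1 and KEY2 literally from Format 2, and uses a constructed default validity period of 1800 seconds; the function names are illustrative.

```python
import hashlib, hmac, re
from urllib.parse import parse_qs, quote, urlsplit

def md5hash(private_key, uri, ts_hex):
    # sstring = PrivateKey + URI + timestamp, joined with no separator
    return hashlib.md5((private_key + uri + ts_hex).encode("utf-8")).hexdigest()

def sign(domain, path, private_key, now, fmt=1):
    uri = quote(path, safe="/")        # percent-encode non-ASCII before signing
    ts_hex = format(now, "X")          # UNIX seconds as hex (uppercase assumed)
    digest = md5hash(private_key, uri, ts_hex)
    if fmt == 1:
        return f"http://{domain}/{digest}/{ts_hex}{uri}"
    return f"http://{domain}{uri}?KEY1={digest}&KEY2={ts_hex}"

def verify(url, private_key, default_validity, now):
    """Return the status a POP-style check would give: 200 or 403."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "KEY1" in query and "KEY2" in query:            # Format 2
        digest, ts_hex, uri = query["KEY1"][0], query["KEY2"][0], parts.path
    else:                                              # Format 1
        segs = parts.path.split("/", 3)                # '', md5hash, timestamp, rest
        if len(segs) < 4:
            return 403
        digest, ts_hex, uri = segs[1], segs[2], "/" + segs[3]
    # Reject malformed fields before doing any arithmetic on them.
    if not re.fullmatch(r"[0-9a-f]{32}", digest) or not re.fullmatch(r"[0-9A-Fa-f]+", ts_hex):
        return 403
    if int(ts_hex, 16) + default_validity < now:       # timestamp + validity is in the past
        return 403
    expected = md5hash(private_key, uri, ts_hex)
    # Constant-time comparison so the check does not leak how many characters matched.
    return 200 if hmac.compare_digest(expected, digest) else 403

if __name__ == "__main__":
    KEY, T = "aliyuncdnexp1234", 0x55CE8100   # sample values from the page
    VALIDITY = 1800                           # constructed value, not from the page
    for fmt in (1, 2):
        url = sign("domain.example.com", "/test.flv", KEY, T, fmt)
        print(url, verify(url, KEY, VALIDITY, T + 60), verify(url, KEY, VALIDITY, T + 3600))
```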