ApsaraVideo VOD allows you to use the URL signing feature to protect origin content from unauthorized downloads and access. The URL signing feature supports three signing types. This topic describes how type C signing works.
How it works
How a URL is signed based on type C
Format 1
http://DomainName/{<md5hash>/<timestamp>}/FileName
Format 2
http://DomainName/FileName?{&KEY1=<md5hash>&KEY2=<timestamp>}
The content that is enclosed in braces ({}) indicates the encrypted information that is added to the standard URL.
Fields in a signed URL
Field | Description |
DomainName | The domain name for ApsaraVideo VOD. |
PrivateKey | The primary key or the secondary key that is configured in the ApsaraVideo VOD console. For more information, see Enable and configure URL signing. |
Filename | The actual URL that points to the requested resource on the origin server. The value of the Filename field must start with a forward slash ( |
timestamp | The time when a signed URL is generated. The timestamp and the default validity period determine the time when a signed URL expires. The timestamp follows the UNIX time format: the number of seconds that have elapsed since 00:00:00 Thursday, January 1, 1970. It is a string of 10 decimal digits and is independent of the time zone. The decimal string is converted into a hexadecimal string. Note: In most cases, a signed URL expires after the default validity period that you specified in ApsaraVideo VOD elapses. If you specify a validity period for a signed URL on the signing server, the timestamp and validity period of the signed URL are calculated based on the following formula: Timestamp = UNIX timestamp on the signing server + Configured validity period on the signing server. Validity period = Timestamp + Default validity period. |
md5hash | The string that is calculated by using the MD5 algorithm. The string must be 32 characters in length and can contain digits and lowercase letters. The
|
Signing logic
When an Alibaba Cloud CDN point of presence (POP) receives a request, the POP checks whether the time that is calculated by adding the values of timestamp and default validity period is earlier than the current time.
If the time that is calculated by adding the values of timestamp and default validity period is earlier than the current time, the POP determines that the URL expired and returns the HTTP 403 status code.
If the time that is calculated by adding timestamp and default validity period is later than the current time, the POP generates a string based on sstring described in the preceding table. Then, the POP uses the MD5 algorithm to calculate the md5hash value and compares the calculated md5hash value with the md5hash value in the request.
If the values are the same, the request passes the authentication. The POP returns the requested resource.
Note: If a request passes the authentication, URL signing parameters are removed from the URL to increase the cache hit ratio and reduce back-to-origin traffic.
For a URL that is signed in Format 1 or Format 2, the format of the URL that is used to generate a cache key is http://DomainName/FileName.
For a URL that is signed in Format 1 or Format 2, the format of the URL in the back-to-origin request is http://DomainName/FileName.
If the two values are different, the request fails the authentication. The POP returns the HTTP 403 status code.
Examples
The following example shows how to implement type C signing.
Sample conditions
Retrieve an object from the origin server:
http://domain.example.com/test.flv
Note: If the URL of the requested object contains Chinese characters, you need to encode the URL before you concatenate a signed URL.
Original URL:
https://example.com/image/阿里云.jpg
Encoded URL:
https://example.com/image/%E9%98%BF%E9%87%8C%E4%BA%91.jpg
Set PrivateKey to aliyuncdnexp1234.
Set timestamp to 55CE8100.
Concatenation procedure
Generate a signature string that is used to calculate the md5hash value.
aliyuncdnexp1234/test.flv55CE8100
Calculate the md5hash value based on the signature string.
md5hash = md5sum(aliyuncdnexp1234/test.flv55CE8100) = a37fa50a5fb8f71214b1e7c95ec7a1bd
Generate a signed URL.
Format 1:
http://domain.example.com/a37fa50a5fb8f71214b1e7c95ec7a1bd/55CE8100/test.flv
Format 2:
http://domain.example.com/test.flv?KEY1=a37fa50a5fb8f71214b1e7c95ec7a1bd&KEY2=55CE8100
If a client uses a signed URL to request a resource, Alibaba Cloud CDN compares the calculated md5hash value with the md5hash value in the request. If the values are the same, such as a37fa50a5fb8f71214b1e7c95ec7a1bd, the request passes the authentication. Otherwise, the request fails the authentication.
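The signing steps and the POP-side check described above, as an added Python example (not Alibaba Cloud's own code). It assumes sstring is PrivateKey + FileName + timestamp, as the concatenation in the worked example shows; the function names and the 1800-second default validity period are hypothetical.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import quote

DEFAULT_VALIDITY = 1800  # assumed default validity period in seconds

def md5hash(private_key, filename, ts_hex):
    # sstring layout taken from the worked example: PrivateKey + FileName + timestamp
    sstring = f"{private_key}{filename}{ts_hex}"
    return hashlib.md5(sstring.encode("utf-8")).hexdigest()

def sign(domain, filename, private_key, fmt=1, now=None):
    """Build a Format 1 or Format 2 signed URL for an unencoded path."""
    filename = quote(filename, safe="/")  # percent-encode non-ASCII before signing
    ts_hex = format(int(time.time() if now is None else now), "X")
    digest = md5hash(private_key, filename, ts_hex)
    if fmt == 1:
        return f"http://{domain}/{digest}/{ts_hex}{filename}"
    return f"http://{domain}{filename}?KEY1={digest}&KEY2={ts_hex}"

FORMAT1 = re.compile(r"^/([0-9a-f]{32})/([0-9A-Fa-f]{1,8})(/.*)$")

def verify_format1(path, private_key, now=None, validity=DEFAULT_VALIDITY):
    """Mirror the POP-side check; return (status, cache-key path)."""
    match = FORMAT1.match(path)
    if match is None:
        return 403, None  # not a well-formed signed path
    digest, ts_hex, filename = match.groups()
    now = time.time() if now is None else now
    if int(ts_hex, 16) + validity < now:
        return 403, None  # timestamp + default validity period has passed
    expected = md5hash(private_key, filename, ts_hex)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, digest):
        return 403, None  # path or timestamp was altered, or the key is wrong
    return 200, filename  # signing parameters stripped for cache key and origin

if __name__ == "__main__":
    # Sample conditions from the page: key aliyuncdnexp1234, timestamp 55CE8100
    url = sign("domain.example.com", "/test.flv", "aliyuncdnexp1234", now=0x55CE8100)
    print(url)
    print(verify_format1(url[len("http://domain.example.com"):],
                         "aliyuncdnexp1234", now=0x55CE8100 + 60))
```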