Referer-based hotlink protection is not completely secure. We recommend that you use URL signing to protect resources on the origin server against illegal downloads and misuse. This topic describes how to enable or disable the URL signing feature and how to verify a signed URL.

Background information

By default, content distributed by ApsaraVideo VOD is publicly available. Users can access the content by using URLs. If you want to prevent your resources from hotlinking and unauthorized access, you can use referer whitelist and blacklist, IP whitelist and blacklist, and URL signing to regulate access control. URL signing adds signature strings and timestamps to URLs to enhance access control.

For more information about URL signing and the implementation logic, see Configure URL signing.

Enable and configure URL signing

  • Before you enable URL signing, make sure that you have configured URL signing rules including authentication algorithms and cryptographic keys on the origin server.
  • The URL signing logic on ApsaraVideo VOD must be the same as that on the origin server.
  1. Log on to the ApsaraVideo VOD console.
  2. In the left-side navigation pane of the ApsaraVideo VOD console, choose Configuration Management > CDN Configuration > Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Configure in the Actions column.
  4. On the page that appears, click Resource Access Control.
  5. Click the URL Signing tab. In the Set URL Signing section, click Modify.
  6. In the URL Signing dialog box, turn on URL Signing and configure the authentication parameters.
    URL Signing
    The following table describes the parameters.
    The URL signing feature of ApsaraVideo VOD supports three signing types. You can select a signing type based on your business requirements to protect resources on your origin server. Supported signing types:
    Note If URL signing fails, the HTTP 403 status code is returned. The following items describe the possible causes:
    • Invalid MD5 values

      Example: X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd7****

    • Invalid timestamps

      Example: X-Tengine-Error:denied by req auth: expired timestamp=143946****

    Primary KeySpecify the primary key for URL signing.
    Secondary KeySpecify the secondary key for URL signing.

    The primary and secondary keys have the same effect. The secondary key is used to ensure a smooth switchover. If the primary key is changed, all generated playback URLs that use the original primary key immediately become invalid. After you switch the primary key to the secondary key, the generated playback URLs that use the original primary key remain valid for a period of time. The secondary key works as a primary key. This ensures a smooth switchover.

    Default Validity PeriodSpecify a validity period for signed URLs. Users can access ApsaraVideo VOD before the signed URLs expire. The time when a signed URL expires is calculated based on the following formula: Expiration time = Timestamp + Validity period.
    • Default value: 30. Unit: minutes.
    • For example, the timestamp when a signed URL is generated is 15:00:00 on August 15, 2020 (UTC+8), and the validity period is 30 minutes. In this case, the signed URL remains valid until 15:30:00 on August 15, 2020 (UTC+8).
    Support PreviewingIf the preview feature is enabled, users can view or listen to a snippet of a video or audio file, such as the first 5 minutes of the file. This feature is widely used in paid services, such as video or audio content that charges non-members a fee. For more information, see Configure the preview feature.
  7. Click OK.

    After the configuration is complete, URL signing takes effect for this domain name.

    If all your resources are in the ApsaraVideo VOD console, the console will automatically generate a signed URL with an expiration time. You can also obtain the signed URL by calling the GetPlayInfo operation.
    Note After URL signing is enabled, the URLs of video files, audio files, thumbnails, and snapshots are signed.

Verify the URL signing result

To ensure that the signing logic is correctly implemented, we recommend that you run a test in the ApsaraVideo VOD console to verify whether the signed URLs are correct.

  1. In the Generate Signed URL section, configure the Original URL parameter and other authentication parameters.
    The following table describes the parameters.
    Original URLSpecify a complete URL, such as
    TypeSelect the URL signing type that you specified in Enable and configure URL signing.
    Authentication KeyEnter the primary key or secondary key that you specified in Enable and configure URL signing.
    Validity PeriodEnter the validity period of the signed URL that you specified in Enable and configure URL signing. Unit: seconds. Example: 1800.
  2. Click Generate to obtain the Signed URL and Timestamp.
    Generate a signed URL

Disable URL signing

Important If URL signing is disabled on ApsaraVideo VOD but user requests still carry authentication parameters, ApsaraVideo VOD cannot remove the authentication parameters. In this case, the requests cannot hit cache and are redirected to the origin server. This increases network traffic on the origin server and data transfer fees. If you want to disable URL signing, make sure that URL signing is disabled on both the origin server and ApsaraVideo VOD.
  1. In the Set URL Signing section, click Modify.
  2. In the dialog box that appears, turn off URL Signing.
  3. On the origin server, delete the URL signing settings.