By default, content distributed by CDN is public and accessible to anyone who has its URL. To protect your origin resources from unauthorized access and malicious downloads, you can use URL signing in addition to other access control methods such as Referer hotlink protection and IP blacklists/whitelists. URL signing protects your content by validating the signature string and timestamp carried in each signed URL: a request whose signature does not match or whose timestamp has expired is rejected before the content is served.
How it works
URL signing prevents unauthorized access to your origin resources by coordinating requests between Alibaba Cloud CDN POPs and your origin. The process involves three key components:
Origin application server: Generates a signed URL based on a defined signing rule, including the algorithm and key, and returns it to the client.
Client: Sends the signed URL to a CDN POP to request a resource.
CDN POP: Validates the information in the signed URL, such as the signature string and timestamp.
- CDN or customers configure the generation rules for signed URLs (including a signing algorithm and a key) on the origin application server.
- When a client visits a page on your application, the origin application server generates a signed URL based on the configured rules and embeds it in the page returned to the client. For example, a signed URL can have the format http://DomainName/timestamp/md5hash/FileName.
- The client uses the signed URL to request the resource from a CDN POP.
- The CDN POP validates the information in the signed URL, such as the signature string and timestamp, to determine whether the request is legitimate.
- If authentication fails, the POP denies the request.
- If authentication succeeds, the POP serves the content.
Note: If a CDN node does not have the resource cached, it removes the authentication parameters from the signed URL to restore the original URL (for example, http://DomainName/FileName), and then uses the original URL to generate the cache key or to initiate the origin-fetch request. After CDN authenticates the request URL, it encodes any special characters in the URL, such as Chinese or other non-ASCII characters.
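The generate-then-validate flow described above, as an added worked example in Python (this is not code from the Alibaba Cloud CDN page or product). It uses the URL layout shown above, http://DomainName/timestamp/md5hash/FileName, with a decimal Unix timestamp, and also applies the TTL rule from the configuration section (a request is accepted until timestamp + TTL and rejected after it). The page does not specify which string is hashed, so the layout key + timestamp + path used here is an assumption for illustration, as are the domain, file names and key; use the hash layout of the signing type you select when you implement this on a real origin server.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed values for this example; the key is not a real credential.
KEY = "examplekey12345"   # the Primary Key configured on the origin server and in the CDN console
TTL = 1800                # validity window in seconds (the console default)


def md5_signature(key: str, timestamp: str, path: str) -> str:
    """ASSUMPTION: the hashed string is key + timestamp + path.
    The page only says the URL carries a timestamp and an md5hash; the real
    layout depends on the signing type selected in the console."""
    return hashlib.md5(f"{key}{timestamp}{path}".encode("utf-8")).hexdigest()


def sign_url(original_url: str, key: str, now: Optional[int] = None) -> str:
    """Origin application server side: turn http://DomainName/FileName into
    http://DomainName/timestamp/md5hash/FileName using a decimal Unix timestamp."""
    parts = urlsplit(original_url)
    timestamp = str(int(time.time() if now is None else now))
    path = parts.path                                   # e.g. "/video/movie.mp4"
    signed_path = f"/{timestamp}/{md5_signature(key, timestamp, path)}{path}"
    return urlunsplit((parts.scheme, parts.netloc, signed_path, parts.query, ""))


def verify_url(signed_url: str, key: str, ttl: int = TTL,
               now: Optional[int] = None) -> Tuple[int, str, Optional[str]]:
    """CDN POP side. Returns (status, detail, original_url).
    status 200 means serve; 403 carries a detail string modelled on the
    X-Tengine-Error values shown in the configuration section."""
    parts = urlsplit(signed_url)
    segments = parts.path.split("/", 3)                # ["", timestamp, md5hash, FileName]
    if len(segments) != 4 or not segments[1].isdigit():
        return 403, "denied by req auth: malformed signed path", None
    _, timestamp, provided, rest = segments
    path = "/" + rest

    # Time check: the request must arrive no later than timestamp + TTL.
    current = int(time.time() if now is None else now)
    if current > int(timestamp) + ttl:
        return 403, f"denied by req auth: expired timestamp={timestamp}", None

    # Hash check, in constant time so the comparison does not leak via timing.
    expected = md5_signature(key, timestamp, path)
    if not hmac.compare_digest(expected, provided):
        return 403, f"denied by req auth: invalid md5hash={provided}", None

    # Strip the authentication segments so that the cache key and any origin
    # fetch use the original URL, and percent-encode non-ASCII characters in
    # the path as the page says the CDN does after authentication.
    original = urlunsplit((parts.scheme, parts.netloc,
                           quote(path, safe="/%"), parts.query, ""))
    return 200, "ok", original


if __name__ == "__main__":
    issued_at = 1_600_000_000
    url = sign_url("http://example.com/video/movie.mp4", KEY, now=issued_at)
    print(url)
    print(verify_url(url, KEY, now=issued_at + 60))          # within TTL: 200
    print(verify_url(url, KEY, now=issued_at + TTL + 1))     # past TTL: 403 expired
    print(verify_url(url, "otherkey67890", now=issued_at))   # wrong key: 403 invalid md5hash
```

The timestamp is checked before the hash so that an attacker replaying an old URL is rejected without a hash computation, and the hash comparison uses hmac.compare_digest rather than == so that a forged md5hash cannot be refined byte by byte through response timing. Whatever hash layout your chosen signing type prescribes, the origin server and the CDN must compute it over exactly the same string, which is why the page insists that the logic on both sides match.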
Usage notes
After you configure URL signing, requests that fail authentication can still reach CDN nodes, but are rejected by the CDN nodes and a 403 status code is returned. The CDN logs still record these failed authentication requests.
URL signing validates requests on CDN POPs. Therefore, intercepting malicious requests still consumes a small amount of billable traffic. For HTTPS requests, additional fees apply because the CDN POPs consume processing resources to perform the interception.
Configure and enable URL signing
Make sure that you have configured the generation rules for signed URLs, including the signing algorithm and key, on your origin application server.
The URL signing logic configured in the CDN console must match the logic on your origin application server.
- Log on to the CDN console.
- In the left navigation pane, click Domain Names.
- On the Domain Names page, find the target domain name and click Manage in the Actions column.
- In the domain's navigation pane, click Access Control, and then click the URL Signing tab.
- In the URL Signing section, click Modify.
- Turn on the Set URL Signing switch and configure the parameters.
Parameter
Description
Type
Alibaba Cloud CDN provides four signing methods. Select the signing type that matches the format of your signed URLs to effectively protect your origin resources. The following URL signing types are available:
Note: If URL signing fails, a 403 error is returned. The X-Tengine-Error header of the response indicates which check failed:
- MD5 calculation error (the signature string does not match). Example: X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be
- Time-related error (the timestamp has expired). Example: X-Tengine-Error:denied by req auth: expired timestamp=1439469547
Primary Key
Enter the primary key for the signing method. The key must be 6 to 128 characters in length and can contain uppercase letters, lowercase letters, and digits.
Secondary Key
Enter the secondary key for the signing method. The key must be 6 to 128 characters in length and can contain uppercase letters, lowercase letters, and digits. You must specify at least one of the primary key and the secondary key; configuring both lets you rotate keys without breaking URLs that were signed with the old one.
TTL
Specifies the validity period of the signed URL. A client must access the resource within the timestamp + TTL period. Requests sent after this period fail authentication.
Unit: seconds
Valid values: 1 to 31536000
Default value: 1800 (30 minutes)
Example: If your signing server generates a signed URL at 15:00:00 (UTC+8) on August 15, 2020 and the TTL is 1,800 seconds, the signed URL expires at 15:30:00 (UTC+8) on August 15, 2020.
Signature Parameter
You can customize the name of the signature parameter. This setting takes effect only when the signing type is set to Type F.
Timestamp Parameter
You can customize the name of the timestamp parameter. This setting takes effect only when the signing type is set to Type F.
Timestamp Format
Sets the format of the timestamp: a decimal Unix timestamp or a hexadecimal Unix timestamp. This setting takes effect only when the signing type is set to Type F.
URL Encoding
The URL encoding switch is turned off by default. If you turn it on, user request URLs are URL-encoded before they are validated. This setting takes effect only when the signing type is set to Type F.
Rule Condition
A rule condition applies the URL signing rule only to requests that meet specific criteria.
Important: When a feature references rule conditions, the execution order follows the priority of the associated rule conditions, not the order of the feature configurations.
- Do not use: Disables conditional rules.
- You can add or edit conditional rules in the Rules engine.
Click OK.
Verify the signed URL
After you configure URL signing, use the Signed URL Generator in the CDN console to generate a signed URL and verify the implementation. The generator signs with the settings stored in the CDN console, so comparing its output with a URL produced by your origin application server for the same original URL, key, and timestamp confirms that the server's signing logic matches the CDN configuration; requesting the generated URL through CDN confirms that the POP accepts it.
In the Signed URL Generator section, specify the Original URL (Unencoded) and other signing information.
Parameter
Description
Original URL (Unencoded)
Enter the complete original URL, for example, https://www.aliyun.com. The tool automatically encodes the original URL when it generates the signed URL.
Type
Select the URL signing type based on the settings that you configured in the Configure and enable URL signing section.
Cryptographic Key
Enter the Primary Key or Secondary Key that you configured in the Configure and enable URL signing section.
TTL
Enter the TTL for the URL signing in seconds, based on the settings that you configured in the Configure and enable URL signing section.
Click Generate to obtain the Signed URL and Timestamp.
Disable URL signing
If you disable URL signing in the CDN console but client requests still contain signing parameters, CDN no longer strips those parameters, so it cannot restore the request URLs to their original format. Every such request then carries a different timestamp and signature in its cache key, which causes cache misses and forwards all of these requests to your origin. As a result, your origin traffic and costs increase significantly. Therefore, to fully disable URL signing, remove the configuration from both your application server and the CDN console, and stop issuing signed URLs before you turn the feature off in the console.
In the URL Signing section of the CDN console, click Modify and turn off the URL signing switch.
On your application server, remove the logic that adds signing parameters to request URLs.