Type A signing

更新时间:
复制 MD 格式

URL signing protects your site resources from unauthorized downloads and hotlinking. This topic describes how type A signing works in Alibaba Cloud DCDN and provides an example.

How it works

  • Structure of a type A signed URL

    http://DomainName/Filename?auth_key={<timestamp>-rand-uid-<md5hash>}
    Note

    The content enclosed in {} is the signing information appended to the standard URL.

  • Field descriptions

    Field

    Description

    DomainName

    The domain name of your DCDN site.

    Filename

    The URL for the actual origin fetch. The Filename must start with a forward slash (/).

    auth_key

    The signing information, consisting of timestamp, rand, uid, and md5hash.

    timestamp

    The time when the signing server generates the signed URL. This value and the Validity Period of Signed URL together determine when the signed URL expires. The value is a 10-digit UNIX timestamp representing the number of seconds elapsed since 00:00:00 on January 1, 1970.

    Note

    Configure the TTL in the Configure URL Signing console. The signed URL expires at timestamp + the configured validity period.

    rand

    A random number. Set this to a UUID without hyphens (-), for example, 477b3bbc253f467b8def6711128c7bec.

    uid

    User ID. This field is not used. Set it to 0.

    md5hash

    A 32-character string calculated by using the MD5 algorithm, consisting of digits and lowercase letters.

    Calculation method:

    sstring = "URI-Timestamp-rand-uid-PrivateKey" (URI is the relative path of the requested object, such as /Filename, and does not include parameters.)
    md5hash = md5sum(sstring)
  • Authentication logic

    When a DCDN server receives a resource request, it checks whether timestamp + validity period of the signed URL is earlier than the current time.

    • If timestamp + validity period of the signed URL is earlier than the current time, the signed URL has expired and the server returns an HTTP 403 error.

    • If timestamp + validity period of the signed URL is later than the current time, the server constructs a string in the sstring format (see the sstring format in the table). Then, it calculates the md5hash value using the MD5 algorithm and compares the calculated md5hash value with the md5hash value in the user's request.

      • If the values match, authentication is successful and the resource is returned.

        Note

        Upon successful authentication, the signing parameters are stripped from the URL. This improves the cache hit ratio and reduces back-to-origin traffic. For example:

        • URL with signing parameters: http://DomainName/Filename?auth_key={<timestamp>-rand-uid-<md5hash>}

        • After successful authentication:

          • URL format used to generate the cache key: http://DomainName/FileName

          • URL format for the actual origin fetch: http://DomainName/FileName

      • If the values do not match, authentication fails and an HTTP 403 error is returned.

Signed URL example

The following example demonstrates type A signing.

  • Example conditions

    • Origin request object:

      http://domain.example.com/video/standard/test.mp4
      Note

      If the request URL contains non-ASCII characters, you must encode the URL first. Use the encoded URL to construct the hash string. For example:

      • Original URL: https://example.com/image/AlibabaCloud.jpg

      • Encoded URL: https://example.com/image/%E9%98%BF%E9%87%8C%E4%BA%91.jpg

    • The key is set to: aliyuncdnexp1234.

    • The signing server generates the signed URL at 08:00:00 on October 10, 2015 (UTC+8), which corresponds to the decimal integer value 1444435200.

  • Concatenation process

    1. The DCDN server constructs a string to be hashed for calculating the md5hash.

      /video/standard/test.mp4-1444435200-0-0-aliyuncdnexp1234
    2. Based on this string, the DCDN server calculates the md5hash.

      md5hash = md5sum("/video/standard/test.mp4-1444435200-0-0-aliyuncdnexp1234") = 23bf85053008f5c0e791667a313e28ce
    3. Generate the signed URL.

      http://domain.example.com/video/standard/test.mp4?auth_key=1444435200-0-0-23bf85053008f5c0e791667a313e28ce

When a client requests a resource by using the signed URL, the DCDN server calculates a md5hash value and compares it with the md5hash value in the request (23bf85053008f5c0e791667a313e28ce). If the values match and the signed URL has not expired, authentication succeeds. Otherwise, authentication fails.