URL signing protects your site resources from unauthorized downloads and hotlinking. This topic describes how type A signing works in Alibaba Cloud DCDN and provides an example.
How it works
-
Structure of a type A signed URL
http://DomainName/Filename?auth_key={<timestamp>-rand-uid-<md5hash>}NoteThe content enclosed in
{}is the signing information appended to the standard URL. -
Field descriptions
Field
Description
DomainName
The domain name of your DCDN site.
Filename
The URL for the actual origin fetch. The Filename must start with a forward slash (
/).auth_key
The signing information, consisting of timestamp, rand, uid, and md5hash.
timestamp
The time when the signing server generates the signed URL. This value and the Validity Period of Signed URL together determine when the signed URL expires. The value is a 10-digit UNIX timestamp representing the number of seconds elapsed since 00:00:00 on January 1, 1970.
NoteConfigure the TTL in the Configure URL Signing console. The signed URL expires at
timestamp+ the configured validity period.rand
A random number. Set this to a UUID without hyphens (-), for example, 477b3bbc253f467b8def6711128c7bec.
uid
User ID. This field is not used. Set it to 0.
md5hash
A 32-character string calculated by using the MD5 algorithm, consisting of digits and lowercase letters.
Calculation method:
sstring = "URI-Timestamp-rand-uid-PrivateKey" (URI is the relative path of the requested object, such as /Filename, and does not include parameters.) md5hash = md5sum(sstring) -
Authentication logic
When a DCDN server receives a resource request, it checks whether
timestamp+validity period of the signed URLis earlier than the current time.-
If
timestamp+validity period of the signed URLis earlier than the current time, the signed URL has expired and the server returns an HTTP 403 error. -
If
timestamp+validity period of the signed URLis later than the current time, the server constructs a string in thesstringformat (see thesstringformat in the table). Then, it calculates themd5hashvalue using the MD5 algorithm and compares the calculatedmd5hashvalue with themd5hashvalue in the user's request.-
If the values match, authentication is successful and the resource is returned.
NoteUpon successful authentication, the signing parameters are stripped from the URL. This improves the cache hit ratio and reduces back-to-origin traffic. For example:
-
URL with signing parameters:
http://DomainName/Filename?auth_key={<timestamp>-rand-uid-<md5hash>} -
After successful authentication:
-
URL format used to generate the cache key:
http://DomainName/FileName -
URL format for the actual origin fetch:
http://DomainName/FileName
-
-
-
If the values do not match, authentication fails and an HTTP 403 error is returned.
-
-
Signed URL example
The following example demonstrates type A signing.
-
Example conditions
-
Origin request object:
http://domain.example.com/video/standard/test.mp4NoteIf the request URL contains non-ASCII characters, you must encode the URL first. Use the encoded URL to construct the hash string. For example:
-
Original URL:
https://example.com/image/AlibabaCloud.jpg -
Encoded URL:
https://example.com/image/%E9%98%BF%E9%87%8C%E4%BA%91.jpg
-
-
The key is set to: aliyuncdnexp1234.
-
The signing server generates the signed URL at 08:00:00 on October 10, 2015 (UTC+8), which corresponds to the decimal integer value 1444435200.
-
-
Concatenation process
-
The DCDN server constructs a string to be hashed for calculating the
md5hash./video/standard/test.mp4-1444435200-0-0-aliyuncdnexp1234 -
Based on this string, the DCDN server calculates the
md5hash.md5hash = md5sum("/video/standard/test.mp4-1444435200-0-0-aliyuncdnexp1234") = 23bf85053008f5c0e791667a313e28ce -
Generate the signed URL.
http://domain.example.com/video/standard/test.mp4?auth_key=1444435200-0-0-23bf85053008f5c0e791667a313e28ce
-
When a client requests a resource by using the signed URL, the DCDN server calculates a md5hash value and compares it with the md5hash value in the request (23bf85053008f5c0e791667a313e28ce). If the values match and the signed URL has not expired, authentication succeeds. Otherwise, authentication fails.