Type B signing

更新时间:
复制 MD 格式

URL signing protects your site resources from unauthorized downloads and hotlinking. Alibaba Cloud DCDN supports four signing methods. Type B signing embeds a timestamp and an MD5 hash in the URL path for time-limited access control.

How it works

  • Structure of a signed URL for type B signing

    http://DomainName/{<timestamp>/<md5hash>}/FileName
    Note

    The content in {} is the signing information appended to the standard URL.

    Authentication fields

    Field

    Description

    DomainName

    The accelerated domain name.

    timestamp

    The time when the signing server generates the signed URL, in UTC+8 format YYYYMMDDHHMM. This field, together with the validity period, determines when the signed URL expires.

    Note

    Set the TTL in the Configure URL Signing console. After the configuration is complete, the expiration time of the signed URL is timestamp + the validity period configured for CDN.

    md5hash

    A 32-character string calculated by using the MD5 algorithm, consisting of digits 0–9 and lowercase letters a–z.

    The md5hash value is calculated from the following string.

    sstring = "Privatekey+timestamp+Path" (Path is the relative address of the requested object, which does not contain parameters, such as /Filename)
    md5hash = md5sum(sstring)

    Filename

    The path of the requested file. The path must start with /.

  • Authentication logic

    When a DCDN server receives a request, it checks whether the sum of timestamp and validity period is earlier than the current time.

    • If the sum is earlier than the current time, the URL is expired and the server returns HTTP 403.

    • If the sum is later than the current time, the server constructs a string in the sstring format, calculates the md5hash value by using the MD5 algorithm, and compares it with the md5hash value in the request.

      • If the values match, authentication succeeds and the resource is returned.

        Note

        After successful authentication, the signing parameters are stripped from the URL to restore its original format. This improves the cache hit ratio and reduces back-to-origin traffic. For example:

        • URL with authentication parameters: http://DomainName/{<timestamp>/<md5hash>}/FileName

        • After successful authentication:

          • URL used to generate the cache key: http://DomainName/FileName

          • URL used for the origin fetch: http://DomainName/FileName

      • If the values do not match, authentication fails and HTTP 403 is returned.

Signed URL example

The following example demonstrates how type B signing works.

  • Example conditions

    • Original request object:

      http://domain.example.com/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3
      Note

      If the request URL contains Chinese characters or other non-ASCII characters, you must first encode the URL. Then, use the encoded URL to construct the string for hashing. For example:

      • Original URL: https://example.com/image/AlibabaCloud.jpg

      • Encoded URL: https://example.com/image/%E9%98%BF%E9%87%8C%E4%BA%91.jpg

    • Domain name for the DCDN site (DomainName): domain.example.com.

    • Timestamp (timestamp): 201508150800.

    • Private key (Privatekey): aliyuncdnexp1234.

    • Relative path of the user request (Path): /4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3.

    • Path of the file to access for the origin fetch (Filename): /4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3.

  • Concatenation flow

    1. Construct the string for hashing:

      // sstring="Privatekey+timestamp+Path"
      sstring=aliyuncdnexp1234201508150800/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3
    2. Calculate the md5hash value:

      // md5hash = md5sum(sstring)
      md5hash = md5sum("aliyuncdnexp1234201508150800/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3") = 9044548ef1527deadafa49a890a377f0
    3. Generate the signed URL:

      // Signed URL=http://DomainName/{<timestamp>/<md5hash>}/FileName
      http://domain.example.com/201508150800/9044548ef1527deadafa49a890a377f0/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3

When a client sends a request with the signed URL, the DCDN server recalculates the md5hash value. If it matches the md5hash value in the request (9044548ef1527deadafa49a890a377f0) and the URL has not expired, authentication succeeds. Otherwise, authentication fails.