To protect ApsaraVideo Live resources from unauthorized use, use URL signing, IP blacklists and whitelists, and remote authentication. These methods enhance the security and user experience of your live video streams.
Overview
Access control for ingest domains is essential to secure your resources and prevent unauthorized access. It includes the following methods:
URL signing: Overcomes the limitations of Referer-based hotlink protection by verifying the legitimacy of every request.
IP blacklist and whitelist: Restricts or allows access from specific IP addresses, enabling visitor identification and filtering.
Remote authentication: Forwards user requests to a designated authentication server for validation, offering greater flexibility and enhanced security.
URL signing
Introduction
URL signing works with your business server to provide a secure method for protecting live stream resources. Workflow:
Your business server generates a signed URL that contains authentication information.
The end user use this signed URL to initiate a stream ingest request to ApsaraVideo Live.
An edge node of ApsaraVideo Live decodes and validates the URL signature. If invalid, it rejects the request.
After ApsaraVideo Live authenticates the request URL, special characters in the URL (such as = and +) are escaped.
For more information about applicable scenarios, signed URL structure, and working principles, see Signed ingest and streaming URLs.
Procedure
- Log on to the ApsaraVideo Live console.
In the left navigation pane, click Domain Names. The Domain Management page appears.
Find the ingest domain that you want to manage and click Domain Settings in the Actions column.
Choose Streaming Management > Access Control.
Click the URL Signing tab and then click Modify.
The authentication configuration section includes the URL Signing toggle, Authentication Type (for example, Type A), Primary Key, Secondary Key, and Validity Period (in minutes).
NoteURL signing is enabled by default when you add a domain. To disable it for the first time, you must acknowledge the risk of unauthorized usage and sign the Liability Waiver Agreement.
If URL signing is enabled, click Modify to update the settings. If you previously disabled URL signing, simply turn on the URL Signing toggle to reconfigure it.
Configure the URL signing settings and click OK.
Parameter
Description
Authentication Type
Ingest domains support only Type A signing.
NoteAll URL signing errors return a 403 error. If you encounter this, recalculate the signature.
To diagnose the exact cause of the failure, check the
X-Tengine-Errorheader in the HTTP response:MD5 calculation errors
Example:
X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760beTimestamp errors
Example:
X-Tengine-Error:denied by req auth: expired timestamp=1439469547
Primary Key
When you add a domain, the console randomly generates a primary key. You can also enter a custom primary key.
Secondary Key
Enter a backup password for URL authentication.
NoteThe primary and secondary keys have equal validity. The secondary key is mainly used for smooth key rotation.
If you update the primary key, all URLs signed with the old primary key become invalid. To avoid disruption, copy the old primary key to the secondary key field so it continues to work during the transition.
Validity Period
The validity period defines how long the signed URL remains valid for initiating ingest or playback. Live ingest and playback use long-lived connections. Once started within the validity period, these sessions continue even after expiration. However, new ingest or playback requests fail if the URL has expired.
The default validity period for a newly added domain is 1 day (1440 minutes). You can customize this value in minutes.
IP blacklist and whitelist
Introduction
IP blacklist: IP addresses added to the blacklist will be denied access to the accelerated domain.
IP whitlist: Only IP addresses added to the whitelist are allowed to access the accelerated domain.
Both blacklist and whitelist support IPv6 addresses under the following formatting rules:
Any hexadecimal letters in the IPv6 address must be in uppercase, such as
2001:DB8:0:23:8:800:200C:417A.Abbreviated IPv6 formats using double colons (
::) are not supported, such as2001:0DB8::0008:0800:200C:417A.
Both blacklist and whitelist support CIDR blocks. For example,
192.168.0.0/24.
Procedure
- Log on to the ApsaraVideo Live console.
In the left navigation pane, click Domain Names. The Domain Management page appears.
Find the ingest domain that you want to manage and click Domain Settings in the Actions column.
Choose Streaming Management > Access Control.
Click the IP Blacklist or Whitelist tab and enable the feature.
Set the List Type and Rule, then click OK.
Blacklist and whitelist are mutually exclusive; only one can be active at a time. You can configure a maximum of 1,000 IPv6 addresses or 3,000 IPv4 addresses. Separate entries with line breaks, with no duplicate entries. CIDR notation is supported (for example,
127.0.0.0/24). IPv6 addresses are case-insensitive and do not support the::abbreviated format.Type
Description
IP Blacklist
IP addresses added to the blacklist will be denied access to the accelerated domain.
Whitelist
Only IP addresses added to the whitelist are allowed to access the accelerated domain.
Remote authentication
Introduction
Both remote authentication and URL signing protect live stream resources by ensuring only authorized users can access them. They differ in implementation:
URL signing: You provide the authentication rules to the live center, which handles the entire authentication process.
Remote authentication: You maintain your own authentication server. When the live center receives a user request, it forwards the request to your authentication server for validation. You are responsible for setting up and managing this server. Remote authentication does not support HTTP Live Streaming (HLS).
The data flow for remote authentication is as follows:
Step | Description |
① | The user sends a resource access request containing authentication parameters to the live center. |
② | The live center receives the request and forwards it directly (or after applying specified rules) to the authentication server. |
③ | The authentication server evaluates the request using the provided parameters and returns the result to the live center. |
④ | The live center takes action based on the authentication result and returns data to the user.
|
Procedure
- Log on to the ApsaraVideo Live console.
In the left navigation pane, click Domain Names. The Domain Management page appears.
Find the ingest domain that you want to manage and click Domain Settings in the Actions column.
Choose Streaming Management > Access Control.
Click the Remote Authentication tab, turn on the toggle, and configure the parameters as prompted.
NoteAfter enabling remote authentication, every user request is forwarded to your authentication server. Under high traffic, ensure your server can handle the load and perform well.
Parameter
Description
Authentication Server Address
The publicly accessible address of your authentication server. The system validates the format and value of the address you enter. You can use a fixed URL or a variable-based URL.
Fixed URL: Supports HTTP(S). Values must not include 127.0.0.1 or localhost, as these are invalid. Examples:
http(s)://example.aliyundoc.com/auth
http(s)://192.0.2.1/auth
Variable-based URL: Construct the authentication URL using variables. For details, see Variable-Based URLs.
Request Method
Specifies the HTTP request method that the live center uses to send authentication requests to your authentication server. Valid values: GET and POST.
Pass Through URL Parameters
Controls which parameters from the user's request URL are used for authentication. Choose Specified Parameters Passed, Specified Parameters Not Passed, or None.
NoteIf you select Specified Parameters Passed or Specified Parameters Not Passed, enter the parameter names in the field below, separated by commas (,). Example:
key1,key2,key3.HTTP Status Code to Return
The HTTP status code your authentication server returns to the live center upon successful authentication. Choose one of the following:
Successful Authentication: After selecting this option, enter a custom success status code. The live center allows the request only if your server returns this exact code. All other codes result in rejection.
Example: Set the success status code to 200. If your server returns 200, authentication succeeds.
Failed Authentication: After selecting this option, enter a custom failure status code. The live center blocks the request only if your server returns this exact code. All other codes result in approval.
Example: Set the failure status code to 403. If your server returns 403, authentication fails.
Authentication Duration (s)
This measures the time from when the live center sends the authentication request until it receives a response from your server.
Enter an integer from 0 to 30.
Retries on Timeout
The number of times the live center retries your authentication server after a timeout. Once retries are exhausted, the live center performs the action specified under "Action After Timeout."
Action After Timeout
The action the live center takes when authentication times out. Supported actions are Allow and Deny:
Allow: On timeout, the live center permits the user request.
Deny: On timeout, the live center rejects the request and returns a failure status code (for example, 403) to the user.
Asynchronous Authentication
When enabled, playback starts without waiting for the remote authentication result. If authentication later fails, playback stops. This avoids increased time to first frame caused by synchronous remote authentication delays. After switching between synchronous and asynchronous authentication, test to ensure it works as expected.
Click OK to complete the configuration.
After configuring remote authentication, you can modify or disable it on the Remote Authentication tab.
Construct a URL with variables
You can construct the authentication server URL using variables as described below:
Type | Description |
Numeric Variables | Numeric variables like For example, if the ingest URL is |
Alphabetic Variables | Alphabetic variables like For example, if the ingest URL is |
Custom Variables | Custom variables start with the prefix |
NGX Variables | All All referenced values are processed by the URL escape function |
Stream Name Variable | You can use |
If the ingest or playback URL is rtmp://domain.aliyundoc.com/app/stream?token=***&name=xrc,
and the remote authentication server address is configured as http://auth.aliyundoc.com/?app=${udv_host}&streamname=${2}&appname=${1}&token=${arg_token},
then the actual authentication URL becomes http://auth.aliyundoc.com/?app=domain.aliyundoc.com&streamname=stream&appname=app&token=***.