By default, content distributed through ApsaraVideo VOD is public. To prevent unauthorized downloading and hotlinking, you can use URL signing in addition to other security measures like referer-based hotlink protection and an IP address allowlist/blocklist. URL signing protects your origin server resources by validating a signature string and a timestamp included in the request URL.
How it works
URL signing for ApsaraVideo VOD coordinates between Alibaba Cloud CDN POPs and your application server to prevent unauthorized access. The process involves the following components:
- Application server: Generates a signed URL based on predefined rules, including the signing algorithm and key.
- The user's app or browser: Requests a resource by sending the signed URL to a CDN POP for validation.
- CDN POP: Validates the information in the signed URL, such as the signature string and timestamp.
The authentication process works as follows:
- You configure the rules for generating a signed URL on your application server.
- A client requests a signed URL from your application server.
- Your application server returns a signed URL for the requested resource.
- The client uses the signed URL to request the resource from a CDN POP.
- The CDN POP validates the authentication information in the signed URL.
  - If authentication fails, the request is denied.
  - If authentication succeeds, the CDN POP processes the request.
- If authentication is successful, the CDN POP serves the resource based on its caching logic.
Note:
- If the request results in a cache miss, the CDN POP performs an origin fetch. Before doing so, it removes the authentication parameters from the signed URL to restore the original URL (for example, http://DomainName/FileName). The CDN POP then uses this original URL to generate a cache key or fetch the content from your origin server.
- After the CDN authenticates the request URL, it escapes special characters in the URL, such as = and +.
Enable and configure URL signing
- Ensure that you have configured the rules for generating a signed URL on your application server, including the signing algorithm and key.
- The URL signing logic in ApsaraVideo VOD must match the logic on your application server.
- Log on to the ApsaraVideo VOD console.
- In the left-side navigation pane, choose Configuration Management > CDN Configuration > Domain Names.
- Find the domain name to configure and click Configure in the Actions column.
- Click Resource Access Control.
- Go to the URL Signing tab and click Modify in the Set URL Signing section.
- Enable URL Signing and configure the authentication parameters.
The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Type | ApsaraVideo VOD offers three signing methods to protect your origin server resources. Choose the one that fits your required signed URL format. Note: A URL signing error returns a 403 status code. Example of an MD5 hash error: X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd7**** Example of a timestamp error: X-Tengine-Error:denied by req auth: expired timestamp=143946**** |
| Primary Key | Enter the primary key for the selected signing method. The key must be 6 to 32 characters long and contain only uppercase letters, lowercase letters, and digits. |
| Secondary Key | Enter the secondary key for the selected signing method. The key must be 6 to 32 characters long and contain only uppercase letters, lowercase letters, and digits. You must provide at least one key (either Primary or Secondary). Note: Using a Secondary Key prevents service interruptions by ensuring that URLs signed with the old key remain valid during the transition. |
| Default Validity Period | Specifies how long a signed URL is valid. Access is allowed until the URL's timestamp plus this validity period. Default: 30. Unit: Minutes. Example: If the signing server generates a signed URL at 2020-08-15 15:00:00 (UTC+8) and the Default Validity Period is set to 30 minutes, the signed URL will expire at 2020-08-15 15:30:00 (UTC+8). |
| Support Previewing | The preview feature lets users watch or listen to a specific portion of a media file, such as the first five minutes. This is commonly used for subscription-based services or pay-per-view content. For more information, see Preview videos. |
- Click OK to save the configuration.
Once enabled and configured, URL signing applies globally to all content delivered through this domain name.
For resources managed through the ApsaraVideo VOD console, the console automatically generates time-limited signed URLs. You can also obtain a signed URL by calling the GetPlayInfo API operation.
Note: After you enable URL signing, it applies to the URLs of all assets, including videos, audio files, thumbnails, and snapshots.
Disable URL signing
If you disable URL signing in ApsaraVideo VOD but client requests continue to include signing parameters, ApsaraVideo VOD cannot restore the original URL. As a result, each request results in a cache miss and is forwarded to your origin server. This surge in origin fetch traffic can significantly increase your costs. To avoid this, disable URL signing in both ApsaraVideo VOD and on your application server.
- In the Set URL Signing section, click Modify.
- Disable the Signed URL switch.
- Remove the signing parameters from the request URLs generated by your application server.
Generate a signed URL
Generate from the console
After you configure URL signing, generate a signed URL from the console to verify that the signing logic is correct.
- In the Generate Signed URL section, configure the Original URL and other authentication information.
The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Original URL | Enter the complete original URL. Example: https://****.com/ecs.mp4. |
| Type | Select the signing type (A, B, or C) that you chose in the Enable and configure URL signing step. |
| Authentication Key | Enter your Primary Key or Secondary Key, as configured in the Enable and configure URL signing step. |
| Validity Period | Enter the validity period for URL signing, as configured in the Enable and configure URL signing step. The unit is seconds. For example: 1800. |
- Click Generate. The Signed URL and Timestamp are then displayed.
The generated signed URL follows the format https://<domain-name>/<path>?auth_key={timestamp}-0-0-{md5hash}. You can click the Copy button to copy the URL.
Generate with an SDK
You can also generate a signed URL by integrating the ApsaraVideo VOD SDK with your application server and calling the GetPlayInfo API operation.
Generate with code
Alternatively, you can write your own code to generate a signed URL using one of the three signing methods.
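The following is an added example, not Alibaba Cloud's code: a signer for the auth_key={timestamp}-0-0-{md5hash} format shown above, plus a local verifier that mirrors the signature and timestamp checks the CDN POP performs, including fallback to the Secondary Key. The hash input layout (path-timestamp-rand-uid-key, following the Type A scheme) and the sample keys are assumptions; this page shows only the resulting URL format.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample values, not real keys.
PRIMARY_KEY = "examplePrimaryKey01"
SECONDARY_KEY = "exampleSecondaryKey02"
VALIDITY_SECONDS = 30 * 60  # the page's default validity period


def md5hash(path, timestamp, key, rand="0", uid="0"):
    # Assumed Type A hash input: "<path>-<timestamp>-<rand>-<uid>-<key>".
    data = f"{path}-{timestamp}-{rand}-{uid}-{key}"
    return hashlib.md5(data.encode()).hexdigest()


def sign_url(url, key, now):
    """Append auth_key={timestamp}-0-0-{md5hash} to an unsigned URL."""
    parts = urlsplit(url)
    ts = int(now)
    sep = "&" if parts.query else "?"
    return f"{url}{sep}auth_key={ts}-0-0-{md5hash(parts.path, ts, key)}"


def verify_url(signed_url, keys, now, validity=VALIDITY_SECONDS):
    """Return (allowed, reason) using the two checks the page describes."""
    parts = urlsplit(signed_url)
    try:
        ts, rand, uid, digest = parse_qs(parts.query)["auth_key"][0].split("-")
        signed_at = int(ts)
    except (KeyError, ValueError):
        return False, "malformed auth_key"
    # Try every configured key so URLs signed before a rotation stay valid.
    candidates = (md5hash(parts.path, ts, k, rand, uid) for k in keys)
    if not any(hmac.compare_digest(c.encode(), digest.encode()) for c in candidates):
        return False, "invalid md5hash"
    if int(now) > signed_at + validity:
        return False, "expired timestamp"
    return True, "ok"
```

Running verify_url against URLs produced by your application server before enabling URL signing on the domain helps confirm that both sides agree on the key, the path that is hashed, and the validity window.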