By default, content that is distributed by Alibaba Cloud CDN is publicly available: anyone who knows the URL can retrieve it. If you want to prevent hotlinking and unauthorized access to your resources, you can use Referer whitelists and blacklists, IP address whitelists and blacklists, and URL signing to manage access control. URL signing adds a signature string and a timestamp to each URL so that only URLs generated by your origin server, and only for a limited time, are served.
Authentication logic
Points of presence (POPs) work with origin servers to implement URL signing to protect resources on the origin servers in a more secure and reliable manner. URL signing involves the following objects:
Origin server: The origin server signs URLs based on URL signing rules, including signing algorithms and cryptographic keys. Then, the origin server returns the signed URLs to clients.
Client: The client initiates a request and sends the signed URL to the POP for authentication.
POP: The POP verifies the signing information that is carried by the request, including the signature and timestamp.
You configure URL signing rules, including signing algorithms and cryptographic keys, on your origin server.
For example, http://DomainName/timestamp/md5hash/FileName is a URL signed by the origin server. When a client attempts to access a resource, the origin server signs the URL based on the URL signing rules and returns the signed URL to the client, as shown in Step 2 and Step 3 in the preceding figure.
The client uses the signed URL to request resources from the POP, as shown in Step 4 in the preceding figure.
The POP verifies the signing information, including the signature and timestamp, in the signed URL and determines whether the request is valid.
If the request fails the authentication, the POP rejects the request.
If the request passes the authentication, the POP responds to the request.
Note: If the requested resource is not cached on the POP, the POP removes the URL signing parameters and restores the original URL before the request is forwarded to the origin server. For example, the URL is restored to http://DomainName/FileName. The original URL is used both to generate the cache key and as the URL of the back-to-origin request. After a request passes authentication, special characters such as equal signs (=) and plus signs (+) in the URL are escaped.
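The flow described above, as an added example that is not Alibaba Cloud's code: a Python signer for the origin-server side and a verifier for the POP side, using the http://DomainName/timestamp/md5hash/FileName layout. The key values, the domain, the file path, and the signature string layout (MD5 over key + decimal Unix timestamp + path) are assumptions chosen for the illustration; each real signing type defines its own string layout, so confirm the output against the console's Generate Signed URL tool before relying on it. The verifier applies the timestamp + TTL expiry rule documented for the TTL parameter (the worked 2020-08-15 15:00:00 UTC+8 case is reproduced), rejects with HTTP 403 using the same reason texts as the X-Tengine-Error examples on this page, accepts either the primary or the secondary key (an assumption, so that keys can be rotated), and strips the signing parameters to recover the original URL used as the cache key and for the back-to-origin request.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Iterable, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed values for this example. In Alibaba Cloud CDN the key is the
# Primary Key or Secondary Key configured in the console and mirrored on the
# origin server; a TTL of 1800 seconds is the console default.
PRIMARY_KEY = "k3yPrimary2020"
SECONDARY_KEY = "k3ySecondary2020"
TTL_SECONDS = 1800


def md5hash(key: str, timestamp: int, path: str) -> str:
    """Signature over key, decimal Unix timestamp and request path.

    ASSUMPTION: the concatenation order key + timestamp + path is chosen for
    this example only. Each Alibaba signing type defines its own layout, so
    compare the result with the console's Generate Signed URL tool before use.
    """
    return hashlib.md5(f"{key}{timestamp}{path}".encode("utf-8")).hexdigest()


def sign_url(original_url: str, key: str, timestamp: int) -> str:
    """Origin-server side: turn http://DomainName/FileName into
    http://DomainName/timestamp/md5hash/FileName. The query string is kept."""
    parts = urlsplit(original_url)
    path = parts.path or "/"
    signed_path = f"/{timestamp}/{md5hash(key, timestamp, path)}{path}"
    return urlunsplit((parts.scheme, parts.netloc, signed_path, parts.query, ""))


def verify_signed_url(signed_url: str, keys: Iterable[str], ttl: int,
                      now: int) -> Tuple[int, str]:
    """POP side. Returns (403, reason) for a rejected request, where reason
    mirrors the X-Tengine-Error texts, or (200, origin_url) where origin_url
    is the URL with the signing parameters removed, i.e. the cache key and the
    URL sent to the origin on a cache miss.
    ASSUMPTION: primary and secondary keys are both accepted, which allows
    rotation without a cut-over window."""
    parts = urlsplit(signed_url)
    segments = parts.path.split("/", 3)  # ['', timestamp, md5hash, FileName]
    if len(segments) != 4 or not segments[1].isdigit():
        return 403, "denied by req auth: missing signing parameters"
    timestamp, given, path = int(segments[1]), segments[2], "/" + segments[3]
    # Expiry is timestamp + TTL, as documented for the TTL parameter.
    if now > timestamp + ttl:
        return 403, f"denied by req auth: expired timestamp={timestamp}"
    # Constant-time comparison against every configured key.
    if not any(hmac.compare_digest(md5hash(k, timestamp, path).encode(), given.encode())
               for k in keys):
        return 403, f"denied by req auth: invalid md5hash={given}"
    return 200, urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))


def local_to_timestamp(year: int, month: int, day: int, hour: int, minute: int,
                       utc_offset_hours: int = 8) -> int:
    """Unix timestamp for a wall-clock time in the page's UTC+8 example zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(datetime(year, month, day, hour, minute, tzinfo=tz).timestamp())


def expiry_time(timestamp: int, ttl: int, utc_offset_hours: int = 8) -> str:
    """Expiry instant of a signed URL as 'YYYY-MM-DD HH:MM:SS' in the given zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(timestamp + ttl, tz).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    # Worked case from the TTL parameter: signed at 2020-08-15 15:00:00 UTC+8, TTL 1800.
    ts = local_to_timestamp(2020, 8, 15, 15, 0)
    signed = sign_url("http://cdn.example.com/video/movie.mp4?quality=hd", PRIMARY_KEY, ts)
    keys = (PRIMARY_KEY, SECONDARY_KEY)
    print(signed, "valid until", expiry_time(ts, TTL_SECONDS))
    print(verify_signed_url(signed, keys, TTL_SECONDS, now=ts + 60))      # 200 + restored URL
    print(verify_signed_url(signed, keys, TTL_SECONDS, now=ts + 1801))    # 403 expired
    print(verify_signed_url(signed.replace("movie", "other"), keys, TTL_SECONDS, now=ts))  # 403 md5
```

Because expiry is timestamp + TTL, a signer whose clock runs ahead, or that deliberately dates timestamps in the future, lengthens the validity window; keep the origin server's clock synchronized and set the TTL no longer than clients need. The key is the only secret in the scheme: anyone who obtains it can mint valid URLs for any path, so never embed it in client-side code, and rotate it through the secondary key rather than by changing the primary key in place.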
Usage notes
After you configure URL signing, requests that fail the authentication can still reach POPs. However, POPs reject the requests and return an HTTP 403 status code. The requests are recorded in Alibaba Cloud CDN logs.
In URL signing, the POP verifies the signature string (md5hash) and the timestamp in the signed URL. You are charged for the data transfer that is generated when POPs block malicious requests. If clients request resources over HTTPS, you are also charged for the HTTPS requests.
Configure and enable URL signing
Before you enable URL signing, make sure that you have configured URL signing rules, including signing algorithms and cryptographic keys, on the origin server.
The authentication logic on POPs (signing type, key, and TTL) must be the same as the authentication logic on the origin server; otherwise, URLs signed by the origin server are rejected by POPs.
Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
In the left-side navigation tree of the domain name, click Access Control.
Click the URL Signing tab.
In the URL Signing section, click Modify.
In the Set URL Signing dialog box, turn on URL Signing and configure the parameters as described in the following table.
Parameter
Description
Type
Alibaba Cloud CDN supports four URL signing types. You can select a signing type based on your business requirements to protect resources on your origin server. Supported signing types are:
Note: If URL signing fails, the HTTP 403 status code is returned, and the X-Tengine-Error response header indicates the cause. The following items describe the possible causes:
Invalid MD5 values
Example:
X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be
Invalid timestamps
Example:
X-Tengine-Error:denied by req auth: expired timestamp=1439469547
Primary Key
Specify the primary key for the selected signing type. The key must be 6 to 128 characters in length and can contain letters and digits.
Secondary Key
Specify the secondary key for the selected signing type. The key must be 6 to 128 characters in length and can contain letters and digits. You must specify either the primary key or secondary key.
TTL
Specify a time-to-live (TTL) value for signed URLs. Clients can retrieve resources from POPs until the signed URL expires. The expiration time of a signed URL is the timestamp value plus the TTL value.
Unit: seconds.
Valid values: 1 to 31536000.
Default value: 1800, which equals 30 minutes.
For example, the timestamp of a signed URL is 2020-08-15 15:00:00 (UTC+8), and the TTL value is 1800. In this case, the signed URL remains valid until 15:30:00 on August 15, 2020 (UTC+8).
Signature Parameter
Specify a custom signature parameter. This parameter takes effect only when the Type parameter is set to Type F.
Timestamp Parameter
Specify a custom timestamp parameter. This parameter takes effect only when the Type parameter is set to Type F.
Timestamp Format
Specify the timestamp format. Valid values: Decimal (Unix Timestamp) and Hexadecimal (Unix Timestamp). This parameter takes effect only when the Type parameter is set to Type F.
URL Encoding
The URL encoding switch is turned off by default. If this switch is turned on, URL encoding is performed on the request URL. This parameter takes effect only when the Type parameter is set to Type F.
Rule Condition
Rule conditions identify parameters in a request to determine whether this configuration applies to the request. Valid values: Do not use conditions, or select rule conditions that you configured in Rules Engine. For more information, see Rules engine.
Click OK.
Check the URL signing result
To ensure that the authentication logic is correctly implemented, we recommend that you run a test in the Alibaba Cloud CDN console to check whether URLs can be correctly signed.
In the Generate Signed URL section, set Original URL and other parameters.
Parameter
Description
Original URL
Enter a complete URL, such as https://www.aliyun.com.
Type
Select the URL signing type that you specified in the Configure and enable URL signing section.
Cryptographic Key
Enter the Primary Key or Secondary Key that you specified in the Configure and enable URL signing section.
TTL
Enter the validity period of the signed URL that you specified in the Configure and enable URL signing section. Unit: seconds.
Click Generate to obtain the Signed URL and Timestamp.
Disable URL signing
If URL signing is disabled on POPs but client requests still carry URL signing parameters, the POPs no longer strip those parameters. The timestamp and signature then become part of the cache key, so the requests cannot hit the cache on the POPs and are forwarded to the origin server. This increases traffic on the origin server and data transfer fees. If you want to disable URL signing, disable it on both the origin server and the POPs.
In the Alibaba Cloud CDN console, go to the URL Signing section, click Modify, and then turn off URL Signing.
On the origin server, delete the URL signing settings.