The URL signing feature protects resources on your site from unauthorized downloads and use. Alibaba Cloud DCDN provides four signing methods. This topic describes the principles of type B signing and provides examples.
How it works
Structure of a signed URL for type B signing
http://DomainName/{<timestamp>/<md5hash>}/FileName
Note: The content in {} represents the authentication information that is added to the standard URL.
Authentication fields
| Field | Description |
| --- | --- |
| DomainName | The domain name of your DCDN site. |
| timestamp | The time when the signing server generates the signed URL. This field, together with the validity period, controls the expiration time of the signed URL. The time is based on UTC+8 and the format is YYYYMMDDHHMM. Note: In most cases, the validity period of the signed URL is the validity period configured for DCDN. If you extend the validity period when you generate the signed URL, `timestamp` = UNIX timestamp + extended period. The actual validity period of the signed URL is `timestamp` + the period configured for DCDN. |
| md5hash | A validation string calculated using the MD5 algorithm. It is a 32-character fixed-length string that consists of digits from 0 to 9 and lowercase letters from a to z. The value of md5hash is calculated from the following string: `sstring = "Privatekey+timestamp+Path"` (Path is the relative address of the requested object, which does not contain parameters, such as /Filename), `md5hash = md5sum(sstring)`. |
| Filename | The path of the file to access for the origin fetch. For authentication, the Filename must start with a /. |

Authentication logic
After a DCDN server receives a resource access request, it checks if the sum of the timestamp and the validity period is earlier than the current time.
If the sum of the timestamp and the validity period is earlier than the current time, the server determines that the URL has expired and returns an HTTP 403 error.
If the sum of the timestamp and the validity period is later than the current time, the server constructs a string in the sstring format. For more information about the format, see the sstring format in the table. Then, the server uses the MD5 algorithm to calculate the md5hash value. The server then compares the calculated md5hash value with the md5hash value in the access request.
If the values match, authentication is successful and the resource is returned.
Note: When authentication is successful, the authentication parameters are removed from the URL and the URL is reverted to its original format. This improves the cache hit ratio and reduces back-to-origin traffic. For example:
URL with authentication parameters: http://DomainName/{<timestamp>/<md5hash>}/FileName
After successful authentication:
URL used to generate the cache key: http://DomainName/FileName
URL used for the origin fetch: http://DomainName/FileName
If the values do not match, authentication fails and an HTTP 403 error is returned.
Signed URL example
The following example shows how type B signing works.
Example conditions
Original request object: http://domain.example.com/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3
Note: If the request URL contains Chinese characters or other non-ASCII characters, you must first encode the URL. Then, use the encoded URL to construct the string for hashing. For example:
Original URL: https://example.com/image/阿里云.jpg
Encoded URL: https://example.com/image/%E9%98%BF%E9%87%8C%E4%BA%91.jpg
Domain name for the DCDN site (DomainName): domain.example.com
Timestamp (timestamp): 201508150800
Private key (Privatekey): aliyuncdnexp1234
Relative path of the user request (Path): /4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3
Path of the file to access for the origin fetch (Filename): /4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3
Concatenation flow
Construct the string for hashing:
// sstring="Privatekey+timestamp+Path"
sstring=aliyuncdnexp1234201508150800/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3
Calculate the md5hash value:
// md5hash = md5sum(sstring)
md5hash = md5sum("aliyuncdnexp1234201508150800/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3") = 9044548ef1527deadafa49a890a377f0
Generate the signed URL:
// Signed URL=http://DomainName/{<timestamp>/<md5hash>}/FileName
http://domain.example.com/201508150800/9044548ef1527deadafa49a890a377f0/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3
When a client uses the signed URL to send an access request, the DCDN server calculates the md5hash value. If the calculated value matches the md5hash value in the request, which is 9044548ef1527deadafa49a890a377f0, and the signed URL has not expired, authentication is successful. Otherwise, authentication fails.
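The signing flow and the authentication logic described above, as an added Python example (not Alibaba Cloud's code). It assumes the YYYYMMDDHHMM UTC+8 timestamp form used in the worked example and a 30-minute validity period; the function names `md5hash`, `sign_url` and `verify` are hypothetical.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

UTC8 = timezone(timedelta(hours=8))  # page: timestamp is based on UTC+8
TS_FORMAT = "%Y%m%d%H%M"             # page: YYYYMMDDHHMM


def md5hash(private_key, timestamp, path):
    # sstring = Privatekey + timestamp + Path (Path carries no query parameters)
    return hashlib.md5((private_key + timestamp + path).encode()).hexdigest()


def sign_url(domain, path, private_key, now):
    """Signing server: build http://DomainName/<timestamp>/<md5hash>/FileName."""
    path = quote(path, safe="/")  # encode non-ASCII characters before hashing
    ts = now.astimezone(UTC8).strftime(TS_FORMAT)
    return f"http://{domain}/{ts}/{md5hash(private_key, ts, path)}{path}"


def verify(request_path, private_key, validity, now):
    """Edge side: return (HTTP status, path for cache key and origin fetch)."""
    parts = request_path.split("?", 1)[0].split("/", 3)
    if len(parts) != 4 or len(parts[1]) != 12 or not parts[1].isdigit():
        return 403, None
    _, ts, received, rest = parts
    path = "/" + rest
    try:
        issued = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=UTC8)
    except ValueError:
        return 403, None
    if issued + validity < now:  # timestamp + validity period is in the past
        return 403, None
    expected = md5hash(private_key, ts, path)
    # Constant-time comparison so response timing does not reveal hash prefixes.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 403, None
    return 200, path  # authentication fields stripped from the URL


if __name__ == "__main__":
    # Inputs are the page's example values; the validity period is an assumption.
    key, obj = "aliyuncdnexp1234", "/4/44/44c0909bcfc20a01afaf256ca99a8b8b.mp3"
    t0 = datetime(2015, 8, 15, 8, 0, tzinfo=UTC8)
    url = sign_url("domain.example.com", obj, key, t0)
    req = url[len("http://domain.example.com"):]
    print(url, verify(req, key, timedelta(minutes=30), t0 + timedelta(minutes=10)))
    print(verify(req, key, timedelta(minutes=30), t0 + timedelta(hours=1)))
```

Pass `sign_url` the unencoded path, because it applies the percent-encoding itself and an already encoded path would be encoded twice.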