By default, content that is distributed by Dynamic Content Delivery Network (DCDN) is publicly available: anyone who knows a URL can access the content. To protect your resources against hotlinking and unauthorized access, you can use Referer whitelists and blacklists, IP whitelists and blacklists, and URL signing to manage access control. URL signing adds a signature string and a timestamp to each URL so that only URLs generated by your origin server, and only for a limited time, are accepted. This topic describes how URL signing works, how to enable or disable URL signing, and how to verify the URL signing settings.
How URL signing works
Points of presence (POPs) work with origin servers to implement URL signing to protect resources on the origin servers in a more secure and reliable manner. URL signing involves the following objects:
Origin server: The origin server signs URLs based on URL signing rules, including signing algorithms and cryptographic keys. Then, the origin server returns the signed URLs to clients.
Client: The client initiates a request and sends the signed URL to the POP for authentication.
POP: The POP verifies the signing information that is carried by the request, including the signature and timestamp.
You need to configure URL signing rules, including signing algorithms and cryptographic keys, on your origin server.
For example, http://DomainName/timestamp/md5hash/FileName is a URL signed by the origin server.
When a client attempts to access a URL, the origin server signs the URL based on the URL signing rules and returns the signed URL to the client, as shown in Step 2 and Step 3 in the preceding figure.
The client uses the signed URL to request resources from the POP, as shown in Step 4 in the preceding figure.
The POP verifies the signing information, including the signature and timestamp, in the signed URL and determines whether the request is valid.
If the request fails the authentication, the POP rejects the request.
If the request passes the authentication, the POP responds to the request.
Note: If the requested resource is not cached on the POP, the POP removes the URL signing parameters from the URL and restores the URL to the original version before the request is redirected to the origin server. For example, the URL is restored to http://DomainName/FileName. Then, the original URL is used to generate a cache key or the request is redirected to the origin server. After a request passes the authentication, special characters such as equal signs (=) and plus signs (+) in the URL are escaped.
Configure and enable URL signing
Before you enable URL signing, make sure that you have configured URL signing rules, including signing algorithms and cryptographic keys, on the origin server.
The authentication logic on POPs must be the same as the authentication logic on the origin server.
Log on to the DCDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name that you want to configure and click Configure.
In the left-side navigation tree of the domain name, click Access Control.
Click the URL Authentication tab.
Turn on URL Authentication Setting.
In the URL Authentication dialog box, configure the parameters according to the following table.
Parameter: Authentication Type
Description: DCDN supports three URL signing types. You can select a signing type based on your business requirements to protect resources on your origin server. Supported signing types:
Note: If URL signing fails, the HTTP 403 status code is returned. The following items describe the possible causes:
Invalid MD5 values. Example:
X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be
Invalid timestamps. Example:
X-Tengine-Error:denied by req auth: expired timestamp=1439469547
Parameter: Primary Key
Description: Specify the primary key for the selected signing type. The key must be 6 to 128 characters in length and can contain letters and digits.
Parameter: Secondary Key
Description: Specify the secondary key for the selected signing type. The key must be 6 to 128 characters in length and can contain letters and digits. You must specify either the primary key or the secondary key.
Parameter: Validity Period
Description: Specify a validity period for signed URLs. Users can access points of presence (POPs) before the signed URLs expire. The expiration time of a signed URL is the timestamp value plus the validity period.
Unit: seconds.
Valid values: 1 to 31536000.
Default value: 1800, which is equal to 30 minutes.
For example, the timestamp when the signing server generates a signed URL is 2020-08-15 15:00:00 (UTC+8), and the value of Validity Period is 1800. In this case, the signed URL remains valid until 15:30:00 on August 15, 2020 (UTC+8).
Click OK.
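The following Python script is an added illustration of the signing flow described under "How URL signing works" and of the Validity Period calculation in the table above; it is not code from the DCDN documentation or from Alibaba Cloud. It models the origin-server side (signing a URL into the http://DomainName/timestamp/md5hash/FileName layout), the POP side (checking the timestamp against the validity period and the md5hash against the key, producing the same two failure reasons the X-Tengine-Error examples show), and the cache-key step that restores http://DomainName/FileName. The exact string that is hashed (here: key + timestamp + path, in that order) and the use of a Unix timestamp are assumptions made for this example, because the page does not state the concatenation rule of any signing type; whatever rule the POP's configured signing type uses, the origin server must implement exactly the same one. The key is a constructed sample value.

```python
import hashlib
import hmac
import time
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

# Constructed sample key for this example. In DCDN this is the Primary Key or
# Secondary Key configured in the console (6 to 128 letters and digits).
SIGNING_KEY = "example0key0for0demo"

# Validity period in seconds; the DCDN default is 1800 (30 minutes).
VALIDITY_PERIOD = 1800


def _md5hash(key, timestamp, file_name):
    """ASSUMPTION: the signed string is key + timestamp + path, in that order.
    The page does not state the concatenation rule; the POP's signing type
    defines it and the origin server must use the identical rule."""
    payload = f"{key}{timestamp}{file_name}".encode("utf-8")
    return hashlib.md5(payload).hexdigest()


def sign_url(original_url, key=SIGNING_KEY, now=None):
    """Origin-server side: http://DomainName/FileName ->
    http://DomainName/timestamp/md5hash/FileName."""
    if now is None:
        now = int(time.time())
    parts = urlsplit(original_url)
    file_name = parts.path or "/"          # path component, starts with "/"
    signed_path = f"/{now}/{_md5hash(key, now, file_name)}{file_name}"
    return urlunsplit((parts.scheme, parts.netloc, signed_path, parts.query, parts.fragment))


def split_signed_url(signed_url):
    """Return (timestamp, md5hash, file_name, parts), or None if the path
    does not follow the /timestamp/md5hash/FileName layout."""
    parts = urlsplit(signed_url)
    segments = parts.path.split("/", 3)    # ['', timestamp, md5hash, FileName]
    if len(segments) != 4 or not segments[1].isdigit():
        return None
    return int(segments[1]), segments[2], "/" + segments[3], parts


def verify_url(signed_url, key=SIGNING_KEY, validity=VALIDITY_PERIOD, now=None):
    """POP side: returns (True, "ok") or (False, reason). The failure reasons
    mirror the "expired timestamp" and "invalid md5hash" causes of a 403."""
    if now is None:
        now = int(time.time())
    parsed = split_signed_url(signed_url)
    if parsed is None:
        return False, "malformed"
    timestamp, md5hash, file_name, _ = parsed
    # Expiration time = timestamp + validity period; reject anything later.
    if now > timestamp + validity:
        return False, f"expired timestamp={timestamp}"
    expected = _md5hash(key, timestamp, file_name)
    # Constant-time comparison so the check does not leak which bytes differ.
    if not hmac.compare_digest(expected, md5hash):
        return False, f"invalid md5hash={md5hash}"
    return True, "ok"


def restore_original_url(signed_url):
    """Strip the signing segments so the cache key and the back-to-origin
    request use http://DomainName/FileName, as the Note above describes."""
    parsed = split_signed_url(signed_url)
    if parsed is None:
        return signed_url
    _, _, file_name, parts = parsed
    return urlunsplit((parts.scheme, parts.netloc, file_name, parts.query, parts.fragment))


def expiration_time(timestamp, validity=VALIDITY_PERIOD, utc_offset_hours=8):
    """Human-readable expiration time (default UTC+8, as in the docs' example)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(timestamp + validity, tz=tz).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    # 2020-08-15 15:00:00 UTC+8, the signing time used in the docs' example.
    sign_time = 1597474800
    url = sign_url("http://example.com/video/a.mp4", now=sign_time)
    print("signed  :", url)
    print("expires :", expiration_time(sign_time), "(UTC+8)")
    print("verify  :", verify_url(url, now=sign_time + 60))
    print("late    :", verify_url(url, now=sign_time + 1801))
    print("cachekey:", restore_original_url(url))
```

The verifier deliberately checks the timestamp before the hash and returns a distinct reason for each failure, matching the two X-Tengine-Error messages; a tampered path or a key mismatch between origin server and POP surfaces as "invalid md5hash", a stale URL as "expired timestamp".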
Check the URL authentication result
To ensure that the signing logic is correctly implemented, we recommend that you run a test in the DCDN console to check whether URLs are correctly signed.
In the Generate Encrypted URL for Testing section, configure Original URL and the other parameters according to the following table.
Parameter: Original URL
Description: Enter a complete URL, such as https://www.aliyun.com.
Parameter: Authentication Type
Description: Select the URL signing type that you specified in Configure and enable URL signing.
Parameter: Authentication Key
Description: Enter the Primary Key or Secondary Key that you specified in Configure and enable URL signing.
Parameter: Validity Period
Description: Enter the validity period of the signed URL that you specified in Configure and enable URL signing. Unit: seconds.
Click Generate to obtain the Authentication URL and Timestamp.
Disable URL signing
If URL signing is disabled on POPs but user requests still carry URL signing parameters, the POPs do not remove the URL signing parameters. In this case, the requests cannot hit the cache on the POPs and are redirected to the origin server. This increases network traffic on the origin server and data transfer fees. If you want to disable URL signing, make sure that URL signing is disabled on both the origin server and the POPs.
On the URL Authentication tab of the DCDN console, turn off URL Authentication Setting.
On the origin server, delete the URL signing settings.