Referer-based hotlink protection is not completely secure. We recommend that you also use URL signing to protect ApsaraVideo Live resources against illegal downloads and unauthorized operations. This topic describes how to configure URL signing in the ApsaraVideo Live console.
How URL signing works
ApsaraVideo Live works with your live streaming server to implement URL signing to protect live streaming resources against hotlinking in a more secure and reliable manner.
Your live streaming server provides a signed URL that contains authentication information.
Stream ingest or streaming users send a request to ApsaraVideo Live by using the signed URL.
ApsaraVideo Live verifies the authentication information in the signed URL to determine whether the request is valid. ApsaraVideo Live accepts valid requests and rejects invalid requests.
After a request URL is authenticated by ApsaraVideo Live, special characters such as equal signs (=
) and plus signs (+
) in the URL are escaped.
For more information about the scenarios of URL signing, how it works, and the composition of a signed URL, see URL signing.
Enable URL signing
- Log on to the ApsaraVideo Live console.
In the left-side navigation pane, click Domain Names. The Domain Management page appears.
Find the streaming domain that you want to configure and click Domain Settings in the Actions column.
Choose .
Click the URL Signing tab. Then, click Change Settings.
NoteBy default, URL signing is enabled for a domain name that you add. If you disable URL signing, make sure that you understand the risks of unauthorized use of your resources and agree to the Disclaimer for Disabling URL Signing.
When URL signing is enabled, you can click Change Settings to modify the URL signing settings. When URL signing is disabled, you can turn on URL Signing and then configure the URL signing settings.
Configure the URL signing settings and click OK.
The following table describes the parameters.
Parameter
Description
Authentication Type
ApsaraVideo Live streaming domains support only the authentication type of Type A to protect resources on the origin server.
NoteIf URL signing fails, HTTP status code 403 is returned. In this case, you must recalculate the signature.
Invalid MD5 value
Example:
X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be
Invalid timestamp
Example:
X-Tengine-Error:denied by req auth: expired timestamp=1439469547
Primary Key
After you add a domain name, ApsaraVideo Live generates a random primary key for the domain name. In the left-side navigation pane of the ApsaraVideo Live console, click Domain Names. Find the domain name that you want to configure and click Domain Settings in the Actions column. On the page that appears, choose
. On the URL Signing tab, you can view the primary key and can also change the primary key.Secondary Key
Specify a custom secondary key.
Validity Period
The signed URL can be used to initiate stream ingest or streaming requests only within the validity period. Persistent connections are established for stream ingest and streaming. Stream ingest and streaming requests that are initiated within the validity period are not dropped after the validity period expires. New stream ingest and streaming requests fail to be initiated after the validity period expires.
The default validity period for a signed URL under a domain name that you add is 1 day or 1,440 minutes. You can specify a custom validity period for the signed URL. The minimum value is 1 minute. There is no upper limit.
Disable URL signing
If you disable URL signing, make sure that you understand the risks of unauthorized use of your resources and agree to the Disclaimer for Disabling URL Signing.
After you disable URL signing, you can generate permanently valid ingest URLs and streaming URLs. If URL signing is enabled, you can specify the validity period of signed URLs based on your business requirements.
On the URL Signing tab, click Sign Agreement.
In the Sign Agreement dialog box, tick the checkbox and click Sign.
After the Disclaimer for Disabling URL Signing is signed, click OK.
Turn off URL Signing. After URL signing is disabled, you cannot encrypt URLs by setting cryptographic keys.