By default, content distributed by ApsaraVideo VOD is publicly available and can be accessed by using URLs. To protect your resources against hotlinking and unauthorized access, you can configure a referer whitelist or blacklist, an IP address whitelist or blacklist, and URL signing. URL signing adds signature strings and timestamps to URLs to improve access control for the origin server. This topic describes how URL signing works and how to use URL signing.
How URL signing works
URL signing uses Alibaba Cloud CDN points of presence (POPs) together with origin servers to protect origin content from hotlinking. URL signing involves the following objects:
- Origin server: The origin server signs URLs based on the URL signing rules, including authentication algorithms and cryptographic keys. Then, the origin server returns the signed URLs to clients.
- Client: The client initiates a request and sends the signed URL to POPs for authentication.
- POPs: POPs verify the authentication information that is carried by the request, including the signature and timestamp.
The following steps describe how URL signing works:
- You configure URL signing rules, including authentication algorithms and cryptographic keys, on your origin server.
  For example, http://DomainName/timestamp/md5hash/FileName is a URL signed by the origin server.
- When a client attempts to access a URL, the origin server signs the URL based on the signing rules, and then returns the signed URL to the client, as shown in Step 2 and Step 3 in the preceding figure.
- The client uses the signed URL to request resources from POPs.
- A POP checks the authentication information that is carried by the request, including the signature string and timestamp, and determines whether the request is valid.
  - If the request fails the authentication, the POP rejects the request.
  - If the request passes the authentication, the POP responds to the request.
Note
- If the requested resource is not cached on POPs, the POPs remove the authentication parameters from the URL and restore the URL to the original version before the request is redirected to the origin server. For example, the URL is restored to http://DomainName/FileName. Then, the original URL is used to generate a cache key or redirect the request to the origin server.
- After a request passes the authentication, the special characters such as equal signs (=) and plus signs (+) in the URL are escaped.
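The sign-and-verify flow above, for the http://DomainName/timestamp/md5hash/FileName layout, written out as an added example (not code from the original page or from Alibaba Cloud). It assumes the hash is MD5 over key + timestamp + path, a YYYYMMDDHHMM timestamp in UTC, and an 1800-second validity window; the function names and the key are constructed for the demo, and the Type B signing topic remains the authoritative rule.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

KEY = "constructed-demo-key"     # constructed sample key, not a real secret
TTL = timedelta(seconds=1800)    # assumed validity window configured for the POP
TS_FORMAT = "%Y%m%d%H%M"         # assumed timestamp layout (YYYYMMDDHHMM, UTC)


def _digest(key, ts, path):
    # Assumed composition: md5(key + timestamp + path), hex encoded.
    return hashlib.md5((key + ts + path).encode()).hexdigest()


def sign_url(domain, path, key, now):
    """Origin-server side: build http://DomainName/timestamp/md5hash/FileName."""
    ts = now.strftime(TS_FORMAT)
    return f"http://{domain}/{ts}/{_digest(key, ts, path)}{path}"


def verify_url(url, key, now, ttl=TTL):
    """POP side: return (allowed, restored_url). restored_url is None on reject."""
    parts = urlsplit(url)
    segments = parts.path.split("/", 3)   # ['', timestamp, md5hash, 'FileName']
    if len(segments) != 4 or not segments[3]:
        return False, None                # unsigned or malformed URL
    _, ts, supplied, rest = segments
    path = "/" + rest
    try:
        issued = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, None                # timestamp does not parse
    if now > issued + ttl:
        return False, None                # signed URL has expired
    expected = _digest(key, ts, path)
    # Constant-time comparison so response timing does not leak hash prefixes.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, None                # path or timestamp was altered
    # Authentication parameters removed: this is the URL used for the
    # cache key and for the back-to-origin request.
    return True, f"http://{parts.netloc}{path}"
```

Because the timestamp and the path are both inputs to the hash, changing either one in a signed URL invalidates the signature, and an old URL stops working once the window has passed.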
Usage
- Enable and configure URL signing.
  Enable and configure URL signing in the ApsaraVideo VOD console. For more information, see Enable and configure URL signing.
- Obtain a signed URL.
  - After URL signing is enabled, if all your resources are in the ApsaraVideo VOD console, the console will automatically generate a signed URL with an expiration time. You can also obtain the signed URL by calling the GetPlayInfo operation.
    Note: After URL signing is enabled, the URLs of video, audio, thumbnail, and snapshot files are signed.
  - If your resources are not in the ApsaraVideo VOD console, you can concatenate and generate dynamic signed URLs based on different signing types. For more information, see Type A signing, Type B signing, and Type C signing.