ApsaraVideo VOD: Type A signing

Last Updated: May 06, 2023

ApsaraVideo VOD allows you to use the URL signing feature to protect origin content from unauthorized downloads and access. The URL signing feature supports three signing types. This topic describes how type A signing works.

How it works

How a URL is signed based on type A

http://DomainName/Filename?auth_key=timestamp-rand-uid-md5hash

Fields in a signed URL

| Field | Description |
| --- | --- |
| DomainName | The domain name for ApsaraVideo VOD. |
| Filename | The actual URL that points to the requested resource on the origin server. The value of the Filename field must start with a forward slash (/). |
| auth_key | The cryptographic key that you specified. |
| timestamp | The time when a signed URL is generated. The timestamp and the default validity period specify the time when a signed URL expires. The time is in UTC+8 and follows the YYYYMMDDHHMM format. Note: In most cases, a signed URL expires after the default validity period that you specified in ApsaraVideo VOD elapses. If you specify a validity period for a signed URL on the signing server, the timestamp and validity period of the signed URL are calculated based on the following formula: Timestamp = UNIX timestamp on the signing server + Configured validity period on the signing server. Validity period = Timestamp + Default validity period. |
| rand | A random number. In most cases, the value of this field is set to 0. If you want to generate a different URL each time, we recommend that you use a UUID. The value cannot contain hyphens (-). Example: 477b3bbc253f467b8def6711128c****. |
| uid | The user ID. Set this field to 0. |
| md5hash | The string that is calculated by using the MD5 algorithm. The string must be 32 characters in length and can contain digits and lowercase letters. |

md5hash is calculated based on the following string:

    sstring = "URI-timestamp-rand-uid-PrivateKey"
    md5hash = md5sum(sstring)

  • URI: the relative path of the requested file, excluding the parameters. Example: /Filename.

  • PrivateKey: the primary key or the secondary key that you configured in the ApsaraVideo VOD console. For more information, see Enable and configure URL signing.

  • md5sum: the function that is used to calculate the MD5 hash value. Use the MD5 hash calculation function that is provided by your development language.

Signing logic

When an Alibaba Cloud CDN point of presence (POP) receives a request, the POP checks whether the time that is calculated by adding the values of timestamp and default validity period is earlier than the current time.

  • If the time that is calculated by adding the values of timestamp and default validity period is earlier than the current time, the POP determines that the URL is expired and returns the HTTP 403 status code.

  • If the time calculated by adding timestamp and default validity period is later than the current time, the POP generates a string based on sstring described in the preceding table. Then, the POP uses the MD5 algorithm to calculate the value of md5hash and compares the calculated md5hash value with the md5hash value in the request.

    • If the two values are different, the authentication fails. The POP returns the HTTP 403 status code.

    • If the two values are the same, the request passes the authentication. The POP returns the requested resource.

      Note

      If the request passes the authentication, authentication-specific parameters are removed from the URL to increase the cache hit ratio and reduce origin traffic.

      • The format of the URL in the back-to-origin request is http://DomainName/FileName.

      • The format of the URL that is used to generate a cache key is http://DomainName/FileName.

Sample of signed URL concatenation

The following example shows how to implement type A signing.

Sample conditions

  • Retrieve an object from the origin server:

    http://example.aliyundoc.com/video/standard/test.mp4

    Note

    If the URL of the object that you retrieve from the origin server contains Chinese characters, you must encode the URL before you concatenate a signed URL.

  • Set PrivateKey to aliyunvodexp1234.

  • Convert the time when the signed URL is generated, 2021-08-01 00:00:00 (UTC+8), to the decimal integer 1627747200.

Concatenation procedure

  1. Generate a signature string that is used to calculate the md5hash value.

    /video/standard/test.mp4-1627747200-0-0-aliyunvodexp1234

  2. Calculate the md5hash value based on the signature string.

    HashValue = md5sum("/video/standard/test.mp4-1627747200-0-0-aliyunvodexp1234") = 0e9048c8c7de46b6015618f42de7****

  3. Generate a signed URL.

    http://example.aliyundoc.com/video/standard/test.mp4?auth_key=1627747200-0-0-0e9048c8c7de46b6015618f42de7****

If a client uses a signed URL to request a resource, the POP compares the calculated md5hash value with the md5hash value in the request. If the two values are the same, such as 0e9048c8c7de46b6015618f42de7****, the request passes the authentication. Otherwise, the authentication fails.
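
The concatenation procedure and the POP-side check described under "Signing logic", as an added Python example (not Alibaba Cloud's code). It follows the worked sample in using a decimal UNIX timestamp; the function names, the 1800-second default validity period, and treating a URL whose expiry equals the current time as still valid are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

def sign_url(domain, path, private_key, timestamp, rand="0", uid="0"):
    """Signing-server side: build http://DomainName/Filename?auth_key=..."""
    if not path.startswith("/"):
        raise ValueError("Filename must start with a forward slash (/)")
    if "-" in rand:
        raise ValueError("rand cannot contain hyphens (-)")
    uri = quote(path, safe="/")  # encode non-ASCII characters before concatenating
    sstring = f"{uri}-{timestamp}-{rand}-{uid}-{private_key}"
    md5hash = hashlib.md5(sstring.encode("utf-8")).hexdigest()
    return f"http://{domain}{uri}?auth_key={timestamp}-{rand}-{uid}-{md5hash}"

def pop_check(url, private_key, now, default_validity):
    """Model of the POP check: returns (HTTP status, back-to-origin URL or None)."""
    parts = urlsplit(url)
    fields = parse_qs(parts.query).get("auth_key", [""])[0].split("-")
    # Exactly four hyphen-separated fields: timestamp-rand-uid-md5hash.
    if len(fields) != 4 or not (fields[0].isascii() and fields[0].isdigit()):
        return 403, None
    timestamp, rand, uid, md5hash = fields
    # Expired when timestamp + default validity period is earlier than now.
    # (The page does not define the equal case; assumed still valid here.)
    if int(timestamp) + default_validity < now:
        return 403, None
    sstring = f"{parts.path}-{timestamp}-{rand}-{uid}-{private_key}"
    expected = hashlib.md5(sstring.encode("utf-8")).hexdigest()
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(expected.encode(), md5hash.encode()):
        return 403, None
    # Authentication parameters are removed from the back-to-origin URL.
    return 200, f"http://{parts.netloc}{parts.path}"

# Values from the sample conditions on this page; VALIDITY is a constructed value.
DOMAIN, PATH = "example.aliyundoc.com", "/video/standard/test.mp4"
KEY, TS, VALIDITY = "aliyunvodexp1234", 1627747200, 1800

if __name__ == "__main__":
    signed = sign_url(DOMAIN, PATH, KEY, TS)
    print(signed)
    print(pop_check(signed, KEY, TS + 60, VALIDITY))                # within validity
    print(pop_check(signed, KEY, TS + VALIDITY + 1, VALIDITY))      # expired
    print(pop_check(signed.replace("test", "other"), KEY, TS + 60, VALIDITY))  # path changed
```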