ApsaraVideo VOD allows you to use the URL signing feature to protect origin content from unauthorized downloads and access. The URL signing feature supports three signing types. This topic describes how type A signing works.
How it works
How a URL is signed based on type A
http://DomainName/Filename?auth_key=timestamp-rand-uid-md5hash
Fields in a signed URL
Field | Description |
DomainName | The domain name for ApsaraVideo VOD. |
Filename | The actual URL that points to the requested resource on the origin server. The value of the Filename field must start with a forward slash ( |
auth_key | The cryptographic key that you specified. |
timestamp | The time when a signed URL is generated. The timestamp and the default validity period specify the time when a signed URL expires. The time is in UTC+8 and follows the YYYYMMDDHHMM format. Note: In most cases, a signed URL expires after the default validity period that you specified in ApsaraVideo VOD elapses. If you specify a validity period for a signed URL on the signing server, the timestamp and validity period of the signed URL are calculated based on the following formula: Timestamp = UNIX timestamp on the signing server + Configured validity period on the signing server. Validity period = Timestamp + Default validity period. |
rand | A random number. In most cases, the value of this field is set to 0. If you want to generate a different URL each time, we recommend that you use a UUID. The value cannot contain hyphens ( |
uid | The user ID. Set this field to 0. |
md5hash | The string that is calculated by using the MD5 algorithm. The string must be 32 characters in length and can contain digits and lowercase letters. |
Signing logic
When an Alibaba Cloud CDN point of presence (POP) receives a request, the POP checks whether the time that is calculated by adding the values of timestamp and default validity period is earlier than the current time.
If the time that is calculated by adding the values of timestamp and default validity period is earlier than the current time, the POP determines that the URL is expired and returns the HTTP 403 status code.
If the time calculated by adding timestamp and default validity period is later than the current time, the POP generates a string based on sstring described in the preceding table. Then, the POP uses the MD5 algorithm to calculate the value of md5hash and compares the calculated md5hash value with the md5hash value in the request.
If the two values are different, the authentication fails. The POP returns the HTTP 403 status code.
If the two values are the same, the request passes the authentication. The POP returns the requested resource.
Note: If the request passes the authentication, authentication-specific parameters are removed from the URL to increase the cache hit ratio and reduce origin traffic.
The format of the URL in the back-to-origin request is http://DomainName/FileName.
The format of the URL that is used to generate a cache key is http://DomainName/FileName.
Sample of signed URL concatenation
The following example shows how to implement type A signing.
Sample conditions
Retrieve an object from the origin server: http://example.aliyundoc.com/video/standard/test.mp4
Note: If the URL of the object that you retrieve from the origin server contains Chinese characters, you must encode the URL before you concatenate a signed URL.
Set PrivateKey to aliyunvodexp1234.
Convert the time when the signed URL is generated, 2021-08-01 00:00:00 (UTC+8), to the decimal integer 1627747200.
Concatenation procedure
Generate a signature string that is used to calculate the md5hash value.
/video/standard/test.mp4-1627747200-0-0-aliyunvodexp1234
Calculate the md5hash value based on the signature string.
HashValue = md5sum("/video/standard/test.mp4-1627747200-0-0-aliyunvodexp1234") = 0e9048c8c7de46b6015618f42de7****
Generate a signed URL.
http://example.aliyundoc.com/video/standard/test.mp4?auth_key=1627747200-0-0-0e9048c8c7de46b6015618f42de7****
If a client uses a signed URL to request a resource, the POP compares the calculated md5hash value with the md5hash value in the request. If the two values are the same, such as 0e9048c8c7de46b6015618f42de7****, the request passes the authentication. Otherwise, the authentication fails.
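The concatenation procedure and the POP-side check described above, as an added Python example that is not code from the original page or from Alibaba Cloud. The function names, the 1800-second default validity period, and the 403 returned for a malformed auth_key are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit


def sign_string(path, timestamp, rand, uid, private_key):
    # Filename-timestamp-rand-uid-PrivateKey, as in the concatenation procedure
    return f"{path}-{timestamp}-{rand}-{uid}-{private_key}"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def sign_url(object_url, private_key, timestamp, rand="0", uid="0"):
    parts = urlsplit(object_url)
    # Encode non-ASCII characters before signing; keep existing %XX escapes
    path = quote(parts.path, safe="/%")
    digest = md5_hex(sign_string(path, timestamp, rand, uid, private_key))
    return f"{parts.scheme}://{parts.netloc}{path}?auth_key={timestamp}-{rand}-{uid}-{digest}"


def verify_url(url, private_key, now, default_validity):
    """Return the HTTP status a POP would answer with under the page's logic."""
    parts = urlsplit(url)
    fields = parse_qs(parts.query).get("auth_key", [""])[0].split("-")
    if len(fields) != 4 or not fields[0].isdecimal():
        return 403  # malformed auth_key (assumed handling, not stated on the page)
    timestamp, rand, uid, md5hash = fields
    if int(timestamp) + default_validity < now:
        return 403  # timestamp + default validity period is earlier than now
    expected = md5_hex(sign_string(parts.path, timestamp, rand, uid, private_key))
    # Constant-time comparison so the check does not leak matching prefixes
    same = hmac.compare_digest(expected.encode("utf-8"), md5hash.encode("utf-8"))
    return 200 if same else 403


if __name__ == "__main__":
    KEY = "aliyunvodexp1234"  # sample PrivateKey from the page
    VALIDITY = 1800           # assumed default validity period, in seconds
    issued = 1627747200       # 2021-08-01 00:00:00 (UTC+8)
    url = sign_url("http://example.aliyundoc.com/video/standard/test.mp4", KEY, issued)
    print(url)
    print(verify_url(url, KEY, issued + 60, VALIDITY))                # valid
    print(verify_url(url.replace("test.mp4", "other.mp4"), KEY, issued + 60, VALIDITY))
    print(verify_url(url, KEY, issued + VALIDITY + 1, VALIDITY))      # expired
```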