
ApsaraVideo Live: Configure URL signing

Last Updated: Sep 06, 2024

Referer-based hotlink protection is not completely secure. We recommend that you also use URL signing to protect ApsaraVideo Live resources against illegal downloads and unauthorized operations. This topic describes how to configure URL signing in the ApsaraVideo Live console.

How URL signing works

ApsaraVideo Live works with your live streaming server to implement URL signing to protect live streaming resources against hotlinking in a more secure and reliable manner.

  1. Your live streaming server provides a signed URL that contains authentication information.

  2. Stream ingest or streaming users send a request to ApsaraVideo Live by using the signed URL.

  3. ApsaraVideo Live verifies the authentication information in the signed URL to determine whether the request is valid. ApsaraVideo Live accepts valid requests and rejects invalid requests.

Important

After a request URL is authenticated by ApsaraVideo Live, special characters such as equal signs (=) and plus signs (+) in the URL are escaped.

For more information about the scenarios of URL signing, how it works, and the composition of a signed URL, see URL signing.

Enable URL signing

  1. Log on to the ApsaraVideo Live console.
  2. In the left-side navigation pane, click Domain Names. The Domain Management page appears.

  3. Find the streaming domain that you want to configure and click Domain Settings in the Actions column.

  4. Choose Streaming Management > Access Control.

  5. Click the URL Signing tab. Then, click Change Settings.

    [Figure: Change Settings]

    Note
    • By default, URL signing is enabled for a domain name that you add. If you disable URL signing, make sure that you understand the risks of unauthorized use of your resources and agree to the Disclaimer for Disabling URL Signing.

    • When URL signing is enabled, you can click Change Settings to modify the URL signing settings. When URL signing is disabled, you can turn on URL Signing and then configure the URL signing settings.

  6. Configure the URL signing settings and click OK.

    [Figure: URL signing settings]

    The following table describes the parameters.

    Parameter: Authentication Type

    Description: ApsaraVideo Live streaming domains support only the authentication type of Type A to protect resources on the origin server.

    Note

    If URL signing fails, HTTP status code 403 is returned. In this case, you must recalculate the signature.

    • Invalid MD5 value

      Example: X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be

    • Invalid timestamp

      Example: X-Tengine-Error:denied by req auth: expired timestamp=1439469547

    Parameter: Primary Key

    Description: After you add a domain name, ApsaraVideo Live generates a random primary key for the domain name. In the left-side navigation pane of the ApsaraVideo Live console, click Domain Names. Find the domain name that you want to configure and click Domain Settings in the Actions column. On the page that appears, choose Streaming Management > Access Control. On the URL Signing tab, you can view the primary key and can also change the primary key.

    Parameter: Secondary Key

    Description: Specify a custom secondary key.

    Parameter: Validity Period

    Description: The signed URL can be used to initiate stream ingest or streaming requests only within the validity period. Persistent connections are established for stream ingest and streaming. Stream ingest and streaming requests that are initiated within the validity period are not dropped after the validity period expires. New stream ingest and streaming requests fail to be initiated after the validity period expires.

    The default validity period for a signed URL under a domain name that you add is 1 day or 1,440 minutes. You can specify a custom validity period for the signed URL. The minimum value is 1 minute. There is no upper limit.
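
The sign-then-verify flow from "How URL signing works", together with the two 403 causes listed under Authentication Type, as an added example that is not part of the original page and is not Alibaba Cloud's code. It assumes the Type A layout auth_key={timestamp}-{rand}-{uid}-{md5hash}, where md5hash is the MD5 of "{URI}-{timestamp}-{rand}-{uid}-{key}" as described in the URL signing topic this page references, and that either the primary or the secondary key is accepted; the function names, domain and key values are constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit


def _md5hash(path, ts, rand, uid, key):
    # Assumed Type A signing string: URI-timestamp-rand-uid-key
    return hashlib.md5(f"{path}-{ts}-{rand}-{uid}-{key}".encode()).hexdigest()


def sign_url(base_url, key, now=None, rand="0", uid="0"):
    """Step 1: the streaming server appends auth_key to an ingest/streaming URL."""
    ts = int(time.time() if now is None else now)
    digest = _md5hash(urlsplit(base_url).path, ts, rand, uid, key)
    return f"{base_url}?auth_key={ts}-{rand}-{uid}-{digest}"


def verify_url(url, keys, validity_minutes, now=None):
    """Step 3: return (ok, reason); reasons mirror the 403 causes on the page."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    fields = parse_qs(parts.query).get("auth_key", [""])[0].split("-")
    if len(fields) != 4 or not (fields[0].isascii() and fields[0].isdigit()):
        return False, "malformed auth_key"
    ts, rand, uid, md5hash = fields
    # Assumption: primary and secondary key are both accepted (key rotation).
    # compare_digest avoids leaking how many leading characters matched.
    if not any(hmac.compare_digest(md5hash.encode(),
                                   _md5hash(parts.path, ts, rand, uid, k).encode())
               for k in keys):
        return False, "invalid md5hash"
    # A URL only opens new connections within timestamp + validity period.
    if now > int(ts) + validity_minutes * 60:
        return False, "expired timestamp"
    return True, "ok"


if __name__ == "__main__":
    PRIMARY = "constructed-primary-key"      # constructed sample values
    T0 = 1_700_000_000
    url = sign_url("rtmp://push.example.com/app/stream", PRIMARY, now=T0)
    print(url)
    print(verify_url(url, [PRIMARY], 1440, now=T0 + 60))
    print(verify_url(url, [PRIMARY], 1440, now=T0 + 1440 * 60 + 1))
    print(verify_url(url.replace("/stream", "/other"), [PRIMARY], 1440, now=T0))
```

Because the stream path is part of the signed string, a signature issued for one stream fails with "invalid md5hash" when it is replayed against another.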

Disable URL signing

Note
  • If you disable URL signing, make sure that you understand the risks of unauthorized use of your resources and agree to the Disclaimer for Disabling URL Signing.

  • After you disable URL signing, you can generate permanently valid ingest URLs and streaming URLs. If URL signing is enabled, you can specify the validity period of signed URLs based on your business requirements.

  1. On the URL Signing tab, click Sign Agreement.

  2. In the Sign Agreement dialog box, tick the checkbox and click Sign.

  3. After the Disclaimer for Disabling URL Signing is signed, click OK.

  4. Turn off URL Signing. After URL signing is disabled, you cannot encrypt URLs by setting cryptographic keys.

References

URL signing