Updated on 2024-03-18 GMT+08:00

Signing Method A

By default, resources distributed by CDN are publicly reachable. Token authentication protects these resources from being downloaded and hotlinked by malicious users. Huawei Cloud CDN provides four URL signing methods. This topic describes signing method A.

  • Token authentication is disabled by default.
  • If your domain name has special configurations, token authentication cannot be configured for this domain name on the CDN console.
  • When token authentication is configured, user requests carry authentication parameters whose values differ from one signed URL to the next. Unless Ignore specific parameters is configured for these parameters, each distinct query string is cached separately, so:
    • Origin pull becomes frequent.
    • If your origin server is an OBS bucket, fees for bucket outbound traffic are incurred.

How It Works

A signed URL has one of the following forms, depending on the configured hash algorithm:

http://DomainName/Filename?auth_key=timestamp-rand-uid-md5hash
http://DomainName/Filename?auth_key=timestamp-rand-uid-sha256

The following table describes the parameters in a signed URL.

Table 1 Parameter description

Parameter

Description

DomainName

Acceleration domain name.

timestamp

Time when the authentication server generates the signed URL, that is, the authentication start time. The value is a decimal integer indicating the number of seconds elapsed since 00:00:00 on January 1, 1970 (UTC), that is, a Unix timestamp.

Validity Period

How long a signed URL remains effective. The value ranges from 0s to 31,536,000s (one year).

Example: If the validity period is set to 1,800s, the URL can be used to access CDN for 1,800s from the time indicated by timestamp. Requests made more than 1,800s after timestamp fail authentication and the resource is inaccessible.

rand

Random string. A UUID with the hyphens (-) removed is recommended, for example, 202cb962ac59075b964b07152d234b70. The value must not contain hyphens, because the hyphen separates the fields of the authentication parameter.

uid

User ID. This parameter is not used now. You can set it to 0.

md5hash

Signature of 32 characters calculated using the MD5 algorithm, in lowercase hexadecimal (digits 0 to 9 and letters a to f).

sha256

Signature of 64 characters calculated using the SHA256 algorithm, in lowercase hexadecimal (digits 0 to 9 and letters a to f).

Filename

Request path of the resource, that is, the part of the back-to-origin URL that starts with the slash (/) after the domain name. It does not include the query string following the question mark (?).

PrivateKey

Signing key used to generate the signature, for example, huaweicloud12345. Enter 16 to 32 characters consisting of letters and digits only; both letters and digits must be present.

Authentication Parameter

Authentication parameter carried in a URL. The default value is auth_key.

Verification Method

After receiving a request, a CDN server verifies the request as follows:

  1. Checks whether authentication parameters are included in the request. If not, the request is considered invalid and an HTTP 403 error code is returned.
  2. Checks whether the current system time is within the range [timestamp, timestamp + validity period]. If it is outside the range, the CDN server considers the request expired (or not yet valid) and returns an HTTP 403 error code. Otherwise, the next step proceeds.
  3. Constructs a character string, calculates HashValue from the string using the configured algorithm (MD5 or SHA256), and compares HashValue with the md5hash or sha256 value in the request. If they are the same, the authentication is successful and the file is returned. Otherwise, the authentication fails and an HTTP 403 error code is returned. Filename is the request path only; the query string, including the authentication parameter itself, is not part of the signed string. HashValue is calculated as follows:
    sstring = "Filename-timestamp-rand-uid-PrivateKey"
    HashValue = md5sum(sstring)
    Or
    sstring = "Filename-timestamp-rand-uid-PrivateKey"
    HashValue = sha256sum(sstring)

Procedure

  1. Log in to Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

    The CDN console is displayed.

  2. In the navigation pane, choose Domains.
  3. In the domain list, click the target domain name or click Configure in the Operation column.
  4. Click the Access Control tab and click Configure under Token Authentication.
    Figure 1 Configuring token authentication
  5. Turn on the Status switch.
  6. Set the parameters according to the following table and click OK.
    Table 2 Parameter description

    Parameter

    Description

    Signing Method

    Select Method A.

    Authentication Scope

    Files to be authenticated. Select All files, Specific files, or Specific files excluded.

    Inheritance

    When enabled, CDN appends authentication parameters to the URLs of the TS and MP4 segments listed in M3U8/MPD index files, so that a player can fetch the segments once the request for the index file itself has passed authentication.

    NOTE:
    • If M3U8/MPD files are nested in multiple layers, only the first-layer M3U8/MPD file is parsed; the TS/MP4 streams of M3U8/MPD files in lower layers are not expanded.
    • The standard M3U8 format is supported. M3U8 files are parsed line by line. If parsing fails, the response from the origin server is returned to users as is. The URI in the #EXT-X-MAP tag and URLs/URIs on lines not starting with a pound sign (#) are supported.
    • The standard MPD format is supported. MPD files are parsed line by line. If parsing fails, the response from the origin server is returned to users as is. The URI between the <BaseURL> and </BaseURL> tags is identified. The SegmentTemplate tag is not supported.
    • If your M3U8/MPD index files contain special characters, CDN does not URL-encode them when calculating the authentication value. If the client URL-encodes special characters on its own, the requested path no longer matches the signed path, authentication fails, and access is denied.
    • If the origin server returns resources compressed with gzip or Brotli to CDN PoPs, the authentication inheritance settings do not take effect.

    Start Time

    Start time used as the timestamp of the inherited authentication parameters:

    • Same as user request: time when the user requests the M3U8/MPD file.
    • Current time: current time of the authentication server.

    File Name Extension

    Set this parameter when you select Specific files or Specific files excluded for Authentication Scope. Only requests for files with the specified file name extensions are authenticated or not authenticated.

    • Only lowercase letters and digits are supported. Use semicolons (;) to separate multiple file name extensions.

    Signing Key

    Signing key used to calculate the signature. Enter 16 to 32 characters consisting of letters and digits only; both letters and digits must be present.

    Secondary Key

    (Optional) Secondary signing key. To rotate keys without invalidating URLs that have already been issued, set the new key as the signing key and the old key as the secondary key. CDN accepts a request if its signature verifies against either the primary or the secondary key.

    • Enter 16 to 32 characters consisting of letters and digits only; both letters and digits must be present.

    Parameter

    Authentication parameter carried in a URL. The default value is auth_key.

    • Enter up to 100 characters.
    • Enter letters, digits, and underscores (_). Do not start with a digit.

    Encryption Algorithm

    Hash algorithm used to calculate the signature: MD5 or SHA256.

    Validity Period

    How long the signed URL remains effective. The value ranges from 0s to 31,536,000s.

    Authentication Calculator

    Using the authentication calculator, you can generate a signed URL for users. Set parameters according to Table 2 and Table 3, and click Generate to generate a signed URL that will expire at a specific time.

    URL-encode any special characters in the signed URL.

    Table 3 Parameter description

    Parameter

    Description

    Signing Key

    Signing key used to calculate the signature. Enter 16 to 32 characters consisting of letters and digits only; both letters and digits must be present. The value must be the same as the signing key specified in the token authentication configuration.

    Access Path

    Path of the content, which starts with a slash (/) and does not carry a query string.

    Encryption Algorithm

    Hash algorithm used to calculate the signature: MD5 or SHA256.

    Start Time

    Time when the signed URL will take effect.

    Validity Period

    How long the signed URL remains effective. The value ranges from 0s to 31,536,000s. If this value is greater than the validity period set in the token authentication configuration, the configured value applies.

    Example: If you set this parameter to 2,000s, but the validity period set in the token authentication configuration is 1,800s, the validity period of signed URLs will be 1,800s.
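The Inheritance setting described in Table 2 rewrites segment URIs inside a first-layer M3U8 file so that each carries its own method A authentication parameter. The following Python script is an added illustration of that mechanism, not code from the Huawei Cloud documentation or from CDN itself. It assumes, as the page does not specify, that inherited parameters use rand=0 and uid=0 and the same signing key as the index file, and that relative segment URIs are resolved against the directory of the index file. The playlist, the path /live/index.m3u8 and the key huaweicloud12345 are constructed sample inputs.

```python
import hashlib
import posixpath
import re
from urllib.parse import urlsplit

# #EXT-X-MAP carries the init-segment URI as a quoted attribute.
EXT_X_MAP_URI = re.compile(r'(#EXT-X-MAP:.*?URI=")([^"]+)(")')

# Constructed sample first-layer media playlist (not taken from the page).
SAMPLE_M3U8 = """#EXTM3U
#EXT-X-VERSION:7
#EXT-X-TARGETDURATION:6
#EXT-X-MAP:URI="init.mp4"
#EXTINF:6.0,
seg1.mp4
#EXTINF:6.0,
seg2.mp4
#EXT-X-ENDLIST
"""


def auth_key_value(path, timestamp, private_key, rand="0", uid="0", algorithm="md5"):
    """Method A value: timestamp-rand-uid-hash("Filename-timestamp-rand-uid-PrivateKey")."""
    sstring = f"{path}-{timestamp}-{rand}-{uid}-{private_key}"
    digest = hashlib.new(algorithm, sstring.encode("utf-8")).hexdigest()
    return f"{timestamp}-{rand}-{uid}-{digest}"


def segment_path(index_path, uri):
    """Filename to sign for a segment URI: the request path without scheme, host or query."""
    path = urlsplit(uri).path
    if path.startswith("/"):
        return path
    # Relative URI (assumption): resolve against the directory of the index file.
    return posixpath.normpath(posixpath.join(posixpath.dirname(index_path), path))


def inherit_auth(m3u8_text, index_path, private_key, timestamp,
                 param="auth_key", algorithm="md5"):
    """Append authentication parameters to every segment URI of a first-layer M3U8.

    Lines are processed one by one: a line not starting with '#' is a segment
    URI; '#EXT-X-MAP' has a URI attribute that is signed as well; every other
    tag line passes through unchanged. Paths are signed exactly as written
    (no percent-encoding is added). Text that is not an M3U8 playlist is
    returned unchanged, mirroring "parsing fails, origin response returned".
    """
    if not m3u8_text.lstrip().startswith("#EXTM3U"):
        return m3u8_text

    def signed(uri):
        key = auth_key_value(segment_path(index_path, uri), timestamp,
                             private_key, algorithm=algorithm)
        sep = "&" if "?" in uri else "?"
        return f"{uri}{sep}{param}={key}"

    out = []
    for line in m3u8_text.splitlines():
        stripped = line.strip()
        if not stripped:
            out.append(line)
        elif stripped.startswith("#"):
            out.append(EXT_X_MAP_URI.sub(
                lambda m: f"{m.group(1)}{signed(m.group(2))}{m.group(3)}", line, count=1))
        else:
            out.append(signed(stripped))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Start Time "Same as user request": timestamp is the time of the index request.
    print(inherit_auth(SAMPLE_M3U8, "/live/index.m3u8", "huaweicloud12345", 1498752000))
```

The timestamp argument corresponds to the Start Time option: pass the time of the user's index request for Same as user request, or the signing server's current time for Current time. Because the signature covers the resolved path byte for byte, a player that percent-encodes a segment name on its own will request a path that was never signed, which is the failure mode the special-character note warns about.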

Disabling Token Authentication

Switch off Status to disable token authentication and clear all token authentication settings. You need to set related parameters when enabling this function again.

Example

The following uses the MD5 algorithm as an example:

  1. Assume the back-to-origin URL is as follows:
    http://hwcdn.example.com/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3
  2. Set PrivateKey to huaweicloud12345.
  3. The authentication takes effect at 00:00:00 on June 30, 2017 (GMT+08:00), so timestamp is 1498752000. Set the validity period to 1,800s. rand and uid are both 0.
  4. The string for calculating HashValue is constructed from the path only; the domain name and query string are excluded:
    /T128_2_1_0_sdk/0210/M00/82/3E/test.mp3-1498752000-0-0-huaweicloud12345
  5. HashValue is calculated from this string:
    HashValue = md5sum("/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3-1498752000-0-0-huaweicloud12345") = 4143ae4a8034c637fd256dfd3542bafc
  6. The request URL is as follows:
    http://cdn.example.com/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3?auth_key=1498752000-0-0-4143ae4a8034c637fd256dfd3542bafc

If the request arrives within the validity period (from 00:00:00 to 00:30:00 on June 30, 2017, GMT+08:00) and the HashValue recalculated by the CDN server equals the md5hash value carried in the request (4143ae4a8034c637fd256dfd3542bafc), the authentication is successful.
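The verification steps in Verification Method and the worked example above, as an added Python implementation of both the signing and the verifying side. This is example code, not part of the Huawei Cloud documentation or of CDN itself; the domain names, path, key and timestamp are the ones used in the example above, and the secondary key value newkey0000000001 in the usage is a constructed placeholder.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Hash algorithms supported by signing method A.
ALGORITHMS = {"md5": hashlib.md5, "sha256": hashlib.sha256}


def hash_value(filename, timestamp, rand, uid, private_key, algorithm="md5"):
    """HashValue = hash("Filename-timestamp-rand-uid-PrivateKey"), lowercase hex."""
    sstring = f"{filename}-{timestamp}-{rand}-{uid}-{private_key}"
    return ALGORITHMS[algorithm](sstring.encode("utf-8")).hexdigest()


def sign_url(domain, filename, private_key, timestamp, rand="0", uid="0",
             algorithm="md5", param="auth_key", scheme="http"):
    """Build http://DomainName/Filename?auth_key=timestamp-rand-uid-hash."""
    # Filename is the request path only: leading slash, no query string.
    if not filename.startswith("/") or "?" in filename:
        raise ValueError("Filename must start with '/' and carry no query string")
    # The hyphen separates the auth_key fields, so rand must not contain one.
    if "-" in str(rand):
        raise ValueError("rand must not contain hyphens")
    digest = hash_value(filename, timestamp, rand, uid, private_key, algorithm)
    return f"{scheme}://{domain}{filename}?{param}={timestamp}-{rand}-{uid}-{digest}"


def verify_url(url, keys, validity_period, now=None, algorithm="md5", param="auth_key"):
    """Replay the CDN server's three checks; returns (http_status, reason).

    `keys` holds the accepted signing keys: [primary] normally, or
    [primary, secondary] while rotating keys (the secondary is the old key).
    """
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    values = parse_qs(parts.query).get(param)
    # Step 1: the authentication parameter must be present and well formed.
    if not values or values[0].count("-") != 3:
        return 403, "missing or malformed authentication parameter"
    ts_str, rand, uid, digest = values[0].split("-")
    if not ts_str.isdigit():
        return 403, "timestamp is not a decimal integer"
    timestamp = int(ts_str)
    # Step 2: now must lie within [timestamp, timestamp + validity period].
    if not (timestamp <= now <= timestamp + validity_period):
        return 403, "signed URL expired or not yet valid"
    # Step 3: recompute HashValue over the path (query string excluded) and
    # compare it in constant time with the value carried in the request.
    for key in keys:
        expected = hash_value(parts.path, timestamp, rand, uid, key, algorithm)
        if hmac.compare_digest(expected, digest):
            return 200, "ok"
    return 403, "hash mismatch"


# Inputs taken from the Example section of this topic.
EXAMPLE_DOMAIN = "cdn.example.com"
EXAMPLE_PATH = "/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3"
EXAMPLE_KEY = "huaweicloud12345"
EXAMPLE_TIMESTAMP = 1498752000  # 00:00:00 on June 30, 2017 (GMT+08:00)
EXAMPLE_VALIDITY = 1800


def example_url(algorithm="md5"):
    """Signed URL for the example inputs above (rand=0, uid=0)."""
    return sign_url(EXAMPLE_DOMAIN, EXAMPLE_PATH, EXAMPLE_KEY, EXAMPLE_TIMESTAMP,
                    algorithm=algorithm)


if __name__ == "__main__":
    url = example_url()
    print(url)
    # Inside the window with the configured key: 200.
    print(verify_url(url, [EXAMPLE_KEY], EXAMPLE_VALIDITY, now=EXAMPLE_TIMESTAMP + 60))
    # 1,801 s after timestamp: expired, 403.
    print(verify_url(url, [EXAMPLE_KEY], EXAMPLE_VALIDITY, now=EXAMPLE_TIMESTAMP + 1801))
    # The same auth_key reused for another file: hash mismatch, 403.
    print(verify_url(url.replace("test.mp3", "other.mp3"), [EXAMPLE_KEY],
                     EXAMPLE_VALIDITY, now=EXAMPLE_TIMESTAMP + 60))
    # Key rotation: the old key configured as the secondary key still verifies.
    print(verify_url(url, ["newkey0000000001", EXAMPLE_KEY], EXAMPLE_VALIDITY,
                     now=EXAMPLE_TIMESTAMP + 60))
```

Running the script prints the signed URL for the example inputs, which can be compared with the request URL in step 6 above. Because the signed string contains the path but not the domain name, the same auth_key is valid for that path on any acceleration domain that shares the signing key, and because it contains neither the client address nor the query string, a captured URL can be replayed by anyone until the validity period ends; keep validity periods short and rotate the key with the secondary key mechanism when a leak is suspected.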