
Signing Method C1

Updated on 2024-10-28 GMT+08:00

By default, content distributed by CDN is public. Token authentication protects these resources from being downloaded and stolen by malicious users. Huawei Cloud CDN provides four URL signing methods. This topic describes signing method C1.

NOTE:
  • Token authentication is disabled by default.
  • You cannot configure this function for domain names with special configurations on the CDN console.
  • Domain names whose service type is whole site acceleration do not support signing method C1.
  • When token authentication is configured, user requests will include authentication parameters. If Ignore specific parameters is not configured:
    • Origin pull will become frequent.
    • If your origin server is an OBS bucket, fees for bucket outbound traffic will be incurred.

How It Works

Example signed URLs look like:
http://DomainName/{<sha256>/<timestamp>}/FileName
http://DomainName/{<md5hash>/<timestamp>}/FileName

The following table describes the parameters in a signed URL.

Table 1 Parameter description

| Parameter | Description |
| --- | --- |
| DomainName | Acceleration domain name. |
| timestamp | Time when the authentication server generates a signed URL, that is, the authentication start time. The value is a hexadecimal integer, indicating the total number of seconds that have elapsed since 00:00:00 January 1, 1970. |
| Validity period | How long a signed URL remains effective. The value ranges from 0s to 31,536,000s. Example: If the validity period is set to 1,800s, users can access CDN only when the current time is earlier than or equal to timestamp + 1,800s. Otherwise, the signed URL is considered invalid. |
| md5hash | A string of 32 characters calculated using the MD5 algorithm. The string consists of lowercase letters and digits. |
| sha256 | A string of 64 characters calculated using the SHA256 algorithm. The string consists of lowercase letters and digits. |
| Filename | Back-to-origin URL. Its value must start with a slash (/) and does not include the parameters following the question mark (?). |
| PrivateKey | Signing key, which is used to generate a signed URL, for example, huaweicloud12345. A key contains 6 to 32 characters, including letters and digits. |

Verification Method

After receiving a request, a CDN server verifies the request as follows:

  1. Checks whether the authentication parameter is included in the request. If not, the request is considered invalid and an HTTP 403 error code is returned.
  2. Checks whether the value of timestamp plus the validity period specified in the signed URL is later than the current time.
    • If not, the signed URL is considered invalid and the HTTP 403 error is returned.
    • If yes, the time verification passes and CDN goes to step 3.
  3. Constructs sstring, calculates HashValue from this string using the MD5 or SHA256 algorithm, and compares HashValue with the md5hash or sha256 value in the request. If the two values are the same, the authentication is successful and the requested file is returned. Otherwise, the authentication fails and an HTTP 403 error code is returned. sstring is PrivateKey, Filename, and timestamp concatenated in that order with no separators. HashValue is calculated as follows:
    sstring = PrivateKey + Filename + timestamp
    HashValue = md5sum(sstring)
    Or
    sstring = PrivateKey + Filename + timestamp
    HashValue = sha256sum(sstring)

Procedure

  1. Log in to Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

    The CDN console is displayed.

  2. In the navigation pane, choose Domains.
  3. In the domain list, click the target domain name or click Configure in the Operation column.
  4. Click the Access Control tab and click Configure under Token Authentication.
    Figure 1 Configuring token authentication
  5. Turn on the Status switch.
  6. Set the parameters according to the following table and click OK.
    Table 2 Parameter description

    Parameter

    Description

    Signing Method

    Select Method C1.

    Authentication Scope

    Files to be authenticated. Select All files, Specific files, or Specific files excluded.

    Inheritance

    Add the authentication parameter to TS and MP4 files under M3U8/MPD index files, so that the files can be played after authentication succeeds.

    NOTE:
    • If there are multi-layer M3U8/MPD files, only the first-layer M3U8/MPD files are parsed, and the TS/MP4 streams of M3U8/MPD files in other layers are not expanded.
    • The standard M3U8 format is supported. M3U8 files are parsed by line. If the parsing fails, responses from the origin server are returned to users. URIs starting with the #EXT-X-MAP tag and URLs/URIs not starting with the pound key (#) are supported.
    • The standard MPD format is supported. MPD files are parsed by line. If the parsing fails, responses from the origin server are returned to users. The URI between tags <BaseURL> and </BaseURL> is identified. The SegmentTemplate tag is not supported.
    • If your M3U8/MPD index files contain special characters, CDN does not automatically transcode the characters during authentication calculation. If clients have the logic for automatically transcoding special characters, the access may fail due to the authentication failure.
    • If the origin server returns resources compressed using gzip or Brotli to CDN PoPs, the authentication inheritance settings become invalid.

    Start Time

    • Same as user request: time when a user accesses the M3U8/MPD file.
    • Current time: current time of the authentication server.

    File Name Extensions

    Set this parameter when you select Specific files or Specific files excluded for Authentication Scope. Only requests for files with the specified file name extensions are authenticated or not authenticated.

    • Only lowercase letters and digits are supported. Use semicolons (;) to separate multiple file name extensions.

    Signing Key

    Authentication password. The value contains 6 to 32 characters, including letters and digits.

    NOTE:

    For security purposes, you are advised to use 8 to 32 characters.

    Secondary Key

    (Optional) Secondary password for authentication. If you want both the old and new keys to take effect, you can set the old key as the secondary key. Users can access content only after CDN verifies the primary or secondary key.

    • A key contains 6 to 32 characters, including letters and digits.
      NOTE:

      For security purposes, you are advised to use 8 to 32 characters.

    Encryption Algorithm

    MD5 or SHA256.

    Validity Period

    How long the signed URL remains effective. The value ranges from 0s to 31,536,000s.

    Authentication Calculator

    Using the authentication calculator, you can generate a signed URL for users. Set parameters according to Table 2 and Table 3, and click Generate to generate a signed URL that will expire at a specific time.

    NOTE:

    Escape special characters in the signed URL if any.

    Table 3 Parameter description

    | Parameter | Description |
    | --- | --- |
    | Signing Key | Authentication password. Enter 6 to 32 characters, including letters and digits. The value must be the same as the signing key specified in the token authentication configuration. |
    | Access Path | Path of the content, which starts with a slash (/) and does not carry a query string. |
    | Encryption Algorithm | MD5 or SHA256. |
    | Start Time | Time when the signed URL will take effect. |
    | Validity Period | How long the signed URL remains effective. The value ranges from 0s to 31,536,000s. If this value is greater than the validity period set in the token authentication settings, the latter will be used. Example: If you set this parameter to 2,000s, but the validity period set in the token authentication settings is 1,800s, the validity period of signed URLs will be 1,800s. |

Disabling Token Authentication

Switch off Status to disable token authentication and clear all token authentication settings. You need to set related parameters when enabling this function again.

Example

The following uses the MD5 algorithm as an example:

  1. The back-to-origin URL is as follows:
    http://hwcdn.example.com/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3
  2. The signing key is huaweicloud12345 (customizable).
  3. The authentication takes effect from 10:00:00 on June 30, 2017. Therefore, timestamp is 5955b0a0. The validity period is 1,800s.
  4. The CDN server constructs a string for calculating md5hash.
    huaweicloud12345/T128_2_1_0_sdk/0210/M00/82/3E/test.mp35955b0a0
  5. The CDN server calculates md5hash according to the string.
    md5hash = md5sum(huaweicloud12345/T128_2_1_0_sdk/0210/M00/82/3E/test.mp35955b0a0) = 8540f43a2416fd4a432fe4f92d2ea089
  6. The request URL is:
    http://hwcdn.example.com/8540f43a2416fd4a432fe4f92d2ea089/5955b0a0/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3

If a request is within the validity period (earlier than or equal to 10:30:00 on June 30, 2017) and the md5hash value in the request is the same as the calculated md5hash value (8540f43a2416fd4a432fe4f92d2ea089), the authentication is successful.
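
The verification steps under Verification Method and the worked example above, as an added Python example (not Huawei Cloud's own code). The function names, the `algo` parameter standing in for the Encryption Algorithm setting, the constant-time comparison, and the `OLD_KEY` value are assumptions made for illustration; the key, path, and start time are the values from the example above.

```python
import hashlib
import hmac
import re

# Request path layout from the page: /<hash>/<hex timestamp><Filename>
_SIGNED = re.compile(r"^/([0-9a-f]+)/([0-9a-f]+)(/.*)$")
_ALGOS = {"md5": hashlib.md5, "sha256": hashlib.sha256}


def c1_hash(key, filename, ts_hex, algo):
    """HashValue = hash(PrivateKey + Filename + timestamp), no separators."""
    return _ALGOS[algo]((key + filename + ts_hex).encode()).hexdigest()


def sign_path(key, filename, start_epoch, algo="sha256"):
    """Build the signed request path; start_epoch is seconds since 1970."""
    if not filename.startswith("/") or "?" in filename:
        raise ValueError("Filename must start with '/' and carry no query")
    ts_hex = format(start_epoch, "x")
    return f"/{c1_hash(key, filename, ts_hex, algo)}/{ts_hex}{filename}"


def verify_path(path, keys, validity_s, now, algo="sha256"):
    """Apply the page's three checks; False stands for an HTTP 403."""
    m = _SIGNED.match(path.split("?", 1)[0])
    if m is None:  # step 1: no authentication parameter
        return False
    token, ts_hex, filename = m.groups()
    if len(token) != _ALGOS[algo]().digest_size * 2:
        return False
    if now > int(ts_hex, 16) + validity_s:  # step 2: validity period over
        return False
    # step 3: primary or secondary key may match; compare in constant time
    return any(hmac.compare_digest(c1_hash(k, filename, ts_hex, algo), token)
               for k in keys)


# Key, path and start time are the page's example values; OLD_KEY is constructed.
KEY, OLD_KEY = "huaweicloud12345", "previouskey2016"
FILE = "/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3"
START = 0x5955B0A0  # 1498788000

if __name__ == "__main__":
    signed = sign_path(KEY, FILE, START, "md5")
    print(signed)
    print(verify_path(signed, [KEY, OLD_KEY], 1800, START + 1800, "md5"))
    print(verify_path(signed, [KEY, OLD_KEY], 1800, START + 1801, "md5"))
```

Passing the old key as the second entry of `keys` corresponds to the Secondary Key setting during key rotation; remove it once URLs signed with the old key have passed their validity period.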
