Help Center/ Content Delivery Network/ User Guide/ Custom Domain Name Configuration/ Access Control/ Token Authentication/ Signing Method C1
Updated on 2024-10-28 GMT+08:00
View PDF
Share

Signing Method C1

By default, the content distributed by CDN is public resources. Token authentication protects these resources from being downloaded and stolen by malicious users. Huawei Cloud CDN provides four URL signing methods. This topic describes the signing method C1.

  • Token authentication is disabled by default.
  • You cannot configure this function for domain names with special configurations on the CDN console.
  • Domain names whose service type is whole site acceleration do not support signing method C1.
  • When token authentication is configured, user requests will include authentication parameters. If Ignore specific parameters is not configured:
    • Origin pull will become frequent.
    • If your origin server is an OBS bucket, fees for bucket outbound traffic will incur.

How It Works

Example signed URLs look like: 
http://DomainName/{<sha256>/<timestamp>}/FileName
http://DomainName/{<md5hash>/<timestamp>}/FileName

The following table describes the parameters in a signed URL.

Table 1 Parameter description

Parameter

Description

DomainName

Acceleration domain name.

timestamp

Time when the authentication server generates a signed URL, that is, the authentication start time. The value is a hexadecimal integer, indicating the total number of seconds that have elapsed since 00:00:00 January 1, 1970.

Validity period

How long a signed URL remains effective. The value ranges from 0s to 31,536,000s.

Example: If the validity period is set to 1,800s, users can access CDN only when the current time is earlier than or equal to timestamp + 1,800s. Or, the signed URL is considered invalid.

md5hash

A string of 32 characters calculated using the MD5 algorithm. The string consists of lowercase letters and digits.

sha256

A string of 64 characters calculated using the SHA256 algorithm. The string consists of lowercase letters and digits.

Filename

Back-to-origin URL. Its value must start with a slash (/) and does not include the parameters following the question mark (?).

PrivateKey

Signing key, which is used to generate a signed URL, for example, huaweicloud12345. A key contains 6 to 32 characters, including letters and digits.

Verification Method

After receiving a request, a CDN server verifies the request as follows:

  1. Checks whether the authentication parameter is included in the request. If not, the request is considered invalid and an HTTP 403 error code is returned.
  2. Checks whether the value of timestamp plus the validity period specified in the signed URL is later than the current time.
    • If not, the signed URL is considered invalid and the HTTP 403 error is returned.
    • If yes, the time verification passes and CDN goes to step 3.
  3. Constructs sstring, calculates HashValue using this string and the MD5 or SHA256 algorithm, and compares HashValue with the md5hash or sha256 value in the request. If the md5hash or sha256 value is the same as HashValue, the authentication is successful and the requested file is returned. Or, the authentication fails and an HTTP 403 error code is returned. HashValue is calculated as follows: 
    sstring = "PrivateKeyFilenameTimestamp" 
HashValue = md5sum(sstring)
    Or 
    sstring = "PrivateKeyFilenameTimestamp" 
HashValue = sha256sum(sstring)

Procedure

  1. Log in to Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

    The CDN console is displayed.

  2. In the navigation pane, choose Domains.
  3. In the domain list, click the target domain name or click Configure in the Operation column.
  4. Click the Access Control tab and click Configure under Token Authentication.
    Figure 1 Configuring token authentication
  5. Turn on the Status switch.
  6. Set the parameters according to the following table and click OK.
    Table 2 Parameter description

    Parameter

    Description

    Signing Method

    Select Method C1.

    Authentication Scope

    Files to be authenticated. Select All files, Specific files, or Specific files excluded.

    Inheritance

    Add the authentication parameter to TS and MP4 files under M3U8/MPD index files, so that the files can be played after authentication succeeds.

    NOTE:
    • If there are multi-layer M3U8/MPD files, only the first-layer M3U8/MPD files are parsed, and the TS/MP4 streams of M3U8/MPD files in other layers are not expanded.
    • The standard M3U8 format is supported. M3U8 files are parsed by line. If the parsing fails, responses from the origin server are returned to users. URIs starting with the #EXT-X-MAP tag and URLs/URIs not starting with the pound key (#) are supported.
    • The standard MPD format is supported. MPD files are parsed by line. If the parsing fails, responses from the origin server are returned to users. The URI between tags <BaseURL> and </BaseURL> is identified. The SegmentTemplate tag is not supported.
    • If your M3U8/MPD index files contain special characters, CDN does not automatically transcode the characters during authentication calculation. If clients have the logic for automatically transcoding special characters, the access may fail due to the authentication failure.
    • If the origin server returns resources compressed using gzip or Brotli to CDN PoPs, the authentication inheritance settings become invalid.

    Start Time
    • Same as user request: time when a user accesses the M3U8/MPD file.
    • Current time: current time of the authentication server.

    File Name Extensions

    Set this parameter when you select Specific files or Specific files excluded for Authentication Scope. Only requests for files with the specified file name extensions are authenticated or not authenticated.

    • Only lowercase letters and digits are supported. Use semicolons (;) to separate multiple file name extensions.

    Signing Key

    Authentication password. The value contains 6 to 32 characters, including letters and digits.

    NOTE:

    For security purposes, you are advised to use 8 to 32 characters.

    Secondary Key

    (Optional) Secondary password for authentication. If you want the old and new keys to take effect, you can set the old key as the secondary key. Users can access content only after CDN verifies the primary or secondary key.

    • A key contains 6 to 32 characters, including letters and digits.
      NOTE:

      For security purposes, you are advised to use 8 to 32 characters.

    Encryption Algorithm

    MD5 or SHA256.

    Validity Period

    How long the signed URL remains effective. The value ranges from 0s to 31,536,000s.

    Authentication Calculator

    Using the authentication calculator, you can generate a signed URL for users. Set parameters according to Table 2 and Table 3, and click Generate to generate a signed URL that will expire at a specific time.

    Escape special characters in the signed URL if any.

    Table 3 Parameter description

    Parameter

    Description

    Signing Key

    Authentication password. Enter 6 to 32 characters, including letters and digits. The value must be the same as the signing key specified in the token authentication configuration.

    Access Path

    Path of the content, which starts with a slash (/) and does not carry a query string.

    Encryption Algorithm

    MD5 or SHA256.

    Start Time

    Time when the signed URL will take effect.

    Validity Period

    How long the signed URL remains effective. The value ranges from 0s to 31,536,000s. If this value is greater than the validity period set in the token authentication settings, the latter will be used.

    Example: If you set this parameter to 2,000s, but the validity period set in the token authentication settings is 1,800s, the validity period of signed URLs will be 1,800s.

Disabling Token Authentication

Switch off Status to disable token authentication and clear all token authentication settings. You need to set related parameters when enabling this function again.

Example

The following uses the MD5 algorithm as an example:

  1. The back-to-origin URL is as follows: 
    http://hwcdn.example.com/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3
  2. The signing key is huaweicloud12345 (customizable).
  3. The authentication takes effect since 10:00:00 on June 30, 2017. Therefore, timestamp is 5955b0a0. The validity period is 1,800s.
  4. The CDN server constructs a string for calculating md5hash. 
    huaweicloud12345/T128_2_1_0_sdk/0210/M00/82/3E/test.mp35955b0a0
  5. The CDN server calculates md5hash according to the string. 
    md5hash = md5sum(huaweicloud12345/T128_2_1_0_sdk/0210/M00/82/3E/test.mp35955b0a0) = 8540f43a2416fd4a432fe4f92d2ea089
  6. The request URL is: 
    http://hwcdn.example.com/8540f43a2416fd4a432fe4f92d2ea089/5955b0a0/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3

If a request is within the validity period (earlier than or equal to 10:30:00 on June 30, 2017) and the md5hash value in the request is the same as the calculated md5hash value (8540f43a2416fd4a432fe4f92d2ea089), the authentication is successful.

Parent topic: Token Authentication