URL Validation
Referer validation can filter visitors' identities. However, the referer content can be forged, which cannot completely protect your VOD resources. Therefore, VOD provides URL validation. You can configure the key and generate the corresponding playback URL. The URL has a certain validity period, which effectively prevents VOD resources from being illegally stolen.
Implementation
Referer validation works in a simple way. After a blacklist or whitelist is configured on the VOD console, VOD distributes the blacklist or whitelist to CDN. When receiving a request, CDN checks whether the request is valid based on the list. If the request is valid, CDN accesses the requested resource. If the request is invalid, CDN rejects the request and returns a status code 403.
URL validation is implemented by VOD edge nodes and origin server in VOD. It is a more secure and reliable anti-piracy solution than referer validation. Figure 1 shows how URL validation works.
The process is as follows:
- You enable URL validation on the VOD console and configure the allowed time difference and algorithm.
- VOD delivers the configured key value to CDN nodes.
- You obtain the authentication URL of a VOD media file.
- Viewers request CDN to play a video through the authentication playback URL.
- CDN verifies the request based on authentication information carried in the playback URL. Only requests that pass the verification are allowed.
Notes
- This function is optional and is disabled by default.
- After this function is enabled, the original URLs cannot be used. New authentication URLs must be generated based on rules.
- If the authentication URL expires or the signature fails to be authenticated, the video fails to be played and the message "403 Forbidden" is returned.
- Algorithms A, B, and C do not support HLS and DASH playback scenarios.
- To disable URL validation, submit a service ticket.
Procedure
- Log in to the VOD console.
- In the navigation pane, choose Domain Name Management.
- Click Settings in the row containing your domain name and then click the Hotlink Protection Settings tab.
- Click URL Validation and switch on URL Validation.
- Configure URL validation parameters. Table 1 describes the parameters.
Table 1 Parameter description Parameter
Description
Key
Click Generate to generate a key value.
Maximum Time Difference
How long an authentication URL remains valid. The default value is 120 minutes.
For example, if the authentication URL generation time is 1573806090 (Nov. 15, 2019 16:21:30 GMT+08:00) and the allowed time difference is 120 minutes, the authentication URL expires at Nov. 15, 2019 18:21:30 GMT+08:00.
Expiration Time of the Old Key
By default, the old key expires 60 minutes later since the new key takes effect.
For example, if the effective time of the new key is Nov. 15, 2019 16:21:30 GMT+08:00 and Expiration Time of the Old Key is 60 minutes, the old authentication URL expires at Nov. 15, 2019 17:21:30 GMT+08:00.
Algorithm
Key encryption algorithm. The following algorithms are supported:
Algorithms A, B, and C: The MD5 digest algorithm is used. For details, see Encryption Algorithm A, Encryption Algorithm B, and Encryption Algorithm C.
Algorithm D: The symmetric encryption algorithm is used. For details, see Encryption Algorithm D.
Algorithm E: The SHA-256 algorithm is used. For details, see Encryption Algorithm E (same as the Signing Method C2 of CDN).
NOTE:- Algorithms A, B, and C do not support HLS and DASH playback. Algorithm D or E is recommended.
- Currently, algorithm E supports preview only for HLS and MP4 files. The preview function of MP4 files takes effect only when the packaging format MOOV is in front of MDAT. After the preview function is enabled, the playback URL can be obtained from the VOD console. The default preview duration is 300s.
- Click OK.
- If you select algorithm D, you need to submit a service ticket for approval after configuring the parameters. The submitted information must contain the configured domain name and information listed in Table 1.
URL validation settings take effect once your request is approved. If you modify the URL validation settings, you also need to submit a service ticket for approval.
- Verify whether the URL validation settings have taken effect.
Obtain the authentication playback URL and play the content via the URL. If the playback is successful, the URL validation settings have taken effect.
Generating an Authentication URL
- Log in to the VOD console.
- In the navigation pane, choose Audio and Video Management.
- Click Details in the row containing your media file and then click the Playback tab.
URL is your playback address. Click
to obtain the authentication URL.Figure 2 Obtaining the authentication URL
Encryption Algorithm A
Authentication URL format
Original URL?auth_key={timestamp}-{rand}-{uid}-{auth_key}
auth_key = MD5(/asset/{assetId}/{file_name}-{timestamp}-{rand}-{uid}-{private_key})
|
Field |
Description |
|---|---|
|
timestamp |
Time when an authentication URL is generated. The value is a Unix timestamp, which is the number of seconds since January 1, 1970. Example: 1564731935 (2019.08.02 15:45) |
|
rand |
Random number. The recommended value is a UUID, which cannot contain hyphens (-). Example: f03cbe7c4a3849bc8d8769e3110e4533 |
|
uid |
This parameter is not used now. Set it to 0. |
|
private_key |
Key value set on the console. For details, see Procedure. |
Original URL: http://1.cdn.myhuaweicloud.com/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4 private_key: myPrivateKey timestamp: 1547123166 rand: 477b3bbc253f467b8def6711128c7bec uid: 0
auth_key = md5(/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4-1547123166-477b3bbc253f467b8def6711128c7bec-0-myPrivateKey) = 584883719a3f722bf1a32a3b0a4d25dd
An authentication URL based on algorithm A is:
http://1.cdn.myhuaweicloud.com/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4?auth_key=1547123166-477b3bbc253f467b8def6711128c7bec-0-584883719a3f722bf1a32a3b0a4d25dd
Encryption Algorithm B
https://{cdn_domain}/{date_YYYYmmddHHMM}/{md5sum}/asset/{asset_id}/{file_name}
md5sum = md5({private_key}{date_yyyyMMddHHmm}/asset/{asset_id}/{file_name})
|
Field |
Description |
|---|---|
|
date_yyyyMMddHHmm |
Time when an authentication URL is generated. The format is yyyyMMddHHmm. Example: 201908051445 |
|
file_name |
Path from the media ID to the end in the original playback URL Example: play_video/test.mp4 |
|
private_key |
Key value set on the console. For details, see Procedure. |
Original URL: http://1.cdn.myhuaweicloud.com/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4 private_key: myPrivateKey date_yyyyMMddHHmm: 201901102026 file_name: test.mp4
Obtain md5sum based on the calculation formula.
md5sum = md5(myPrivateKey201901102026/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4) = 713ef643de8df076da6ec3c0545968cb
An authentication URL based on algorithm B is:
http://1.cdn.myhuaweicloud.com/201901102026/713ef643de8df076da6ec3c0545968cb/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4
Encryption Algorithm C
https://{cdn_domain}/{md5hash}/{time_hex}/asset/{asset_id}/{file_name}
md5hash = md5({private_key}/asset/{asset_id}/{file_name}{time_hex})
|
Field |
Description |
|---|---|
|
file_name |
Path from the media ID to the end in the original playback URL Example: play_video/test.mp4 |
|
time_hex |
Time when an authentication URL is generated. The value is a hexadecimal Unix timestamp. Example: hex(1564987530)=5D47D08A |
|
private_key |
Key value set on the console. For details, see Procedure. |
Original URL: http://1.cdn.myhuaweicloud.com/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4 private_key: myPrivateKey time_hex: hex(timestamp) = hex(1547123166) = 5C3739DE file_name: test.mp4
md5hash=md5(myPrivateKey/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp45C3739DE) = afa20c956043fe6d130b16f2704ac870
An authentication URL based on algorithm C is:
http://1.cdn.myhuaweicloud.com/afa20c956043fe6d130b16f2704ac870/5C3739DE/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4
Encryption Algorithm D
Authentication URL format
Original URL?auth_info={Encrypted string}.{EncodedIV}
- Original encrypted string = url_encoding({path}+"$"+{Timestamp}).
- Encrypted string = aes_cbc_128_pkcs5padding (original encrypted string, key, IV)
- EncodedIV = hex(IV)
|
Field |
Description |
|---|---|
|
path |
Directory from the domain name to the last level, including the slash (/) behind the domain name and slash (/) behind the last level of directory, excluding the file name Example: /asset/32237c8f68fcc6071a2d8e3421eee20d/play_video/ |
|
Timestamp |
Time when an authentication URL is generated. The value is UTC time in yyyyMMddHHmmss format. Example: 20190805101025 |
|
key |
Key value set on the console. For details, see Procedure. |
|
IV |
Randomly generated byte array. It can be up to 16 characters long. hex(): converts the byte array into a hexadecimal string.
Sample code for generating IV is:
byte[] iv = new byte[16]; SecureRandom secureRand = new SecureRandom(); secureRand.nextBytes(iv); |
Original URL: https://179.cdn-vod.huaweicloud.com/asset/32237c8f68fcc6071a2d8e3421eee20d/play_video/index.m3u8 path: /asset/32237c8f68fcc6071a2d8e3421eee20d/play_video/ key: 8Ks1qn14XRO28qOa Timestamp: 20190805102430
Original encrypted string = url_encoding("/asset/32237c8f68fcc6071a2d8e3421eee20d/play_video/") + "$" + "20190805102430"
Encrypted string = aes_cbc_128_pkcs5padding (original encrypted string, key, IV) = 34M%2F6KtYgxuAozdBLIVTe0dUVAZdvXsYQoYAnDmuhRHh1hshYg%2B2Tl0AmSwySDh%2BmkER44qYKpSP%2BgfsLM%2FIZe4F6K4n1Nx6ouGwyKfqdDA%3D
EncodedIV = hex(IV) = 79436d453636364e335941713330534e
https://179.cdn-vod.huaweicloud.com/asset/32237c8f68fcc6071a2d8e3421eee20d/play_video/index.m3u8?auth_info=34M%2F6KtYgxuAozdBLIVTe0dUVAZdvXsYQoYAnDmuhRHh1hshYg%2B2Tl0AmSwySDh%2BmkER44qYKpSP%2BgfsLM%2FIZe4F6K4n1Nx6ouGwyKfqdDA%3D.79436d453636364e335941713330534e
Encryption Algorithm E
Authentication URL format
Original URL?auth_key={authKey}×tamp={timestamp}&exper={exper}
|
Field |
Description |
|---|---|
|
timestamp |
Time when an authentication URL is generated. The value is a Unix timestamp, which is the number of seconds since January 1, 1970. Unit: second. Example: 1564731935, that is, the time is 2019.08.02 15:45. |
|
fileName |
Back-to-origin URL. During authentication, the value must start with a slash (/) and does not include the parameters behind ? in the authentication URL. Example: /asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4 |
|
PrivateKey |
Signing key, which is used to generate a signed URL. The key contains 6 to 32 characters in only letters and digits. |
|
exper |
Video preview duration. The value is a number, in second. |
Original URL: http://1.cdn.myhuaweicloud.com/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4 private_key: 32d6b2d740f10b86 timestamp: 1547123166 fileName: /asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4 exper: 300
auth_key = sha256(32d6b2d740f10b86/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp41547123166300) = 3a935cf1d8299fe63ec8d4e0afb5ef3304883a702a4e760f3c5ae838a4b69768
http://1.cdn.myhuaweicloud.com/asset/6b2d740f10b8697d8ea6672868ecdb6f/test.mp4?auth_key=3a935cf1d8299fe63ec8d4e0afb5ef3304883a702a4e760f3c5ae838a4b69768×tamp=1547123166&exper=300
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
