Signing Method B
By default, the content distributed by CDN is a public resource: anyone who knows a URL can fetch it. Token authentication protects these resources from being hotlinked or downloaded by malicious users. Huawei Cloud CDN provides four URL signing methods. This topic describes signing method B.
- Token authentication is disabled by default.
- You cannot configure this function on the CDN console for domain names with special configurations.
- Domain names whose service type is whole site acceleration do not support signing method B.
- When token authentication is configured, user requests carry authentication parameters. If Ignore specific parameters is not configured, requests that differ only in these parameters are cached separately, so:
- Origin pull becomes frequent.
- If your origin server is an OBS bucket, fees for bucket outbound traffic are incurred.
How It Works
Signed URLs have the following form:
http://DomainName/timestamp/sha256/FileName
http://DomainName/timestamp/md5hash/FileName
If authentication succeeds, CDN strips the timestamp and hash segments and pulls from the origin with the back-to-origin URL:
http://DomainName/FileName
The following table describes the parameters in a signed URL.

Parameter | Description
---|---
DomainName | Acceleration domain name.
timestamp | Time when the authentication server generates the signed URL, that is, the authentication start time. The UTC+08:00 time of the authentication server is used, whatever the local time zone of the machine that generates the URL. The format is YYYYMMDDHHMM, for example, 201706301000.
Validity period | How long the signed URL remains effective. The value ranges from 0s to 31,536,000s (one year). Example: if the validity period is 1,800s, users can access CDN only while the current time is earlier than or equal to timestamp + 1,800s; after that, the signed URL is invalid.
md5hash | A 32-character string calculated using the MD5 algorithm, consisting of lowercase letters and digits (lowercase hexadecimal).
sha256 | A 64-character string calculated using the SHA256 algorithm, consisting of lowercase letters and digits (lowercase hexadecimal).
FileName | Back-to-origin path. Its value must start with a slash (/) and excludes any query string following the question mark (?). Because the hash covers only this path, query parameters are not protected by the signature.
PrivateKey | Signing key used to generate the signed URL, for example, huaweicloud12345. A key contains 6 to 32 characters, including letters and digits. Keep it only on the server that generates signed URLs: anyone who holds it can sign URLs for any path under the domain name.
Verification Method
After receiving a request, a CDN server verifies it as follows:
1. Checks whether the authentication parameters (timestamp and hash) are present in the request. If not, the request is considered invalid and an HTTP 403 error code is returned.
2. Checks whether the current time is earlier than or equal to timestamp plus the validity period set in the token authentication settings.
   - If not, the signed URL is considered expired and an HTTP 403 error code is returned.
   - If yes, the time check passes and CDN goes to step 3.
3. Constructs sstring, calculates HashValue from it with the configured algorithm (MD5 or SHA256), and compares HashValue with the md5hash or sha256 value in the request. If the two are the same, authentication succeeds and the requested file is returned; otherwise authentication fails and an HTTP 403 error code is returned. HashValue is calculated as follows:

   sstring = "PrivateKey" + "timestamp" + "FileName"
   HashValue = md5sum(sstring)       (Encryption Algorithm: MD5)
   HashValue = sha256sum(sstring)    (Encryption Algorithm: SHA256)
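The signing and verification logic described above, as an added Python example (not Huawei Cloud's own code or SDK). It builds a method B URL the way the authentication calculator does and mirrors the three CDN-side checks: the UTC+08:00 timestamp, the validity window, the exclusion of the query string from FileName, and the primary/secondary key fallback from the token authentication settings; `effective_validity` applies the rule that the calculator's validity period is capped by the configured one. The domain name, key, path and times reuse the values from the Example section of this page; `cst_datetime`, `verify_path` and its `(status, reason)` return value are this example's own names, not CDN APIs.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# The authentication server's clock: timestamp is rendered in UTC+08:00,
# whatever the local time zone of the machine generating the URL.
CST = timezone(timedelta(hours=8))
TS_FORMAT = "%Y%m%d%H%M"                    # YYYYMMDDHHMM, e.g. 201706301000
HASH_LEN = {"md5": 32, "sha256": 64}        # lowercase hex digits in the URL


def cst_datetime(year, month, day, hour, minute, second=0):
    """Helper (this example's own): build an aware datetime in UTC+08:00."""
    return datetime(year, month, day, hour, minute, second, tzinfo=CST)


def method_b_hash(key, timestamp, file_name, algorithm="md5"):
    """HashValue = md5sum/sha256sum("PrivateKey" + "timestamp" + "FileName")."""
    if algorithm not in HASH_LEN:
        raise ValueError("algorithm must be 'md5' or 'sha256'")
    sstring = f"{key}{timestamp}{file_name}"
    return hashlib.new(algorithm, sstring.encode("utf-8")).hexdigest()


def sign_url(domain, file_name, key, start, algorithm="md5", scheme="http"):
    """Build http://DomainName/timestamp/hash/FileName; start is an aware datetime."""
    if not file_name.startswith("/") or "?" in file_name:
        raise ValueError("FileName must start with '/' and carry no query string")
    if not (6 <= len(key) <= 32 and key.isalnum()):
        raise ValueError("signing key must be 6 to 32 letters and digits")
    timestamp = start.astimezone(CST).strftime(TS_FORMAT)
    digest = method_b_hash(key, timestamp, file_name, algorithm)
    return f"{scheme}://{domain}/{timestamp}/{digest}{file_name}"


def verify_path(request_path, keys, validity_seconds, now, algorithm="md5"):
    """Mirror the CDN-side check on the request path (everything after the host).

    keys is [primary] or [primary, secondary]; either key may validate the request.
    Returns (403, reason) or (200, back_to_origin_path).
    """
    if algorithm not in HASH_LEN:
        raise ValueError("algorithm must be 'md5' or 'sha256'")
    # Step 1: both authentication parameters must be present.
    parts = request_path.split("/", 3)           # ['', timestamp, hash, rest]
    if len(parts) != 4 or not parts[1] or not parts[2]:
        return 403, "authentication parameters missing"
    timestamp, given, rest = parts[1], parts[2], parts[3]

    # Step 2: the URL is usable while now <= timestamp + validity period.
    # The page specifies only this upper bound; a future timestamp is not rejected here.
    if len(timestamp) != 12 or not timestamp.isdigit():
        return 403, "timestamp is not YYYYMMDDHHMM"
    try:
        start = datetime.strptime(timestamp, TS_FORMAT).replace(tzinfo=CST)
    except ValueError:
        return 403, "timestamp is not a valid date"
    if now > start + timedelta(seconds=validity_seconds):
        return 403, "signed URL expired"

    # Step 3: recompute HashValue over FileName (origin path without the query
    # string) for each configured key and compare in constant time.
    file_name = "/" + rest.split("?", 1)[0]
    if len(given) != HASH_LEN[algorithm]:
        return 403, "hash has wrong length for " + algorithm
    for key in keys:
        expected = method_b_hash(key, timestamp, file_name, algorithm)
        if hmac.compare_digest(expected, given):
            return 200, file_name
    return 403, "hash mismatch"


def effective_validity(calculator_seconds, configured_seconds):
    """The calculator's validity period is capped by the token authentication setting."""
    return min(calculator_seconds, configured_seconds)


if __name__ == "__main__":
    key = "huaweicloud12345"
    path = "/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3"
    start = cst_datetime(2017, 6, 30, 10, 0)
    url = sign_url("hwcdn.example.com", path, key, start)
    print(url)
    req = url[len("http://hwcdn.example.com"):]
    print(verify_path(req, [key], 1800, cst_datetime(2017, 6, 30, 10, 30)))     # (200, path)
    print(verify_path(req, [key], 1800, cst_datetime(2017, 6, 30, 10, 30, 1)))  # (403, 'signed URL expired')
```

Two points worth noticing when running it: a request for the same path with a query string appended still verifies, because the query string is not part of FileName, and a URL signed with the old key keeps working during rotation only while that key is configured as the secondary key.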
Procedure
- Log in to Huawei Cloud console. Choose .
The CDN console is displayed.
- In the navigation pane, choose .
- In the domain list, click the target domain name or click Configure in the Operation column.
- Click the Access Control tab and click Configure under Token Authentication.
Figure 1 Configuring token authentication
- Turn on the Status switch.
- Set the parameters according to the following table and click OK.
Table 2 Parameter description

Parameter | Description
---|---
Signing Method | Select Method B.
Authentication Scope | Files to be authenticated. Select All files, Specific files, or Specific files excluded.
Inheritance | Adds the authentication parameters to the TS and MP4 segments listed in M3U8/MPD index files, so that the segments can be played once the index request passes authentication. See the notes after this table.
Start Time | Start time (timestamp) used for the inherited signatures. Same as user request: the time when the user accesses the M3U8/MPD file. Current time: the current time of the authentication server.
File Name Extensions | Set this parameter when Authentication Scope is Specific files or Specific files excluded. Only requests for files with the listed extensions are authenticated (or exempted). Only lowercase letters and digits are supported; separate multiple extensions with semicolons (;).
Signing Key | Authentication password. The value contains 6 to 32 characters, including letters and digits. NOTE: For security purposes, use 8 to 32 characters.
Secondary Key | (Optional) Secondary password for authentication. To rotate keys without breaking URLs already in circulation, set the old key as the secondary key so that both the old and new keys remain valid; CDN accepts a request if it verifies against either the primary or the secondary key. The same rules apply: 6 to 32 characters, including letters and digits; for security purposes, use 8 to 32 characters.
Encryption Algorithm | MD5 or SHA256.
Validity Period | How long the signed URL remains effective. The value ranges from 0s to 31,536,000s (one year).

Notes on Inheritance:
- If there are multi-layer M3U8/MPD files, only the first-layer M3U8/MPD files are parsed; the TS/MP4 streams of M3U8/MPD files in other layers are not expanded.
- The standard M3U8 format is supported. M3U8 files are parsed by line; if parsing fails, the origin server's response is returned to users unchanged. URIs in the #EXT-X-MAP tag and URLs/URIs on lines not starting with the pound key (#) are supported.
- The standard MPD format is supported. MPD files are parsed by line; if parsing fails, the origin server's response is returned to users unchanged. The URI between the <BaseURL> and </BaseURL> tags is identified. The SegmentTemplate tag is not supported.
- If your M3U8/MPD index files contain special characters, CDN does not transcode them when calculating the authentication hash. If clients automatically transcode special characters, the hash they request will not match and access fails.
- If the origin server returns resources compressed with gzip or Brotli to CDN PoPs, the inheritance settings do not take effect.
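To make the Inheritance rules in Table 2 concrete, here is an added Python example (not Huawei Cloud's code, and not a description of how CDN PoPs implement the feature internally) that rewrites a constructed M3U8 index the way inherited method B signatures (MD5 variant) appear to the player: the index is processed line by line, every line not starting with # and the URI attribute of #EXT-X-MAP become signed paths, and other tag lines pass through untouched. Assumptions of this example, none of which the page states: relative URIs are resolved against the directory of the index file, absolute URLs keep their scheme and host, a query string stays on the rewritten URL but is excluded from FileName, and a nested .m3u8 line gets a signed path without its own segments being expanded (the first-layer-only note). The timestamp argument is either the time of the user's index request or the current time, matching the Start Time setting. `inherit_auth`, `rewrite_uri` and `SAMPLE_INDEX` are this example's own names.

```python
import hashlib
import posixpath
import re
from urllib.parse import urlsplit, urlunsplit

MAP_URI = re.compile(r'URI="([^"]*)"')

# Constructed sample index (not from the page): an init segment, a relative
# segment, a root-relative segment with a query string, and an absolute URL.
SAMPLE_INDEX = """#EXTM3U
#EXT-X-VERSION:6
#EXT-X-TARGETDURATION:4
#EXT-X-MAP:URI="init.mp4"
#EXTINF:4.0,
seg0.m4s
#EXTINF:4.0,
/vod/abs/seg1.m4s?track=a
#EXTINF:4.0,
http://media.example.com/vod/cdn/seg2.m4s
#EXT-X-ENDLIST
"""


def method_b_md5(key, timestamp, file_name):
    """Method B HashValue, MD5 variant: md5sum("PrivateKey" + "timestamp" + "FileName")."""
    return hashlib.md5(f"{key}{timestamp}{file_name}".encode("utf-8")).hexdigest()


def signed_path(file_name, key, timestamp):
    """/timestamp/md5hash/FileName. A query string stays on the URL but is not hashed."""
    path, _, query = file_name.partition("?")
    signed = f"/{timestamp}/{method_b_md5(key, timestamp, path)}{path}"
    return signed + ("?" + query if query else "")


def resolve_uri(uri, index_path):
    """Map a URI from the index to (origin path incl. query, split absolute URL or None).

    Special characters are taken literally: the page says CDN does not transcode them.
    """
    if uri.startswith(("http://", "https://")):
        parts = urlsplit(uri)
        return parts.path + ("?" + parts.query if parts.query else ""), parts
    if uri.startswith("/"):
        return uri, None
    # Relative URI: resolved against the index file's directory (assumption).
    return posixpath.normpath(posixpath.join(posixpath.dirname(index_path), uri)), None


def rewrite_uri(uri, index_path, key, timestamp):
    """Sign one URI; absolute URLs keep their scheme and host (assumption)."""
    file_name, parts = resolve_uri(uri, index_path)
    signed = signed_path(file_name, key, timestamp)
    if parts is None:
        return signed
    path, _, query = signed.partition("?")
    return urlunsplit((parts.scheme, parts.netloc, path, query, ""))


def inherit_auth(index_text, index_path, key, timestamp):
    """Rewrite the media URIs of an M3U8 index into method B signed paths.

    Per Table 2: parsed line by line; URIs are lines not starting with '#' plus the
    URI of #EXT-X-MAP. A nested .m3u8 line is signed like any URI, but its own
    segments are not expanded (only the first layer is parsed).
    """
    out = []
    for line in index_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#EXT-X-MAP:"):
            out.append(MAP_URI.sub(
                lambda m: 'URI="%s"' % rewrite_uri(m.group(1), index_path, key, timestamp),
                stripped))
        elif not stripped or stripped.startswith("#"):
            out.append(line)                     # tags and blank lines pass through
        else:
            out.append(rewrite_uri(stripped, index_path, key, timestamp))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(inherit_auth(SAMPLE_INDEX, "/vod/live/index.m3u8", "huaweicloud12345", "201706301000"))
```

The MPD branch of the feature (the URI between <BaseURL> tags) is not modelled here. Note also that the hash is taken over the path exactly as it appears in the index, which is why a client that percent-encodes or decodes the path before requesting it ends up with a different FileName and a 403.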
Authentication Calculator
Using the authentication calculator, you can generate signed URLs for users. Set the parameters according to Table 2 and Table 3, and click Generate to produce a signed URL that expires at a specific time.
Table 3 Parameter description

Parameter | Description
---|---
Signing Key | Authentication password. Enter 6 to 32 characters, including letters and digits. The value must be the same as the signing key in the token authentication configuration.
Access Path | Path of the content. It starts with a slash (/) and carries no query string.
Encryption Algorithm | MD5 or SHA256.
Start Time | Time when the signed URL takes effect.
Validity Period | How long the signed URL remains effective. The value ranges from 0s to 31,536,000s. If this value is greater than the validity period set in the token authentication settings, the latter is used. Example: if you set this parameter to 2,000s but the validity period in the token authentication settings is 1,800s, signed URLs are valid for 1,800s.

If the signed URL contains special characters, escape them.
Disabling Token Authentication
Switch off Status to disable token authentication. This clears all token authentication settings, so you need to set the parameters again when you enable the function next time.
Example
The following uses the MD5 algorithm:
- The back-to-origin URL is:
http://hwcdn.example.com/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3
- The signing key is huaweicloud12345 (customizable).
- timestamp is 201706301000 (10:00 on June 30, 2017, UTC+08:00).
- The CDN server concatenates the key, the timestamp and the file name to build the string for calculating md5hash:
huaweicloud12345201706301000/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3
- The CDN server calculates md5hash from the string:
md5hash = md5sum("huaweicloud12345201706301000/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3") = 668f28d134ec6446a8ae83a43d0a554b
- The request URL is:
http://hwcdn.example.com/201706301000/668f28d134ec6446a8ae83a43d0a554b/T128_2_1_0_sdk/0210/M00/82/3E/test.mp3
With a validity period of 1,800s, if the request arrives within the validity period (earlier than or equal to 10:30:00 on June 30, 2017, UTC+08:00) and the md5hash value in the request equals the calculated value (668f28d134ec6446a8ae83a43d0a554b), authentication succeeds.