- Updates and Announcements
- User Tutorial
- Product Introduction
- Purchase Guide
- Getting Started
- Configuration Guide
- Permission Management
- Use Cases
- Best Practice
- API Documentation
- FAQ
- Troubleshooting Methods
- CDN Service Level Agreement
- Glossary
- Updates and Announcements
- User Tutorial
- Product Introduction
- Purchase Guide
- Getting Started
- Configuration Guide
- Permission Management
- Use Cases
- Best Practice
- API Documentation
- FAQ
- Troubleshooting Methods
- CDN Service Level Agreement
- Glossary
To protect your site resources from being downloaded or stolen by unauthorized users, you can choose an authentication method from Types A, B, C, and D as needed. This document describes parameter fields and their purposes in TypeC authentication.
Algorithm Description
Access URL format
http://DomainName/md5hash/timestamp/FileNameNote:The access URL cannot contain any Chinese characters.
Description of authentication fields
Field Description DomainName CDN domain. Filename Resource access path. During authentication, `Filename` must start with a slash ( /).timestamp The time when the server generates the authentication URL. It is a positive hex integer Unix timestamp, which is the total number of seconds between 00:00:00, January 1, 1970, UTC time and the URL generation time. Its definition is irrelevant to the time zone. md5hash A string containing 32 characters calculated based on the MD5 algorithm. It is calculated as follows:
• There are no symbols between parameters in `md5hash = md5sum(pkeytimestampuri)`.
• pkey: It can contain 6–40 letters and digits. It should be kept private and disclosed to only the client and server.
• uri: It is the resource access path and must start with a slash (/).
• timestamp: Its value is the above `timestamp`.Authentication logic description
After the CDN server receives a user request, it parses thetimestampparameter in the URL and the validity period of the authentication URL and compares it with the current time.- If the sum of
timestampand the validity period of the authentication URL is before the current time, the server judges that the URL has expired and is invalid and returns the HTTP error code 403. - If the sum of
timestampand the validity period of the authentication URL is after the current time, the server uses the MD5 algorithm to calculate the value ofmd5hashand it with themd5hashvalue passed in by the URL. If they are the same, the request will pass the authentication; otherwise, the HTTP error code 403 will be returned.
- If the sum of
Directions
Taking the configuration of TypeC authentication as an example, the parameters and console configuration items are configured as follows:
Field configuration
Authentication key: dimtm5evg50ijsx2hvuwyfoiu65
Validity period of the authentication URL: 1s
The time when the signature calculation server generates the authentication URL: 2020-02-27 16:10:32 (UTC+8). Its decimal integer value after conversion is
1582791032(timestamp).Requested origin address:
http://cloud.tencent.com/test.jpg
Generation process
- Get authentication parameters:
Parameter Value URI Resource access path, which is `/test.jpg`. timestamp 1582791032 pkey dimtm5evg50ijsx2hvuwyfoiu65 - Concatenate the signature string: dimtm5evg50ijsx2hvuwyfoiu651582791032/test.jpg
- Calculate the MD5 value of the signature string: md5hash = md5sum(pkeytimestampuri) =md5sum(dimtm5evg50ijsx2hvuwyfoiu651582791032/test.jpg) = ea68b93ac23ebbc6eebf7f163c6e9c4c
- Get authentication parameters:
Generate the authentication URL:
http://cloud.tencent.com/ea68b93ac23ebbc6eebf7f163c6e9c4c/1582791032/test.jpg
When the client uses the encryption URL for access, if themd5hashvalue calculated by the CDN server is the same as themd5hashvalue carried by the access request, which are bothea68b93ac23ebbc6eebf7f163c6e9c4cin this example, the request will pass the authentication; otherwise, the authentication will fail.
Notes
Cache hit rate
If you have enabled TypeC authentication for a domain, the signature and timestamp will be carried in the access URL path. When a CDN node caches the resource, it will automatically ignore the authentication path and thus not affect the cache hit rate.
Origin-pull policy
The access format of a domain name with TypeC authentication mode enabled is as follows:
http://DomainName/md5hash/timestamp/FileName
If the CDN node is not hit after successful authentication, it will initiate an origin-pull request, in which the md5hash and timestamp will be removed from the path. The origin server does not need to process the authentication information.
Yes
No
Was this page helpful?