tencent cloud

Content Delivery Network

Updates and Announcements
Release Notes
Announcements
User Tutorial
Product Introduction
Product Overview
Strengths
Use Cases
Term
Use Limits
CDN Performance Descriptions (Spot-check)
Purchase Guide
CDN Purchase Guide
ECDN Purchase Guide
Getting Started
Configuring CDN from Scratch
Adding Domain Names
CNAME Configuration
Domain Name Ownership Verification
FAQs about Domain Name Connection
Configuration Guide
Domain Management
Domain Name Configurations
Statistical Analysis
Purge and Prefetch
Log Management
EdgeOne
Service Query
Offline Cache
Permission Management
Permission Configuration
Console Permissions
Activate Real-time Logging as Sub-account/Collaborator
Use Cases
Accelerating Resources on COS with CDN
Practical Tutorial
Guide to Using the EdgeOne Tool for Migrating Content Delivery Network (CDN) Related Services
CDN - CVM
CDN - COS
Configuring CNAME via DNSPod
Regularly Storing CDN Logs
API Documentation
History
Introduction
API Category
Content Management APIs
Real-time Log APIs
Service Query APIs
Data Query APIs
Making API Requests
Log Query APIs
StopCdnDomain
Configuration Management APIs
Obsoleted APIs
Other APIs
Data Types
Error Codes
FAQ
Features
Billing
FAQs about Domain Name Connection
Cache Configuration FAQs
Purge and Prefetch
Statistical Analysis
FAQs about HTTPS
Connection
Errors
Troubleshooting Methods
Status Codes and Solutions
Node Cache Inconsistency
Slow Access Speed After CDN Activation
Low Traffic Hit Rate
404 Status Code
Page Display - CORS error
Resource Cache Failure
Service Level Agreement
Glossary
DocumentationContent Delivery NetworkConfiguration GuideDomain Name ConfigurationsAccess ControlAuthentication ConfigurationInstruction

Instruction

PDF
Focus Mode
Font Size
Last updated: 2024-12-30 21:35:15

Configuration Scenario

Generally, contents delivered over CDN are public resources by default, which can be accessed by users with URLs. To prevent malicious users from hotlinking your content for profit, you can configure advanced timestamp authentication in addition to access control policies such as referer blocklist/allowlist, IP blocklist/allowlist, and IP access frequency limit.
Note:
After timestamp hotlink protection is configured, the client needs to calculate the signature as configured and carry it to the server when initiating a request. The CDN node will authenticate the signature on the server, which will pass only after successful authentication.

Configuration Guide

Viewing configuration

Log in to the CDN Console, select Domain Management on the left sidebar, and click Manage on the right of the domain name to access its configuration page. Under the Security Configuration tab, find the authentication configuration, which is disabled by default:



Modifying configuration

1. Modify the configuration

CDN provides four authentication signature calculation models of your choice. You can use the Authentication Calculator provided to view these models. For more information on the configuration effect and algorithms, please see the specific algorithm documents for TypeA, TypeB, TypeC, and TypeD:



2. Disable the configuration

You can toggle the authentication configuration switch to disable this feature. When the switch is off, any existing configuration will not take effect in the production environment. If you toggle the switch on, a message will be displayed asking for your confirmation before the configuration takes effect across the entire network.



3. Add a region-specific configuration

If your acceleration domain name is configured for global acceleration and you want acceleration in and outside mainland China to have different authentication configurations, you can click Add Special Configuration under the configuration.


Note:
Currently, an added region-specific configuration item cannot be deleted but can only be disabled.

Configuration Sample

Suppose the domain name cloud.tencent.com is configured for global acceleration and the authentication configuration is as follows:

The actual effect will be as follows:
1. A user in mainland China can access the resource http://cloud.tencent.com/1.jpg by directly initiating a request.
2. A user outside Mainland China can access the resource http://cloud.tencent.com/1.jpg by initiating a request with a URL in the format of http://cloud.tencent.com/509301d10da7b862052927ed7a947f43/5e561139/1.jpg.

Sample Code

The following is the authentication calculation method with the Demo for Python as an example:
import requests
import json
import sys
import time
import hashlib

def generate_url(category, ts=None):
    url = 'http://www.test.com'              # Test domain name
    path = '/1.txt'                                     # Access path
    suffix = '?a=1&b=2'                                 # URL parameter
    key = 'abc123456789'                                # Authentication key
    now = int(time.mktime(time.strptime(ts, "%Y%m%d%H%M%S")) if ts else time.time())                # If a `ts` is entered, it will be used; otherwise, the current `ts` will be used
    sign_key = 'key'                                    # URL signature field
    time_key = 't'                                      # URL time field
    ttl_format = 10                                     # Time format. Valid values: 10, 16. This is supported only for type D
    if category == 'A':                                 # Type A
        ts = now
        rand_str = '123abc'
        sign = hashlib.md5('%s-%s-%s-%s-%s' % (path, ts, rand_str, 0, key)).hexdigest()
        request_url = '%s%s?%s=%s' % (url, path, sign_key, '%s-%s-%s-%s' % (ts, rand_str, 0, sign))
        print(request_url)
    elif category == 'B':                               # Type B
        ts = time.strftime('%Y%m%d%H%M', time.localtime(now))
        sign = hashlib.md5('%s%s%s' % (key, ts, path)).hexdigest()
        request_url = '%s/%s/%s%s%s' % (url, ts, sign, path, suffix)
        print(request_url)
    elif category == 'C':                               # Type C
        ts = hex(now)[2:]
        sign = hashlib.md5('%s%s%s' % (key, path, ts)).hexdigest()
        request_url = '%s/%s/%s%s%s' % (url, sign, ts, path, suffix)
        print(request_url)
    elif category == 'D':                               # Type D
        ts = now if ttl_format == 10 else hex(now)[2:]
        sign = hashlib.md5('%s%s%s' % (key, path, ts)).hexdigest()
        request_url = '%s%s?%s=%s&%s=%s' % (url, path, sign_key, sign, time_key, ts)
        print(request_url)


if __name__ == '__main__':
    if len(sys.argv) == 1:
        print('usage: python generate_url.py A 20200501000000')
    args = sys.argv[1:]
    generate_url(*args)

Previous Topic: Video Dragging ConfigurationNext Topic: TypeA

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback