Hotlink Protection URL Calculation
Last updated: 2019-09-11 11:34:44
Security hotlink protection refers to the txSecret field in the push and playback URLs. It prevents attackers from impersonating your backend to generate push URLs, or from stealing your playback address for illegal profit.
How It Works
To prevent an attacker from impersonating your server and generating push and playback URLs, you can configure the hotlink protection encryption key in the LVB Console as shown below (do not disclose this key), so that the attacker cannot easily forge valid push and playback URLs:
Step 1: Exchange keys
First, you need to configure an encryption key in the console, which is used to generate the hotlink protection signature on your server. Since Tencent Cloud holds the same key as you do, it can recompute and confirm the signature you generate.
An encryption key can be either a push hotlink protection key or a playback hotlink protection key. The former is used to generate a push hotlink protection URL, while the latter a playback hotlink protection URL. Currently, you can configure a push hotlink protection key in the LVB Console as shown below:
For more information on the playback hotlink protection key, see Best Practices - LVB Playback.
Step 2: Generate txTime
The plaintext in the signature is txTime, which is the validity period of the link. For example, if the current time is 2018-12-29 11:13:45, and the URL to be generated is expected to be valid for 3 hours, then txTime should be set to 2018-12-29 14:13:45.
However, it is impractical to put such a long time string in the URL. In actual use, we first convert 2018-12-29 14:13:45 to a UNIX timestamp, i.e., 1546064025 (every backend programming language provides a time function that handles this conversion), and then convert it to a hexadecimal string to further reduce the character length, i.e., txTime = 1546064025 (decimal) = 5C271099 (hexadecimal). Using a decimal string is also supported.
The validity period set by txTime should be neither too long nor too short:
- If the expiration time is too short, when the host encounters network jitters during a live broadcast, the push cannot be resumed because the push URL expires.
- If the expiration time is too long, there may be a risk of hotlinking.
Step 3: Generate txSecret
txSecret is generated as MD5(KEY + StreamName + txTime). KEY is the encryption key configured in step 1. StreamName, also known as stream ID, is test in this example (we recommend using a random number or a user ID). txTime is the 5C271099 calculated in the previous step, and MD5 is the standard one-way (irreversible) MD5 hash algorithm.
If KEY is e12c46f2612d5106e2034781ab261ca3, then txSecret = MD5(e12c46f2612d5106e2034781ab261ca3test5C271099) = f85a2ab363fe4deaffef9754d79da6fe
Step 4: Splice the hotlink protection URL
A push URL that conforms to the Tencent Cloud standard consists of the following four parts:
Now that we have the txTime that tells Tencent Cloud when the push (or playback) URL expires, the txSecret that only Tencent Cloud can verify, the StreamName, and the push domain name (assumed to be livepush.tcloud.com), we can put together a standard URL. In this example, the push URL is:
Go to LVB Console > Domain Management, select a pre-configured push domain name, click Manage > Push Configuration to display the Push Address Sample Code (for both PHP and Java) that demonstrates how to generate a hotlink protection address.
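Steps 2 and 3 above, as an added Python example (not Tencent Cloud's sample code): it generates txTime and txSecret from the sample key and stream name on this page, and adds a hypothetical verify function showing how a holder of the same key would recompute the digest and reject tampered or expired fields. The function names and the return strings of verify are assumptions, and the full URL layout is not reproduced.

```python
import hashlib
import hmac

# Values from the worked example on this page; the key is the page's sample, not a real secret.
KEY = "e12c46f2612d5106e2034781ab261ca3"
STREAM = "test"
NOW = 1546053225  # 2018-12-29 11:13:45 (UTC+8), the "current time" in Step 2


def make_tx_time(now: int, valid_seconds: int) -> str:
    """Step 2: expiry as an uppercase hexadecimal UNIX timestamp."""
    return format(now + valid_seconds, "X")


def make_tx_secret(key: str, stream_name: str, tx_time: str) -> str:
    """Step 3: MD5(KEY + StreamName + txTime) as a hex digest."""
    return hashlib.md5((key + stream_name + tx_time).encode("utf-8")).hexdigest()


def sign(key: str, stream_name: str, now: int, valid_seconds: int) -> dict:
    """Return the two hotlink protection fields for a URL."""
    tx_time = make_tx_time(now, valid_seconds)
    return {"txSecret": make_tx_secret(key, stream_name, tx_time), "txTime": tx_time}


def verify(key: str, stream_name: str, params: dict, now: int) -> str:
    """Hypothetical receiver-side check: recompute the digest, then test expiry."""
    tx_time = params.get("txTime", "")
    try:
        expires = int(tx_time, 16)  # hex form only; decimal txTime is not handled here
    except ValueError:
        return "malformed"
    expected = make_tx_secret(key, stream_name, tx_time)
    supplied = params.get("txSecret", "").lower()
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad_signature"
    return "expired" if now > expires else "ok"


if __name__ == "__main__":
    fields = sign(KEY, STREAM, NOW, 3 * 3600)
    print(fields["txTime"])                             # expiry in hex
    print(verify(KEY, STREAM, fields, NOW + 60))        # inside the validity window
    print(verify(KEY, STREAM, fields, NOW + 4 * 3600))  # after txTime has passed
    print(verify(KEY, STREAM, {**fields, "txTime": "6C271099"}, NOW))  # expiry altered
```

Because txTime is part of the hashed string, changing the expiry or the stream name without the key invalidates txSecret, which is why the key must stay on the server.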