Baidu AI Cloud
Advanced Authorization

Overview

Advanced authorization is a hotlink protection method implemented jointly by the CDN acceleration nodes and the customer's origin server. Different authorization modes can be selected to encrypt the URL according to business needs, so as to protect the origin server's resources.

Application Scenarios

In order to prevent the contents of the origin server from being stolen, CDN provides a hotlink protection feature: the user can protect origin server resources by configuring Referer and IP blacklists/whitelists. However, because the Referer header can be forged, a risk of hotlinking still exists in practice. To protect origin server resources better, CDN supports encrypting the URL of the origin server resource, so that legitimate requests are answered correctly and illegal requests are rejected by means of authentication.

Explanation of the Principle

Advanced URL authentication is a more secure and reliable protection of origin server resources, implemented through the cooperation of Baidu AI Cloud CDN acceleration nodes and the customer's origin server.

  1. The CDN customer provides the encrypted URL to the client.
  2. The client uses the encrypted URL to send a request to the CDN node.
  3. The CDN acceleration node verifies the authorization information in the encrypted URL to judge whether the request is valid. A valid request is served normally; an invalid request is refused, so that the origin server's resources are protected.

URL Authentication Method

Baidu AI Cloud CDN supports three authorization modes: Class A, Class B and Class C, and the user can select different authorization modes to encrypt URL according to the business needs, so as to protect the resources of origin server.

Class A Authorization Mode

Explanation of the Principle

Original URL: http://Domain/Filename

Encrypted URL: http://Domain/Filename?auth_key=Timestamp-Rand-Uid-Md5hash

Interpretation of encrypted URL field

Field | Description
Domain | Domain name of the CDN customer site.
Filename | Actual back-to-origin access path; the string to be signed begins with Filename.
Timestamp | Expiration time of the encrypted URL, a positive integer giving the number of seconds between January 1, 1970 and the expiration time. It may be decimal or hexadecimal and must match the console configuration.
Rand | A random number; it cannot contain a hyphen (-).
Uid | User ID; it cannot contain a hyphen (-).
Md5hash | Verification string computed with the md5 algorithm: 32 characters drawn from the digits 0-9 and the lowercase letters a-z. Its value is md5sum(sstring), where sstring = "Filename-Timestamp-Rand-Uid-Key" and Key is either the primary KEY or the backup KEY.

After the CDN server receives the request, it performs the following verification.

  1. Parse the Timestamp in the request. If the Timestamp is smaller than the current time, the encrypted URL is considered expired and an HTTP 403 error is returned.
  2. Build the character string by the sstring method, compute HashValue with the md5 algorithm, and compare it with the Md5hash carried in the client request. If they match, authorization passes and the file is returned; otherwise, authorization fails and an HTTP 403 error is returned.

Example Description

  1. Original URL: http://opencdn.example.com/authentication/test/2F.html
  2. Set the key: bdcloud666 (set by the user).
  3. The customer sets the encrypted URL to expire at 00:00:00 on June 30, 2017, i.e. the calculated number of seconds is 1498752000; rand is set to "0" and uid is set to "0".
  4. The customer concatenates sstring: "/authentication/test/2F.html-1498752000-0-0-bdcloud666"
  5. Compute md5hash = md5sum("/authentication/test/2F.html-1498752000-0-0-bdcloud666") = 89518343a306f93173783a260bb364f0 from the sstring.
  6. The encrypted URL generated is: http://opencdn.example.com/authentication/test/2F.html?auth_key=1498752000-0-0-89518343a306f93173783a260bb364f0
  7. The client uses the encrypted URL to access the CDN node, which verifies Timestamp and Md5hash. The file is returned if the verification passes; otherwise, authorization fails and an HTTP 403 error is returned.

API Configuration Example

"anti_hot_link":{"antiType": "typeA", "secretKey": "bdcloud666", "newsecretKey": "opencdn666","secureFile": "/test.txt"} 

Class B Authorization Mode

Explanation of the Principle

Original URL: http://Domain/Filename

Encrypted URL: http://Domain/Timestamp/Md5hash/FileName

Interpretation of encrypted URL field

Field | Description
Domain | Domain name of the CDN customer site.
Timestamp | The time stamp, which can be in decimal or hexadecimal format, or in YYYYMMDDHHMM format. Decimal or hexadecimal represents the number of seconds from January 1, 1970 to the time stamp, and the format must be consistent with the console configuration. Timestamp + valid time (set in the console) gives the expiration time of the encrypted URL. For example, with the validity set to 1800 s and the timestamp set to 201706301000, the encrypted URL becomes invalid after 2017-06-30 10:30:00.
Md5hash | Verification string computed with the md5 algorithm: 32 characters drawn from the digits 0-9 and the lowercase letters a-z. Its value is md5sum(sstring), where sstring = "KeyTimestampFilename" and Key is either the primary KEY or the backup KEY.
Filename | Actual back-to-origin access path; the string to be signed ends with Filename.

After the CDN server receives the request, it performs the following verification.

  1. Parse the Timestamp in the request. If (Timestamp + valid time) is smaller than the current time, the encrypted URL is considered expired and an HTTP 403 error is returned.
  2. Construct sstring (sstring = "KeyTimestampFilename", where Key is the primary KEY or the backup KEY), compute HashValue with the md5 algorithm, and compare it with the Md5hash carried in the client request. If they match, authorization passes and the file is returned; otherwise, authorization fails and an HTTP 403 error is returned.

Example Description

  1. Original URL: http://opencdn.example.com/4/44/obhqonkjtlhquiy93.mp3
  2. Set the key: bdcloud666 (set by the user).
  3. Set the valid time: 1800 s (set by the user).
  4. Set the timestamp to 201706301000 (YYYYMMDDHHMM format), meaning 10:00:00 on June 30, 2017.
  5. The customer concatenates sstring: "bdcloud666201706301000/4/44/obhqonkjtlhquiy93.mp3"
  6. Compute md5hash = md5sum("bdcloud666201706301000/4/44/obhqonkjtlhquiy93.mp3") = c13e51c58f41084ac98bd9feeeb1a346 from the sstring.
  7. The encrypted URL generated is: http://opencdn.example.com/201706301000/c13e51c58f41084ac98bd9feeeb1a346/4/44/obhqonkjtlhquiy93.mp3
  8. The client uses the encrypted URL to access the CDN node, which verifies Timestamp and Md5hash. The file is returned if the verification passes; otherwise, authorization fails and an HTTP 403 error is returned.

API Configuration Example

"anti_hot_link":{"antiType": "typeB", "secretKey": "bdcloud666", "newsecretKey": "opencdn666","secureFile": "/test.txt", "timeout": 1800} 

Class C Authorization Mode

Explanation of the Principle

Original URL: http://Domain/Filename

Format I of encrypted URL: http://Domain/Md5hash/Timestamp/FileName

Format II of encrypted URL: http://Domain/FileName?md5hash=Md5hash&timestamp=Timestamp

Interpretation of encrypted URL field

Field | Description
Domain | Domain name of the CDN customer site.
Md5hash | Verification string computed with the md5 algorithm: 32 characters drawn from the digits 0-9 and the lowercase letters a-z. Its value is md5sum(sstring), where sstring = "KeyFilenameTimestamp" and Key is either the primary KEY or the backup KEY.
Timestamp | The time stamp, in decimal or hexadecimal format, representing the number of seconds from January 1, 1970 to the time stamp. The format must be consistent with the console configuration. Timestamp + valid time (set in the console) gives the expiration time of the encrypted URL. For example, with the validity set to 1800 s and the timestamp set to 201706301000, the encrypted URL becomes invalid after 2017-06-30 10:30:00.
Filename | Actual back-to-origin access path; it sits between Key and Timestamp in the string to be signed.

After the CDN server receives the request, it performs the following verification.

  1. Parse the Timestamp in the request. If (Timestamp + valid time) is smaller than the current time, the encrypted URL is considered expired and an HTTP 403 error is returned.
  2. Construct sstring (sstring = "KeyFilenameTimestamp", where Key is the primary KEY or the backup KEY), compute HashValue with the md5 algorithm, and compare it with the Md5hash carried in the client request. If they match, authorization passes and the file is returned; otherwise, authorization fails and an HTTP 403 error is returned.

Example Description

  1. Original URL: http://opencdn.example.com/test.flv
  2. Set the key: bdcloud666 (set by the user).
  3. Set the valid time: 1800 s (set by the user).
  4. The customer sets the timestamp to 5955b0a0 (hexadecimal format), meaning 10:00:00 on June 30, 2017.
  5. The customer concatenates sstring: "bdcloud666/test.flv5955b0a0"
  6. Compute md5hash = md5sum("bdcloud666/test.flv5955b0a0") = 34f55132617957ab98d86c4342a1f394 from the sstring.
  7. The encrypted URL generated is:
     • Format I: http://opencdn.example.com/34f55132617957ab98d86c4342a1f394/5955b0a0/test.flv
     • Format II: http://opencdn.example.com/test.flv?md5hash=34f55132617957ab98d86c4342a1f394&timestamp=5955b0a0
  8. The client uses the encrypted URL in either format to access the CDN node, which verifies Timestamp and Md5hash. The file is returned if the verification passes; otherwise, authorization fails and an HTTP 403 error is returned.
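The following Python is an added example, not Baidu's own code: it generates Class A, Class B and Class C (format I) URLs exactly as the three sstring rules above describe, and implements the edge-side verification steps (expiry check, then hash comparison against both the primary and the backup KEY, with malformed or tampered URLs rejected). It assumes decimal or hexadecimal timestamps as configured in the console (the YYYYMMDDHHMM form of Class B is not handled) and uses constructed sample values.

```python
# Added example, not Baidu's own code; all sample values are constructed.
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def sign_a(filename: str, ts: str, key: str, rand: str = "0", uid: str = "0") -> str:
    """Class A: Filename?auth_key=Timestamp-Rand-Uid-md5(Filename-Timestamp-Rand-Uid-Key)."""
    h = md5hex(f"{filename}-{ts}-{rand}-{uid}-{key}")
    return f"{filename}?auth_key={ts}-{rand}-{uid}-{h}"


def sign_b(filename: str, ts: str, key: str) -> str:
    """Class B: /Timestamp/md5(KeyTimestampFilename)/Filename."""
    return f"/{ts}/{md5hex(key + ts + filename)}{filename}"


def sign_c(filename: str, ts: str, key: str) -> str:
    """Class C, format I: /md5(KeyFilenameTimestamp)/Timestamp/Filename."""
    return f"/{md5hex(key + filename + ts)}/{ts}{filename}"


def verify(mode: str, url: str, keys: list, now: int, valid: int = 0, base: int = 10) -> int:
    """Edge-side check; returns 200 or 403 as the page describes.
    keys: [primary KEY, backup KEY]; base: console time format (10 or 16)."""
    parts = urlsplit(url)
    path = parts.path
    try:
        if mode == "A":
            ts, rand, uid, h = parse_qs(parts.query)["auth_key"][0].split("-", 3)
            expires = int(ts, base)  # Class A carries the expiry time itself
            cands = [md5hex(f"{path}-{ts}-{rand}-{uid}-{k}") for k in keys]
        elif mode == "B":
            _, ts, h, rest = path.split("/", 3)
            expires = int(ts, base) + valid  # Timestamp + valid time
            cands = [md5hex(k + ts + "/" + rest) for k in keys]
        elif mode == "C":
            _, h, ts, rest = path.split("/", 3)
            expires = int(ts, base) + valid
            cands = [md5hex(k + "/" + rest + ts) for k in keys]
        else:
            return 403
    except (KeyError, ValueError):
        return 403  # missing or malformed authorization fields
    if expires < now:
        return 403  # step 1: expired
    # step 2: the hash must match the value computed with the primary or the backup KEY
    return 200 if any(hmac.compare_digest(h.encode(), c.encode()) for c in cands) else 403
```

Because Class A splits auth_key on "-", a Rand or Uid containing a hyphen would shift the fields, which is why the page forbids it.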

Configure URL authorization

1. Log into the CDN Management Console and enter the "Content Delivery Network (CDN)" page.

2. Click Domain Name Management in the left navigation bar.

3. On the domain name management page, click Management in the operation column of the target domain name.

4. On the "CDN Domain Name Details" page, select the Access Control tab in the navigation bar at the top of the page.

5. On the access control page, click Edit in the Advanced Authentication settings module.

6. Select Enable for the authorization configuration, and configure the following parameters:

Parameter | Description
Type selection | There are three authentication types: A type authentication, B type authentication and C type authentication; select one as required.
Primary KEY/backup KEY |
  • The authentication KEY consists of a primary KEY and a backup KEY. The primary KEY must be set; the encrypted URL is generated with it to restrict user access.
  • When you need to replace the key and want the old and new keys to be effective at the same time, set a backup KEY.
  • A request authenticated with either the primary KEY or the backup KEY is accepted. The backup KEY is optional, and its format is the same as the primary KEY.
  • The key consists of uppercase and lowercase letters and digits, with a length of 6 to 32 characters.
Time format | Select hexadecimal or decimal.
Valid period | Validity period of the encrypted URL, used when generating the authorized URL, in seconds; an integer from 0 to 100000000.


7. After clicking Save, you can see in the advanced authorization module that authorization has been configured successfully. A message indicating that "the configuration has been updated successfully, and will take effect in about five minutes" appears on the page.

Note:

  • After enabling the advanced hotlink protection feature, URLs can be encrypted with the authentication KEY set by the user to protect origin server resources.
  • The authentication calculator generates an authentication URL from the selected type and the entered parameters. You can use it to check the configuration result and verify that the generated URL is valid.

PHP Demo Code for the Three Advanced Authorization Modes

CDN provides the following three PHP demos for advanced authorization.

When authorization fails, CDN returns a 404 response code to the client and indicates the type of error in a response header, for example: X-Error-Info: typeA.

Class A authorization mode

<?php
// Class A demo: auth_key = Timestamp-Rand-Uid-md5(Filename-Timestamp-Rand-Uid-Key)
function demoA() {
    $time = strtotime("+3 hours");   // expiry time in seconds since 1970-01-01 (decimal)

    $key      = "key1234";           // primary or backup KEY configured in the console
    $domain   = "http://test.cdn.bce.com";
    $filename = "/dir/index.html";

    // $sstring = "$filename-$time-$rand-$uid-$key", with rand = 0 and uid = 0
    $sstring  = $filename."-".$time."-0-0-".$key;
    $md5      = md5($sstring);
    $auth_key = "auth_key=".$time."-0-0-".$md5;
    $url      = $domain.$filename."?".$auth_key;

    // echo "md5_src_string: \t".$sstring."\n";
    echo "request_url: \t\t".$url."\n";
}

demoA();

Class B authorization mode

<?php
// Class B demo: /Timestamp/md5(KeyTimestampFilename)/Filename, Timestamp in YYYYMMDDHHMM
function demoB() {
    // the timestamp is the signing time; the console's valid time is added to it at the edge
    $dt   = new DateTime("now", new DateTimeZone('Asia/Chongqing'));
    $time = $dt->format("YmdHi");

    $key      = "key1234";           // primary or backup KEY configured in the console
    $domain   = "http://test.cdn.bce.com";
    $filename = "/dir/index.html";

    // $sstring = "$key$time$filename"
    $sstring = $key.$time.$filename;
    $md5     = md5($sstring);
    $url     = $domain."/".$time."/".$md5.$filename;

    // echo "md5_src_string: \t".$sstring."\n";
    echo "request_url: \t\t".$url."\n";
}

demoB();

Class C authorization mode

<?php
// Class C demo: md5(KeyFilenameTimestamp) with a hexadecimal Timestamp, in both URL formats
function demoC() {
    $time = dechex(time());          // signing time as hexadecimal seconds since 1970-01-01

    $key      = "key1234";           // primary or backup KEY configured in the console
    $domain   = "http://test.cdn.bce.com";
    $filename = "/dir/index.html";

    // $sstring = "$key$filename$time"
    $sstring = $key.$filename.$time;
    $md5     = md5($sstring);
    $url1    = $domain."/".$md5."/".$time.$filename;                       // format I
    $url2    = $domain.$filename."?md5hash=".$md5."&timestamp=".$time;     // format II

    // echo "md5_src_string: \t".$sstring."\n";
    echo "request_url type1: \t".$url1."\n";
    echo "request_url type2: \t".$url2."\n";
}

demoC();