To protect your site resources from being downloaded or stolen by unauthorized users, you can choose an authentication method from Types A, B, C, and D as needed. This document describes parameter fields and their purposes in TypeC authentication.
Access URL format
The access URL cannot contain any Chinese characters.
Description of authentication fields
|Resource access path. During authentication, `Filename` must start with a slash (
|The time when the server generates the authentication URL. It is a positive hex integer Unix timestamp, which is the total number of seconds between 00:00:00, January 1, 1970, UTC time and the URL generation time. Its definition is irrelevant to the time zone.
|A string containing 32 characters calculated based on the MD5 algorithm. It is calculated as follows:
• There are no symbols between parameters in `md5hash = md5sum(pkeytimestampuri)`.
• pkey: It can contain 6–40 letters and digits. It should be kept private and disclosed to only the client and server.
• uri: It is the resource access path and must start with a slash (/).
• timestamp: Its value is the above `timestamp`.
Authentication logic description
After the CDN server receives a user request, it parses the
timestamp parameter in the URL and the validity period of the authentication URL and compares it with the current time.
timestamp and the validity period of the authentication URL is before the current time, the server judges that the URL has expired and is invalid and returns the HTTP error code 403.
timestamp and the validity period of the authentication URL is after the current time, the server uses the MD5 algorithm to calculate the value of
md5hash and it with the
md5hash value passed in by the URL. If they are the same, the request will pass the authentication; otherwise, the HTTP error code 403 will be returned.
Taking the configuration of TypeC authentication as an example, the parameters and console configuration items are configured as follows:
Authentication key: dimtm5evg50ijsx2hvuwyfoiu65
Validity period of the authentication URL: 1s
The time when the signature calculation server generates the authentication URL: 2020-02-27 16:10:32 (UTC+8). Its decimal integer value after conversion is
Requested origin address:
|Resource access path, which is `/test.jpg`.
Generate the authentication URL:
When the client uses the encryption URL for access, if the
md5hash value calculated by the CDN server is the same as the
md5hash value carried by the access request, which are both
ea68b93ac23ebbc6eebf7f163c6e9c4c in this example, the request will pass the authentication; otherwise, the authentication will fail.
Cache hit rate
If you have enabled TypeC authentication for a domain, the signature and timestamp will be carried in the access URL path. When a CDN node caches the resource, it will automatically ignore the authentication path and thus not affect the cache hit rate.
The access format of a domain name with TypeC authentication mode enabled is as follows:
If the CDN node is not hit after successful authentication, it will initiate an origin-pull request, in which the
timestamp will be removed from the path. The origin server does not need to process the authentication information.