tencent cloud


How to Use Key Hotlink Protection

Last updated: 2022-12-16 14:16:08


    Demo features

    This demo describes how to use the key hotlink protection mechanism of VOD, including enabling key hotlink protection in the console, building a hotlink protection signature distribution service, and playing back a video with a hotlink protection signature.

    Architecture and process

    An HTTP service is built based on SCF in the demo to receive the requests for getting hotlink protection signatures from clients. It gets the original URL of a video in VOD from the request body, calculates a signature, and returns the URL with the signature to the client.

    The system mainly involves four components: developer (you), API Gateway, SCF, and VOD. Here, API Gateway and SCF are the deployment objects of this demo as shown below:

    The specific business process is as follows:

    1. Get the original URL of the video in the VOD console (in the actual production environment, it should be the player that requests the video URL from the business backend; to simplify the process, this document takes your operation as an example to simulate such business behavior here).
    2. Use the original URL of the video to request a hotlink protection signature from SCF.
    3. Use the video URL with the hotlink protection signature to request VOD CDN to play back the video.

    The SCF code in the demo is developed based on Python 3.6. SCF also supports other programming languages such as Python 2.7, Node.js, Go, PHP, and Java for your choice as needed. For more information, please see Development Guide.


    The VOD key hotlink protection signature distribution service demo provided in this document is open-source and free of charge, but it may incur the following fees during service building and use:

    • Fees for purchasing a Tencent Cloud CVM instance to run the service deployment script. For more information, please see Instance Billing Modes.
    • Fees for using signature distribution service provided by SCF. For more information, please see Billing Mode and Free Tier.
    • Fees for using Tencent Cloud API Gateway to provide public network APIs for SCF. For more information, please see Billing Overview.
    • Fees for VOD storage of uploaded videos.
    • VOD storage space will be taken up by uploaded videos. For more information, please see Video Storage Pricing.

    Step 1. Prepare a CVM instance

    The deployment script needs to be executed on a CVM instance meeting the following requirements:

    • Region: not limited.
    • Model: the minimum official configuration (1 CPU core and 1 GB memory) is sufficient.
    • Public network: a public IP is required, and the bandwidth should be at least 1 Mbps.
    • Operating system: official public image Ubuntu Server 16.04.1 LTS 64-bit or Ubuntu Server 18.04.1 LTS 64-bit.

    For detailed directions on how to purchase a CVM instance and reinstall the system, please see Operation Guide - Creating Instances via CVM Purchase Page and Operation Guide - Reinstalling System, respectively.


    • The key hotlink protection signature distribution service demo itself does not depend on CVM but only uses CVM to run the deployment script.
    • If you do not have a CVM instance satisfying the above conditions, you can also run the script on another Linux (such as CentOS or Debian) or macOS server with public network access, but you need to modify certain commands in the deployment script based on the operating system. Please search for the specific modification method by yourself.
    1. Activate the VOD service as instructed in Getting Started - Step 1.
    2. After activation, enable key hotlink protection as instructed in Setting Hotlink Protection and record the hotlink protection key:

      Here, enable key hotlink protection instead of referer hotlink protection. If you enable referer hotlink protection at the same time, the request may fail as the test method below does not meet the corresponding requirements.

      Step 3. Get the API key and APPID

    Your API key (i.e., SecretId and SecretKey) and APPID are required for deploying and running the key hotlink protection signature distribution service demo.

    • If you have not created an API key yet, please generate one as instructed in Root Account Access Key. If you have already created a key, please get it as instructed in the same document.
    • You can view the APPID on the Account Information page in the console as shown below:

    Log in to the CVM instance prepared in step 1 as instructed in Logging into Linux Instance in Standard Login Method and enter and run the following command on the remote terminal:

    ubuntu@VM-69-2-ubuntu:~$ export SECRET_ID=AKxxxxxxxxxxxxxxxxxxxxxxx; export SECRET_KEY=xxxxxxxxxxxxxxxxxxxxx;export APPID=125xxxxxxx;export ANTI_LEECH_KEY=xxxx;git clone https://github.com/tencentyun/vod-server-demo.git ~/vod-server-demo; bash ~/vod-server-demo/installer/ anti_leech_sign_scf_en.sh

    Please assign the corresponding values obtained in step 3 to SECRET_ID, SECRET_KEY, and APPID in the command and assign the hotlink protection key obtained in step 2 to ANTI_LEECH_KEY.

    This command will download the demo source code from GitHub and automatically run the installation script. The installation process will take several minutes (subject to the CVM network conditions), during which the remote terminal will print the following information:

    [2020-06-04 15:57:10] Start checking npm.
    [2020-06-04 15:57:18] npm is successfully installed.
    [2020-06-04 15:57:18] Start installing ServerLess.
    [2020-06-04 15:57:19] ServerLess is successfully installed.
    [2020-06-04 15:57:20] Start deploying the VOD key hotlink protection signature distribution service.
    [2020-06-04 15:57:30] The deployment of the VOD key hotlink protection signature distribution service is completed.
    [2020-06-04 15:57:32] Service address: https://service-xxxxxxxx-125xxxxxxx.gz.apigw.tencentcs.com/release/anti_leech_sign

    Copy the address of the signature distribution service in the output log (which is https://service-xxxxxxxx-125xxxxxxx.gz.apigw.tencentcs.com/release/anti_leech_sign in this example).


    If the following warning is displayed in the output log, it is generally because the CVM instance cannot immediately parse the service domain name deployed just now. You can ignore this warning.

    > [2020-04-25 17:18:44] Warning: the key hotlink protection signature distribution service failed the test.

    Upload a test video to VOD as instructed in Uploading Video - Local Upload. After the video is uploaded, click Quick View and click Copy URL on the right to copy the video URL.

    On the command line on the CVM instance, run the curl command to try directly accessing this URL. The access will be rejected by the server for non-compliance with the key hotlink protection rule, and the HTTP return code will be 403 (during the test, please replace the URL in the command with the actual URL, which also applies below):

    ubuntu@VM-69-2-ubuntu:~$ curl -I "http://125xxxxxxx.vod2.myqcloud.com/f888c998vodcq125xxxxxxx/c849148f528xxxxxxxxxxxxxxxx/xxxxxxxxxx.mp4"
    HTTP/1.1 403 Forbidden
    Server: NWS_VP
    Connection: keep-alive
    Date: Thu, 04 Jun 2020 08:27:54 GMT
    Content-Type: text/plain
    Content-Length: 14

    On the command line on the CVM instance, run the curl command to request the URL with the hotlink protection signature from the service deployed in step 4 (-d means to initiate the request in POST method, and the carried parameter is the video URL):

    ubuntu@VM-69-2-ubuntu:~$ curl -d 'http://125xxxxxxx.vod2.myqcloud.com/f888c998vodcq125xxxxxxx/c849148f528xxxxxxxxxxxxxxxx/xxxxxxxxxx.mp4' https://service-xxxxxxxx-125xxxxxxx.gz.apigw.tencentcs.com/release/anti_leech_sign; echo

    Run the curl command again to access the URL with the hotlink protection signature obtained in the previous step, and the URL can be accessed normally (the HTTP return code will be 200):

    ubuntu@VM-69-2-ubuntu:~$ curl -I "http://125xxxxxxx.vod2.myqcloud.com/f888c998vodcq125xxxxxxx/c849148f528xxxxxxxxxxxxxxxx/xxxxxxxxxx.mp4?t=5ed8b8d2&exper=0&rlimit=0&us=455041&sign=fe6394007c2e7aef39fc70a02e897f69"
    HTTP/1.1 200 OK
    Server: tencent-cos
    Connection: keep-alive
    Date: Thu, 04 Jun 2020 08:37:17 GMT
    Last-Modified: Fri, 22 May 2020 15:06:15 GMT
    Content-Type: video/mp4
    Content-Length: 232952632
    Accept-Ranges: bytes
    ETag: "1da6be3a0d1da5edae4ff0b1feff02cf-223"
    x-cos-hash-crc64ecma: 16209801220610226954
    x-cos-request-id: NWVkOGIyYmVfZDUyMzYyNjRfYWMwMF85YjkyNzA=
    X-Daa-Tunnel: hop_count=4
    X-NWS-LOG-UUID: b404f43e-3c86-4c54-8a78-fb78e4e85cf2 add71e19fb08c6d9dbe1b21a2fb157bf
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Origin,No-Cache,X-Requested-With,If-Modified-Since,Pragma,Last-Modified,Cache-Control,Expires,Content-Type,X_Requested_With,Range
    Access-Control-Allow-Methods: GET,POST,OPTIONS
    Access-Control-Allow-Origin: *

    You can access the URL with the hotlink protection signature in a browser and verify the signature by playing back the video. However, this method has certain requirements for the video format. Generally, H.264-encoded .mp4 videos have high compatibility, which are recommended. You can also use a third-party tool such as Postman to send HTTP requests for test. Please search for the specific usage by yourself.

    System Design Description

    API protocol

    The key hotlink protection signature distribution function uses API Gateway to provide APIs. The specific API protocol is as detailed below:

    Service Function Name API Form Request Content Response Content
    Key hotlink protection signature distribution anti_leech_sign HTTP POST Original video URL URL with hotlink protection signature

    Signature distribution service code interpretation

    1. main_handler() is the entry function.

    2. Call parse_conf_file() and read the configuration information from the config.json file. The configuration items are as described below (for specific parameters, please see Key Hotlink Protection):

      Field Data Type Description
      key String Key hotlink protection key
      t Integer Signature validity period in seconds. When a request is being processed, this parameter plus the current time on the SCF server will be `t` in the hotlink protection parameters
      exper Integer Preview duration
      rlimit Integer Maximum number of client IPs that can access the signature
    3. Parse the Dir parameter from the request body, generate the t and us parameters locally, and read the exper and rlimit parameters from the configuration file:

            original_url = event["body"]
         parse_result = urlparse(original_url)
         directory = path.split(parse_result.path)[0] + '/'
         # Signature parameters
         timestamp = int(time.time())
         rand = random.randint(0, 999999)
         sign_para = {
             "t": hex(timestamp + configuration['t'])[2:],
             "exper": configuration['exper'],
             "rlimit": configuration['rlimit'],
             "us": rand
    4. Call generate_sign() to calculate the hotlink protection signature. For the specific algorithm, please see Key Hotlink Protection.

    5. Generate the QueryString and add it at the end of the original URL to concatenate a URL with the hotlink protection signature:

            sign_para["sign"] = signature
         query_string = urlencode(sign_para)
         new_parse_result = parse_result._replace(query=query_string)
         signed_url = urlunparse(new_parse_result)
    6. Return the signature. For the formats and descriptions of the returned data, please see Overview of API Gateway Trigger.

            return {
             "isBase64Encoded": False,
             "statusCode": 200,
             "headers": {"Content-Type": "text/plain; charset=utf-8",
                         "Access-Control-Allow-Origin": "*",
                         "Access-Control-Allow-Methods": "POST,OPTIONS"},
             "body": signed_url
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support