Mode A and Mode B
Last update:2024-05-20 11:28:21
This document provides a detailed explanation of Authentication Mode A and B, along with instructions on how to use them.
Authentication URL Structure
We provide Authentication Modes A and B, which allow embedding authentication information directly into the URL path. Here are the URL formats for these two modes:
Authentication Mode A
http://domain/<time>/<key>/uri
Authentication Mode B
http://domain/<key>/<time>/uri
In these URL structures, <key> and <time> are the authentication parameters. The CDN edge server verifies this information to determine whether to serve the requested content based on the verification results. Please not that the order of <key> and <time> in Modes A and B is fixed and cannot be altered.
The symbols
<>indicate the positions of the authentication parameters. These symbols will not appear in the actual URL.
Explanation of Fields in the Authentication URL
| Field | Description |
|---|---|
| domain | The domain you have added for the CDN. |
| time | The timestamp in the authentication URL, indicating when the URL was generated. The CDN edge server uses this timestamp to determine if the URL is still valid. If the current time surpasses the valid period of the URL, the content will not be served. The time value must follow the predetermined timestamp format; otherwise, authentication will fail. For the supported time stamp formats, see the Time Format section of this document. |
| key | The encrypted signature used for authentication verification, typically generated by combining the time stamp, an encryption key (ourkey), and the actual path (uri). For details on how this authentication parameter is computed, refer to the Signature Calculation Parameters section of this document. |
| uri | The actual path of the URL requesting content from the CDN. For instance, if the original request URL is http://cdnetworks.com/browse/index.html, then the uri would be /browse/index.html. If the request URL includes query parameters (e.g., /browse/index.html?user=123), the uri should only contain the path of the requested object, excluding the query string |
How the Authentication Works on CDN Edge Servers
When the CDN edge server receives a request, it first verifies whether the timestamp time in the authentication URL has expired:
- If the timestamp
time, plus the valid duration, is less than the current time, the URL is considered expired, access is denied, and an HTTP 403 error is returned. - Conversely, if the timestamp
time, plus the valid duration, meets or exceeds the current time current time, the CDN edge server will consider the URL valid. It then calculates the expected authentication signature(key) expected for the request URL and compares it with the signature in the request. If they match, authentication succeeds, and server fulfills the content request; otherwise, the request is denied, and an HTTP 403 error is returned.
How to Configure Mode A and Mode B
In the Authentication Modes settings, choose Mode A or Mode B as needed. The following sections explain the purpose and method for each configuration field.
Authentication Key ($ourkey)
The Authentication Key ($ourkey) is a unique string used to generate the authentication signature key in the URL. This ourkey, shared only between you and our CDN servers, enhances security by making the authentication parameters difficult for unauthorized parties to crack. You can set multiple ourkey values in the console, separated by semicolons (;).
When multiple ourkey values are configured, the CDN edge server will use them in order to authenticate requests. If the first ourkey fails, the server will try the next one, and so on, until a valid key is found or all keys fail validation.
Time Format
For constructing an authentication URL, the time field offers five optional formats to accommodate diverse requirements:
| Timestamp Format | Description |
|---|---|
| Decimal Unix Timestamp | E.g., 1586338211 represents April 8, 2020, 17:30:11 UTC. |
| Hexadecimal Unix Timestamp | E.g., 5e8e2463 represents 1586338211 in hexadecimal. |
| Millisecond-level Unix Timestamp | E.g., 1586338211000 represents the same point in time. |
| YYYYMMDDHHMMSS | E.g., 20200408173011 represents April 8, 2020, 17:30:11. |
| YYYYMMDDHHMM | E.g., 202004081730 represents April 8, 2020, at 17:30. |
Signature Calculation Algorithm
The signature key is generated using an encryption algorithm. By default, we use the MD5 algorithm. If you need a different encryption algorithm for enhanced security, please contact our technical support team for assistance.
Signature Calculation parameters
To generate the authentication signature key, you can optionally include the following parameters: time, ourkey, and uri. For detailed explanations of these fields, refer to the previous document Explanation of Fields in the Authentication URL.
In the process of constructing the encrypted string key, you can choose to include one or more of the above parameters and specify their combination order. For example, if you choose $uri$ourkey$time as the combination order, it means:
- The URL request address (
uri) is the starting part; - Followed by the custom encryption key (
ourkey); - And finally, the timestamp (
time).
For example, with the URL http://cdnetworks.com/browse/index.html, an ourkey of cdnetworks, and a time of 202405131620, the generated unencrypted string key will be /browse/index.htmlcdnetworks202405131620.
Valid Time (Seconds)
We offer three methods to configure the valid time for authentication information:
- Upper Limit of Validity Period: Enter a non-negative integer (e.g.,
60) to set the maximum validity period in seconds after thetimefield. For instance, entering60means the authentication information remains valid for one minute following thetimefield in the request URL. - Upper and Lower Limits of Validity Period: Enter two comma-separated values. The first value is the number of seconds before the timestamp (≤0), and the second value is the number of seconds after the timestamp (≥0). For example,
-60,60means the authentication information is valid from one minute before to one minute after the timestamp. - No Validity Period Validation: Enter a minus sign (
-) to disable validity period checks.
The positions of key and time are interchangeable
This option determines whether to allow the interchange of the key and time positions in the request URL. However, in Mode A or Mode B, the positions of key and time are fixed and MUST follow the specified order. Therefore, this configuration item is NOT applicable in Modes A and B.
Quick Verify if the URL Authentication Configuration is Correct
To avoid errors affecting your online business, it is advisable to initially deploy the configuration to a test environment. Once the configuration is verified as accurate, it can then be officially implemented in the live environment. For details on deploying configurations to a test environment, refer to the tutorial Deploy the Configurations to Staging Environment for Validation.
Additionally, you can use the Timestamp Anti-Hotlinking Calculator available on the CDN console to generate URL authentication parameters and quick verify your configuration. Visit the document Authentication URL Generator for more details.