Mode A and Mode B

This document provides a detailed explanation of Authentication Mode A and B, along with instructions on how to use them.

Authentication URL Structure

Modes A and B allow you to embed authentication information directly into the URL path for CDN. This method helps secure your content by ensuring that only authorized users can access it.

Authentication Mode A

The URL format for Authentication Mode A is as follows:

http://domain/<time>/<key>/uri

Authentication Mode B

The URL format for Authentication Mode B is as follows:

http://domain/<key>/<time>/uri

In these URL structures, <key> and <time> are the authentication parameters. The CDN edge server verifies this information to determine whether to serve the requested content based on the verification results. Please note that the order of <key> and <time> in Modes A and B is fixed and cannot be altered.

The symbols <> in the URL structures indicate the positions of the authentication parameters. These symbols are not part of the actual URL.

Explanation of Fields in the Authentication URL

The authentication URL consists of the following fields:

How the Authentication Works on CDN Edge Servers

When a CDN edge server receives a request with embedded authentication parameters, it performs the following steps:

1. Timestamp Validation: The server first checks if the timestamp (time) in the URL has expired.

   • If time + valid duration < current time, the URL is considered expired. Access is denied, and an HTTP 403 Forbidden error is returned.
   • If time + valid duration ≥ current time, the URL is considered valid.

2. Signature Verification: If the timestamp is valid, the CDN edge server calculates the expected authentication signature based on the configured encryption key (ourkey), the timestamp (time), and the requested URI (uri). It then compares this calculated signature with the key provided in the URL.

   • If the calculated signature matches the signature in the request, authentication is successful, and the CDN edge server serves the requested content.
   • If the signatures do not match, authentication fails. Access is denied, and an HTTP 403 Forbidden error is returned.

How to Configure Mode A and Mode B

In the Authentication Modes settings, choose Mode A or Mode B as needed. The following sections explain the purpose and method for each configuration field.

Authentication Key ($ourkey)

The Authentication Key ($ourkey) is a secret string that is used to generate the authentication signature (key) in the URL. This key is shared only between you and the CDN servers, providing an extra layer of security by making it difficult for unauthorized users to generate valid authentication parameters.

• You can configure multiple $ourkey values in your CDN console, separated by semicolons .
• When multiple keys are configured, the CDN edge server will attempt to authenticate the request using each key in the order they are listed. If authentication fails with the first key, the server will try the next one, and so on, until a valid key is found or all keys have been attempted.

Time Format

When constructing an authentication URL, the time field must adhere to one of the following supported formats:

Signature Calculation Algorithm

The authentication signature (key) is generated using an encryption algorithm. By default, the MD5 algorithm is used. For enhanced security, you can request a different encryption algorithm by contacting our technical support team.

Signature Calculation Parameters

To generate the authentication signature (key), you will typically use the following parameters:

• time: The timestamp.
• ourkey: Your secret authentication key.
• uri: The requested content path.

When constructing the string to be encrypted, you can choose to include one or more of these parameters and specify their order of combination.

• Example: If you configure the combination order as $uri$ourkey$time, the unencrypted string will be formed by concatenating the uri, followed by the $ourkey, and then the time.

  • For the URL http://cdnetworks.com/browse/index.html, with an $ourkey of cdnetworks, and a time of 202405131620, the generated unencrypted string would be /browse/index.htmlcdnetworks202405131620. This string would then be passed through the configured encryption algorithm (e.g., MD5) to generate the final signature (key).

Valid Time (Seconds)

You can configure the validity period for the authentication information using one of the following methods:

• Upper Limit of Validity Period: Enter a non-negative integer to set the maximum validity period in seconds after the timestamp (time) in the URL.
  • Example: Entering 60 means the authentication information will be valid for one minute after the time specified in the URL.
• Upper and Lower Limits of Validity Period: Enter two comma-separated integer values. The first value represents the number of seconds before the timestamp (must be ≤ 0), and the second value represents the number of seconds after the timestamp (must be ≥ 0).
  • Example: Entering -60,60 means the authentication information will be valid from one minute before to one minute after the timestamp.
• No Validity Period Validation: Enter a minus sign (-) to disable validity period checks.

The positions of key and time are interchangeable

The option to interchange the positions of key and time in the request URL is not applicable to Authentication Modes A and B. In these modes, the positions of key and time are fixed and must follow the specified order.

Quick Verify if the URL Authentication Configuration is Correct

To ensure your authentication configuration is correct and to avoid potential disruptions to your online services, it is highly recommended to initially deploy the configuration to a test environment. Once you have verified its accuracy, you can then implement it in your live production environment.

• For detailed instructions on deploying configurations to a test environment, please refer to the document: Deploy the Configurations to Staging Environment for Validation.

Additionally, you can utilize the Timestamp Anti-Hotlinking Calculator available in your CDN console. This tool allows you to generate URL authentication parameters and quickly verify your configuration.

• For more information on the calculator, please refer to the document: Authentication URL Generator.