tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Content Delivery Network
    Documentation
    Download PDF

    TypeA

    Last updated: 2024-12-30 21:35:22
    Download PDF
      You can add authentication to prevent hotlinking of your website. Tencent Cloud supports Type A, B, C and D authentication. This document describes details of Type A authentication.

      Algorithm Description

      Access URL formathttp://DomainName/Filename?sign=timestamp-rand-uid-md5hash
      Note:
      The access URL cannot contain any Chinese characters.
      Description of authentication fields
      Field
      Description
      DomainName
      CDN domain.
      Filename
      Resource access path. During authentication, `Filename` must start with a slash (/).
      timestamp
      The time when the server generates the authentication URL. It is a positive hex integer Unix timestamp, which is the total number of seconds between 00:00:00, January 1, 1970, UTC time and the URL generation time. Its definition is irrelevant to the time zone.
      rand
      A random string consisting 0-100 characters ([0-9], [a-z], [A-Z]).
      uid
      User ID (not in use), which defaults to 0.
      md5hash
      A string containing 32 characters calculated based on the MD5 algorithm. It is calculated as follows:
      md5hash = md5sum(uri-timestamp-rand-uid-pkey).
      uri: It is the resource access path and must start with a slash (/).
      timestamp: Its value is the above timestamp.
      rand: Its value is the above rand.
      uid: Its value is the above uid.
      pkey: It can contain 6 to 40 letters and digits. It should be kept private and disclosed to only the client and server.
      Authentication logic description After the CDN server receives a user request, it parses the timestamp parameter in the URL and the validity period of the authentication URL and compares it with the current time.
      1.1 If the sum of timestamp and the validity period of the authentication URL is before the current time, the server judges that the URL has expired and is invalid and returns the HTTP error code 403.
      1.2 If the sum of timestamp and the validity period of the authentication URL is after the current time, the server uses the MD5 algorithm to calculate the value of md5hash and it with the md5hash value passed in by the URL. If they are the same, the request will pass the authentication; otherwise, the HTTP error code 403 will be returned.

      Configuration Directions

      Here we take Type-A authentication as an example.
      Field configuration
      Authentication key: dimtm5evg50ijsx2hvuwyfoiu65
      Signature parameter: sign
      Validity period of the authentication URL: 1s
      
      
      
      The time when the signature calculation server generates the authentication URL: 2020-02-27 16:10:32 (UTC+8). Its decimal integer value after conversion is 1582791032 (timestamp).
      Requested origin address: http://www.mixcre.com/test/1.jpg
      Generation process
      Get authentication parameters:
      Parameter
      Value
      URI
      Resource access path, which is /test.jpg.
      timestamp
      1582791032
      rand
      Generate a random string: im1acp76sx9sdqe601v
      uid
      Set it to 0
      pkey
      dimtm5evg50ijsx2hvuwyfoiu65
      Concatenate the signature string: /test.jpg-1582791032-im1acp76sx9sdqe601v-0-dimtm5evg50ijsx2hvuwyfoiu65
      Calculate the MD5 value of the signature string: md5hash =md5sum(uri-timestamp-rand-uid-pkey)= md5sum(/test.jpg-1582791032-im1acp76sx9sdqe601v-0-dimtm5evg50ijsx2hvuwyfoiu65) = 3fbb88382c9356b6faaf9d68c7b2ae3a
      Generate the authentication URL:http://www.mixcre.com/test/1.jpg?sign=1682234383-YES3WZ57u91G3zA1YYzh5Y3aIy6U2i0K-0-57b80424b3e6f9da4027fe13c00c44a7 When the client uses the encryption URL for access, if the md5hash value calculated by the CDN server is the same as the md5hash value carried by the access request, which are both 3fbb88382c9356b6faaf9d68c7b2ae3a in this example, the request will pass the authentication; otherwise, the authentication will fail.

      Notes

      Cache hit rate
      For domain names using TypeA authentication mode, the access URL will carry the authentication parameter. When a CDN node caches the resource, the corresponding parameter will be ignored and thus will not affect the cache hit rate.
      Note:
      As the authentication parameter will be automatically ignored, the cache keys of the files to be authenticated will be affected, and the priority here is higher than the cache key rules in Cache Configuration > Cache Key Rule Configuration. For example, the Type A configuration here is as: "Authentication Parameter: sign"; "Authentication Scope: jpg"; then the sign parameter will be automatically ignored for JPG files even though the configuration is as "All Files: Not Ignore" in Cache Configuration -> Cache Key Rule Configuration.
      Origin-pull policy
      The access format of a domain name with Type A authentication mode enabled is as follows: http://DomainName/Filename?sign=timestamp-rand-uid-md5hash
      If the CDN node is not hit after successful authentication, it will initiate an origin-pull request, which is in the same format as the access request with the sign parameter retained. The origin server can ignore it or perform authentication again as needed.
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2025 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy