Help & Documentation>Content Delivery Network>Configuration Guide>Configuration Management>Access Control>Authentication Configuration>Configuration Instructions

Configuration Instructions

Last updated: 2024-12-31 17:34:31

On this page:

Configuration Scenario

Generally, contents delivered over CDN are public resources by default, which can be accessed by users with URLs. To prevent malicious users from hotlinking your content for profit, you can configure advanced timestamp authentication in addition to access control policies such as referer blocklist/allowlist, IP blocklist/allowlist, and IP access frequency limit.
Note
After timestamp hotlink protection is configured, the client needs to calculate the signature as configured and carry it to the server when initiating a request. The CDN node will authenticate the signature on the server, which will pass only after successful authentication.

Configuration Guide

Viewing Configuration

Log in to the CDN console, select Domain Management from the menu bar, click Management on the right side of the domain name to enter the domain configuration page. In Access Control, you can see the authentication configuration, which is in closed status by default:



Modify

1. Modify the configuration

CDN provides four authentication signature calculation methods for you to choose from. You can also use the authentication calculator above to view different authentication modes and the final effect after configuration. For specific algorithm descriptions, please refer to the algorithm documentation for TypeA, TypeB, TypeC, and TypeD:



2. Disable the configuration

You can toggle the authentication configuration switch to disable this feature. When the switch is off, any existing configuration will not take effect in the production environment. If you toggle the switch on, a message will be displayed asking for your confirmation before the configuration takes effect across the entire network:



3. Add a region-specific configuration

If your acceleration domain name is configured for global acceleration and you want to configure different authentication settings for acceleration in and outside the Chinese mainland, you can click [Add Special Configuration] below the configuration to set it up.


Note
Currently, an added region-specific configuration can only be disabled but not deleted.

Configuration Example

Suppose the domain name cloud.tencent.com is configured for global acceleration and the authentication configuration is as follows:

The actual effect will be as follows:
1. When users within China access the resource http://cloud.tencent.com/1.jpg, if the global default configuration is off and the special configuration for the region is only on for outside China, the configuration within China will not have an authentication effect. Users can directly initiate the request, the current request will be effective, and the correct file will be returned.
2. When users outside China access the resource http://cloud.tencent.com/1.jpg, since the current authentication mode for outside China is TypeC, the correct format of the request URL should be http://cloud.tencent.com/509301d10da7b862052927ed7a947f43/5e561139/1.jpg. If users request using this URL, the correct file content will be returned; otherwise, the access request will be denied.

Sample code

The following is the authentication calculation method with the Demo for Python as an example:
import requests
import json
import sys
import time
import hashlib

def generate_url(category, ts=None):
    url = 'http://www.test.com'              # Test domain name
    path = '/1.txt'                                     # Access path
    suffix = '?a=1&b=2'                                 # URL parameter
    key = 'abc123456789'                                # authentication key
    now = int(time.mktime(time.strptime(ts, "%Y%m%d%H%M%S")) if ts else time.time())                # If a ts is entered, it will be used; otherwise, the current ts will be used
    sign_key = 'key'                                    # URL signature field
    time_key = 't'                                      # URL time field
    ttl_format = 10                                     # Time format. Valid values: 10, 16. This is supported only for type D
    if category == 'A':                                 #Type A
        ts = now
        rand_str = '123abc'
        sign = hashlib.md5('%s-%s-%s-%s-%s' % (path, ts, rand_str, 0, key)).hexdigest()
        request_url = '%s%s?%s=%s' % (url, path, sign_key, '%s-%s-%s-%s' % (ts, rand_str, 0, sign))
        print(request_url)
    elif category == 'B':                               #Type B
        ts = time.strftime('%Y%m%d%H%M', time.localtime(now))
        sign = hashlib.md5('%s%s%s' % (key, ts, path)).hexdigest()
        request_url = '%s/%s/%s%s%s' % (url, ts, sign, path, suffix)
        print(request_url)
    elif category == 'C':                               #Type C
        ts = hex(now)[2:]
        sign = hashlib.md5('%s%s%s' % (key, path, ts)).hexdigest()
        request_url = '%s/%s/%s%s%s' % (url, sign, ts, path, suffix)
        print(request_url)
    elif category == 'D':                               #Type D
        ts = now if ttl_format == 10 else hex(now)[2:]
        sign = hashlib.md5('%s%s%s' % (key, path, ts)).hexdigest()
        request_url = '%s%s?%s=%s&%s=%s' % (url, path, sign_key, sign, time_key, ts)
        print(request_url)


if __name__ == '__main__':
    if len(sys.argv) == 1:
        print('usage: python generate_url.py A 20200501000000')
    args = sys.argv[1:]
    generate_url(*args)

中国站 - English