URL authentication, a security protection function that is more advanced than Referer hotlink protection. It can be used to protect the files with a high security level.

URL authentication allows users to verify the identity of specific URLs based on the designated signatures. It adds signature strings and timestamps to URLs to enhance access control, which effectively protects resources on your origin server from illegal downloads and misuse.

To enable URL Authentication of AgileCDN, you can follow the steps below.

Tips: Advanced Configuration Model supports URL Authentication.

Step 1. Log in to AgileCDN dashboard.

Step 2. Choose CDN Management, select the Advanced Configuration Model and click Modify.


Step 3. Switch to Behaviors and click Create URL Authentication.

Step 4. In the Create URL Authentication window, input the Path(e.g. /images/head.jpg or /images/*), select the origin or origin group and click OK. Then, click Submit.

Tips: It will take about 8 to 15 minutes for the URL Authentication function to take effect.


Step 5. Choose the URL Authentication behavior and click Modify.

Step 6. In the Update URL Authentication window, click Auth Calculator.

Tips: In the Update URL Authentication window, you can check the Public Key ID and Private Key.


Step 7. Input the original URL, set the expire time and click Generate to obtain an Authentication URL and a Timestamp.


Principle of authentication URL generation

Example signed URL:

http://d111111abcdef8.agilewing.net/image.jpg ? color=red&size=medium&

Expires=1357034400&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-5jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6&Key-Pair-Id=K2JCJMDEHXQW5F

Required Parameters:

Expires: expiration date and time(in the form of timestamp).

Key-Pair-Id: Public Key ID obtained from the AgileCDN dashboard.

Signature:the string of signed URL.

Here, “color” and “size” are the custom parameters of URL path.

A policy statement for a signed URL

{

   "Statement": [

       {

           "Resource": "http://d111111abcdef8.agilewing.net/horizon.jpg?size=large&license=yes",

           "Condition": {

               "DateLessThan": {

                   "AWS:EpochTime": 1357034400

               }

           }

       }

   ]

}


Values that you specify in the policy statement for a signed URL that uses a canned policy

Resource:

The base URL including your query strings, if any, but excluding the Expires, Signature, and Key-Pair-Id parameters, for example:

http://d111111abcdef8.agilewing.net/images/horizon.jpg?size=large&license=yes

DateLessThan

The expiration date and time for the URL in Unix time format (in seconds) and Coordinated Universal Time (UTC). For example, January 1, 2013 10:00 am UTC converts to 1357034400 in Unix time format.

This value must match the value of the Expires query string parameter in the signed URL.

To create the value for the Signature parameter in a signed URL, you hash and sign the policy statement that you created in Creating a policy statement for a signed URL that uses a canned policy.

1. Use the SHA-1 hash function and RSA to hash and sign the policy statement that you created in the procedure To create the policy statement for a signed URL that uses a canned policy. Use the version of the policy statement that no longer includes white space.

Tips: The private key needed in SHA-1 hash function is the privateKey.pem shown in the Update URL Authentication window(Step 6 above).

Note:

The method that you use to hash and sign the policy statement depends on your programming language and platform.

2. Remove white space (including tabs and newline characters) from the hashed and signed string.

3. Base64-encode the string using MIME base64 encoding.

4. Replace characters that are invalid in a URL query string with characters that are valid. The following table lists invalid and valid characters.

Replace these invalid charactersWith these valid characters
+- (hyphen)
=_(underscore)
/~(tilde)

5. Append the resulting value to your signed URL after &Signature=, and return to “To create a signed URL using a canned policy” to finish concatenating the parts of your signed URL.