Introduction
The URL Signing option of CDN Static and CDN Static Push services allows you to protect your CDN content from unwanted downloads.
Token authentication
URL Signing is a token authentication. Only requests with a valid token (also referred as signature, secure or hash) are allowed to access your content. Moreover the token can contain its expiration time and allowed/denied IP addresses.
An example of CDN URL with token
http://12345.r.cdnsun.net/photo.jpeg?secure=DMF1ucDxtHCxwYQ
As you can see in the above example the token is added to the URL as a value of a query string parameter ?secure=.
Token expiration time use case
Token can contain its expiration time. Let's assume that you want to provide a CDN URL to your customer which can not be shared with public. For example the customer paid you for your content so you want to provide him a CDN URL to download the content but you don't want to allow him to share this CDN URL with everyone. Solution in this case is to provide him a CDN URL with token containing expiration time close to expiry (few seconds or minutes). Using this CDN URL he will be able to download your content but if he will share the CDN URL with public then it will not open access to your content because the CDN URL token will be expired. Please note that token is validated only at the beginning of a connection, it is not being validated during an ongoing connection.
How to enable URL Signing
URL Signing can be enabled during a CDN service creation (in advanced settings) or on the Services/Settings page.
Select "Enabled" from the URL Signing select box and generate a URL Signing Key as in the picture below.
How to generate token
To generate a token you can make use of our token generators below. Please note that anyone is welcome to contribute on our GitHub.
Java
Download our Java URL Signing function from the GitHub and follow instructions from the README.md file.
.NET
Download our .NET URL Signing function from the GitHub and follow instructions from the README.md file.
PHP
Download our PHP URL Signing function from the GitHub and follow instructions from the README.md file.
Ruby
Download our Ruby URL Signing function from the GitHub and follow instructions from the README.md file.
Python
Download our Python URL Signing function from the GitHub and follow instructions from the README.md file.
Bash
Download our Bash URL Signing function from the GitHub and follow instructions from the README.md file.
URL Signing and HLS streaming
Please refer here for more details on HLS streaming through a CDN Static service. Let's assume that you want to protect your CDN HLS stream http://12345.r.cdnsun.net/mystream/playlist.m3u8. Please remind that the token generator requires path parameter and thus you can not use "normal" URL Signing because viewer's device will request URLs containing dynamic paths such as in the following example.
http://12345.r.cdnsun.net/mystream/segment1.ts http://12345.r.cdnsun.net/mystream/segment2.ts http://12345.r.cdnsun.net/mystream/segment3.ts
Fortunately we provide the following two additional URL Signing features to solve this problem.
URL Signing for HLS
URL Signing for HLS is a URL signing tailored for protecting HLS streams.
Example
Let's assume that you want to protect your CDN HLS stream http://12345.r.cdnsun.net/streams/live/playlist.m3u8. All you need to do is to generate a token for the path /streams/live and then instead of using the token as a query string parameter (as with "normal" URL Signing) use it as a part of the CDN HLS URL path, e.g. http://12345.r.cdnsun.net/secure=DMF1ucDAx1&expires=1542300811&ip=1.2.3.4/streams/live/playlist.m3u8.
Notes
- Token generator is the same as with "normal" URL Signing.
How to enable
Just enable "normal" URL Signing and that's all.
File type URL Signing
File type URL Signing allows you to protect only certain file types and keep the rest unprotected.
Example
Let's assume that you want to protect your CDN HLS stream http://12345.r.cdnsun.net/mystream/playlist.m3u8. You can enable .m3u8 file type URL Signing for the CDN service 12345.r.cdnsun.net and then all you need to do is to generate token for the playlist URL and use http://12345.r.cdnsun.net/mystream/playlist.m3u8?secure=DMF1ucDxtHCxwYQ on your website. Please note that only .m3u8 files will require valid token and thus .ts segments and other files will be accessible without token.
Notes
- Token generator is the same as with "normal" URL Signing.
How to enable
This feature is currently not available in our dashboard. To enable it first set "normal" URL Signing to Disabled and then contact us via the support form below to request the file type URL Signing feature. Your request should contain the following.
- CDN Service Identifier, e.g. 12345.r.cdnsun.net.
- CDN stream URL, e.g. http://12345.r.cdnsun.net/mystream/playlist.m3u8.
- List of file types, e.g. .m3u8.
- Optionally URL Signing Key or we will generate random URL Signing Key for you.