Secure Token: configure access with tokenized URLs

When Secure Token is enabled, your content can be downloaded only if the request contains a hash key. Secure Token protects your content from unwanted downloads.

A tokenized URL looks like this:

http://cdn.example.com/photo.jpeg?md5=DMF1ucDxtHCxwYQ&expires=2147483647


Control Panel Settings

To enable Secure Token, go to CDN Resources in your Control Panel, choose the Resource and click Settings. Then open Advanced Settings and, under Access (Security), add Secure Token.

Activate the option, type in a signature key and save the settings. The signature key is similar to a password and can contain from 6 to 32 characters.

By default 4 parameters are considered in the token generation:

  • Expiration time
  • Path to the file
  • Key
  • IP (optional)

You can generate a token with or without IP. To generate tokens without IP, remove the tick near Add a Client's IP to the Token and use the script that generates tokens without IP.


Server Settings

Configure your server so that your CDN content is available at URLs containing tokens for the end users. At the same time, CDN servers need to get content without a token.

The token is generated in the following format: <expires><path><ip> <key>

<expires>: The expiration of the URL in the Unix timestamp format. 

<path>: The file path or file directory.

<key>: The URL signature key.

<ip>: The IPs that are allowed access.

Use this command to generate Unix Timestamp in Linux: `date +%s -d "10min"` (current time + 10 minutes)

CDN servers check every request on their side. They have the same parameters, <expires><path><ip> <key>, and use them to generate the hash key.

  • If these parameters do not match or the URL has expired, the CDN returns 403 Forbidden to the end user.
  • If all parameters match and the URL has not expired, the CDN delivers the requested file to the end user.
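
The check described above can be reproduced on your own side to test tokens before you publish links. The following is an added example, not code from the CDN provider: the function names, the 200/403 return values, the fixed clock and the sample values are assumptions made for illustration, and the token format is the one given on this page.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs


def make_token(expires, path, secret, ip=""):
    """Token in the page's format: MD5 of '<expires><path><ip> <key>',
    base64-encoded with '+/' mapped to '-_' and '=' padding removed."""
    raw = f"{expires}{path}{ip} {secret}".encode()
    digest = hashlib.md5(raw).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check_request(url, secret, now, client_ip=None):
    """Return 200 or 403 for a tokenized URL.

    client_ip=None models a resource configured without the IP option.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    token = query.get("md5", [""])[0]
    expires = query.get("expires", [""])[0]
    if not token or not (expires.isascii() and expires.isdigit()):
        return 403  # missing or malformed parameters
    if int(expires) < now:
        return 403  # URL has expired
    expected = make_token(expires, parts.path, secret, client_ip or "")
    # Constant-time comparison: do not reveal how many characters matched.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return 403  # path, IP, expiry or key does not match
    return 200


# Constructed sample values, reusing the placeholders from the page's scripts.
SECRET = "secret_key"
PATH = "/images/1.jpg"
EXPIRES = 2147483647
GOOD_URL = (f"http://cdn.site.com{PATH}"
            f"?md5={make_token(EXPIRES, PATH, SECRET, '1.2.3.4')}&expires={EXPIRES}")

if __name__ == "__main__":
    now = 1700000000  # fixed clock so the run is repeatable
    tampered = GOOD_URL.replace("1.jpg", "2.jpg")
    print(check_request(GOOD_URL, SECRET, now, "1.2.3.4"))          # token matches
    print(check_request(GOOD_URL, SECRET, now, "5.6.7.8"))          # other client IP
    print(check_request(tampered, SECRET, now, "1.2.3.4"))          # path changed
    print(check_request(GOOD_URL, SECRET, EXPIRES + 1, "1.2.3.4"))  # after expiry
```

Because the expiry, path and IP are all part of the hashed string, changing any of them in the URL invalidates the token.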


To generate the hash key, refer to the example scripts below.

PHP (with IP)

<?php
$secret = 'secret_key';
$ip = '1.2.3.4';
$path = '/live/133529_2/chunklist.m3u8';
$expires = time() + 10000;
$link = "$expires$path$ip $secret";
$md5 = md5($link, true);
$md5 = base64_encode($md5);
$md5 = strtr($md5, '+/', '-_');
$md5 = str_replace('=', '', $md5);
$url = "http://cdn.site.com{$path}?md5={$md5}&expires={$expires}";
echo $url;
echo "\n";


PHP (without IP)

<?php
$secret = 'secret_key';
$path = '/live/133529_2/chunklist.m3u8';
$expires = time() + 10000;
$link = "$expires$path $secret";
$md5 = md5($link, true);
$md5 = base64_encode($md5);
$md5 = strtr($md5, '+/', '-_');
$md5 = str_replace('=', '', $md5);
$url = "http://cdn.site.com{$path}?md5={$md5}&expires={$expires}";
echo $url;
echo "\n";

Where:

  • $secret - the URL signature key
  • $path - the file path or file directory
  • $ip - the IPs that are allowed access
  • $expires - the expiration of the URL (in sec)
  • $link - token generation with the necessary parameters
  • $url - file's URL


Python (with IP)

import base64
from hashlib import md5
from time import time

secret = 'secret_key'  # The URL signature key
path = "/images/1.jpg"  # The file path or file directory
ip = '1.2.3.4'  # The IPs that are allowed access
expires = int(time()) + 100000  # TTL of URL (in sec)

# Token generation
token = base64.b64encode(
    md5(
        ("%s%s%s %s" % (expires, path, ip, secret)).encode()
    ).digest()
).decode().replace("+", "-").replace("/", "_").replace("=", "")
# File's URL
secured_url = "http://cdn.site.com%s?md5=%s&expires=%s" % (path, token, expires)
print(secured_url)

 

Python (without IP)

import base64
from hashlib import md5
from time import time

secret = 'secret_key'
path = "/images/1.jpg"
expires = int(time()) + 100000
token = base64.b64encode(
    md5(
        ("%s%s %s" % (expires, path, secret)).encode()
    ).digest()
).decode().replace("+", "-").replace("/", "_").replace("=", "")
secured_url = "http://cdn.site.com%s?md5=%s&expires=%s" % (path, token, expires)
print(secured_url)

Where:

  • secret - the URL signature key
  • path - the file path or file directory
  • ip - the IPs that are allowed access
  • expires - the expiration of the URL (in sec)
  • token - token generation
  • secured_url - file's URL


With OpenSSL

You will get only the token as a result. You need to set the URL expiration time in Unix format manually and add this token to your URLs.


With IP

echo -n '2147483647/images/1.jpg1.2.3.4 secret_key' | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
'2147483647/images/1.jpg1.2.3.4 secret_key' = '{expires}{path}{ip} {secret_key}'

Without IP

echo -n '2147483647/images/1.jpg secret_key' | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
'2147483647/images/1.jpg secret_key' = '{expires}{path} {secret_key}'