URL Signing protects CDN assets by ensuring only authorized end users are able to access them. URL signing can be used to set an expiration time on a given URL, verify the URL was requested by the same IP address it was issued to, or only allow certain user agents to access your URLs. CDN assets with URL signing enabled use an MD5 hash appended to the URL, which is used to validate whether access should be granted.
This rule can be configured with more options via the API call.
Add the Custom Rule
- Log into the Control Panel and navigate to CDN → Site → Edge Rules.
- Select "Add Custom Rule".
- Depending on how you want to implement URL Signing, you can choose to do it for the entire site or for only certain file types. In this example, URL Signing will be configured for the playlist with an extension of .m3u8. To match all playlist files, you will use *://*.m3u8
- On this page you have four fields to configure:
  - Passphrase - The secret key used to generate the hashed value used to sign the URL
  - Passphrase Field - The URL parameter field that identifies the passphrase pre-hashing
  - MD5 Token Field - The URL parameter field that identifies the post-hash token
  - TTL Field (Optional) - The URL parameter that defines the Time To Live value to be hashed
Assembly of a Signed URL
Once configured, here is how the Signed URL is assembled:
- Take everything after the apex of the domain (/path/to/playlist.m3u8) and add your passphrase field and passphrase as a query string. For example:
- Generate an md5 sum using the full file path of the desired asset
echo -n "/path/to/playlist.m3u8?passphrasefield=passphrase123" | md5
output: 23b18cd9d9cc16e03fe3b94deb3a7894
- Append the md5 sum as a query string '?' defined by your token field. In the above example, the final product becomes:
Including a TTL Field
The URL signing rule includes an optional TTL Field to specify a time for asset expiration. Setting it defines the URL parameter that carries the expiration value; that parameter is included when generating the md5 sum and again in the final request.
The TTL must be defined by the Unix Epoch time of expiration and included in both the pre-hash and post-hash URLs.
- Append a newly defined TTL value and everything else defined above to the appropriate query string; using the above example this becomes:
/path/to/playlist.m3u8?expires=1542810073&passphrasefield=passphrase123
(At the time of this article, 1542810073 is the current epoch time plus one day.)
- Generate the md5 sum using this full file path.
echo -n "/path/to/playlist.m3u8?expires=1542810073&passphrasefield=passphrase123" | md5
- Append the TTL field, including the epoch time of expiry as a query string, along with the token field and hashed token for validation:
echo -n "/path/to/playlist.m3u8?passphrasefield=passphrase123" | md5
echo -n "/path/to/playlist.m3u8?passphrasefield=passphrase123" | md5sum
import hashlib

### Variables set in control.stackpath.com
passphrasefield = "passphrasefield"
passphrase = "passphrase123"
tokenfield = "StackPath"
### Variables from your application
url = "/path/to/playlist.m3u8"
### Pre-hash URL: path plus the passphrase field and passphrase
completeurl = url + "?" + passphrasefield + "=" + passphrase
### Signed URL: path plus the token field and the md5 of the pre-hash URL
print(url + "?" + tokenfield + "=" + hashlib.md5(completeurl.encode('utf-8')).hexdigest())
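
The TTL steps above, together with the matching check, as an added example that is not StackPath's code. The field names and passphrase are the article's sample values; the parameter order in the final URL and the `verify_url` logic are assumptions made to illustrate what a validator has to recompute.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Sample rule values from the article; "expires" is the TTL field in its example.
PASSPHRASE_FIELD = "passphrasefield"
PASSPHRASE = "passphrase123"
TOKEN_FIELD = "StackPath"
TTL_FIELD = "expires"


def token_for(path, expires=None):
    """MD5 of the pre-hash URL: path?[expires=<epoch>&]passphrasefield=passphrase."""
    ttl = f"{TTL_FIELD}={expires}&" if expires is not None else ""
    prehash = f"{path}?{ttl}{PASSPHRASE_FIELD}={PASSPHRASE}"
    return hashlib.md5(prehash.encode("utf-8")).hexdigest()


def sign_url(path, expires=None):
    """Build the post-hash URL; the passphrase itself never appears in it."""
    ttl = f"{TTL_FIELD}={expires}&" if expires is not None else ""
    return f"{path}?{ttl}{TOKEN_FIELD}={token_for(path, expires)}"


def verify_url(signed_url, now=None):
    """Hypothetical validator: enforce expiry, then recompute and compare the token."""
    parts = urlsplit(signed_url)
    query = parse_qs(parts.query)
    token = query.get(TOKEN_FIELD, [""])[0]
    expires = query.get(TTL_FIELD, [None])[0]
    if expires is not None:
        # Reject a malformed TTL instead of guessing at it.
        if not (expires.isascii() and expires.isdigit()):
            return False
        if int(expires) < (time.time() if now is None else now):
            return False
    expected = token_for(parts.path, expires)
    # Constant-time comparison does not leak how many characters matched.
    return hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: a playlist URL valid for one day from now.
    url = sign_url("/path/to/playlist.m3u8", int(time.time()) + 86400)
    print(url, verify_url(url))
```

Because the expiry value is part of the hashed string, changing `expires` in the final URL without knowing the passphrase invalidates the token.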