URL Signing protects CDN assets by ensuring only authorized end users are able to access them. URL signing can be used to set an expiration time on a given URL, verify the URL was requested by the same IP address it was issued to, or only allow certain user agents to access your URLs. CDN assets with URL signing enabled will use an MD5 hash appended to the URL which validates access should be granted.
This rule can also be configured with more options via the StackPath API.
Add the Custom Rule
- Log into the StackPath Control Portal and navigate to Sites → Website Domain → Edge Rules.
- Select "Add Delivery Rule" under the Delivery Rules section.
- Depending on the desired implementation of URL Signing, it can be set up to work for the entire site or for only certain file types. In this example, URL Signing will be configured for the playlist with an extension of .m3u8. To match all playlist files, please use *://*.m3u8
- On this page, there are four fields to configure.
- Passphrase - The secret key used to generate the hashed value used to sign the URL
- Passphrase Field - The URL parameter field that identifies the passphrase pre-hashing
- MD5 Token Field - The URL Parameter field that identifies the post-hash token
- TTL Field (Optional) - The URL Parameter that defines the Time To Live value to be hashed
- IP Address Allowed List (Optional) - A comma-separated list of IP addresses allowed to view the signed content.
Assembly of a Signed URL
Once configured, here is how the Signed URL is assembled:
- Take everything after the apex of the domain (/path/to/playlist.m3u8) and add the passphrase field and passphrase as a query string. For example:
/path/to/playlist.m3u8?passphrasefield=passphrase123
- Generate an md5 sum using the full file path of the desired asset
echo -n "/path/to/playlist.m3u8?passphrasefield=passphrase123" | md5 output: 23b18cd9d9cc16e03fe3b94deb3a7894
- Append the md5 sum as a query string '?' defined by your token field. In the above example, the final product becomes:
https://yourdomain.com/path/to/playlist.m3u8?StackPath=23b18cd9d9cc16e03fe3b94deb3a7894
Including a TTL Field
The URL signing rule includes an optional TTL Field to specify a time for asset expiration. Using this setting will create the URL Parameter for the value to be defined when generating the md5 sum and used for the final request.
The TTL must be defined by the Unix Epoch time of expiration and included in both the pre-hash and post-hash URLs.
- Append a newly defined TTL value and everything else defined above to the appropriate query string; using the above example this becomes:
/path/to/playlist.m3u8?expires=1542810073&passphrasefield=passphrase123
(At the time of this article, 1542810073 is epoch time plus one day) - Generate the md5 sum using this full file path.
echo -n "/path/to/playlist.m3u8?expires=1542810073&passphrasefield=passphrase123" | md5
output: 3fa69bc7d3678d7a500b57a31a433522 - Append the TTL field, including the epoch time of expiry as a query string, along with the token field and hashed token for validation:
https://yourdomain.com/path/to/playlist.m3u8?expires=1542810073&StackPath=3fa69bc7d3678d7a500b57a31a433522
Code Examples
Bash
Mac:
echo -n "/path/to/playlist.m3u8?passphrasefield=passphrase123" | md5
Other Linux:
echo -n "/path/to/playlist.m3u8?passphrasefield=passphrase123" | md5sum
Python3
import hashlib
### Variables set in control.stackpath.com
passphrasefield = "passphrasefield"
passphrase = "passphrase123"
tokenfield = "StackPath"
### Variables from your application
url = "/path/to/playlist.m3u8"
completeurl = url + "?" + passphrasefield + "=" + passphrase
print(url + "?" + tokenfield + "=" + hashlib.md5(completeurl.encode('utf-8')).hexdigest())
If any questions arise or any assistance can be further provided, feel free to drop us a line at hi@stackpath.com, we'll be happy to help you out.