Sec Link

Protect links in your domain with a token

Asians Cloud CDN has a Sec Link feature that protects selected links on your domain with an auto-expiring token.

This token can be generated automatically by our CDN if the Sec Redirect feature is enabled. Otherwise, you can generate the token in your application; code samples are provided below.

Configuration

The following configurations are needed for the setting to work properly.

  1. Enable Sec Redirect: If Sec Redirect feature is enabled, then the

  2. Protected paths: The list of paths that will be protected with token.

  3. API Secret: A secret string that is used in the token to prevent forgery.

  4. Expire Seconds: The number of seconds each token should be valid for.

  5. Sleep Seconds: The number of seconds the plugin should sleep to make the visitor wait before redirecting them when Enable Sec Redirect is enabled. Note: Sleep Seconds should always be less than Expire Seconds.

How does Sec Redirection work?

The Sec Redirection inside Sec Link is used for automatically generating the token and redirecting the user.

To use it, we have to add /sec/ in front of the URL. So if our original link is https://www.example.com/some-url/ then it will become https://www.example.com/sec/some-url/

When the user visits the new URL (https://www.example.com/sec/some-url), they wait for some time (Sleep Seconds) and are then redirected to the original link with the security parameters. For example, https://www.example.com/some-url?md5=NH1XQCFoTWszY1xGZ01wRg&expires=1669140298

The md5 query parameter contains the token. The expires parameter contains the timestamp at which the link expires.

We can use this tool to convert the timestamp to date.

1. Protect a download link with an auto-expiring link: When you have an APK download link and want to protect it with a redirecting, auto-expiring link to avoid a CC attack that generates huge traffic, you can use this setting:

  • Enable Sec Redirect: True

  • Protected paths: e.g. /download The dictionary of paths to protect. The key is the path to protect, the value is the path to redirect to. For example, if you want to protect /download/1.apk, you can set it to or /download/1.apk.

  • API Secret: e.g. 6f0e2f08cc80f45ad3004e16af1e2cd6 . A string that is used in the token to prevent forgery. It should be a secret string that only you know.

  • Expire Seconds: 1200 The number of seconds each token should be valid for. Do not set it too small when you have a big file to download.

  • Sleep Seconds: 2. The number of seconds to sleep before returning the redirect. This is to prevent the token from being used in a DOS attack.

Then you can add /sec/ as the prefix of all your protected URL paths, e.g. /download/1.apk becomes /sec/download/1.apk. The original download link will be protected with sec parameters, and direct access is invalid.

2. Protect an API with an auto-expiring link: When you have an API and want to protect it with an auto-expiring link to avoid a CC attack that generates huge traffic, you can use this setting:

  • Enable Sec Redirect: False

  • Protected paths: e.g. /api/hello The dictionary of paths to protect. The key is the path to protect, the value is the path to redirect to. For example, if you want to protect /api/hello, you can set it to /api/hello

  • API Secret: e.g. 6f0e2f08cc80f45ad3004e16af1e2cd6. A string that is used in the token to prevent forgery. It should be a secret string that only you know.

  • Expire Seconds: 60. The number of seconds each token should be valid for.

  • Sleep Seconds: 2. Any number because it is not used in this scenario.

Then you need to add the validation parameters to your URL, e.g. /api/hello becomes /api/hello?md5=xxx&expires=xxx. The original API link will be protected with sec parameters, and direct access is invalid.

How can we generate the token?

General Algorithm for generating the token

  1. Calculate the expiry time by adding Expire Seconds to the current epoch time

  2. Concatenate X = Expiry Time + the URL path to be protected + Expire Seconds + the IP address of the requestor + " " + API Secret

  3. Take the binary form of the MD5 of X

  4. Encode the binary form as base64

  5. Replace "+" with "-", "/" with "_" and strip all "=" to make it URL friendly

Code Example of generating the token

Bash

#!/bin/bash

export DOMAIN="test2.kqcdn.com"
export API_SECRET="fa58edb2"

urlpath="/api/hello"   # URL path to request, without query parameters
time_now=$(date +%s)
expiry_seconds=86400
expires=$(expr $time_now + $expiry_seconds)    # expiry timestamp
ip=$(curl -s ifconfig.me)      # your own public IP

echo "${expires}${urlpath}${expiry_seconds}${ip} ${API_SECRET}"
md5value=$(echo -n "${expires}${urlpath}${expiry_seconds}${ip} ${API_SECRET}" \
 | openssl md5 -binary \
 | openssl base64 | tr +/ -_ | tr -d = )
echo $md5value
echo curl "http://${DOMAIN}${urlpath}?md5=${md5value}&expires=${expires}"
curl "http://${DOMAIN}${urlpath}?md5=${md5value}&expires=${expires}"

Python

import time
import hashlib
import base64

domain = "test2.kqcdn.com"
api_secret = "fa58edb2"

urlpath = "/api/hello"
time_now = int(time.time())
expiry_seconds = 86400
expires = time_now + expiry_seconds
ip = "139.162.103.25"

a = f"{expires}{urlpath}{expiry_seconds}{ip} {api_secret}"
m = hashlib.md5(a.encode())
b = base64.b64encode(m.digest()).decode()
md5 = b.replace("/", "_").replace("+", "-").strip("=")
print(md5)

url = f"http://{domain}{urlpath}?md5={md5}&expires={expires}"
print(url)

Go

package main

import (
	"crypto/md5"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

func GetMD5Hash(text string) string {
	h := md5.New()
	h.Write([]byte(text))
	b := base64.StdEncoding.EncodeToString(h.Sum(nil))
	replacer := strings.NewReplacer("+", "-", "/", "_", "=", "")
	c := replacer.Replace(b)
	return c
}

func main() {
	domain := "test2.kqcdn.com"
	apiSecret := "fa58edb2"
	urlpath := "/api/hello"
	timeNow := int(time.Now().Unix())
	expirySeconds := 86400
	expires := timeNow + expirySeconds
	ip := "139.162.102.25"

	a := fmt.Sprintf("%d%s%d%s %s", expires, urlpath, expirySeconds, ip, apiSecret)
	m := GetMD5Hash(a)
	url := fmt.Sprintf("http://%s%s?md5=%s&expires=%d", domain, urlpath, m, expires)
	fmt.Println(url)
}

PHP

<?php

$domain = "test2.kqcdn.com";
$api_secret = "fa58edb2";

$urlpath = "/api/hello";
$time_now = time();
$expiry_seconds = 86400;
$expires = $time_now + $expiry_seconds;
$ip = "139.162.103.25";

$a = $expires.$urlpath.$expiry_seconds.$ip." ".$api_secret;
$m = md5($a, true); // raw binary digest (step 3 of the algorithm), not the hex string
$b = base64_encode($m);
$md = str_replace(["/", "+", "="], ["_", "-", ""], $b);
$url = "http://".$domain.$urlpath."?md5=".$md."&expires=".$expires ;
print_r($url);
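
The validating side of the general algorithm above, as an added Python example (not Asians Cloud's own code): it recomputes the token from the request and shows which changes invalidate a link. The function names and the sample secret, IP and host are constructed, and treating a link as valid up to and including its expires second is an assumption.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs


def make_token(expires, urlpath, expire_seconds, ip, api_secret):
    """Steps 2-5 of the general algorithm: MD5 -> base64 -> URL-safe, no padding."""
    x = f"{expires}{urlpath}{expire_seconds}{ip} {api_secret}"
    digest = hashlib.md5(x.encode()).digest()
    # urlsafe_b64encode already maps "+" to "-" and "/" to "_"
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def check_link(url, client_ip, expire_seconds, api_secret, now):
    """Return (ok, reason) for a protected URL requested by client_ip at time now."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    token = query.get("md5", [""])[0]
    expires_raw = query.get("expires", [""])[0]
    if not token or not expires_raw.isdecimal():
        return False, "missing or malformed md5/expires"
    expires = int(expires_raw)
    if now > expires:  # assumption: still valid during the expires second itself
        return False, "expired"
    # Expire Seconds is hashed but never sent, so it must come from configuration.
    expected = make_token(expires, parts.path, expire_seconds, client_ip, api_secret)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "token mismatch"
    return True, "ok"


# Constructed sample values, not real credentials or hosts.
SECRET = "example-secret-not-real"
EXPIRE_SECONDS = 60
NOW = 1700000000
IP = "203.0.113.10"
PATH = "/api/hello"
EXPIRES = NOW + EXPIRE_SECONDS
TOKEN = make_token(EXPIRES, PATH, EXPIRE_SECONDS, IP, SECRET)
URL = f"http://cdn.example.test{PATH}?md5={TOKEN}&expires={EXPIRES}"

if __name__ == "__main__":
    print(check_link(URL, IP, EXPIRE_SECONDS, SECRET, NOW))          # valid link
    print(check_link(URL, "203.0.113.99", EXPIRE_SECONDS, SECRET, NOW))  # other IP
    print(check_link(URL, IP, EXPIRE_SECONDS, SECRET, EXPIRES + 1))  # too late
    print(check_link(URL, IP, 86400, SECRET, NOW))  # wrong Expire Seconds
```

Because Expire Seconds is part of the hashed string, an application that generates tokens with a value different from the one configured on the CDN produces links that never validate.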
