Limit Access Using a Secret Key

Limiting access by a secret key is a security feature that protects your web resource from bandwidth theft by prohibiting hotlinking and the sharing of your content on other websites or applications.


To limit access using a secret key, follow the steps below:


1. Log in to the Universal CDN Control Panel at my.ucdn.com.

2. Navigate to the My Zones tab located in the top left corner.

3. Click on the cogwheel icon next to the CDN zone whose access will be restricted.

4. Navigate to the Limit Access tab. 

5. Scroll down to the Limit access using secret key feature and check the box next to it.

6. Choose the desired hash algorithm (md5 or sha1), enter the password you want to use, and specify the default time each link will be valid.

The secret key entered in the Control Panel must be used when generating links to your resources. 

After making any changes in the Universal CDN Control Panel do not forget to click on the Save Changes button. 


Generating URLs to your resources using a secret key 


Limiting access using a secret key requires including two mandatory parameters (cdn_hash and cdn_creation_time) and may include several optional parameters (cdn_ttl, cdn_net, cdn_bw, cdn_bw_fs, cdn_cv_).

If the hash value is incomplete, wrong, or missing, the CDN edge servers return the 405 “Method Not Allowed” HTTP status code.


Mandatory parameters:

cdn_hash

The parameter is mandatory. The value of this parameter is the returned hash value (called a checksum).

The checksum is a unique digital fingerprint of the data of the included parameters generated by using the hash function of the chosen md5 or sha1 algorithm.

The following part of the PHP script illustrates the order in which the values must be concatenated when generating the hash value:

cdn_hash:

$cdn_hash = md5(
     $request_path
    .$secret_key
    .$cdn_creation_time
    .$cdn_ttl
    .$cdn_net
    .$cdn_bw
    .$cdn_bw_fs
    .$cdn_cv_user_id
);

It needs to be added as described below:

cdn_hash=f1485ee14fb9a05b288836b5f61d071e


cdn_creation_time

This is a mandatory parameter only if the time for which the hash will be valid is specified from the Universal CDN Control Panel or by including it with the cdn_ttl parameter. It specifies the time when the hash was generated in Unix timestamp format. It needs to be added as described below: 

cdn_creation_time=1601038498


Optional parameters:

cdn_ttl 

This parameter specifies the time for which the hash will be valid. The value of the parameter must be specified in seconds. It needs to be added as described below:


cdn_ttl=86400

The TTL value can be specified through the Universal CDN Control Panel as well (as shown on the screenshot above). Adding the cdn_ttl parameter when a hash value for your asset is generated will override the value specified in the Universal Control Panel if such has been set. 


cdn_net 

This parameter is used to allow access only from an IP address or from an entire IP Network. It needs to be added as described below: 

cdn_net=209.58.157.175 

Where “209.58.157.175” is an example IP address. 

cdn_net=209.58.157.0.24 

Where “209.58.157.0.24” is an example IP network (209.58.157.0/24). The slash “/” of the network notation must be replaced with a dot “.” since the forward slash “/” is a reserved character used to separate different parts of the URL.


cdn_bw
 

This parameter limits the rate of downloading speed. The values must be specified in bytes per second. It needs to be added as described below: 

cdn_bw=10240


cdn_bw_fs 

This parameter sets the amount of data that will be served at full speed (support “k”, “m”, and “g” for KB, MB, and GB respectively). This parameter should be used along with the cdn_bw parameter that limits the rate of the downloading speed after serving the data at full speed. It needs to be added as described below: 

cdn_bw_fs=10m                                      


cdn_cv_<user_defined_name>

The cdn_cv_ prefix allows adding a custom parameter. It needs to be added as described below: 

cdn_cv_user_id=1997

Where “cdn_cv_” is an integral part of the parameter – it cannot be changed or omitted, “user_id” is the custom part of the parameter (it can be changed to whatever value you define), “1997” is the value of the parameter.


Example PHP script for generating a URL with a secret key


Let’s assume that the CNAME you have added to your CDN zone is test.example.com, the URI path of the example file is /video/example-video.mp4, you have selected md5 as the hash algorithm, and the password you have entered is “sfKlt1!54hF4_%”.


For the purposes of this tutorial, we have created a simple PHP script that allows us to generate the required hash for your URLs. We have added the following values for the parameters specified in the script below: 

<?php
$secret_key = '<place your secret key here>';

$request_path = '/video/example-video.mp4';

/* Current Unix timestamp */
$cdn_creation_time = time();

/* For how long the generated URL will be active in seconds */
$cdn_ttl = 86400;

/* Allow access only to specified ip address or IP network */
$cdn_net = "207.138.234.91";

/* Limit download speed to bytes per second (10KB) */
$cdn_bw = "10240";

/* The amount of data served at maximum speed MB */
$cdn_bw_fs = "10m";

/* Generating the hash */
$hash = md5($request_path . $secret_key . $cdn_creation_time . 
            $cdn_ttl . $cdn_net . $cdn_bw . $cdn_bw_fs);

/* Generating the URL with a secret key by concatenating host, path, and parameters */
$access_url = 'https://test.example.com'
    .$request_path
    .'?cdn_hash='.$hash
    .'&cdn_creation_time='.$cdn_creation_time
    .'&cdn_ttl='.$cdn_ttl
    .'&cdn_net='.$cdn_net
    .'&cdn_bw='.$cdn_bw
    .'&cdn_bw_fs='.$cdn_bw_fs;

echo $access_url . "\n";
?>


The following URL has been generated as output after running the script above:

https://test.example.com/video/example-video.mp4?cdn_hash=a2231dbf86c4017a62ce9cca0decd108&cdn_creation_time=1616488870&cdn_ttl=86400&cdn_net=207.138.234.91&cdn_bw=10240&cdn_bw_fs=10m
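
The script above always sends every parameter. The following added example (not part of the Universal CDN documentation or code) builds a link with only some optional parameters, converts a network in slash notation to the dot form required for cdn_net, and then re-checks its own output. The function names and the secret 'example-secret' are hypothetical; it assumes, as in the script above, that an omitted parameter contributes nothing to the hash and that cdn_net is hashed exactly as it appears in the URL. The self-check mirrors the documented hash for local testing and is not the edge servers' code.

```php
<?php
// Added example, not Universal CDN code; function names are hypothetical.
const UCDN_ORDER = ['cdn_creation_time', 'cdn_ttl', 'cdn_net', 'cdn_bw', 'cdn_bw_fs'];
function ucdn_hash(string $algo, string $path, string $secret, array $params): string
{
    if (!in_array($algo, ['md5', 'sha1'], true)) {
        throw new InvalidArgumentException('algorithm must be md5 or sha1');
    }
    $data = $path . $secret;
    foreach (UCDN_ORDER as $name) {        // fixed order from the page's snippet
        $data .= $params[$name] ?? '';     // an omitted parameter adds nothing
    }
    foreach ($params as $name => $value) { // custom cdn_cv_ value goes last
        $data .= strncmp($name, 'cdn_cv_', 7) === 0 ? $value : '';
    }
    return hash($algo, $data);
}
function ucdn_sign_url(string $host, string $path, string $secret, string $algo, array $params): string
{
    if (isset($params['cdn_net'])) {       // "/" is reserved in URLs: 10.0.0.0/8 -> 10.0.0.0.8
        $params['cdn_net'] = str_replace('/', '.', $params['cdn_net']);
    }
    $query = 'cdn_hash=' . ucdn_hash($algo, $path, $secret, $params);
    foreach ($params as $name => $value) {
        if (!preg_match('/^[A-Za-z0-9._-]+$/', (string) $value)) {
            throw new InvalidArgumentException("$name would need URL-encoding");
        }
        $query .= '&' . $name . '=' . $value;
    }
    return 'https://' . $host . $path . '?' . $query;
}
// Local self-check for tests: recompute the hash and compare in constant time.
function ucdn_self_check(string $url, string $secret, string $algo, int $now): bool
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    $q = array_filter($q, 'is_string');
    $given = $q['cdn_hash'] ?? '';
    unset($q['cdn_hash']);
    $expires = (int) ($q['cdn_creation_time'] ?? 0) + (int) ($q['cdn_ttl'] ?? 0);
    $fresh = !isset($q['cdn_ttl']) || $expires >= $now;
    $path = (string) parse_url($url, PHP_URL_PATH);
    return $fresh && hash_equals(ucdn_hash($algo, $path, $secret, $q), $given);
}

$p = ['cdn_creation_time' => 1601038498, 'cdn_ttl' => 86400, 'cdn_net' => '209.58.157.0/24', 'cdn_cv_user_id' => 1997];
$url = ucdn_sign_url('test.example.com', '/video/example-video.mp4', 'example-secret', 'sha1', $p);
echo $url, "\n";
var_dump(ucdn_self_check($url, 'example-secret', 'sha1', 1601038558));
var_dump(ucdn_self_check(str_replace('ttl=86400', 'ttl=864000', $url), 'example-secret', 'sha1', 1601038558));
```

The second check edits cdn_ttl in the finished link without recomputing the hash, so the recomputed value no longer matches cdn_hash.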

