Token Authentication

Overview

Token authentication is a simple and reliable access control strategy that verifies URL access against authentication rules, effectively preventing malicious abuse of site resources such as hotlinking. This function requires cooperation between the client and EdgeOne: the client initiates requests with signed authentication URLs, and EdgeOne verifies the validity of each URL based on the preset rules.

Function principle

The implementation of Token authentication consists of the following two parts:
Client: Initiates the authentication URL request based on the authentication rules (including the authentication algorithm and key).
EdgeOne node: Verifies the authentication information (MD5 string + timestamp) in the authentication URL. If verification passes, the request is considered valid and the node responds normally. If verification fails, the node rejects the request and directly returns 403.

Token authentication URL generation and verification tool

EdgeOne provides a generation tool and verification tool for Token authentication URLs. Developers can use this tool to quickly and accurately generate and verify anti-leeching URLs that meet the requirements.

Directions

1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. On the site details page, click Site Acceleration to enter the global configuration page for the site, then click the Rule Engine tab.
3. On the Rule Engine Management page, click Create rule and select Add blank rule.
4. On the rule editing page, set the matching conditions that trigger this rule.
5. Click Action > Select Box, and select Token authentication in the pop-up operation list. The parameter configuration instructions are as follows:
| Parameter | Description |
| --- | --- |
| Method | Currently, 5 authentication signature calculation methods are supported. Choose the appropriate method based on the access URL format. For details, please refer to the authentication method. |
| Primary key (required) | The primary password, consisting of 6-40 uppercase and lowercase English letters, numbers and special characters (except " and $). |
| Backup key (optional) | The secondary password, consisting of 6-40 uppercase and lowercase English letters, numbers and special characters (except " and $). |
| Authentication encryption string | The authentication parameter must be 1-100 characters long and consist of letters, numbers and underscores. The parameter value will be authenticated by nodes. |
| Validity period | Validity period of the authentication URL (1-630720000 seconds). It determines whether a client request is valid. If the time "timestamp + validity period" has been reached, the request is considered expired and a 403 is returned. If the current time does not exceed "timestamp + validity period", the request is not expired and the node continues to verify the MD5 string. |

Must-knows

1. After authentication passes, the node automatically ignores the authentication-related parameters in the URL to improve the cache hit rate and reduce the amount of origin-pull traffic.
2. The origin-pull request URL cannot contain any Chinese characters.
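
The check order described above (expiry first, then the MD5 string) and the parameter stripping from the must-knows, shown as an added example that is not EdgeOne's own code. The URL layout (a `t` timestamp parameter, MD5 over key + path + timestamp) and acceptance of either the primary or backup key are assumptions; the real formats are defined by the authentication method reference.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed layout (not from the page): ?<param>=<md5hex>&t=<unix timestamp>,
# where md5hex = MD5(key + path + timestamp).
TS_PARAM = "t"  # hypothetical timestamp parameter name


def _md5(key, path, ts):
    return hashlib.md5(f"{key}{path}{ts}".encode()).hexdigest()


def sign_url(url, key, param, timestamp):
    """Client side: append the MD5 string and the timestamp to the URL."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [(param, _md5(key, parts.path, timestamp)), (TS_PARAM, str(timestamp))]
    return urlunsplit(parts._replace(query=urlencode(query)))


def verify_url(url, keys, param, validity, now):
    """Node side: return (status, cache_url); keys = [primary, backup]."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    fields = dict(query)
    token, ts = fields.get(param, ""), fields.get(TS_PARAM, "")
    if not token or not (ts.isascii() and ts.isdigit()):
        return 403, None
    # Expiry is checked first: reaching "timestamp + validity period" is a 403.
    if now >= int(ts) + validity:
        return 403, None
    # Then the MD5 string. Accepting either key is an assumption made here;
    # the comparison is constant-time and does not stop at the first match.
    ok = False
    for key in keys:
        expected = _md5(key, parts.path, ts).encode()
        ok |= hmac.compare_digest(expected, token.encode())
    if not ok:
        return 403, None
    # On success, drop the authentication parameters so every signed variant
    # of the same resource maps to one cache entry.
    kept = [(k, v) for k, v in query if k not in (param, TS_PARAM)]
    return 200, urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Constructed sample values, not real keys or hosts.
    u = sign_url("https://www.example.com/a.mp4?w=640", "primaryKey01", "sign", 1700000000)
    print(u, verify_url(u, ["primaryKey01"], "sign", 3600, 1700000100))
```
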