Webair CDN Secure URLs



Similar documents
Fairsail REST API: Guide for Developers

HireDesk API V1.0 Developer s Guide

Integrations. Help Documentation

Qualtrics Single Sign-On Specification

Setting up single signon with Zendesk Remote Authentication

MONETA.Assistant API Reference

Project 2: Web Security Pitfalls

Login with Amazon. Getting Started Guide for Websites. Version 1.0

ANZ egate Virtual Payment Client

Manual. Netumo NETUMO HELP MANUAL Copyright Netumo 2014 All Rights Reserved

Forumbee Single Sign- On

Credomatic Integration Resources. Browser Redirect API Documentation June 2007

MiGS Virtual Payment Client Integration Guide. July 2011 Software version: MR 27

Chapter 7 Managing Users, Authentication, and Certificates

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Version 1.0. ASAM CS Single Sign-On

Exchange Service ReadMe and Configuration Setup

WiNG5 CAPTIVE PORTAL DESIGN GUIDE

PaperCut Payment Gateway Module CommWeb Quick Start Guide

How To Secure An Emr-Link System Architecture

Cloud Elements! Marketing Hub Provisioning and Usage Guide!

Application note: Connecting the to a Database

Online signature API. Terms used in this document. The API in brief. Version 0.20,

UFTP AUTHENTICATION SERVICE

How to install phpbb forum on NTU student club web server

PHP Integration Kit. Version User Guide

PHP Tutorial From beginner to master

Certified Secure Web Application Secure Development Checklist

(n)code Solutions CA A DIVISION OF GUJARAT NARMADA VALLEY FERTILIZERS COMPANY LIMITED P ROCEDURE F OR D OWNLOADING

Working With Virtual Hosts on Pramati Server

Single Sign-On Implementation Guide

THE CHALLENGE OF ADMINISTERING WEBSITES OR APPLICATIONS THAT REQUIRE 24/7 ACCESSIBILITY

This script is called by an HTML form using the POST command with this file as the action. Example: <FORM METHOD="POST" ACTION="formhandler.

PaperCut Payment Gateway Module - RBS WorldPay Quick Start Guide

AS DNB banka. DNB Link specification (B2B functional description)

Messaging API. API Specification Document Messaging API. Functionality: Send SMS Messages.

Configuring Single Sign-on for WebVPN

Criteria for web application security check. Version

Interzoic Single Sign-On for DotNetNuke Portals Version 2.1.0

Web Application Security

UPG plc Atlas Technical Integration Guide

Bypassing CAPTCHAs by Impersonating CAPTCHA Providers

SER Authentication with Radius and LDAP

Webapps Vulnerability Report

EdgeCast Networks Inc. Token-Based Authentication Administration Guide

IDAM Most frequently encountered messages / known issues document

ipayment Gateway API (IPG API)

Cardsave Payment Gateway

MasterCard In tern et Gateway Service (MIGS)

Contents. 2 Alfresco API Version 1.0

GravityLab Multimedia Inc. Windows Media Authentication Administration Guide

Hosted Credit Card Forms Implementation Guide

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

PaperCut Payment Gateway Module PayPal Website Payments Standard Quick Start Guide

PaperCut Payment Gateway Module Realex Realauth Redirect Quick Start Guide

A BETTER WAY TO PAY Unified Merchants API (UMAPI).Net Integration Manual

PowerCenter Real-Time Development

Logging and SNMP Trap Notification Of Events. Isonas Access Control System. Release 12 June 2007

How To Secure An Rsa Authentication Agent

E*TRADE Developer Platform. Developer Guide and API Reference. October 24, 2012 API Version: v0

Direct Post. Integration Guide

JAVASCRIPT AND COOKIES

Tableau Server Trusted Authentication

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

White Paper BMC Remedy Action Request System Security

Linklok URL TM V2.90

Easy CollECt and the transaction ManagEr interface

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Columbia University Web Security Standards and Practices. Objective and Scope

Forumbee Single Sign- On

Buckaroo Payment Engine 3.0 Implementation Manual HTML gateway

Audi Virtual Payment Client Integration Manual

Recommended Solutions for Installing Symantec Endpoint Protection 12.1.x in Shared and PvD Virtual Machines

Guide to Analyzing Feedback from Web Trends

Solve network scan problems. Common problems and solutions Scan to status Scan to FTP status Job Accounting status...

PHP Authentication Schemes

MAGENTO Migration Tools

Database Extension 1.5 ez Publish Extension Manual

Published. Technical Bulletin: Use and Configuration of Quanterix Database Backup Scripts 1. PURPOSE 2. REFERENCES 3.

Technical documentation

Web Services Credit Card Errors A Troubleshooter

Server Protocol and Integration Guideline (Protocol v3.00) Published Date 27/08/2013

API documentation - 1 -

CTIS 256 Web Technologies II. Week # 1 Serkan GENÇ

Online Auction Software Fundamentals

2.2 CloudStack User Interface Customization

Documentation for the SMSWay API v1.5. API for SMSWay Gateway. Documentation for the SMSWay API v

FileCloud Security FAQ

Merchant Reporting Tool

Barclaycard SmartPay. Hosted Payment Page Integration Guide. Version 3.0 released April 2012

Access Control and Audit Trail Software

Grandstream Networks, Inc. UCM6100 Series IP PBX Appliance CDR and REC API Guide

CONTRACT MODEL IPONZ DESIGN SERVICE VERSION 2. Author: Foster Moore Date: 20 September 2011 Document Version: 1.7

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

EHR OAuth 2.0 Security

Secure Hosting and Payments Technical Integration Guide

Transcription:

Webair CDN Secure URLs Webair provides a URL signature mechanism for securing access to your files. Access can be restricted on the basis of an expiration date (to implement short-lived URLs) and/or on the basis of the geographic location of the client requesting the download (to restrict the download of certain files to certain countries). Any tampering with the URL in an attempt to circumvent these restrictions will result in an invalid URL. URL Signatures URLs are protected from alteration by generating a MD5 digest of the valid URL and checking that against the actual URL requested. Thus, if an end user tries to alter the expiry time or allowed country for the URL the server will reject the request since the MD5 is no longer valid. A shared secret is used to prevent unauthorized regeneration of the MD5 (the "secret" is a password known to Webair and you, the owner of the protected content). Secure URLs can be generated using the provided PHP script (see genbgsec at the end of this document). Secure URLs are typically generated on the web server that serves the pages with links to the content. Any language that provides the means to generate an MD5 digest of a string can be used to implement the simple algorithm which generates the secure URL. URI Signature Algorithm A secure URI consists of several parts: The file to be served (e.g. /content/secure.ext) An expiry date (e.g. e=1182665958) An optional list of allowed countries (e.g. a=us,ca) An optional list of disallowed countries (e.g. d=ly,cd) An optional "unlock" or "global" parameter (e.g. g=1) The MD5 hash that secures the URI (e.g. h=886dbef7390dfd70aea27fd41e459e7f) The expiration time is specified as a standard POSIX timestamp (seconds since January 1 1970 00:00:00 UTC). The server compares this timestamp with the current time to determine if the URL has expired. A signature (MD5 hash) is generated for the URL using the following data: secret + file +?e=timestamp + &a=allowed-countries + &d=disallowed-countries + &g=1. The timestamp can be 0 (zero) which disables expiry of the URL (i.e. it never expires). Allowed, disallowed, and unlock parameters are mutually exclusive (i.e. it is only valid to specify one of them). For example, with: a file of /content/protected.flv with a shared secret of mysecret an allowed country of US and an expiry timestamp of 1182665958 the resulting hash, MD5(mySecret/content/protected.flv?e=1182665958&a=US) will be 886dbef7390dfd70aea27fd41e459e7f. The resulting URI for this secure download would be: /content/protected.flv?e=1182665958&a=us&h=886dbef7390dfd70aea27fd41e459e7f Restrictions by country can be specified either when the URL is created (as shown above) or by configuration settings on the Webair servers that correspond to directories (e.g. /content/us/us_only_file.ext). If content is being restricted by server-side setup then it's possible to generate a URL that overrides this so that it will work for any geographic location. This might be done, say, if an application wants to allow the user to email a link to a friend in another country. To generate such a link, append the parameter g=1 to the URI used to generate the MD5 digest: /content/us/us_only_file.ext?e=1182669982&g=1 The resulting URI would look like this: /content/us/us_only_file.ext?e=1182669982&g=1&h=0c19945a45f7e97bc4177fde22b41ebc Note the additional g=1 parameter on the URL, this is how the server knows whether to treat it as a (potentially) unlocked URL. Also note that the allowed and disallowed parameters are not specified.

PHP Sample Code for Generating Keys This PHP script implements generation of secure URIs. <?php Generate a Webair CDN secure download link for the given parameters. Compute a secure URI. INPUTS: $file - base URI (no query parameters) $secret - shared secret $expiry - expiry in seconds since January 1 1970 00:00:00 UTC $unlock - override server GeoIP security $allowed - list of allowed countries for GeoIP security $disallowed - list of disallowed countries for GeoIP security function bg_gen_secure_uri($file, $secret, $expiry = 0, $unlock = "", $allowed = "", $disallowed = "") if($file == '' $secret == '') return false; Restricting Content by Geographic Location URLs can be geographically restricted in the following ways: The allowed countries can be specified The disallowed countries can be specified A URL that would otherwise be blocked (because it's URI corresponds to an area on the server that is configured to only allow content to be downloaded by certain countries) can be unlocked so it can be viewed anywhere. This is typically combined with an expiry date so the URL will stop working at some point. Countries are specified using the two character ISO 3166 (http://www.maxmind.com/app/iso3166) country codes. For example, US specifies the United States and IE specifies Ireland. Only one of allowed, disallowed, or unlocked should be specified. The allowed and disallowed lists can contain a comma separated list of any number of country codes. // Construct the values for the MD5 salt... if ($unlock) $unlock = "&g=1"; if ($allowed) $allowed = "&a=$allowed"; if ($disallowed)

$disallowed = "&d=$disallowed"; // Generate the MD5 salt... $salt = $secret. $file. "?e=". $expiry. $allowed. $disallowed. $unlock; // Generate the MD5 hash... $m = md5($salt); // Generate the link... $uri = $file. "?e=". $expiry. $allowed. $disallowed. $unlock. "&h=". $m; return $uri;?> Error Reporting The server either successfully returns the requested content or it indicates that access was not allowed due to either expiration or country of access using HTTP code 403 ("Forbidden"). If the URL is invalid (i.e. has been altered since it was generated) then HTTP code 400 ("Bad request") is returned to the client. When 403 is returned the Webair servers can be set up to serve custom error page to the user. If this page is a PHP script (its name ends in ".php") then the server arranges for several possible parameters to be passed to it: "e" will contain the expiry date if the content has expired "a" will contain the list of allowed countries if the content was refused on because the client is not in one of those countries "d" will contain the list of disallowed countries if the client is in one of those countries The script can then either display a message to the user or (more commonly) redirect the user's browser to an alternative location. genbgsec #!/usr/local/bin/php <?php Generate a Webair CDN secure download link for the given parameters. Compute a secure URI. INPUTS: $file - base URI (no query parameters) $secret - shared secret $expiry - expiry in seconds since January 1 1970 00:00:00 UTC $unlock - override server GeoIP security $allowed - list of allowed countries for GeoIP security $disallowed - list of disallowed countries for GeoIP security function bg_gen_secure_uri($file, $secret, $expiry = 0, $unlock = "", $allowed = "", $disallowed = "") if($file == '' $secret == '') return false;

// Construct the values for the MD5 salt... if ($unlock) $unlock = "&g=1"; if ($allowed) $allowed = "&a=$allowed"; if ($disallowed) $disallowed = "&d=$disallowed"; // Generate the MD5 salt... $salt = $secret. $file. "?e=". $expiry. $allowed. $disallowed. $unlock; // Generate the MD5 hash... $m = md5($salt); // Generate the link... $uri = $file. "?e=". $expiry. $allowed. $disallowed. $unlock. "&h=". $m; return $uri; if($argc < 4) echo "Usage: $argv[0] file secret timeout [allowed_countries] [disallowed_countries] [unlock]\n"; // Read in the parameters... $file = $argv[1]; $secret = $argv[2]; $timeout = $argv[3]; $allowed = $argv[4]; $disallowed = $argv[5]; $unlock = $argv[6]; // Convert timeout in seconds to UTC timestamp... if($timeout) $now = time() - date('z'); // use UTC time since the server does $expiry = $now + $timeout; else $expiry = 0; if ($allowed && $disallowed) echo $argv[0]. ": allowed and disallowed countries are exclusive\n"; if ($unlock && ($allowed $disallowed)) echo $argv[0]. ": unlock and allowed or disallowed countries are exclusive\n";

$url = bg_gen_secure_uri($file, $secret, $expiry, $unlock, $allowed, $disallowed); if ($url) echo "$url\n"; else echo "Could not generate a URI with those parameters\n";?>

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information