Skip to main content

Signed URLs

Overview

IO River provides the ability to protect access to your content using signed URLs. This feature enforces signature verification by CDNs before allowing access to your content. For an end-user to access the content, the URL must include a valid signature in the query string. The Signed URLs feature by IO River generates a single signature that can be verified by all the CDNs in your service.

The URL accessed by the end-user should follow this format:
https://test.example.com/some-resource&YourQueryParams&SignatureQueryParams

The SignatureQueryParams part should be generated in your backend and verified by the different CDNs.

Configuring Keys

Signed URLs use keys to verify signatures. To add a verification key:

  1. Navigate to your service.
  2. In the sidebar, under Security, select Signed URLs.
  3. Click the Add New Key button.
  4. Complete the key creation form:
    • Key Name - Enter a name for the new key.
    • Choose to either create the keys yourself or click Generate Keys to generate them automatically. If creating keys manually, provide the Public Key and Encryption Key.

Note: It is crucial to securely store both the private key and the encryption key, as both are required to generate signatures.

Once created, the new key will appear in the list of keys. By clicking on the code icon, you can retrieve and copy the provider's key information. Refer to Generating Signatures for instructions on generating signatures.

Configuring Behavior

To enable Signed URLs for your traffic, you need to create the appropriate behavior. Follow these steps to create a behavior:

  1. Navigate to your service.
  2. Go to the Behaviors tab.
  3. Click the Add New Behavior button.
  4. Complete the behavior configuration form:
    • Name - Enter the name of the new behavior.
    • Path Pattern - Provide a wildcard expression identifying the paths where this behavior will apply.
    • Click Add Action.
    • In the Action Type dropdown, select URL Signing and enable it.

Important: Once you add this behavior, requests to your protected content without a valid signature will be blocked by your CDNs.