Cloud CDN signed URLs enable you to serve responses from Google Cloud Platform's globally distributed caches, even when you need requests to be authorized.
Signed URLs give a client temporary access to a private resource without requiring additional authorization. To achieve this, selected elements of a request are hashed and cryptographically signed using a strongly random key that you generate. When a request uses the signed URL that you provided, the request is considered authorized to receive the requested content. When Cloud CDN receives a request with a bad signature for an enabled service, the request is rejected and never goes to your backend for handling.
Generally, a signed URL can be used by anyone who has it. However, a signed URL is usually only intended to be used by the client to which the URL was given. To mitigate the risk of the URL being used by a different client, signed URLs expire at a time chosen by you. To minimize the risk of a signed URL being shared, set it to expire as soon as possible.
How URLs are signed
Before you can sign URLs, you create one or more cryptographic keys on a backend
service, backend bucket, or both. Then you sign and cryptographically hash a URL
gcloud command line tool or your own code.
Distributing signed URLs
When signed URL handling is enabled on a backend, Cloud CDN gives special
handling to requests with signed URLs. Specifically, requests with a
query parameter are considered signed. When such a request is received, Cloud
CDN verifies the following:
- The HTTP method is GET or HEAD.
Expiresparameter is set to a future time.
- The request's signature matches the signature computed using the named key.
If any of these checks fails, a
403 Forbidden response is served. Otherwise,
the request is either proxied to the backend or served from the cache. All valid
signed requests for a particular base url (the part before the
parameter) will share the same cache entry. Responses to signed and unsigned
requests do not share cache entries. Responses are cached and served until the
expiration time you set.
Content that requires signed requests is often marked as uncacheable using the
Cache-Control header. To make such objects compatible with Cloud CDN without
requiring backend changes, Cloud CDN overrides the Cache-Control header when
responding to requests that have valid signed URLs. Cloud CDN treats the
content as cacheable, and uses the
max-age parameter set in your Cloud CDN
configuration. The response served still has the Cache-Control headers that
the backend generated.
The URL returned from the
gcloud command line tool or produced by your
custom code can be distributed according to your needs. We recommend signing
only HTTPS URLs, because HTTPS provides a secure transport that will
prevent the Signature component of the signed URL from being intercepted.
Similarly, you should distribute the signed URLs over secure transport protocols
such as TLS/HTTPS.
- To configure URL signing, refer to Using signed URLs.