This chapter introduces the CC protection strategy for the API interface. As we all know, when adding a domain name to the CDN system, the most difficult thing is the protection setting of the API interface. The reason is that many cc strategies for the domain name of the API interface cannot be turned on. Once turned on, the API interface will not be able to communicate normally between the client side and the node.
Therefore, this site has specially made a set of signature encryption protection schemes for API interfaces, which can effectively handle any CC attacks, and the protection scheme will not be easily cracked at the CDN level. It can effectively resist all CC attacks against API interfaces for a long time. As shown in the figure:
API-specific defense instructions
1. Overview of signature algorithms
Algorithm type: ECDSA (secp256k1)
哈希算法:SHA256
输出格式:r(32 bytes) || s(32 bytes) || recid(1 byte),总长度65 bytes
2. Signature process
- Build message msg → hash = SHA256 (msg)
- Sign with the private key, get (r, s), low-s normalization
- Calculate recid (0 or 1) and output raw_signature = r | | s | | recid
3. Example (javascript)
const ec = new EC('secp256k1')
const key = ec.keyFromPrivate(SIGNKEY, 'hex')
const ts = Math.floor(Date.now() / 1000) // 获取当前时间戳
const content = md5('hello world'); // hello world 可以替换成其他的
const message = `${ts}_${content}_${ts}`; // 签名的原始内容
const hash = CryptoJS.SHA256(message).toString(CryptoJS.enc.Hex)
const signature = key.sign(hash, { canonical: true })
const recid = key.getPublic(true)
const r = signature.r.toArrayLike(Buffer, 'be', 32)
const s = signature.s.toArrayLike(Buffer, 'be', 32)
// 最终签名结果
const rawSigHex = Buffer.concat([r, s, Buffer.from([recid])]).toString('hex')