Configure remote authentication

更新时间:
复制 MD 格式

If you have an authentication server, you can configure remote authentication to forward user requests to it for validation.

How it works

Both remote authentication and URL signing are used to protect your content from unauthorized access. The main difference is how they are implemented:

  • URL signing: A user distributes the signing rules for a domain name to the CDN nodes, and the CDN nodes are responsible for the entire data interaction and authentication process.

  • Remote authentication: You provide your own authentication server. When a CDN POP receives a request, it forwards the request to your server for validation. You must manage the authentication server.

The remote authentication process is as follows:远程鉴权交互图

Step

Description

1

A client sends a request for a resource to a CDN POP. The request includes authentication parameters. For example:

  • Original request URL: https://example.com/123/test.txt?key=xxxxxxxxxx

  • Original request header: test=123

2

The CDN POP receives the request and forwards it to the authentication server, either directly or after applying specified rules. For example:

  • Authentication server address: https://192.0.2.1/auth

  • The remote authentication feature in the CDN console is configured to Retain all parameters and Retain all headers.

  • The URL that CDN forwards to the authentication server is https://192.0.2.1/auth?key=xxxxxxxxxx.

  • The request that CDN forwards to the authentication server includes the header test=123.

3

The authentication server validates the request based on the authentication parameters and returns the result to the CDN POP.

4

The CDN POP acts on the authentication result and returns a response to the client.

Examples of authentication results:

  • Example 1: Authentication is successful. The CDN POP serves the cached content to the client.

  • Example 2: Authentication fails. The CDN POP returns a 403 status code to the client.

  • Example 3: Authentication fails. The CDN POP applies throttling to the client's requests.

  • Example 4: Authentication times out. The CDN POP performs the default action for timeouts, which is to either allow or reject the request.

Usage notes

  • After you configure remote authentication, requests that fail authentication can still reach the CDN nodes. Although the requests are rejected by the CDN nodes and a 403 status code is returned, the client requests are still recorded in the CDN logs.

  • With remote authentication, requests are forwarded to your authentication server for validation. This means that you still incur minimal data transfer fees even when malicious requests are blocked by CDN POPs. If the client uses HTTPS, you are also charged for the HTTPS requests because blocking malicious requests consumes CDN POP resources.

Procedure

  1. Log on to the CDN console.

  2. In the left navigation pane, click Domain Names.

  3. On the Domain Names page, find the target domain name and click Manage in the Actions column.

  4. In the domain's navigation pane, click Access Control.

  5. Click the Remote Authentication tab.

    1. Turn on the Remote Authentication switch and configure the parameters.

      Note

      After you enable remote authentication, every user request is forwarded to your authentication server for processing. If you expect high request volumes, ensure your authentication server has sufficient performance and capacity.

      Parameter

      Description

      Authentication Server Address

      The publicly accessible address of the authentication server. The system validates the format and value of the address that you enter.

      • Format requirements

        The address must use the HTTP or HTTPS protocol. Examples:

        • http://example.com/auth

        • https://example.com/auth

        • http://192.0.2.1/auth

        • https://192.0.2.1/auth

      • Value requirements

        The address cannot be 127.0.0.1 or localhost.

      Request Method

      The request method that is supported by the authentication server. You can select GET, HEAD, or POST. The default method is GET.

      File Types

      • All: All file types are subject to authentication.

      • Specified: Only the specified file types are subject to authentication.

        • To specify multiple file types, separate them with a vertical bar (|), for example, mp4|flv.

        • File types are case-sensitive. For example, .jpg and JPG are treated as different file types.

      URL signing parameters

      Parameters to Retain

      Controls which parameters from the user's request URL are included in the authentication request. Options include Retain All Parameters, Retain Specified Parameters, and Delete All URL Parameters.

      • If you retain specified parameters, separate multiple parameters with a vertical bar (|), for example, user|token.

      • Parameters are case-sensitive. For example, key and KEY are treated as different parameters.

      Custom Parameters

      Adds custom parameters to the request URL that the CDN POP forwards to the authentication server. You can define custom key-value pairs or use preset variables from the CDN console.

      • When you define custom parameters:

        • Separate multiple parameters with a vertical bar (|), for example, token=$arg_token|vendor=ali_dcdn.

        • Parameter values are case-sensitive. For example, key and KEY are treated as different values.

      • If you use preset variables, their values are added to the request that CDN forwards to the authentication server.

        For example, if you select the $http_host variable, host=$http_host is appended to the request URL, where $http_host is the value of the Host header in the original request. For more information, see Variables.

      Request header parameters

      Request Headers to Retain

      Controls which headers from the user's request are included in the authentication request. Options include Retain All Parameters, Retain Specified Parameters, and Delete All URL Parameters.

      • If you retain specified headers, separate multiple headers with a vertical bar (|), for example, user_agent|referer|cookies.

      • Header names are not case-sensitive. For example, http_remote_addr and HTTP_Remote_Addr are treated as the same header.

      Note

      When you select "Keep All Parameters", the CDN node deletes the Host header by default. If you need to retain the Host header, you can use "Keep Specified Parameters" or "Add Custom Parameters" to do so. The reason the CDN node deletes the Host header by default is that the Host header in the authentication request that the CDN node forwards to the authentication server is the accelerated domain name. This may cause the authentication server to fail to recognize the authentication request, which results in a 404 status code and authentication failure.

      Custom Parameters

      Adds custom headers to the request that the CDN POP forwards to the authentication server. You can define custom key-value pairs or use preset variables from the CDN console.

      • When you define custom parameters:

        • Separate multiple headers with a vertical bar (|), for example, User-Agent=$http_user_agent|vendor=ali_dcdn.

        • Header names are not case-sensitive. For example, http_remote_addr and HTTP_Remote_Addr are treated as the same header.

      • If you use preset variables, their values are added to the request that CDN forwards to the authentication server.

        For example, if you select the $http_host variable, host=$http_host is appended to the request URL, where $http_host is the value of the Host header in the original request. For more information, see Variables.

      HTTP Status Code to Return

      Passes Authentication

      Description: The HTTP status codes that the authentication server returns to CDN upon successful authentication. You can specify multiple status codes, separated by commas.

      Example: If you set this parameter to 200,206, a response of 200 or 206 from the authentication server indicates that authentication is successful.

      Exception handling: To prevent all user traffic from being blocked due to an issue, if the authentication server returns a status code that is not in the success or failure lists, the CDN POP allows the request by default.

      Fails Authentication

      Description: The HTTP status codes that the authentication server returns to CDN upon failed authentication. You can specify multiple status codes, separated by commas.

      Example: If you set this parameter to 400,403, a response of 400 or 403 from the authentication server indicates that authentication failed.

      Exception handling: To prevent all user traffic from being blocked due to an issue, if the authentication server returns a status code that is not in the success or failure lists, the CDN POP allows the request by default.

      Allow other status codes

      • Yes: If the authentication server returns a status code that is not in the success or failure lists, the CDN POP allows the user request. This prevents service disruption from unexpected responses.

        Note

        For example:

        • If the success status code is set to 200 and the server returns 201, the request is allowed.

        • If the failure status code is set to 403 and the server returns 404, the request is allowed.

      • No: If the authentication server returns a status code that is not in the success or failure lists, the CDN POP rejects the user request.

      Action performed by CDN after authentication failure

      Custom HTTP Status Code

      The status code that the CDN POP returns to the client when a request fails authentication.

      For example, if you set this to 403, the CDN POP returns a 403 status code to the client upon authentication failure.

      Authentication timeout settings

      Timeout

      The time limit for an authentication request. The timer starts when the CDN POP sends the request and it times out if the CDN POP does not receive a response from the authentication server within this duration. Unit: milliseconds. The maximum value is 3000.

      Action After Timeout

      When the data interaction between CDN and the authentication server times out, CDN takes an action on the user request. The supported actions are Pass and Reject. The following describes the differences:

      • Allow: If authentication times out, the CDN POP allows the user request.

      • Reject: If authentication times out, the CDN POP rejects the user request and returns the Custom HTTP Status Code specified above.

  6. Click OK to save the configuration.

    After you successfully configure remote authentication, you can modify the settings or disable the feature on the Remote Authentication tab.

Variables

When you add custom parameters, you can use preset variables from the CDN console. The following table describes the available variables.

Variable

Description

$http_host

The value of the Host request header.

$http_user_agent

The value of the User-Agent request header.

$http_referer

The value of the Referer request header.

$http_content_type

The value of the Content-Type request header.

$http_x_forward_for

The value of the X-Forwarded-For request header.

$remote_addr

The client IP address of the request.

$scheme

The protocol of the request.

$server_protocol

The protocol version of the request.

$uri

The original URI of the request.

$args

The query string of the request, which does not include the question mark (?).

$request_method

The request method.

$request_uri

The request URI and its query string.

FAQ

Related APIs

BatchSetCdnDomainConfig