Access control FAQ

If you have questions when you configure user access to DCDN resources, see the following frequently asked questions and their solutions.

Is there a limit on the number of IP addresses for IP blacklists and whitelists? Does an IP address range count as one or multiple IP addresses?

When you configure an IP blacklist or whitelist for DCDN, you can add up to 2,000 IPv4 addresses and 700 IPv6 addresses.

An IP address range counts as one IP address.

Why can an IP address on a blacklist still access resources?

DCDN is a server-side service and cannot control client access. After you configure an IP blacklist, if a request is sent from a blacklisted IP address to DCDN, DCDN returns a 403 error code. The request is still recorded in the DCDN logs. For more information about how to view logs, see Quick Start.

How do I get the originating IP address of a client?

Retrieve it from the X-Forwarded-For header. For details, see Retrieve the originating IP addresses of clients.

I need to add the DCDN POP IP addresses to the whitelist on my origin server. Can Alibaba Cloud provide the IP addresses of the DCDN POPs that access the origin server?

You can fill out a form to request permission to call the DescribeDcdnL2Ips API operation. This operation lets you retrieve the IP addresses of the Layer 2 (L2) POPs for a specific domain name. These are the IP addresses that DCDN uses to access your origin server.

Why does a URL signing failure cause a 403 error when I access DCDN-accelerated resources?

URL signing protects your origin resources from being downloaded or used by unauthorized sites. If you enable the URL signing feature of Alibaba Cloud DCDN and receive a 403 error when you access DCDN-accelerated resources, you can use the developer tools in your browser to view the detailed error message in the Response Header. The following sections describe common error messages:

Error message: X-Tengine-Error:denied by req auth: no url arg auth_key

  • Cause: The authentication parameter is missing. URL signing is enabled for DCDN, but the access URL does not contain the required authentication parameter.

  • Solution: If you want to use the DCDN URL signing feature, configure it by following the instructions in Configure URL signing. If you do not need the DCDN URL signing feature, log on to the DCDN console and disable it.

Error message: X-Tengine-Error: denied by req auth: expired timestamp

  • Cause: The signed URL has expired. This occurs because URL signing is enabled for DCDN and the timestamp in the authentication parameter has passed.

  • Solution: If the signed URL has expired, generate a new signed URL. For more information, see Configure URL signing.

Error message: X-Tengine-Error: denied by req auth: invalid md5hash

  • Cause: A computation error occurred during authentication. The MD5 hash of the authentication parameter is incorrect.

  • Solution: You can use the URL generator in the DCDN console to generate a URL and compare it with your signing code. You can also refer to Signing code examples.
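The three conditions above can be checked locally before you compare a URL against the console's URL generator. This is an added example, not Alibaba Cloud's signing code: it assumes the type A layout `auth_key={timestamp}-{rand}-{uid}-{md5hash}` with `md5hash = MD5("{path}-{timestamp}-{rand}-{uid}-{key}")`, treats the timestamp as the expiry time, and uses a constructed key and URL; `sign_url` and `diagnose` are hypothetical helper names.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs

def sign_url(url, key, expires, rand="0", uid="0"):
    """Append auth_key in the assumed type A layout to a URL."""
    parts = urlsplit(url)
    # Only the URI path is signed, not the scheme, host or query string.
    to_sign = f"{parts.path}-{expires}-{rand}-{uid}-{key}"
    digest = hashlib.md5(to_sign.encode()).hexdigest()
    sep = "&" if parts.query else "?"
    return f"{url}{sep}auth_key={expires}-{rand}-{uid}-{digest}"

def diagnose(url, key, now):
    """Return the X-Tengine-Error reasons from this page that apply to url."""
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("auth_key")
    if not values:
        return ["no url arg auth_key"]
    fields = values[0].split("-")
    if len(fields) != 4 or not fields[0].isdigit():
        # Local label only; not an error string taken from DCDN.
        return ["malformed auth_key"]
    expires, rand, uid, got = fields
    problems = []
    if now > int(expires):
        problems.append("expired timestamp")
    # Recompute the hash from the URL's own fields and the shared key.
    to_sign = f"{parts.path}-{expires}-{rand}-{uid}-{key}"
    want = hashlib.md5(to_sign.encode()).hexdigest()
    if not hmac.compare_digest(want.encode(), got.lower().encode()):
        problems.append("invalid md5hash")
    return problems

if __name__ == "__main__":
    KEY = "constructed-key-123"                  # constructed sample key
    URL = "https://example.com/video/a.mp4"      # constructed sample URL
    signed = sign_url(URL, KEY, expires=1700000000)
    print(diagnose(signed, KEY, now=1699999000))          # still valid
    print(diagnose(signed, KEY, now=1700000500))          # past expiry
    print(diagnose(URL, KEY, now=1699999000))             # unsigned URL
    print(diagnose(signed, "wrong-key", now=1699999000))  # key mismatch
```

An empty list means the URL passes all three checks under these assumptions; a list with both `expired timestamp` and `invalid md5hash` points to a signer that has the wrong key as well as a stale clock or an expiry that is too short.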

Can I enable DCDN URL signing and remote authentication at the same time?

Yes, you can. If both features are enabled, requests are first processed by URL signing and then by remote authentication.

Can I use a private network address for the remote authentication server?

No, you cannot. The remote authentication server must have a public network address.

If the authentication server returns a status code that is neither a success nor a failure code, why does DCDN grant access?

To prevent unexpected responses from blocking all user requests, DCDN grants access by default when the authentication server returns a status code that is not defined as a success or failure code. For example, if the success status code is set to 200 and the authentication server returns 201, the user request is granted.

In the console, you can set the Allow Other Status Codes parameter to specify whether to grant access for other status codes returned by the authentication server.

If the remote authentication server has a fault or is down, does DCDN grant access to all requests?

No, it does not. If the remote authentication server has a fault or is down, the connection between DCDN and the authentication server times out. DCDN then processes user requests based on the setting of the Action on Timeout parameter.