Remote authentication

更新时间:
复制 MD 格式

If you have an authentication server, you can use remote authentication to forward user requests to it for validation.

How it works

Both remote authentication and URL signing are used to protect your content from unauthorized access. The main difference is how they are implemented:

  • URL signing: A user distributes the signing rules for a domain name to the DCDN nodes, and the DCDN nodes are responsible for the entire data interaction and authentication process.

  • Remote authentication: You provide your own authentication server. When a DCDN POP receives a request, it forwards the request to your server for validation. You must manage the authentication server.

The remote authentication process is as follows:

Step

Description

1

A client sends a request for a resource to a DCDN POP. The request includes authentication parameters. For example:

  • Original request URL: https://example.com/123/test.txt?key=xxxxxxxxxx

  • Original request header: test=123

2

The DCDN POP receives the request and forwards it to the authentication server, either directly or after applying specified rules. For example:

  • Authentication server address: https://192.0.2.1/auth

  • The remote authentication feature in the DCDN console is configured to Retain all parameters and Retain all headers.

  • The URL that DCDN forwards to the authentication server is https://192.0.2.1/auth?key=xxxxxxxxxx.

  • The request that DCDN forwards to the authentication server includes the header test=123.

3

The authentication server validates the request based on the authentication parameters and returns the result to the DCDN POP.

4

The DCDN POP acts on the authentication result and returns a response to the client.

Examples of authentication results:

  • Example 1: Authentication is successful. The DCDN POP serves the cached content to the client.

  • Example 2: Authentication fails. The DCDN POP returns a 403 status code to the client.

  • Example 3: Authentication fails. The DCDN POP applies throttling to the client's requests.

  • Example 4: Authentication times out. The DCDN POP performs the default action for timeouts, which is to either allow or reject the request.

Usage notes

  • After you configure remote authentication, requests that fail authentication can still reach the DCDN nodes. Although the requests are rejected by the DCDN nodes and a 403 status code is returned, the client requests are still recorded in the DCDN logs.

  • With remote authentication, requests are forwarded to your authentication server for validation. This means that you still incur minimal data transfer fees even when malicious requests are blocked by DCDN POPs. If the client uses HTTPS, you are also charged for the HTTPS requests because blocking malicious requests consumes DCDN POP resources.

  • Remote authentication does not support directory-based authentication scopes. You can set the authentication scope only by file type.

Procedure

  1. Log on to the DCDN console.

  2. In the left-side navigation pane, click Domain Names.

  3. On the Domain Names page, find the target domain name and click Configure.

  4. In the left-side navigation tree of the domain name, click Access Control.

  5. Click the Remote Authentication tab.

    1. Turn on the Remote Authentication switch and configure the parameters.

      Note

      After you enable remote authentication, every user request is forwarded to your authentication server for processing. If you expect high request volumes, ensure your authentication server has sufficient performance and capacity.

      Parameter

      Description

      Authentication Server Address

      The publicly accessible address of the authentication server. The system validates the format and value of the address that you enter.

      • Format requirements

        The address must use the HTTP or HTTPS protocol. Examples:

        • http://example.com/auth

        • https://example.com/auth

        • http://192.0.2.1/auth

        • https://192.0.2.1/auth

      • Value requirements

        The address cannot be 127.0.0.1 or localhost.

      Request Method

      The request method that is supported by the authentication server. You can select GET, HEAD, or POST. The default method is GET.

      File Types

      • All: All file types are subject to authentication.

      • Specified: Only the specified file types are subject to authentication.

        • To specify multiple file types, separate them with a vertical bar (|), for example, mp4|flv.

        • File types are case-sensitive. For example, .jpg and JPG are treated as different file types.

      URL signing parameters

      Parameters to Retain

      Controls which parameters from the user's request URL are included in the authentication request. Options include Retain All Parameters, Retain Specified Parameters, and Delete All URL Parameters.

      • If you retain specified parameters, separate multiple parameters with a vertical bar (|), for example, user|token.

      • Parameters are case-sensitive. For example, key and KEY are treated as different parameters.

      Custom Parameters

      Adds custom parameters to the request URL that the DCDN POP forwards to the authentication server. You can define custom key-value pairs or use preset variables from the DCDN console.

      • When you define custom parameters:

        • Separate multiple parameters with a vertical bar (|), for example, token=$arg_token|vendor=ali_dcdn.

        • Parameter values are case-sensitive. For example, key and KEY are treated as different values.

      • If you use preset variables, their values are added to the request that DCDN forwards to the authentication server.

        For example, if you select the $http_host variable, host=$http_host is appended to the request URL, where $http_host is the value of the Host header in the original request. For more information, see Variables.

      Request header parameters

      Request Headers to Retain

      Controls which headers from the user's request are included in the authentication request. Options include Retain All Parameters, Retain Specified Parameters, and Delete All URL Parameters.

      • If you retain specified headers, separate multiple headers with a vertical bar (|), for example, user_agent|referer|cookies.

      • Header names are not case-sensitive. For example, http_remote_addr and HTTP_Remote_Addr are treated as the same header.

      Note

      When you select "Keep All Parameters", the DCDN node deletes the Host header by default. If you need to retain the Host header, you can use "Keep Specified Parameters" or "Add Custom Parameters" to do so. The reason the DCDN node deletes the Host header by default is that the Host header in the authentication request that the DCDN node forwards to the authentication server is the accelerated domain name. This may cause the authentication server to fail to recognize the authentication request, which results in a 404 status code and authentication failure.

      Custom Parameters

      Adds custom headers to the request that the DCDN POP forwards to the authentication server. You can define custom key-value pairs or use preset variables from the DCDN console.

      • When you define custom parameters:

        • Separate multiple headers with a vertical bar (|), for example, User-Agent=$http_user_agent|vendor=ali_dcdn.

        • Header names are not case-sensitive. For example, http_remote_addr and HTTP_Remote_Addr are treated as the same header.

      • If you use preset variables, their values are added to the request that DCDN forwards to the authentication server.

        For example, if you select the $http_host variable, host=$http_host is appended to the request URL, where $http_host is the value of the Host header in the original request. For more information, see Variables.

      HTTP Status Code to Return

      Passes Authentication

      Description: The HTTP status codes that the authentication server returns to DCDN upon successful authentication. You can specify multiple status codes, separated by commas.

      Example: If you set this parameter to 200,206, a response of 200 or 206 from the authentication server indicates that authentication is successful.

      Exception handling: To prevent all user traffic from being blocked due to an issue, if the authentication server returns a status code that is not in the success or failure lists, the DCDN POP allows the request by default.

      Fails Authentication

      Description: The HTTP status codes that the authentication server returns to DCDN upon failed authentication. You can specify multiple status codes, separated by commas.

      Example: If you set this parameter to 400,403, a response of 400 or 403 from the authentication server indicates that authentication failed.

      Exception handling: To prevent all user traffic from being blocked due to an issue, if the authentication server returns a status code that is not in the success or failure lists, the DCDN POP allows the request by default.

      Allow other status codes

      • Yes: If the authentication server returns a status code that is not in the success or failure lists, the DCDN POP allows the user request. This prevents service disruption from unexpected responses.

        Note

        For example:

        • If the success status code is set to 200 and the server returns 201, the request is allowed.

        • If the failure status code is set to 403 and the server returns 404, the request is allowed.

      • No: If the authentication server returns a status code that is not in the success or failure lists, the DCDN POP rejects the user request.

      Action performed by DCDN after authentication failure

      Custom HTTP Status Code

      The status code that the DCDN POP returns to the client when a request fails authentication.

      For example, if you set this to 403, the DCDN POP returns a 403 status code to the client upon authentication failure.

      Authentication timeout settings

      Timeout

      The time limit for an authentication request. The timer starts when the DCDN POP sends the request and it times out if the DCDN POP does not receive a response from the authentication server within this duration. Unit: milliseconds. The maximum value is 3000.

      Action After Timeout

      When the data interaction between DCDN and the authentication server times out, DCDN takes an action on the user request. The supported actions are Pass and Reject. The following describes the differences:

      • Allow: If authentication times out, the DCDN POP allows the user request.

      • Reject: If authentication times out, the DCDN POP rejects the user request and returns the Custom HTTP Status Code specified above.

  6. Click OK to save the configuration.

    After you successfully configure remote authentication, you can modify the settings or disable the feature on the Remote Authentication tab.

Variables

When you add custom parameters, you can use preset variables from the DCDN console. The following table describes the available variables.

Variable

Description

$http_host

The value of the Host request header.

$http_user_agent

The value of the User-Agent request header.

$http_referer

The value of the Referer request header.

$http_content_type

The value of the Content-Type request header.

$http_x_forward_for

The value of the X-Forwarded-For request header.

$remote_addr

The client IP address of the request.

$scheme

The protocol of the request.

$server_protocol

The protocol version of the request.

$uri

The original URI of the request.

$args

The query string of the request, which does not include the question mark (?).

$request_method

The request method.

$request_uri

The request URI and its query string.

FAQ