If you have an authentication server, you can use remote authentication to forward user requests to it for validation.
How it works
Both remote authentication and URL signing are used to protect your content from unauthorized access. The main difference is how they are implemented:
-
URL signing: A user distributes the signing rules for a domain name to the DCDN nodes, and the DCDN nodes are responsible for the entire data interaction and authentication process.
-
Remote authentication: You provide your own authentication server. When a DCDN POP receives a request, it forwards the request to your server for validation. You must manage the authentication server.
The remote authentication process is as follows:
|
Step |
Description |
|
1 |
A client sends a request for a resource to a DCDN POP. The request includes authentication parameters. For example:
|
|
2 |
The DCDN POP receives the request and forwards it to the authentication server, either directly or after applying specified rules. For example:
|
|
3 |
The authentication server validates the request based on the authentication parameters and returns the result to the DCDN POP. |
|
4 |
The DCDN POP acts on the authentication result and returns a response to the client. Examples of authentication results:
|
Usage notes
-
After you configure remote authentication, requests that fail authentication can still reach the DCDN nodes. Although the requests are rejected by the DCDN nodes and a 403 status code is returned, the client requests are still recorded in the DCDN logs.
-
With remote authentication, requests are forwarded to your authentication server for validation. This means that you still incur minimal data transfer fees even when malicious requests are blocked by DCDN POPs. If the client uses HTTPS, you are also charged for the HTTPS requests because blocking malicious requests consumes DCDN POP resources.
-
Remote authentication does not support directory-based authentication scopes. You can set the authentication scope only by file type.
Procedure
-
Log on to the DCDN console.
-
In the left-side navigation pane, click Domain Names.
-
On the Domain Names page, find the target domain name and click Configure.
-
In the left-side navigation tree of the domain name, click Access Control.
-
Click the Remote Authentication tab.
-
Turn on the Remote Authentication switch and configure the parameters.
NoteAfter you enable remote authentication, every user request is forwarded to your authentication server for processing. If you expect high request volumes, ensure your authentication server has sufficient performance and capacity.
Parameter
Description
Authentication Server Address
The publicly accessible address of the authentication server. The system validates the format and value of the address that you enter.
-
Format requirements
The address must use the HTTP or HTTPS protocol. Examples:
-
http://example.com/auth
-
https://example.com/auth
-
http://192.0.2.1/auth
-
https://192.0.2.1/auth
-
-
Value requirements
The address cannot be 127.0.0.1 or localhost.
Request Method
The request method that is supported by the authentication server. You can select GET, HEAD, or POST. The default method is GET.
File Types
-
All: All file types are subject to authentication.
-
Specified: Only the specified file types are subject to authentication.
-
To specify multiple file types, separate them with a vertical bar (|), for example, mp4|flv.
-
File types are case-sensitive. For example, .jpg and JPG are treated as different file types.
-
URL signing parameters
Parameters to Retain
Controls which parameters from the user's request URL are included in the authentication request. Options include Retain All Parameters, Retain Specified Parameters, and Delete All URL Parameters.
-
If you retain specified parameters, separate multiple parameters with a vertical bar (|), for example, user|token.
-
Parameters are case-sensitive. For example, key and KEY are treated as different parameters.
Custom Parameters
Adds custom parameters to the request URL that the DCDN POP forwards to the authentication server. You can define custom key-value pairs or use preset variables from the DCDN console.
-
When you define custom parameters:
-
Separate multiple parameters with a vertical bar (|), for example,
token=$arg_token|vendor=ali_dcdn. -
Parameter values are case-sensitive. For example, key and KEY are treated as different values.
-
-
If you use preset variables, their values are added to the request that DCDN forwards to the authentication server.
For example, if you select the $http_host variable,
host=$http_hostis appended to the request URL, where$http_hostis the value of the Host header in the original request. For more information, see Variables.
Request header parameters
Request Headers to Retain
Controls which headers from the user's request are included in the authentication request. Options include Retain All Parameters, Retain Specified Parameters, and Delete All URL Parameters.
-
If you retain specified headers, separate multiple headers with a vertical bar (|), for example, user_agent|referer|cookies.
-
Header names are not case-sensitive. For example, http_remote_addr and HTTP_Remote_Addr are treated as the same header.
NoteWhen you select "Keep All Parameters", the DCDN node deletes the Host header by default. If you need to retain the Host header, you can use "Keep Specified Parameters" or "Add Custom Parameters" to do so. The reason the DCDN node deletes the Host header by default is that the Host header in the authentication request that the DCDN node forwards to the authentication server is the accelerated domain name. This may cause the authentication server to fail to recognize the authentication request, which results in a 404 status code and authentication failure.
Custom Parameters
Adds custom headers to the request that the DCDN POP forwards to the authentication server. You can define custom key-value pairs or use preset variables from the DCDN console.
-
When you define custom parameters:
-
Separate multiple headers with a vertical bar (|), for example,
User-Agent=$http_user_agent|vendor=ali_dcdn. -
Header names are not case-sensitive. For example, http_remote_addr and HTTP_Remote_Addr are treated as the same header.
-
-
If you use preset variables, their values are added to the request that DCDN forwards to the authentication server.
For example, if you select the $http_host variable,
host=$http_hostis appended to the request URL, where$http_hostis the value of the Host header in the original request. For more information, see Variables.
HTTP Status Code to Return
Passes Authentication
Description: The HTTP status codes that the authentication server returns to DCDN upon successful authentication. You can specify multiple status codes, separated by commas.
Example: If you set this parameter to
200,206, a response of200or206from the authentication server indicates that authentication is successful.Exception handling: To prevent all user traffic from being blocked due to an issue, if the authentication server returns a status code that is not in the success or failure lists, the DCDN POP allows the request by default.
Fails Authentication
Description: The HTTP status codes that the authentication server returns to DCDN upon failed authentication. You can specify multiple status codes, separated by commas.
Example: If you set this parameter to
400,403, a response of400or403from the authentication server indicates that authentication failed.Exception handling: To prevent all user traffic from being blocked due to an issue, if the authentication server returns a status code that is not in the success or failure lists, the DCDN POP allows the request by default.
Allow other status codes
-
Yes: If the authentication server returns a status code that is not in the success or failure lists, the DCDN POP allows the user request. This prevents service disruption from unexpected responses.
NoteFor example:
-
If the success status code is set to 200 and the server returns 201, the request is allowed.
-
If the failure status code is set to 403 and the server returns 404, the request is allowed.
-
-
No: If the authentication server returns a status code that is not in the success or failure lists, the DCDN POP rejects the user request.
Action performed by DCDN after authentication failure
Custom HTTP Status Code
The status code that the DCDN POP returns to the client when a request fails authentication.
For example, if you set this to 403, the DCDN POP returns a 403 status code to the client upon authentication failure.
Authentication timeout settings
Timeout
The time limit for an authentication request. The timer starts when the DCDN POP sends the request and it times out if the DCDN POP does not receive a response from the authentication server within this duration. Unit: milliseconds. The maximum value is 3000.
Action After Timeout
When the data interaction between DCDN and the authentication server times out, DCDN takes an action on the user request. The supported actions are Pass and Reject. The following describes the differences:
-
Allow: If authentication times out, the DCDN POP allows the user request.
-
Reject: If authentication times out, the DCDN POP rejects the user request and returns the Custom HTTP Status Code specified above.
-
-
-
Click OK to save the configuration.
After you successfully configure remote authentication, you can modify the settings or disable the feature on the Remote Authentication tab.
Variables
When you add custom parameters, you can use preset variables from the DCDN console. The following table describes the available variables.
|
Variable |
Description |
|
$http_host |
The value of the Host request header. |
|
$http_user_agent |
The value of the User-Agent request header. |
|
$http_referer |
The value of the Referer request header. |
|
$http_content_type |
The value of the Content-Type request header. |
|
$http_x_forward_for |
The value of the X-Forwarded-For request header. |
|
$remote_addr |
The client IP address of the request. |
|
$scheme |
The protocol of the request. |
|
$server_protocol |
The protocol version of the request. |
|
$uri |
The original URI of the request. |
|
$args |
The query string of the request, which does not include the question mark (?). |
|
$request_method |
The request method. |
|
$request_uri |
The request URI and its query string. |