Remote Authentication

Background

Remote authentication is similar to token authentication. Differences are as follows:

• Token authentication: Authentication is performed by CDN PoPs.
• Remote authentication: CDN PoPs forward user requests to a server you specify for authentication.

The remote authentication process is as follows.

Figure 1 Remote authentication process

Precautions

• Remote authentication is disabled by default.

Procedure

1. Log in to Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

   The CDN console is displayed.

2. In the navigation pane, choose Domains.
3. In the domain list, click the target domain name or click Configure in the Operation column.
4. Click the Access Control tab and click Edit next to Remote Authentication.
   Figure 2 Configuring remote authentication
   

   Table 2 Parameter description

   Parameter	Description	Example
   Authentication Server Address	IP address of a reachable server. The address must include http:// or https://. The address cannot be a local address such as localhost or 127.0.0.1. The address cannot be an acceleration domain name added on CDN. The default ports of the remote authentication server are 80 and 443. To change them, submit a service ticket.	https://example.com/auth
   Request Method	Request method supported by the authentication server. GET, POST, and HEAD are supported.	GET
   File Type	All: Requests for all files are authenticated. Specific file types: Requests for files of specified types are authenticated. Separate types by vertical bars (|), for example, jpg|MP4. Enter up to 512 characters, including letters and digits. File types are case insensitive. For example, jpg and JPG indicate the same file type.	All
   Parameters to Retain	Parameters that need to be authenticated in user requests. You can retain or ignore all URL parameters or retain specific URL parameters. Parameters are case insensitive. Use vertical bars (|) to separate them.	All
   Custom URL Parameters	Parameters to be added when CDN PoPs forward user requests to the remote authentication server. You can select preset parameters or customize parameters (parameters and values are case insensitive). Custom: Customize a parameter and set the value to a string. Select: Select a preset or customized parameter and select a variable as the value.	Select http_host. Value: $http_host.
   Request Headers to Retain	Headers to be authenticated in user requests. You can retain or ignore all request headers or retain specific request headers. Headers are case insensitive. Use vertical bars (|) to separate them.	All
   Custom Request Header Parameters	Request headers to be added when CDN PoPs forward user requests to the remote authentication server. You can select preset request headers or customize request headers (headers and values are case insensitive). Custom: Customize a parameter and set the value to a string. Select: Select a preset or customized parameter and select a preset variable as the value.	Select http_referer. Value: $http_referer.
   Success Status Code	Status code returned by the remote authentication server to CDN PoPs when authentication is successful. Value range: 2xx and 3xx.	200
   Failure Status Code	Status code returned by the remote authentication server to CDN PoPs when authentication fails. Value range: 4xx and 5xx.	403
   Custom Response Status Code	Status code returned by CDN PoPs to users when authentication fails. Value range: 2xx, 3xx, 4xx, and 5xx.	403
   Timeout Interval	Duration from the time when a CDN PoP forwards an authentication request to the time when the CDN PoP receives the result returned by the remote authentication server. Enter 0 or a value ranging from 50 to 3,000. The unit is millisecond.	60
   Action After Timeout	How CDN PoPs process a user request after authentication times out. Accept: The user request will be accepted and the requested resource will be returned. Reject: The user request will be rejected and the configured custom response status code will be returned.	Reject

   Table 3 Preset parameters

   Variable	Description	Remarks
   $http_host	Host value in the request header.	These values can be obtained only when client requests carry them.
   $http_user_agent	User-Agent value in the request header.
   $http_referer	Referer value in the request header.
   $http_x_forwarded_for	X-Forwarded-For value in the request header.
   $http_content_type	Content-Type value in the request header.
   $remote_addr	IP address of the client.	-
   $scheme	Protocol type of the request.	-
   $server_protocol	Protocol version of the request.	-
   $request_uri	Content of uri + ? + args	-
   $uri	Original URI of the request.	-
   $args	Query string of the request, excluding the question mark (?).	-
   $request_method	Request method.	-

5. Configure parameters as prompted and click OK.
6. (Optional) Disable remote authentication.
   • Switch off Status to disable remote authentication and clear all remote authentication settings. You need to set related parameters when enabling this function again.

Example

Assume that you have enabled remote authentication for example.com and configured settings shown in Figure 3.

• Original request URL: https://example.com/folder01/test.txt?key=***. The request carries header test=123.
• URL forwarded by CDN to the remote authentication server: GET https://192.168.9.1/remoteauth?key=***. The request carries header test=123.
• Possible authentication results:
  • Successful. The CDN PoP serves cached content to the user.
  • Failed. The CDN PoP returns status code 403 to the user.
  • Timed out. The CDN PoP takes the action specified by Action After Timeout and accepts the user request.

Figure 3 Remote authentication