Remote Authentication
Huawei Cloud CDN supports remote authentication. When a user requests a resource from a CDN PoP, CDN forwards the user request to a specific authentication server and determines whether to return the resource to the user based on the result returned by the authentication server.
Background
Remote authentication is similar to token authentication. Differences are as follows:
- Token authentication: Authentication is performed by CDN PoPs.
- Remote authentication: CDN PoPs forward user requests to a server you specify for authentication.
The remote authentication process is as follows.
Step | Description |
---|---|
1 | A user carries authentication parameters to access a CDN PoP. |
2 | CDN forwards the request to a remote authentication server. |
3 | The remote authentication server verifies the request and returns a status code to the CDN PoP. |
4 | The CDN PoP determines whether to return the requested resource to the user based on the received status code. |
Precautions
- Remote authentication is disabled by default.
Procedure
- Log in to Huawei Cloud console. Choose .
The CDN console is displayed.
- In the navigation pane, choose .
- In the domain list, click the target domain name or click Configure in the Operation column.
- Click the Access Control tab and click Edit next to Remote Authentication.
Figure 2 Configuring remote authentication
Table 2 Parameter description

Parameter | Description | Example |
---|---|---|
Authentication Server Address | IP address of a reachable server. The address must include http:// or https://. The address cannot be a local address such as localhost or 127.0.0.1. The address cannot be an acceleration domain name added on CDN. The default ports of the remote authentication server are 80 and 443. To change them, submit a service ticket. | https://example.com/auth |
Request Method | Request method supported by the authentication server. GET, POST, and HEAD are supported. | GET |
File Type | All: Requests for all files are authenticated. Specific file types: Requests for files of specified types are authenticated. Separate types by vertical bars (\|), for example, jpg\|MP4. Enter up to 512 characters, including letters and digits. File types are case insensitive. For example, jpg and JPG indicate the same file type. | All |
Parameters to Retain | Parameters that need to be authenticated in user requests. You can retain or ignore all URL parameters or retain specific URL parameters. Parameters are case insensitive. Use vertical bars (\|) to separate them. | All |
Custom URL Parameters | Parameters to be added when CDN PoPs forward user requests to the remote authentication server. You can select preset parameters or customize parameters (parameters and values are case insensitive). Custom: Customize a parameter and set the value to a string. Select: Select a preset or customized parameter and select a variable as the value. | Select http_host. Value: $http_host. |
Request Headers to Retain | Headers to be authenticated in user requests. You can retain or ignore all request headers or retain specific request headers. Headers are case insensitive. Use vertical bars (\|) to separate them. | All |
Custom Request Header Parameters | Request headers to be added when CDN PoPs forward user requests to the remote authentication server. You can select preset request headers or customize request headers (headers and values are case insensitive). Custom: Customize a parameter and set the value to a string. Select: Select a preset or customized parameter and select a preset variable as the value. | Select http_referer. Value: $http_referer. |
Success Status Code | Status code returned by the remote authentication server to CDN PoPs when authentication is successful. Value range: 2xx and 3xx. | 200 |
Failure Status Code | Status code returned by the remote authentication server to CDN PoPs when authentication fails. Value range: 4xx and 5xx. | 403 |
Custom Response Status Code | Status code returned by CDN PoPs to users when authentication fails. Value range: 2xx, 3xx, 4xx, and 5xx. | 403 |
Timeout Interval | Duration from the time when a CDN PoP forwards an authentication request to the time when the CDN PoP receives the result returned by the remote authentication server. Enter 0 or a value ranging from 50 to 3,000. The unit is millisecond. | 60 |
Action After Timeout | How CDN PoPs process a user request after authentication times out. Accept: The user request will be accepted and the requested resource will be returned. Reject: The user request will be rejected and the configured custom response status code will be returned. | Reject |
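Table 3 Preset parameters

Variable | Description | Remarks |
---|---|---|
$http_host | Host value in the request header. | These values can be obtained only when client requests carry them. |
$http_user_agent | User-Agent value in the request header. | These values can be obtained only when client requests carry them. |
$http_referer | Referer value in the request header. | These values can be obtained only when client requests carry them. |
$http_x_forwarded_for | X-Forwarded-For value in the request header. | These values can be obtained only when client requests carry them. |
$http_content_type | Content-Type value in the request header. | These values can be obtained only when client requests carry them. |
$remote_addr | IP address of the client. | - |
$scheme | Protocol type of the request. | - |
$server_protocol | Protocol version of the request. | - |
$request_uri | Content of uri + ? + args | - |
$uri | Original URI of the request. | - |
$args | Query string of the request, excluding the question mark (?). | - |
$request_method | Request method. | - |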
- Configure parameters as prompted and click OK.
- (Optional) Disable remote authentication.
- Switch off Status to disable remote authentication and clear all remote authentication settings. You need to set related parameters when enabling this function again.
Example
Assume that you have enabled remote authentication for example.com and configured settings shown in Figure 3.
- Original request URL: https://example.com/folder01/test.txt?key=***. The request carries header test=123.
- URL forwarded by CDN to the remote authentication server: GET https://192.168.9.1/remoteauth?key=***. The request carries header test=123.
- Possible authentication results:
- Successful. The CDN PoP serves cached content to the user.
- Failed. The CDN PoP returns status code 403 to the user.
- Timed out. The CDN PoP takes the action specified by Action After Timeout and accepts the user request.
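A minimal remote authentication server for the flow in this example, added here for illustration and not Huawei Cloud code. It assumes a hypothetical key format (`<unix expiry>-<hex HMAC>`), a constructed demo secret, and a custom URL parameter named `uri` with the preset value `$uri`, so the key can be bound to the requested path:

```python
import hashlib
import hmac
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-secret"  # assumption: shared with the key issuer
SUCCESS, FAILURE = 200, 403          # the page's example status codes


def make_key(uri, expires):
    """Hypothetical key format: '<expiry>-<hex HMAC-SHA256 of uri|expiry>'."""
    mac = hmac.new(SECRET, f"{uri}|{expires}".encode(), hashlib.sha256)
    return f"{expires}-{mac.hexdigest()}"


def decide(target, now=None):
    """Return the status code for one request target forwarded by a CDN PoP."""
    now = time.time() if now is None else now
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    keys, uris = query.get("key", []), query.get("uri", [])
    if len(keys) != 1 or len(uris) != 1:
        return FAILURE  # missing or duplicated parameter
    expires, sep, _ = keys[0].partition("-")
    if not (sep and expires.isdecimal() and len(expires) <= 12):
        return FAILURE  # malformed key
    if int(expires) < now:
        return FAILURE  # expired key
    # Constant-time comparison; the key is only valid for the path it signs.
    expected = make_key(uris[0], expires).encode()
    ok = hmac.compare_digest(keys[0].encode(), expected)
    return SUCCESS if ok else FAILURE


class AuthHandler(BaseHTTPRequestHandler):
    """Answers with a bare status code, which is all the CDN PoP evaluates."""

    def _reply(self):
        self.send_response(decide(self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = _reply  # request methods the page lists


if __name__ == "__main__":
    # Constructed local demo; a real server must be reachable by CDN PoPs.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

The server has to answer within the configured Timeout Interval; with Action After Timeout set to Accept, a slow or unreachable authentication server results in requests being accepted.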