Updated on 2024-10-16 GMT+08:00

Remote Authentication

Huawei Cloud CDN supports remote authentication. When a user requests a resource from a CDN PoP, CDN forwards the user request to a specific authentication server and determines whether to return the resource to the user based on the result returned by the authentication server.

Background

Remote authentication is similar to token authentication. Differences are as follows:

  • Token authentication: Authentication is performed by CDN PoPs.
  • Remote authentication: CDN PoPs forward user requests to a server you specify for authentication.

The remote authentication process is as follows.

Figure 1 Remote authentication process
Table 1 Process description

| Step | Description |
| --- | --- |
| 1 | A user carries authentication parameters to access a CDN PoP. |
| 2 | CDN forwards the request to a remote authentication server. |
| 3 | The remote authentication server verifies the request and returns a status code to the CDN PoP. |
| 4 | The CDN PoP determines whether to return the requested resource to the user based on the received status code. |

Precautions

  • Remote authentication is disabled by default.

Procedure

  1. Log in to Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

    The CDN console is displayed.

  2. In the navigation pane, choose Domains.
  3. In the domain list, click the target domain name or click Configure in the Operation column.
  4. Click the Access Control tab and click Edit next to Remote Authentication.
    Figure 2 Configuring remote authentication
    Table 2 Parameter description

    Authentication Server Address
      Description: IP address of a reachable server.
        • The address must include http:// or https://.
        • The address cannot be a local address such as localhost or 127.0.0.1.
        • The address cannot be an acceleration domain name added on CDN.
        • The default ports of the remote authentication server are 80 and 443. To change them, submit a service ticket.
      Example: https://example.com/auth

    Request Method
      Description: Request method supported by the authentication server. GET, POST, and HEAD are supported.
      Example: GET

    File Type
      Description:
        • All: Requests for all files are authenticated.
        • Specific file types: Requests for files of specified types are authenticated. Separate types by vertical bars (|), for example, jpg|MP4.
          • Enter up to 512 characters, including letters and digits.
        • File types are case insensitive. For example, jpg and JPG indicate the same file type.
      Example: All

    Parameters to Retain
      Description: Parameters that need to be authenticated in user requests. You can retain or ignore all URL parameters or retain specific URL parameters.
        • Parameters are case insensitive. Use vertical bars (|) to separate them.
      Example: All

    Custom URL Parameters
      Description: Parameters to be added when CDN PoPs forward user requests to the remote authentication server. You can select preset parameters or customize parameters (parameters and values are case insensitive).
        • Custom: Customize a parameter and set the value to a string.
        • Select: Select a preset or customized parameter and select a variable as the value.
      Example: Select http_host. Value: $http_host.

    Request Headers to Retain
      Description: Headers to be authenticated in user requests. You can retain or ignore all request headers or retain specific request headers.
        • Headers are case insensitive. Use vertical bars (|) to separate them.
      Example: All

    Custom Request Header Parameters
      Description: Request headers to be added when CDN PoPs forward user requests to the remote authentication server. You can select preset request headers or customize request headers (headers and values are case insensitive).
        • Custom: Customize a parameter and set the value to a string.
        • Select: Select a preset or customized parameter and select a preset variable as the value.
      Example: Select http_referer. Value: $http_referer.

    Success Status Code
      Description: Status code returned by the remote authentication server to CDN PoPs when authentication is successful.
        • Value range: 2xx and 3xx.
      Example: 200

    Failure Status Code
      Description: Status code returned by the remote authentication server to CDN PoPs when authentication fails.
        • Value range: 4xx and 5xx.
      Example: 403

    Custom Response Status Code
      Description: Status code returned by CDN PoPs to users when authentication fails.
        • Value range: 2xx, 3xx, 4xx, and 5xx.
      Example: 403

    Timeout Interval
      Description: Duration from the time when a CDN PoP forwards an authentication request to the time when the CDN PoP receives the result returned by the remote authentication server. Enter 0 or a value ranging from 50 to 3,000. The unit is milliseconds.
      Example: 60

    Action After Timeout
      Description: How CDN PoPs process a user request after authentication times out.
        • Accept: The user request will be accepted and the requested resource will be returned.
        • Reject: The user request will be rejected and the configured custom response status code will be returned.
      Example: Reject

    Table 3 Preset parameters

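    | Variable | Description | Remarks |
    | --- | --- | --- |
    | $http_host | Host value in the request header. | These values can be obtained only when client requests carry them. |
    | $http_user_agent | User-Agent value in the request header. | These values can be obtained only when client requests carry them. |
    | $http_referer | Referer value in the request header. | These values can be obtained only when client requests carry them. |
    | $http_x_forwarded_for | X-Forwarded-For value in the request header. | These values can be obtained only when client requests carry them. |
    | $http_content_type | Content-Type value in the request header. | These values can be obtained only when client requests carry them. |
    | $remote_addr | IP address of the client. | - |
    | $scheme | Protocol type of the request. | - |
    | $server_protocol | Protocol version of the request. | - |
    | $request_uri | Content of uri + ? + args | - |
    | $uri | Original URI of the request. | - |
    | $args | Query string of the request, excluding the question mark (?). | - |
    | $request_method | Request method. | - |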

  5. Configure parameters as prompted and click OK.
  6. (Optional) Disable remote authentication.
    • Switch off Status to disable remote authentication and clear all remote authentication settings. You need to set related parameters when enabling this function again.

Example

Assume that you have enabled remote authentication for example.com and configured settings shown in Figure 3.

  • Original request URL: https://example.com/folder01/test.txt?key=***. The request carries header test=123.
  • URL forwarded by CDN to the remote authentication server: GET https://192.168.9.1/remoteauth?key=***. The request carries header test=123.
  • Possible authentication results:
    • Successful. The CDN PoP serves cached content to the user.
    • Failed. The CDN PoP returns status code 403 to the user.
    • Timed out. The CDN PoP takes the action specified by Action After Timeout and accepts the user request.
Figure 3 Remote authentication
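
A remote authentication server that answers forwarded requests like the one in the example above, as an added example (not Huawei Cloud code). The token format carried in `key`, the shared secret, the listener address, and a custom URL parameter named `uri` set to `$uri` are assumptions; `http_host` is the custom URL parameter shown in Table 2.

```python
import hashlib
import hmac
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-secret"  # assumption: shared with whoever issues `key`
ALLOWED_HOSTS = {"example.com"}      # acceleration domain from the page's example
SUCCESS, FAILURE = 200, 403          # must match Success/Failure Status Code


def sign(host, uri, expires):
    """Assumed token format: '<expires>-<hex HMAC-SHA256 of host, uri, expires>'."""
    msg = f"{host}\n{uri}\n{expires}".encode()
    return f"{expires}-{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def decide(target, now):
    """Status code for one forwarded request, e.g. /remoteauth?key=...&http_host=..."""
    q = parse_qs(urlsplit(target).query)
    key, host, uri = (q.get(n, [""])[0] for n in ("key", "http_host", "uri"))
    host = host.lower()  # the page states parameter values are case insensitive
    expires = key.partition("-")[0]
    # Reject unknown hosts and malformed or oversized expiry fields before int().
    if host not in ALLOWED_HOSTS or not expires.isdecimal() or len(expires) > 12:
        return FAILURE
    if int(expires) < now:
        return FAILURE  # token expired
    expected = sign(host, uri, int(expires))
    ok = hmac.compare_digest(key.encode(), expected.encode())
    return SUCCESS if ok else FAILURE


class AuthHandler(BaseHTTPRequestHandler):
    def _answer(self):
        # Only a status code is returned; the CDN PoP acts on it.
        self.send_response(decide(self.path, time.time()))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = _answer  # the request methods the page lists


if __name__ == "__main__":
    # Assumption: a TLS-terminating proxy on port 443 forwards to this listener.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Keep the handler's response time well inside the configured Timeout Interval: with Action After Timeout set to Accept, a slow or unreachable authentication server results in user requests being accepted.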