Remote Authentication

Updated on 2024-08-22 GMT+08:00

Huawei Cloud CDN supports remote authentication. When a user requests a resource from a CDN PoP, CDN forwards the user request to a specific authentication server and determines whether to return the resource to the user based on the result returned by the authentication server.

Background

Remote authentication is similar to token authentication. Differences are as follows:

  • Token authentication: Authentication is performed by CDN PoPs.
  • Remote authentication: CDN PoPs forward user requests to a server you specify for authentication.

The remote authentication process is as follows.

Figure 1 Remote authentication process

Table 1 Process description

| Step | Description |
| --- | --- |
| 1 | A user carries authentication parameters to access a CDN PoP. |
| 2 | CDN forwards the request to a remote authentication server. |
| 3 | The remote authentication server verifies the request and returns a status code to the CDN PoP. |
| 4 | The CDN PoP determines whether to return the requested resource to the user based on the received status code. |

Precautions

  • Remote authentication is disabled by default.
  • Domain names with special configurations do not support remote authentication.

Procedure

  1. Log in to the Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

    The CDN console is displayed.

  2. In the navigation pane, choose Domains.
  3. In the domain list, click the target domain name or click Configure in the Operation column.
  4. Click the Access Control tab and click Edit next to Remote Authentication.
    Figure 2 Configuring remote authentication

    Table 2 Parameter description

    Authentication Server Address
      Description: IP address of a reachable server.
        • The address must include http:// or https://.
        • The address cannot be a local address such as localhost or 127.0.0.1.
        • The address cannot be an acceleration domain name added on CDN.
        • The default ports of the remote authentication server are 80 and 443. To change them, submit a service ticket.
      Example: https://example.com/auth

    Request Method
      Description: Request method supported by the authentication server. GET, POST, and HEAD are supported.
      Example: GET

    File Type
      Description:
        • All: Requests for all files are authenticated.
        • Specific file types: Requests for files of specified types are authenticated. Separate types by vertical bars (|), for example, jpg|MP4.
          • Enter up to 512 characters, including letters and digits.
        • File types are case insensitive. For example, jpg and JPG indicate the same file type.
      Example: All

    Parameters to Retain
      Description: Parameters that need to be authenticated in user requests. You can retain or ignore all URL parameters or retain specific URL parameters.
        • Parameters are case insensitive. Use vertical bars (|) to separate them.
      Example: All

    Custom URL Parameters
      Description: Parameters to be added when CDN PoPs forward user requests to the remote authentication server. You can select preset parameters or customize parameters (parameters and values are case insensitive).
        • Custom: Customize a parameter and set the value to a string.
        • Select: Select a preset or customized parameter and select a variable as the value.
      Example: Select http_host. Value: $http_host.

    Request Headers to Retain
      Description: Headers to be authenticated in user requests. You can retain or ignore all request headers or retain specific request headers.
        • Headers are case insensitive. Use vertical bars (|) to separate them.
      Example: All

    Custom Request Header Parameters
      Description: Request headers to be added when CDN PoPs forward user requests to the remote authentication server. You can select preset request headers or customize request headers (headers and values are case insensitive).
        • Custom: Customize a parameter and set the value to a string.
        • Select: Select a preset or customized parameter and select a preset variable as the value.
      Example: Select http_referer. Value: $http_referer.

    Success Status Code
      Description: Status code returned by the remote authentication server to CDN PoPs when authentication is successful.
        • Value range: 2xx and 3xx.
      Example: 200

    Failure Status Code
      Description: Status code returned by the remote authentication server to CDN PoPs when authentication fails.
        • Value range: 4xx and 5xx.
      Example: 403

    Custom Response Status Code
      Description: Status code returned by CDN PoPs to users when authentication fails.
        • Value range: 2xx, 3xx, 4xx, and 5xx.
      Example: 403

    Timeout Interval
      Description: Duration from the time when a CDN PoP forwards an authentication request to the time when the CDN PoP receives the result returned by the remote authentication server. Enter 0 or a value ranging from 50 to 3,000. The unit is milliseconds.
      Example: 60

    Action After Timeout
      Description: How CDN PoPs process a user request after authentication times out.
        • Accept: The user request will be accepted and the requested resource will be returned.
        • Reject: The user request will be rejected and the configured custom response status code will be returned.
      Example: Reject

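    Table 3 Preset parameters

    | Variable | Description | Remarks |
    | --- | --- | --- |
    | $http_host | Host value in the request header. | These values can be obtained only when client requests carry them. |
    | $http_user_agent | User-Agent value in the request header. | These values can be obtained only when client requests carry them. |
    | $http_referer | Referer value in the request header. | These values can be obtained only when client requests carry them. |
    | $http_x_forwarded_for | X-Forwarded-For value in the request header. | These values can be obtained only when client requests carry them. |
    | $http_content_type | Content-Type value in the request header. | These values can be obtained only when client requests carry them. |
    | $remote_addr | IP address of the client. | - |
    | $scheme | Protocol type of the request. | - |
    | $server_protocol | Protocol version of the request. | - |
    | $request_uri | Content of uri + ? + args. | - |
    | $uri | Original URI of the request. | - |
    | $args | Query string of the request, excluding the question mark (?). | - |
    | $request_method | Request method. | - |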

  5. Configure parameters as prompted and click OK.
  6. (Optional) Disable remote authentication.
    • Switch off Status to disable remote authentication and clear all remote authentication settings. You need to set related parameters when enabling this function again.

Example

Assume that you have enabled remote authentication for example.com and configured settings shown in Figure 3.

  • Original request URL: https://example.com/folder01/test.txt?key=***. The request carries header test=123.
  • URL forwarded by CDN to the remote authentication server: GET https://192.168.9.1/remoteauth?key=***. The request carries header test=123.
  • Possible authentication results:
    • Successful. The CDN PoP serves cached content to the user.
    • Failed. The CDN PoP returns status code 403 to the user.
    • Timed out. The CDN PoP takes the action specified by Action After Timeout and accepts the user request.
Figure 3 Remote authentication
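
The server side of this flow, as an added example (not Huawei Cloud code): a minimal authentication server that answers forwarded requests on /remoteauth with the configured success or failure status code. The key format (expiry plus HMAC-SHA256), the shared secret, and a custom URL parameter named uri set to $uri are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-secret"  # assumption: load from a secret store in practice
SUCCESS, FAILURE = 200, 403          # must match Success/Failure Status Code in the console


def sign(uri: str, expires: int) -> str:
    """Build the key value handed to a user (assumed format: <expiry>-<hex MAC>)."""
    mac = hmac.new(SECRET, f"{uri}\n{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}-{mac}"


def auth_status(target: str, now: float) -> int:
    """Return the status code for a forwarded request such as /remoteauth?key=...&uri=..."""
    parts = urlsplit(target)
    params = parse_qs(parts.query)
    key, uri = params.get("key", []), params.get("uri", [])
    # Fail closed: wrong path, missing or repeated parameters are all rejected.
    if parts.path != "/remoteauth" or len(key) != 1 or len(uri) != 1:
        return FAILURE
    expires, sep, _mac = key[0].partition("-")
    if not sep or not (expires.isascii() and expires.isdigit()) or int(expires) < now:
        return FAILURE
    # Constant-time comparison avoids leaking how many MAC characters matched.
    expected = sign(uri[0], int(expires)).encode()
    return SUCCESS if hmac.compare_digest(key[0].encode(), expected) else FAILURE


class RemoteAuthHandler(BaseHTTPRequestHandler):
    def _reply(self):
        self.send_response(auth_status(self.path, time.time()))
        self.send_header("Content-Length", "0")
        self.end_headers()

    # The console lets you pick GET, POST or HEAD as the Request Method.
    do_GET = do_POST = do_HEAD = _reply


if __name__ == "__main__":
    # CDN expects ports 80/443 by default; 8080 on loopback is for local testing only.
    HTTPServer(("127.0.0.1", 8080), RemoteAuthHandler).serve_forever()
```

The server must answer within the configured Timeout Interval. With Action After Timeout set to Accept, a slow or unreachable authentication server results in requests being served without a verdict, while Reject keeps the check fail-closed.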
