Updated on 2024-04-25 GMT+08:00

Remote Authentication

Huawei Cloud CDN supports remote authentication. When a user requests a resource from a CDN PoP, CDN forwards the user request to a specific authentication server and determines whether to return the resource to the user based on the result returned by the authentication server.

Background

Remote authentication is similar to token authentication. Differences are as follows:

  • Token authentication: Authentication is performed by CDN PoPs.
  • Remote authentication: CDN PoPs forward user requests to a specific authentication server for authentication.

The remote authentication process is as follows.

Figure 1 Remote authentication process

Table 1 Process description

| Step | Description |
| --- | --- |
| 1 | A user sends a request carrying authentication parameters to a CDN PoP. |
| 2 | CDN forwards the request to a remote authentication server. |
| 3 | The remote authentication server verifies the request and returns a status code to the CDN PoP. |
| 4 | The CDN PoP determines whether to return the requested resource to the user based on the received status code. |

Precautions

  • Remote authentication is disabled by default.
  • Domain names with special configurations do not support remote authentication.

Procedure

  1. Log in to the Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

    The CDN console is displayed.

  2. In the navigation pane, choose Domains.
  3. In the domain list, click the target domain name or click Configure in the Operation column.
  4. Click the Access Control tab and click Remote Authentication.
    Figure 2 Configuring remote authentication

    Table 2 Parameter description

    Authentication Server Address
      Description: IP address of a reachable server.
      • The address must include http:// or https://.
      • The address cannot be a local address such as localhost or 127.0.0.1.
      • The address cannot be an acceleration domain name added on CDN.
      • The default ports of the remote authentication server are 80 and 443. To change them, submit a service ticket.
      Example: https://example.com/auth

    Request Method
      Description: Request method supported by the authentication server. GET, POST, and HEAD are supported.
      Example: GET

    File Type
      Description:
      • All: Requests for all files are authenticated.
      • Specific file types: Requests for files of specified types are authenticated. Separate types by vertical bars (|), for example, jpg|MP4.
        • Enter up to 512 characters, including letters and digits.
      • File types are case insensitive. For example, jpg and JPG indicate the same file type.
      Example: All

    Parameters to Retain
      Description: Parameters that need to be authenticated in user requests. You can retain or ignore all URL parameters or retain specific URL parameters.
      • Parameters are case insensitive. Use vertical bars (|) to separate them.
      Example: All

    Custom URL Parameters
      Description: Parameters to be added when CDN PoPs forward user requests to the remote authentication server. You can select preset parameters or customize parameters (parameters and values are case insensitive).
      • Customize a parameter, which does not support variables.
      • Select a preset or customized parameter, which supports variables.
      Example: Select http_host. Value: $http_host.

    Request Headers to Retain
      Description: Headers to be authenticated in user requests. You can retain or ignore all request headers or retain specific request headers.
      • Headers are case insensitive. Use vertical bars (|) to separate them.
      Example: All

    Custom Request Header Parameters
      Description: Request headers to be added when CDN PoPs forward user requests to the remote authentication server. You can select preset request headers or customize request headers (headers and values are case insensitive).
      • Customize a parameter, which does not support variables.
      • Select a preset or customized parameter, which supports preset variables.
      Example: Select http_referer. Value: $http_referer.

    Success Status Code
      Description: Status code returned by the remote authentication server to CDN PoPs when authentication is successful.
      • Value range: 2xx and 3xx.
      Example: 200

    Failure Status Code
      Description: Status code returned by the remote authentication server to CDN PoPs when authentication fails.
      • Value range: 4xx and 5xx.
      Example: 403

    Custom Response Status Code
      Description: Status code returned by CDN PoPs to users when authentication fails.
      • Value range: 2xx, 3xx, 4xx, and 5xx.
      Example: 403

    Timeout Interval
      Description: Duration from the time when a CDN PoP forwards an authentication request to the time when the CDN PoP receives the result returned by the remote authentication server. Enter 0 or a value ranging from 50 to 3,000, in milliseconds.
      Example: 60

    Action After Timeout
      Description: How CDN PoPs process a user request after authentication times out.
      • Accept: The user request will be accepted and the requested resource will be returned.
      • Reject: The user request will be rejected and the configured custom response status code will be returned.
      Example: Reject

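    Table 3 Preset parameters

    | Variable | Description | Remarks |
    | --- | --- | --- |
    | $http_host | Host value in the request header. | These values can be obtained only when client requests carry them. |
    | $http_user_agent | User-Agent value in the request header. | These values can be obtained only when client requests carry them. |
    | $http_referer | Referer value in the request header. | These values can be obtained only when client requests carry them. |
    | $http_x_forwarded_for | X-Forwarded-For value in the request header. | These values can be obtained only when client requests carry them. |
    | $http_content_type | Content-Type value in the request header. | These values can be obtained only when client requests carry them. |
    | $remote_addr | IP address of the client. | - |
    | $scheme | Protocol type of the request. | - |
    | $server_protocol | Protocol version of the request. | - |
    | $request_uri | Content of uri + ? + args | - |
    | $uri | Original URI of the request. | - |
    | $args | Query string of the request, excluding the question mark (?). | - |
    | $request_method | Request method. | - |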

  5. Configure parameters as prompted and click OK.
  6. (Optional) Disable remote authentication.
    • Switch off Status to disable remote authentication and clear all remote authentication settings. You need to set related parameters when enabling this function again.
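
A sketch of the remote authentication server from step 3 of the process, answering with the Success and Failure status codes from Table 2. It is an added example, not Huawei Cloud code. It assumes a hypothetical HMAC token scheme, retained URL parameters named token and expires, and custom URL parameters http_host=$http_host and uri=$uri; SECRET and the listening address are constructed.

```python
import hashlib
import hmac
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-key"  # assumption: key shared with the token issuer
SUCCESS, FAILURE = 200, 403       # must match Success/Failure Status Code in the console
REQUIRED = ("token", "expires", "http_host", "uri")  # assumed parameter names


def sign(host, uri, expires):
    """Hypothetical token format: HMAC-SHA256 over host, URI and expiry."""
    msg = f"{host.lower()}\n{uri}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def decide(request_target, now=None):
    """Return the status code to send back to the CDN PoP."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    try:
        # A missing or repeated parameter fails here instead of being guessed at.
        (token,), (expires,), (host,), (uri,) = (query[k] for k in REQUIRED)
        expiry = int(expires)
    except (KeyError, ValueError):
        return FAILURE
    if expiry < (time.time() if now is None else now):
        return FAILURE  # expired link
    expected = sign(host, uri, expiry)
    # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
    ok = hmac.compare_digest(token.encode(), expected.encode())
    return SUCCESS if ok else FAILURE


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The PoP decides on the status code alone, so no body is sent.
        self.send_response(decide(self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET  # Request Method may also be configured as HEAD


if __name__ == "__main__":
    # Assumption: a TLS-terminating proxy exposes this on 443 for the PoPs.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

With Action After Timeout set to Reject, a slow or unreachable authentication server fails closed; with Accept, the resource is returned without any check.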