Pull Zones: CDN


Pull Zones accelerate the distribution of static files. From this page you can view, add, edit and delete Pull Zones. For CDN to serve traffic, a minimum of one zone must be created. Each zone can be uniquely configured.


Adding a Pull Zone

Perform the following steps while logged into the CDN Control Panel to add a Pull Zone:

  • In the menu bar, under "Manage Zones", select "Pull Zones".
    The Pull Zones page is displayed. 

  • Click the "Add" button.
    Choose one of the following 5 types:

    Pull Zones

    • Site Acceleration: Select this zone type to cache a preset list of files ( <500mb ) from your website and serve it from the platform.
      • File types include:   css, js, jpg, jpeg, gif, ico, png, bmp, pict, csv, doc, pdf, pls, ppt, tif, tiff, eps, ejs, swf, midi, mid, ttf, eot, woff, otf, svg, svgz, webp, docx, xlsx, xls, pptx, ps, class, jar
    • Small files: Select this zone type to cache small (< 10mb) static content (Images, CSS, JavaScript) from your website and serve it from the platform. It is not recommended to select this this zone for large content (> 10mb), dynamic content or media streaming.
    • Large files: Select this zone type to cache large (> 10mb) static content (Software updates, File archives) from your website and serve it from the platform. It is not recommended to select this this zone for dynamic content or media streaming.
    • Video On Demand: Select this zone type to distribute video files that have been pre-recorded. The VoD Zone supports both pseudo streaming (seek to not-yet-downloaded portions of a video) for FLV and MP4 files, and Adaptive streaming (HLS).
    • Live Streaming: Select this zone type to distribute an HLS Live Stream. As the playlist file for HLS (m3u8) is dynamically generated for a Live Stream, the playlist file is only cached for a minimal time on the platform.
  • Each of the 5 zone types have basic settings for which you need to enter values and click the "Save" button. 

    Field NameDescription
    StatusCDN Zone can be Activate or Inactivate. The zone needs to be activated in order to serve traffic.
    TargetThe Target is the CDN Domain where the CNAME points to. The URL is calculated from your CNAME value.

    A CNAME, or Canonical Name record, is an entry within the Domain Name System (DNS) that specifies where a user can find your web pages. A CNAME is required to associate your domain with your CDN service.
    For example, you first create a CDN Zone and then create a DNS record for your domain (e.g. static.example.com) and point it to the CDN Domain of your zone (e.g. a2a23913007f60933db72f23f7462584.lswcdn.net). 


    Defines the URL (HTTP) of the customer’s source, on domain level.
    Example: http://source.example.com
    Content will be pulled from the customer’s origin and cached on the LeaseWeb CDN network when it is served to end-user for the first time. A request for http://static.example.com/file.jpg will be fetched from http://source.example.com/file.jpg and cached on the platform.

    The sub path is appended to the origin URL when fetching files for this zone. For example, with the following configuration:

    Origin: http://source.example.com
    Sub path: sub/path/

    A request for http://static.example.com/file.jpg will be fetched from http://source.example.com/sub/path/file.jpg.

  • Click the "Save" button.

Advanced settings for adding a Pull Zone

When adding a Pull Zone, you need to set the following advanced settings:

Alias domain

Sets an CNAME alias. An Alias can be used to have more than one name to point to the host.

Cache settings

Cache-control header

Defines the cache-control header that is served. By default, the cache-control headers are inherited from the origin.

The content is cached on your browser. If website content changes frequently, set a lower value. The options you can select are explained below:

- Inherit from origin (disabled): The CDN platform will not modify the cache headers, but will provide the cache headers that are provided by the origin server.

- No caching: Your browser will not cache the data.

- Re-validate: Your browser will request the CDN platform to verify if the content has changed. If yes, the CDN platform provides the updated file to the browser. If not, the browser cache is used.

- <select any time period>: Your browser will cache the data based on the time that you set.


When using Live streaming pull zone type there is a special handling for playlist files. They are always sent with "Cache-Control: no-cache, no-store" irregardless of settings defined in this section. In addition to that they are cached by CDN for 1 second to alleviate the origin load. In live streaming playlist files are very short-lived objects and there is no reason to cache them for longer.

404 response caching

Defines the time in seconds the 'Not found' (404) responses are cached for. The default value is 5 seconds.

Cold hit seeking

This setting is only available for Video on Demand pull zone type. Enabling it will allow your visitors to have a better experience when they try to seek videos (for example watching the video starting from the middle) that are not yet cached by CDN with the cost of the increased origin load. This works by proxying seeking cold hits directly to origin while full file is also requested from the origin to be cached in CDN.

This setting is only available for the Site Acceleration pull zone type. When enabled it will configure the zone to cache all object types including HTML web pages. Please note that depending on your zone and origin setup enabling this option can pose the privacy risks. For example, if your origin supports site management web interface (e.g. a CMS system) with cookie based logins and you enable 'Cache all objects' and 'Ignore cookies' then the management pages with sensitive information will probably get cached. This is just one example, there other types of setup that can leak private information.

Headers settings

Add HTTP Headers

Specify which HTTP headers you want to add to the HTTP request.


  • Access-Control-Allow-Origin: *
  • Cache-Control: must-revalidate
Remove HTTP Headers

 Specify which HTTP headers you want to remove from the HTTP request.


  • Cache-Control
  • X-AspNet-Version

For Small Files and Site Acceleration pull zone types you can override the HTTP Host header field value that CDN sends to the origin. Usually the value of the header depends on the domain name of the origin, but you may choose to override the default. This might be useful if for example you want to avoid creating additional DNS entries when switching over to CDN.

Rate limit settings

Transfer rate

Limits the bandwidth per single connection. Bandwidth throttling is set in kB/s (i.e. 1000 Bytes per second.) By default, no bandwidth throttling is applied. Changing this value will not affect existing connections.

Burst size

The initial data that can be downloaded at full speed before the above transfer rate takes effect.

Edge settings

Gzip compression

Reduces the size of web content and improves the overall speed.
LeaseWeb CDN currently only gzips the following types:


Ignore cookies

When set to Active the edge servers will ignore cookies. This will affect the server side cookies but not the client side cookies (e.g.: Google analytics).

When working with cookies, each user will get their own cached version due to the unique session ID. By activating the "Ignore Cookies" the edge will be able to cache your content more effectively.

Ignore Vary Headers

When set to Inactive the Vary headers will be taken into account for caching.

Because many web servers send incorrect Vary headers they are ignored by default. However, if you've put hard work into getting the Vary settings right, then this option can be used to optimize the CDN caching, resulting in better performance and more value.

Cache query string

By default the query string is not used to determine the cache key. For example, the URI's http://example.com/file?key=val1 will result in the same cache key as http://example.com/file?key=val2

If the query string determines the content of an object, you can use this option to specify what part of the query string is important. If the whole query string determines the content of the object, then select Full. If only part of the query string is relevant, then you can select Partial and provide a list of important parameters.

Use Stale

When set to Active the edge servers will server stale/expired content when your Origin server is down.

Content Disposition

Force web browsers to download the file instead of displaying it. The following options are available:

  • Inherit from origin: disable the CDN management of "Content-Disposition" header and use what's being sent by origin in this regard
  • Always download: override origin and always send "Content-Disposition: attachment"
  • Query argument: check query argument (with the name specified below) and when it's set to "1" send "Content-Disposition: attachment", otherwise use origin headers

This setting is only available for Live Streaming pull zone type. Enabling this option will forward query arguments supplied for playlist and manifest files to origin. For example this allows video players to request specific date and time intervals for playing back recorded live event in case visitors missed it.

HTTP redirect

Use this option to redirect users from http to https with either the "Temporary" (302) or "Permanent" (301) HTTP response.

Security Settings

Blocked Countries

Blocked countries will block users based their IP address. We use the GeoIP database from MaxMind to match the IP to a country. Although this database is very accurate, we can not guarantee a 100% correctness when you enable this feature.


If you blacklisted any countries, but you allow specific IP's to have access, you can use the Whitelist to realize this. Add individual IP addresses or IP subnets to this list to ensure those users are allowed to access your content.

  • For example: you have added United States to the Block Countries list, but want to allow users from the IP subnet ( and Simply add this subnet to the whitelist to ensure users from those IP addresses to have access to your content.
  • Subnets /24 and up are supported.

Protects customer's content from hot linking, also called inline linking, by setting HTTP referral restrictions. By enabling this option, you can restrict direct linking to one or multiple entries, which may be a single word, a partial one, or a full domain name.

Secure URL

When activated, the zone will be protected, and files will be accessible with either a simple secret or a AES/SHA key.

If Secure URL is activated, the Cache query string settings will be ignored, and query parameters will not be treated as unique cacheable item.

Simple Secure URL

The following PHP script will generate the URL with secure tokens allowing you to access content

$cname = 'cdn.example.com'; // This is the CNAME of the CDN Zone.
$path = '/path/to/secret_file.pdf'; // This is the file that is served to the visitor.
$secret = '<secret>'; // The Global Secret configured in the Pull Zone.
$expire = time() + 86400; // At which point in time the file should expire. time() + x; would be the usual usage.
$ip = "";  // IP address allowed to access the URL, leave empty for no restriction.
$embed_into_path = false; // Set to true if tokens should be part of the URL.
$number_of_path_components = -1; // Number of first path components that will be protected, -1 stands for "Whole URL".

if ($number_of_path_components == -1) {
    $secured_path = $path;
} else {
    $matches = [];
    if (preg_match("!^(?:/[^/]+){{$number_of_path_components}}!", $path, $matches)) {
        $secured_path = $matches[0];
    } else {
        $secured_path = $path;
$secure_url = $secret . $ip . $secured_path . $expire;
$secure_url_md5 = md5($secure_url, true);
$secure_url_base64 = base64_encode($secure_url_md5);
$secure_url_strtr = strtr($secure_url_base64, "+/", "-_");
$secure_url_replace = str_replace("=", "", $secure_url_strtr);

if ($embed_into_path) {
    $secret_url_final = "http://$cname/$secure_url_replace/$expire" . $path;
} else {
    $secret_url_final = "http://$cname" . $path . '?st=' . $secure_url_replace . '&e=' . $expire;
echo $secret_url_final . "\n";

Note that there is no slash (/) at the end of the $path variable, it's important not to include it during hashing.

When enabled a page can be viewed by the visitor even if its URL doesn't contain valid tokens as long as the Referer HTTP header is a URL with valid secure url tokens. This can be useful if you want to secure an index page with the links to the content, but you want to keep the page and links to the content static and not update them with secure tokens on every page view. Please note that if both page and Referer URLs contain secure tokens those from the page URL will be used.

Secure URL IP Restriction

When Secure URL is activated, you can choose to restrict protected links to the visitors IP address.

Only Secure Manifest

Applicable only to Live Streaming pull zones, if enabled then only the manifest and playlist files will be covered by the Secure URL, the video chunks will be freely available for download.

Embed token into path

When activated changes the position of Secure URL tokens from query arguments to the beginning of the path. It can be useful for e.g. securing the video chunks under the specific path without changing the playlist that contains relative paths. The URL is changed as follows: st argument value becomes the first path component, the e argument becomes the second path component, the actual path starts with the third component.




Number of path components

When set to the value other than “Whole URL” this option allows you to limit the amount of path components that are protected by the Secure URL. So you have the ability to secure the directory and all its files and subdirectories with a single Secure URL generated token.

Encrypted Secure URL

PHP example
function base64url_encode($data)
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');

function base64url_decode($data)
    return base64_decode(str_pad(strtr($data, '-_', '+/'), strlen($data) % 4, '=', STR_PAD_RIGHT));

function aes_encrypt($data, $aes_key, $sha_key)
    // apply PKCS#7 padding
    $pad = 16 - strlen($data) % 16;
    $data .= str_repeat(chr($pad), $pad);
    // generate random IV
    $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), MCRYPT_DEV_URANDOM);
    // apply AES-256-CBC
    $crypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $aes_key, $data, MCRYPT_MODE_CBC, $iv);
    // add SHA-256 HMAC
    $sha = hash_hmac('sha256', $iv . $crypt, $sha_key, true);
    // return everything
    return $iv . $crypt . $sha;

$aes_key = pack('H*', '<aes_key>'); // e.g. 34B6337D3F9A0F35F7705F6B97419A05DA5CF013CD2C03DC4D5D00A183FF286A
$sha_key = pack('H*', '<sha_key>'); // e.g. A018E6F952A89E7E5A0DD1C5FD36530351FD22324CB4084DA4EA903E690697A4

$scheme = "http"; // http or https.
$cname = 'cdn.example.com'; // This is the CNAME of the CDN Zone.
$path = '/path/to/secret_file.pdf'; // This is the path/file that is served to the visitor.

$expire = time() + 3600; // At which point in time the file should expire. time() + x; would be the usual usage.
$remote_address = ""; // ipv4 or ipv6 network range that is allowed to access url in CIDR notation.
$transfer_rate = "256"; // the maximum speed per connection at which an individual visitor can download.
$burst_size = "4096"; // the data that can be downloaded before the transfer rate applies.

$embed_into_path = false; // Set to true if tokens should be part of the URL.
$number_of_path_components = -1; // Number of first path components that will be protected.

if ($number_of_path_components == -1) {
    $secured_path = $path;
} else {
    $matches = [];
    if (preg_match("!^(?:/[^/]+){{$number_of_path_components}}!", $path, $matches)) {
        $secured_path = $matches[0];
    } else {
        $secured_path = $path;
$args = "path=$secured_path&expire=$expire&ip=$remote_address&ri=$burst_size&rs=$transfer_rate";
$token = base64url_encode(aes_encrypt($args, $aes_key, $sha_key));
if ($embed_into_path) {
    $final_url = "$scheme://$cname/$token$path";
} else {
    $final_url = "$scheme://$cname$path?key=$token";
echo $final_url . "\n";

SSL certificate

This option allows you to use HTTPS with your own certificate for the specified pull zone.

SSL support

Activate this option to enable the ability to upload custom SSL certificate.

Private key

SSL private key that corresponds to the site certificate. Private key must have no password protection set. Private key is usually generated by you and a Domain certificate is issued by the external Certificate Authority based on your Private key.

Domain certificate

Certificate for the domain of your pull zone. It must correspond to the Private key you provided earlier. The certificate must be valid at the time of the upload and must contain Common Name or Subject Alternative Name fields that correspond to the domain of the pull zone. Domain certificate is usually issued by the Certificate Authority based on your Private key.

Intermediate CA bundle (optional)

Intermediate certificates of the Certificate Authority that issued your Domain certificate. Can contain several certificates one after another. They must form a proper chain of trust between Domain certificate and one of the common Root certificates. Intermediate CA bundle is usually provided by the Certificate Authority that issued your Domain certificate.

Let's Encrypt

Unfortunately we do not yet support Let's Encrypt.

Viewing a Pull Zone

Perform the following steps while logged into the CDN Control Panel to add a Pull Zone:

  1. On the Pull Zones page click the "View" button for the zone for which you want to view the details.
  2. The Pull Zone details page is displayed.

Editing a Pull Zone

Perform the following steps while logged into the CDN Control Panel to edit a Pull Zone:

  1. On the Pull Zones page click the "Edit" button next to the zone that you want to edit.
    The Edit page for that particular zone type is displayed.

  2. Update the information and click the "Save" button. 

Deleting a Pull Zone

Perform the following steps while logged into the CDN Control Panel to delete a Pull Zone:

  1. On the Pull Zones page click the "Delete" button for the zone that you want to delete.
  2. A confirmation box is displayed.

  3. Click the "OK" button to confirm deleting the selected zone.