CDN dashboard


Logging into the CDN dashboard

There are two ways with which you can login to the CDN:

1. Logging in from the Leaseweb Customer Portal

When logged into the customer portal, you should see a CDN menu item on the left panel. If you click on it, the option Control Panel will appear. On clicking it, you will be redirected to the CDN login page. There you can use your CDN credentials to login. 

origin in the Select origin pan


2. Logging in directly

You can also login directly by visiting the following URL: https://portal.cdn.leaseweb.com/ and using your username and password. The field 2FA code is optional: If you are not using two-factor authentication you can leave it blank.

CDN IP ranges

Depending on your security requirements, you may want to keep your origin server(s) inaccessible from the public Internet by means of a firewall. In this case, it is necessary to explicitly allow CDN nodes to connect to your origin setup by allowing (whitelisting) their IP addresses on your firewall setup.

The CDN is constantly changing, adding new locations and new partner CDNs, which means that the IP addresses of the edge nodes that may connect to your origin(s) also change. For that reason we provide an API endpoint that lists all IP address ranges that our CDN uses. You can find this API endpoint in the following URL: https://portal.leasewebultracdn.com/apidoc.html#!/Infrastructure/getIps

CDN API

You can use the CDN dashboard to easily manage all aspects of your CDN account and settings. This method of manual settings management does not allow for automating tasks or interfacing with other systems however, and becomes cumbersome in setups with a large amount of properties. For these situations we offer a RESTful API with which you can access all of the CDN's features in an a structured and platform-agnostic way. For authentication, the CDN API uses OAuth2.

To see an overview of all API capabilities and how to access them, please visit this URL: https://portal.cdn.leaseweb.com/apidoc.html

Origins

Origin servers are the hosts which the CDN fetches content from. For that reason, your origin servers are probably the first thing you should setup in your account to be able to use the CDN.

There are four (4) different types of origins that can be setup: Simple, advanced, object storage and origin group. To create a new origin or modify an existing one, look for the menu item "Origins", below "Configuration" on the main menu on the left side of the dashboard. If you click on it, the four different types will appear beneath it. By clicking on any of the four types, you'll get a list of all the existing origins of that specific type. The list allows you to edit or delete any existing origins. You can add a new origin of the selected type by clicking on the "plus" icon at the top-right corner of the origin list.

Simple origin

This is the simplest type of origin available on the CDN. For each origin, you only need to provide a description which is meaningful to you and a host. In the host field you can specify the hostname or the IP address of your origin. You shouldn't specify a protocol (http:// or https://) in this field, as this is configured in the distribution's cache policy.

Advanced origin

An advanced origin works exactly like a simple one, except that it allows you to modify three additional options:


HTTP port

Here you can specify if your origin listens on a port for HTTP requests that is different from the standard (80),

HTTPS port

If your origin listens for HTTPS requests on a port different than the standard (443), you can specify that port number here.

Path / subdirectory

In the case that the origin's contents exist within a specific subdirectory, you can specify this path here. By doing this, you avoid having to include this subdirectory in the path of the requests sent to the CDN.

Object storage origin

This is a special type of origin that supports the Amazon S3 object storage protocol instead of plain HTTP/HTTPS. Object storage origins are also compatible with alternative implementations of the protocol, like the ceph/RADOS object storage system.

You can use object storage origins with single and shield CDN distributions only. Multi CDN distributions cannot be setup with object storage origins directly because most 3rd-party CDNs do not support this functionality. This can be remedied by using a shield CDN distribution as origin to your multi CDN one.

The following fields can be configured:

Description

A name for this origin that is meaningful to you

Host

The hostname (or IP address) of the S3 object storage endpoint to use. For example: s3.eu-central-1.amazonaws.com

Access Key ID

In S3 lingo, this is equivalent to the username to use in order to access the object storage service. It's usually a random alphanumeric string

Bucket

The bucket name to use in order to pull content from the S3 storage.

Secret access key

Here you can specify the secret access key that allows you to access the S3 content. This is equivalent to the password value in S3 lingo.

Origin group

An origin group offers the most intricate origin setup possible. Origin groups support multiple origin hosts using different load-balancing methods and additionally allow origins to be setup as backups that will only be used if the main origins become inaccessible. Due to the nature of the Multi CDN platform, origin groups can only be used with Single CDN and shield distributions.

Before setting up an origin group, all of its individual origins need to be setup first as simple origins. You can find instructions on how to do this in the previous section called Simple origin. Advanced origins cannot be used within an origin group, only simple origins can. Object storage origins can be used within an origin group, but only if they are setup as simple origins, meaning without using any authentication.

To configure an origin group, the following fields need to be specified:

Description

A name for this origin that is meaningful to you

Load-balancing method

This field specifies how to distribute outgoing requests to the origins of the group. It provides the following four options:

  • Round-robin: requests are distributed evenly across all origins

  • Consistent: requests to the same URI are sent to the same origin based on a hash produced by the URI.

  • Sticky: requests from the same IP address are sent to the same origin based on a hash produced by the IP address.

  • Failover: requests are sent to the first origin in the group. If it becomes unavailable, requests are sent to the second origin and so on.

Fail time-out

If a request towards an origin is not successful within this time-out period, the request is considered as failed and is retried by another origin from the same group.

Keep Alive

Keep connections towards the origins open after making a request, so that the connection can be re-used by future requests. This improves performance because making a new connection takes time and server resources, but also increases the number of connections that are active at any given time.

Keep Alive Seconds

The amount of time in seconds to keep connections towards the origins open if Keep Alive is enabled. This value cannot be larger than 30 seconds, and should be lower than the read timeout settings on the origin.

Members

The origins that make up this origin group. Up to ten (10) different origins can be added here, and all of them need to be unique. For each member, the following two fields can be configured:

Origin

This field allows you to select an origin to add to the group from a list of already configured simple origins.

Status

Can be set as Active or Backup. Under normal operation, requests are only sent to Active origins. Requests are sent to Backup origins only if all the Active ones have become unreachable or otherwise inoperable.

Distributions

A distribution is a CDN property that provides caching and web acceleration for one or more origins. In simpler terms, while an origin is a service which the CDN fetches files from, a distribution is the service that caches and serves those files to customers.

The distribution configuration specifies how it can be accessed by customers. Its settings include its domain name, whether it should have HTTPS enabled and if so, which SSL certificate to use. More importantly, a distribution also contains a distribution policy (or more than one, depending on the distribution type). Policies dictate what, how and for how long content from the origin(s) will be cached, which directly affects the performance of content delivery. This makes distributions and policies arguably the most important part of the CDN configuration.

Our CDN platform supports different types of distributions which offer a variety of advantages but are also subject to different restrictions. Depending on the type of your account, you may not have access to some of them.

Multi-CDN distributions

Multi-CDN is the most popular type of distribution, because it allows content distribution by 3rd-party CDN systems. This greatly increases the amount of available locations to serve content from, which in turn results in higher speeds and lower latency for customers. The downside is that the features of this type of distribution are limited to the common subset that all our partner CDN systems support. For example, it is currently not possible to use URL protection (also known as URL tokens) with multi CDN distributions.

Before you create a Multi-CDN distribution, please make sure that you have first configured any origins you intent to use. Then on the main menu on the left, click Configuration > Distributions to expand the menu, then click Multi CDN to expand it. This will show the list of current Multi-CDN distributions under your account.

For each distribution, the following information is shown: number, description, status and target CNAME. While most of these are self-explanatory, the status icon shows whether the distribution configuration has been applied on all nodes. After you create a new distribution this icon will be red for a short amount of time, while waiting for the configuration to propagate on all relevant CDN nodes. Then it will turn in to a green check mark.

On the right side, buttons are provided which allow you to either modify or delete each distribution.

Add a Multi-CDN distribution

To create a new distribution, click on the + icon at the top-right corner of the list. In the form that appears, you'll be prompted to first enter the TLS settings for this distribution, which dictates whether your distribution will support HTTPS:

  • Select None if you don't use HTTPS.

  • If you have your own SSL certificates and you have uploaded them in Configuration > Certificates, select SNI TLS/SSL and choose the appropriate certificate in the field below.

  • If you don't have any SSL certificates of your own, you can select Shared TLS/SSL. This will allow you to use HTTPS with the CDN's own certificates, but that will only work correctly for the CNAME target, not your own domains.

If you haven't yet uploaded any SSL certificates and the dashboard shows none you can choose from, it is possible to create a new one right here in the wizard. Simply click on Create certificate and fill-in your SSL certificate and key.

If you click on Next, you'll be able to add a Description to the distribution. Please fill-in a description that is meaningful to you. Usually the endpoint hostname is used, for example "cdn.mysite.com".

Domain(s) are the entries within the Domain Name System (DNS) that specify where a user can find your web content (example: cdn.yourdomain.com). You can add one or more domains to a distribution. To do so, click Add domain and fill in the field that appears.

At this point, please click on the Next button to continue with the configuration of the distribution's cache policy. In the new screen that appears, you'll be able to specify the origin service where the CDN will pull content from.

In the field Pull origin in the Select origin pane, you have the option to quickly select one of the origins you may have already configured in the Configuration > Origins section. Alternatively, you can opt to pull content from a previously configured shield distribution, by selecting it in the field Shield distribution in the same pane. Only one of those two options can be selected and doing so will automatically de-select the other one. More information about what shield distributions are and why they are used can be found in the section Shield CDN distributions.

If you haven't yet setup any origins or shields, it is possible to add a new simple origin in the same window. Just expand the pane Create origin, fill-in the description field with a name that clearly identifies this origin to you (usually its own hostname is used) and finally fill in its actual hostname in the field Host. As described in the section Simple origins, a hostname or an IP address can be used in this field, without the protocol (http) or port (:443).

Click Next to go to the last stage of the setup wizard. You'll be presented with a window that describes how to point your domain name towards the automatically generated target CNAME in order to start sending traffic to your brand-new distribution. Finally, click on Save to finish saving the distribution configuration.


Modify a Multi-CDN distribution

Whereas adding a Multi-CDN distribution requires minimal configuration from your part in order to help you get started quickly, modifying a distribution allows you to manage all the possible configuration options at your disposal. You can modify an existing distribution by clicking on the appropriate orange icon with the white magnifying glass in the column Action(s) of the distributions list.

The first tab presented to you after clicking on the modify icon is similar to the basic distribution settings you already specified while creating the distribution. There are only two differences:

1. The Read only switch at the top-right side of the window, which is enabled by default. If you need to make any changes to the distribution settings, please click on the Read only switch to unlock

2. The setting Logging settings, which instructs the CDN to generate web logs for this distribution, that you can then download and perform log analysis on. If you enable this option, you'll be asked to type-in a password for the FTP account that will provide access to those logs. Please refer to the section ‘Rawlogs’ for more information.

For the rest of the settings, please follow the instructions in the "Add a Multi CDN distribution" section.

The second tab is called Policy settings and it's here where most of the distribution performance-related options are hosted. In this tab you'll find a list with the existing policy settings. Multi-CDN distributions only support a single policy, therefore you'll normally see one existing policy here with the ability to edit or delete it. If that policy has been deleted for any reason, you'll be able to add one by clicking on the orange + icon at the top-right side of the list.

In either case, you'll be presented with the Edit policy window, which contains all the possible settings, organized in five (5) tabs:

Basic settings

Description

Should be filled with a name that helps you identify the policy, although since only one policy is allowed in the Multi CDN, setting this option is not very important. "Default policy" is a good choice.

Allowed methods

Specifies which HTTP methods should be allowed for this distribution. By default only "GET" requests are allowed which is a good default for static content distributions. All others (POST, PUT, DELETE and OPTIONS) are disabled by default for both performance and security reasons, and the CDN will refuse to servce them. You can enable any combination of these if they make sense for the type of content you wish to accelerate, like full website acceleration for example.

Cache settings

Cache Query String

If disabled (the default), the CDN ignores the query string of your URLs (everything after the "?"). Therefore the URLs http://cdn.mysite.com/output?format=pdf and http://cdn.mysite.com/output?format=csv will always serve the same content despite the fact that they have a different query string. If this setting is enabled on the other hand, the URLs http://cdn.mysite.com/output?format=pdf and http://cdn.mysite.com/output?format=csv will be treated by the CDN as different URLs and will be cached independently. Enabling this option makes the cache less efficient, because the CDN needs to keep many different copies of content for the same base URL.

Honor Origin TTL

By default the CDN respects the caching settings the origin provides via HTTP headers. If you disable this setting, the CDN will ignore the origin's caching settings and use the "Default TTL" setting instead.

Default TTL

The time in seconds during which content fetched from the origin is considered fresh and served from cache, in cases where the origin does not provide caching headers of its own.

Serve stale content

When this option is enabled (the default) and a requested URL has expired in the cache and cannot be refreshed from the origin, the CDN will serve the expired (stale) cached version anyway. If the option is disabled, the CDN will serve an error response instead, which may be needed in cases where cache lifetime needs to be enforced for security or content protection reasons.

Pull origin settings

Pull Origin

Here you can select which origin to pull content from. If no options appear, make sure you have specified an origin in the section "Configuration > Origins".

Shield distribution

Allows you to select a shield distribution to fetch content from, instead of an origin. This option is mutually exclussive with the Pull Origin setting above it. Please see the section about Shield origins for more details.

Protocol

Whether to use HTTP or HTTPS to make requests to the origin server(s). HTTP has lower overhead and is therefore faster, but unless special precautions are taken it can compromise the security of your content delivery.

Compressed

Specifies whether the CDN nodes will enable HTTP compression in their requests to the origin(s). This option is disabled by default because in most situations static content is compressed already, but you may want to enable it if your distribution is setup for full website acceleration which includes uncompressed text files like html and css.

Host header

This option allows overriding the "Host:" header the CDN nodes send to the origin with each request. Normally this value is taken from the hostname of the origin itself, but you may need to override it for an origin which hosts many different sites with incomplete or non-existent DNS records.

X-Forwarded-For

When origins receive connections from CDN nodes, they log the CDN node's IP address as the source of the connection, not the real user's IP address. To remedy that, CDN nodes send the X-Forwarder-For HTTP header which contains the IP address of the user who actually made the request. Origins can then use that header value, usually for logging purposes. This option enables the X-Forwarded-For header generation by the CDN nodes and it's enabled by default.

Delivery settings

Force HTTPS

If you enable this option, users who make HTTP requests to the distribution will be automatically redirected to the same URL but using HTTPS instead.

Inherit TTL

If enabled, the CDN will provide the end-users with the caching headers that it received from the origin, allowing them to also cache the content. If disabled, the option "TTL Override" will be used instead, specifying statically how long in seconds user browsers can cache the content.

Compression

Automatically compress compression-friendly content (javascript, css, xml etc) during delivery to users.

Passthrough headers

Origin generated header names that should be allowed to be passed through to the users. By default origin headers are suppressed to improve caching efficiency. You can add more than one header names by clicking on the "Add" button. Example: 'X-Cache-Status'

Static headers

With this setting you can specify one or more custom headers that the CDN nodes will deliver to the end users. To do so, click on the 'Add' button and fill-in the desired header names and values.

Security settings

GEO targetting / blocking

Denies content delivery to country codes you specify, while allowing delivery to all other countries. If you enable this option, you'll be presented with a list of countries to choose from.

IP subnet targeting / blocking

Denies content delivery to subnets you specify, while allowing delivery to the rest of the Internet. You can add one or more subnets by clicking on the 'Add' button.

Referrer blocking

If enabled, this option will deny content delivery to all incoming requests, except for the ones that contain a specific string in the referrer field. You can add one or more referrer strings by clicking on the "Add" button. Each referrer needs to be in the form "*www.mysite.com*" and the only allowed action is "Allow", since non-matched requests are denied by default. This option is used primarily to counter hot-linking.

After filling in all the relevant fields, save your changes by clicking on Save.

Single CDN distributions

Single CDN distributions deliver content through our own CDN infrastructure. This allows the use of more advanced features (like secure URL or multiple cache policies per distribution) at the cost of lower overall performance. Setting up a Single CDN distribution is quite similar to the Multi CDN type.

Before you create a Single CDN distribution, please make sure that you have first configured any origins you intent to use. Then on the main menu on the left, click on Configuration > Distributions to expand the menu, then click on Single CDN to expand it. This will show the list of current Single CDN distributions under your account.

For each distribution, the following information is shown: number, description, status and target CNAME. While most of these are self-explanatory, the Status icon shows whether the distribution configuration has been applied on all nodes. After you create a new distribution this icon will be red for a short amount of time, while waiting for the configuration to propagate on all relevant CDN nodes. Then it will turn in to a green check mark.

On the right side, buttons are provided which allow you to either modify or delete each distribution.


Add a Single CDN distribution

To create a new distribution, click on the + icon at the top-right corner of the list. In the form that appears, you'll be prompted to first enter the TLS settings for this distribution, which dictates whether your distribution will support HTTPS:

  • Select None if you don't use HTTPS.

  • If you have your own SSL certificates and you have uploaded them in Configuration > Certificates, select SNI TLS/SSL and choose the appropriate certificate in the field below.

  • If you don't have any SSL certificates of your own, you can select Shared TLS/SSL. This will allow you to use HTTPS with the CDN's own certificates, but that will only work correctly for the CNAME target, not your own domains.

If you haven't yet uploaded any SSL certificates and the dashboard shows none you can choose from, it is possible to create a new one right here in the wizard. Simply click on Create certificate and fill-in your SSL certificate and key.

If you click on Next, you'll be able to add a Description to the distribution. Please fill-in a description that is meaningful to you. Usually the endpoint hostname is used, for example "cdn.mysite.com".

Domain(s) are the entries within the Domain Name System (DNS) that specify where a user can find your web content (example: cdn.yourdomain.com). You can add one or more domains to a distribution. To do so, click Add domain and fill in the field that appears.

At this point, please click on the Next button to continue with the configuration of the distribution's cache policy. In the new screen that appears, you'll be able to specify the origin service where the CDN will pull content from.

In the field Pull origin in the Select origin pane, you have the option to quickly select one of the origins you may have already configured in the Configuration > Origins section. Alternatively, you can opt to pull content from a previously configured shield distribution, by selecting it in the field Shield distribution in the same pane. More information about what shield distributions are and why they are used can be found in the section Shield CDN distributions. Compared to Multi CDN, Single CDN distributions support an additional third type of origin called Origin group which you can select in the drop-down field with the same name. More information about origin groups and their fail-over capabilities can be found in the section Origin groups. Only one of these three origin types can be selected and doing so will automatically de-select the others.

If you haven't yet setup any origins or shields, it is possible to add a new simple origin in the same window. Just expand the pane Create origin, fill-in the description field with a name that clearly identifies this origin to you (usually its own hostname is used) and finally fill in its actual hostname in the field Host. As described in the section Simple origins, a hostname or an IP address can be used in this field, without the protocol (http) or port (:443).

Click on Next to go to the last stage of the setup wizard. You'll be presented with a window that describes how to point your domain name towards the target CNAME in order to start sending traffic to your brand-new distribution. Finally, click on "Save" to finish saving the distribution configuration.


Modify a Single CDN distribution

Whereas adding a Single CDN distribution requires minimal configuration from your part in order to help you get started quickly, modifying a distribution allows you to manage all the possible configuration options at your disposal. You can modify an existing distribution by clicking on the appropriate orange icon with the white magnifying glass in the column Action(s) of the distributions list.

The first tab presented to you after clicking on the modify icon, is similar to the basic distribution settings you already specified while creating the distribution. The only difference is the Read only switch at the top-right side of the window, which is enabled by default. If you need to make any changes to the distribution settings, please click on the Read only switch to unlock and then follow the instructions in the "Add a Single CDN distribution" section.

The second tab is called Policy settings and it's here where most of the distribution performance-related options are hosted. In this tab you'll find a list with the existing policy settings. Single CDN distributions support multiple policies, and they decide which one to use for each incoming request based on the policy's Path field. Therefore, if we have two different policies, one for path "/" and another for path "/assets", a request like "https://cdn.mysite.net/myfile" will use the first policy and a request like "http://cdn.mysite.net/assets/my.css" will use the second one. This allows you to use different origins depending on the path of the incoming request, a feature that is not available in Multi CDN distributions.

A new policy can be added by clicking on the orange + icon at the top-right side of the list. An existing one can be modified by clicking on the Edit action button which looks like a pencil. In either case, you'll be presented with the Edit policy window, which contains all the possible settings, organized in six (6) tabs:

Basic settings

Path / regex

The path this policy applies to. This field also supports regular expressions to match the desired path. If you are just using a single policy, please set this value to "/".

Description

Should be filled with a name that helps you distinguish the policies among each-other. If you only use one, the value Default policy is a good choice.

Allowed methods

Specifies which HTTP methods should be allowed for this distribution. By default only GET requests are allowed which is a good default for static content distributions. All others (POST, PUT, DELETE and OPTIONS) are disabled by default for both performance and security reasons, and the CDN will refuse to service them. You can enable any combination of these if they make sense for the type of content you wish to accelerate, like full website acceleration for example.

Cache settings

Bypass caching rules

If this option is enabled, the CDN will perform no caching at all, which might be needed in very specific scenarios or for debugging purposes. It is disabled by default for obvious reasons.

Segmented downloads

When this option is enabled, the CDN will fetch files in chunks (segments) instead of a single file. This improves performance and reduces latency in RANGE requests against files that are larger than a few megabytes and do not exist in the cache yet. It is enabled by default.

Cache Query String

If disabled (the default), the CDN ignores the query string of your URLs (everything after the "?"). Therefore the URLs http://cdn.mysite.com/output?format=pdf and http://cdn.mysite.com/output?format=csv will always serve the same content despite the fact that they have a different query string. If this setting is enabled on the other hand, the URLs http://cdn.mysite.com/output?format=pdf and http://cdn.mysite.com/output?format=csv will be treated by the CDN as different URLs and will be cached independently. Enabling this option makes the cache less efficient, because the CDN needs to keep many different copies of content for the same base URL.

Honor Origin TTL

By default the CDN respects the caching settings the origin provides via HTTP headers. If you disable this setting, the CDN will ignore the origin's caching settings and use the "Default TTL" setting instead.

Default TTL

The time in seconds during which content fetched from the origin is considered fresh and served from cache, in cases where the origin does not provide caching headers of its own.

Serve stale content

When this option is enabled (the default) and a requested URL has expired in the cache and cannot be refreshed from the origin, the CDN will serve the expired (stale) cached version anyway. If the option is disabled, the CDN will serve an error response instead, which may be needed in cases where cache lifetime needs to be enforced for security or content protection reasons.

Pull origin settings

The options Pull Origin, Origin group and Shield distribution are mutually exclusive. Selecting one will automatically de-select the other two.

Pull Origin

Here you can select which origin to pull content from. If no options appear, make sure you have specified an origin in the section Configuration > Origins. Origins of type Simple, Advanced and Object storage appear in this selection.

Origin group

Selects an origin group as origin for this policy. More information about origin groups and their fail-over capabilities can be found in the section "Origin groups"

Shield distribution

Allows you to select a shield distribution to fetch content from. Please see the section about "Shield CDN distributions" for more details.

Protocol

Whether to use HTTP or HTTPS to make requests to the origin server(s). HTTP has lower overhead and is therefore faster, but unless special precautions are taken it can compromise the security of your content delivery.

Compressed

Specifies whether the CDN nodes will enable HTTP compression in their requests to the origin(s). This option is disabled by default because in most situations static content is compressed already, but you may want to enable it if your distribution is setup for full website acceleration which includes uncompressed text files like html and css.

Host header

This option allows overriding the "Host:" header the CDN nodes send to the origin with each request. Normally this value is taken from the hostname of the origin itself, but you may need to override it for an origin which hosts many different sites and has has incomplete or non-existent DNS records for them.

X-Forwarded-For

When origins receive connections from CDN nodes, they log the CDN node's IP address as the source of the connection, not the real user's IP address. To remedy that, CDN nodes send the X-Forwarder-For HTTP header which contains the IP address of the user who actually made the request. Origins can then use that header value, usually for logging purposes. This option enables the X-Forwarded-For header generation by the CDN nodes and it's enabled by default.

Upstream headers

By clicking on the "Add" button, you can configure one or more headers to be sent to the origin with each request. For each header, its name and value need to be specified separately.

Delivery settings

Force HTTPS

If you enable this option, users who make HTTP requests to the distribution will be automatically redirected to the same URL but using HTTPS instead.

Inherit TTL

If enabled, the CDN will provide the end-users with the caching headers that it received from the origin, allowing them to also cache the content. If disabled, the option "TTL Override" will be used instead, specifying statically how long in seconds user browsers can cache the content.

Compression

Automatically compress compression-friendly content (javascript, css, xml etc) during delivery to users.

Rate limiting

Enables transfer rate limiting per each connection, based on the values below. Does not apply to existing connections.


Transfer Rate

Maximum bandwidth per connection in kB/s (i.e. 1000 Bytes per second).

Burst size

The initial data that can be downloaded at full speed before the above transfer rate takes effect.

Passthrough headers

Origin generated header names that should be allowed to be passed through to the users. By default origin headers are suppressed to improve caching efficiency. You can add more than one header names by clicking on the "Add" button. Example: 'X-Cache-Status'

Static headers

With this setting you can specify one or more custom headers that the CDN nodes will deliver to the end users. To do so, click on the 'Add' button and fill-in the desired header names and values.

Secured (tokenized) URLs

Secured URLs offer the best protection against hot-linking and link sharing. Using a common secret or a pre-shared pair of keys, websites can encrypt URLs using the options below. The CDN can in turn decrypt those URLs and serve them without revealing the real URL to the user.

Method

Choose between:

  • “Simple” secure URL with global secret.

  • “Encrypted” which uses a pair of AES and SHA keys.

Secret

The secret to use when generating secured URLs using the “simple” method. This value must be the same as in the code which generates the URLs on the website.

Vendor

Since there is no standard secured URL implementation, here you can choose which vendor implementation to use. Currently, only vendor “Leaseweb” is supported.

Use client IP

Include the user’s IP address in the secret used to generate a “simple” secured URL. This makes the generated secure URLs accessible only by the user that requested them.

Number of path components

Number of path components to protect, counting from the beginning. Set to “-1” to protect the entire URL. This doesn’t include tokens if they are embedded into the path.

Embed into path

Enable this option to embed the secure URL tokens (st, e and/or key) into the beginning of the path. Example for “simple” secure URL:

Enabled: /9vvJQlqkDmEgMeSDgjiaOA/1484062002/file.pdf
Disabled: /file.pdf?st=9vvJQlqkDmEgMeSDgjiaOA&e=1484062002

For this to work however, the secured URLs need to be prepared beforehand. Usually the website that distributes the URLs executes some code that takes care of that. Below we offer examples that demonstrate how to generate a secure URL. Both examples are written in the PHP language, but should be fairly easy to port to any other language you may be using.

This first example shows how to produce a "Simple" type of secure URL. This is the most common type in use.

<?php

$cname = 'cdn.example.com'; // This is the CNAME of the CDN distribution.
$path = '/path/to/secret_file.pdf'; // This is the file that is served to the visitor.
$secret = '<secret>'; // The Global Secret configured in the distribution.
$expire = time() + 86400; // At which point in time the file should expire. time() + x; would be the usual usage.
$ip = ""; // IP address allowed to access the URL, leave empty for no restriction.
$embed_into_path = false; // Set to true if tokens should be part of the URL.
$number_of_path_components = -1; // Number of first path components that will be protected, -1 stands for "Whole URL".
if ($number_of_path_components == -1) {
    $secured_path = $path;
} else {
    $matches = [];
    if (preg_match("!^(?:/[^/]+){{$number_of_path_components}}!", $path, $matches)) {
        $secured_path = $matches[0];
    } else {
        $secured_path = $path;
    }
}
$secure_url = $secret . $ip . $secured_path . $expire;
$secure_url_md5 = md5($secure_url, true);
$secure_url_base64 = base64_encode($secure_url_md5);
$secure_url_strtr = strtr($secure_url_base64, "+/", "-_");
$secure_url_replace = str_replace("=", "", $secure_url_strtr);
if ($embed_into_path) {
    $secret_url_final = "http://$cname/$secure_url_replace/$expire" . $path;
} else {
    $secret_url_final = "http://$cname" . $path . '?st=' . $secure_url_replace . '&e=' . $expire;
}
echo $secret_url_final . "\n";

The second example shows how to create an "Encrypted" type of secure URL.

<?php

function base64url_encode($data) {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode($data) {
    return base64_decode(str_pad(strtr($data, '-_', '+/'), strlen($data) % 4, '=', STR_PAD_RIGHT));
}

function aes_encrypt($data, $aes_key, $sha_key) {
// apply PKCS#7 padding
    $pad = 16 - strlen($data) % 16;
    $data .= str_repeat(chr($pad), $pad);
// generate random IV
    $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), MCRYPT_DEV_URANDOM);
// apply AES-256-CBC
    $crypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $aes_key, $data, MCRYPT_MODE_CBC, $iv);
// add SHA-256 HMAC
    $sha = hash_hmac('sha256', $iv . $crypt, $sha_key, true);
// return everything
    return $iv . $crypt . $sha;
}

$aes_key = pack('H*', '<aes_key>'); // e.g. 34B6337D3F9A0F35F7705F6B97419A05DA5CF013CD2C03DC4D5D00A183FF286A
$sha_key = pack('H*', '<sha_key>'); // e.g. A018E6F952A89E7E5A0DD1C5FD36530351FD22324CB4084DA4EA903E690697A4
$scheme = "http"; // http or https.
$cname = 'cdn.example.com'; // This is the CNAME of the distribution.
$path = '/path/to/secret_file.pdf'; // This is the path/file that is served to the visitor.
$expire = time() + 3600; // At which point in time the file should expire. time() + x; would be the usual usage.
$remote_address = "0.0.0.0/0"; // ipv4 or ipv6 network range that is allowed to access url in CIDR notation.
$transfer_rate = "256"; // the maximum speed per connection at which an individual visitor can download.
$burst_size = "4096"; // the data that can be downloaded before the transfer rate applies.
$embed_into_path = false; // Set to true if tokens should be part of the URL.
$number_of_path_components = -1; // Number of first path components that will be protected.
if ($number_of_path_components == -1) {
    $secured_path = $path;
} else {
    $matches = [];
    if (preg_match("!^(?:/[^/]+){{$number_of_path_components}}!", $path, $matches)) {
        $secured_path = $matches[0];
    } else {
        $secured_path = $path;
    }
}
$args = "path=$secured_path&expire=$expire&ip=$remote_address&ri=$burst_size&rs=$transfer_rate";
$token = base64url_encode(aes_encrypt($args, $aes_key, $sha_key));
if ($embed_into_path) {
    $final_url = "$scheme://$cname/$token$path";
} else {
    $final_url = "$scheme://$cname$path?key=$token";
}
echo $final_url . "\n";

Rewrites

Allows performing URL rewrites on the CDN, off-loading this responsibility from the origin(s). One or more rules can be added by clicking on Add.

flag

Standard URL rewrite flags that dictate what to do when a URL matches this rewrite rule.

break

Stop processing any other rewrite rules after this one.

last

Stop processing rewrite rules for this URL and start processing them again using the replacement URL.

permanent

Return the replacement as a permanent redirect with the 301 code.

redirect

Return the replacement as a temporary redirect with the 302 code.

Regex

Regular expression to apply on the URL.

Replacement

Replacement string to apply to the URL matched by the regular expression. Match variables (like $1) are supported.

After filling in all the relevant fields, save your changes by clicking on Save.

Shield CDN distributions

An origin shield is an additional caching layer between the actual CDN nodes and the origin. They are used in cases where the CDN nodes are numerous and the origin does not have enough capacity to serve them all. Using an origin shield reduces the amount of nodes that connect directly to the origin, therefore reducing the origin's load.

Origin shields are also used to fetch content from origins with specialized setups that 3rd-party CDNs do not support. One such example is origins that use the S3 object storage protocol (instead of common HTTP) and require S3 authentication.

Shield CDN distributions allow you to setup such an origin shield. After setting up a shield CDN distribution, it can then be configured as an origin in a normal (single or multi) CDN distribution.


Create a shield CDN distribution

You can create a new shield distribution by navigating to Configuration > Shield CDN. On the list that will appear, click on the orange icon at the top right side.

Shield CDN distributions should not serve content directly, they should be used as origins to normal distributions instead. For that reason, when adding a new one, only a description field needs to be specified, one that is meaningful to you. Adding custom domains or SSL certificates on a shield distribution is not supported.

If you click on Next, you’ll be able to choose an existing origin / origin group, or add a new simple origin the same way as you would do for a normal distribution. Click on Next again, followed by Save in order to finish creating the new shield distribution.

Modify a Shield CDN distribution

As discussed in “Creating a shield CDN distribution”, only the description field can be modified in the distribution settings.

The policy settings are also the same with Single CDN distribution, with a single exception: You cannot assign a Shield distribution as an origin to another shield distribution, as that would potentially create a cache loop. Apart from that, please refer to “Modify a Single CDN distribution” for the remaining configuration options.

Rawlogs

As already shown in the distribution settings, each distribution has a setting named Logging which, when enabled, keeps copies of the logfiles generated by said distribution that can be downloaded for further processing or examination. These logfiles are also known as rawlogs. Under the Logging option, an additional FTP password field needs to be input. This password should be used to retrieve the generated logs as described further below.

It is worth noting that you can additionally enable the Logging option using the appropriate API call to update the distribution’s settings.

When you enable the option, rawlogs will start being generated from that point on. This means that previous logs from when the option was still disabled will not be available.

The generated rawlogs can then be downloaded from the address “ftp.logs.leasewebultracdn.com” using any FTP client. Authentication is required to use this service. As username, please use the distribution ID (di-xxxxxx) and as password the password you specified in the distribution settings, below the Logging option itself. For FTP clients that don’t offer separate username and password fields, the full connection string is:

<distribution ID>:<FTP password>@ftp.logs.leasewebultracdn.com

Invalidations

Under normal conditions, the lifetime (TTL) of an object in the CDN cache should be determined by standard HTTP caching headers like Cache-Control produced by the origin(s). In certain situations however, specific URLs may be required to be removed from the cache so that a fresh copy of the content can be fetched from the origin. This could happen for example when:

  • A specific file on the origin was damaged or malformed at the time when it was cached, it has now been fixed and the CDN needs to get the new fixed version of that file.

  • Some files on the origin with long TTLs were changed because of a site re-design or major upgrade and the CDN needs to re-cache those files to reflect the changes.

  • A copyright claim has been issued about a specific file and, regardless of its TTL, the file needs to be removed from the cache as soon as possible to comply with the law.

This process is called invalidation and can be accessed through the Invalidate option at the bottom of the main menu on the left of the dashboard. Invalidations are resource intensive operations and should only be used on occasion, never as part of the normal workflow of the distribution. This is especially true for Multi CDN distributions, where invalidation requests and their completion status need to be communicated with 3rd-party platforms. For that reason, invalidations can take up to a few minutes to complete and are restricted in the following ways, to ensure the proper function of the CDN platform:

  • There is a limit on the frequency of invalidation requests. Each customer is allowed to submit at most one request every minute.

  • An individual invalidation request can contain up to 75 URLs. This allows a batch of invalidations to be requested by a single action.

  • There are fair-use policies in place to ensure that a single customer cannot overwhelm the invalidation request queue. A customer who submitted just 1 request will not have to wait for another customer's 100 invalidation requests to complete first.

To request an invalidation, click on the Invalidate menu item on the dashboard's main menu. In the screen that appears, type in the desired URL in the "Invalidate URLs" field and click on Add URL. Every added URL will appear directly below, in the "Invalidation list". As already mentioned, you can add up to 75 URLs to the invalidation request this way.

Using the Invalidation list, you can review the URLs destined for invalidation before actually submitting the request. The list allows you to un-check any URLs you wish to remove from the request, in case you added the wrong URL by accident. The invalidation request is finally queued for processing when you click on the button Submit invalidations.

All already submitted invalidation requests are then shown in the last pane of the page called Invalidations. For each request, an ID is displayed, which can be used for tracking purposes, as well as its status. Invalidation requests that are waiting their turn to be processed in the queue show as Pending, and this can last a few minutes depending on the type of distribution and the size of the current invalidation queue. After the invalidation request is processed, its status will be automatically set to Complete or Error depending on if it succeeded or not.

In the Action(s) column, you can click on the Details button to see more information about which invalidations succeeded, which failed and why. It is possible for an invalidation request to expire if it remains pending for too long, in which case it will receive the status Expired. Such requests can be re-queued for processing if you click the right-most Re-submit action button.

Resellers

Reseller accounts allow the operator to create sub-accounts which they can distribute among their customers. Each sub-customer can then create their own properties separate from all others. This helps with accounting of each sub-customer’s properties and how much resources they consume.

Reseller accounts themselves cannot host distributions and other CDN properties, only their sub-accounts can. Therefore, if as a reseller you need to create distributions for your own use, you should create a sub-account to host them in.

The main consequence of this, is that the reseller account dashboard looks slightly different compared to a normal CDN account. Only a list of sub-customers is shown for you to manage. In this interface, for each sub-customer the following information is shown:

  • Customer name

  • Customer description

  • Bandwidth used

Furthermore, the following controls are available for each sub-customer:

  • A switch to enable or disable the customer’s account. If you click it, a confirmation dialog will appear. Please note that changing an account’s status requires considerable processing in order to (among other things) disable or enable the account’s distributions, which results in a noticeable delay before changes actually take effect.

  • A button to “impersonate” the customer. This allows you access to the customer’s account as they see it when they log in. This is how you’ll be able to access your own CDN account or assist any of your customers with their configuration settings in theirs. When you click it, a yellow bar appears at the bottom of the dashboard, showing you which account you are currently impersonating. To stop impersonating a customer, click on this yellow bar and you’ll return to the reseller’s dashboard showing the list of your customers.

  • A trashcan action icon which allows you to delete a customer and all of their properties. A confirmation dialog will appear if you click on it.

Add a (sub)customer

You can add a customer by clicking on the orange icon at the top-right side of the customer list.

There is currently no option to edit a customer’s details. Therefore, please take good care when creating one.

The required fields that need to be filled when setting up a customer are the following:

Account name

Usually the company name or owner is set here.

Account description

Secondary information about the customer, like third-party reference IDs for example

Email address

This is in effect the username the customer will use to login. It is unique to the CDN platform, so the customer creation will fail if the email address is used by another account.

Password

The password the customer will need to use in order to login.

First / last name

The interface uses the customer’s first and last name in the account overview on the top-right side of the dashboard. Here is where this information is setup.

Phone number

The customer’s phone number where they can be reached in an emergency.

After filling in all the above details, the customer creation can be completed by clicking on the Save button.


Get Support

Need Technical Support?

Have a specific challenge with your setup?

Create a Ticket