Logging into the CDN dashboard
There are ways with which you can login to the CDN:
Logging in from the Leaseweb Customer Portal
When logged into the customer portal, you should see a CDN menu item on the left panel. If you click on it, the option Control Panel will appear. On clicking it, you will be redirected to the CDN login page. There you can use your CDN credentials to login.
origin in the Select origin pan
Logging in directly
You can also login directly by visiting the following URL: https://portal.cdn.leaseweb.com/ and using your username and password. The field 2FA code is optional: If you are not using two-factor authentication you can leave it blank.
Setting Two-Factor Authentication for CDN
To increase the security of your account, it is possible to add an extra login step. With two-factor authentication, you will have to enter a security code after your regular login. The two-factor authentication code changes every minute. Without the code, you will not be to login. You will need Google Authenticator or Microsoft Authenticator.
Perform the following steps to set up two-factor authentication:
- Navigate to My Profile page.
- Scroll to the bottom of the page, and toggle the Activate 2FA authentication option to activate it.
- Confirm the activation by clicking the Confirm button.
- Scan the QR Code with an authenticator application, so that you can use the code generated by the app on the next login. You can use Google Authenticator or Microsoft Authenticator to scan the QR code.
CDN API
You can use the CDN dashboard to easily manage all aspects of your CDN account and settings. This method of manual settings management does not allow for automating tasks or interfacing with other systems however, and becomes cumbersome in setups with a large amount of properties. For these situations we offer a RESTful API with which you can access all of the CDN's features in an a structured and platform-agnostic way. For authentication, the CDN API uses OAuth2.
To see an overview of all API capabilities and how to access them, please visit this URL: https://api.cdn.leaseweb.com/
Origins
Origin servers are the hosts which the CDN fetches content from. For that reason, your origin servers are probably the first thing you should setup in your account to be able to use the CDN.
There are four (4) different types of origins that can be setup: Simple, advanced, object storage and origin group. To create a new origin or modify an existing one, look for the menu item "Origins", below "Configuration" on the main menu on the left side of the dashboard. If you click on it, the four different types will appear beneath it. By clicking on any of the four types, you'll get a list of all the existing origins of that specific type. The list allows you to edit or delete any existing origins. You can add a new origin of the selected type by clicking on the "plus" icon at the top-right corner of the origin list.
Simple origin
This is the simplest type of origin available on the CDN. For each origin, you only need to provide a description which is meaningful to you and a host. In the host field you can specify the hostname or the IP address of your origin. You shouldn't specify a protocol (http:// or https://) in this field, as this is configured in the distribution's cache policy.
Advanced origin
An advanced origin works exactly like a simple one, except that it allows you to modify three additional options:
HTTP port | Here you can specify if your origin listens on a port for HTTP requests that is different from the standard (80), |
HTTPS port | If your origin listens for HTTPS requests on a port different than the standard (443), you can specify that port number here. |
Path / subdirectory | In the case that the origin's contents exist within a specific subdirectory, you can specify this path here. By doing this, you avoid having to include this subdirectory in the path of the requests sent to the CDN. |
Object storage origin
This is a special type of origin that supports the Amazon S3 object storage protocol instead of plain HTTP/HTTPS. Object storage origins are also compatible with alternative implementations of the protocol, like the ceph/RADOS object storage system.
You can use object storage origins with shield CDN distributions only. Multi CDN distributions cannot be setup with object storage origins directly because most 3rd-party CDNs do not support this functionality. This can be remedied by using a shield CDN distribution as origin to your multi CDN one.
The following fields can be configured:
Description | A name for this origin that is meaningful to you |
Host | The hostname (or IP address) of the S3 object storage endpoint to use. For example: s3.eu-central-1.amazonaws.com |
Access Key ID | In S3 lingo, this is equivalent to the username to use in order to access the object storage service. It's usually a random alphanumeric string |
Bucket | The bucket name to use in order to pull content from the S3 storage. |
Secret access key | Here you can specify the secret access key that allows you to access the S3 content. This is equivalent to the password value in S3 lingo. |
Origin group
An origin group offers the most intricate origin setup possible. Origin groups support multiple origin hosts using different load-balancing methods and additionally allow origins to be setup as backups that will only be used if the main origins become inaccessible. Due to the nature of the Multi CDN platform, origin groups can only be used with shield CDN distributions.
Before setting up an origin group, all of its individual origins need to be setup first as simple origins. You can find instructions on how to do this in the previous section called Simple origin. Advanced origins cannot be used within an origin group, only simple origins can. Object storage origins can be used within an origin group, but only if they are setup as simple origins, meaning without using any authentication.
To configure an origin group, the following fields need to be specified:
Description | A name for this origin that is meaningful to you | ||||
Load-balancing method | This field specifies how to distribute outgoing requests to the origins of the group. It provides the following four options:
| ||||
Fail time-out | If a request towards an origin is not successful within this time-out period, the request is considered as failed and is retried by another origin from the same group. | ||||
Keep Alive | Keep connections towards the origins open after making a request, so that the connection can be re-used by future requests. This improves performance because making a new connection takes time and server resources, but also increases the number of connections that are active at any given time. | ||||
Keep Alive Seconds | The amount of time in seconds to keep connections towards the origins open if Keep Alive is enabled. This value cannot be larger than 30 seconds, and should be lower than the read timeout settings on the origin. | ||||
Members | The origins that make up this origin group. Up to ten (10) different origins can be added here, and all of them need to be unique. For each member, the following two fields can be configured:
|
Distributions
A distribution is a CDN property that provides caching and web acceleration for one or more origins. In simpler terms, while an origin is a service which the CDN fetches files from, a distribution is the service that caches and serves those files to customers.
The distribution configuration specifies how it can be accessed by customers. Its settings include its domain name, whether it should have HTTPS enabled and if so, which SSL certificate to use. More importantly, a distribution also contains a distribution policy (or more than one, depending on the distribution type). Policies dictate what, how and for how long content from the origin(s) will be cached, which directly affects the performance of content delivery. This makes distributions and policies arguably the most important part of the CDN configuration.
Our CDN platform supports different types of distributions which offer a variety of advantages but are also subject to different restrictions. Depending on the type of your account, you may not have access to some of them.
Multi-CDN distributions
Multi-CDN is the most popular type of distribution, because it allows content distribution by 3rd-party CDN systems. This greatly increases the amount of available locations to serve content from, which in turn results in higher speeds and lower latency for customers. The downside is that the features of this type of distribution are limited to the common subset that all our partner CDN systems support. For example, it is currently not possible to use URL protection (also known as URL tokens) with multi CDN distributions.
Before you create a Multi-CDN distribution, please make sure that you have first configured any origins you intent to use. Then on the main menu on the left, click Configuration > Distributions to expand the menu, then click Multi CDN to expand it. This will show the list of current Multi-CDN distributions under your account.
For each distribution, the following information is shown: number, description, status and target CNAME. While most of these are self-explanatory, the status icon shows whether the distribution configuration has been applied on all nodes. After you create a new distribution this icon will be red for a short amount of time, while waiting for the configuration to propagate on all relevant CDN nodes. Then it will turn in to a green check mark.
On the right side, buttons are provided which allow you to either modify or delete each distribution.
Add a Multi-CDN distribution
To create a new distribution, click on the + icon at the top-right corner of the list. In the form that appears, you'll be prompted to first enter the TLS settings for this distribution, which dictates whether your distribution will support HTTPS:
Select None if you don't use HTTPS.
If you have your own SSL certificates and you have uploaded them in Configuration > Certificates, select SNI TLS/SSL and choose the appropriate certificate in the field below.
If you don't have any SSL certificates of your own, you can select Shared TLS/SSL. This will allow you to use HTTPS with the CDN's own certificates, but that will only work correctly for the CNAME target, not your own domains.
If you haven't yet uploaded any SSL certificates and the dashboard shows none you can choose from, it is possible to create a new one right here in the wizard. Simply click on Create certificate and fill-in your SSL certificate and key.
If you click on Next, you'll be able to add a Description to the distribution. Please fill-in a description that is meaningful to you. Usually the endpoint hostname is used, for example "cdn.mysite.com".
Domain(s) are the entries within the Domain Name System (DNS) that specify where a user can find your web content (example: cdn.yourdomain.com). You can add one or more domains to a distribution. To do so, click Add domain and fill in the field that appears.
At this point, please click on the Next button to continue with the configuration of the distribution's cache policy. In the new screen that appears, you'll be able to specify the origin service where the CDN will pull content from.
In the field Pull origin in the Select origin pane, you have the option to quickly select one of the origins you may have already configured in the Configuration > Origins section. Alternatively, you can opt to pull content from a previously configured shield distribution, by selecting it in the field Shield distribution in the same pane. Only one of those two options can be selected and doing so will automatically de-select the other one. More information about what shield distributions are and why they are used can be found in the section Shield CDN distributions.
If you haven't yet setup any origins or shields, it is possible to add a new simple origin in the same window. Just expand the pane Create origin, fill-in the description field with a name that clearly identifies this origin to you (usually its own hostname is used) and finally fill in its actual hostname in the field Host. As described in the section Simple origins, a hostname or an IP address can be used in this field, without the protocol (http) or port (:443).
Click Next to go to the last stage of the setup wizard. You'll be presented with a window that describes how to point your domain name towards the automatically generated target CNAME in order to start sending traffic to your brand-new distribution. Finally, click on Save to finish saving the distribution configuration.
Modify a Multi-CDN distribution
Whereas adding a Multi-CDN distribution requires minimal configuration from your part in order to help you get started quickly, modifying a distribution allows you to manage all the possible configuration options at your disposal. You can modify an existing distribution by clicking on the appropriate orange icon with the white magnifying glass in the column Action(s) of the distributions list.
The first tab presented to you after clicking on the modify icon is similar to the basic distribution settings you already specified while creating the distribution. For more details, please follow the instructions in the "Add a Multi CDN distribution" section.
The second tab is called Policy settings and it's here where most of the distribution performance-related options are hosted. In this tab you'll find a list with the existing policy settings. Multi-CDN distributions only support a single policy, therefore you'll normally see one existing policy here with the ability to edit or delete it. If that policy has been deleted for any reason, you'll be able to add one by clicking on the orange + icon at the top-right side of the list.
In either case, you'll be presented with the Edit policy window, which contains all the possible settings, organized in five (5) tabs:
Basic settings
Description | Should be filled with a name that helps you identify the policy, although since only one policy is allowed in the Multi CDN, setting this option is not very important. "Default policy" is a good choice. |
Allowed methods | Specifies which HTTP methods should be allowed for this distribution. By default only "GET" requests are allowed which is a good default for static content distributions. All others (POST, PUT, DELETE and OPTIONS) are disabled by default for both performance and security reasons, and the CDN will refuse to servce them. You can enable any combination of these if they make sense for the type of content you wish to accelerate, like full website acceleration for example. |
Cache settings
Cache Query String | If disabled (the default), the CDN ignores the query string of your URLs (everything after the "?"). Therefore the URLs http://cdn.mysite.com/output?format=pdf and http://cdn.mysite.com/output?format=csv will always serve the same content despite the fact that they have a different query string. If this setting is enabled on the other hand, the URLs http://cdn.mysite.com/output?format=pdf and http://cdn.mysite.com/output?format=csv will be treated by the CDN as different URLs and will be cached independently. Enabling this option makes the cache less efficient, because the CDN needs to keep many different copies of content for the same base URL. |
Honor Origin TTL | By default the CDN respects the caching settings the origin provides via HTTP headers. If you disable this setting, the CDN will ignore the origin's caching settings and use the "Default TTL" setting instead. |
Default TTL | The time in seconds during which content fetched from the origin is considered fresh and served from cache, in cases where the origin does not provide caching headers of its own. |
Serve stale content | When this option is enabled (the default) and a requested URL has expired in the cache and cannot be refreshed from the origin, the CDN will serve the expired (stale) cached version anyway. If the option is disabled, the CDN will serve an error response instead, which may be needed in cases where cache lifetime needs to be enforced for security or content protection reasons. |
Pull origin settings
Pull Origin | Here you can select which origin to pull content from. If no options appear, make sure you have specified an origin in the section "Configuration > Origins". |
Shield distribution | Allows you to select a shield distribution to fetch content from, instead of an origin. This option is mutually exclussive with the Pull Origin setting above it. Please see the section about Shield origins for more details. |
Protocol | Whether to use HTTP or HTTPS to make requests to the origin server(s). HTTP has lower overhead and is therefore faster, but unless special precautions are taken it can compromise the security of your content delivery. |
Compressed | Specifies whether the CDN nodes will enable HTTP compression in their requests to the origin(s). This option is disabled by default because in most situations static content is compressed already, but you may want to enable it if your distribution is setup for full website acceleration which includes uncompressed text files like html and css. |
Host header | This option allows overriding the "Host:" header the CDN nodes send to the origin with each request. Normally this value is taken from the hostname of the origin itself, but you may need to override it for an origin which hosts many different sites with incomplete or non-existent DNS records. |
X-Forwarded-For | When origins receive connections from CDN nodes, they log the CDN node's IP address as the source of the connection, not the real user's IP address. To remedy that, CDN nodes send the X-Forwarder-For HTTP header which contains the IP address of the user who actually made the request. Origins can then use that header value, usually for logging purposes. This option enables the X-Forwarded-For header generation by the CDN nodes and it's enabled by default. |
Delivery settings
Force HTTPS | If you enable this option, users who make HTTP requests to the distribution will be automatically redirected to the same URL but using HTTPS instead. |
Inherit TTL | If enabled, the CDN will provide the end-users with the caching headers that it received from the origin, allowing them to also cache the content. If disabled, the option "TTL Override" will be used instead, specifying statically how long in seconds user browsers can cache the content. |
Compression | Automatically compress compression-friendly content (javascript, css, xml etc) during delivery to users. |
Passthrough headers | Origin generated header names that should be allowed to be passed through to the users. By default origin headers are suppressed to improve caching efficiency. You can add more than one header names by clicking on the "Add" button. Example: 'X-Cache-Status' |
Static headers | With this setting you can specify one or more custom headers that the CDN nodes will deliver to the end users. To do so, click on the 'Add' button and fill-in the desired header names and values. |
Security settings
GEO targetting / blocking | Denies content delivery to country codes you specify, while allowing delivery to all other countries. If you enable this option, you'll be presented with a list of countries to choose from. |
IP subnet targeting / blocking | Denies content delivery to subnets you specify, while allowing delivery to the rest of the Internet. You can add one or more subnets by clicking on the 'Add' button. |
Referrer blocking | If enabled, this option will deny content delivery to all incoming requests, except for the ones that contain a specific string in the referrer field. You can add one or more referrer strings by clicking on the "Add" button. Each referrer needs to be in the form "*www.mysite.com*" and the only allowed action is "Allow", since non-matched requests are denied by default. This option is used primarily to counter hot-linking. |
After filling in all the relevant fields, save your changes by clicking on Save.
Shield CDN distributions
An origin shield is an additional caching layer between the actual CDN nodes and the origin. They are used in cases where the CDN nodes are numerous and the origin does not have enough capacity to serve them all. Using an origin shield reduces the amount of nodes that connect directly to the origin, therefore reducing the origin's load.
Origin shields are also used to fetch content from origins with specialized setups that the multi CDN does not support. One such example is origins that use the S3 object storage protocol (instead of common HTTP) and require S3 authentication.
Shield CDN distributions allow you to setup such an origin shield. After setting up a shield CDN distribution, it can then be configured as an origin in a multi CDN distribution.
Before you create a Shield CDN distribution, please make sure that you have first configured any origins you intent to use. Then on the main menu on the left, click on Configuration > Distributions to expand the menu, then click on Shield CDN to expand it. This will show the list of current Shield CDN distributions under your account.
For each distribution, the following information is shown: number, description, status and target CNAME. While most of these are self-explanatory, the Status icon shows whether the distribution configuration has been applied on all nodes. After you create a new distribution this icon will be yellow for a short amount of time, while waiting for the configuration to propagate on all relevant CDN nodes. Then it will turn in to a green check mark.
On the right side, buttons are provided which allow you to either modify or delete each distribution.
Add a Shield CDN distribution
You can create a new shield distribution by navigating to Configuration > Shield CDN. On the list that will appear, click on the orange + icon at the top right side.
In the window that will appear, you'll be able to add a Description to the distribution. Please fill-in a description that is meaningful to you. Example origin.mysite.com shield.
At this point, please click on the Next button to continue with the configuration of the distribution's cache policy. In the new screen that appears, you'll be able to specify the origin service where the shield will pull content from.
In the field Pull origin in the Select origin pane, you have the option to quickly select one of the origins you may have already configured in the Configuration > Origins section. Compared to Multi CDN, Shield CDN distributions support an additional type of origin called Origin group which you can select in the drop-down field with the same name. More information about origin groups and their fail-over capabilities can be found in the section Origin groups. Only one of these two origin types can be selected and doing so will automatically de-select the other.
If you haven't yet setup any origins, it is possible to add a new simple origin in the same window. Just expand the pane Create origin, fill-in the description field with a name that clearly identifies this origin to you (usually its own hostname is used) and finally fill in its actual hostname in the field Host. As described in the section Simple origins, a hostname or an IP address can be used in this field, without the protocol (http) or port (:443).
Click on Next to go to the last stage of the setup wizard. You'll be presented with a window that shows if the creation of the shield distribution completed successfully. Click on Close to finish the distribution configuration.
Modify a Shield CDN distribution
Whereas adding a Shield CDN distribution requires minimal configuration from your part in order to help you get started quickly, modifying a distribution allows you to manage all the possible configuration options at your disposal. You can modify an existing distribution by clicking on the appropriate orange icon with the white magnifying glass in the column Action(s) of the distributions list.
The first tab presented to you after clicking on the modify icon, is similar to the basic distribution settings you already specified while creating the distribution. The only difference is the Enabled switch at the top-right side of the window, which allows the activation / de-activation of the distribution and is enabled by default.
The second tab is called Policy settings and it's here where most of the distribution performance-related options are hosted. In this tab you'll find a list with the existing policy settings. Shield CDN distributions support multiple policies, and they decide which one to use for each incoming request based on the policy's Path field. Therefore, if we have two different policies, one for path "/" and another for path "/assets", a request like "https://cdn.mysite.net/myfile" will use the first policy and a request like "http://cdn.mysite.net/assets/my.css" will use the second one. This allows you to use different origins depending on the path of the incoming request, a feature that is not available in Multi CDN distributions.
A new policy can be added by clicking on the orange + icon at the top-right side of the list. An existing one can be modified by clicking on the Edit action button which looks like a pencil. In either case, you'll be presented with the Edit policy window, which contains all the possible settings, organized in six (6) tabs:
Basic settings
Path / regex | The path this policy applies to. This field also supports regular expressions to match the desired path. If you are just using a single policy, please set this value to "/". |
Description | Should be filled with a name that helps you distinguish the policies among each-other. If you only use one, the value Default policy is a good choice. |
Allowed methods | Specifies which HTTP methods should be allowed for this distribution. By default only GET requests are allowed which is a good default for static content distributions. All others (POST, PUT, DELETE and OPTIONS) are disabled by default for both performance and security reasons, and the CDN will refuse to service them. You can enable any combination of these if they make sense for the type of content you wish to accelerate, like full website acceleration for example. |
Cache settings
Bypass caching rules | If this option is enabled, the CDN will perform no caching at all, which might be needed in very specific scenarios or for debugging purposes. It is disabled by default for obvious reasons. |
Segmented downloads | When this option is enabled, the CDN will fetch files in chunks (segments) instead of a single file. This improves performance and reduces latency in RANGE requests against files that are larger than a few megabytes and do not exist in the cache yet. It is enabled by default. |
Cache Query String | If disabled (the default), the CDN ignores the query string of your URLs (everything after the "?"). Therefore the URLs http://cdn.mysite.com/output?format=pdf and http://cdn.mysite.com/output?format=csv will always serve the same content despite the fact that they have a different query string. If this setting is enabled on the other hand, the URLs http://cdn.mysite.com/output?format=pdf and http://cdn.mysite.com/output?format=csv will be treated by the CDN as different URLs and will be cached independently. Enabling this option makes the cache less efficient, because the CDN needs to keep many different copies of content for the same base URL. |
Honor Origin TTL | By default the CDN respects the caching settings the origin provides via HTTP headers. If you disable this setting, the CDN will ignore the origin's caching settings and use the "Default TTL" setting instead. |
Default TTL | The time in seconds during which content fetched from the origin is considered fresh and served from cache, in cases where the origin does not provide caching headers of its own. |
Serve stale content | When this option is enabled (the default) and a requested URL has expired in the cache and cannot be refreshed from the origin, the CDN will serve the expired (stale) cached version anyway. If the option is disabled, the CDN will serve an error response instead, which may be needed in cases where cache lifetime needs to be enforced for security or content protection reasons. |
Pull origin settings
The options Pull Origin and Origin group are mutually exclusive. Selecting one will automatically de-select the other.
Pull Origin | Here you can select which origin to pull content from. If no options appear, make sure you have specified an origin in the section Configuration > Origins. Origins of type Simple, Advanced and Object storage appear in this selection. |
Origin group | Selects an origin group as origin for this policy. More information about origin groups and their fail-over capabilities can be found in the section "Origin groups" |
Protocol | Whether to use HTTP or HTTPS to make requests to the origin server(s). HTTP has lower overhead and is therefore faster, but unless special precautions are taken it can compromise the security of your content delivery. |
Compressed | Specifies whether the CDN nodes will enable HTTP compression in their requests to the origin(s). This option is disabled by default because in most situations static content is compressed already, but you may want to enable it if your distribution is setup for full website acceleration which includes uncompressed text files like html and css. |
Host header | This option allows overriding the "Host:" header the CDN nodes send to the origin with each request. Normally this value is taken from the hostname of the origin itself, but you may need to override it for an origin which hosts many different sites and has has incomplete or non-existent DNS records for them. |
X-Forwarded-For | When origins receive connections from CDN nodes, they log the CDN node's IP address as the source of the connection, not the real user's IP address. To remedy that, CDN nodes send the X-Forwarder-For HTTP header which contains the IP address of the user who actually made the request. Origins can then use that header value, usually for logging purposes. This option enables the X-Forwarded-For header generation by the CDN nodes and it's enabled by default. |
Upstream headers | By clicking on the "Add" button, you can configure one or more headers to be sent to the origin with each request. For each header, its name and value need to be specified separately. |
Delivery settings
Force HTTPS | If you enable this option, users who make HTTP requests to the distribution will be automatically redirected to the same URL but using HTTPS instead. | ||||
Inherit TTL | If enabled, the CDN will provide the end-users with the caching headers that it received from the origin, allowing them to also cache the content. If disabled, the option "TTL Override" will be used instead, specifying statically how long in seconds user browsers can cache the content. | ||||
Compression | Automatically compress compression-friendly content (javascript, css, xml etc) during delivery to users. | ||||
Rate limiting | Enables transfer rate limiting per each connection, based on the values below. Does not apply to existing connections.
| ||||
Passthrough headers | Origin generated header names that should be allowed to be passed through to the users. By default origin headers are suppressed to improve caching efficiency. You can add more than one header names by clicking on the "Add" button. Example: 'X-Cache-Status' | ||||
Static headers | With this setting you can specify one or more custom headers that the CDN nodes will deliver to the end users. To do so, click on the 'Add' button and fill-in the desired header names and values. |
Secured (tokenized) URLs
Secured URLs offer the best protection against hot-linking and link sharing. Using a common secret or a pre-shared pair of keys, websites can encrypt URLs using the options below. The CDN can in turn decrypt those URLs and serve them without revealing the real URL to the user.
Method | Choose between:
|
Secret | The secret to use when generating secured URLs using the “simple” method. This value must be the same as in the code which generates the URLs on the website. |
Vendor | Since there is no standard secured URL implementation, here you can choose which vendor implementation to use. Currently, only vendor “Leaseweb” is supported. |
Use client IP | Include the user’s IP address in the secret used to generate a “simple” secured URL. This makes the generated secure URLs accessible only by the user that requested them. |
Number of path components | Number of path components to protect, counting from the beginning. Set to “-1” to protect the entire URL. This doesn’t include tokens if they are embedded into the path. |
Embed into path | Enable this option to embed the secure URL tokens (st, e and/or key) into the beginning of the path. Example for “simple” secure URL: Enabled: /9vvJQlqkDmEgMeSDgjiaOA/1484062002/file.pdf |
For this to work however, the secured URLs need to be prepared beforehand. Usually the website that distributes the URLs executes some code that takes care of that. Below we offer examples that demonstrate how to generate a secure URL. Both examples are written in the PHP language, but should be fairly easy to port to any other language you may be using.
This first example shows how to produce a "Simple" type of secure URL. This is the most common type in use.
<?php
$cname = 'cdn.example.com'; // This is the CNAME of the CDN distribution.
$path = '/path/to/secret_file.pdf'; // This is the file that is served to the visitor.
$secret = '<secret>'; // The Global Secret configured in the distribution.
$expire = time() + 86400; // At which point in time the file should expire. time() + x; would be the usual usage.
$ip = ""; // IP address allowed to access the URL, leave empty for no restriction.
$embed_into_path = false; // Set to true if tokens should be part of the URL.
$number_of_path_components = -1; // Number of first path components that will be protected, -1 stands for "Whole URL".
if ($number_of_path_components == -1) {
$secured_path = $path;
} else {
$matches = [];
if (preg_match("!^(?:/[^/]+){{$number_of_path_components}}!", $path, $matches)) {
$secured_path = $matches[0];
} else {
$secured_path = $path;
}
}
$secure_url = $secret . $ip . $secured_path . $expire;
$secure_url_md5 = md5($secure_url, true);
$secure_url_base64 = base64_encode($secure_url_md5);
$secure_url_strtr = strtr($secure_url_base64, "+/", "-_");
$secure_url_replace = str_replace("=", "", $secure_url_strtr);
if ($embed_into_path) {
$secret_url_final = "http://$cname/$secure_url_replace/$expire" . $path;
} else {
$secret_url_final = "http://$cname" . $path . '?st=' . $secure_url_replace . '&e=' . $expire;
}
echo $secret_url_final . "\n";
The second example shows how to create an "Encrypted" type of secure URL.
<?php
function base64url_encode($data) {
return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
function base64url_decode($data) {
return base64_decode(str_pad(strtr($data, '-_', '+/'), strlen($data) % 4, '=', STR_PAD_RIGHT));
}
function aes_encrypt($data, $aes_key, $sha_key) {
// apply PKCS#7 padding
$pad = 16 - strlen($data) % 16;
$data .= str_repeat(chr($pad), $pad);
// generate random IV
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), MCRYPT_DEV_URANDOM);
// apply AES-256-CBC
$crypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $aes_key, $data, MCRYPT_MODE_CBC, $iv);
// add SHA-256 HMAC
$sha = hash_hmac('sha256', $iv . $crypt, $sha_key, true);
// return everything
return $iv . $crypt . $sha;
}
$aes_key = pack('H*', '<aes_key>'); // e.g. 34B6337D3F9A0F35F7705F6B97419A05DA5CF013CD2C03DC4D5D00A183FF286A
$sha_key = pack('H*', '<sha_key>'); // e.g. A018E6F952A89E7E5A0DD1C5FD36530351FD22324CB4084DA4EA903E690697A4
$scheme = "http"; // http or https.
$cname = 'cdn.example.com'; // This is the CNAME of the distribution.
$path = '/path/to/secret_file.pdf'; // This is the path/file that is served to the visitor.
$expire = time() + 3600; // At which point in time the file should expire. time() + x; would be the usual usage.
$remote_address = "0.0.0.0/0"; // ipv4 or ipv6 network range that is allowed to access url in CIDR notation.
$transfer_rate = "256"; // the maximum speed per connection at which an individual visitor can download.
$burst_size = "4096"; // the data that can be downloaded before the transfer rate applies.
$embed_into_path = false; // Set to true if tokens should be part of the URL.
$number_of_path_components = -1; // Number of first path components that will be protected.
if ($number_of_path_components == -1) {
$secured_path = $path;
} else {
$matches = [];
if (preg_match("!^(?:/[^/]+){{$number_of_path_components}}!", $path, $matches)) {
$secured_path = $matches[0];
} else {
$secured_path = $path;
}
}
$args = "path=$secured_path&expire=$expire&ip=$remote_address&ri=$burst_size&rs=$transfer_rate";
$token = base64url_encode(aes_encrypt($args, $aes_key, $sha_key));
if ($embed_into_path) {
$final_url = "$scheme://$cname/$token$path";
} else {
$final_url = "$scheme://$cname$path?key=$token";
}
echo $final_url . "\n";
Rewrites
Allows performing URL rewrites on the CDN, off-loading this responsibility from the origin(s). One or more rules can be added by clicking on Add.
flag | Standard URL rewrite flags that dictate what to do when a URL matches this rewrite rule.
| ||||||||
Regex | Regular expression to apply on the URL. | ||||||||
Replacement | Replacement string to apply to the URL matched by the regular expression. Match variables (like $1) are supported. |
After filling in all the relevant fields, save your changes by clicking on Save.
Invalidations
Under normal conditions, the lifetime (TTL) of an object in the CDN cache should be determined by standard HTTP caching headers like Cache-Control produced by the origin(s). In certain situations however, specific URLs may be required to be removed from the cache so that a fresh copy of the content can be fetched from the origin. This could happen for example when:
A specific file on the origin was damaged or malformed at the time when it was cached, it has now been fixed and the CDN needs to get the new fixed version of that file.
Some files on the origin with long TTLs were changed because of a site re-design or major upgrade and the CDN needs to re-cache those files to reflect the changes.
A copyright claim has been issued about a specific file and, regardless of its TTL, the file needs to be removed from the cache as soon as possible to comply with the law.
This process is called invalidation and can be accessed through the Invalidate option at the bottom of the main menu on the left of the dashboard. Invalidations are resource intensive operations and should only be used on occasion, never as part of the normal workflow of the distribution. This is especially true for Multi CDN distributions, where invalidation requests and their completion status need to be communicated with 3rd-party platforms. For that reason, invalidations can take up to a few minutes to complete and are restricted in the following ways, to ensure the proper function of the CDN platform:
There is a limit on the frequency of invalidation requests. Each customer is allowed to submit at most one request every minute.
An individual invalidation request can contain up to 75 URLs. This allows a batch of invalidations to be requested by a single action.
There are fair-use policies in place to ensure that a single customer cannot overwhelm the invalidation request queue. A customer who submitted just 1 request will not have to wait for another customer's 100 invalidation requests to complete first.
To request an invalidation, click on the Invalidate menu item on the dashboard's main menu. In the screen that appears, type in the desired URL in the "Invalidate URLs" field and click on Add URL. Every added URL will appear directly below, in the "Invalidation list". As already mentioned, you can add up to 75 URLs to the invalidation request this way.
Using the Invalidation list, you can review the URLs destined for invalidation before actually submitting the request. The list allows you to un-check any URLs you wish to remove from the request, in case you added the wrong URL by accident. The invalidation request is finally queued for processing when you click on the button Submit invalidations.
All already submitted invalidation requests are then shown in the last pane of the page called Invalidations. For each request, an ID is displayed, which can be used for tracking purposes, as well as its status. Invalidation requests that are waiting their turn to be processed in the queue show as Pending, and this can last a few minutes depending on the type of distribution and the size of the current invalidation queue. After the invalidation request is processed, its status will be automatically set to Complete or Error depending on if it succeeded or not.
In the Action(s) column, you can click on the Details button to see more information about which invalidations succeeded, which failed and why. It is possible for an invalidation request to expire if it remains pending for too long, in which case it will receive the status Expired. Such requests can be re-queued for processing if you click the right-most Re-submit action button.
Resellers
Reseller accounts allow the operator to create sub-accounts which they can distribute among their customers. Each sub-customer can then create their own properties separate from all others. This helps with accounting of each sub-customer’s properties and how much resources they consume.
Reseller accounts themselves cannot host distributions and other CDN properties, only their sub-accounts can. Therefore, if as a reseller you need to create distributions for your own use, you should create a sub-account to host them in.
The main consequence of this, is that the reseller account dashboard looks slightly different compared to a normal CDN account. Only a list of sub-customers is shown for you to manage. In this interface, for each sub-customer the following information is shown:
Customer name
Customer description
Bandwidth used
Furthermore, the following controls are available for each sub-customer:
A switch to enable or disable the customer’s account. If you click it, a confirmation dialog will appear. Please note that changing an account’s status requires considerable processing in order to (among other things) disable or enable the account’s distributions, which results in a noticeable delay before changes actually take effect.
A button to “impersonate” the customer. This allows you access to the customer’s account as they see it when they log in. This is how you’ll be able to access your own CDN account or assist any of your customers with their configuration settings in theirs. When you click it, a yellow bar appears at the bottom of the dashboard, showing you which account you are currently impersonating. To stop impersonating a customer, click on this yellow bar and you’ll return to the reseller’s dashboard showing the list of your customers.
A trashcan action icon which allows you to delete a customer and all of their properties. A confirmation dialog will appear if you click on it.
Add a (sub)customer
You can add a customer by clicking on the orange + icon at the top-right side of the customer list.
There is currently no option to edit a customer’s details. Therefore, please take good care when creating one.
The required fields that need to be filled when setting up a customer are the following:
Account name | Usually the company name or owner is set here. |
Account description | Secondary information about the customer, like third-party reference IDs for example |
Email address | This is in effect the username the customer will use to login. It is unique to the CDN platform, so the customer creation will fail if the email address is used by another account. |
Password | The password the customer will need to use in order to login. |
First / last name | The interface uses the customer’s first and last name in the account overview on the top-right side of the dashboard. Here is where this information is setup. |
Phone number | The customer’s phone number where they can be reached in an emergency. |
After filling in all the above details, the customer creation can be completed by clicking on the Save button.