Remote authentication is an access control feature that is used to protect resources. You can configure remote authentication to authenticate user requests that are sent to points of presence (POPs) of Alibaba Cloud CDN and process the requests based on the authentication results. If you enable remote authentication, only authorized users can access resources. This topic describes how remote authentication works and how to enable remote authentication in the ApsaraVideo VOD console. This topic also provides relevant API references.
How it works
ApsaraVideo VOD supports URL signing and remote authentication to help prevent site resources from being illegally downloaded or used. The following section describes the differences between URL signing and remote authentication:
URL signing: After you apply signing rules that are created for a domain name to POPs, the POPs complete the signing process. For more information about URL signing, see Configure URL signing.
Remote authentication: You can specify a self-managed authentication server. After POPs receive client requests, the requests are redirected to the specified authentication server.
The following figure shows how remote authentication works.
A client sends a request to a CDN POP. The request carries parameters that are used for authentication.
The POP redirects the request to the authentication server.
The authentication server checks the request parameters and returns the authentication result to the POP.
The POP processes the request based on the authentication result that is returned from the authentication server. If the request passes the authentication, access is allowed. If the request fails the authentication, access is denied or restricted. Examples:
Example 1: The request passes the authentication. The POP returns the requested resources to the user.
Example 2: The request fails the authentication. The POP returns the HTTP status code 404 to the user.
Example 3: The request fails the authentication. The POP throttles requests from the user.
Example 4: The authentication times out. The POP performs the specified action such as the allow action.
Usage notes
After you enable remote authentication, the authentication server checks each request. If you estimate a large number of requests to be sent to the POP, make sure that the authentication server can handle traffic spikes without compromising performance.
Procedure
Log on to the ApsaraVideo VOD console.
In the left-side navigation pane, click Configuration Management.
Choose CDN Configuration > Domain Names. The Domain Names page appears.
Find the domain name that you want to configure and click Configure in the Actions column.
On the page that appears, click Resource Access Control.
Click the Remote Authentication tab.
Turn on Remote Authentication and configure remote authentication.
The following table describes the parameters for remote authentication.
Parameter
Description
Authentication Server Address
Enter the address of the authentication server. The address must be publicly accessible. Alibaba Cloud CDN checks the specified server address and the format of the address.
Supported formats
The server address must be in one of the following formats:
http://example.com/auth
https://example.com/auth
http://192.0.2.1/auth
https://192.0.2.1/auth
Address requirements
The server address cannot contain 127.0.0.1 or localhost. Otherwise, the server address is considered invalid.
Request Method
Select a request method that is supported by the authentication server. Valid values: GET, HEAD, and POST.
POST
Parameters are transmitted in the request body and the address bar remains unchanged.
The size for data transmission is unlimited.
Requests are not cached or stored in browser history.
Security is high.
GET
Parameters are transmitted in the request line, and the address bar displays the values of the parameters.
A maximum of 1,024 bytes can be transmitted for a request due to browser limits.
Requests are cached and stored in browser history.
Security is low.
HEAD
The HEAD method is similar to the GET method. However, the server does not return the request body after you call the HEAD method.
File Types
All: The authentication server checks all file types.
Specified: The authentication server checks only the file types that you specify.
If you specify multiple file types, separate the file types with vertical bars (|). Example: mp4|flv.
File types are case-sensitive. For example, jpg and JPG are considered different file types.
Parameters to Retain
Specify the URL parameters that you want the authentication server to check. Valid values: Retain All URL Parameters, Retain Specified URL Parameters, and Delete All URL Parameters.
If you specify multiple parameters, separate the parameters with vertical bars (|). Example: user|token.
Parameters are case-sensitive. For example, key and KEY are considered different parameters.
Add Custom Parameters
Add custom parameters to the URLs of requests before the requests are redirected to the authentication server.
You can select Customize to specify key-value pairs, or Select to use preset variables in the ApsaraVideo VOD console.
When you specify key-value pairs, take note of the following rules:
Separate values with vertical bars (|). Example: token=$arg_token|vendor=ali_cdn.
Parameters are case-sensitive. For example, key and KEY are considered different parameters.
If you use preset variables, the values of the selected variables are added to client requests before the requests are redirected to the authentication server.
For example, if you select the $http_host variable, host=$http_host is added to the URLs of requests before the requests are redirected to the authentication server. host indicates the value of the Host header field. For more information about the variables, see the Variables section of this topic.
Request Headers to Retain
Specify the request headers that you want the authentication server to check. Valid values: Retain All Request Headers, Retain Specified Request Headers, and Delete All Request Headers.
If you specify multiple request headers, separate the request headers with vertical bars (|). Example: user_agent|referer|cookies.
Request headers are not case-sensitive. For example, http_remote_addr and HTTP_Remote_Addr are considered the same request header.
NoteIf you select Retain All Request Headers, the POP deletes the Host header from requests. If you want to retain the Host header in requests, you can configure Retain Specified Request Headers or Add Custom Parameters. By default, the POP deletes the Host header from requests because the Host header in requests that are redirected to the authentication server specifies the accelerated domain name. In this case, the authentication server may fail to identify the requests, which may cause authentication errors such as the HTTP status code 404.
Add Custom Parameters
Add custom request headers to requests that are sent to the POP before the requests are redirected to the authentication server.
You can select Customize to specify key-value pairs, or Select to use preset variables in the ApsaraVideo VOD console.
When you specify key-value pairs, take note of the following rules:
Separate multiple request headers with vertical bars (|). Example: User-Agent=$http_user_agent|vendor=ali_cdn.
Request headers are not case-sensitive. For example, http_remote_addr and HTTP_Remote_Addr are considered the same request header.
If you use preset variables, the values of the variables are added to requests that are sent to the POP before the requests are redirected to the authentication server.
For example, if you select the $http_host variable, host=$http_host is added to the URLs of requests before the requests are redirected to the authentication server. host indicates the value of the Host header field. For more information about the variables, see the Variables section of this topic.
Successful Authentication
Specify the HTTP status code that is returned by the authentication server if a request passes the authentication. We recommend that you set the HTTP status code for successful authentication to 2XX.
If you set the HTTP status code to 200, the authentication server returns the HTTP status code 200 to CDN POPs for client requests that pass the authentication. If the authentication server returns an HTTP status code that does not indicate whether the request passes or fails the authentication, the authentication times out.
Failed Authentication
Specify the HTTP status code that is returned by the authentication server if a request fails the authentication. We recommend that you set the HTTP status code for failed authentication to 4XX.
If you set the HTTP status code to 403, the authentication server returns the HTTP status code 403 to CDN POPs for client requests that fail the authentication. If the authentication server returns an HTTP status code that indicates whether the request passes or fails the authentication, the authentication times out.
Custom HTTP Status Code
Specify the HTTP status code that is returned from the POP to the user after the POP receives an HTTP status code indicating failed authentication from the authentication server.
If you set Custom HTTP Status Code to 403, the POP returns the HTTP status code 403 to the user for requests that fail the authentication.
Timeout
The timeout period starts when the POP redirects a request to the authentication server. The timeout period ends when the POP receives the authentication result from the authentication server.
Unit: milliseconds. Maximum value: 3000.
Action
Specify the action that the POP performs on a request if the authentication times out. Valid values:
Allow: The POP returns the requested resources to the user.
Reject: The POP rejects the request and returns the HTTP status code that you specify in the Custom HTTP Status Code field to the user.
Click OK.
After you enable remote authentication, you can modify the settings of remote authentication or disable remote authentication on the Remote Authentication tab.
Variables
If you add custom parameters, you can select preset variables that are provided by ApsaraVideo VOD. The following table describes the variables.
Variable | Description |
$http_host | The value of the Host header field. |
$http_user_agent | The value of the User-Agent header field. |
$http_referer | The value of the Referer header field. |
$http_content_type | The value of the Content-Type header field. |
$http_x_forward_for | The value of the X-Forwarded-For header field. |
$remote_addr | The IP address of the client that sends the request. |
$scheme | The protocol of a request. |
$server_protocol | The protocol version of the request. |
$uri | The original URI of the request. |
$args | The query string of the request URL. The query string does not include the question mark (?). |
$request_method | The request method. |
$request_uri | The content of uri+'?'+args. |