Request CDN

Available in Classic and VPC

You can request a CDN service from the NAVER Cloud Platform’s console.

Request CDN

To request a new Global CDN service, do the following:

  1. From NAVER Cloud Platform console, navigate to i_menu > Services > Content Delivery > Global CDN.
  2. Click [Request CDN].
  3. Proceed with the following steps in order:

1. Service settings

Set the attributes of the CDN service, including the service name, protocol and domain. The setting items are as follows:

Item: Description
Service name: Enter a unique name for the service.
  • The name must be 3 to 35 characters long and only include English letters, numbers and the hyphen (-).
Service protocol: Set the protocol to use for the CDN service.
  • Select from HTTP, HTTPS, and ALL.
  • If you select HTTPS, you need to enable HTTPS communication on the origin server as well.
  • If you are using a privately owned domain, you can only select HTTP.
Service domain: Set the CDN domain to be accessed by the client.
  • Use CDN domain: Use the CDN domain of NAVER Cloud Platform.
    • Auto-generate: Auto-generate a domain in the format of "random ID.gcdn.ntruss.com".
    • Enter manually: Create a domain in the format of "ID.gcdn.ntruss.com". The ID cannot be longer than 40 characters and must only include English letters, numbers and the hyphen (-).
  • Use privately owned domain: Use a privately owned domain instead of one provided by NAVER Cloud Platform. Enter the domain you want to use manually.
    • You can use up to 50 domains at a time.
    • If you are entering multiple domains, insert a line break between the domains.
    • After requesting a CDN, you need to set the domain of NAVER Cloud Platform as a CNAME in the DNS system or by contacting the hosting provider.
Access Log: Select whether to save the CDN access log in Object Storage.
  • If you have selected Yes, select the Region and bucket for the Object Storage to use.
  • The log data are saved in the bucket 20 minutes after each hour (saved every 1 hour) in the format of "service name_instance ID_YYYYMMDD_HH.log.gz".
  • Generating a new log may take up to 24 hours.
Description: When necessary, you can enter a brief note concerning the CDN.
Note
  • To use the log saving option, you need to be subscribing to Object Storage and have buckets created. For more information on using the service, see Object Storage use guide.
  • The log file contains multiple items, which are separated by a blank space. If there is no data, the log shows "-".
  • Log file format
    client_ip - - [date] "http_method url_stem HTTP/1.1" status_code total_bytes "referrer" "user_agent" "cookie"
    • client_ip: Client IP
    • - -: Unused value
    • [date]: Date and time of request
    • "http_method url_stem HTTP/1.1": HTTP request method, URI, HTTP version
    • status_code: Response code
    • total_bytes: Total volume of the server’s response to the client
    • "referrer": Referrer of the request
    • "user_agent": Agent of the client
    • "cookie": Cookie value of the request
    • Example:
      211.249.40.9 - - [09/Feb/2018:03:50:01 +0000] "GET /nrbjdrlsuogw479257.gcdn.ntruss.com/sample_mv.mp4 HTTP/1.1" 200 20444604 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "-"
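
A parser for the log format above, with a per-client count of 4xx responses and a list of lines that did not match. This is an added example, not code from NAVER Cloud Platform; the function names and every sample line except the first are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# One named group per field of the documented format.
LOG_RE = re.compile(
    r'^(?P<client_ip>\S+) - - \[(?P<date>[^\]]+)\] '
    r'"(?P<http_method>\S+) (?P<url_stem>\S+) (?P<http_version>[^"]+)" '
    r'(?P<status_code>\d{3}|-) (?P<total_bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of typed fields, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    try:
        when = datetime.strptime(m.group("date"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    # "-" means "no data" in this format, so map it to None.
    rec = {k: (None if v == "-" else v) for k, v in m.groupdict().items()}
    rec["date"] = when
    for key in ("status_code", "total_bytes"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def client_errors(lines):
    """Count 4xx responses per client IP; keep unparsed lines for review."""
    errors, unparsed = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec["status_code"] is not None and 400 <= rec["status_code"] < 500:
            errors[rec["client_ip"]] += 1
    return errors, unparsed


# First line is the example from this page; the others are constructed.
SAMPLE = [
    '211.249.40.9 - - [09/Feb/2018:03:50:01 +0000] "GET /nrbjdrlsuogw479257.gcdn.ntruss.com/sample_mv.mp4 HTTP/1.1" 200 20444604 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "-"',
    '198.51.100.7 - - [09/Feb/2018:03:50:02 +0000] "GET /nrbjdrlsuogw479257.gcdn.ntruss.com/sample.pdf HTTP/1.1" 403 312 "-" "Mozilla/5.0" "-"',
    '198.51.100.7 - - [09/Feb/2018:03:50:03 +0000] "GET /nrbjdrlsuogw479257.gcdn.ntruss.com/sample.pdf HTTP/1.1" 403 312 "-" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [09/Feb/2018:03:50:04 +0000] "GET /truncated',
]

if __name__ == "__main__":
    print(client_errors(SAMPLE))
```

The first path segment of `url_stem` is the service domain, so the same parser can split traffic per CDN domain.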
      

2. Origin settings

Caution

When integrating Object Storage with Global CDN, you should not store any information that should not be made public in the Object Storage bucket.

Set the location of the content origin, and set the communication attributes between the origin server and the CDN cache server. The setting items are as follows:

Item: Description
Origin location: Set the location of the content origin for using the CDN service.
  • Use Object Storage: If the origin is in Object Storage on NAVER Cloud Platform, select this option and designate the Region and the bucket.
    • You cannot use buckets that have the Access restricted status allowing access to specific servers only.
    • No fee is charged for network transfer between the CDN and the Object Storage.
  • Enter manually: If your origin is outside Object Storage, select this option and enter the IP address or domain name.
    • Entering the domain name is recommended.
  • Enter the protocol's port number according to the service protocol type selected.
    • If you wish to use other ports than the default ports of the HTTP protocol, only the following port numbers are allowed as per the security policy: 72, 80-89, 443, 488, 591, 777, 1080, 1088, 1111, 1443, 2080, 7001, 7070, 7612, 7777, 8000-9001, 9090, 9901-9908, 11080-11110, 12900-12949, 45002.
  • When using HTTPS, validate the origin's certificate to prevent man-in-the-middle (MITM) attacks. For the list of valid certificate authorities, see Certificate Authority.
Origin path (optional): Enter the subdirectory where the content origin is located. Specify it only if using a specific path instead of the full origin path.
  • The subdirectory must be in the format of "/base_directory_name".
  • Omit "/" at the end of the last subdirectory in the path.
Forward Host Header: Set the host header to be sent when a request is made from the CDN to the origin server. If the origin is located in the Object Storage, you can only set Origin Hostname.
  • Incoming Host Header: Use the host header sent upon the client’s request. Based on the host header of the service domain. This is selectable only if the selected service protocol is HTTP and the content origin is located externally.
  • For example, if ex.gcdn.ntruss.com/img.jpg is requested, the host header is ex.gcdn.ntruss.com.
  • Origin Hostname: If the origin server is set to receive a specific virtual host only, use the applicable host header.
  • Custom Value: Set the host header to the value you specify. Enter the host header value manually.
Cache Key Hostname: Set the cache key, which is the unique identifier of the content. By setting this appropriately as per the service characteristics, you can enhance the caching efficiency.
  • Incoming Host Header: Distinguish content with individual cache keys according to the domain name. Select this when different contents are transferred by different service domains.
  • For example, for logo.gif, http://sample.gcdn.ntruss.com/logo.gif and http://example.gcdn.ntruss.com/logo.gif are different domains and thus the contents are cached as separate entities.
  • Origin Hostname: Identify the content of different domains with the same cache key. Select this when the content transferred is the same as that from the service’s origin server.
  • For example, for logo.gif, http://www.sample.com/logo.gif and http://www.sample.co.kr/logo.gif are identified as the same contents and thus are cached only once.
Gzip Compression: Select whether to compress the content to be transferred.
  • Compressing content reduces the traffic on the origin server and improves the response speed.
  • The CDN requests "Accept-Encoding: gzip" and receives the compressed content from the origin server.
  • To use this option, the origin server must support Gzip compression.
Custom Header (for origin request): Enable addition, editing and deletion of the header in requesting the origin. You can use this option to restrict access to the origin.
  • The maximum header size is 256 bytes.
  • Unavailable string characters: "(),/:;<=>?@[]{}", spaces, and characters other than the English alphabet and numbers.
    For example, Action: Add / Header Name: NCP-Custom-Header / Header Value: ncp

Certificate Authority

If you are using HTTPS, you need to validate the certificate of the origin server to prevent man-in-the-middle (MITM) attacks. Certificates issued by the following certificate authorities (CA) are valid:

Certificate Authority
VeriSign Class 4 Public Primary Certification Authority - G3
AddTrust External CA Root
Class 2 Primary CA
Network Solutions Certificate Authority
Entrust Root Certification Authority
thawte Primary Root CA
DigiCert Assured ID Root CA
QuoVadis Root CA 2 G3
GlobalSign Root CA
America Online Root Certification Authority 2
QuoVadis Root Certification Authority
QuoVadis Root CA 3
SwissSign Silver CA - G2
Certum CA
GlobalSign
SwissSign Gold CA - G2
SecureTrust CA
AffirmTrust Commercial
Go Daddy Root Certificate Authority - G2
Entrust Root Certification Authority - G2
Global Chambersign Root
thawte Primary Root CA - G3
Starfield Services Root Certificate Authority - G2
Baltimore CyberTrust Root
VeriSign Class 3 Public Primary Certification Authority - G5
VeriSign Universal Root Certification Authority
GeoTrust Global CA
AffirmTrust Premium
DigiCert High Assurance EV Root CA
QuoVadis Root CA 2
UTN-USERFirst-Hardware
Entrust.net Certification Authority (2048)
GeoTrust Primary Certification Authority
AffirmTrust Networking
GeoTrust Primary Certification Authority - G3
DST Root CA X3
COMODO Certification Authority
UTN - DATACorp SGC
VeriSign Class 3 Public Primary Certification Authority - G3
TC TrustCenter Class 2 CA II
Cybertrust Global Root
DigiCert Global Root CA

3. Caching settings

Set the caching attributes of the Global CDN, including caching options and caching expiry time. The setting items are as follows:

Item: Description
Caching Option: Set the basic options of the caching policy.
  • Prioritize cache control and expires header of origin server: Run caching according to the Cache-Control or Expires header in the origin server.
    • If the origin server does not respond with a header for caching, the Cache expiry setting is applied.
  • Cache: Cache the object until Cache expiry or max-age.
  • No Store: Run no caching on the CDN server.
  • Bypass Cache: Send all requests to the origin server without caching the object.
  • Honor Origin Cache Control: Run caching according to the Cache-Control header set in the origin server.
  • Honor Origin Expires: Run caching according to the Expires header set in the origin server.
Force Revalidation of Stale Objects: If communication with the origin server is difficult, select whether to provide cached content.
  • Provide cached content regardless of validation status: Provide cached content to the origin server even when the content cannot be revalidated. Service is available even when the origin server undergoes a failure.
  • Provide validated content only: Provide only revalidated content to the origin server. Select this if the origin server undergoing a failure and sending an unvalidated content to the server may affect the service.
Cache expiry: Set the cycle of checking for content change through comparison between the cached content and the origin.
  • If Cache-Control: max-age exists in the response header from the origin server, this setting is prioritized.
  • If the content update cycle is short, it is recommended to set this cycle to be short as well. However, if you do so, load is increased on the origin.
Ignore Query String: Select whether to ignore the query strings in the client’s request when content is requested from the origin server. Enabling this option can improve caching efficiency.
  • You can use it if the origin server responds with the same content regardless of the query strings.
Remove Vary Header: Select whether to delete the header when the origin responds with the Vary header. Enabling this option can improve caching efficiency.
  • Use this if the content remains the same even when the origin responds with a Vary header.
  • Do not use this if the content has multiple versions and different content must be served based on Vary request headers, such as User-Agent, Referer, and Cookie.
Large File Optimization: Select whether to optimize transfer of large files to improve caching efficiency.
  • For transfer of a file that is 100 MB or bigger, the file is cached 2 MB at a time.
  • Supported extensions: 3g2, 3gp, asf, avi, bz2, dmg, exe, f4v, flv, gz, hdp, iso, jxr, m4v, mkv, mov, mp4, mpeg, mpg, mts, pkg, qt, rm, swf, tar, tgz, wdp, webm, webp, wma, wmv, and zip.
  • Supported capacity: 100 MB to 323 GB
  • To use this option, you need to enable Range response in the origin server.
  • To run update without changing the content name, you need to perform purge first.

4. Viewer transfer settings

Set the attributes for content transfer from the CDN cache server to the user. The setting items are as follows:

Item: Description
Gzip Compression: Select whether to compress content when sending to the client.
  • To follow the origin server's compression settings, which are applied flexibly based on content extension or request header, select Apply same as origin compression settings.
  • To use this option, the client’s agent (browser or device) must support Gzip and Unzip. If you are serving an HTML, JavaScript or text-based content that is 10 KB or larger, using this option is recommended.
  • If you are only serving already compressed content, such as images (jpg, png, etc.) and videos (mp4, flv, etc.), using this option is not recommended.
  • If you are using compressed transfer, apply the following Mime Type to the content to be transferred.
    text/html*, text/css*, application/x-javascript*, application/javascript*
Referrer Domain: Configure to respond only to requests containing specific domain referrers. Used for access control purposes.
  • When enabled, enter the referrers to allow responses to.
    • Up to 50 entries allowed; wildcards (*), hyphens (-), and periods (.) can be used.
    • Using a wildcard (*) allows responses to subdomains as well.
  • When enabled, responses to requests without a referrer are allowed by default. To allow responses only to requests with a registered referrer, select Do not allow.
Security Token: Allow responses only to requests permitted through token verification.
  • To use this, select the token location between Query String and Cookie.
  • Extensions exempt from authentication (optional): These extensions will allow content calls/responses without security token. Enter an extension and press [Enter] key to add it.
  • For more information on how to create a token, see Create security token.
Custom Header (user response): Enable addition, editing and deletion of the header in sending the response.
  • The maximum header size is 256 bytes.
  • Unavailable string characters: "(),/:;<=>?@[]{}", spaces, and characters other than the English alphabet and numbers.
    For example, Action: Add / Header Name: Access-Control-Allow-Origin / Header Value: *

Create security token

If you wish to use Security token, see the following documents to create tokens:

  • You can create tokens using the SDK provided for each available language.
  • The following are the parameters needed to create a token:
    • Token name: All tokens are named "token".
    • Start(st)/End times(exp): Start and end times of the token’s validity period.
    • Key: Verification password issued automatically when you create a Security token.
    • ACL (Access Control List): URI to grant access to with the token. You can use the wildcard (*) to grant access to specific paths.
  • Example:
    • Create security token on Java
      • Sample code for token creation
      package com.akamai.edgeauth;

      public class ExampleEdgeAuth {
          public static void main(String[] args) {
              String hostname = "example.cdn.ntruss.com";   // Service domain name
              String ET_ENCRYPTION_KEY = "b2b1";            // Key for creating a token
              String tokenName = "token";                   // Token name is fixed as "token"
              long duration = 3600L;                        // 3600 seconds = 1 hour

              try {
                  // Token is valid from now for `duration` seconds
                  EdgeAuth ea = new EdgeAuthBuilder()
                          .key(ET_ENCRYPTION_KEY)
                          .startTime(EdgeAuth.NOW)
                          .windowSeconds(duration)
                          .tokenName(tokenName)
                          .escapeEarly(false)
                          .build();

                  String acl = "/sample.pdf*";      // Path pattern the token grants access to
                  String file_url = "/sample.pdf";  // Path of the content being requested
                  String token = ea.generateACLToken(acl);
                  String url = String.format("http://%s%s?%s=%s", hostname, file_url, tokenName, token);

                  System.out.println(url);

              } catch (EdgeAuthException e) {
                  e.printStackTrace();
              }
          }
      }
      
      • Request URL created after executing the code
      http://example.cdn.ntruss.com/sample.pdf?token=st=1592202370~exp=1592205970~acl=/sample.pdf*~hmac=d422a548ae769bbaddc1d27f03fe6e096a4ba492928f3eb9c09824f93d78f507
      
    • Create security token on Python
      • Sample code for token creation
      Enter the command as shown in the following example:
      $ python cms_edgeauth.py -k b2b1 -n token -s now -w 3600 -a '/sample.pdf*'
      => The following result is output:
      token=st=1592204787~exp=1592208387~acl=/sample.pdf*~hmac=79872098f16596c8c40ebab649ae2aac8cce3e3bece204b641c99b6cfac42779
      
      • Request URL created after executing the code
      http://example.cdn.ntruss.com/sample.pdf?token=st=1592204787~exp=1592208387~acl=/sample.pdf*~hmac=79872098f16596c8c40ebab649ae2aac8cce3e3bece204b641c99b6cfac42779
      
Note

If the user's token generation server's clock is 2-4 seconds ahead of the CDN server, the CDN server may recognize the start_time token parameter as "too early," causing authentication to fail. To prevent this, set start_time and end_time to be 10 seconds earlier and later, respectively, than the current time. You need to use NTP to accurately synchronize the web servers for creating tokens.
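
The clock-skew failure from the note, together with the token layout shown in the request URLs above, as an added Python example that is not part of this page or of the SDK. The signing step (HMAC-SHA256 over the fields before `~hmac=`, keyed with the hex-decoded key) is an assumption this page does not state; `make_token`, `check_token` and the clock values are hypothetical, and padding the end time by 10 seconds beyond the window is this example's reading of the note.

```python
import binascii
import hashlib
import hmac
import re
import time

SKEW = 10  # padding in seconds, per the note above


def sign(key_hex, body):
    # Assumption: HMAC-SHA256, hex-decoded key, over everything before "~hmac=".
    key = binascii.unhexlify(key_hex)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def make_token(key_hex, acl, window, now=None, skew=SKEW):
    """Issue st/exp/acl/hmac with the window padded by `skew` on both ends."""
    now = int(time.time()) if now is None else int(now)
    body = "st={}~exp={}~acl={}".format(now - skew, now + window + skew, acl)
    return body + "~hmac=" + sign(key_hex, body)


def parse_token(token):
    """Split 'k=v~k=v' into a dict; ValueError if malformed or incomplete."""
    fields = dict(part.split("=", 1) for part in token.split("~"))
    missing = {"st", "exp", "acl", "hmac"} - fields.keys()
    if missing:
        raise ValueError("missing fields: " + ", ".join(sorted(missing)))
    return fields


def check_token(token, key_hex, path, now):
    """Checks a validator has to make; returns 'ok' or the rejection reason."""
    fields = parse_token(token)
    body = token.rpartition("~hmac=")[0]
    if not hmac.compare_digest(fields["hmac"], sign(key_hex, body)):
        return "bad hmac"
    if now < int(fields["st"]):
        return "too early"
    if now > int(fields["exp"]):
        return "expired"
    acl_re = re.escape(fields["acl"]).replace(r"\*", ".*")  # only * is a wildcard
    return "ok" if re.fullmatch(acl_re, path) else "acl mismatch"


if __name__ == "__main__":
    issuer_now, cdn_now = 1592202373, 1592202370  # constructed: issuer 3 s ahead
    for skew in (0, SKEW):
        tok = make_token("b2b1", "/sample.pdf*", 3600, now=issuer_now, skew=skew)
        print(skew, check_token(tok, "b2b1", "/sample.pdf", cdn_now))
```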

5. Check results

Check the settings and then click [Request CDN] at the bottom of the screen.

  • The requested CDN is added to the list, showing the status Requested.
  • It takes at least 2 hours for the CDN to be configured in all global bases, and once configuration is complete, the status changes to Operating.

Client DNS settings for using CDN

If you have selected a privately owned domain as the service domain when requesting CDN, you need to connect the CDN service domain displayed after requesting the CDN service to the DNS in operation to be able to use the service.
Register the CDN service domain using the CNAME record on the DNS system in operation or through the hosting provider.

On the server, you can use the dig or nslookup command to check if the CNAME record is set properly.

  • Example: if the client’s domain is "sample.example.com" and the CDN service domain is "example.gcdn.ntruss.com"
    sample.example.com 600 IN  CNAME   example.gcdn.ntruss.com.