Requesting CDN
Available in Classic and VPC
This document describes how to request a CDN service on NAVER Cloud Platform’s console.
Requesting CDN
To request a new Global CDN service, do the following:
- Click the environment you are using in the Region menu and Platform menu of NAVER Cloud Platform console.
- Click Services > Content Delivery > Global CDN.
- Click [Request CDN].
- Proceed with the following steps in order.
1. Setting up service
Set the attributes of the CDN service, including the service name, protocol and domain. The setting items are as follows:
Item | Description |
---|---|
Service name | Enter a unique name for the service |
Service protocol | Set the protocol to use for the CDN service |
Service domain | Set the CDN domain to be accessed by the client |
Access Log | Select whether to save the CDN access log in Object Storage. |
Description | When necessary, you can enter a brief note concerning the CDN |
- To use the log saving option, you must be subscribed to Object Storage and have buckets created. For more information on using the service, see the Object Storage use guide.
- The log file contains multiple items, which are separated by a blank space. If there is no data for an item, the log shows "-".
- Log file format
client_ip - - [date] "http_method url_stem HTTP/1.1" status_code total_bytes "referrer" "user_agent" "cookie"
client_ip
: client IP
- -
: unused value
[date]
: date and time of request
"http_method url_stem HTTP/1.1"
: HTTP request method, URI, HTTP version
status_code
: response code
total_bytes
: total volume of the server’s response to the client
"referrer"
: referrer of the request
"user_agent"
: agent of the client
"cookie"
: cookie value of the request
- <example>
211.249.40.9 - - [09/Feb/2018:03:50:01 +0000] "GET /nrbjdrlsuogw479257.gcdn.ntruss.com/sample_mv.mp4 HTTP/1.1" 200 20444604 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "-"
2. Setting up original server
Set the location of the original content, and set the communication attributes between the original server and the CDN cache server. The setting items are as follows:
Item | Description |
---|---|
Origin location | Set the location of the original content for using the CDN service. |
Original content path (optional) | Enter the subdirectory where the original content is located. This is needed only if you are storing the original content in a subdirectory instead of the default directory. |
Forward Host Header | Set the host header to be sent when a request is made from the CDN to the original server. If the original content is located in the Object Storage, you can only set Origin Hostname. |
Cache Key Hostname | Set the cache key, which is the unique identifier of the content. By setting this appropriately as per the service characteristics, you can enhance the caching efficiency. |
Gzip Compression | Select whether to compress the content to be transferred. |
Custom Header (for original content request) | Enable addition, editing and deletion of the header in requesting the original content. You can use this option to restrict access to the original content. |
Certificate authority
If you are using HTTPS, you need to validate the certificate of the original server to prevent "man-in-the-middle" (MITM) attacks. Certificates issued by the following certificate authorities (CAs) are valid.
Certificate Authority |
---|
VeriSign Class 4 Public Primary Certification Authority - G3 |
AddTrust External CA Root |
Class 2 Primary CA |
Network Solutions Certificate Authority |
Entrust Root Certification Authority |
thawte Primary Root CA |
DigiCert Assured ID Root CA |
QuoVadis Root CA 2 G3 |
GlobalSign Root CA |
America Online Root Certification Authority 2 |
QuoVadis Root Certification Authority |
QuoVadis Root CA 3 |
SwissSign Silver CA - G2 |
Certum CA |
GlobalSign |
SwissSign Gold CA - G2 |
SecureTrust CA |
AffirmTrust Commercial |
Go Daddy Root Certificate Authority - G2 |
Entrust Root Certification Authority - G2 |
Global Chambersign Root |
thawte Primary Root CA - G3 |
Starfield Services Root Certificate Authority - G2 |
Baltimore CyberTrust Root |
VeriSign Class 3 Public Primary Certification Authority - G5 |
VeriSign Universal Root Certification Authority |
GeoTrust Global CA |
AffirmTrust Premium |
DigiCert High Assurance EV Root CA |
QuoVadis Root CA 2 |
UTN-USERFirst-Hardware |
Entrust.net Certification Authority (2048) |
GeoTrust Primary Certification Authority |
AffirmTrust Networking |
GeoTrust Primary Certification Authority - G3 |
DST Root CA X3 |
COMODO Certification Authority |
UTN - DATACorp SGC |
VeriSign Class 3 Public Primary Certification Authority - G3 |
TC TrustCenter Class 2 CA II |
Cybertrust Global Root |
DigiCert Global Root CA |
3. Setting up caching
Set the caching attributes of the Global CDN, including caching options and caching expiry time. The setting items are as follows:
Item | Description |
---|---|
Caching Option | Set the basic options of the caching policy |
Force Revalidation of Stale Objects | If communication with the original server is difficult, select whether to provide cached contents |
Cache expiry | Set the cycle of checking for content change through comparison between the cached and the original contents. |
Ignore Query String | Select whether to ignore the query strings in the client’s request statement when a content is requested from the original server. Enabling this option can improve caching efficiency. |
Remove Vary Header | Select whether to delete the header when the original server responds with the Vary header. Enabling this option can improve caching efficiency. |
Large File Optimization | Select whether to optimize transfer of large files to improve caching efficiency. |
4. Setting up viewer transfer
Set the attributes for content transfer from the CDN cache server to the user. The setting items are as follows:
Item | Description |
---|---|
Gzip Compression | Select whether to compress the content to be sent to the client. |
Referrer Domain | Allow response only to requests including a specified domain referrer. You can use this option to restrict access. |
Security Token | Allow response only to requests permitted through token verification. |
Custom Header (user response) | Enable addition, editing and deletion of the header in sending the response. |
Creating security token
If you wish to use security tokens, refer to the following documents to create tokens.
- You can create tokens using the SDK provided for each available language.
  - Python: https://github.com/akamai/EdgeAuth-Token-Python
  - Java: https://github.com/akamai/EdgeAuth-Token-Java
  - Ruby: https://github.com/akamai/EdgeAuth-Token-Ruby
  - NodeJS: https://github.com/akamai/EdgeAuth-Token-Node
  - Golang: https://github.com/mobilerider/EdgeAuth-Token-Golang
  - C#: https://github.com/BookBeat/EdgeAuth-Token-CSharp
- The following are the parameters needed to create a token:
  - Token name: all tokens are named "token"
  - Start (st)/End (exp) times: start and end times of the token’s validity period
  - Key: verification password issued automatically when you create a security token
  - ACL (Access Control List): URI to grant access to with the token. You can use the wildcard (*) to grant access to specific paths.
- <example>
Creating security token in Java
- Sample code for token creation

```java
package com.akamai.edgeauth;

public class ExampleEdgeAuth {
    public static void main(String[] args) {
        String hostname = "example.cdn.ntruss.com"; // service domain name
        String ET_ENCRYPTION_KEY = "b2b1";          // key for creating a token
        String tokenName = "token";                 // token name is fixed as "token"
        long duration = 3600L;                      // 3600 seconds = 1 hour
        try {
            EdgeAuth ea = new EdgeAuthBuilder()
                    .key(ET_ENCRYPTION_KEY)
                    .startTime(EdgeAuth.NOW)
                    .windowSeconds(duration)
                    .tokenName(tokenName)
                    .escapeEarly(false)
                    .build();
            String acl = "/sample.pdf*";     // path pattern the token grants access to
            String file_url = "/sample.pdf"; // content being requested
            String token = ea.generateACLToken(acl);
            String url = String.format("http://%s%s?%s=%s", hostname, file_url, tokenName, token);
            System.out.println(url);
        } catch (EdgeAuthException e) {
            e.printStackTrace();
        }
    }
}
```
- Request URL created after executing the code
http://example.cdn.ntruss.com/sample.pdf?token=st=1592202370~exp=1592205970~acl=/sample.pdf*~hmac=d422a548ae769bbaddc1d27f03fe6e096a4ba492928f3eb9c09824f93d78f507
Creating security token in Python
- Sample code for token creation
$ python cms_edgeauth.py -k b2b1 -n token -s now -w 3600 -a '/sample.pdf*'
- Enter the command as shown in the example. The following result is output:
token=st=1592204787~exp=1592208387~acl=/sample.pdf*~hmac=79872098f16596c8c40ebab649ae2aac8cce3e3bece204b641c99b6cfac42779
- Request URL created after executing the code
http://example.cdn.ntruss.com/sample.pdf?token=st=1592204787~exp=1592208387~acl=/sample.pdf*~hmac=79872098f16596c8c40ebab649ae2aac8cce3e3bece204b641c99b6cfac42779
If the clock on the user’s server runs 2-4 seconds ahead of the CDN server when it creates a token, the CDN server recognizes the value of the token parameter start_time as "Too early," causing the verification to fail. To prevent this, set start_time and end_time to be 10 seconds earlier and later, respectively, than the current time. You need to use NTP to accurately synchronize the web servers for creating tokens.
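The clock-skew failure and the 10-second margin can be reproduced locally with the following added example, which is not code from the SDKs or from this documentation. `check_token` is a hypothetical stand-in for the CDN-side verification, and the HMAC-SHA256 over the `st`/`exp`/`acl` fields with a hex-decoded key is an assumption modeled on the token layout shown in the outputs above; the margin is read here as padding each end of the validity window by 10 seconds.

```python
import fnmatch
import hashlib
import hmac
import time

SKEW_MARGIN = 10  # seconds of padding on each side of the validity window

def _mac(key_hex, body):
    # Assumption: HMAC-SHA256 over the token body, key given as a hex string.
    return hmac.new(bytes.fromhex(key_hex), body.encode(), hashlib.sha256).hexdigest()

def build_token(key_hex, acl, window, now=None, margin=SKEW_MARGIN):
    """Build st=..~exp=..~acl=..~hmac=.. with the window padded by `margin`."""
    now = int(time.time()) if now is None else int(now)
    body = f"st={now - margin}~exp={now + window + margin}~acl={acl}"
    return f"{body}~hmac={_mac(key_hex, body)}"

def check_token(key_hex, token, path, verifier_now):
    """Hypothetical verifier: returns a status string for the given clock reading."""
    body, sep, mac = token.rpartition("~hmac=")
    if not sep:
        return "malformed"
    # Authenticate first, so fields are only parsed from an intact token.
    if not hmac.compare_digest(mac.encode(), _mac(key_hex, body).encode()):
        return "bad hmac"
    fields = dict(item.split("=", 1) for item in body.split("~"))
    if verifier_now < int(fields["st"]):
        return "too early"
    if verifier_now > int(fields["exp"]):
        return "expired"
    if not fnmatch.fnmatchcase(path, fields["acl"]):
        return "acl mismatch"
    return "ok"

if __name__ == "__main__":
    issuer_now = 1592202370   # constructed issuer clock reading
    cdn_now = issuer_now - 3  # constructed: verifier clock 3 seconds behind
    for margin in (0, SKEW_MARGIN):
        tok = build_token("b2b1", "/sample.pdf*", 3600, now=issuer_now, margin=margin)
        print(margin, check_token("b2b1", tok, "/sample.pdf", cdn_now))
```

The margin only absorbs small drift; it lengthens every token's lifetime by the same amount, so NTP synchronization remains the primary control.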
5. Checking result
Check the settings and then click [Request CDN] at the bottom of the screen.
- The requested CDN is added to the list, showing the status Requested.
- It takes at least 2 hours for the CDN to be configured in all global bases, and once configuration is complete, the status changes to Operating.
Setting client DNS for using CDN
If you have selected a privately owned domain as the service domain when requesting CDN, you need to connect the CDN service domain displayed after requesting the CDN service to the DNS in operation to be able to use the service.
Register the CDN service domain using the CNAME record on the DNS system in operation or through the hosting provider.
On the server, you can use the dig or nslookup command to check if the CNAME record is set properly.
- <example> If the client’s domain is "sample.example.com" and the CDN service domain is "example.gcdn.ntruss.com"
sample.navercdn.com 600 IN CNAME example.gcdn.ntruss.com.