Requesting CDN

    Available in Classic and VPC

    This document describes how to request a CDN service on NAVER Cloud Platform’s console.

    Requesting CDN

    To request a new Global CDN service, do the following:

    1. Click the environment you are using in the Region menu and Platform menu of NAVER Cloud Platform console.
    2. Click Services > Content Delivery > Global CDN.
    3. Click [Request CDN].
    4. Proceed with the following steps in order.

    1. Setting up service

    Set the attributes of the CDN service, including the service name, protocol and domain. The setting items are as follows:

    Item | Description
    Service name | Enter a unique name for the service
    • The name must be 3 to 35 characters long and only include English letters, numbers and the hyphen (-)
    Service protocol | Set the protocol to use for the CDN service
    • Select from HTTP, HTTPS, and ALL
    • If you select HTTPS, you need to enable HTTPS communication on the original server as well
    • If you are using a privately owned domain, you can only select HTTP
    Service domain | Set the CDN domain to be accessed by the client
    • Use CDN domain: use the CDN domain of NAVER Cloud Platform.
      • Auto-generate: auto-generate a domain in the format of "random ID.gcdn.ntruss.com".
      • Enter manually: create a domain in the format of "ID.gcdn.ntruss.com". The ID cannot be longer than 40 characters and must only include English letters, numbers and the hyphen (-)
    • Use privately owned domain: use a privately owned domain instead of one provided by NAVER Cloud Platform. Manually enter a domain to use
      • You can use up to 50 domains at a time.
      • If you are entering multiple domains, insert a line break between the domains.
      • After requesting a CDN, you need to set the domain of NAVER Cloud Platform as CNAME in the DNS system or by contacting the hosting provider.
    Access Log | Select whether to save the CDN access log in Object Storage.
    • If you have selected Yes, select the Region and bucket for the Object Storage to use.
    • The log data are saved in the bucket 20 minutes after each hour (saved every 1 hour) in the format of "service name_instance ID_YYYYMMDD_HH.log.gz".
    • Generating a new log may take up to 24 hours.
    Description | When necessary, you can enter a brief note concerning the CDN
    Note
    • To use the log saving option, you need to be subscribing to Object Storage and have buckets created. For more information on using the service, see Object Storage use guide.
    • The log file contains multiple items, which are separated by a blank space. If there is no data for an item, the log shows "-".
    • Log file format
      client_ip - - [date] "http_method url_stem HTTP/1.1" status_code total_bytes "referrer" "user_agent" "cookie"
      • client_ip: client IP
      • - -: unused value
      • [date]: date and time of request
      • "http_method url_stem HTTP/1.1": HTTP request method, URI, HTTP version
      • status_code: response code
      • total_bytes: total volume of the server’s response to the client
      • "referrer": referrer of the request
      • "user_agent": agent of the client
      • "cookie": cookie value of the request
      • <example>
        211.249.40.9 - - [09/Feb/2018:03:50:01 +0000] "GET /nrbjdrlsuogw479257.gcdn.ntruss.com/sample_mv.mp4 HTTP/1.1" 200 20444604 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "-"
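
A parser for the log format described in this note, as an added example that is not part of the original guide. It maps "-" to None and counts error responses (status 400 and above) per client IP; the function names and every sample line except the first (taken from this page) are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Field order follows the "Log file format" line above.
LINE_RE = re.compile(
    r'(?P<client_ip>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<http_method>\S+) (?P<url_stem>\S+) (?P<http_version>[^"]+)" '
    r'(?P<status_code>\d{3}|-) (?P<total_bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)" "(?P<cookie>[^"]*)"$'
)

def parse_line(line):
    """Return one access-log record as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # The log writes "-" for an item with no data; map it to None.
    rec = {k: (None if v == "-" else v) for k, v in m.groupdict().items()}
    if rec["date"] is not None:
        rec["date"] = datetime.strptime(rec["date"], "%d/%b/%Y:%H:%M:%S %z")
    for key in ("status_code", "total_bytes"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec

def error_counts(lines, min_status=400):
    """Count responses with status >= min_status per client IP, plus unparsable lines."""
    counts, skipped = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif rec["status_code"] is not None and rec["status_code"] >= min_status:
            counts[rec["client_ip"]] += 1
    return counts, skipped

SAMPLE = [
    # First entry is the example line from this page; the others are constructed.
    '211.249.40.9 - - [09/Feb/2018:03:50:01 +0000] '
    '"GET /nrbjdrlsuogw479257.gcdn.ntruss.com/sample_mv.mp4 HTTP/1.1" 200 20444604 "-" '
    '"curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC '
    'zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "-"',
    '192.0.2.10 - - [09/Feb/2018:03:51:12 +0000] '
    '"GET /example.gcdn.ntruss.com/private/report.pdf HTTP/1.1" 403 312 "-" "Mozilla/5.0" "-"',
    '192.0.2.10 - - [09/Feb/2018:03:51:13 +0000] '
    '"GET /example.gcdn.ntruss.com/private/data.zip HTTP/1.1" 403 312 "-" "Mozilla/5.0" "-"',
    '198.51.100.7 - - [09/Feb/2018:03:52:40 +0000] '
    '"GET /example.gcdn.ntruss.com/logo.gif HTTP/1.1" 200 5120 '
    '"http://www.example.com/" "Mozilla/5.0" "sid=abc"',
    '198.51.100.7 - - [09/Feb/2018:03:52:41 +0000] "GET /trunc',  # truncated line
]

if __name__ == "__main__":
    counts, skipped = error_counts(SAMPLE)
    print(counts.most_common(), "unparsable:", skipped)
```

The hourly files are gzip-compressed, so in practice the lines would come from `gzip.open(path, "rt")` rather than an inline list.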
        

    2. Setting up original server

    Set the location of the original content, and set the communication attributes between the original server and the CDN cache server. The setting items are as follows:

    Item | Description
    Origin location | Set the location of the original content for using the CDN service.
    • Object Storage: if Object Storage of NAVER Cloud Platform contains the original content, select this and then select the Region and bucket.
      • You cannot use buckets that have the Access restricted status, which allows access from specific servers only.
      • No fee is charged for network transfer between the CDN and the Object Storage.
    • Enter manually: if the original content is located anywhere other than the Object Storage, enter the applicable IP address or the domain name.
      • Entering the domain name is recommended.
    • Enter the protocol's port number according to the service protocol type selected.
      • If you wish to use other ports than the default ports of the HTTP protocol, only the following port numbers are allowed as per the security policy: 72, 80-89, 443, 488, 591, 777, 1080, 1088, 1111, 1443, 2080, 7001, 7070, 7612, 7777, 8000-9001, 9090, 9901-9908, 11080-11110, 12900-12949, 45002
    • If you are using HTTPS, validate the certificate of the original content to prevent "man-in-the-middle (MITM)" attacks.
    Original content path (optional) | Enter the subdirectory where the original content is located. This is needed only if you are storing the original content in a subdirectory instead of the default directory.
    • The subdirectory must be in the format of "/base_directory_name".
    • Omit "/" at the end of the last subdirectory in the path.
    Forward Host Header | Set the host header to be sent when a request is made from the CDN to the original server. If the original content is located in the Object Storage, you can only set Origin Hostname.
    • Incoming Host Header: use the host header sent with the client’s request, which is based on the host header of the service domain. This is selectable only if the selected service protocol is HTTP and the original content is located externally.
    • <example> If ex.gcdn.ntruss.com/img.jpg is requested, the host header is ex.gcdn.ntruss.com.
    • Origin Hostname: if the original server is set to receive a specific virtual host only, use the applicable host header.
    • Custom Value: customize the host header. Enter the host header value manually.
    Cache Key Hostname | Set the cache key, which is the unique identifier of the content. By setting this appropriately as per the service characteristics, you can enhance the caching efficiency.
    • Incoming Host Header: distinguish contents with individual cache keys according to the domain name. Select this when different contents are transferred by different service domains.
    • <example> For logo.gif, http://sample.gcdn.ntruss.com/logo.gif and http://example.gcdn.ntruss.com/logo.gif are different domains and thus the contents are cached as separate entities.
    • Origin Hostname: identify the contents of different domains with the same cache key. Select this when the content transferred is the same as that from the service’s original server.
    • <example> For logo.gif, http://www.sample.com/logo.gif and http://www.sample.co.kr/logo.gif are identified as the same contents and thus are cached only once.
    Gzip Compression | Select whether to compress the content to be transferred.
    • Compressing content reduces the traffic on the original server and improves the response speed.
    • The CDN requests "Accept-Encoding: gzip" and receives the compressed content from the original server.
    • To use this option, the original server must support Gzip compression.
    Custom Header (for original content request) | Enable addition, editing and deletion of the header in requesting the original content. You can use this option to restrict access to the original content.
    • The maximum header size is 256 bytes.
    • Unavailable string characters: "(),/:;<=>?@[]{}", spaces, characters other than the English alphabet and numbers
      <example> Action: Add / Header Name: NCP-Custom-Header / Header Value: ncp

    Certificate authority

    If you are using HTTPS, you need to validate the certificate of the original server to prevent "man-in-the-middle (MITM)" attacks. Certificates issued by the following certificate authorities (CA) are valid.

    Certificate Authority
    VeriSign Class 4 Public Primary Certification Authority - G3
    AddTrust External CA Root
    Class 2 Primary CA
    Network Solutions Certificate Authority
    Entrust Root Certification Authority
    thawte Primary Root CA
    DigiCert Assured ID Root CA
    QuoVadis Root CA 2 G3
    GlobalSign Root CA
    America Online Root Certification Authority 2
    QuoVadis Root Certification Authority
    QuoVadis Root CA 3
    SwissSign Silver CA - G2
    Certum CA
    GlobalSign
    SwissSign Gold CA - G2
    SecureTrust CA
    AffirmTrust Commercial
    Go Daddy Root Certificate Authority - G2
    Entrust Root Certification Authority - G2
    Global Chambersign Root
    thawte Primary Root CA - G3
    Starfield Services Root Certificate Authority - G2
    Baltimore CyberTrust Root
    VeriSign Class 3 Public Primary Certification Authority - G5
    VeriSign Universal Root Certification Authority
    GeoTrust Global CA
    AffirmTrust Premium
    DigiCert High Assurance EV Root CA
    QuoVadis Root CA 2
    UTN-USERFirst-Hardware
    Entrust.net Certification Authority (2048)
    GeoTrust Primary Certification Authority
    AffirmTrust Networking
    GeoTrust Primary Certification Authority - G3
    DST Root CA X3
    COMODO Certification Authority
    UTN - DATACorp SGC
    VeriSign Class 3 Public Primary Certification Authority - G3
    TC TrustCenter Class 2 CA II
    Cybertrust Global Root
    DigiCert Global Root CA

    3. Setting up caching

    Set the caching attributes of the Global CDN, including caching options and caching expiry time. The setting items are as follows:

    Item | Description
    Caching Option | Set the basic options of the caching policy
    • Prioritize cache control and expires header of original server: run caching according to the Cache-Control or Expires header in the original server
      • If the original server does not respond with a header for caching, the Cache expiry setting is applied
    • Cache: cache the object until Cache expiry or max-age
    • No Store: run no caching on the CDN server
    • Bypass Cache: send all requests to the original server and return its response without caching the object
    • Honor Origin Cache Control: run caching according to the Cache-Control header set in the original server
    • Honor Origin Expires: run caching according to the Expires header set in the original server
    Force Revalidation of Stale Objects | If communication with the original server is difficult, select whether to provide cached contents
    • Provide cached contents regardless of validation status: provide cached contents even when they cannot be revalidated with the original server. Service is available even when the original server undergoes a failure.
    • Provide validated contents only: provide only contents that have been revalidated with the original server.
    Cache expiry | Set the cycle of checking for content change through comparison between the cached and the original contents.
    • If Cache-Control: max-age exists in the response header from the original server, this setting is prioritized.
    • If the content update cycle is short, it is recommended to set this cycle to be short as well. However, if you do so, load is increased on the original content.
    Ignore Query String | Select whether to ignore the query strings in the client’s request when content is requested from the original server. Enabling this option can improve caching efficiency.
    • You can use it if the original server responds with the same contents regardless of the query strings.
    Remove Vary Header | Select whether to delete the header when the original server responds with the Vary header. Enabling this option can improve caching efficiency.
    • You can use it if the contents are the same even when the response includes the Vary header.
    • Do not use this if the content has various versions or the response content must vary according to the request header named in Vary, such as User-Agent, Referer and Cookie.
    Large File Optimization | Select whether to optimize transfer of large files to improve caching efficiency.
    • For transfer of a file that is 100 MB or bigger, the file is cached 2 MB at a time.
    • Supported extensions: 3g2, 3gp, asf, avi, bz2, dmg, exe, f4v, flv, gz, hdp, iso, jxr, m4v, mkv, mov, mp4, mpeg, mpg, mts, pkg, qt, rm, swf, tar, tgz, wdp, webm, webp, wma, wmv, zip
    • Supported capacity: 100 MB - 323 GB
    • To use this option, you need to enable Range response in the original server.
    • To update a file without changing the content name, you need to perform purge first.

    4. Setting up viewer transfer

    Set the attributes for content transfer from the CDN cache server to the user. The setting items are as follows:

    Item | Description
    Gzip Compression | Select whether to compress the content to be sent to the client.
    • Select Apply compression settings of original server to apply the original server’s compression settings which work flexibly according to the content extension or the request header.
    • To use this option, the client’s agent (browser or device) must support Gzip and Unzip. If you are providing an HTML, JavaScript or text-based content that is 10 KB or larger, using this option is recommended.
    • If you are only providing already compressed contents, such as images (jpg, png, etc.) and videos (mp4, flv, etc.), using this option is not recommended.
    • If you are using compressed transfer, apply the following MIME types to the content to be transferred.
      text/html*, text/css*, application/x-javascript*, application/javascript*
    Referrer Domain | Allow response only to requests including a specified domain referrer. You can use this option to restrict access.
    • To use it, you need to enter a referrer to allow response to.
      • You can enter up to 50 referrers, using the wildcard (*), hyphen (-) and period (.).
      • If you are using the wildcard (*), the referrer includes the subdomain.
    • By default, requests without any referrer do receive the response. To allow response only to requests having the specified referrer, select Do not allow.
    Security Token | Allow response only to requests permitted through token verification.
    • To use this, select the token location between Query String and Cookie.
    • Extensions exempted from verification (optional): enter extensions for which to allow contents call and response without token verification. Enter an extension and press [Enter] to add it.
    • For more information on how to create a token, see Creating security token.
    Custom Header (user response) | Enable addition, editing and deletion of the header in sending the response.
    • The maximum header size is 256 bytes.
    • Unavailable string characters: "(),/:;<=>?@[]{}", spaces, characters other than the English alphabet and numbers
      <example> Action: Add / Header Name: Access-Control-Allow-Origin / Header Value: *

    Creating security token

    If you wish to use security tokens, refer to the following documents to create tokens.

    • You can create tokens using the SDK provided for each available language.
    • The following are the parameters needed to create a token:
      • Token name: all tokens are named "token"
      • Start(st)/End times(exp): start and end times of the token’s validity period
      • Key: verification password issued automatically when you create a security token
      • ACL (Access Control List): URI to grant access to with the token. You can use the wildcard (*) to grant access to specific paths.
    • <example>
      • Creating security token in Java

        • Sample code for token creation
        package com.akamai.edgeauth;

        // EdgeAuth, EdgeAuthBuilder and EdgeAuthException come from the token SDK in this package.
        public class ExampleEdgeAuth {
            public static void main(String[] args) {
                String hostname = "example.cdn.ntruss.com";   // Service domain name
                String ET_ENCRYPTION_KEY = "b2b1";            // Key for creating a token
                String tokenName = "token";                   // Token name is fixed as "token"
                long duration = 3600L;                        // 3600 seconds = 1 hour

                try {
                    // Configure the token generator: key, start time, validity window and token name
                    EdgeAuth ea = new EdgeAuthBuilder()
                            .key(ET_ENCRYPTION_KEY)
                            .startTime(EdgeAuth.NOW)
                            .windowSeconds(duration)
                            .tokenName(tokenName)
                            .escapeEarly(false)
                            .build();

                    String acl = "/sample.pdf*";              // ACL: paths the token grants access to
                    String file_url = "/sample.pdf";          // Path of the content being requested
                    String token = ea.generateACLToken(acl);
                    // Attach the token to the request URL as the "token" query string parameter
                    String url = String.format("http://%s%s?%s=%s", hostname, file_url, tokenName, token);

                    System.out.println(url);

                } catch (EdgeAuthException e) {
                    e.printStackTrace();
                }
            }
        }
        
        • Request URL created after executing the code
        http://example.cdn.ntruss.com/sample.pdf?token=st=1592202370~exp=1592205970~acl=/sample.pdf*~hmac=d422a548ae769bbaddc1d27f03fe6e096a4ba492928f3eb9c09824f93d78f507
        
      • Creating security token in Python

        • Sample code for token creation
        Enter the command as shown in the example (the ACL is quoted so that the shell does not expand the wildcard):
        $ python cms_edgeauth.py -k b2b1 -n token -s now -w 3600 -a '/sample.pdf*'
        => The following result is output:
        token=st=1592204787~exp=1592208387~acl=/sample.pdf*~hmac=79872098f16596c8c40ebab649ae2aac8cce3e3bece204b641c99b6cfac42779
        
        • Request URL created after executing the code
        http://example.cdn.ntruss.com/sample.pdf?token=st=1592204787~exp=1592208387~acl=/sample.pdf*~hmac=79872098f16596c8c40ebab649ae2aac8cce3e3bece204b641c99b6cfac42779
        
    Note

    If the clock on the server that creates the token runs 2-4 seconds ahead of the CDN server, the CDN server treats the token's start_time as "Too early" and the verification fails. To prevent this, set start_time and end_time to be 10 seconds earlier and later, respectively, than the current time. You need to use NTP to accurately synchronize the web servers that create tokens.
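
The effect of this note, shown as an added example that is not part of the original guide or of the token SDK. It builds a token in the `st~exp~acl~hmac` layout shown above and runs a hypothetical edge-side check against a clock that is a few seconds behind. Assumptions: the signature is HMAC-SHA256 over the "~"-joined fields with the hex-decoded key, the ACL wildcard behaves like a shell-style pattern, and `build_token`, `parse_token` and `check_token` are illustrative names. Create production tokens with the SDK.

```python
import binascii
import fnmatch
import hashlib
import hmac

PAD = 10  # seconds added on both sides of the window, as the note recommends

# Token taken from the Java example on this page (used only to show the field layout).
PAGE_TOKEN = ("st=1592202370~exp=1592205970~acl=/sample.pdf*~hmac="
              "d422a548ae769bbaddc1d27f03fe6e096a4ba492928f3eb9c09824f93d78f507")

def _sign(key_hex, signed_part):
    # Assumption: HMAC-SHA256 keyed with the hex-decoded key over the "~"-joined fields.
    key = binascii.a2b_hex(key_hex)
    return hmac.new(key, signed_part.encode(), hashlib.sha256).hexdigest()

def build_token(key_hex, acl, now, window, pad=PAD):
    """Create st~exp~acl~hmac with the validity window widened by `pad` seconds."""
    signed = f"st={now - pad}~exp={now + window + pad}~acl={acl}"
    return f"{signed}~hmac={_sign(key_hex, signed)}"

def parse_token(token):
    """Split a token into its name=value fields."""
    return dict(part.split("=", 1) for part in token.split("~"))

def check_token(token, key_hex, path, edge_now):
    """Hypothetical edge-side check: returns 'ok' or the reason for rejection."""
    signed, sep, mac = token.rpartition("~hmac=")
    # Verify integrity first, with a constant-time comparison.
    if not sep or not hmac.compare_digest(_sign(key_hex, signed), mac):
        return "bad hmac"
    fields = parse_token(signed)
    if edge_now < int(fields["st"]):
        return "too early"      # token server clock is ahead of the edge clock
    if edge_now > int(fields["exp"]):
        return "expired"
    if not fnmatch.fnmatchcase(path, fields["acl"]):
        return "acl mismatch"
    return "ok"

if __name__ == "__main__":
    now = 1592202370                      # token server's clock
    edge = now - 3                        # edge clock is 3 seconds behind
    unpadded = build_token("b2b1", "/sample.pdf*", now, 3600, pad=0)
    padded = build_token("b2b1", "/sample.pdf*", now, 3600)
    print(check_token(unpadded, "b2b1", "/sample.pdf", edge))  # too early
    print(check_token(padded, "b2b1", "/sample.pdf", edge))    # ok
```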

    5. Checking result

    Check the settings and then click [Request CDN] at the bottom of the screen.

    • The requested CDN is added to the list, showing the status Requested.
    • It takes at least 2 hours for the CDN to be configured in all global bases, and once configuration is complete, the status changes to Operating.

    Setting client DNS for using CDN

    If you have selected a privately owned domain as the service domain when requesting CDN, you need to connect the CDN service domain displayed after requesting the CDN service to the DNS in operation to be able to use the service.
    Register the CDN service domain using the CNAME record on the DNS system in operation or through the hosting provider.

    On the server, you can use the dig or nslookup command to check if the CNAME record is set properly.

    • <example> If the client’s domain is "sample.example.com" and the CDN service domain is "example.gcdn.ntruss.com"
      sample.example.com 600 IN  CNAME   example.gcdn.ntruss.com.
      
