Restricting access to your origin server

Introduction

The following applies only to CDN Static and CDN Video services, it does not apply to CDN Static Push, CDN Video Push and CDN Live services.

Let's look at how you can restrict access to your origin server. In the following let's assume this CDN service:

  • Service Domain - cdn.mycompany.com
  • Service Identifier - 12345.r.cdnsun.net
  • Origin Domain - mycompany.com

Please refer here for more details. Moreover let's assume that you want to allow CDN edge servers to access the Origin Domain (for pull requests) but you want to restrict others from accessing it.

Allow only requests containing X-Resource header

This section applies only to CDN Static services. All requests from our CDN edge servers contain X-Resource HTTP header similarly as in the following example of a pull request from a CDN edge server for the CDN service 12345.r.cdnsun.net.

X-Resource: 12345    

The number 12345 corresponds to the Service Identifier 12345.r.cdnsun.net. You can find Service Identifier of your CDN service on the Services/Settings page.

To allow only requests containing X-Resource HTTP header you can use the following.

Apache

RewriteEngine On
SetEnvIf X-Resource !"NUMBER" IS_CDNSUN_REQUEST="no"
RewriteCond %{ENV:IS_CDNSUN_REQUEST} "no"
RewriteRule ^.*$ - [R=403,L]

Nginx

location /
{
    if ($http_x_resource != "NUMBER") 
    { 
        return 403;
    }    
}   

Replace NUMBER with the number obtained from the Service Identifier of your CDN service.

Restart or reload your web server.

Test your origin server

You can use command line curl tool to test your origin web server. You should receive 200 OK response if and only if you include the X-Resource HTTP header to your request.

Request without X-Resource header

curl http://mycompany.com/image.jpeg

You should receive 403 Forbidden.

Request with X-Resource header

curl --header 'X-Resource: NUMBER' http://mycompany.com/image.jpeg

You should receive 200 OK.

Replace NUMBER with the number obtained from the Service Identifier of your CDN service.

A note on 403 vs. 404

You can also return 404 Not Found response code instead of 403 Forbidden. 403 response code indicates that the content exists so it exposes some information about your content to public. Read about similar scenario here.

Use not obvious Origin Domain

Let's assume that your have the following URL Signing protected CDN URL in your website source code.

http://cdn.mycompany.com/your-paid-software.zip?secure=DMF1ucDxtHCxwYQ 

An attacker may try to bypass the URL Signing protection by downloading the content directly from your origin. Please note that except you no one is able find out what is Origin Domain of your CDN service. However there are obvious candidates that an attacker may try such as in the following example.

http://mycompany.com/your-paid-software.zip    
http://origin.mycompany.com/your-paid-software.zip
http://source.mycompany.com/your-paid-software.zip

In our case an attacker would succeed with the first URL because mycompany.com really is Origin Domain of our CDN service. So to protect your origin content it is recommended to use not obvious Origin Domain such as in the following example.

8h73dh73hfd7dw.mycompany.com
27ddmc02usks29.mycompany.com
90jeidmaqwpzox.mycompany.com

If you will not expose this information to public then it will be impossible for an attacker to find out your origin content.

Firewall your origin server

It is not exactly straightforward but doable to allow access to your origin server only from our CDN edge servers by setting up a firewall (e.g. iptables) on your origin server, please read more here.

Contact Us

   _____   _    _     _  __  
  / ___// | || | ||  | |/ // 
  \___ \\ | || | ||  | ' //  
  /    // | \\_/ ||  | . \\  
 /____//   \____//   |_|\_\\ 
`-----`     `---`    `-` --`