All Products
Search
Document Center

Configure remote authentication

Last Updated: Dec 08, 2021

Remote authentication is an access control feature that is used to protect resources. You can configure remote authentication to authenticate user requests that are sent to Alibaba Cloud CDN nodes and process the requests based on the authentication results. If you enable remote authentication, resources can be accessed only by authorized users. This topic describes how remote authentication works and how to enable remote authentication in the ApsaraVideo VOD console. This topic also provides relevant API references.

How remote authentication works

ApsaraVideo VOD supports URL authentication and remote authentication to help prevent site resources from being illegally downloaded or used. The differences between URL authentication and remote authentication:

  • URL authentication: You apply the authentication rules for a domain name to a CDN node. After receiving a user request, the CDN node authenticates the request and determines how to process the request. For more information about URL authentication, see Configure URL authentication.

  • Remote authentication: After receiving a user request, a CDN node redirects the request to the specified authentication server that you manage. The authentication server authenticates the request and returns the authentication result to the CDN node. The CDN node processes the request based on the authentication result.

The following figure shows how remote authentication works. Schematic diagram of remote authentication
  1. A user sends a request to a CDN node. The request contains parameters that are used for authentication.

  2. The CDN node redirects the request to the authentication server.

  3. The authentication server checks the request parameters and returns the authentication result to the CDN node.

  4. The CDN node processes the request based on the authentication result that is returned by the authentication server. If the request passes the authentication, access is allowed. If the request fails the authentication, access is denied or restricted. Examples:

    • Example 1: The request passes the authentication. The CDN node returns the requested resources to the user.

    • Example 2: The request fails the authentication. The CDN node returns the HTTP status code 404 to the user.

    • Example 3: The request fails the authentication. The CDN node throttles requests sent from the user.

    • Example 4: The authentication times out. The CDN node performs the specified action, for example, the allow action.

Usage

After you enable remote authentication, the authentication server checks each request. If you estimate a large number of requests to be sent to the CDN node, make sure that the authentication server can handle traffic spikes without compromising performance.

Procedure

  1. Log on to the ApsaraVideo VOD console.

  2. In the left-side navigation pane, find Configuration Management.

  3. Choose CDN Configuration > Domain Names. The Domain Names page is displayed.

  4. Find the domain name that you want to configure and click Configure.

  5. Click Resource Access Control.

  6. Click the Remote Authentication tab.

  7. Turn on Remote Authentication and configure remote authentication.

    Configure remote authentication in the console

    The following table describes the parameters of remote authentication.

    Parameter

    Description

    Authentication Server Address

    Enter the address of the authentication server. Make sure that the authentication server can connect to the Internet by using the address. Alibaba Cloud CDN checks the server address and the format of the address that you specify.

    • Supported formats

      Enter the server address in one of the following formats:

      • http://example.com/auth

      • https://example.com/auth

      • http://192.0.2.1/auth

      • https://192.0.2.1/auth

    • Address requirements

      The server address cannot contain the string 127.0.0.1 or localhost. Otherwise, the server address is invalid.

    Request Method

    Select a request method that is supported by the authentication server. The supported request methods are: GET, HEAD, and POST.

    • POST

      • Parameters are transmitted in the request body and the address bar remains unchanged.

      • The size of data transmission is not limited.

      • Requests are not cached or stored in browser history.

      • Security is high.

    • GET

      • Parameters are transmitted in the request line, and the address bar displays the values of the parameters.

      • Depending on the browser, a maximum of 1,024 bytes can be transmitted for a request.

      • Requests are cached and stored in browser history.

      • Security is low.

    • HEAD

      The HEAD method is similar to the GET method but in the HEAD method, the request body is not returned by the server.

    File Types

    • All: The authentication server checks all file types.

    • Specified: The authentication server checks only the file types that you specify.

      • If you specify multiple file types, separate the file types with vertical bars (|). Example: mp4|flv.

      • File types are case-sensitive. For example, jpg and JPG are considered different file types.

    Parameters to Retain

    Specify the URL parameters that you want the authentication server to check. You can select one of the following options: Retain All URL Parameters, Retain Specified URL Parameters, and Delete All URL Parameters.

    • If you specify multiple parameters that you want to retain, separate the parameters with vertical bars (|). Example: user|token.

    • Parameters are case-sensitive. For example, key and KEY are considered different parameters.

    Add Custom Parameters

    Add custom parameters to the URLs of requests that are sent to the CDN node before the requests are redirected to the authentication server.

    You can select Customize to specify key-value pairs, or Select to use preset variables in the ApsaraVideo VOD console.

    • When you specify key-value pairs, take note of the following rules:

      • Separate multiple parameters with vertical bars (|). Example: token=$arg_token|vendor=ali_cdn.

      • Parameters are case-sensitive. For example, key and KEY are considered different parameters.

    • If you use preset variables, the values of the variables are added to requests that are sent to the CDN node before the requests are redirected to the authentication server.

      For example, if you select the variable $http_host, host=$http_host is added to the URLs of requests before the requests are redirected to the authentication server. host indicates the value of the Host header field. For more information about the variables, see Variables.

    Request Headers to Retain

    Specify the request headers that you want the authentication server to check. You can select one of the following options: Retain All Request Headers, Retain Specified Request Headers, and Delete All Request Headers.

    • If you specify multiple request headers that you want to retain, separate the request headers with vertical bars (|). Example: user_agent|reffer|cookies.

    • Request headers are not case-sensitive. For example, http_remote_addr and HTTP_Remote_Addr are considered the same request header.

    Note
    If you select Retain All Request Headers, the CDN node deletes the Host header from requests by default. If you want to retain the Host header in requests, you can configure Retain Specified Request Headers or Add Custom Parameters. By default, the CDN node deletes the Host header from requests because the Host header in requests that are redirected to the authentication server specifies the accelerated domain name. The authentication server may fail to identify the requests, and this may cause errors such as the HTTP status code 404 or authentication errors.

    Add Custom Parameters

    Add custom request headers to requests that are sent to the CDN node before the requests are redirected to the authentication server.

    You can select Customize to specify key-value pairs, or Select to use preset variables in the ApsaraVideo VOD console.

    • When you specify key-value pairs, take note of the following rules:

      • Separate multiple request headers with vertical bars (|). Example: User-Agent=$http_user_agent|vendor=ali_cdn.

      • Request headers are not case-sensitive. For example, http_remote_addr and HTTP_Remote_Addr are considered the same request header.

    • If you use preset variables, the values of the variables are added to requests that are sent to the CDN node before the requests are redirected to the authentication server.

      For example, if you select the variable $http_host, host=$http_host is added to the URLs of requests before the requests are redirected to the authentication server. host indicates the value of the Host header field. For more information about the variables, see Variables.

    Successful Authentication

    Specify the HTTP status code that is returned by the authentication server if a request passes the authentication. We recommend that you set the HTTP status code for successful authentication to 2XX.

    For example, if you set the HTTP status code for successful authentication to 200, the authentication server returns the HTTP status code 200 to the CDN node for requests that pass the authentication. If the authentication server returns an HTTP status code that does not indicate whether the request passes or fails the authentication, the authentication times out.

    Failed Authentication

    Specify the HTTP status code that is returned by the authentication server if a request fails the authentication. We recommend that you set the HTTP status code for failed authentication to 4XX.

    If you set the HTTP status code for failed authentication to 403, the authentication server returns the HTTP status code 403 to the CDN node for requests that fail the authentication. If the authentication server returns an HTTP status code that does not indicate whether the request passes or fails the authentication, the authentication times out.

    Custom HTTP Status Code

    Specify the HTTP status code that is returned from the CDN node to the user after the CDN node receives an HTTP status code indicating failed authentication from the authentication server.

    If you set Custom HTTP Status Code to 403, the CDN node returns the HTTP status code 403 to the user for requests that fail the authentication.

    Timeout

    The timeout period starts when the CDN node redirects a request to the authentication server. The timeout period ends when the CDN node receives the authentication result from the authentication server.

    Unit: milliseconds. Maximum value: 3000.

    Action

    Specify the action that the CDN node performs on a request if the authentication times out. Valid values:

    • Allow: If the authentication times out, the CDN node returns the requested resources to the user.

    • Reject: If the authentication times out, the CDN node rejects the request and returns the HTTP status code that you specify in the Custom HTTP Status Code field to the user.

  8. Click OK.

    After remote authentication is configured, you can modify the settings of remote authentication or disable remote authentication on the Remote Authentication tab.

Variables

If you add custom parameters, you can select variables that are provided by ApsaraVideo VOD. The following table describes the variables.

Variable

Description

$http_host

Indicates the value of the Host header field.

$http_user_agent

Indicates the value of the User-Agent header field.

$http_referer

Indicates the value of the Referer header field.

$http_content_type

Indicates the value of the Content-Type header field.

$http_x_forward_for

Indicates the value of the X-Forwarded-For header field.

$remote_addr

Indicates the IP address of the client that sends the request.

$scheme

Indicates the protocol of the request.

$server_protocol

Indicates the protocol version of the request.

$uri

Indicates the original URI of the request.

$args

Indicates the query string of the request URL. The query string does not include the question mark (?).

$request_method

Indicates the request method.

$request_uri

uri+'?'Indicates the content of +args.

Related API operations

BatchSetVodDomainConfigs