Configure custom access paths for Functions and Pages - Edge Security Acceleration

You can configure a domain name as a trigger to access Functions and Pages through a custom public path. Edge Security Acceleration (ESA) provides two methods to direct HTTP or HTTPS requests to your Functions and Pages service: Custom Domains and Routes.

Before you begin

Both Custom Domains and Routes require an active site in your account.

An active site is a site that has a purchased plan and is connected using an NS or CNAME record.

Choose the right configuration method

Attribute	Custom Domains	Routes
Core purpose	Forwards all requests from a specified domain name, such as `api.example.com`, to the same Functions and Pages for processing.	Routes only the requests that match a preset path, such as `example.com/api/*`, under a specific domain name to Functions and Pages for processing. Requests for other paths are not affected.
Scope	All traffic under the domain name	Partial traffic that matches the rule
Configuration method	Simple, one-step configuration	Flexible. Requires configuring matching rules.
Scenarios	Dedicated API Gateway functions Complete server-side rendering (SSR) applications	Authenticate or record logs for specific API paths Implement A/B testing for specific page paths Intercept specific requests and return custom content

Use domain binding

Use Custom Domains to direct all traffic from a domain name to a specific Functions and Pages service for processing.

The domain binding feature lets you link a Functions and Pages service to your site's domain name. After the domain name is bound, you can use it to directly access the Functions and Pages service. The domain name bound to the Functions and Pages service must belong to an active site. After you configure the binding in the console, ESA automatically adds a DNS record for the bound domain name to the site.

Log on to the ESA console. In the navigation pane on the left, choose Edge Computing > Functions and Pages. Click the Functions and Pages service that you want to configure.
Click the Domain Names tab. In the Custom Domains section, click Add Domain Name.
Enter the domain name that you want to bind to the Functions and Pages service, such as pages.example.com. After the domain name is added, a new DNS record is created for the corresponding site.
Note
The new domain name inherits the configurations of its site. If the site does not have an SSL/TLS certificate, the bound domain name cannot be accessed over HTTPS. For more information about how to enable SSL/TLS for a site, see SSL/TLS.
Follow the steps that correspond to your site's connection type:
Site connected using NS setup
If your site is connected using an NS record, wait for the DNS record to take effect. This process takes about one minute. Then, access the newly bound custom domain name, such as pages.example.com, in a browser to view the result.
Site connected using CNAME setup
If your site is connected using a CNAME record, you must configure a CNAME record with your DNS provider for the binding to take effect.
1. Click View DNS Records to the right of the newly added custom domain name.
2. Copy the CNAME value that ESA generated for the new DNS record.
3. Go to your DNS provider and add a CNAME record to your domain name's DNS settings:
  - Host Record: Enter the prefix of the custom domain name. In this example, enter pages.
  - Record Type: Select CNAME.
  - Record Value: Paste the CNAME value that you copied in the previous step.
4. Return to the ESA console. Wait until the CNAME Status changes to Configured.Then, access the newly bound custom domain name, such as pages.example.com, in a browser to view the result.

Use routing configuration

You can use routing to forward requests for specific URL paths to a Functions and Pages service. This method provides fine-grained traffic shaping. If a request matches a configured URL pattern, the Functions and Pages service processes it. Otherwise, the request continues through the ESA accelerated back-to-origin process. For example, if you configure the routing rule example.com/a* for the example.com site, all requests to matching paths, such as /a, /a1, and /a2, are processed by the Functions and Pages service. Requests to non-matching paths, such as /b, /c, and /d, follow the standard back-to-origin or caching process.

Log on to the ESA console. In the navigation pane on the left, choose Edge Computing > Functions and Pages. Click the Functions and Pages service that you want to configure.
Click the Domain Names tab. In the Routes section, click Add Route.
Enter a Routing Name. In the Select Site list, select the target site, for example, example.com.
Select a Routing Pattern:
1. Basic mode: This pattern matches requests based only on the URL, which includes the hostname and path. For example, you can configure all requests with the URL prefix pages.example.com to be routed to a Functions and Pages service:
2. Custom Pattern: This pattern is suitable for scenarios that require complex logical matching based on multiple conditions, such as request headers, cookies, and request methods. You can add multiple matching conditions and specify the logical relationship between them as either "meet all" or "meet any". For example, you can configure a rule that forwards a request to a Functions and Pages service only if the hostname equals www.example.com and the User-Agent request header contains Mobile:
Access a matching routing path in a browser to view the result.

Important

If you use basic mode and enter a domain name with a prefix, such as *.example.com or www.example.com, a corresponding record must exist in the DNS Records section of the ESA console. You can also manually add a record. Otherwise, access to the domain name fails.
If multiple routing rules are configured, they are matched sequentially from top to bottom. After a match is found, subsequent rules are not checked.

Matching rules

A routing configuration must include both the domain hostname and the path URI. Therefore, you cannot configure a routing rule that contains only a path URI, such as /path.
You can add a wildcard character (*) at the beginning or end of a routing configuration to match more requests. The wildcard character * matches zero or more of any character. For example, example.com/* matches all requests to example.com.
Routing configurations are case-sensitive. For example, example.com/a and example.com/A are two different routing rules.
Routing configurations do not support wildcard characters (*) in the middle of a path or in parameters. For example, example.com/*/path and example.com/path?param=1 are not allowed.
If a request matches multiple routing rules, the first matching rule in the list takes precedence.

Bypass mode

After you enable bypass mode for a routing rule, when a request matches the routing policy, the request is sent to the Functions and Pages service as a sub-request. The overall process of bypass mode is as follows:

A client sends a request to an ESA point of presence (POP).
The request matches a routing policy and is forwarded to the Functions and Pages service for processing. In the Functions and Pages service, you can perform operations such as logging and authentication based on the request content. Note that when bypass mode is enabled, the request body is not forwarded to the Functions and Pages service.
If the response from the Functions and Pages service has a status code of 200, the request proceeds to the next processing step. If the status code is not 200, ESA aborts the request and returns a 403 status code to the client.
The request is then matched against subsequent policies and proceeds through the ESA cache matching or accelerated back-to-origin logic.
The response from a cache hit or from the origin server is returned to the ESA POP. At this point, the response is no longer processed by the Functions and Pages service.
The response is forwarded to the client.

Common scenarios

Logging: If you want to generate logs for some requests, you can forward the requests to a Functions and Pages service in bypass mode and define custom logging logic in the function.
Authentication for large file downloads: When an edge function forwards a response to a client, it consumes CPU time. If the response is too large, it can exceed the CPU time slice limit and incur extra costs. You can use bypass mode to perform authentication with a Functions and Pages service to avoid these issues.

FAQ

How do I modify code for bypass mode?

Take type A URL signing as an example:

Change the entry function from async fetch() to async bypass().
The function's return value must be constructed using new ResponseBypass(). This constructor takes two parameters:
- The first parameter is `true` or `false`, indicating whether authentication succeeded or failed.
- If the first parameter is `false`, you can pass a second parameter, `status`, to specify the status code returned to the client.

Example code for original type A signing

import { createHash } from "node:crypto";

async function handleRequest(request) {
  const url = new URL(request.url);
  const path = url.pathname;
  const delta = 3600;

  const authKeyTypeA = url.searchParams.get('auth_key');

  const privateKey = 'your_secret_key'
  const currentTimestamp = Math.floor(Date.now() / 1000);

  if (!authKeyTypeA) {
    // Authentication failed. The edge returns a 403 status code to the client by default.
    return new Response('Unauthorized', { 
      status: 401,
    });
  }

  const [timestamp, rand, uid, signature] = authKeyTypeA.split('-');

  if (currentTimestamp > parseInt(timestamp)+ delta) {
    // Authentication failed. The edge returns a 403 status code to the client by default.
    return new Response('Link expired', {
      status: 403,
    });
  }

  const signString = [path, timestamp, rand, uid, privateKey].join('-');

  const md5 = createHash('md5').update(signString).digest('hex');

  if (md5 !== signature) {
  
    return new Response('Unauthorized', {
      status: 401
    });
  }

  // If the resource is on another domain name, send a request and return the response.
  // const yourUrl = `https://your-dcdn-domain.com${path}${url.search}`
  // const cdnResponse = await fetch(yourUrl, request)
  // return new Response(cdnResponse.body, cdnResponse)

  // In most cases, you can just fetch from the origin.
  return fetch(request.url)
}

export default {
  async fetch(request) {
    return handleRequest(request)
  }
}

Example code for type A signing using bypass mode

import { createHash } from "node:crypto";

async function handleRequest(request) {
  const url = new URL(request.url);
  const path = url.pathname;
  const delta = 3600;

  const authKeyTypeA = url.searchParams.get("auth_key");

  const privateKey = "your_secret_key";
  const currentTimestamp = Math.floor(Date.now() / 1000);

  if (!authKeyTypeA) {
    // Authentication failed. Pass false. The edge returns a 403 status code to the client by default.
    return new ResponseBypass(false, {
      status: 401,
    });
  }

  const [timestamp, rand, uid, signature] = authKeyTypeA.split("-");

  if (currentTimestamp > parseInt(timestamp) + delta) {
    // Authentication failed. Pass false. The edge returns a 403 status code to the client by default.
    return new ResponseBypass(false, {
      status: 403,
    });
  }

  const signString = [path, timestamp, rand, uid, privateKey].join("-");

  const md5 = createHash("md5").update(signString).digest("hex");

  if (md5 !== signature) {
    // Authentication failed. Pass false. The edge returns a 403 status code to the client by default.
    return new ResponseBypass(false, {
      status: 401,
    });
  }

  // Authentication succeeded. Pass true. The request continues to the origin, and the response is no longer processed by the function.
  const resSuccess = new ResponseBypass(true);
  return resSuccess;
}

export default {
  async bypass(request) {
    return handleRequest(request);
  },
};

How do I modify a domain name binding?

If your current domain name bindings and routing rules do not meet your business needs, you can edit or delete them.

Log on to the ESA console. In the navigation pane on the left, choose Edge Computing > Functions and Pages. Click the Functions and Pages service that you want to modify.
Click the Domain Names tab.
On the Domain Names page, you can Remove domain name bindings, and Edit or Delete routing rules.