This document describes how to configure and use the CDN service in the NHN Cloud CDN console.
Go to Content Delivery > CDN, open CDN Service and click Create; the Creating CDN window pops up. The CDN service domain is automatically created in the [ServiceID].toastcdn.net format. To use your own domain, enable Domain Alias. It takes up to 2 hours to complete deployment after the service is requested. The service becomes available once it is completely deployed.
[Note] Duration for download optimization when creating a CDN for the first time: Download speed might become slightly slower for up to 3 days after a CDN is first created.
Set basic information.
Service Region: GLOBAL service is provided via CDN edge servers located around the globe. Note, however, that China and Russia are excluded from the service regions.
Description: Enter an additional description of the CDN service.
Domain Alias: The default service domain address of NHN Cloud CDN is provided in the [ServiceID].toastcdn.net format. To use the CDN service with your own domain, enable Domain Alias. To use the HTTPS protocol with your own domain, get a certificate issued from Certificate Management and set the domain alias. After the domain alias is set, register a CNAME record with the DNS provider of the domain, as follows. Please consult your DNS provider regarding DNS settings.
Callback: Creating or changing a CDN service (e.g. Modify, Suspend/Resume, and Delete) takes hours. Enable the callback setting to receive the change status and the CDN setting information via the callback URL after a task is completed. See the API Guide for the information sent to the callback.
Path Variables | Description | Delivered Value |
---|---|---|
{appKey} | Appkey of CDN Service | Appkey issued on console |
{domain} | Name of CDN Service | [ServiceID].toastcdn.net |
{status} | Current status of CDN | OPEN, SUSPEND, CLOSE, ERROR |
{isSuccessful} | Whether service change is successful (API v1.0 is not supported.) | "true" or "false" |
Set the server that provides the original files to be distributed through the CDN.
Origin Type
Origin Server: The origin server is the server that provides the original files to be distributed by the CDN service. The origin server can be entered in IPv4 or fully qualified domain name (FQDN) format. It is recommended to set the server as a domain because an IP address is likely to change. If there is no running origin server, select the Instance option in Origin Type to use an instance of the NHN Cloud Instance service, or select the Object Storage option to use a container in the NHN Cloud Object Storage service. To support secure transport (HTTPS) via the CDN service domain, the origin server must support HTTPS responses. This means that the origin server must have a certificate trusted by NHN Cloud CDN installed. Refer to the following table for trusted certificates. If the origin server cannot support HTTPS responses, use the Downgrading HTTP Protocols Requesting Originals setting. However, Downgrading HTTP Protocols Requesting Originals has constraints, so it is recommended that the origin server support the HTTPS protocol.
[Table 1] List of Trusted Certificates
Common Name | Expiration Date | SHA-1 Fingerprint |
---|---|---|
SecureTrust CA | 1.Jan.30 | 8782c6c304353bcfd29692d2593e7d44d934ff11 |
Entrust.net Certification Authority (2048) | 24.Jul.29 | 503006091d97d4f5ae39f7cbe7927d7d652d3431 |
DigiCert Global Root CA | 10.Nov.31 | a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436 |
| | 30.Sep.23 | 36b12b49f9819ed74c9ebc380fc6568f5dacb2f7 |
QuoVadis Root CA 2 G3 | 13.Jan.42 | 093c61f38b8bdc7d55df7538020500e125f5c836 |
thawte Primary Root CA | 17.Jul.36 | 91c6d6ee3e8ac86384e548c299295c756c817b81 |
Go Daddy Root Certificate Authority - G2 | 1.Jan.38 | 47beabc922eae80e78783462a79f45c254fde68b |
GeoTrust Primary Certification Authority | 17.Jul.36 | 323c118e1bf7b8b65254e2e2100dd6029037f096 |
VeriSign Class 3 Public Primary Certification Authority - G4 | 19.Jan.38 | 22d5d8df8f0231d18df79db7cf8a2d64c93f6c3a |
Entrust Root Certification Authority | 28.Nov.26 | b31eb1b740e36c8402dadc37d44df5d4674952f9 |
| | 29.May.29 | 5f3b8cf2f810b37d78b4ceec1919c37334b9c774 |
AffirmTrust Commercial | 31.Dec.30 | f9b5b632455f9cbeec575f80dce96e2cc7b278b7 |
Amazon Root CA 4 | 26.May.40 | f6108407d6f8bb67980cc2e244c2ebae1cef63be |
Certum CA | 11.Jun.27 | 6252dc40f71143a22fde9ef7348e064251b18118 |
DST Root CA X3 | 30.Sep.21 | dac9024f54d8f6df94935fb1732638ca6ad77c13 |
TC TrustCenter Class 2 CA II | 1.Jan.26 | ae5083ed7cf45cbc8f61c621fe685d794221156e |
SwissSign Gold CA - G2 | 25.Oct.36 | d8c5388ab7301b1b6ed47ae645253a6f9f1a2761 |
USERTrust ECC Certification Authority | 19.Jan.38 | d1cbca5db2d52a7f693b674de5f05a1d0c957df0 |
QuoVadis Root CA 2 | 25.Nov.31 | ca3afbcf1240364b44b216208880483919937cf7 |
COMODO ECC Certification Authority | 19.Jan.38 | 9f744e9f2b4dbaec0f312c50b6563b8e2d93c311 |
USERTrust RSA Certification Authority | 19.Jan.38 | 2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e |
ISRG Root X1 | 4.Jun.35 | cabd2a79a1076a31f21d253635cb039d4329a5e8 |
DigiCert High Assurance EV Root CA | 10.Nov.31 | 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25 |
VeriSign Class 3 Public Primary Certification Authority - G5 | 17.Jul.36 | 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5 |
GlobalSign | 15.Dec.21 | 75e0abb6138512271c04f85fddde38e4b7242efe |
QuoVadis Root CA 3 | 25.Nov.31 | 1f4914f7d874951dddae02c0befd3a2d82755185 |
GlobalSign | 18.Mar.29 | d69b561148f01c77c54578c10926df5b856976ad |
Starfield Services Root Certificate Authority - G2 | 1.Jan.38 | 925a8f8d2c6d04e0665f596aff22d863e8256f3f |
Baltimore CyberTrust Root | 13.May.25 | d4de20d05e66fc53fe1a50882c78db2852cae474 |
AAA Certificate Services | 1.Jan.29 | d1eb23a46d17d68fd92564c2f1f1601764d8e349 |
Amazon Root CA 3 | 26.May.40 | 0d44dd8c3c8c1a1a58756481e90f2e2affb3d26e |
VeriSign Class 3 Public Primary Certification Authority - G3 | 17.Jul.36 | 132d0d45534b6997cdb2d5c339e25576609b5cc6 |
GlobalSign Root CA | 28.Jan.28 | b1bc968bd4f49d622aa89a81f2150152a41d829c |
Actalis Authentication Root CA | 22.Sep.30 | f373b387065a28848af2f34ace192bddc78e9cac |
AffirmTrust Networking | 31.Dec.30 | 293621028b20ed02f566c532d1d6ed909f45002f |
AffirmTrust Premium | 31.Dec.40 | d8a6332ce0036fb185f6634f7d6a066526322827 |
QuoVadis Root Certification Authority | 18.Mar.21 | de3f40bd5093d39b6c60f6dabc076201008976c9 |
| | 6.Jun.37 | feb8c432dcf9769aceae3dd8908ffd288665647d |
GeoTrust Primary Certification Authority - G3 | 2.Dec.37 | 039eedb80be7a03c6953893b20d2d9323a4c2afd |
thawte Primary Root CA - G2 | 19.Jan.38 | aadbbc22238fc401a127bb38ddf41ddb089ef012 |
VeriSign Universal Root Certification Authority | 2.Dec.37 | 3679ca35668772304d30a5fb873b0fa77bb70d54 |
Cybertrust Global Root | 15.Dec.21 | 5f43e5b1bff8788cac1cc7ca4a9ac6222bcc34c6 |
Global Chambersign Root | 1.Oct.37 | 339b6b1450249b557a01877284d9e02fc3d2d8e9 |
SwissSign Silver CA - G2 | 25.Oct.36 | 9baae59f56ee21cb435abe2593dfa7f040d11dcb |
Amazon Root CA 1 | 17.Jan.38 | 8da7f965ec5efc37910f1c6e59fdc1cc6a6ede16 |
Entrust Root Certification Authority - G2 | 8.Dec.30 | 8cf427fd790c3ad166068de81e57efbb932272d4 |
Amazon Root CA 2 | 26.May.40 | 5a8cef45d7a69859767a8c8b4496b578cf474b1a |
DigiCert Assured ID Root CA | 10.Nov.31 | 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43 |
| | 30.Jun.34 | 2796bae63f1801e277261ba0d77770028f20eee4 |
COMODO Certification Authority | 1.Jan.30 | 6631bf9ef74f9eb6c9d5a60cba6abed1f7bdef7b |
AddTrust External CA Root | 30.May.20 | 02faf3e291435468607857694df5e45b68851868 |
COMODO RSA Certification Authority | 19.Jan.38 | afe5d244a8d1194230ff479fe2f897bbcd7a8cb4 |
thawte Primary Root CA - G3 | 2.Dec.37 | f18b538d1be903b6a6f056435b171589caf36bf2 |
DigiCert Global Root G3 | 15.Jan.38 | 7e04de896a3e666d00e687d33ffad93be83d349e |
GeoTrust Global CA | 21.May.22 | de28f4a4ffe5b92fa3c503d1a349a7f9962a8212 |
DigiCert Global Root G2 | 15.Jan.38 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
[Table 2] Available Origin Server Port Numbers
Port Number |
---|
72, 488, 1080, 1443, 7070 |
8000-9001 |
11080-11110 |
80-89 |
591, 1088, 2080, 7612 |
12900-12949 |
443, 777, 1111, 7001, 7777 |
9901-9908 |
45002 |
[Example] When the origin path is set to /files/images
- URL of Original File: http://your.origin.com/files/images/logo.png
- URL of CDN Service: http://[ServiceID].toastcdn.net/logo.png
- The origin path may be left out of the CDN service URL when content is requested.
Downgrading HTTP Protocols Requesting Originals: The CDN edge server requests original files from the origin server over the same service protocol (HTTP/HTTPS) as the client's original request. That is, when a client requests via HTTPS but the origin server does not support HTTPS responses, the original files are not returned. If the origin server operates over HTTP only, enable the Downgrading HTTP Protocols Requesting Originals setting so that the CDN edge server downgrades HTTPS to HTTP when requesting from the origin server. In short, the section between the client and the CDN edge server is communicated via HTTPS, while the section between the CDN edge server and the origin server is communicated via HTTP. Note the following constraints when downgrading HTTP protocols requesting originals:
[Caution] Constraints for Downgrading HTTP Protocols Requesting Originals
1. Protocol downgrade is not applied to the entire website address. For instance, www.nhn.com, which is the entire site address of the origin server, cannot be downgraded.
2. No methods other than GET, HEAD, or OPTIONS are supported.
3. When a downgraded request is sent from the CDN to an origin server, the following headers may be excluded: Origin, Referer, Cookie, Cookie2, sec-*, proxy-*
Forward Host Header: Set the Host header value that the CDN server sends to the origin server when it requests original files. If the origin server runs as a name-based virtual host, the Request Host Header setting may be required. Select an appropriate value depending on how the origin server is operated.
[Caution] Validation of host header and origin server certificate when using secure transport (HTTPS): When a client requests content over secure transport (HTTPS), the CDN server checks whether the origin server's certificate is valid. The origin server must have a certificate installed whose Common Name (CN) or Subject Alternative Name (SAN) matches the host request header. A secure transport error occurs if a certificate matching the host request header is not installed on the origin server. Note that the host request header is set to the request host header or the original host name according to the Forward Host Header setting.
You can set the access control for the root path of the CDN service.
By default, the methods allowed for the CDN are GET, HEAD, and OPTIONS; requests using other methods are denied. To allow additional methods, select and set the methods you want.
CDN cache operations and expiration time can be set.
Configuration of Cache Expiration: Cache can be configured from the cache control response header of the origin server.
- Use Original Configuration: Apply the cache control header first, as provided by the origin server's response. If the cache control header is not valid or unavailable, content is cached for the specified cache expiration time (seconds). Use Original Configuration is the default.
- Use User Configuration: Content is cached for the specified cache expiration time (seconds).
- Bypass Cache: Maintain the cache created before the configuration and do not cache content requests after the configuration.
- No Store: Remove all the existing caches and disable CDN caching.
Cache Expiration Time (seconds) To specify a cache expiration time, click the Use User Configuration button and change the cache expiration time in Cache Expiration Time (seconds).
Set Inclusion of Query String in Cache Key You can set whether to include the request query string in the cache key generated based on the URL.
[Note] Default value and valid range of cache expiration time: The default cache expiration time is 0. When it is left at 0, the cache expiration time applied is 604,800 seconds (1 week). The cache expiration time can be set from 0 (default) to 2,147,483,647 (seconds).
[Note] Using the container created by the NHN Cloud Object Storage service as the origin server For the Large File Optimization feature to work normally, the ETag response header delivered from the origin server must be enclosed in double quotation marks. For more information about setting the ETag response header format for NHN Cloud Object Storage containers, see Change Container Settings > Use the RFC-compliant ETag Format in the API guide of Object Storage.
Content access management is set with the referer request header.
The referer request header contains the address of the webpage that linked to the currently requested page. It helps to find the path a request comes from. With referer header access management, access to user content can be restricted to requests with particular referer headers. Enter each referer as a regex; to enter several, put each one on its own line.
Access control types
Content Access if Referer Header is Unavailable Select whether to allow access to content if referer request header is not available.
[Example]
- Type: Whitelist
- Regex:
^https://[a-zA-Z0-9._-]*\.nhn\.com/.*
Content access is allowed only when resources are requested from a sub-path of a nhn.com sub-domain.
[Note] Regex Escape Characters
Some characters have a special meaning in regex. For instance, a period (.) matches any character. To have a special character treated as a literal one, add a backslash before it (e.g. \.). Regex special characters include ^, ., [, ], $, (, ), |, *, +, ?, {, }, and \. To control many referers, enter them on consecutive lines. To set many referers with APIs, delimit them with \n tokens.
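The effect of the escaping rule above can be checked before a rule set is saved. The following is an added example, not NHN Cloud code: it evaluates the whitelist regex from this page and a variant with unescaped periods against constructed referer values, and flags periods that were probably meant literally. It assumes the rules behave like Python `re` patterns applied as a search; the function names and sample referers are hypothetical.

```python
import re

# Regex from the example above, and a constructed variant that forgets the backslashes.
PAGE_PATTERN = r"^https://[a-zA-Z0-9._-]*\.nhn\.com/.*"
UNESCAPED_PATTERN = r"^https://[a-zA-Z0-9._-]*.nhn.com/.*"

# Constructed referer values used to exercise the rules.
SAMPLES = [
    "https://game.nhn.com/event/1",   # sub-domain of nhn.com over HTTPS
    "https://nhn.com/",               # apex domain, no sub-domain label
    "http://game.nhn.com/p",          # wrong scheme
    "https://examplenhn.com/p",       # different domain ending in "nhn.com"
    "https://game.nhnxcom/p",         # "x" where the period should be
]


def parse_rules(text):
    """Split a rule set on newlines: one regex per line (the API delimiter is \\n)."""
    return [re.compile(line) for line in text.split("\n") if line.strip()]


def referer_allowed(referer, rules, allow_missing=False):
    """Whitelist decision for one request.

    Assumption: a rule matches when re.search() finds it in the referer value.
    allow_missing models the "Content Access if Referer Header is Unavailable" setting.
    """
    if not referer:
        return allow_missing
    return any(rule.search(referer) for rule in rules)


def audit(rule_text, samples=SAMPLES):
    """Return {referer: allowed} for every sample under the given rule set."""
    rules = parse_rules(rule_text)
    return {ref: referer_allowed(ref, rules) for ref in samples}


def unescaped_literal_dots(pattern):
    """Offsets of '.' that are probably meant literally: not escaped, not inside
    [...], and not followed by a quantifier such as * or +."""
    hits, in_class, i = [], False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2                      # skip the escaped character
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            nxt = pattern[i + 1:i + 2]
            if not nxt or nxt not in "*+?{":
                hits.append(i)
        i += 1
    return hits


if __name__ == "__main__":
    for name, pattern in (("page", PAGE_PATTERN), ("unescaped", UNESCAPED_PATTERN)):
        print(name, "suspicious dots at", unescaped_literal_dots(pattern))
        for ref, ok in audit(pattern).items():
            print("   ", "ALLOW" if ok else "DENY ", ref)
```

The unescaped variant admits the last two sample referers, which the escaped rule from the page rejects.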
The Access Control for Auth Token authentication is a security feature that allows only verified tokens to access content from CDN edge server, by adding authentication token to a content request. You may control by allowing one-time access to content or only restricted users to access content. If content is requested with an invalid token, 403 Forbidden is sent as response and access to content is forbidden.
To apply the access of Auth Token Authentication to the CDN service, you need to follow the steps below.
[Caution]
Access Control for Auth Token authentication requires the following to be implemented in the application that uses NHN Cloud CDN as well.
1. Create a token required to access content.
2. The client (final content consumer) must request content including the created token.
If access management is configured without this process, content requests may fail due to failed token authentication.
On CDN console, set Access Control for Auth Token authentication by referring to the following.
[Caution] Path of Request URL and File Extension: When both the request URL path and the file extension are set, token access control applies if either of the two conditions matches.
[Example] When the request URL path is set to /nhn/* and the file extension to png: the token is verified for all files under /nhn and for any content with the png file extension.
To allow the final content user to access content, content must be requested along with a token. Therefore, a token must be created to get issued to the final content user. Token creation must be implemented on an application using NHN Cloud CDN. To create a token, refer to the following sample code:
```java
import org.apache.commons.lang3.StringUtils;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.net.URLEncoder;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Calendar;
import java.util.TimeZone;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class NhnCloudAuthTokenAccessControlExample {

    // Token encryption key for authentication verified on NHN Cloud console
    private static final String AUTH_TOKEN_ENCRYPT_KEY = "{Token encryption key of NHN Cloud CDN}";
    // Valid token time (seconds)
    private static final Long TOKEN_DURATION_SECONDS = 3600L;

    public static void main(String[] args) throws AuthTokenException {
        String path = "/nhn/%EC%9D%B8%EC%A6%9D/%E1%84%91%E1%85%A1%E1%84%8B%E1%85%B5%E1%86%AF.png";
        String singleWildcardPath = "/nhn/%EC%9D%B8%EC%A6%9D/*";
        String[] multipleWildcardPath = {"/nhn/%EC%9D%B8%EC%A6%9D*", "/nhn/auth/*"};

        System.out.println(" ----------------- ");
        System.out.println(" Issue Default Token ");
        System.out.println(" ----------------- ");
        AuthToken authToken = new AuthToken(AUTH_TOKEN_ENCRYPT_KEY, TOKEN_DURATION_SECONDS);
        System.out.println("Single URL Token: token=" + authToken.generateURLToken(path));
        System.out.println("Wildcard Token: token=" + authToken.generateWildcardPathToken(singleWildcardPath));
        System.out.println("Multiple Wildcard Token: token=" + authToken.generateWildcardPathToken(multipleWildcardPath));

        System.out.println(" ----------------- ");
        System.out.println("Issue token including session identifier ");
        System.out.println(" ----------------- ");
        AuthToken authTokenWithSession = new AuthToken(AUTH_TOKEN_ENCRYPT_KEY, TOKEN_DURATION_SECONDS, "example-sessionId");
        System.out.println("Single URL Token: token=" + authTokenWithSession.generateURLToken(path));
        System.out.println("Wildcard Token: token=" + authTokenWithSession.generateWildcardPathToken(singleWildcardPath));
        System.out.println("Multiple Wildcard Token: token=" + authTokenWithSession.generateWildcardPathToken(multipleWildcardPath));
    }

    public static class AuthToken {
        /** Token Encryption Algorithm (fixed with SHA256) **/
        private static final String HMAC_SHA_256 = "HmacSHA256";
        /** Token Encryption Key (NHN Cloud CDN Console > Access Control for Auth Token authentication > Encryption key) **/
        private String key;
        /** Session Identifier */
        private String sessionId;
        /** Token Valid Time (Unit: Second) */
        private Long durationSeconds;
        /** Enable url encode application before token is created */
        private Boolean escapeEarly;
        /** Delimiter of Body Field of Token */
        private final String fieldDelimiter = "~";
        /** wildcardPath Delimiter */
        private final String aclDelimiter = "!";

        public AuthToken(String key, Long durationSeconds) {
            this.key = key;
            this.sessionId = null;
            this.durationSeconds = durationSeconds;
            this.escapeEarly = true;
        }

        public AuthToken(String key, Long durationSeconds, String sessionId) {
            this.key = key;
            this.sessionId = sessionId;
            this.durationSeconds = durationSeconds;
            this.escapeEarly = true;
        }

        /**
         * Create a token for a single URL.
         * @param path : contents url (example: /auth/contents/example.png)
         * @return created token
         * @throws AuthTokenException
         */
        public String generateURLToken(String path) throws AuthTokenException {
            return generateToken(createExpireTime(), this.sessionId, path, null);
        }

        /**
         * Create token for wildcard path.
         * @param wildcardPath : "/auth/contents/*"
         * @return Created token value
         * @throws AuthTokenException
         */
        public String generateWildcardPathToken(String wildcardPath) throws AuthTokenException {
            return generateWildcardPathToken(new String[] {wildcardPath});
        }

        /**
         * Create token for multiple wildcard paths.
         * @param wildcardPaths (example: ["/auth/contents/*", "/auth/*/images/*"])
         * @return Created token value
         * @throws AuthTokenException
         */
        public String generateWildcardPathToken(String... wildcardPaths) throws AuthTokenException {
            return generateToken(createExpireTime(), this.sessionId, null, wildcardPaths);
        }

        private String createExpireTime() {
            Long nowSeconds = Calendar.getInstance(TimeZone.getTimeZone("UTC")).getTimeInMillis() / 1000L;
            Long exp = nowSeconds + this.durationSeconds;
            return exp.toString();
        }

        private String generateToken(String exp, String sessionId, String path, String[] wildcardPaths) throws AuthTokenException {
            try {
                StringBuilder token = new StringBuilder();
                token.append("exp=")
                     .append(exp)
                     .append(this.fieldDelimiter);
                if (wildcardPaths != null && wildcardPaths.length > 0) {
                    token.append("acl=")
                         .append(escapeEarly(StringUtils.join(wildcardPaths, this.aclDelimiter)))
                         .append(this.fieldDelimiter);
                }
                if (sessionId != null && sessionId.length() > 0) {
                    token.append("id=")
                         .append(escapeEarly(sessionId))
                         .append(this.fieldDelimiter);
                }
                StringBuilder hashSource = new StringBuilder(token);
                if (path != null && path.length() > 0) {
                    hashSource.append("url=")
                              .append(escapeEarly(path))
                              .append(this.fieldDelimiter);
                }
                // remove last fieldDelimiter char
                hashSource.deleteCharAt(hashSource.length() - 1);

                Mac hmac = Mac.getInstance(HMAC_SHA_256);
                byte[] keyBytes = DatatypeConverter.parseHexBinary(this.key);
                SecretKeySpec secretKey = new SecretKeySpec(keyBytes, HMAC_SHA_256);
                hmac.init(secretKey);
                byte[] hmacBytes = hmac.doFinal(hashSource.toString().getBytes());
                return token.toString() + "hmac=" + String.format("%0" + (2 * hmac.getMacLength()) + "x", new BigInteger(1, hmacBytes));
            } catch (NoSuchAlgorithmException e) {
                throw new AuthTokenException(e.getMessage());
            } catch (InvalidKeyException e) {
                throw new AuthTokenException(e.getMessage());
            }
        }

        private String escapeEarly(final String text) throws AuthTokenException {
            if (this.escapeEarly == true) {
                try {
                    StringBuilder newText = new StringBuilder(URLEncoder.encode(text, "UTF-8"));
                    Pattern pattern = Pattern.compile("%..");
                    Matcher matcher = pattern.matcher(newText);
                    String tmpText;
                    while (matcher.find()) {
                        tmpText = newText.substring(matcher.start(), matcher.end()).toLowerCase();
                        newText.replace(matcher.start(), matcher.end(), tmpText);
                    }
                    return newText.toString();
                } catch (UnsupportedEncodingException e) {
                    return text;
                } catch (Exception e) {
                    throw new AuthTokenException(e.getMessage());
                }
            } else {
                return text;
            }
        }
    }

    public static class AuthTokenException extends Exception {
        private static final long serialVersionUID = 1L;

        public AuthTokenException(String msg) {
            super(msg);
        }
    }
}
```
The client (final content consumer) must request content with the created token value included at the token location configured on the console.

```bash
# Token sent in a cookie
curl --cookie "token={Created token value}" \
     -X GET http://xxx.toastcdn.net/auth/contents/example.png

# Token sent in a request header
curl -H "token: {Created token value}" \
     -X GET http://xxx.toastcdn.net/auth/contents/example.png

# Token sent in the query string (-G makes curl append the -d data to the URL)
curl -G -d "token={Created token value}" \
     -X GET http://xxx.toastcdn.net/auth/contents/example.png
```
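To test issued tokens before clients depend on them, the token layout produced by the Java sample can be reproduced in Python together with a verifier that models the checks a token implies (signature, expiry, path). This is an added example, not NHN Cloud code: the verification order, the `*` matching rule, the function names and the key shown are assumptions.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import quote_plus, unquote_plus

FIELD_DELIM = "~"   # separates token fields, as in the Java sample
ACL_DELIM = "!"     # separates wildcard paths inside acl=
DEMO_KEY = "00112233445566778899aabbccddeeff"   # constructed hex key, not a real one


def escape_early(text):
    """Mirror the Java sample: URLEncoder.encode(), then lower-case each %XX."""
    # java.net.URLEncoder keeps '*' and encodes '~'; quote_plus does the opposite.
    encoded = quote_plus(text, safe="*").replace("~", "%7E")
    return re.sub(r"%..", lambda m: m.group(0).lower(), encoded)


def _sign(key_hex, signed_text):
    key = bytes.fromhex(key_hex)
    return hmac.new(key, signed_text.encode("ascii"), hashlib.sha256).hexdigest()


def generate_token(key_hex, exp, path=None, wildcard_paths=None, session_id=None):
    """Build exp=..~[acl=..~][id=..~]hmac=.. in the same order as generateToken()."""
    fields = ["exp=%d" % exp]
    if wildcard_paths:
        fields.append("acl=" + escape_early(ACL_DELIM.join(wildcard_paths)))
    if session_id:
        fields.append("id=" + escape_early(session_id))
    signed = list(fields)
    if path:
        # url= is covered by the HMAC but never placed in the token itself.
        signed.append("url=" + escape_early(path))
    mac = _sign(key_hex, FIELD_DELIM.join(signed))
    return FIELD_DELIM.join(fields + ["hmac=" + mac])


def _glob_match(pattern, path):
    """Assumed matching rule: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def verify_token(key_hex, token, request_path, now=None):
    """Return (ok, reason) for a token presented with a request for request_path."""
    now = int(time.time()) if now is None else now
    body, sep, presented_mac = token.rpartition(FIELD_DELIM + "hmac=")
    if not sep:
        return False, "no hmac field"
    fields = dict(f.split("=", 1) for f in body.split(FIELD_DELIM) if "=" in f)
    signed = body
    if "acl" not in fields:
        # Single-URL token: the requested path is part of the signed text.
        signed += FIELD_DELIM + "url=" + escape_early(request_path)
    # Check the MAC first, in constant time, before trusting any field.
    expected = _sign(key_hex, signed).encode("ascii")
    if not hmac.compare_digest(expected, presented_mac.encode("utf-8")):
        return False, "bad hmac"
    if not fields.get("exp", "").isdigit() or int(fields["exp"]) < now:
        return False, "expired"
    if "acl" in fields:
        patterns = unquote_plus(fields["acl"]).split(ACL_DELIM)
        if not any(_glob_match(p, request_path) for p in patterns):
            return False, "path not in acl"
    return True, "ok"


if __name__ == "__main__":
    exp = int(time.time()) + 3600
    url_token = generate_token(DEMO_KEY, exp, path="/auth/contents/example.png")
    acl_token = generate_token(DEMO_KEY, exp, wildcard_paths=["/nhn/auth/*"],
                               session_id="example-sessionId")
    print(url_token)
    print(verify_token(DEMO_KEY, url_token, "/auth/contents/example.png"))
    print(verify_token(DEMO_KEY, url_token, "/auth/contents/other.png"))
    print(acl_token)
    print(verify_token(DEMO_KEY, acl_token, "/nhn/auth/a.png"))
```

A single-URL token presented for any other path fails the HMAC check, because the `url=` field is part of the signed text even though it does not appear in the token.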
This is a feature to add, modify, and delete the headers sent when CDN responds to users. You can set up to 10 headers with non-duplicate header names.
[Note] Set CORS (Cross-Origin Resource Sharing): You can allow CORS by setting HTTP response headers as follows.
- Action: Modify
- Header Name: Access-Control-Allow-Origin
- Header Value: * (wildcard) or the original URI to be allowed
CDN service settings can be modified, except for the service domain name.
The console then navigates to the Modify CDN Service page.
Modification takes dozens of minutes, but change of domain alias may take a few hours.
[Note] Deployment Status while Modifying CDN and Service Status: While the service is under modification, the CDN runs with the existing service settings. If modification fails, it is rolled back to the existing settings and the deployment status shows a red circle on the CDN list. Modification fails if there is an error in the setting information or an internal error occurs.
CDN service can be suspended or resumed.
[Note] Delays in Suspension and Resumption: Suspension and resumption of the CDN service work by changing the DNS records of the CDN domain. Accordingly, because records remain cached at caching DNS servers for their TTL, suspension/resumption may not take effect immediately even after it is completed, depending on DNS propagation.
[Caution] Suspending CDN Service Integrated with Issued Certificate: When a CDN service integrated with a certificate is suspended, the certificate cannot be renewed. Please resume the CDN before the Start Day of Certificate Renewal shown in Certificate Management > Certificate List. A certificate can be renewed for 5 days after the start day of renewal, and a suspension during that period may cause the certificate to expire.
CDN service can be deleted. Once deleted, however, a service cannot be recovered.
[Note] Required Time to Delete CDN It may take a few hours (up to 3) to delete CDN service.
[Caution] Deleting CDN Service Integrated with Issued Certificate: When a CDN service integrated with a certificate is deleted, the certificate cannot be renewed. Please integrate the certificate with another running CDN before the Start Day of Certificate Renewal shown in Certificate Management > Certificate List. A certificate can be renewed for 5 days after the start day of renewal, and deletion during that period may cause the certificate to expire.
The CDN cache server caches origin server files for the specified expiration time, depending on the cache setting. Once a file is cached, the version from before a change is served until the cache expires, even if the original file has changed. To immediately update content to the changed original file, a Purge must be requested. Purging the cache deletes the outdated cache data for the requested content, and the new original file is then cached again from the origin server.
Open the Purge tab and click Purge.
Select a purge type.
Cache purge has a usage limit, so refer to the table below and be careful not to exceed the usage limit.
Category | [ServiceID].toastcdn.net |
---|---|
Unit of Restrictions | Per project (Appkey) |
Particular Files | Requests per second: 1 time, URLs per request: 200 URLs |
All File Types | Requests per 5 minutes: 1 time |
[Caution] Failed Cache Purge after [ServiceID].toastcdn.net is created Cache purge request may fail within about an hour after CDN service is created. If failure continues afterwards, contact the NHN Cloud Customer Center.
You can view network transfer volume, statistics by HTTP status code, and ranking statistics for your most downloaded content. Please note that statistics within 7 days are inaccurate and should be used as a guide only. For accurate statistics, check after 7 days.
[Note] Maximum search period: You can view statistics data for up to 90 days.
[Note] Restrictions for statistics of Top Contents By Hits: Viewing is available up to one day in advance, with a range of one day or more. Content that is 100 KB or smaller or has fewer than 50 requests per day is excluded from statistics.
To use secure transport (HTTPS) via your own domain, a certificate for your own domain must be deployed to the CDN server. Without a certificate, secure communication (HTTPS) is unavailable between the client (browser) and the CDN edge server, causing a certificate error. Certificate management of NHN Cloud CDN provides the following features:
Certificates can be issued from the Certificate Management tab.
[Caution] Checkpoints before Getting a Certificate
1. Certificates can be issued only for domains you own, so purchase a domain first if you do not own one.
2. Certificates issued from other certificate authorities are not allowed.
3. Only single-domain certificates can be issued. Wildcard or multi-domain certificates are not supported.
4. Each project allows no more than 5 certificates. If you need more than that, contact NHN Cloud Customer Center.
5. After certificate issuance is requested, the Validate Domain phase may be activated in several tens of minutes (up to 2 hours). When your certificate changes status to Validate Domain, an email is sent to NHN Cloud project members. If the email is not sent due to a system error, check the status on the console.
You're ready to validate the domain when, after a new certificate is requested, the certificate status changes to 'Validate Domain'. You may select a domain on the console or refer to the domain validation guide in the email sent to project members.
Domain validation is required to check that the requester of the certificate is the actual owner of its domain. Without this process, the certificate cannot be issued. To verify the domain owner, control over the domain must be validated. Domain validation can be carried out by Adding DNS TXT Records or Adding HTTP Pages, and you can choose either of the two methods.
Check DNS control role of domain to validate domain.
Record Value: Random Character String (fill in the Record Value of console or email guide as sent.)
Use the nslookup command to check that the added TXT record can be queried. It may take some time before the record can be queried, depending on the DNS propagation time.

```bash
nslookup -type=TXT _acme-challenge.[Certificate Domain Requested of Issuance].
```

The following shows a setting example for NHN Cloud DNS+. Each DNS provider may provide a different configuration method.
Add an HTTP page to a web server connected with domain to validate the domain.
[Caution] Cautions for Domain Validation
1. The domain must be validated within 5 days of the certificate issuance request. Otherwise, the certificate request is automatically revoked.
2. When the domain is successfully validated, the certificate is issued and deployed within hours. If it does not proceed for more than a day, check whether the domain has been properly validated. If it still does not proceed, contact NHN Cloud Customer Center.
3. Adding HTTP Pages is available only when the HTTP server runs on port 80. If the port cannot be changed, use the Adding DNS TXT Records option instead.
Once domain is validated, a certificate shall be issued and deployed within hours. Certificate status on console shows the phase of Issue and Deploy Certificates, and notification mail is sent to project members. This phase requires no specific tasks.
[Note] Time Required to Issue and Deploy Certificates It may take up to 9 hours to issue and deploy a certificate.
A certificate must be integrated with a CDN service to be enabled. If this task is not done or the integration is not maintained, the issued certificate may expire.
CNAME Record Setting: Add the following CNAME record to DNS management of DNS service provider of certificate domain.
Domain Alias Setting: Add domain alias setting for the CDN to use certificate.
[Note] CNAME record propagation time When setting the CNAME record, DNS propagation can take time depending on various factors. Therefore, the certificate issuance status may be displayed as [Waiting for CDN service integration] for a certain period of time even after performing the service integration process correctly. If the [Waiting for CDN service integration] status persists for more than 24 hours even though the settings are correct, please contact the NHN Cloud Customer Center.
[Caution] Caution for certificate expiration: Certificates provided by NHN Cloud CDN are automatically renewed before they expire. For auto-renewal, the certificate must be integrated with a CDN service. Otherwise, the certificate may not be renewed during the renewal period and may expire. A certificate is renewed within 5 days after the renewal start day indicated on the list in Certificate Management. To prevent certificates from expiring, maintain the following settings at all times:
- Point the certificate domain to the domain address of the CDN service to be integrated, using a CNAME record.
- Set the certificate domain as a domain alias of the CDN service to be integrated.
- When a CDN service integrated with certificate is suspended, the certificate cannot be renewed. Resume before a renewal start day or integrate it to another running CDN service.
- When a CDN service integrated with certificate is deleted, the certificate cannot be renewed: integrate it to another running CDN service before deleting.
When the certificate is fully integrated with the CDN, the certificate status shows 'Activated'.
[Note] Measures required when an error occurs in the issued certificate
IdenTrust DST Root CA x3, one of the root certificates among the certificates provided by NHN Cloud CDN, expired on September 30, 2021, and users of some older devices or browsers may experience problems. If an issue occurs due to an ERR_CERT_DATE_INVALID error on the client, refer to the following and take measures such as updating after changing the OS settings or manually installing the root certificate.
1. ISRG x1 certificate download link: Download link
2. Windows OS settings change reference guide: Link
3. Chrome browser reference guide: Link