External Web Servers (Customer Origin)

This article explains how to set up customer origins. If your account has been updated to use customer origin groups, please refer to the External Servers (Customer Origin Group) article for setup information.

Serve content stored or generated by third-party web servers (e.g., web hosting) via the CDN by:

  1. Creating a customer origin configuration. This type of configuration maps one or more servers to a CDN URL.
  2. Optional. Creating an edge CNAME configuration that allows you to serve traffic via the CDN without having to update your links. This type of configuration maps a customer origin configuration to a CNAME record.

Key information:

IP Version

Hostnames associated with a customer origin configuration must be resolved to an IP address before a request can be served to it. The Origin Configuration option determines whether our servers will prefer to resolve a hostname to an IPv4 or IPv6 address.

Setting Description

Default

Indicates that hostnames should be resolved to IPv4 addresses only.

We reserve the right to change the behavior of this default setting at any time.

V6 Preferred Over V4

Indicates that our edge servers will resolve hostnames to IPv6 addresses whenever possible. If an IPv6 address for that hostname does not exist, then the hostname will be resolved to an IPv4 address.

V4 Preferred Over V6

Indicates that our edge servers will resolve hostnames to IPv4 addresses whenever possible. If an IPv4 address for that hostname does not exist, then the hostname will be resolved to an IPv6 address.

V4 Only

Indicates that hostnames should be resolved to IPv4 addresses only.

V6 Only

Indicates that hostnames should be resolved to IPv6 addresses only.

Directory Name

The Directory Name option uniquely identifies your customer origin configuration. This name is included as a URL segment within a CDN URLA system-defined URL that points to a CDN hostname. A CDN URL allows content delivery via our network. Simplify your CDN setup by also creating an edge CNAME configuration which potentially allows you to deliver traffic via the CDN using the same links as your current setup. as indicated below.

Set up a friendlier and shorter URL (i.e., edge CNAME URLThis type of URL takes advantage of an edge CNAME configuration and a CNAME record to provide a friendlier alternative to a CDN URL. An edge CNAME URL is specific to the platform from which it was configured.) by creating an edge CNAME configuration and defining a CNAME record.
Learn more.

CDN and edge CNAME URLs are case-sensitive.

Sample Directory Name

If the primary purpose of your web servers is to serve images, then you might create a customer origin configuration whose Directory Name option is set to "images." An example of what a CDN URL for this type of customer origin might look like is provided below.

The above sample CDN URL points to the root folder on the server(s) associated with the "images" customer origin configuration. Append the desired relative path to the content that you would like to request. For example, the following sample CDN URL points to this location "http://www.myserver.com/photography/clientX/" on your web servers:

http://wpc.0001.edgecastcdn.net/800001/images/photography/clientX/

Hostname and IP Address Configuration

A customer origin configuration must point to one or more web servers. These web servers are defined through the Hostname Configuration section (shown below).

A customer origin's web servers are defined through the following two options:

Option Description

HTTP Edge Protocol

Defines the set of servers that can fulfill HTTP requests.

HTTPS Edge Protocol

Defines the set of servers that can fulfill HTTPS requests.

This capability requires the following items:

  • SSL Traffic feature for the desired HTTP platform

    Please contact your CDN account manager to activate this feature.

  • TLS certificate
  • Edge CNAME configuration
  • CNAME record

The above setup allow the use of a HTTP Secure (HTTPS) URL when delivering content over our network.

Learn more.

Key information:

A hostname must be resolved to an IP address before a request can be forwarded to it. The Origin Configuration option defines how hostnames will be resolved to an IP address.
Learn more.

HTTP Requests

The HTTP Edge Protocol option defines the set of web servers that can handle HTTP requests.

Key information:

HTTPS Requests

The SSL Traffic feature enables an additional customer origin configuration option called "HTTPS Edge Protocol." This option functions in the same way as the HTTP Edge Protocol option, except that it determines how HTTPS requests are handled.

Learn how to implement an HTTPS solution.

Key information:

HTTP Host Header

HTTP 1.1 requires a Host header to be sent with each request. A Host header identifies the hostname/IP address and port associated with a request. This information is especially useful when there are multiple virtual domains hosted on a single physical server or load-balanced set of servers.

Each customer origin configuration allows a Host header value to be configured. Typically, the Host header value should be set to either of the following:

Key information:

Load Balancing

A load balancing configuration defines how traffic will be managed between the edge of our network and a customer origin for a particular protocol (i.e., HTTP or HTTPS).

Traffic may only be served over the protocols that have been enabled on a customer origin. If the HTTPS Edge Protocol option is unavailable, then the SSL Traffic feature has not been enabled on the current platform. Please contact your CDN account manager for more information.

If multiple unique IP addresses are associated with either option, then the selected load balancing mode determines which IP address will handle the next request.

The available load balancing options are:

The above load-balancing options are completely independent from any load balancing configuration that may already distribute traffic to your web servers. For instance, traffic for a single IP address might be balanced across several physical servers.

Unavailable Servers

A server is considered unavailable when either of the following conditions are true:

The manner in which an unavailable server affects load balancing is described below.

  1. Once a server is designated as unavailable, CDN traffic will not be load balanced to the corresponding hostname or IP address for a brief time period.
  2. Upon the expiration of this time period, CDN traffic may once again flow through the corresponding hostname or IP address according to the customer origin's load balancing configuration (i.e., Round Robin or Primary & Failover).
  3. If the server is still unavailable, then CDN traffic will not be load balanced to the corresponding hostname or IP address for a brief, but slightly longer time period.
  4. Steps 2 and 3 repeat until the server becomes available.

Origin Shield

Origin Shield establishes an additional buffer between a customer origin server and your clients. This buffer is useful for protecting a customer origin server from:

  • Denial of service attacks
  • Spikes in traffic

The Origin Shield feature is only available after it has been activated on the HTTP Large and/or the HTTP Small platform. This feature is unavailable for all other platforms. For more information, please contact your CDN account manager.

How Does It Work?

The Origin Shield feature reduces the number of requests that are sent to the customer origin server. This results in reduced server and network load on the customer origin server. It is able to accomplish this by establishing an intermediate caching layer between the customer origin server and an edge server. This intermediate caching layer is illustrated below.

This intermediate caching layer augments the default CDN caching behavior in the following ways:

Origin Shield Configuration

Protecting a customer origin through the use of the Origin Shield feature requires the selection of a single (recommended) or multiple origin shield locations. Each configuration method is described below.

Each origin shield server is identified by the city and the three-letter abbreviation for the POP where it is located. The use of a POP abbreviation allows you to distinguish between multiple origin shield servers in the same city.

Single Origin Shield Location (Recommended)

The recommended configuration for reducing requests to your customer origin server is to define a single origin shield location. This can be achieved by selecting the Single POP option and then selecting the location closest to the server(s) associated with the customer origin.

The workflow through which a request for content protected by Origin Shield is handled by our CDN service is illustrated below.

The above workflow is described below.

  1. If an edge server does not have a cached version of the requested content, then it will forward the request to the specified origin shield location.

    If a cached version is found, the requested content will be served immediately to the client.

  2. If an origin shield server does not have the requested asset, it will forward the request to your web servers.

    If a cached version is found, then the origin shield server will serve it immediately to the client via the edge server from the previous step. Proceed to step 5.

  3. Once the origin shield server receives the requested content from your web servers, it will forward it to the edge server that requested it. After which, it may cache the requested content.
  4. The edge server will deliver the content to the client that requested it.
  5. The edge server may then cache it.

Multiple Origin Shield Locations

An alternative configuration is to define several origin shield locations for a single customer origin configuration. This can be accomplished by selecting the Multiple POPs option and then choosing how requests are handled for each of the following regions: North America: West Coast United States, North America: East Coast United States, Europe, and Asia/South America. Choose one of the following options for each region:

  • Blank: Leaving a region blank indicates that requests for this region will skip the origin shield server in the selected POP and attempt to retrieve it from the next closest origin shield server.
  • POP: Selecting a POP activates origin shield for that region. Requests for this region will go through the selected origin shield. If the origin shield does not have the requested asset, it will request it from the customer origin server.
  • Bypass: Selecting to bypass a region indicates that requests for this region will bypass the origin shield and go directly to the customer origin server. This type of configuration is the equivalent of turning origin shield off for a particular region.

Origin shield locations in Asia and South America require the activation of the Premium Asia and Latin America geographic delivery regions, respectively.

ADN Gateway

ADN Gateway servers are responsible for ensuring efficient data delivery between the CDN and external web servers (i.e., customer origin servers). Before anADN Gateway server can assume this responsibility, our network will need to calculate the top three ADN Gateway servers that can provide the best performance for a customer origin configuration. This is calculated by requesting an asset from each web server associated with a customer origin configuration.

Configuration:

Key information:

Sample Validation Path

The following sample scenario provides an example as to how the Validation Path option should be configured.

Item Scenario Description

HTTP Host Header

A customer origin server's HTTP Host header is set to:

adn.mydomain.com

Sample Asset Configuration

A sample asset has been uploaded to all of the servers defined under the Hostname Configuration section. The relative path to this sample asset is:

/Permanent/Background.png

Validation Path

The Validation Path option should be set to:

http://adn.mydomain.com/permanent/background.png

Key Response Headers

Configure your web server(s) or Rules Engine to include key headers in the response sent to the client to ensure optimal CDN performance.

Cache Revalidation

The web server(s) associated with a customer origin should include one of the following headers with each response that should be cached:

The above response headers allow our edge servers to perform cache revalidationRefers to the process that occurs when a request for stale content requires that our edge servers check for a new version of the requested content on the origin server. when staleIdentifies cached content whose TTL has expired. Our edge servers revalidate stale content with the origin server. This step ensures that the latest version of the requested content is served to the requester. content is requested. If both response headers are missing, then our edge servers will perform an unconditional GET request to the customer origin server.

QUIC

Allow QUIC-compatible clients to leverage QUIC by including the alt-svc header in the response.

The easiest way to enable QUIC for all CDN traffic is to add the QUIC feature under the Always match condition.

Learn more.

Setting Response Headers

Response headers may be defined via either of the following methods:

Google QUIC

QUIC is an emerging technology that is developing at a rapid pace. For this reason, we are occasionally required to temporarily suspend this capability when upgrading our QUIC implementation. Although QUIC will be disabled during these maintenance windows, your traffic will continue to be accelerated via our network.

Google QUIC, which stands for Quick UDP Internet Connections, is a new transport protocol developed by Google that reduces latency and provides better HTTP/2 stream-multiplexing support when compared to TCP. QUIC provides functionality equivalent to TCP + TLS + HTTP/2 except that it is implemented over UDP.

QUIC is only supported for client-to-edge traffic to customer origins that have been configured to support TLS.
Learn more.

According to The Chromium Projects, it provides the following advantages over TCP + TLS + HTTP/2:

QUIC Setup

Enable QUIC by setting up a rule within Rules Engine that either:

To enable QUIC via Rules Engine

Before enabling QUIC, please verify that the desired customer origin(s) support TLS.

  1. Create a draft.
  2. Update a rule within that draft to define the condition(s) under which QUIC should be enabled.

  3. Add the QUIC feature directly below the match condition(s) created in the previous step. Set it to Yes.
  4. Click Save to save the rule.
  5. Click Lock Draft as Policy to convert the draft into a policy.
  6. Deploy the policy to the Production or Staging environment.

How Does QUIC Work?

Before a user agentRefers to software that acts on behalf of a user. For example, a web browser (e.g., FireFox, Chrome, and Internet Explorer) is a user agent. A web browser will make HTTP/HTTPS requests based on user actions (e.g., requesting a web site or clicking a link). may leverage QUIC, it must be informed via the alt-svc (Alternative Service) response header that it may communicate with the CDN via QUIC. This response header also informs the client the set of supported QUIC versions and the length of time that this data should be cached by the client.

By default, QUIC is supported on the latest versions of Google Chrome, Chromium, and Opera. However, it may require enablement. If a user agent doesn't support QUIC, then it will communicate with the CDN using HTTP/2 over TCP.

Our QUIC implementation supports the Bottleneck Bandwidth and Round-trip propagation time (BBR) congestion control algorithm without requiring additional CDN setup. However, BBR will only be used when a QUIC-enabled client (e.g., Google Chrome) requests it.

Sample alt-svc header name/value:

alt-svc: quic=":443"; ma=2592000; v="49,48,46,43",h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000

The above sample response header indicates to the client that:

WebSocket Protocol

The WebSocket protocol is a TCP-based protocol that enables an open, continuous, and full-duplex connection between a client (e.g., web browser) and a server. This allows a server to send data to a client without requiring the client to request it. In contrast, the HTTP protocol only allows a server to respond when a client requests content.

Leverage the WebSocket protocol for low latency applications that require real-time, interactive communication. For example, WebSocket communication improves the user experience for multiplayer games and chat applications by providing higher responsiveness via lower latency.

Key benefits:

WebSocket Setup

Set up involves:

  1. WebSocket Protocol Activation

    You must activate support for the WebSocket protocol before you can leverage it.

    Contact your CDN account manager to request support for the WebSocket protocol. We will determine whether to activate it based on an analysis of your use case.

  2. Web Server Setup

    Verify that your web server supports the use of the WebSocket protocol. After which, you should implement a WebSocket server-side application and verify that it allows bidirectional communication with your client.

    Our network acts as a middleman between your client and server for bidirectional communication via the WebSocket protocol. If your web server does not properly support WebSocket communication, then a client's request to upgrade to the WebSocket protocol will fail and communication will proceed via HTTP.

  3. Client Setup

    1. Verify that the client natively supports the WebSocket protocol. Most modern browsers already support the WebSocket protocol. If your custom application does not already support it, then you will need to add support for it before proceeding to the next step.
    2. Update your client to include the following request headers when initially requesting a connection that requires low latency:

      Connection: Upgrade

      Upgrade: websocket

      These headers indicate that the client wants to change the protocol from HTTP to WebSocket.

    3. Update your client to re-initiate the connection with the server upon disconnection.

      A client, server, or a network disruption may disconnect a WebSocket connection.

How Does the WebSocket Protocol Work?

A WebSocket connection starts when a client submits a request to the CDN over HTTP. This request must inform an edge serverThis type of server is located near the edge of our network where its close proximity to your end-users allows it to deliver data more quickly than normal Internet communication. It is responsible for handling requests and caching assets. that the client would like to upgrade the connection to use the WebSocket protocol via the following request headers:

Connection: Upgrade

Upgrade: websocket

If the WebSocket protocol has been activated on your account, an edge server will forward the request to your web server(s). Your web server must then either:

Firewall Access

For the purpose of fulfilling requests, our edge servers require access to all servers associated with a customer origin configuration. Please ensure that your firewall allows access to all of the IP blocks listed in the Whitelist IP Blocks section of the Customer Origin page.

Export a list of the IPv4 and IPv6 blocks that should be whitelisted by clicking from the Whitelist IP Blocks header.

The Whitelist IP Blocks section contains a superset of IP addresses that includes:

Once the IP blocks defined under the Whitelist IP Blocks section have been whitelisted on your firewall, it is unnecessary to add the IP blocks defined under the The following CDN IPs can access your origin section.

Best Practices (Dynamic Application)

If your customer origin hosts a dynamic application, then it is highly recommended that you do not use a user's IP address to maintain a session instance. This type of configuration is unsupported, since the client does not connect directly to the customer origin server. Instead, the client connects to a server on our network, and then that server connects to a customer origin server. If you would like to maintain a session for your dynamic application, we recommend that you use a cookie to identify the session. For example, a cookie could keep track of a unique ID for each client's session.

Creating a Customer Origin Configuration

This section provides step-by-step instructions on how to create a customer origin configuration.

Key information:

The maximum number of customer origin configurations per platform is 100.

To create a customer origin configuration

  1. Navigate to the Customer Origin page corresponding to the desired platform. ClosedHow?From the main menu, navigate to [HTTP Large, HTTP Small, or ADN] | Customer Origin.

  2. In the Directory Name option, type the name of the directory that will be associated with the desired customer origin server.

    The specified name will become a URL segment within the CDN URLSample URL: http://wpc.0001.edgecastcdn.net/800001/DirectoryName.

  3. Perform the following steps to provide access to content stored on your customer origin server through the HTTP protocol:

    1. Make sure that the HTTP Edge Protocol option is marked.
    2. Set the Hostname or IP Address option to one of the following:
      • http://Hostname:port
      • http://IPAddress:port
    3. Click Add.
    4. Repeat steps ii and iii until you have finished adding all of the web servers that will be associated with this customer origin for http:// requests.

    HTTPS support requires the configuration of the HTTPS Edge Protocol option. Please contact your CDN account manager to request HTTPS support.
    Learn more.

  4. Verify or set the HTTP Host Header option to one of the following:
    • A hostname defined in step 3.
    • An edge CNAME whose configuration points to this customer origin.
    • Blank. The request will determine the value assigned to the Host request header.
  5. ADN: Perform the following steps when creating a customer origin configuration for the ADN platform:
    1. Upload a sample asset to each server that has been specified for this customer origin configuration.

      Our servers use this asset to choose the optimal ADN Gateway servers and data routes for your customer origin configuration. The optimal file size for this sample asset is 5 KB.

      Download a sample performance test asset.

    2. In the Validation Path option, specify a URL that points to a sample asset on your customer origin server.

      The hostname specified in this URL should match the one defined in the HTTP Host Header option unless that option has been set to blank.

    3. Click Validate. If the result returns "200 OK" for all hostnames/IP addresses, then proceed to the next step.
  6. Origin Shield Only: Origin Shield, which must be purchased separately, is available on the HTTP Large and HTTP Small platforms.

    • Set up origin shield on a customer origin by performing the following steps:

      1. Mark the Enable Origin Shield option.
      2. Perform one of the following:

        • Set up a recommended origin shield configuration by selecting the Single POP option. You should then select the POP closest to your customer origin server(s) from the ALL POPs list.
        • Create a custom origin shield configuration by selecting the Multiple POPs option and then selecting the origin shield action that will take place for each region.

          Learn more.

    • Set up a customer origin to handle all requests that are not served from cache by clearing the Enable Origin Shield option.
  7. Click Add to save your customer origin configuration.

Modifying a Customer Origin Configuration

A customer origin configuration can be modified at any time by clicking the next to the desired customer origin. The configuration associated with that customer origin will appear. Simply make the desired changes and then click Update to apply them.

If an edge CNAME points to a customer origin configuration, then you will not be allowed to modify the name of the folder associated with that customer origin configuration. If you would like to change the folder name, you will need to first delete the associated edge CNAME.

It may take up to an hour for changes to your customer origin configuration to take effect.

Deleting a Customer Origin Configuration

A customer origin configuration can be deleted at any time by clicking the next to the desired customer origin. Once you have confirmed the deletion, it will be removed from the list.

If an edge CNAME points to a customer origin configuration, then you will not be allowed to delete the associated customer origin configuration. If you would like to delete it, you will need to first delete the associated edge CNAME configuration.

It may take up to an hour for customer origin configuration deletions to take effect.

More Information