Origin Server: configure "Your origin"
This configuration scenario applies if you're using your own unique origin to house the original version of content for delivery. This is where edge servers can retrieve your content from.
Origin Server Hostname field
When you set up the origin server, you define a unique hostname for it. Akamai refers to this as the origin hostname. This name represents your origin in your origin DNS.
When setting up your property in Property Manager, you need to fill in the Origin Server Hostname field. This setting requires special attention and additional work with your actual origin before you promote the property to the production network.
Sometimes the origin hostname is the same as the hostname you use in the property hostname to edge hostname association, but this isn't always the case. A request for content at www.example.com
may be set up to retrieve that content from Akamai NetStorage, or it may be hosted somewhere else entirely. For a description of the relationship between the origin-server hostname and the edge hostname, see Types of hostnames.
Variable support
This field supports variable expression syntax. Typing "{{" in the option field triggers a list of objects to select. Additional details on this support are available by mousing over this option in the UI. Also see Variables overview.
Origin naming
When you set the origin in your configuration, you also assign an origin hostname to use in your DNS.
Origin server hostnames typically follow the origin-<Media Origin> formula:
- origin is the DNS A-record. As a best practice you should conceal your origin server, so replace it with a random string, for example, hkeh1g76.
- <Media Origin>: This is the hostname of the server housing your original content.
The table that follows shows some examples.
| Hostname | Origin-server hostname |
|---|---|
| streaming.media.com | hkeh1g76-streaming.media.com |
| www.mymedia.com | hkeh1g76-www.mymedia.com |
Once established, make note of this value for future use.
IP addresses as origin server hostnames
You can specify the IPv4 address in the Origin Server Hostname field. However, you need to closely monitor any address changes or reassignments, as they may render your domain unreachable and result in a denial of service. Currently, IPv6 format is not supported.
Forward Host Header
In this field, select which Host header you want the Akamai product to pass to your origin server. This is referred to as the Forward Host Header because it is the hostname the product "forwards" to the origin server in the HTTP Host request header.
The web server on your origin uses this value to determine what content to send. Typically, the expected host is the same name as the hostname received in the request from the client, but you can also customize it.
- Incoming Host Header (Default): When selected, the product sends what you've set as the Hostname in the property hostname to edge hostname association. Typically, it's the end-user-facing hostname for your site or app, and it's used in the connection between the client and Akamai edge servers. This is a generic option that varies depending on the Hostname received in the request. For example, a client request for your website at www.mymedia.com sends www.mymedia.com in the Host header to the origin.
- Origin Hostname: When selected, the product sends what you've set as the Origin Server Hostname. Select this option if you configured your origin to listen for this specific value. For example, assume your origin's hostname is hkeh1g76-www.mymedia.com and this is what you've defined in the Origin Server Hostname field. A client request for your website at www.mymedia.com sends hkeh1g76-www.mymedia.com in the Host header to the origin.
- Custom Value: Select this option if you want to send a custom value in the Host header to the origin. Define the appropriate value in the Custom Forward Host Header field. This applies if you've configured your origin to listen for a hostname other than what was included in the Host header in the incoming request, or what you set up as its assigned Origin Server Hostname. For example, an end-user request for www.mymedia.com could send www.mymedia.com.akamaized.net in the Host header to the origin.
Cache Key Hostname
The cache key is the information the Akamai product uses to identify the content in caches. Assuming your application includes at least some cacheable content, the edge network uses keys based on the entire origin URI path and the query string, if there is one.
Specify the hostname to use when forming a cache key:
- Origin Hostname: All objects requested using this origin hostname and the same path and query string are treated as the same object, including the content served from any other configuration with the same origin hostname. For example, once cached, these objects would be treated as the same object:
http://www.mymedia.com/logo.gif
http://www.mymedia.co.uk/logo.gif
- Incoming Host Header (Virtual Server Option): Objects requested with the same path and query string are given a unique cache key by digital property. Select this option if your origin is a virtual server. For example, once cached, these objects would be treated as different objects:
http://www.mymedia.com/logo.gif
http://www.mymedia.co.uk/logo.gif
If you have an active property and you create a new property version that has a different cache key for all target content, you can potentially create severe problems for your origin when you activate the new version on production. Any change to the cache key invalidates the cached content using the existing cache key. Akamai edge servers will request new objects from your origin at a level that can create severe spikes in bandwidth.
Gzip Compression
Compression is important in optimizing performance. Verify if it applies to your environment.
Disable this only if your origin server does not support delivery of content using Gzip compression, or if for some reason you want to have content served uncompressed. When this feature is enabled, the product sends an Accept-Encoding: gzip header in requests to the origin in order to support Gzip compression.
True Client IP Header
If you enable the Send True Client IP Header option, edge servers pass the original client IP address to the origin.
Normally, the client IP is passed in the X-Forwarded-For header, which is routinely modified by proxies along the way. With this option enabled, the default header name True-Client-IP is used unless you set a custom name for the header in the True Client IP Header Name field. Additionally, with the Allow Clients To Set True Client IP Header toggle you can determine whether a client-supplied value for this header is passed through and accepted, or whether the value you defined in the True Client IP Header Name field is applied instead.
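The origin-side counterpart of this setting, as an added example that is not Akamai's code: an origin that recovers the client address from the True-Client-IP header, falling back to X-Forwarded-For only when that header is absent, and honouring either header only when the connecting peer is an edge server. The edge address range (EDGE_NETS) and the sample requests are constructed placeholders.

```python
import ipaddress

# Constructed placeholder: the peer addresses your origin accepts as edge servers.
EDGE_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def _is_edge(addr: str) -> bool:
    """True if addr belongs to one of the trusted edge networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in EDGE_NETS)


def _valid_ip(value: str):
    """Return the normalised IP string, or None if value is not an IP literal."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def client_ip(peer: str, headers: dict, tcip_name: str = "True-Client-IP") -> str:
    """Best-supported client address for a request arriving at the origin.

    peer    -- the TCP peer that connected to the origin
    headers -- request headers (looked up case-insensitively)
    tcip_name -- the header name configured in True Client IP Header Name
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not _is_edge(peer):
        # Headers from a peer that is not an edge server are untrusted input.
        return peer
    tcip = _valid_ip(h.get(tcip_name.lower(), ""))
    if tcip:
        return tcip
    # Fallback: walk X-Forwarded-For right to left, skipping hops that are
    # edge servers; the left-most entries may have been set by any upstream party.
    hops = [x for x in h.get("x-forwarded-for", "").split(",") if x.strip()]
    for hop in reversed(hops):
        ip = _valid_ip(hop)
        if ip and not _is_edge(ip):
            return ip
    return peer
```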
Verification Settings
Use the Origin SSL Certificate Verification options to control how your origin server is authenticated. The verification prevents 'man-in-the-middle' (MITM) attacks, where a malicious entity directs end-user traffic to the attacker's server instead of your origin.
When an edge server sends a request to your origin, it first establishes a secure connection through an SSL handshake: your origin provides the Akamai edge server with a certificate for validation. If the validation succeeds, the request goes forward. If the certificate is not valid, the connection fails.
Prerequisites:
- These options require secure delivery. These settings are only available if you are using a product or module that includes secure delivery, for example, you're using Enhanced TLS, Standard TLS, or Shared edge certificate with your property.
- Your origin must support HTTPS. An HTTPS request is comprised of two sets of connections: the client request to an edge server where this property is read, and the request from the edge server to your origin to access content. These options apply to the latter part of the connection. Before you apply any of these settings, you need to configure your origin outside of Property Manager. See HTTPS prerequisites.
Decide what criteria you want to use to verify the origin certificate.
Platform Settings option
Select this if you want to use the settings that the Akamai Secure Network platform applies for Origin SSL certificate verification.
This is the default value for this option that instructs edge servers to trust any certificate signed by the authorities listed in the Akamai Certificate Store. The Common Name (CN) or Subject Alternate Name (SAN) in your origin certificate must also match what you've set in the Forward Host Header field in this behavior.
The platform settings may automatically change at any time.
If you enable the SNI TLS Extension, the Server Name Indication (SNI) header is sent in the SSL request to the origin. The SNI header value is the same as the value you have set for the Forward Host Header.
Choose Your Own option
Select this to control exactly which certificates or certificate authorities Akamai edge servers should trust when connecting with your origin.
This method offers the least vulnerability to man-in-the-middle attacks in case a certificate authority gets compromised. For example, if a common certificate authority is compromised, but you directly provided a certificate, your certificate still remains secure.
With this option selected, several other fields appear.
Use SNI TLS Extension
If you enable the SNI TLS Extension, the Server Name Indication (SNI) header is sent in the SSL request to the origin. The SNI header value is the same as the value you have set for the Forward Host Header.
Match CN/SAN To
Specify the values Akamai edge servers should look for in your origin certificate's Common Name (CN) or Subject Alternate Name (SAN) fields. When a Subject Alternate Name field is present in the certificate, the Common Name field is ignored. These values are included by default:
- {{Origin Server}}: The edge server scans either a CN or SAN for the value you've set as the Origin Server Hostname.
- {{Forward Host Header}}: The edge server scans either a CN or SAN for the value you've set as the Forward Host Header.
Additional considerations:
- The values you provide can contain an asterisk (*) character, but it's treated as a literal character and not as a wildcard. For example, if the certificate's CN/SAN value is www.example.com, a match value of *.example.com will not work. However, wildcards in the certificate's CN/SAN value are still honored. For example, if the CN/SAN value is *.example.com, a match value of either *.example.com or www.example.com will work.
- The values must include all of the CN/SAN match values from an Auxiliary Certificates List (aux-list), if it exists for your property. If one of these values is missing, a certificate normally trusted from the aux-list may not be trusted, resulting in a service outage. To include all of these values, import them directly from the aux-list using the Import aux-list button.
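The match rules described above (SAN overrides CN, a literal asterisk in the match value, an honoured wildcard in the certificate, and the {{Origin Server}} / {{Forward Host Header}} defaults), as an added example that is not Akamai's implementation. It assumes that a certificate wildcard covers exactly one DNS label and that {{...}} placeholders are expanded from a dictionary of property values.

```python
def _name_matches(cert_name: str, match_value: str) -> bool:
    """Does one CN/SAN entry from the certificate satisfy one configured match value?

    The match value is literal: its '*' is an ordinary character. The certificate
    name may carry a leading '*.' wildcard, assumed here to cover exactly one label.
    """
    cert_name = cert_name.lower().rstrip(".")
    match_value = match_value.lower().rstrip(".")
    if cert_name == match_value:
        return True  # also covers '*.example.com' against the literal '*.example.com'
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # '.example.com'
        if match_value.endswith(suffix):
            label = match_value[: -len(suffix)]
            return bool(label) and "." not in label and "*" not in label
    return False


def _expand(value: str, variables: dict) -> str:
    """Assumed: '{{Name}}' placeholders are replaced from the property's values."""
    if value.startswith("{{") and value.endswith("}}"):
        return variables.get(value[2:-2].strip(), value)
    return value


def origin_cert_accepted(cert_cn, cert_sans, match_values, variables=None) -> bool:
    """Accept the origin certificate if any CN/SAN entry matches any configured value.

    When the certificate carries a SAN extension, the CN is ignored entirely.
    """
    variables = variables or {}
    names = list(cert_sans) if cert_sans else ([cert_cn] if cert_cn else [])
    wanted = [_expand(v, variables) for v in match_values]
    return any(_name_matches(n, m) for n in names for m in wanted)


# Constructed sample: the default match values resolved against a property
DEFAULTS = ["{{Origin Server}}", "{{Forward Host Header}}"]
PROPERTY = {"Origin Server": "hkeh1g76-www.mymedia.com",
            "Forward Host Header": "www.mymedia.com"}
```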
Trust
Decide what type of certificate or certificate authority the edge server should trust. For an overview of advantages and disadvantages of each option, see Create an origin certificate. The process varies depending on your selection:
- Akamai-managed Certificate Authority Set: Your origin certificate only needs to be trusted by a supported CA. You are not including the specific origin certificate in the property. The sub-options include:
  - Akamai Certificate Store: The CAs tested and known to be trusted for use with Akamai. Click View CA Set to see a complete list.
  - Third Party Certificate Store: The CAs associated with third party origins that are currently trusted for use. Click View CA Set to see a complete list.
- Custom Certificate Authority Set: Identify the specific CAs that should be used in validation. Click Add Certificate and in the pop-up window select how to apply the certificate authorities:
  - Retrieve for Origin: The edge server retrieves existing certificate authorities from your origin. You need to provide the applicable Hostname / IP for your origin, and the applicable HTTPS Port, typically 443.
  - Paste (PEM-encoded): Paste the PEM-encoded certificate directly into the box provided to add a certificate authority associated with the pasted certificate as a trusted CA. You may need to convert another format into PEM.
- Specific Certificate (pinning): Use this trust method to "pin" a specific certificate to the property for validation. Either enter your origin's hostname so the edge server can retrieve the specific certificate for you, or paste the PEM-encoded certificate directly into the box provided. You can add multiple certificates, as necessary.
- Satisfies any of the trust options below: This allows you to incorporate both custom CAs, as well as pin specific certificates. If any are sent in the connection, the edge server trusts the origin. Follow the instructions previously listed for each of the corresponding fields.
Third Party Settings option
Select this for Verification Settings if you are using a supported third party origin, such as Amazon AWS.
Akamai creates a separate certificate authority (CA) set for these third parties, and manages the certificate for you. You don't have to do anything to upgrade your verification settings.
If you enable the SNI TLS Extension, the Server Name Indication (SNI) header is sent in the SSL request to the origin. The SNI header value is the same as the value you have set for the Forward Host Header.
Ports
Specify the ports on your origin server you want edge servers to connect to for HTTP and HTTPS requests, respectively.
The standard ports are 80 for HTTP and 443 for HTTPS.
Acceptable port numbers (single ports and inclusive ranges):
72, 80-89, 443, 488, 591, 777, 1080, 1088, 1111, 1443, 2080, 7001, 7070, 7612, 7777, 8000-9001, 9090, 9901-9908, 11080-11110, 12900-12949, 45002