Localhost Loopback Protection
This behavior allows you to secure requests that come to your hostnames via the loopback IP address, also known as localhost.
Why you need it
Akamai's servers use the loopback IP address - 127.0.0.1 (IPv4) or ::1 (IPv6) - also known as 'localhost', as a routing mechanism for certain functionality. Localhost is an internal address used for self-communication which allows a server to communicate with itself, without sending data packets across a network.
You can set up your properties to make localhost requests to hostnames defined on Akamai. For example, the following requests use localhost:
- EdgeWorkers subrequests to a hostname defined on Akamai.
- So-called '2-tree' requests, where the Origin Server Hostname defined in a property is the loopback IP address itself and the Forward Host Header is a hostname defined on Akamai.
The hostname that receives these requests sees the incoming client IP address as the IPv4 loopback IP address 127.0.0.1.
Requests made from a property through localhost to a hostname defined on Akamai may bypass some of the security functionality implemented for that hostname using either security products (for example WAF) or delivery features (for example the Request Control cloudlet), because they are executed within a single Akamai server.
It is possible for one customer (SourceCustomer) to make a request from their property via localhost to a hostname belonging to a different customer (TargetCustomer). This is called a 'cross-account' localhost request.
How it works
This behavior allows you (Customer TargetCustomer in the above scenario) to explicitly allow or deny cross-account incoming localhost requests from SourceCustomer.
All incoming localhost requests to your hostnames from properties in your account are always allowed. This behavior only applies to localhost requests from other customer accounts.
You can add this behavior to do any of the following:
- Deny all incoming cross-account localhost requests to hostname(s) on your property. This is the default option.
- Allow all cross-account incoming localhost requests to hostname(s) on your property. This is not recommended.
- Allow incoming cross-account localhost requests to hostname(s) on your property only from certain specific customer accounts. Incoming localhost requests from any other customer accounts are denied.
If you don’t add this behavior, all incoming localhost requests from other customer accounts are denied.
To specify customer accounts from which you want to allow localhost requests, you must directly contact the other customer and request their Virtual Customer Domain (VCD). The VCD is a numeric string which uniquely identifies a customer account within Akamai's request infrastructure. You can then add this VCD in the Allowed VCD IDs for Loopback list of allowed customers.
If your delivery property makes localhost requests to another customer (if you are SourceCustomer in the above scenario), the other customer (TargetCustomer in the above scenario) may contact you to ask for your VCD, in order to allow you to continue to make localhost requests to their hostname. Your VCD is available in the Property Version Information section for your property.
Features and options
| Field | What it does |
|---|---|
| Loopback Cross-Account Policy | Specifies whether localhost requests to hostnames on this property are allowed from other accounts. The Allow option allows all requests from any customer account to your account. The Deny option blocks all requests from any customer to your account. Optionally you can specify an exception list of Virtual Customer Domain (VCD) IDs identifying customers who are allowed to make localhost requests to hostnames on this property. |
| Allowed VCD IDs for Loopback | Specifies a list of Virtual Customer Domain (VCD) IDs which identify other customer accounts who can make localhost requests to hostnames on this property. Localhost requests from any customer accounts not listed here are denied. If the list is empty, localhost requests from all other customer accounts to hostnames on this property are denied. |
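
The decision rules described above can be modelled locally to review a planned configuration before deploying it. This is an added example, not Akamai code or an Akamai API: the class, function and field names and the VCD values are hypothetical. It assumes that the exception list applies under the Deny option and that two requests belong to the same account when their VCDs match.

```python
# Added illustration: a local model of the documented decision rules.
# All names (LoopbackPolicy, evaluate, audit) and VCD values are hypothetical;
# none of them are Akamai identifiers or API fields.
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY = "allow", "deny"


@dataclass
class LoopbackPolicy:
    cross_account_policy: str = DENY  # documented default is deny
    allowed_vcds: set = field(default_factory=set)

    def __post_init__(self):
        if self.cross_account_policy not in (ALLOW, DENY):
            raise ValueError("policy must be 'allow' or 'deny'")
        # The page describes a VCD as a numeric string; reject anything else
        # so a mistyped entry cannot sit unnoticed in the exception list.
        bad = [v for v in self.allowed_vcds
               if not (isinstance(v, str) and v.isascii() and v.isdigit())]
        if bad:
            raise ValueError(f"non-numeric VCD entries: {bad}")


def evaluate(policy: Optional[LoopbackPolicy], target_vcd: str, source_vcd: str):
    """Return (allowed, reason) for one incoming localhost request."""
    # Assumption: matching VCDs means the request comes from the same account.
    if source_vcd == target_vcd:
        return True, "same account: always allowed"
    if policy is None:
        return False, "behavior not added: cross-account denied"
    if policy.cross_account_policy == ALLOW:
        return True, "allow-all policy (not recommended)"
    if source_vcd in policy.allowed_vcds:
        return True, "source VCD is on the exception list"
    return False, "deny policy and source VCD not listed"


def audit(policy, target_vcd, sources):
    """Map each source VCD to its decision, for reviewing a planned config."""
    return {s: evaluate(policy, target_vcd, s) for s in sources}


if __name__ == "__main__":
    # Constructed VCD values, for illustration only.
    planned = LoopbackPolicy(DENY, {"20001"})
    for vcd, (ok, why) in audit(planned, "10001", ["10001", "20001", "30001"]).items():
        print(vcd, "ALLOW" if ok else "DENY", "-", why)
```
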
