g2oheader

  • Property Manager name: Signature Header Authentication
  • Behavior version: The v2023-01-05 rule format supports the g2oheader behavior v1.1.
  • Rule format status: GA, stable
  • Access: Read/Write
  • Allowed in includes: Yes

The signature header authentication (g2o) security feature provides header-based verification of outgoing origin requests. Edge servers encrypt request data in a pre-defined header, which the origin uses to verify that the edge server processed the request. This behavior configures the request data, header names, encryption algorithm, and shared secret to use for verification.

| Option | Type | Description | Requires |
|---|---|---|---|
| enabled | boolean | Enables the g2o verification behavior. | |
| data_header | string | Specifies the name of the header that contains the request data that needs to be encrypted. | |
| signed_header | string | Specifies the name of the header containing encrypted request data. | |
| encoding_version | enum | Specifies the version of the encryption algorithm as an integer from 1 through 5. Supported values: 1, 2, 3, 4, 5. | |
| use_custom_sign_string | boolean | When disabled, the encrypted string is based on the forwarded URL. If enabled, you can use custom_sign_string to customize the set of data to encrypt. | |
| custom_sign_string | string array | Specifies the set of data to be encrypted as a combination of concatenated strings. | use_custom_sign_string is true |
| secret_key | object array | Specifies the shared secret key. | |
| nonce | string | Specifies the cryptographic nonce string. | |

Supported values for custom_sign_string:

  • AK_METHOD: Incoming request method.
  • AK_SCHEME: Incoming request scheme (HTTP or HTTPS).
  • AK_HOSTHEADER: Incoming request hostname.
  • AK_DOMAIN: Incoming request domain.
  • AK_URL: Incoming request URL.
  • AK_PATH: Incoming request path.
  • AK_QUERY: Incoming request query string.
  • AK_FILENAME: Incoming request filename.
  • AK_EXTENSION: Incoming request filename extension.
  • AK_CLIENT_REAL_IP: Incoming client IP.
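The origin-side half of this check, as an added example that is not Akamai's code: it validates the value of the signed_header against the value of the data_header before the request is trusted. It assumes, beyond what this page states, that the data header carries six comma-separated fields (version, edge IP, client IP, Unix time, unique ID, nonce) and that encoding_version 5 means base64(HMAC-SHA256(key, data + sign string)); the key table, skew limit and sample values are constructed.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample configuration: nonce -> shared secret, mirroring the
# nonce and secret_key options. Real values come from your own property.
SECRETS = {"nonce-a": b"constructed-shared-secret"}
MAX_SKEW = 30  # seconds of clock difference tolerated (assumed policy)


def sign(key: bytes, data: str, sign_string: str) -> str:
    """Assumed version 5 scheme: base64(HMAC-SHA256(key, data + sign_string))."""
    mac = hmac.new(key, (data + sign_string).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify(data: str, signature: str, sign_string: str, now=None) -> bool:
    """Return True only if the signed header value matches the data header value.

    sign_string is the forwarded URL unless use_custom_sign_string is enabled.
    """
    fields = [f.strip() for f in data.split(",")]
    if len(fields) != 6:                      # assumed field layout
        return False
    version, _edge_ip, _client_ip, ts, _unique_id, nonce = fields
    if version != "5" or not (ts.isascii() and ts.isdigit()):
        return False                          # refuse other versions outright
    key = SECRETS.get(nonce)
    if key is None:                           # unknown nonce: no key to check with
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW:         # stale or future-dated: likely replay
        return False
    expected = sign(key, data, sign_string)
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(expected.encode(), signature.encode())


# Constructed sample data header value (documentation-range IP addresses).
SAMPLE_DATA = "5, 192.0.2.10, 198.51.100.7, 1700000000, 12345.678, nonce-a"
```

Pinning the accepted version and rejecting unknown nonces keeps a request from selecting a weaker algorithm or a retired key.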