- Property Manager name: Signature Header Authentication
- Behavior version: The
v2024-01-09rule format supports theg2oheaderbehavior v1.1. - Rule format status: GA, stable
- Access: Read/Write
- Allowed in includes: Yes
The signature header authentication (g2o) security feature provides header-based verification of outgoing origin requests. Edge servers encrypt request data in a pre-defined header, which the origin uses to verify that the edge server processed the request. This behavior configures the request data, header names, encryption algorithm, and shared secret to use for verification.
| Option | Type | Description | Requires | |
|---|---|---|---|---|
enabled | boolean | Enables the g2o verification behavior. | {"displayType":"boolean","tag":"input","type":"checkbox"} | |
data_header | string | Specifies the name of the header that contains the request data that needs to be encrypted. | {"displayType":"string","tag":"input","type":"text"}{"if":{"attribute":"enabled","op":"eq","value":true}} | |
signed_header | string | Specifies the name of the header containing encrypted request data. | {"displayType":"string","tag":"input","type":"text"}{"if":{"attribute":"enabled","op":"eq","value":true}} | |
encoding_version | enum | Specifies the version of the encryption algorithm as an integer from | {"displayType":"enum","options":["1","2","3","4","5"],"tag":"select"}{"if":{"attribute":"enabled","op":"eq","value":true}} | |
Supported values: 1 2 3 4 5 | ||||
use_custom_sign_string | boolean | When disabled, the encrypted string is based on the forwarded URL. If enabled, you can use | {"displayType":"boolean","tag":"input","type":"checkbox"}{"if":{"attribute":"enabled","op":"eq","value":true}} | |
custom_sign_string | string array | Specifies the set of data to be encrypted as a combination of concatenated strings. | use_custom_sign_string is true | {"displayType":"string array","options":["AK_METHOD","AK_SCHEME","AK_HOSTHEADER","AK_DOMAIN","AK_URL","AK_PATH","AK_QUERY","AK_FILENAME","AK_EXTENSION","AK_CLIENT_REAL_IP"],"tag":"select"}{"if":{"op":"and","params":[{"attribute":"enabled","op":"eq","value":true},{"attribute":"useCustomSignString","op":"eq","value":true}]}} |
AK_METHOD | Incoming request method. | |||
AK_SCHEME | Incoming request scheme (HTTP or HTTPS). | |||
AK_HOSTHEADER | Incoming request hostname. | |||
AK_DOMAIN | Incoming request domain. | |||
AK_URL | Incoming request URL. | |||
AK_PATH | Incoming request path. | |||
AK_QUERY | Incoming request query string. | |||
AK_FILENAME | Incoming request filename. | |||
AK_EXTENSION | Incoming request filename extension. | |||
AK_CLIENT_REAL_IP | Incoming client IP. | |||
secret_key | object array | Specifies the shared secret key. | {"displayType":"object array","tag":"input","todo":true}{"if":{"attribute":"enabled","op":"eq","value":true}} | |
nonce | string | Specifies the cryptographic nonce string. | {"displayType":"string","tag":"input","type":"text"}{"if":{"attribute":"enabled","op":"eq","value":true}} |