origin

Suggest Edits

Version: `v2025-01-13`	Includes use: Yes

Behavior name: Origin Server

Specify the hostname and settings used to contact the origin once service begins. You can use your own origin, NetStorage, an Edge Load Balancing origin, or a SaaS dynamic origin.

Default behavior

These samples reflect the behavior's default settings. You can use these as is in your configurations or make adjustments based on the behavior's available options.

data "akamai_property_rules_builder" "origin" {
  rules_v2025_02_18 {
    name     = "Origin Server"
    comments = "Specifies the hostname and settings used to contact the origin once service begins."
    behavior {
      origin {
        min_tls_version               = "DYNAMIC"
        enable_true_client_ip         = true
        compress                      = true
        true_client_ip_header         = "True-Client-IP"
        verification_mode             = "PLATFORM_SETTINGS"
        origin_sni                    = true
        true_client_ip_client_setting = false
        hostname                      = ""
        http_port                     = 80
        cache_key_hostname            = "ORIGIN_HOSTNAME"
        forward_host_header           = "REQUEST_HOST_HEADER"
        https_port                    = 443
        ip_version                    = "IPV4"
        origin_type                   = "CUSTOMER"
      }
    }
  }
}

"behaviors": [
  {
    "name": "origin",
    "options": {
      "minTlsVersion": "DYNAMIC",
      "enableTrueClientIp": true,
      "compress": true,
      "trueClientIpHeader": "True-Client-IP",
      "verificationMode": "PLATFORM_SETTINGS",
      "originSni": true,
      "trueClientIpClientSetting": false,
      "hostname": "",
      "httpPort": 80,
      "cacheKeyHostname": "ORIGIN_HOSTNAME",
      "forwardHostHeader": "REQUEST_HOST_HEADER",
      "httpsPort": 443,
      "ipVersion": "IPV4",
      "originType": "CUSTOMER"
    }
  }
]

Options

Option	Description
`origin_type`	Enum Choose where your content is retrieved from. Value is one of: `CUSTOMER`. From your own server. `NET_STORAGE`. From your NetStorage account. This option is most appropriate for static content. `MEDIA_SERVICE_LIVE`. From a Media Services Live origin. `EDGE_LOAD_BALANCING_ORIGIN_GROUP`. From any available Edge Load Balancing origin. `SAAS_DYNAMIC_ORIGIN`. From a SaaS dynamic origin if SaaS acceleration is available on your contract.
`net_storage`	Object \| Requires: `origin_type` is `NET_STORAGE` Specifies the details of the NetStorage server. Contains: `cpCode`. Identifies a CP code assigned to this storage group. `downloadDomainName`. Domain name from which content can be downloaded. `g2oToken`. Signature Header Authentication key. `id`. Unique identifier for the storage group. `name`. Name of the storage group.
`origin_id`	String \| Requires: `origin_type` is `EDGE_LOAD_BALANCING_ORIGIN_GROUP` Identifies the Edge Load Balancing origin. This needs to correspond to an `edge_load_balancing_origin` behavior's `id` attribute within the same property.
`hostname`	String \| Requires: `origin_type` is `CUSTOMER` Specifies the hostname or IPv4 address of your origin server, from which edge servers can retrieve your content.
`second_hostname_enabled`	Boolean Available only for certain products. This specifies whether you want to use an additional origin server address.
`second_hostname`	String \| Requires: `second_hostname_enabled` is `true` Specifies the origin server's hostname, IPv4 address, or IPv6 address. Edge servers retrieve your content from this origin server.
`mslorigin`	String \| Requires: `origin_type` is `MEDIA_SERVICE_LIVE` This specifies the media's origin server.
`saas_type`	Enum \| Requires: `origin_type` is `SAAS_DYNAMIC_ORIGIN` Specifies the part of the request that identifies this SaaS dynamic origin. Value is one of: `COOKIE` `HOSTNAME` `PATH` `QUERY_STRING`
`saas_cname_enabled`	Boolean \| Requires: `saas_type` is `HOSTNAME` Enabling this allows you to use a CNAME chain to determine the hostname for this SaaS dynamic origin.
`saas_cname_level`	Number \| Requires: `saas_cname_enabled` is `true` Specifies the desired number of hostnames to use in the CNAME chain, starting backwards from the edge server.
`saas_cookie`	String \| Requires: `saas_type` is `COOKIE` Specifies the name of the cookie that identifies this SaaS dynamic origin.
`saas_query_string`	String \| Requires: `saas_type` is `QUERY_STRING` Specifies the name of the query parameter that identifies this SaaS dynamic origin.
`saas_regex`	String \| Requires: `origin_type` is `DYNAMIC_ORIGIN` Specifies the Perl-compatible regular expression match that identifies this SaaS dynamic origin.
`saas_replace`	String \| Requires: `origin_type` is `SAAS_DYNAMIC_ORIGIN` Specifies replacement text for what `saas_regex` matches.
`saas_suffix`	String \| Requires: `origin_type` is `SAAS_DYNAMIC_ORIGIN` Specifies the static part of the SaaS dynamic origin.
`forward_host_header`	Enum \| Requires Requires `origin_type` is one of: `SAAS_DYNAMIC_ORIGIN` `CUSTOMER` Specifies which `Host` header to pass to the origin. Value is one of: `REQUEST_HOST_HEADER`. Passes the original request's header. `ORIGIN_HOSTNAME`. Passes the current origin's `HOSTNAME`. `CUSTOM`. Passes the value of `custom_forward_host_header`. Use this option if you want requests handled by different properties to converge on the same cached object.
`custom_forward_host_header`	String \| Requires: `forward_host_header` is `CUSTOM` Specifies the name of the custom host header the edge server should pass to the origin.
`cache_key_hostname`	Enum \| Requires Requires `origin_type` is one of: `SAAS_DYNAMIC_ORIGIN` `CUSTOMER` Specifies the hostname to use when forming a cache key. Value is one of: `REQUEST_HOST_HEADER`. Specify when using a virtual server. `ORIGIN_HOSTNAME`. Specify if your origin server's responses do not depend on the hostname.
`ip_version`	Enum \| Requires Requires `origin_type` is one of: `EDGE_LOAD_BALANCING_ORIGIN_GROUP` `CUSTOMER` Specifies which IP version to use when getting content from the origin. Value is one of: `IPV4`. Use IPv4. `DUALSTACK`. Use both versions. `IPV6`. Use IPv6. Note: When using IPv6-Only or Dual Stack and the Origin IP Access Control List feature, add the `origin_ip_acl` behavior to the same rule or a parent rule.
`use_unique_cache_key`	Boolean With a shared `hostname` such as provided by Amazon AWS, sets a unique cache key for your content.
`compress`	Boolean \| Requires Requires `origin_type` is one of: `EDGE_LOAD_BALANCING_ORIGIN_GROUP` `SAAS_DYNAMIC_ORIGIN` `CUSTOMER` Enables gzip compression for non-NetStorage origins.
`enable_true_client_ip`	Boolean \| Requires Requires `origin_type` is one of: `EDGE_LOAD_BALANCING_ORIGIN_GROUP` `SAAS_DYNAMIC_ORIGIN` `CUSTOMER` Sends a custom header the identifying the IP address of the immediate client connecting to the edge server and provides more information than the standard `X-Forward-For` header, which proxies may modify.
`true_client_ip_header`	String \| Requires: `enable_true_client_ip` is `true` This specifies the name of the field that identifies the end client's IP address, for example `True-Client-IP`.
`true_client_ip_client_setting`	Boolean \| Requires: `enable_true_client_ip` is `true` If a client sets the `True-Client-IP` header, the edge server allows it and passes the value to the origin. Otherwise the edge server removes it and sets the value itself.
`verification_mode`	Enum \| Requires Requires `origin_type` is one of: `EDGE_LOAD_BALANCING_ORIGIN_GROUP` `SAAS_DYNAMIC_ORIGIN` `CUSTOMER` For non-NetStorage origins, maximize security by controlling which certificates edge servers should trust. Value is one of: `PLATFORM_SETTINGS`. Trust platform settings. `CUSTOM`. Only applies if the property is marked as secure. See Secure property requirements for guidance. Under some products, you may also need to enable the Secure Delivery - Customer Cert module. See the verification settings in the Origin Server behavior or contact your Akamai representative for details. `THIRD_PARTY`. When your origin server references certain types of third-party hostname.
`origin_sni`	Boolean \| Requires Requires one of: `origin_type` is either `CUSTOMER` or `EDGE_LOAD_BALANCING_ORIGIN_GROUP` `SAAS_DYNAMIC_ORIGIN` and `verification_mode` are set to `PLATFORM_SETTINGS`, `CUSTOM`, or `THIRD_PARTY` For non-NetStorage origins, enabling this adds a Server Name Indication (SNI) header in the SSL request sent to the origin, with the origin hostname as the value. See the verification settings in the Origin Server behavior or contact your Akamai representative for more information. If you want to use TLS version 1.3 in your existing properties, enable this option. New properties have this enabled by default.
`custom_valid_cn_values`	String array \| Requires: `verification_mode` is `CUSTOM` Specifies values to look for in the origin certificate's `Subject Alternate Name` or `Common Name` fields. Specify `{{Origin Hostname}}` and `{{Forward Host Header}}` within the text in the order you want them to be evaluated. Note: These template items are not the same as in-line variables that use the same curly-brace syntax.
`origin_certs_to_honor`	Enum \| Requires: `verification_mode` is `CUSTOM` Specifies which certificate to trust. Value is one of: `COMBO`. May rely on all three other inputs. `STANDARD_CERTIFICATE_AUTHORITIES`. Any certificate signed by an Akamai-managed authority set. `CUSTOM_CERTIFICATE_AUTHORITIES`. Any certificate signed by a custom authority set you manage. `CUSTOM_CERTIFICATES`. Pinned origin server certificates.
`custom_certificate_authorities`	Object array \| Requires Requires `origin_certs_to_honor` is one of: `CUSTOM_CERTIFICATE_AUTHORITIES` `COMBO` Specifies an array of certification objects. See the verification settings in the Origin Server behavior or contact your Akamai representative for details on this object's requirements.
`custom_certificates`	Object array \| Requires Requires `origin_certs_to_honor` is one of: `CUSTOM_CERTIFICATE_AUTHORITIES` `COMBO` Specifies an array of certification objects. See the verification settings in the Origin Server behavior or contact your Akamai representative for details on this object's requirements.
`http_port`	Number \| Requires Requires `origin_type` is one of: `SAAS_DYNAMIC_ORIGIN` `CUSTOMER` Specifies the port on your origin server to which edge servers should connect for HTTP requests, customarily `80`.
`https_port`	Number \| Requires Requires `origin_type` is one of: `SAAS_DYNAMIC_ORIGIN` `CUSTOMER` Specifies the port on your origin server to which edge servers should connect for secure HTTPS requests, customarily `443`. This option only applies if the property is marked as secure. See Secure property requirements for guidance.
`min_tls_version`	Enum \| Requires Requires `origin_type` is one of: `MEDIA_SERVICE_LIVE` `CUSTOMER` Specifies the minimum TLS version to use for connections to your origin server. Value is one of: `DYNAMIC`. Supports all currently public versions of TLS. `TLSV1_1`. Supports TLS version 1.1. `TLSV1_2`. Supports TLS version 1.2. `TLSV1_3`. Supports TLS version 1.3. This behavior supports TLS 1.3 by default.
`max_tls_version`	Enum Specifies the maximum TLS version to use for connections to your origin server. Value is one of: `DYNAMIC`. Supports all currently public versions of TLS. `TLSV1_1`. Supports TLS version 1.1. `TLSV1_2`. Supports TLS version 1.2. `TLSV1_3`. Supports TLS version 1.3. This behavior supports TLS 1.3 by default. Note: Use `DYNAMIC` to automatically apply the latest supported version.

Updated about 1 hour ago