Version: v2025-01-13
Includes use: Yes

Behavior name: Origin Server

Specify the hostname and settings used to contact the origin once service begins. You can use your own origin, NetStorage, an Edge Load Balancing origin, or a SaaS dynamic origin.

Default behavior

These samples reflect the behavior's default settings. You can use these as is in your configurations or make adjustments based on the behavior's available options.

data "akamai_property_rules_builder" "origin" {
  rules_v2025_02_18 {
    name     = "Origin Server"
    comments = "Specifies the hostname and settings used to contact the origin once service begins."
    behavior {
      origin {
        min_tls_version               = "DYNAMIC"
        enable_true_client_ip         = true
        compress                      = true
        true_client_ip_header         = "True-Client-IP"
        verification_mode             = "PLATFORM_SETTINGS"
        origin_sni                    = true
        true_client_ip_client_setting = false
        hostname                      = ""
        http_port                     = 80
        cache_key_hostname            = "ORIGIN_HOSTNAME"
        forward_host_header           = "REQUEST_HOST_HEADER"
        https_port                    = 443
        ip_version                    = "IPV4"
        origin_type                   = "CUSTOMER"
      }
    }
  }
}

"behaviors": [
  {
    "name": "origin",
    "options": {
      "minTlsVersion": "DYNAMIC",
      "enableTrueClientIp": true,
      "compress": true,
      "trueClientIpHeader": "True-Client-IP",
      "verificationMode": "PLATFORM_SETTINGS",
      "originSni": true,
      "trueClientIpClientSetting": false,
      "hostname": "",
      "httpPort": 80,
      "cacheKeyHostname": "ORIGIN_HOSTNAME",
      "forwardHostHeader": "REQUEST_HOST_HEADER",
      "httpsPort": 443,
      "ipVersion": "IPV4",
      "originType": "CUSTOMER"
    }
  }
]

Options

Option Description
origin_type
Choose where your content is retrieved from. Value is one of:
  • CUSTOMER. From your own server.
  • NET_STORAGE. From your NetStorage account. This option is most appropriate for static content.
  • MEDIA_SERVICE_LIVE. From a Media Services Live origin.
  • EDGE_LOAD_BALANCING_ORIGIN_GROUP. From any available Edge Load Balancing origin.
  • SAAS_DYNAMIC_ORIGIN. From a SaaS dynamic origin if SaaS acceleration is available on your contract.
net_storage
Specifies the details of the NetStorage server. Contains:
  • cpCode. Identifies a CP code assigned to this storage group.
  • downloadDomainName. Domain name from which content can be downloaded.
  • g2oToken. Signature Header Authentication key.
  • id. Unique identifier for the storage group.
  • name. Name of the storage group.
origin_id
Identifies the Edge Load Balancing origin. This needs to correspond to an edge_load_balancing_origin behavior's id attribute within the same property.
hostname
Specifies the hostname or IPv4 address of your origin server, from which edge servers can retrieve your content.
second_hostname_enabled
Available only for certain products. This specifies whether you want to use an additional origin server address.
second_hostname
Specifies the origin server's hostname, IPv4 address, or IPv6 address. Edge servers retrieve your content from this origin server.
mslorigin
This specifies the media's origin server.
saas_type
Specifies the part of the request that identifies this SaaS dynamic origin. Value is one of:
  • COOKIE
  • HOSTNAME
  • PATH
  • QUERY_STRING
saas_cname_enabled
Enabling this allows you to use a CNAME chain to determine the hostname for this SaaS dynamic origin.
saas_cname_level
Specifies the desired number of hostnames to use in the CNAME chain, starting backwards from the edge server.
saas_cookie
Specifies the name of the cookie that identifies this SaaS dynamic origin.
saas_query_string
Specifies the name of the query parameter that identifies this SaaS dynamic origin.
saas_regex
Specifies the Perl-compatible regular expression match that identifies this SaaS dynamic origin.
saas_replace
Specifies replacement text for what saas_regex matches.
saas_suffix
Specifies the static part of the SaaS dynamic origin.
forward_host_header
Specifies which Host header to pass to the origin. Value is one of:
  • REQUEST_HOST_HEADER. Passes the original request's header.
  • ORIGIN_HOSTNAME. Passes the current origin's HOSTNAME.
  • CUSTOM. Passes the value of custom_forward_host_header. Use this option if you want requests handled by different properties to converge on the same cached object.
custom_forward_host_header
Specifies the name of the custom host header the edge server should pass to the origin.
cache_key_hostname
Specifies the hostname to use when forming a cache key. Value is one of:
  • REQUEST_HOST_HEADER. Specify when using a virtual server.
  • ORIGIN_HOSTNAME. Specify if your origin server's responses do not depend on the hostname.
ip_version
Specifies which IP version to use when getting content from the origin. Value is one of:
  • IPV4. Use IPv4.
  • DUALSTACK. Use both versions.
  • IPV6. Use IPv6.
Note: When using IPv6-Only or Dual Stack and the Origin IP Access Control List feature, add the origin_ip_acl behavior to the same rule or a parent rule.
use_unique_cache_key
With a shared hostname such as provided by Amazon AWS, sets a unique cache key for your content.
compress
Enables gzip compression for non-NetStorage origins.
enable_true_client_ip
Sends a custom header identifying the IP address of the immediate client connecting to the edge server. It provides more information than the standard X-Forwarded-For header, which proxies may modify.
true_client_ip_header
This specifies the name of the field that identifies the end client's IP address, for example True-Client-IP.
true_client_ip_client_setting
When enabled, a True-Client-IP header set by the client is allowed and its value is passed to the origin. Otherwise the edge server removes it and sets the value itself.
verification_mode
For non-NetStorage origins, maximize security by controlling which certificates edge servers should trust. Value is one of:
  • PLATFORM_SETTINGS. Trust platform settings.
  • CUSTOM. Only applies if the property is marked as secure. See Secure property requirements for guidance. Under some products, you may also need to enable the Secure Delivery - Customer Cert module. See the verification settings in the Origin Server behavior or contact your Akamai representative for details.
  • THIRD_PARTY. When your origin server references certain types of third-party hostname.
origin_sni
For non-NetStorage origins, enabling this adds a Server Name Indication (SNI) header in the SSL request sent to the origin, with the origin hostname as the value. See the verification settings in the Origin Server behavior or contact your Akamai representative for more information. If you want to use TLS version 1.3 in your existing properties, enable this option. New properties have this enabled by default.
custom_valid_cn_values
Specifies values to look for in the origin certificate's Subject Alternative Name or Common Name fields. Specify {{Origin Hostname}} and {{Forward Host Header}} within the text in the order you want them to be evaluated.

Note: These template items are not the same as in-line variables that use the same curly-brace syntax.
origin_certs_to_honor
Specifies which certificate to trust. Value is one of:
  • COMBO. May rely on all three other inputs.
  • STANDARD_CERTIFICATE_AUTHORITIES. Any certificate signed by an Akamai-managed authority set.
  • CUSTOM_CERTIFICATE_AUTHORITIES. Any certificate signed by a custom authority set you manage.
  • CUSTOM_CERTIFICATES. Pinned origin server certificates.
custom_certificate_authorities
Specifies an array of certification objects. See the verification settings in the Origin Server behavior or contact your Akamai representative for details on this object's requirements.
custom_certificates
Specifies an array of certification objects. See the verification settings in the Origin Server behavior or contact your Akamai representative for details on this object's requirements.
http_port
Specifies the port on your origin server to which edge servers should connect for HTTP requests, customarily 80.
https_port
Specifies the port on your origin server to which edge servers should connect for secure HTTPS requests, customarily 443. This option only applies if the property is marked as secure. See Secure property requirements for guidance.
min_tls_version
Specifies the minimum TLS version to use for connections to your origin server. Value is one of:
  • DYNAMIC. Supports all currently public versions of TLS.
  • TLSV1_1. Supports TLS version 1.1.
  • TLSV1_2. Supports TLS version 1.2.
  • TLSV1_3. Supports TLS version 1.3. This behavior supports TLS 1.3 by default.
max_tls_version
Specifies the maximum TLS version to use for connections to your origin server. Value is one of:
  • DYNAMIC. Supports all currently public versions of TLS.
  • TLSV1_1. Supports TLS version 1.1.
  • TLSV1_2. Supports TLS version 1.2.
  • TLSV1_3. Supports TLS version 1.3. This behavior supports TLS 1.3 by default.
Note: Use DYNAMIC to automatically apply the latest supported version.
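The following audit script is an added example, not part of the Akamai documentation or provider. It walks a rule tree in the JSON form shown above and reports origin behaviors whose options weaken the edge-to-origin connection or let clients supply the True-Client-IP value. The nested `children` layout, the TLS 1.2 floor, and the sample hostnames are assumptions.

```python
import json

# Constructed sample rule tree (not from the page); option names are the
# JSON keys shown in the page's default-behavior sample.
SAMPLE_TREE = json.loads("""
{"name": "default",
 "behaviors": [{"name": "origin", "options": {
     "originType": "CUSTOMER", "hostname": "origin.example.com",
     "minTlsVersion": "DYNAMIC", "originSni": true,
     "verificationMode": "PLATFORM_SETTINGS",
     "trueClientIpClientSetting": false}}],
 "children": [{"name": "legacy-api",
   "behaviors": [{"name": "origin", "options": {
     "originType": "CUSTOMER", "hostname": "legacy.example.com",
     "minTlsVersion": "TLSV1_1", "originSni": false,
     "enableTrueClientIp": true,
     "trueClientIpClientSetting": true}}],
   "children": []}]}
""")

WEAK_TLS = {"TLSV1_1"}  # assumed local policy: require TLS 1.2 or later

def check_origin(opts):
    """Return findings for one origin behavior's options dict."""
    findings = []
    if opts.get("minTlsVersion") in WEAK_TLS:
        findings.append("minTlsVersion permits TLS 1.1")
    if opts.get("maxTlsVersion") in WEAK_TLS:
        findings.append("maxTlsVersion caps origin TLS at 1.1")
    # originSni is documented for non-NetStorage origins only
    if opts.get("originType") != "NET_STORAGE" and opts.get("originSni") is False:
        findings.append("originSni disabled (needed for TLS 1.3)")
    if opts.get("enableTrueClientIp") and opts.get("trueClientIpClientSetting"):
        header = opts.get("trueClientIpHeader", "True-Client-IP")
        findings.append(f"client-supplied {header} is passed to origin")
    return findings

def audit(rule, path=""):
    """Walk a rule and its children; return (rule path, finding) pairs."""
    here = f"{path}/{rule.get('name', '?')}"
    out = [(here, f) for b in rule.get("behaviors", [])
           if b.get("name") == "origin"
           for f in check_origin(b.get("options", {}))]
    for child in rule.get("children", []):
        out.extend(audit(child, here))
    return out

if __name__ == "__main__":
    for where, finding in audit(SAMPLE_TREE):
        print(f"{where}: {finding}")
```

An origin that logs or authorizes on True-Client-IP should treat the last finding as the most urgent, since the header value then originates from the client rather than the edge server.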