EdgeNext
Documentation home

EdgeNext Documentation

Product guides, setup instructions, and technical references.

Security CDN

Visitor Authentication

Visitor Authentication enables client identity verification and access control via specified HTTP request headers. SCDN edge nodes judge access permissions based on configured header fields and values, implementing a non-intrusive, flexible, and lightweight visitor authentication mechanism.

Integration Guide

  1. When initiating a request, the client must include the custom request header X-SCDN-Req-Token, whose value is the generated authentication token.

    Upon receiving the request, the edge node validates the value of X-SCDN-Req-Token.

    • If validation succeeds, the request is processed normally.
    • If validation fails, the request is rejected and an HTTP 464 response is returned.

    访客鉴权6.png

  2. Authentication Algorithm

    Field Description Example
    Timestamp Authentication expiration time in Unix timestamp (decimal). A clock skew of up to ±1 hour is allowed. 1581577282
    NONCE A random string. A unique value is recommended for each request. Zod2Lhy2nLj8
    AUTH_TOKEN Authentication secret automatically generated when Visitor Authentication is enabled. 1964c708b9f1231c96b3aa0db0d6772e
    URL The complete request URL, including query parameters. http://www.demo.com/token?auth=1

Concatenate Timestamp, NONCE, AUTH_TOKEN, and URL in the following order, and calculate the MD5 hash of the concatenated string. The resulting MD5 value must be in lowercase.

token = md5(Timestamp + NONCE + AUTH_TOKEN + URL)

Example:

token = md5(
1581577282
Zod2Lhy2nLj8
1964c708b9f1231c96b3aa0db0d6772e
http://www.demo.com/token?auth=1
)

Generated MD5:

fc7f02dc369206905f9a41a12297a783

Then concatenate Timestamp, NONCE, and MD5 using the pipe character (|) and assign the result to the X-SCDN-Req-Token request header.

Timestamp|NONCE|MD5

Example:

X-SCDN-Req-Token:
1581577282|Zod2Lhy2nLj8|fc7f02dc369206905f9a41a12297a783
  1. Sending an Authenticated Request

Include the X-SCDN-Req-Token request header when sending the request.

curl -v -o /dev/null
"http://www.demo.com/token?auth=1"
-H "X-SCDN-Req-Token: 1581577282|Zod2Lhy2nLj8|fc7f02dc369206905f9a41a12297a783"


WebSocket Notes

  1. Visitor Authentication applies only to the WebSocket Upgrade HTTP request. Once the WebSocket connection has been successfully established, subsequent WebSocket data frames are not authenticated.

  2. When calculating the authentication MD5 for a WebSocket request, the URL used in the calculation must use the HTTP or HTTPS scheme, not the WS or WSS scheme.

  3. Specifically:

    For a ws:// request, use the corresponding http:// URL when calculating the MD5.
    For a wss:// request, use the corresponding https:// URL.

    For example, if the original WebSocket URL is:

    wss://ws.example.com/?arg1=value1

    the URL used for MD5 calculation should be:

    https://ws.example.com/?arg1=value1

    Example Description
    Incorrect MD5=md5(1581577282Zod2Lhy2nLj81964c708b9f1231c96b3aa0db0d6772ewss://ws.example.com/?arg1=value1) 
    Correct MD5=md5(1581577282Zod2Lhy2nLj81964c708b9f1231c96b3aa0db0d6772ehttps://ws.example.com/?arg1=value1)

Notes

  • The client must support custom HTTP request headers to use this feature. Before integration, verify that your client application can send the X-SCDN-Req-Token header. Native browser WebSocket APIs do not support custom request headers.
  • Once Visitor Authentication is enabled, all requests to the protected domain must pass authentication. Requests that fail authentication will be rejected. Thorough integration testing is strongly recommended before enabling this feature in production.
  • Visitor Authentication is recommended for API and mobile application (App) scenarios.

Configuration Guide

  1. Log in to the Security CDN Console.

  2. In the left navigation pane, go to Security > Web Security.

    访客鉴权1.png

  3. Switch to either the Domain-level Security Policy or the Template-Based Security Policy tab.

  4. Click Policy Management to enter the corresponding configuration page.

    访客鉴权2.png

  5. Scroll down to DDoS Protection > Visitor Authentication module.

    访客鉴权3.png

  6. In the top-right dropdown menu, select ON/OFF. The feature is OFF by default.

  7. Click Access Help to open a step-by-step integration and debugging panel.

    • If the programmatically generated token matches the one from the tool, integration is successful.

    访客鉴权4.png

  8. If you want further security inspection after authentication, enable "Continue the perform security checks".

    访客鉴权5.png

  9. Click OK to apply the configuration to the Global Security Policy.

Need help? Contact our support team at support@edgenext.com.

Back to documentation home