How to Restrict CDN Traffic to Your Origin Server

As a CDN, we need to fetch content from your origin server if you’re using a pull zone. Each POP fetches the content individually on the first request it receives. Customers often want to control who’s accessing the origin server. Our “X-Pull” feature lets you precisely control the requests to your origin server.

There are various situations where you want to restrict access to your origin server. Some of the reasons could be:

  • You want to rate limit bandwidth on your origin server
  • You want to make sure everyone is using the CDN for better performance and not linking traffic to your server directly
  • You want to create custom logic on your origin server

There are different ways to restrict CDN traffic. Using the “X-Pull” feature is the easiest.

Why IP Whitelisting Doesn’t Work

Most people think of IP whitelisting when it comes to allowing traffic from certain locations. This works fine for particular locations that won’t change over time. As a CDN, we deploy new servers almost on a daily basis, which would make it very cumbersome for you to keep the list of IPs up to date. That’s why we offer the “X-Pull” feature: the IP address no longer matters, it’s all about the HTTP header.

How to Restrict CDN Traffic With the Feature “X-Pull”

There are a few simple steps needed to restrict CDN traffic.

1. Define your own key in the dashboard.

Each HTTP request to your origin server will now contain the key in the HTTP header “X-Pull”.

How to verify KeyCDN sends the X-Pull header field?

Simply use tcpdump on your origin server to observe the “X-Pull” header:

tcpdump -s 1024 -l -A dst example.com

2. Allow requests on your origin server with the key in the header X-Pull.

You need to make sure that your origin server allows requests with the right key in the header X-Pull.

X-Pull on Apache2

Ensure that the snippet below is added at the top of your .htaccess file, otherwise it may not work.

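        RewriteEngine on
        # Forbid .php/.html requests whose X-Pull header is not exactly the key
        # (a missing header is an empty string, so it is forbidden as well)
        RewriteCond %{HTTP:X-Pull} !=Your_secret_key
        RewriteRule \.(php|html)$ - [F,NC]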

X-Pull on Nginx

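        location ~ (\.php|\.html) {
                # Reject requests whose X-Pull header is not exactly the key
                # (a missing header is an empty string, so it is rejected too)
                if ($http_x_pull != "Your_secret_key") {
                        return 405;
                }
        }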
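
One of the reasons listed above is custom logic on the origin server. The same X-Pull check as a Python WSGI middleware, as an added example that is not KeyCDN's code: the names XPullGate, x_pull_allowed and demo_status are hypothetical, Your_secret_key is the page's placeholder, and the requests are constructed.

```python
import hmac

# Assumption: the key defined in the dashboard (placeholder from the page).
X_PULL_KEY = "Your_secret_key"
# Assumption: the same file types the Apache and Nginx rules above cover.
PROTECTED_SUFFIXES = (".php", ".html")


def x_pull_allowed(environ, key=X_PULL_KEY):
    """Return True if this request may reach the origin application."""
    path = environ.get("PATH_INFO", "")
    if not path.lower().endswith(PROTECTED_SUFFIXES):
        return True  # outside the protected file types
    supplied = environ.get("HTTP_X_PULL")  # WSGI name of the X-Pull header
    if supplied is None:
        return False  # direct request that did not come through the CDN
    # Whole-value, case-sensitive, constant-time comparison. A substring or
    # case-insensitive regex match would also accept "xxYour_secret_keyxx".
    return hmac.compare_digest(supplied.encode(), key.encode())


class XPullGate:
    """WSGI middleware: answer 403 unless x_pull_allowed() passes."""

    def __init__(self, app, key=X_PULL_KEY):
        self.app = app
        self.key = key

    def __call__(self, environ, start_response):
        if x_pull_allowed(environ, self.key):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden\n"]


def demo_status(path, header=None):
    """Run one constructed request through the gate and return its status."""
    def origin(environ, start_response):  # stand-in for the real site
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"origin content\n"]

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if header is not None:
        environ["HTTP_X_PULL"] = header
    seen = []
    list(XPullGate(origin)(environ, lambda status, headers: seen.append(status)))
    return seen[0]
```

Treat the key as a shared secret: any client that learns it can send the same header.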

It only takes these simple steps and you’re all set!

How to Restrict CDN Traffic to Your Origin Server was last modified: April 25th, 2016 by Jonas Krummenacher
  • mickylmartin

    In #2 direction, you say “allow requests”. But in the code what you are doing is denying requests.

    • Hey Micky, it depends which way you look at it, but in fact if you add the above code to your origin server you are allowing requests from the CDN to your origin via the X-Pull Header.

      • mickylmartin

        Cody, would you explain please?
        Both “F” in RewriteRule and “405” in Nginx configuration, mean “Forbidden”.

        • Hi Micky, the web server will return a forbidden error if the X-Pull header’s Key set in the KeyCDN dashboard does not match up to what is set on the origin server. We have implemented a similar rule on the KeyCDN website to restrict access to https://cdn.keycdn.com/ by returning a 405.

  • I don’t understand

  • This is causing errors on our website. We use nginx with PFM... and it just restricts all our access. The CDN is only used for images, stylesheets and JavaScript files.