Origin Shield – Extra CDN Caching Layer

KeyCDN is excited to provide the Origin Shield feature for free to all customers. This extra caching layer reduces the load on your origin server and accelerates the distribution of your content from the origin server to our edge servers. The shield servers are highly redundant and automatically select the optimal location using our geolocation technology.

How Does Origin Shield work?

When a client requests content from your website that has never been cached by any of KeyCDN’s edge servers and Origin Shield is enabled, requests to your origin server don’t come from our growing number of edge servers but are instead filtered through selected shield servers.

With Origin Shield enabled, when the first request for content arrives at our edge server and that edge server does not have the content cached, it passes the request along to our shield server, which also doesn’t have the content cached. The shield server passes the request along to your origin server. The shield server caches the content that it has retrieved from your origin server and passes it along to our edge server. Finally, our edge server passes the content along to the client.

Subsequent requests for the same content that arrive at the same edge server are served out of that edge server’s cache, so no request goes to the shield servers or to your origin server.

If another request arrives at a different edge server, however, that request is passed along to the shield server. That shield server already has a cached copy from the first request, which originated from the first edge server. No future requests for the content are passed along to your origin server until the shield servers’ cached content expires or you purge the cache for your zone. The edge and shield servers honor the settings you have defined for your pull zone (incl. MaxExpire, strip cookies, etc.).

The shield servers make use of collapsed forwarding to merge multiple requests for the same URL into a single request to your origin server. Keep-alives avoid excessive TCP handshakes to your origin server.
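
The request flow and collapsed forwarding described above, modelled as an added example (not KeyCDN's code): several edge servers each receive a first request for the same URL at the same moment, and the function counts how many requests reach the origin with and without a shield tier. The class names, the URL and the 50 ms origin latency are constructed for illustration.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class Origin:
    """Stand-in for the customer's origin server; counts every request it receives."""
    def __init__(self):
        self.hits = 0
        self._lock = threading.Lock()

    def fetch(self, url):
        with self._lock:
            self.hits += 1
        time.sleep(0.05)  # constructed latency so concurrent requests overlap
        return f"body of {url}"

class CacheTier:
    """An edge or shield cache that pulls misses from `upstream`."""
    def __init__(self, upstream, collapse=False):
        self.upstream, self.collapse = upstream, collapse
        self.store, self.requests = {}, 0
        self._guard = threading.Lock()
        self._per_url = {}  # url -> lock serialising fetches of that URL

    def fetch(self, url):
        with self._guard:
            self.requests += 1
            url_lock = self._per_url.setdefault(url, threading.Lock())
        if not self.collapse:
            return self._lookup(url)
        with url_lock:  # collapsed forwarding: followers wait, then hit the cache
            return self._lookup(url)

    def _lookup(self, url):
        if url not in self.store:
            self.store[url] = self.upstream.fetch(url)
        return self.store[url]

def simulate(edge_count, use_shield, url="/img/logo.png"):
    """Return (origin hits after cold burst, origin hits after repeat, shield requests)."""
    origin = Origin()
    shield = CacheTier(origin, collapse=True) if use_shield else None
    edges = [CacheTier(shield if use_shield else origin) for _ in range(edge_count)]
    with ThreadPoolExecutor(edge_count) as pool:  # one first request per edge, all at once
        list(pool.map(lambda edge: edge.fetch(url), edges))
    cold = origin.hits
    for edge in edges:  # repeat requests are answered from each edge's own cache
        edge.fetch(url)
    return cold, origin.hits, shield.requests if shield else 0
```

Calling `simulate(8, True)` and `simulate(8, False)` compares the two setups: behind the shield the cold burst costs the origin a single request, while without it every edge goes to the origin once.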

Where are the Shield Servers Located?

The shield servers are highly redundant and scalable clusters that are positioned in the following locations:

  • United States, East Coast
  • United States, West Coast
  • Netherlands, Amsterdam
  • Asia, Singapore

Our geolocation technology (based on IP anycast, geo IP detection with EDNS client subnet support and latency based probing) automatically selects the optimal location for every request.

How to Enable Origin Shield?

Simply activate the feature by enabling Origin Shield for your pull zones in the KeyCDN dashboard. Once you’ve enabled this feature and saved your zone’s settings, ensure that you purge your entire zone. Similarly, if you disable Origin Shield, also ensure that your entire zone is purged once the change is made.

With Origin Shield enabled, there will be an additional HTTP response header for all static assets delivered via the CDN. The new response header is called X-Shield: active.

Origin Shield is a great feature to reduce the traffic on your origin server to an absolute minimum and protect your infrastructure from abuse or traffic spikes. Recovery of the edge caches after clearing the zone cache will be smoother as well.

6 Comments

  1. Alex Lindgren

    The x-cache header informs one if the edge server had the resource in cache, but is there a way to tell if a MISS came from the Origin Shield server?

    1. Sven

      The x-cache header only tells you about the state of the actual edge system it was delivered from, which means there is no insight if that came from a shield system.

  2. mcrummey

    Does a zone purge invalidate the Origin shield cache? Should I expect to see the changes I made in origin immediately after a purge completes?
