Important note

The EdgeRules feature is available only on Enterprise plans.

  1. Background

    If you have a system that requires cookies in order to perform or prevent certain operations, you can use the $http_cookie variable to check the content of the cookie sent with a request.

    The following scenario shows how to prevent the CDN from serving certain content when a cookie’s value does not match. As shown below, the cookie sid=ab10d438 is defined as valid, so any request for CSS and JS files that sends a different value will result in a “403 forbidden” HTTP message.

    Essentially, we use cookie values to set the access handler: a request whose cookie value is not valid is denied access to the resource by being redirected to a “forbidden location”, defined here as http://domain.com/403.html.

  2. Curl With Valid Cookie In Request

          curl -I http://foo.bar.netdna-cdn.com/example.css -b "sid=ab10d438"
          HTTP/1.1 200 OK
          Date: Sun, 26 Jan 2014 02:01:56 GMT
          Content-Type: text/css
          Connection: keep-alive
          Last-Modified: Fri, 13 Dec 2013 13:39:59 GMT
          Expires: Mon, 26 Jan 2015 02:01:54 GMT
          Cache-Control: public, max-age=31536000
          Pragma: public
          Server: NetDNA-cache/2.2
          X-Cache: HIT
          
  3. Curl With Invalid Cookie In Request

          curl -I http://foo.bar.netdna-cdn.com/example.css -b "sid=invalid_value"
          HTTP/1.1 301 Moved Permanently
          Date: Sun, 26 Jan 2014 01:50:30 GMT
          Content-Type: text/html
          Content-Length: 185
          Connection: keep-alive
          Location: http://domain.com/403.html
          Server: NetDNA-cache/2.2
          
  4. Regular Expression Visualization
  5. Resulting Nginx Configuration Block

          location ~ \.(css|js)$ {
                    set $no_cache_ 0;
                    # $http_cookie holds the entire Cookie request header, compared as one string
                    if ($http_cookie != 'sid=ab10d438') {
                              set $no_cache_ 1;
                    }
          }
          
  6. Playground

    Different requirements call for different setups. To show the flexibility of these rules, we can distinguish a development environment from production by forwarding requests whose cookie is state=debug to the origin location, keeping CDN resources for production requests only.

  7. Curl Showing Response To Request Without Cookie

          curl -I http://foo.bar.netdna-cdn.com/image.svg
          HTTP/1.1 200 OK
          Date: Sun, 26 Jan 2014 18:26:29 GMT
          Content-Type: image/svg+xml
          Content-Length: 9838
          Connection: keep-alive
          Last-Modified: Wed, 11 Sep 2013 22:32:41 GMT
          X-Type: static/known
          Cache-Control: public, max-age=2592000
          Vary: Accept-Encoding
          Access-Control-Allow-Origin: *
          Server: NetDNA-cache/2.2
          X-Cache: HIT
          Accept-Ranges: bytes
          
  8. Curl Showing Response To Request With Cookie Different Than The One We Want To Track

          curl -I http://foo.bar.netdna-cdn.com/image.svg -b "state=live"
          HTTP/1.1 200 OK
          Date: Sun, 26 Jan 2014 18:28:51 GMT
          Content-Type: image/svg+xml
          Content-Length: 9838
          Connection: keep-alive
          Last-Modified: Wed, 11 Sep 2013 22:32:41 GMT
          X-Type: static/known
          Cache-Control: public, max-age=2592000
          Vary: Accept-Encoding
          Access-Control-Allow-Origin: *
          Server: NetDNA-cache/2.2
          X-Cache: HIT
          Accept-Ranges: bytes
          
  9. Curl Showing Response To Request With Debug Cookie In Request

          curl -I http://foo.bar.netdna-cdn.com/image.svg -b "state=debug"
          HTTP/1.1 301 Moved Permanently
          Date: Sun, 26 Jan 2014 18:31:43 GMT
          Content-Type: text/html
          Content-Length: 185
          Connection: keep-alive
          Location: http://www.origin.com/wp-content/themes/maxcdnv4/img/svg/top-blurb-lines.svg
          Server: NetDNA-cache/2.2
          
  10. Resulting Nginx Configuration Block

          location / {
                    set $origin_ http://www.origin.com;
                    # Exact match on the entire Cookie header; debug requests are redirected to the origin
                    if ($http_cookie = 'state=debug') {
                              rewrite ^ $origin_$request_uri permanent;
                    }
          }
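
Both rules above compare $http_cookie, which in nginx holds the entire Cookie request header, so a client that sends any additional cookie no longer matches either rule. The Python model below is an added example, not MaxCDN's code: it sets that exact comparison beside a per-cookie comparison, using hypothetical function names and constructed sample headers.

```python
import hmac

def exact_match(cookie_header, expected):
    """Model of nginx `$http_cookie = 'expected'`: the whole header as one string."""
    return (cookie_header or "") == expected

def parse_cookies(cookie_header):
    """Split a Cookie header into {name: value}; the first occurrence of a name wins."""
    jar = {}
    for part in (cookie_header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in jar:
            jar[name] = value
    return jar

def cookie_match(cookie_header, name, expected_value):
    """Compare one named cookie only, in constant time, ignoring its neighbours."""
    got = parse_cookies(cookie_header).get(name, "")
    return hmac.compare_digest(got.encode(), expected_value.encode())

def evaluate(cookie_header):
    """Outcome of both rules from the page under each comparison style."""
    return {
        "sid_exact": exact_match(cookie_header, "sid=ab10d438"),
        "sid_per_cookie": cookie_match(cookie_header, "sid", "ab10d438"),
        "debug_exact": exact_match(cookie_header, "state=debug"),
        "debug_per_cookie": cookie_match(cookie_header, "state", "debug"),
    }

# Constructed sample Cookie headers (not captured traffic).
SAMPLES = [
    "sid=ab10d438",               # the page's valid request
    "sid=ab10d438; _ga=GA1.2.3",  # valid sid plus an unrelated cookie
    "_ga=GA1.2.3; sid=ab10d438",  # same cookies, other order
    "xsid=ab10d438",              # different cookie name, same value
    "sid=invalid_value",          # the page's invalid request
    "state=debug; lang=en",       # debug cookie plus an unrelated cookie
    None,                         # no Cookie header at all
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(repr(header), evaluate(header))
```

In plain nginx the value of a single cookie is available as $cookie_sid (the $cookie_name variable family); whether EdgeRules exposes it is not stated on this page.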