Applying a secure token to each CDN link reduces hotlinking (leeching) and gives you tighter control over access to your CDN resources: every link stops working once the expiry time embedded in it has passed.
This article will serve as a walkthrough to show how to set up Secure Token in your MaxCDN portal.
Setting Up Secure Token
Enable Secure Token and define your secret in the provided field under the zone's Security settings:
CDN Linker has two files:

- ossdl-cdn-off-linker/wp-cdn-linker.php, which contains the main configuration (settings page) for CDN Linker.
- ossdl-cdn-off-linker/cdn-linker-base.php, which contains all of the rewrite logic.
Add a text box in which the token will be placed and register this option properly:
Open ossdl-cdn-off-linker/wp-cdn-linker.php and add the HTML that displays the label, the text field and a notice. The label's for attribute must match the input's id, and the stored value is passed through esc_attr() before it is echoed into the value attribute:

<label for="ossdl_off_token">SECURE TOKEN</label>
<input type="text" id="ossdl_off_token" name="ossdl_off_token" size="64" value="<?php echo esc_attr(get_option('ossdl_off_token')); ?>" />
<span>USE THIS OPTION ONLY IF YOU HAVE SECURE TOKEN ENABLED</span>

This piece of code will show something like this on the CDN Linker configuration page:
Register the option. Add it to the activate action:

function ossdl_off_activate() {
    add_option('ossdl_off_cdn_url', get_option('siteurl'));
    add_option('ossdl_off_include_dirs', 'wp-content,wp-includes');
    add_option('ossdl_off_exclude', '.php');
    add_option('ossdl_off_rootrelative', '');
    add_option('ossdl_off_www_is_optional', '');
    add_option('ossdl_off_disable_cdnuris_if_https', '1');
    add_option('ossdl_off_token', '');   // secure token secret, empty until set on the settings page
}

Add it to the deactivate action:

function ossdl_off_deactivate() {
    delete_option('ossdl_off_cdn_url');
    delete_option('ossdl_off_include_dirs');
    delete_option('ossdl_off_exclude');
    delete_option('ossdl_off_rootrelative');
    delete_option('ossdl_off_www_is_optional');
    delete_option('ossdl_off_disable_cdnuris_if_https');
    delete_option('ossdl_off_token');
}

Add it to the update action. The nonce check already guards the form against CSRF; sanitize the submitted value before storing it, since it is later echoed back into the settings page and used to compute tokens:

function ossdl_off_options() {
    if (!empty($_POST) && check_admin_referer('save-options', 'ossdl-nonce')) {
        update_option('ossdl_off_cdn_url', $_POST['ossdl_off_cdn_url']);
        update_option('ossdl_off_token', sanitize_text_field($_POST['ossdl_off_token']));
        …
    }
}
Open ossdl-cdn-off-linker/cdn-linker-base.php and create a function that builds the signed path. "sec" is used as the name in this example. The token is the raw MD5 of secret + path + expiry, base64 encoded with the URL-safe alphabet and with the padding stripped; it is appended as st, and the expiry as e, which is what the MaxCDN edge expects on the request:

function sec($rel) {
    $secret = get_option('ossdl_off_token');   // token secret from the settings text field
    $path   = $rel;                            // site-relative path, e.g. /wp-includes/css/foo.css
    $expire = time() + 3600;                   // validity window in seconds (3600 = one hour)
    $md5 = base64_encode(md5($secret . $path . $expire, true));
    $md5 = strtr($md5, '+/', '-_');            // URL-safe base64 alphabet
    $md5 = str_replace('=', '', $md5);         // drop padding
    return "{$path}?st={$md5}&e={$expire}";    // signed path: token plus expiry
}

Adjust 3600 to the validity window you want. Because the expiry is derived from time() on every render, the query string of each asset changes from one page view to the next; keep that in mind when judging browser-side caching of your assets.
Under the function rewrite_single, find:

return str_replace($blog_url, $this->cdn_url->get_for($match[0]), $match[0]);

Replace it with the following. If the ossdl_off_token option is set (the text field contains a token value), strip the blog URL to obtain the site-relative path, pass it to the sec function to compose the signed path, and prepend the CDN URL. If ossdl_off_token is empty (token not set), simply rewrite the URL to the predefined CDN URL as before:

if (get_option('ossdl_off_token') != "") {
    $abs = str_replace($blog_url, '', $match[0]);          // site-relative path of the asset
    return $this->cdn_url->get_for($match[0]) . sec($abs); // CDN URL + signed path
} else {
    return str_replace($blog_url, $this->cdn_url->get_for($match[0]), $match[0]);
}
Resulting source code portion:

<link rel='stylesheet' id='dashicons-css' href='http://foo.bar.netdna-cdn.com/wp-includes/css/dashicons.min.css?st=RiIb3samLXPHiuMd30U_Dw&e=1398811628' type='text/css' media='all' />
<link rel='stylesheet' id='admin-bar-css' href='http://foo.bar.netdna-cdn.com/wp-includes/css/admin-bar.min.css?st=RoOgowtm2Fjyxa8yhfzfsQ&e=1398811628' type='text/css' media='all' />
<link rel='stylesheet' id='genericons-css' href='http://foo.bar.netdna-cdn.com/wp-content/themes/twentyfourteen/genericons/genericons.css?st=IJBVawC0fuzC9cSov2FMjA&e=1398811628' type='text/css' media='all' />
<link rel='stylesheet' id='twentyfourteen-style-css' href='http://foo.bar.netdna-cdn.com/wp-content/themes/twentyfourteen/style.css?st=9P2LcL8cBUz7JbZiBiwslg&e=1398811628' type='text/css' media='all' />
Comparison
Let's see how the response looks in both cases, with and without a Secure Token, to confirm that leeching is no longer possible. A link whose e value lies in the past is rejected in the same way as a link without a token.
- With a valid token query string:

curl -I "http://foo.bar.netdna-cdn.com/wp-content/themes/twentyfourteen/genericons/genericons.css?st=IJBVawC0fuzC9cSov2FMjA&e=1398811628"
HTTP/1.1 200 OK
Date: Tue, 29 Apr 2014 21:51:29 GMT
Content-Type: text/css
Content-Length: 22680
Connection: keep-alive
Last-Modified: Tue, 12 Nov 2013 18:38:10 GMT
Pragma: public
Cache-Control: public, must-revalidate, proxy-revalidate
Cache-Control: public, max-age=604800
Expires: Tue, 06 May 2014 21:51:26 GMT
Server: NetDNA-cache/2.2
X-Cache: HIT
Accept-Ranges: bytes

- Without a token:

curl -I http://foo.bar.netdna-cdn.com/wp-content/themes/twentyfourteen/genericons/genericons.css
HTTP/1.1 403 Forbidden
Date: Tue, 29 Apr 2014 21:53:49 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Server: NetDNA-cache/2.2
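To make both sides of this exchange concrete, the following is an added, stand-alone Python model of the scheme. It is not part of this article, of CDN Linker, or of MaxCDN's own code. sign_path() produces the same signed URL that sec() and the rewrite_single change above produce for a site-relative path, and verify_url() models the decision the edge makes before answering 200 or 403. The secret, the CDN host and the TTL are constructed sample values, and verify_url() is an assumed model of the edge check (reject when e has passed or when st does not match the path and expiry), not MaxCDN's implementation.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample values (assumptions for this example, not real credentials).
SECRET = "example-zone-secret"               # the value typed into the Secure Token field
CDN_HOST = "http://foo.bar.netdna-cdn.com"   # the zone's CDN URL, as in the output above
TTL_SECONDS = 3600                           # same window as sec(): time() + 3600


def secure_token(secret: str, path: str, expire: int) -> str:
    """Token as sec() builds it: raw MD5 over secret + path + expiry, base64
    with the URL-safe alphabet, '=' padding stripped (always 22 characters)."""
    digest = hashlib.md5(f"{secret}{path}{expire}".encode()).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_path(path: str, secret: str = SECRET, now: Optional[int] = None,
              ttl: int = TTL_SECONDS) -> str:
    """Return the CDN URL for a site-relative path with st= and e= appended,
    i.e. what cdn_url . sec($abs) yields in the rewrite_single change."""
    if not path.startswith("/"):
        raise ValueError("path must be site-relative, e.g. /wp-includes/css/foo.css")
    current = int(time.time()) if now is None else now
    expire = current + ttl
    return f"{CDN_HOST}{path}?st={secure_token(secret, path, expire)}&e={expire}"


def verify_url(url: str, secret: str = SECRET, now: Optional[int] = None) -> bool:
    """Assumed model of the edge check: serve (True) only if both query
    parameters are present, the expiry is still in the future and the
    presented token equals the one recomputed for this path and expiry.
    Every other case is the 403 shown in the curl comparison."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expire = int(query["e"][0])
        presented = query["st"][0]
    except (KeyError, ValueError):
        return False                         # no usable token on the link: leeched URL
    current = int(time.time()) if now is None else now
    if current >= expire:
        return False                         # link has timed out
    expected = secure_token(secret, parts.path, expire)
    return hmac.compare_digest(presented, expected)   # constant-time comparison


if __name__ == "__main__":
    signed = sign_path("/wp-content/themes/twentyfourteen/genericons/genericons.css")
    print(signed)
    print("signed link accepted:", verify_url(signed))
    print("bare link accepted:  ", verify_url(signed.split("?")[0]))
```

The token is keyed only by prefixing the secret to the hashed string, so the secret must stay on the origin (in the WordPress option) and never appear in page source or client-side code; the tokens in the page source commit to one path and one expiry each, so copying a link gives a leecher access to that one asset until e passes and nothing more.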
To ensure you implemented MaxCDN correctly, view the source code of any page and confirm that the CDN domain, with the st and e parameters appended, is being used for static assets instead of your origin domain. You can also use tools such as Pingdom or WebPageTest, which give more detailed reports on the status of your CDN implementation.
If you have any questions about the content of this article, please feel free to reach out to the Support Team for assistance, we're available 24/7 for your convenience.