In a situation where a system requires cookies in order to perform or prevent certain operations, the $http_cookie variable can be used to check the content of the Cookie header sent with a request. Note that $http_cookie holds the complete Cookie header exactly as the client sent it, not the value of one named cookie.
The EdgeRules feature is available only on Enterprise plans
In the following scenario we show how to stop the CDN from serving certain content when a cookie's value does not match. The cookie sid=ab10d438 is defined as the only valid value, so any request for CSS and JS files that sends a different value (or no cookie at all) is not served; instead the edge answers with a 301 redirect to a "forbidden" page, as the curl output below shows.
Creating the Rule
Essentially, what we want to do here is use the cookie value as the access handler: when the value is not valid, access to the resource is forbidden by redirecting the request to a "forbidden location", here defined as http://domain.com/403.html. Because the rule compares the whole Cookie header, a request that carries sid=ab10d438 alongside any other cookie also fails the check and is redirected.
Verifying the Rule
Curl With Valid Cookie In Request
curl -I http://foo.bar.netdna-cdn.com/example.css -b "sid=ab10d438"
HTTP/1.1 200 OK
Date: Sun, 26 Jan 2014 02:01:56 GMT
Content-Type: text/css
Connection: keep-alive
Last-Modified: Fri, 13 Dec 2013 13:39:59 GMT
Expires: Mon, 26 Jan 2015 02:01:54 GMT
Cache-Control: public, max-age=31536000
Pragma: public
Server: NetDNA-cache/2.2
X-Cache: HIT
Curl With Invalid Cookie In Request
curl -I http://foo.bar.netdna-cdn.com/example.css -b "sid=invalid_value"
HTTP/1.1 301 Moved Permanently
Date: Sun, 26 Jan 2014 01:50:30 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://domain.com/403.html
Server: NetDNA-cache/2.2
Regular Expression Visualization
Resulting Nginx Configuration Block
location ~ \.(css|js)$ {
    # $http_cookie is the whole Cookie header, so this only passes when
    # "sid=ab10d438" is the sole cookie sent (exact, case-sensitive compare)
    set $no_cache_ 0;
    if ($http_cookie != 'sid=ab10d438') {
        set $no_cache_ 1;
    }
    # The snippet ends here in the original; the 301 to http://domain.com/403.html
    # seen in the curl output above is what the rule applies when $no_cache_ is 1
}
Use-Cases
Different requirements need different setups, so to show the flexibility of these rules we can separate a development environment from production by forwarding requests whose Cookie header is state=debug to the origin, keeping CDN resources for production requests only. The match is an exact, case-sensitive comparison of the whole header, so a request that sends state=live, no cookie, or state=debug together with other cookies is still served from the CDN.
Curl Showing Response To Request Without Cookie
curl -I http://foo.bar.netdna-cdn.com/image.svg
HTTP/1.1 200 OK
Date: Sun, 26 Jan 2014 18:26:29 GMT
Content-Type: image/svg+xml
Content-Length: 9838
Connection: keep-alive
Last-Modified: Wed, 11 Sep 2013 22:32:41 GMT
X-Type: static/known
Cache-Control: public, max-age=2592000
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Server: NetDNA-cache/2.2
X-Cache: HIT
Accept-Ranges: bytes
Curl Showing Response To Request With A Cookie Different From The One We Want To Track
curl -I http://foo.bar.netdna-cdn.com/image.svg -b "state=live"
HTTP/1.1 200 OK
Date: Sun, 26 Jan 2014 18:28:51 GMT
Content-Type: image/svg+xml
Content-Length: 9838
Connection: keep-alive
Last-Modified: Wed, 11 Sep 2013 22:32:41 GMT
X-Type: static/known
Cache-Control: public, max-age=2592000
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Server: NetDNA-cache/2.2
X-Cache: HIT
Accept-Ranges: bytes
Curl Showing Response To Request With Debug Cookie In Request
curl -I http://foo.bar.netdna-cdn.com/image.svg -b "state=debug"
HTTP/1.1 301 Moved Permanently
Date: Sun, 26 Jan 2014 18:31:43 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://www.origin.com/wp-content/themes/maxcdnv4/img/svg/top-blurb-lines.svg
Server: NetDNA-cache/2.2
Resulting Nginx Configuration Block
location / {
    set $origin_ http://www.origin.com;
    # whole Cookie header must be exactly "state=debug"; extra cookies break the match
    if ($http_cookie = 'state=debug') {
        # 301 to the same path on the origin; browsers cache permanent redirects
        rewrite ^ $origin_$request_uri permanent;
    }
}
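To make the whole-header behaviour of both rules on this page (the sid=ab10d438 gate for CSS/JS and the state=debug forward to the origin) concrete, here is an added example that is not MaxCDN/NetDNA code and not generated by EdgeRules. It models nginx's $http_cookie (the raw header, compared as one string) and an assumed alternative built on $cookie_NAME (the value of a single named cookie), then evaluates constructed Cookie headers against each. The css_js_rule_per_cookie variant, the helper cookie_value and every sample header are assumptions for illustration; the redirect targets are the ones shown on the page.

```python
# Added example (not MaxCDN/NetDNA code): evaluate the two EdgeRules from the
# page over constructed Cookie headers, using nginx's variable semantics.
#   $http_cookie  -> the raw Cookie header, compared as a whole string
#   $cookie_NAME  -> the value of one cookie inside that header (assumed variant)
from typing import Optional, Tuple

VALID_SID = "ab10d438"                              # from the page
FORBIDDEN_LOCATION = "http://domain.com/403.html"   # from the page
ORIGIN = "http://www.origin.com"                    # from the page


def cookie_value(header: str, name: str) -> Optional[str]:
    """Approximate nginx $cookie_NAME: first cookie in the header with that name."""
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if sep and key.strip() == name:
            return value.strip()
    return None


def css_js_rule_whole_header(cookie_header: str) -> Tuple[int, str]:
    """Rule as generated on the page: if ($http_cookie != 'sid=ab10d438') -> 301."""
    if cookie_header != f"sid={VALID_SID}":
        return 301, FORBIDDEN_LOCATION
    return 200, ""


def css_js_rule_per_cookie(cookie_header: str) -> Tuple[int, str]:
    """Assumed hardened variant: if ($cookie_sid != 'ab10d438') -> same 301."""
    if cookie_value(cookie_header, "sid") != VALID_SID:
        return 301, FORBIDDEN_LOCATION
    return 200, ""


def debug_rule(cookie_header: str, request_uri: str) -> Tuple[int, str]:
    """Rule as generated on the page: if ($http_cookie = 'state=debug') -> 301 to origin."""
    if cookie_header == "state=debug":
        return 301, ORIGIN + request_uri
    return 200, ""  # served from the CDN cache


# Constructed Cookie headers a browser might send; none of these come from the page.
SAMPLE_HEADERS = [
    "sid=ab10d438",                # exactly the valid cookie
    "sid=ab10d438; _ga=GA1.2.1",   # valid sid plus an unrelated cookie
    "sid=invalid_value",
    "",                            # no Cookie header at all
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        whole = css_js_rule_whole_header(header)[0]
        single = css_js_rule_per_cookie(header)[0]
        print(f"{header!r:32} whole-header={whole} per-cookie={single}")
    print(debug_rule("state=debug", "/image.svg"))
    print(debug_rule("foo=1; state=debug", "/image.svg"))
```

The second sample header is the one to watch: a user holding the valid sid but also carrying an analytics cookie is redirected to the forbidden page by the whole-header rule, while the per-cookie variant admits them. The same applies to the debug rule, which only fires when state=debug is the one and only cookie in the request.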
We hope this article was helpful and as always, If there are any questions or concerns about any of the topics mentioned in this article, please feel free to reach out to support - we are available 24/7 by chat or email!