The Gcore CDN uses advanced technology to protect and secure content delivery.
To enhance security, we’ve built an origin server authentication mechanism into the content retrieval process.
Why do I need an origin SSL certificate?
When configuring the protocol for interaction with the origin, you specify the protocol by which the CDN servers will contact the origin for content. You can decide whether the connection should be encrypted (HTTPS) or not (HTTP).
If HTTPS is selected, cache servers fetch content from the origin over HTTPS. The connection is encrypted, but encryption alone doesn’t protect against man-in-the-middle attacks, because by default the cache server doesn’t verify that the server answering its request is actually the client’s origin.
[Figure: Man-in-the-middle attack scheme]
To ensure the security of the transmitted data, use the “Validate origin using SSL” option.
This option also lets clients verify that requests really come from our cache servers, without maintaining and constantly updating a list of IP addresses.
How does it work?
You upload the PEM-encoded public part of the X.509 certificate to our system; the corresponding private key stays on your origin server. Each certificate in the system is assigned its own identifier, and this information is stored on every CDN server. You can request information about a certificate (or about all certificates in the system) and change its name at any time.
[Figure: Origin server validation scheme]
- When a request comes from a user, the cache server contacts the origin server for access to protected information.
- In response, the origin server provides its X.509 certificate.
- The cache server verifies the signature on the presented certificate against the public certificate stored in the system.
- If successful, the cache server sends its certificate to the origin server.
- The origin server verifies the received certificate in the same way.
- If this check is also successful, the origin server provides access to protected information.
- The CDN fetches content from the origin server and caches it for transmission to the user.
- If certificate verification fails, the cache server automatically rejects the request and doesn’t send data to an unverified server.
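As an added example (not Gcore’s own configuration), this is how an origin running nginx can take part in the exchange above: it presents the certificate whose PEM public part was uploaded to the CDN, and in turn requires the cache server to present a certificate that matches the CDN certificate, so requests from anything else are refused. All file paths and the server name are placeholders.

```nginx
# Added example: origin-side nginx configuration for mutual certificate
# validation with the CDN. Paths and server_name are placeholders.
server {
    listen 443 ssl;
    server_name origin.example.com;          # placeholder origin hostname

    # Certificate whose PEM-encoded public part was uploaded to the CDN;
    # the matching private key never leaves the origin.
    ssl_certificate     /etc/ssl/origin/origin-cert.pem;
    ssl_certificate_key /etc/ssl/origin/origin-key.pem;

    ssl_protocols TLSv1.2 TLSv1.3;

    # Default is "ssl_verify_client off", which accepts any client and would
    # force you back to an IP allowlist. "on" requires the cache server to
    # present a certificate and verifies it against the CDN certificate
    # (placeholder path); requests without a valid one are refused.
    ssl_client_certificate /etc/ssl/origin/cdn-client-cert.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        root /var/www/protected;
    }
}
```

Check the result with the verification status nginx exposes as $ssl_client_verify (for example in a log_format in the http block): only requests that reach the location with the value SUCCESS came from a client holding the expected certificate.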
How do I enable this feature?
For now, this feature can only be enabled via API.