API
The Gcore Customer Portal is being updated. Screenshots may not show the current version.
CDN
CDN
BillingCDN resources overviewOrigin groupPurgePrefetchReports
API
Chosen image
Home/CDN/CDN resource options/General/Enable SSL Validation

Enable origin SSL Validation

What is this option for?

Note: This option is only accessible via API.  

In the Origin Pull Protocol option, you are to set the protocol which CDN servers will use to pull content from an origin server: HTTP, HTTPS or HTTP and HTTPS. It allows you to control whether the connection between the CDN and the origin server is encrypted or not. 

If you choose the HTTPS protocol, CDN servers will send a request for the content via HTTPS protocol, such a content transfer process is encrypted, but still do not save the connection from the attack called Man In The Middle

This is because the CDN servers by default do not check whether the SSL certificate on the origin is valid and certified by a Certificate Authority and whether the answered server is the client's server.  

To increase the connection security level, activate the Origin SSL Validation option.  

With the active origin validation option, the CDN server will ensure the validity of your origin certificate before completing any connection. This includes ensuring the identity of your server with your signing CA. 

How does it work?

1. You set the part of the public key of the X.509 certificate in the system (using an API request) in the PEM format. The other part of the key you will store on your origin server. The certificates you added will receive a unique ID. We will store all the certificate information on CDN servers. At any moment, you can get a request for the certificate information or change their names.  

2. When a user sends a request for the content for the first time, a CDN server sends a request to access protected information on the origin server. 

3. The origin server presents its X.509 certificate to the CDN server. 

4. The CDN server verifies the origin server’s certificate by validating the digital signature of the server’s public key using CA’s public key stored in the CDN system. 

5. The origin server verifies the CDN server's certificate using the same approach.  

6. If successful, the origin server gives access to the protected information to the CDN server. 

7. CDN server sends the content to the user browser.

Enable SSL validation via API

1. Upload the certificate using the "Add Trusted CA Certificate" documentation.

2. Link the certificate to the CDN resource using the proxy_ssl_ca and proxy_ssl_data keys according to the "Change CDN Resource" documentation.

3. Set the proxy_ssl_enabled key to the true value for your resource according to the "Change CDN Resource" documentation.

Was this article helpful?

Not a Gcore user yet?

Learn more about our next-gen CDN

Go to the product page