CDN's are very popular these days. Their main purpose is to off-load the servers and increase the speed of the website. I will explain here why you need a CDN from the performance and security point of view and if your website doesn't have CDN native support, how you can enable it with mod_cdn.
They are just inverse proxies. The concept is not new; inverse proxies have been around for quite some time. Their main goal is to protect the main web server by caching common objects and filtering HTTP queries that may try to exploit any possible vulnerability. An inverse proxy usually is hosted in the same network as the webserver is.
At some point, someone realized that if you have different inverse proxies around the world, you may improve drastically the performance of your website. Hence CDN's were born.
CDN's could be all in front of the main web server (full approach) or just partially. It depends on the architecture of the site.
That is completely another thing, with nothing to do with the partial or full approach. When you read about a push or pull CDN, the vendor is referring to how it will get the objects.
Moden web browsers won't overload your server with 200 requests on the spot, instead, they cap the simultaneous calls they can do. It is well-known Chrome does six simultaneous requests to the same FQDN. By adding extra FQDN's in your HTML code, you are working around this limitation. Instead of having a single FQDN (like inside-out.xyz), you may have two (static.inside-out.xyz) like this website. You will be able to have twice the connections (if there is no other limit) which are translated to having a quicker loading time.
CDN networks also take care of the latency issue (slowness because nodes are distant). CDNs have many points of presence around the world; with some Smart DNS queries, static.inside-out.xyz may resolve to a different IP if you are in Canada than if you are in Australia. There is no better thing than having cached content close to you. The following image shows how users find the closest CDN node.
In short, the faster the better SEO a website will have.
I would say that CDN is a perfect countermeasure for anything that threatens availability. CDN's usually have sophisticated controls to avoid anything from a DoS attacks to complex HTTP attacks. It is actually what is called a Layer-7 firewall. This usually works with a full CDN approach.
This approach will hide the Web server IP from the attacker. Making it, almost impossible to reach directly.
If you are lucky, the software you use will have support for CDN, you just need to do configurations.
Happily for us, we have mod_cdn. It was quite difficult to find the source of this project. There are many articles that describe how to use mod_cdn, but you will find that the URL they publish is broken (domain doesn't exist any more). After diggin a little, I found it. Documents describe verion 1.1.0, I found 1.1.1.
I will describe here how I did it to make it work. Since I am an Apache sysadmin, this is the procedure I will be describing. The easiest way to install mod_cdn is by using my CentOS 7 & 8 RPM repository. After adding the repository, just type yum install mod_cdn. If you are using the wrong distribution (non RPM), you may need to download the source and compile manually, it is almost straitforward.
Since CDN are more domain-specific, the best approach is to configure them inside a VirtualHost tag. I suggest to start with something like this:
CDNHTMLRemapURLServer \.png$ i
CDNHTMLRemapURLServer \.jpe?g$ i
CDNHTMLRemapURLServer \.gif$ i
CDNHTMLRemapURLServer \.css$ i
CDNHTMLRemapURLServer \.js$ i
CDNHTMLRemapURLServer \.mp4$ i
CDNHTMLRemapURLServer \.mp3$ i
CDNHTMLRemapURLServer \.mp4#t=[\d\.]+ i
CDNHTMLRemapURLServer \.jpe?g\?.+ i
CDNHTMLRemapURLServer \.png\?.+ i
CDNHTMLRemapURLServer \.js\?.+ i
CDNHTMLLinks img src
CDNHTMLLinks link href
CDNHTMLLinks object data
CDNHTMLLinks input src
CDNHTMLLinks script src
CDNHTMLLinks a href
CDNHTMLLinks a data-remote
CDNHTMLLinks source src
The Github page of the project have a very clear explanation on all the options. This is just to start right away, in most cases it is all what you need. I have done a fork to make it work with Apache 2.4 and use CentOS library path (/usr/lib64), if you are going to compile by hand, make sure to make it point to the right place of your distribution.
After that, just restart your Apache, call the web page and you will see the tags you have configured CDNfied.
Good luck!blog comments powered by Disqus
Read about IT, Migration, Business, Money, Marketing and other subjects.
Some subjects: FusionPBX, FreeSWITCH, Linux, Security, Canada, Cryptocurrency, Trading.