ESD_Module 6_ESD Capabilities

Module 6 - ESD Capabilities and Features
ESD Modules
• Content Targeting
• Advanced Cache Optimization
• NetStorage Ireland
• User Authentication/Access Control
• Secure Content Delivery
• Large File Download Optimization
• Download Receipts
• Download Manager
• Download Analytics
Powering a Better Internet
© 2011 Akamai
Content Targeting
Identifies visitors by geographic location, connection speed,
device type, or other attributes
Allows content to be targeted in real time at the network edge for
each visitor
Methods to achieve content targeting:
HTTP Headers
Identification Attributes
Device type
OS type
Connection speed
Precise Geography
Localized content
Customized storefronts
Streamlined navigation
Targeted advertising
Adaptive marketing
Rich end user experiences
Controlled distribution
Content Targeting Using EdgeScape
[Diagram labels: User request; content served; Data request & response when needed; IP address; Geographic and network codes sent back]
Content Targeting Using HTTP Headers
User visits Site
Akamai passes a “X-AkamaiEdgescape” header to the
Akamai edge server
returns customized
Origin returns customized
content based on user
attributes passed through
Akamai Edge Server
Origin Server
Export Control Using Content Targeting
US export laws may require denying content access to certain
embargoed countries such as Iran, Cuba, and North Korea.
Content Targeting enables denying access based on end user
No additional integration is required to enforce export control
Advanced Cache Optimization
Provides a comprehensive set of configurable cache settings that
allow you to specify, at a granular level, how Akamai edge servers
are to cache and serve content
Features include:
• Session Rewriting
• Cache Key Customization
• Cookie, Redirect, and Header Handling
User Authentication/Access Control
Allows you to:
• authenticate users and only allow authorized users to access
software files
• fully control distribution of your content
Two primary authentication methodologies:
• Centralized Authorization
• Edge Authorization
How Centralized Authorization Works
[Diagram labels: Akamai Edge Servers; Authentication Server (maintained by customer for authenticating requests); User Request; Auth Request Only; Auth Server; Served or; Yes/No Response; End Users]
Edge Authorization
Allows Akamai servers to serve or deny content without
forwarding authentication information to content source
It can either be:
o Cookie-based or
o URL-based
Edge Authorization - Illustration
1. Request for download URL
2. URL returned with Auth URL or Cookie
3. Download
4. Akamai server validates Auth
5. Content or access denied/
[Diagram labels: Front End Server; Akamai Edge Server; End User]
How Cookie-based Edge Authorization
When edge servers receive a request, they:
1. search for the cookie in the request.
2. compute a MAC based on data in the configuration file.
3. validate the result against the MAC included in the cookie.
4. verify the IP address, expiration time, and access list entries if set in
the cookie value.
If the above steps are successful, content is served with a 200 OK; otherwise
a 403 is sent.
How URL-based Edge Authorization
The origin or Akamai edge server adds token to query string of
The Akamai edge server:
1. looks for the authorization token.
2. verifies that it has not expired.
3. re-computes token from expiration in the token and settings
defined in configuration file.
4. compares result with token received in the request.
If results match, client is authorized to receive requested
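The cookie-based and URL-based checks above follow the same pattern, shown here as an added example that is not Akamai's code or token format. The `exp=...~ip=...~mac=...` layout, the SHA-256 HMAC, the secret and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: stands in for the key held in the edge configuration file.
SECRET = b"constructed-demo-secret"

def _mac(path, fields):
    # Bind the MAC to the path and to every field the token carries.
    return hmac.new(SECRET, f"{path}?{fields}".encode(), hashlib.sha256).hexdigest()

def issue_token(path, expires, client_ip=None):
    """Front-end side: token to append to the query string or set as a cookie."""
    fields = f"exp={expires}" + (f"~ip={client_ip}" if client_ip else "")
    return f"{fields}~mac={_mac(path, fields)}"

def authorize(path, token, now, client_ip):
    """Edge side: 200 if the token validates, otherwise 403."""
    if not token or "~mac=" not in token:           # look for the token
        return 403
    fields, received = token.rsplit("~mac=", 1)
    try:
        claims = dict(f.split("=", 1) for f in fields.split("~"))
        expires = int(claims["exp"])
    except (ValueError, KeyError):
        return 403                                  # malformed token is a denial
    # The MAC is checked before the fields are acted on, so an expiry or IP
    # that was altered in transit is rejected rather than trusted.
    expected = _mac(path, fields)                   # recompute from token + config
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 403                                  # constant-time comparison
    if expires < now:                               # expiration time
        return 403
    if "ip" in claims and claims["ip"] != client_ip:  # IP address, if set
        return 403
    return 200
```

Because the path is part of the MAC input, a token issued for one file does not authorize a request for another.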
SSL Overview
SSL uses public and private key pair encryption system.
SSL certificate contains common name for site and RSA public key.
Public keys allow clients to encrypt information to be sent to the
Private key provides ability to decrypt data from the client.
SSL certificates must be digitally signed by a certificate authority.
Akamai’s Secure Content Delivery
Enables reliable and secure delivery of SSL content to end users
SSL content is delivered over Akamai’s trusted Secure Content
Delivery network
An Akamai representative will purchase your SSL certificates
Public key is passed to requesting browsers
Private key is encrypted and secured by Akamai servers.
Key Management Infrastructure (KMI) is used to allow trusted
Key Management Infrastructure
1. Key Agent requests keys for edge server
2. KDC generates verification secret and hands it to audit
3. Runs audit against edge server and if successful hands verification secret to Key Agent
4. Key Agent verifies itself to KDC
5. KDC gives the edge server ability to decrypt keys
[Diagram labels: Key Agent running on edge server; Key Distribution; Secure Edge; Audit Server]
Large File Download Optimization
What is it?
A feature that optimizes download performance for files > 100 MB and <
maximum file size limit of 10 GB
How LFO Works
1. breaks files into smaller clusters and caches each cluster separately.
2. caches only those elements of a file that are needed.
3. enables edge servers to deliver parts of the file without having to
wait to receive the entire file.
When to use LFO?
Akamai defines a file as “large” if it is > 100 MB and recommends
using LFO for such files.
For files > 1.8 GB, LFO is a must and you must use NetStorage as
the origin.
You can deliver files up to a maximum of 10 GB by enabling LFO.
How LFO Works
Origin Server
• Origin server must support use of Range requests and must respond
correctly with full set of headers to a request for only the first byte
of a file.
• Only responses that contain a properly formatted Content-Range
header with the instance-length can use LFO.
• LFO applies only to files that are cacheable.
• Files must not be republished under an existing URL as it risks
serving corrupted files to the client.
LFO: File Retrieval Behavior
Type of Request: Akamai Edge Server Behavior
• Non-range request for an object not in cache: Fetches the entire file through a series of consecutive range requests and caches each range response separately
• Range request for an object not in cache: Fetches and saves only the fragments needed to satisfy the range request
• Range request for an object that is partially cached: Determines which fragments the requested range falls into, and fetches and caches only the fragments it doesn't yet hold
• Non-range request for an object that is already partially: Fetches and caches all fragments it doesn't have
LFO: Response Requirements
Response to range request for first byte must
• have a 206 status code.
• be cacheable.
• contain a properly formatted Content-Range header with instance-length.
• instance-length must be within configured limits.
• if configured for consistency verification through ETags, response
must contain ETag header and ETag must not be weak.
• if configured for consistency verification through Last-Modified
time, response must contain Last-Modified header.
Verifying Consistency of Fragments:
Important Points
The mechanism illustrated only prevents inconsistency on a given
Akamai server.
To ensure two Akamai servers cache and serve the same version of a
file, never republish a newer version under its previous name.
• If the file changes, some portion of the URI must change as well.
Download Receipts
Enables you to receive notification on specific download events in real
Sent in real time via HTTP to customer maintained origin servers
Can be triggered on download initiation and/or completion
Include information on:
• Client IP address
• Download initiation/completion
• Cookies
• Geographical location
• Client Bandwidth
Available to ESD customers at no additional charge
Download Receipts – Sample Metadata
Download Manager
Client software application that helps users download content easily
Available as ActiveX component, Java applet, and JavaScript API
Provides users ability to start, stop, pause and resume downloads
Provides useful information: download initiations, completions
Latest version of Akamai’s Download Manager (DLM 3.0) features:
• Customizable user interface
• End-to-end integrity checking for 100% certified downloads
• Embedded directly in web pages
Download Analytics
Comprehensive analytics and reporting solution to understand how
your downloads are performing
Optional module for HTTP Downloads
Provides you with the ability to:
• create custom reports
• specify data sources
• specify qualifying data in reports