Module 6 - ESD Capabilities and Features

ESD Modules
• Content Targeting
• Advanced Cache Optimization
• NetStorage Ireland
• User Authentication/Access Control
• Secure Content Delivery
• Large File Download Optimization
• Download Receipts
• Download Manager
• Download Analytics

Powering a Better Internet © 2011 Akamai

Content Targeting
• Identifies visitors by geographic location, connection speed, device type, or other attributes
• Allows content to be targeted in real time at the network edge for each visitor
• Methods to achieve content targeting:
  • HTTP Headers
  • EdgeScape

Identification Attributes
• Browser
• Device type
• OS type
• Connection speed
• Precise Geography

Applications
• Localized content
• Customized storefronts
• Streamlined navigation
• Targeted advertising
• Adaptive marketing
• Rich end user experiences
• Controlled distribution

Content Targeting Using EdgeScape
[Diagram. Flow labels: User request; IP address sent; Geographic and network codes sent back; Customized content served; Data request & response when needed. Components: Akamai Network; Content Provider Environment; Web Server; EdgeScape Integrated API; EdgeScape Engine; Local DB; EdgeScape Server Processes; DB.]

Content Targeting Using HTTP Headers
1. User visits site.
2. Akamai passes a “X-AkamaiEdgescape” header to the origin.
3. Origin returns customized content based on user attributes passed through header.
4. Akamai edge server returns customized content.
[Diagram components: Akamai Edge Server; Origin Server.]

Export Control Using Content Targeting
• US export laws may require denying content access to certain embargoed countries such as Iran, Cuba, and North Korea.
• Content Targeting enables denying access based on end user location.
• No additional integration is required to enforce export control policies.

Advanced Cache Optimization
• Provides a comprehensive set of configurable cache settings that allow you to specify, at a granular level, how Akamai edge servers are to cache and serve content
• Features include:
  • Session Rewriting
  • Cache Key Customization
  • Cookie, Redirect, and Header Handling

User Authentication/Access Control
• Allows you to:
  • authenticate users and only allow authorized users to access software files
  • fully control distribution of your content
• Two primary authentication methodologies:
  • Centralized Authorization
  • Edge Authorization

How Centralized Authorization Works
[Diagram. Flow labels: User Request; Auth Request Only; Yes/No Response; Content Served or Denied. Components: End Users; Akamai Edge Servers; Auth Server (Authentication Server maintained by customer for authenticating requests).]

Edge Authorization
• Allows Akamai servers to serve or deny content without forwarding authentication information to content source
• It can either be:
  o Cookie-based or
  o URL-based

Edge Authorization - Illustration
1. Request for download URL
2. URL returned with Auth URL or Cookie
3. Download Request
4. Akamai server validates Auth URL/Cookie
5. Content or access denied/served
[Diagram components: End User; Front End Server; Akamai Edge Server.]

How Cookie-based Edge Authorization Works
• When edge servers receive a request, they:
  1. search for cookie in request.
  2. compute MAC based on data in configuration file.
  3. validate result against MAC included in cookie.
  4. verify IP address, expiration time, and access list entries if set in the cookie value.
• If above steps are successful, content is served with a 200, OK, else a 403 is sent.
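
The cookie check above and the URL token check on the next slide follow one pattern: recompute the MAC from the received fields plus a configured secret, compare, then enforce expiry, IP and access list. The sketch below is an added example, not Akamai code or Akamai's token format; the `exp~ip~acl~mac` layout, HMAC-SHA256, the secret and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from fnmatch import fnmatchcase

# Constructed demo key; stands in for the secret held in the edge configuration.
SECRET = b"constructed-demo-secret"


def sign(fields: str, secret: bytes = SECRET) -> str:
    """MAC over the field string (HMAC-SHA256 is this example's choice)."""
    return hmac.new(secret, fields.encode(), hashlib.sha256).hexdigest()


def issue(exp: int, ip: str = "", acl: str = "/*") -> str:
    """Front-end side: build the value returned as auth cookie or URL token."""
    fields = f"exp={exp}~ip={ip}~acl={acl}"
    return f"{fields}~mac={sign(fields)}"


def authorize(token: str, client_ip: str, path: str, now=None) -> int:
    """Edge side: return 200 to serve the content or 403 to deny it."""
    now = time.time() if now is None else now
    fields, sep, mac = token.rpartition("~mac=")
    if not sep:
        return 403  # no MAC present
    # Recompute and compare in constant time before trusting any field.
    if not hmac.compare_digest(sign(fields).encode(), mac.encode()):
        return 403
    try:
        claims = dict(item.split("=", 1) for item in fields.split("~"))
        exp = int(claims["exp"])
    except (ValueError, KeyError):
        return 403
    if now >= exp:
        return 403  # expired
    if claims.get("ip") and claims["ip"] != client_ip:
        return 403  # token bound to a different client address
    if not fnmatchcase(path, claims.get("acl", "")):
        return 403  # requested path is outside the access list
    return 200
```

Because the expiry, IP and access list are all covered by the MAC, a client that edits any of them invalidates the token; the constant-time comparison avoids leaking how many MAC characters matched.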

How URL-based Edge Authorization Works
• The origin or Akamai edge server adds token to query string of URL.
• The Akamai edge server:
  1. looks for the authorization token.
  2. verifies that it has not expired.
  3. re-computes token from expiration in the token and settings defined in configuration file.
  4. compares result with token received in the request.
• If results match, client is authorized to receive requested content.

SSL Overview
• SSL uses public and private key pair encryption system.
• SSL certificate contains common name for site and RSA public key.
• Public keys allow clients to encrypt information to be sent to the server.
• Private key provides ability to decrypt data from the client.
• SSL certificates must be digitally signed by a certificate authority.

Akamai’s Secure Content Delivery Solution
• Enables reliable and secure delivery of SSL content to end users
• SSL content is delivered over Akamai’s trusted Secure Content Delivery network
• An Akamai representative will purchase your SSL certificates
• Public key is passed to requesting browsers
• Private key is encrypted and secured by Akamai servers.
• Key Management Infrastructure (KMI) is used to allow trusted interactions

Key Management Infrastructure
1. Key Agent requests keys for edge server
2. KDC generates verification secret and hands it to audit server
3. Runs audit against edge server and if successful hands verification secret to Key Agent
4. Key Agent verifies itself to KDC
5. KDC gives the edge server ability to decrypt keys
[Diagram components: Key Agent running on edge server; Secure Edge Server; Key Distribution Center; Audit Server.]

Large File Download Optimization
What is it?
A feature that optimizes download performance for files > 100 MB and < maximum file size limit of 10 GB

How LFO Works
LFO:
1. breaks files into smaller clusters and caches each cluster separately.
2. caches only those elements of a file that are needed.
3. enables edge servers to deliver parts of the file without having to wait to receive the entire file.

When to use LFO?
• Akamai defines a file as “large” if it is > 100 MB and recommends using LFO for such files.
• For files > 1.8 GB, LFO is a must and you must use NetStorage as the origin.
• You can deliver files up to a maximum of 10 GB by enabling LFO.

How LFO Works
[Diagram components: End Users; Akamai EdgePlatform; Akamai NetStorage; Origin Server.]

Caveats
• Origin server must support use of Range requests and must respond correctly with full set of headers to a request for only the first byte of a file.
• Only responses that contain a properly formatted Content-Range header with the instance-length can use LFO.
• LFO applies only to files that are cacheable.
• Files must not be republished under an existing URL as it risks serving corrupted files to the client.

LFO: File Retrieval Behavior
Type of Request: Akamai Edge Server Behavior
• Non-range request for an object not in cache: Fetches the entire file through a series of consecutive range requests and caches each range response separately
• Range request for an object not in cache: Fetches and saves only the fragments needed to satisfy the range request
• Range request for an object that is partially cached: Determines which fragments the requested range falls into, and fetches and caches only the fragments it doesn't yet hold
• Non-range request for an object that is already partially cached: Fetches and caches all fragments it doesn't have

LFO: Response Requirements
• Response to range request for first byte must
  • have a 206 status code.
  • be cacheable.
  • contain a properly formatted Content-Range header with instance-length.
• Additionally:
  • instance-length must be within configured limits.
  • if configured for consistency verification through ETags, response must contain ETag header and ETag must not be weak.
  • if configured for consistency verification through Last-Modified time, response must contain Last-Modified header.

Verifying Consistency of Fragments: Important Points
• The mechanism illustrated only prevents inconsistency on a given Akamai server.
• To ensure two Akamai servers cache and serve the same version of a file, never republish a newer version under its previous name.
• If the file changes, some portion of the URI must change as well.

Download Receipts
• Enables you to receive notification on specific download events in real time
• Sent in real time via HTTP to customer maintained origin servers
• Can be triggered on download initiation and/or completion
• Include information on:
  • Client IP address
  • Download initiation/completion
  • Cookies
  • Geographical location
  • Client Bandwidth
• Available to ESD customers at no additional charge

Download Receipts – Sample Metadata
[Figure: sample metadata; not recoverable from the extracted text.]

Download Manager
• Client software application that helps users download content easily
• Available as ActiveX component, Java applet, and JavaScript API
• Provides users ability to start, stop, pause and resume downloads
• Provides useful information: download initiations, completions
• Latest version of Akamai’s Download Manager (DLM 3.0) features:
  • Customizable user interface
  • End-to-end integrity checking for 100% certified downloads
  • Embedded directly in web pages

Download Analytics
• Comprehensive analytics and reporting solution to understand how your downloads are performing
• Optional module for HTTP Downloads
• Provides you with the ability to:
  • create custom reports
  • specify data sources
  • specify qualifying data in reports
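
Returning to the LFO response requirements listed above, an origin's answer to a first-byte range request can be checked against them before LFO is enabled. This is an added example, not Akamai tooling; the function name, the Cache-Control test used for "cacheable", and the default limits (taken from the 100 MB and 10 GB figures on the slides) are assumptions.

```python
import re

# A Content-Range of the form "bytes 0-0/*" has no instance-length and is rejected.
CONTENT_RANGE = re.compile(r"^bytes (\d+)-(\d+)/(\d+)$")


def lfo_eligible(status, headers, verify="etag",
                 min_len=100 * 10**6, max_len=10 * 10**9):
    """Check the reply to 'Range: bytes=0-0'; returns (ok, reason)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if status != 206:
        return False, "status is not 206"
    # Assumption: cacheability is judged from Cache-Control directives alone.
    cc = h.get("cache-control", "").lower()
    if any(d in cc for d in ("no-store", "no-cache", "private")):
        return False, "response is not cacheable"
    m = CONTENT_RANGE.match(h.get("content-range", ""))
    if not m:
        return False, "Content-Range missing or lacks instance-length"
    first, last, length = map(int, m.groups())
    if (first, last) != (0, 0):
        return False, "Content-Range does not describe the first byte"
    if not min_len <= length <= max_len:
        return False, "instance-length outside configured limits"
    if verify == "etag":
        etag = h.get("etag", "")
        if not etag:
            return False, "ETag header missing"
        if etag.startswith("W/"):
            return False, "ETag is weak"
    elif verify == "last-modified" and "last-modified" not in h:
        return False, "Last-Modified header missing"
    return True, "ok"


# Constructed sample response headers for a 700 MiB installer.
SAMPLE = {"Content-Range": "bytes 0-0/734003200",
          "ETag": '"v3-9f2c"',
          "Cache-Control": "max-age=86400"}
```

A weak ETag or a missing validator is the case worth catching early, since fragment consistency verification has nothing reliable to compare when the file behind a URL changes.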