I have a CDN from Internap that serves our static content.

To make the CDN URLs in my HTML a bit more palatable, I have a "CNAME" entry in my DNS settings:

cache.mysite.com => CNAME points to Internap

The Internap server is an origin pull server. So my domain has a "/public_html/cache" folder that is pointed to the CDN.

There are files I am putting here that I would like to serve only from my own domains.

Also important is that my site is behind Nginx. That's the front server, and serves all static files like ttf/woff/eot/css/js/gif, etc. Only the PHP needs are proxied in the backend to Apache.

I came across the "Access-Control-Allow-Origin" directive. Nginx has a way to do this too (useful Server Fault article and a useful Stack Overflow article too), but I want to limit the access from some domains only, which I own.

The reason I'm a little confused is because I have three layers in serving the fonts and managing access:

  • CDN
  • Nginx static server
  • Apache (probably not needed at all as Nginx serves the file to the CDN, and then the CDN takes over?)

My questions:

  1. How should I specify some select domains in Nginx? The "*" is really not what I need. Will this work for my domains and also covering related subdomains--

      location ~* \.(eot|ttf|woff)$ {
        add_header Access-Control-Allow-Origin *.domain1.com,*.domain2.com;
      }

  2. Where inside Nginx should I specify this block? In the vhost file related to the specific domain from which I'm serving fonts (cache.mysite.com mentioned earlier) or in the overall Nginx config?

  3. Do I need the Apache stuff at all, if Nginx is handling the webfont formats already and controlling access to them?

Thanks!

PKHunter
  • I'm puzzled. If the DNS entry for `cache.mysite.com` points to Internap, how do you ever see any requests for `cache.mysite.com` on your server? – arx Jan 14 '12 at 23:11
  • Because the first "original pull" is from my server. Or will this request be registered as Internap and not the original user pulling it? In this case, with a CDN, how do I limit access? Thanks. – PKHunter Jan 15 '12 at 00:22
  • What URL is the Internap server using to access your server? – arx Jan 15 '12 at 00:29
  • Not sure. It's set up in their website. I log in to my account at SoftLayer, then I specify my domain and the CNAME (cache.mysite.com). What it does behind the scenes is not really under my control. – PKHunter Jan 15 '12 at 01:05

2 Answers

If the browser downloads the fonts from your CDN, then there is no way of checking the headers. This is because Internap caches the downloaded file, otherwise the CDN would slow things down, and your data-traffic would remain the same. It could be that Internap provides the option to only accept certain referrers.

The Access-Control-Allow-Origin option might work, but you'll have to check to see if the CDN also forwards this header.

Gerben

You have to check the HTTP_REFERER header to see if the files are being accessed from your own domain or not.

If not, you can always redirect them (and maybe throw in a 403 error as well).

Milad Naseri
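
An added example (not from any of the posts above) for the question's first point: `Access-Control-Allow-Origin` carries a single origin or `*`, not a comma-separated or wildcard list, so the usual approach is to match the request's `Origin` header against an allowlist and echo it back. The `map` placement, the regexes and the `Vary` header are assumptions for illustration; `domain1.com`, `domain2.com` and `cache.mysite.com` are the names used in the question.

```nginx
# Assumed placement: inside the http {} block, outside any server {}.
# $cors_allow_origin is a hypothetical variable name chosen for this example.
# It is set to the request's Origin only when that Origin is one of the
# allowed domains or a subdomain of one; otherwise it stays empty.
map $http_origin $cors_allow_origin {
    default "";

    # Anchored at both ends so that look-alike hosts such as
    # "evildomain1.com" or "domain1.com.example.net" do not match.
    "~*^https?://([a-z0-9-]+\.)*domain1\.com(:[0-9]+)?$" $http_origin;
    "~*^https?://([a-z0-9-]+\.)*domain2\.com(:[0-9]+)?$" $http_origin;
}

server {
    # The vhost the CDN pulls from (name taken from the question).
    server_name cache.mysite.com;

    location ~* \.(eot|ttf|woff)$ {
        # nginx omits a header whose value is an empty string, so
        # requests from other origins get no CORS header at all.
        add_header Access-Control-Allow-Origin $cors_allow_origin;

        # Tell caches that the response differs per Origin.
        add_header Vary Origin;
    }
}
```

Because the CDN caches what it pulls from the origin, this only has an effect if the CDN forwards the `Origin` request header, passes the response header through, and keys its cache on `Vary: Origin`. Otherwise whichever value was cached first is served to every site.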