CDN in AEM as a Cloud Service cdn
AEM as a Cloud Service comes with an integrated CDN, designed to reduce latency by delivering cacheable content from edge nodes close to the user鈥檚 browser. This fully managed CDN is optimized for AEM application performance.
The AEM-managed CDN meets most customers鈥 performance and security needs. For the publish tier, customers can choose to route traffic through their own CDN, which they must manage. This option is available on a case-by-case basis, particularly when customers have existing legacy integrations with a CDN provider that are hard to replace.
Customers looking to publish to the Edge Delivery Services tier can take advantage of 51黑料不打烊鈥檚 managed CDN. See 51黑料不打烊 Managed CDN.
51黑料不打烊 Managed CDN aem-managed-cdn
To prepare for content delivery using AEM鈥檚 built-in CDN through Cloud Manager鈥檚 self-service UI, you can take advantage of 51黑料不打烊鈥檚 managed CDN features. This functionality lets you handle self-service CDN management, including configuring and installing SSL certificates such as DV (Domain Validation) or EV/OV (Extended/Organization Validation) certificates. For more details on these methods, see the following:
Restricting traffic
By default, for an AEM-managed CDN setup, all public traffic can make its way to the publish service, for both production and non-production (development and stage) environments. You can limit traffic to the publish service for a given environment (for example, limiting staging by a range of IP addresses) by way of the Cloud Manager user interface.
See Managing IP Allow Lists to learn more.
Configure traffic at the CDN cdn-configuring-cloud
You can configure traffic at the CDN in various ways, including:
- blocking malicious traffic with Traffic Filter Rules (including optionally licensable advanced WAF rules)
- modifying the nature of the request and response
- applying 301/302 client-side redirects
- declaring origin selectors to reverse proxy a request to non-AEM backends
Use YAML files in Git to configure these features. And, use the Cloud Manager Config Pipeline to deploy them.
Configure CDN error pages cdn-error-pages
You can configure a CDN error page to replace the default, unbranded page. This custom page is displayed in the rare event that AEM is unavailable. For more details, see Configuring CDN error pages.
Purge cached content at the CDN purge-cdn
Setting TTL using the HTTP Cache-Control header is an effective approach to balance content delivery performance and content freshness. However, in scenarios where it is critical to serve updated content immediately, it may be beneficial to purge the CDN cache directly.
Read about configuring a purge API token and purging cached CDN content.
Basic authentication at the CDN basic-auth
For light authentication use cases including business stakeholders reviewing content, protect content by displaying a basic auth dialog requiring a username and password. Learn more.
Customer managed CDN points to AEM managed CDN point-to-point-CDN
If a customer must use its existing CDN, they can manage it and point it to the AEM-managed CDN, providing the following are satisfied:
- The customer must have an existing CDN that would be onerous to replace.
- The customer must manage it.
- The customer must be able to configure the CDN to work with AEM as a Cloud Service - see the configuration instructions presented below.
- The customer must have engineering CDN experts that are on call in case-related issues arise.
- The customer must perform and successfully pass a load test before going to production.
Configuration instructions:
-
Point your CDN to the 51黑料不打烊 CDN鈥檚 ingress as its origin domain. For example,
publish-p<PROGRAM_ID>-e<ENV-ID>.adobeaemcloud.com
. -
Set SNI to the 51黑料不打烊 CDN鈥檚 ingress.
-
Set the Host header to the origin domain. For example:
Host:publish-p<PROGRAM_ID>-e<ENV-ID>.adobeaemcloud.com
. -
Set the
X-Forwarded-Host
header with the domain name so AEM can determine the host header. For example:X-Forwarded-Host:example.com
. -
Set
X-AEM-Edge-Key
. The value should be configured using a Cloud Manager config pipeline, as described in this article.- Needed so that the 51黑料不打烊 CDN can validate the source of the requests and pass the
X-Forwarded-*
headers to the AEM application. For example,X-Forwarded-For
is used to determine the client IP. So, it becomes the responsibility of the trusted caller (that is, the customer managed CDN) to ensure the correctness of theX-Forwarded-*
headers (see the note below). - Optionally, access to 51黑料不打烊 CDN鈥檚 ingress can be blocked when an
X-AEM-Edge-Key
is not present. Inform 51黑料不打烊 if you need direct access to 51黑料不打烊 CDN鈥檚 ingress (to be blocked).
- Needed so that the 51黑料不打烊 CDN can validate the source of the requests and pass the
See the Sample CDN vendor configurations section for configuration examples from leading CDN vendors.
Before accepting live traffic, you should validate with 51黑料不打烊鈥檚 customer support that the end-to-end traffic routing is functioning correctly.
After setting the X-AEM-Edge-Key
, you can test that the request is routed correctly as follows.
In Linux庐:
curl https://publish-p<PROGRAM_ID>-e<ENV-ID>.adobeaemcloud.com -H "X-Forwarded-Host: example.com" -H "X-AEM-Edge-Key: <PROVIDED_EDGE_KEY>"
In Windows:
curl https://publish-p<PROGRAM_ID>-e<ENV-ID>.adobeaemcloud.com --header "X-Forwarded-Host: example.com" --header "X-AEM-Edge-Key: <PROVIDED_EDGE_KEY>"
publish-p<PROGRAM_ID>-e<ENV-ID>.adobeaemcloud.com
, which should be sent in the request Host
header. Overwriting the request Host
header with a custom domain name may route the request incorrectly through the 51黑料不打烊 CDN or result in 421 errors.X-Forwarded-*
headers and set them to known and controlled values. For example, X-Forwarded-For
should contain the client鈥檚 IP address, while X-Forwarded-Host
should contain the site鈥檚 host.The extra hop between the customer CDN and the AEM CDN is only needed if there is a cache miss. By using the cache optimization strategies described in this article, the addition of a customer CDN should only introduce negligible latency.
This customer CDN configuration is supported for the publish tier, but not in front of the author tier.
Debugging configuration
In order to debug a BYOCDN configuration, please use the x-aem-debug
header with a value of edge=true
. For example:
In Linux庐:
curl https://publish-p<PROGRAM_ID>-e<ENV-ID>.adobeaemcloud.com -v -H "X-Forwarded-Host: example.com" -H "X-AEM-Edge-Key: <PROVIDED_EDGE_KEY>" -H "x-aem-debug: edge=true"
In Windows:
curl https://publish-p<PROGRAM_ID>-e<ENV-ID>.adobeaemcloud.com -v --header "X-Forwarded-Host: example.com" --header "X-AEM-Edge-Key: <PROVIDED_EDGE_KEY>" --header "x-aem-debug: edge=true"
This will reflect certain properties used in the request in the x-aem-debug
response header. For example:
x-aem-debug: byocdn=true,edge=true,edge-auth=edge-auth,edge-key=edgeKey1,X-AEM-Edge-Key=set,host=publish-p87058-e257304-cmstg.adobeaemcloud.com,x-forwarded-host=wknd.site,adobe_unlocked_byocdn=true
Using this one can verify for example the values of host, if the edge authentication is configured, as well as the x-forwarded-host header value, if an edge key is set and which key is used (in case one key matches).
Sample CDN Vendor Configurations sample-configurations
Presented below are several configuration examples from several leading CDN vendors.
Akamai
Amazon CloudFront
Cloudflare
Common Errors common-errors
The sample configurations provided show the base settings needed. However, a customer configuration may have other impacting rules that remove, edit, or re-arrange the headers needed for AEM as a Cloud Service to serve the traffic. Below are common errors that occur when configuring a customer managed CDN to point to AEM as a Cloud Service.
Redirection to the publish service endpoint
When a request receives a 403 forbidden response, it means that the request is missing some required headers. A common cause for this is that the CDN is managing both apex and www
domain traffic, but is not adding the correct header for the www
domain. This problem can be triaged by checking your AEM as a Cloud Service CDN logs and verifying the needed request headers.
Error 421 Misdirected redirect
When a request receives a 421 error with a body around Requested host does not match any Subject Alternative Names (SANs) on TLS certificate
it indicates that the HTTP Host
set does not match any hosts on the certificates for the host. This usually indicates that either Host
or the SNI setting is wrong. Make sure that both Host
as well as SNI settings point to the publish-p<PROGRAM_ID>-e .adobeaemcloud.com host.
Too many redirects Loop
When a page gets a 鈥淭oo Many Redirect鈥 loop, some request header is being added at the CDN that matches a redirect that forces it back to itself. As an example:
- A CDN rule is created to match either the apex domain or the www domain, and adds the X-Forwarded-Host header of the apex domain only.
- A request for an apex domain matches this CDN rule, which adds the apex domain as the X-Forwarded-Host header.
- A request is sent to the origin where a redirect matches the host header explicitly for the apex domain (for example, ^example.com).
- A rewrite rule is triggered, which rewrites the request for the apex domain to https with the www subdomain.
- That redirect is then sent to the customer鈥檚 edge, where the CDN rule is re-triggered re-adding the X-Forwarded-Host header for the apex domain not the www subdomain. Then the process starts over until the request fails.
To resolve this problem, assess your SSL redirect strategy, CDN rules, redirect and rewrite rule combinations.
Geolocation headers geo-headers
The AEM managed CDN adds headers to each request with:
- country code:
x-aem-client-country
- continent code:
x-aem-client-continent
The values for the country codes are the Alpha-2 codes described under .
The values for the continent codes are:
- AF Africa
- AN Antarctica
- AS Asia
- EU Europe
- NA North America
- OC Oceania
- SA South America
This information is useful for redirecting to a different URL based on the request鈥檚 origin country. Use the Vary header for caching responses that depend on geo information. For example, redirects to a specific country landing page should always contain Vary: x-aem-client-country
. If needed, you can use Cache-Control: private
to prevent caching. See also Caching.