Create HTTP CDN Resource

To add an HTTP CDN resource: 

  1. Go to your Control Panel > CDN > Resources menu. The page that loads shows the list of CDN resources.
  2. To create a new CDN resource, click the "+" button in the top right corner or the CDN Resource Wizard button.

  3. Follow the steps of the CDN resource creation wizard:

On this page:

Type Select

Click HTTP to select the required resource type, and then click Next to proceed.


  • Cdn hostname – the hostname from which you will serve static content.
    E.g. if your site (origin) is, and you want to serve static content from the CDN and make it available at, then would be the CDN hostname.
  • Enable SSL - move the slider to the right to enable the secure socket protocol for your CDN resource.

    • Let's Encrypt - select this option if you want to use a Let's Encrypt SSL certificate for the resource

      The Let's Encrypt SSL certificate is automatically generated for the following types of hostname:

      All the hostnames are bundled into one Let's Encrypt SSL certificate. If the secondary hostname cannot be validated, the system generates the LE certificate based on the CDN hostname, CNAME, and Operator Basehostname. The unverified hostname is revalidated by the system every 15 minutes.

      • Shared SSL - choose this option if you want to apply a shared SSL certificate for the resource

        If the SSL protocol is enabled, you can only have fourth-level domain names.
        If you select the Shared SSL certificate, the '' ending will be automatically added to the CDN hostname. Be aware that if CDN hostname ends with '', it can not be digit-only (for example is not applicable).

        A CDN resource can only be linked to one SSL certificate - Let's Encrypt, shared, or custom SNI.

      • Custom SNI SSL - choose this option if you want to apply a custom SNI SSL certificate for the resource and choose the required certificate from the drop-down list
    • Content origin – specify the content origin type (PULL or PUSH):
      • For the PULL type, you can use a custom origin port. Specify a port number using the colon character (":") in the Origins field. If you do not indicate the origin port, then the system will put it by default depending on origin policy:
        • 80 if origin policy is HTTP

        • 443 if origin policy is HTTPS

        • None if origin policy is AUTO, that is when the origin port is custom

          The valid port values include 80, 443, and the range from 1024 to 65535. Values other than mentioned above will be forbidden.

          In case of using multiple origins, the same port number should be specified for all origins using a colon character (":"). Erase the port number from the origin resource field to reset the custom origin port.

          Please note that you can specify one or more origins in the Origins field:

          • When a single origin is used, specify the value based on a hostname or IP.
          • When more than one origin is used, only IP addresses are allowed.

          For IP-based origins, ensure your origin is configured to accept HTTP requests with a CDN resource primary hostname as a Host header from CDN edge servers.

          When creating a CDN resource, specify or in the Origins field.
 is not allowed in the Origins field. If you want CDN to cache the content only in, move the content from to the subdomain folder.domain.comwhich should be used as an origin.

    • For the PUSH type:
      • Storage server location - choose the storage server location from the drop-down list
      • FTP password - specify the FTP password. It can consist of 6-32 alphanumeric characters
      • FTP password confirmation - confirm the password

Edge Locations

Tick the checkbox next to the edge group(s) that will share the new resource. Available groups depend on the assigned bucket's edge groups limit.
The map displays own, subscribed and available CDN resources. If you click a location icon on the map, the city name and country name of the location appear:

Map legend:

At this point, you can create the CDN resource or proceed to the Advanced Settings step which is optional in the wizard.

Advanced Settings

Origin Policy
The origin policy, which is available to a CDN resource, allows a CDN edge server to fetch content from the origin by using different HTTP or HTTPS protocol.
Select the type of the connection from the drop-down list:

  • HTTP—connection between an edge server and an origin where HTTP is always used. It is a default value
  • HTTPS—connection between an edge server and an origin where HTTPS is always used
  • AUTO—connection between an edge server and an origin based on a visitor's request (HTTP or HTTPS)

Country Access
Configure a rule to enable/disable access to the CDN resource’s content for specified countries.

  • Access Policy – select Disabled to switch off the rule, otherwise, choose between Allow by default/Block by default.
  • Except for Countries – select countries to which the access policy won’t be applied. To select more than one country, hold Ctrl during selection.

Hotlink Policy

  • Hotlink Policy – select Disabled to switch off a hotlink policy, otherwise, choose between Allow by default/Block by default.
  • Except for domains – specify domains to which the hotlink policy won’t be applied.
  1. Please note that a wildcard is not supported. Instead, use a URL.

IP Access
Configure a rule to enable/disable access to the CDN resource’s content for a range of IP addresses, including both IPv4 and IPv6.

  • Access Policy – select Disabled to switch off the rule, otherwise, choose between Allow by default/Block by default.
  • Except for IP Addresses – fill in IP address(es) to which the access policy won’t be applied.

Secondary CDN Hostnames
Submit secondary hostnames apart from the default one for HTTP based CDN sites. With these configured, users will be able to access the CDN site using secondary CDN hostname(s). You can add up to 7 secondary CDN hostnames to your CDN resource.

To be able to use a secondary hostname for a CDN resource with SSL enabled, you need an SSL certificate for your custom hostname. For more details about the purchase of an SSL certificate, contact OnApp Support.
Also, set CNAME for both CDN hostname and secondary CDN hostnames.
If you create a CDN resource with the following settings:

and visitors visit , cdn2.example.comall the three URLs will be displayed as

URL Signing
Protect your files from unauthorized access with a key. A signed URL looks like ``.

  • Enable URL Signing – move the slider to the right to enable it.
  • URL Signing Key – fill in the key which will be used for URL signing. The secret key is similar to a password and can contain a minimum of 6 to a maximum of 32 characters. Spaces are not allowed.

A signed URL can be in one of the following formats:

A secure token consists of the following parameters:

  • Expires—the expiration time of a URL or the time when an URL becomes invalid. The time is passed in the URL itself in a Unix timestamp format and takes part in hash generation. It is an optional parameter
  • Path—a file path or file directory

For HLS, put a path instead of an M3U8 file, so that all the chunks of the HLS are authenticated as well.

  • Key—a URL signing key
  • IP— an IP that provides access. It is optional and only one IP allowed when generating the hash key each time

Here is the format of a secure token:


Here is an example of the PHP script used to generate the hash key:

     * Create hash link CDN resource
     * @param string $cdnResourceUrl
     * The CDN resource URL, eg
     * @param string $filePath
     * File path of the CDN resource
     * @param string $secretKey
     * The secret key that is obtained from CDN resource property
     * @param int $expiryTimestamp [optional]
     * UNIX timestamp format, specify how long the hash link is accessible to the public
     * By default will be accessible forever.
     * @return string URL with generated hash link
     * URL with designated format to access the resource
     * Example:
     * Generate hash link for resource for next 3 days, assume today is Sun, 01 Apr 2012.
     * <?php
     * $hashLink = generateHashLink('', '/images/photo.png', 'l33tf0olol', 1333497600);
     * print $hashLink;
     * ?>
     * .
    function generateHashLink($cdnResourceUrl, $filePath, $secretKey, $expiryTimestamp = NULL){
        // NOTE [yasir 20110331] + and ?  are some of represented chars of based64 encoding (8 bits)
        // + is 62 and / is 63 . and These char should be replaced by other predefined chars.
        $searchChars = array('+','/');
        $replaceChars = array('-', '_');
        if($filePath[0] != '/'){
            $filePath = "/{$filePath}";
        if($pos =  strpos($filePath, '?')){
            $filePath = substr($filePath, 0, $pos);
        $hashStr = $filePath.$secretKey;
            $hashStr = $expiryTimestamp.$hashStr;
            $expiryTimestamp = ",{$expiryTimestamp}";
        return  "http://{$cdnResourceUrl}{$filePath}?secure=".
                str_replace($searchChars, $replaceChars, base64_encode(md5($hashStr, TRUE))).

To generate the hash key, download the Ruby, Python, PHP, or Java script.

ruby UrlSigning.rb -f path -s https -r -p images/photo.png -k abc123 -e 1546300800 -i 

python -f path -s https -r -p images/photo.png -k abc123 -e 1546300800 -i 

php UrlSigning.php -f path -s https -r -p images/photo.png -k abc123s -e 1546300800 -i

java UrlSigning -f path -s https -r -p images/photo.png -k abc123 -e 1546300800 -i
Available options:
-f: format, path or querystring, default = querystring
-s: scheme for resource URL, http or https, default = http
-r: resource hostname (compulsory)
-p: file path of the resource, default = /
-k: URL signing key (compulsory)
-e: expiration of the URL (optional)
-i: IP that allow to access (optional)

Cache Expiry

  • Cache expiry – set the cache expiry time in minutes (min=1, max=35000000).


  • Enable Password – move the slider to the right to restrict access to the resource (CDN hostname).
  • Unauthorized HTML – fill in the text which will be displayed for unauthorized login.
  • Username – choose a  username.
  • Password – select password for the user.

To remove a user, clear both fields.

Pseudo Streaming

  • Enable MP4 pseudo streaming – move the slider to the right to enable the pseudo streaming support for MP4 file type.
  • Enable FLV pseudo streaming – move the slider to the right to enable pseudo streaming for FVL file type, respectively.

With pseudo streaming enabled, your viewers can seek around a video even if it has not finished downloading. A Flash player and a prepared video are required for pseudo-streaming.

Nginx handles MP4 and FLV pseudo streaming differently.
The start parameter of MP4 pseudo streaming is represented in seconds:
(12.34 seconds)

The start parameter of FLV pseudo streaming is represented in bytes:
(1200 bytes)

The first value for both is 0.

MP4 pseudo streaming is applicable only to media files with a leading moov atom.

CORS Header

  • Enable CORS headers - move the slider to the right to enable cross-origin resource sharing (CORS) by adding HTTP header with Access-Control-Allow-Origin: *

Ignore Set-Cookie

  • Ignore Set-Cookie - move the slider to the right to enable caching content with Set-Cookie response headers.

Nginx Settings

  • Limit rate - set speed limit of a response to a client (per request) in KB/s. Maximum limit rate value - 2147483647 KB/s
  • Limit rate after - the amount after which the speed of a response to a client will be limited in KB. Maximum limit rate after value -2147483647 KB
  • Proxy cache key - key for caching. Select one of four supported types from the drop-down list:
    • $host$request_uri
    • $host$uri
    • $proxy_host$request_uri
    • $proxy_host$uri

Due to Nginx limitations, file extensions are not supported for gzip. It supports only specific MIME types (the Content-Type header returned from an origin). You can change the MIME types in the origin using the parameters from the whitelist.


The MIME types included in the whitelist are gzipped on demand on CDN edge servers. Any MIME types that are not listed but can be further compressed can be added to the whitelist.
The MIME types in the whitelist can be requested either in a gzip or non-gzip file format based on the passed headers. The reason why it is based on the passed headers is serving compressed content without the client requesting it and risks of breaking client/browser that do not handle Content-Encoding: gzip properly.

Search Engine Crawlers

  • Block search engine crawlers - move the slider to the right to block web crawling bots from indexing the CDN content (for HTTP Pull CDN resources only).

HTTP Live Streaming (HLS) Optimization

  • Enable HLS Optimization - move the slider to enable/disable HLS optimization. This option is available only for HTTP Pull CDN resources. 
  • Enforce Cache Expiry - tick this checkbox to create an HTTP rule that will enforce cache expiry. After you enable HLS optimization during HTTP Pull resource creation or editing, this checkbox will not be displayed if you edit the resource as long as the Enable HLS Optimization option is switched on. If you disable the option and then enable it again, this checkbox will be displayed. If an enforce cache expiry rule has already been set for the resource, a new rule will not be created after you check this box and save changes. You can manually add or delete the HTTP rule that will enforce cache expiry on the HTTP Caching Rules page of your CDN resource.

  • To ensure Samsung Smart TV’s compatibility with Microsoft Smooth Streaming through the CDN, the Suppress CDN Headers feature must be enabled. Contact OnApp Support to have this feature available in Control Panel.

      4. Click Create CDN Resource.