What is an Origin Server
A CDN topology distinguishes between your own origin servers and the on-edge servers of your CDN provider. The former contain the original version of your website, while the latter host cached copies of some of its content.
How a CDN Server Interacts with an Origin Server
Because changes to the content on your origin server must be propagated to your CDN's cache servers, the two communicate on a regular basis.
The most effective method for updating edge servers is to have your CDN automatically pull the new content from your origin. Less effective is the push method, in which you're charged with updating the CDN with the changes you make to your origin.
Our entire CDN guide, of which this entry is only a small part, discusses the ways CDNs can augment your origin's functions, including offloading some of its tasks and boosting its performance and security.
These five questions, however, provide a quick introduction to the basic interactions between your CDN edge and origin server:
1. How do I route traffic through a CDN to my origin server?
To function properly, a CDN edge server needs to be designated as the destination for all of your inbound HTTP/S traffic. This can be achieved through the following modifications to your Domain Name System (DNS):
- Configuring your domain's A record so that it resolves to your CDN's IP range
- Pointing your subdomains' CNAME records to the respective subdomains provided by your CDN
Following these changes, all visitor requests to any URL or resource on your domain will be directed by DNS to one of your CDN's edge servers. Because CDNs use anycast routing, this is typically the edge server closest to the individual visitor.
2. How does a CDN protect my origin server?
As the gateway for all HTTP/S traffic, a CDN is ideally placed to inspect incoming HTTP/S requests. This enables it to identify and filter out web application attacks (e.g., SQL injection, XSS and RFI) before they can reach your origin server. The same logic holds true for application layer DDoS and malicious bots (e.g., spammers and scrapers).
Additionally, once your DNS records point to the CDN, your domain resolves to your CDN provider's IPs rather than your own. This effectively hides your origin's IP addresses and protects it from direct-to-IP attacks (e.g., network layer DDoS floods).
3. Is my IP completely masked once I onboard a CDN?
Not exactly. The above-mentioned rerouting mechanism, while effective, can be circumvented if attackers can expose your IP data using historical records of your domain or through other origin-exposing attacks.
Therefore, additional steps should be taken to protect your web server, including:
- Avoiding generic subdomain names – If some of your domain-related services (e.g., FTP or mail) are not protected by a CDN, their subdomains can be resolved to uncover the IP address of your origin. This is why, after onboarding a CDN, you should avoid using generic subdomains for these services; for example, change ftp.mydomain.com to 650Ftp.mydomain.com.
- Changing your IP address – To block attackers from using historical records to uncover your origin IP, you should change your IP address after onboarding a CDN. Doing so renders any residual references useless.
Read more about how you can avoid origin-exposing attacks.
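To verify the two precautions above against your own zone, the following added example (not part of the original guide) audits a list of DNS records and flags hosts that still resolve to the origin IP, resolve outside the CDN's edge ranges, or use a generic service name off the CDN. The CDN ranges, origin IPs and zone records are constructed placeholder values; in practice you would load them from your DNS provider's zone export and your CDN's published IP list.

```python
"""Audit a DNS zone for records that undermine the CDN's masking of the origin.

Added example, not the guide's or any CDN provider's code. All addresses and
hostnames below are constructed sample data (RFC 5737 documentation ranges).
"""
import ipaddress

# Constructed sample: the CDN provider's published edge ranges
CDN_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample: the origin's real addresses that must stay hidden
ORIGIN_IPS = {ipaddress.ip_address("192.0.2.10")}

# Generic service labels the guide warns about; extend with your own services
GENERIC_LABELS = {"ftp", "mail"}

# Constructed sample zone: (name, record type, value)
ZONE = [
    ("mydomain.com", "A", "198.51.100.7"),                       # on CDN
    ("www.mydomain.com", "CNAME", "mydomain.cdn-provider.example"),
    ("ftp.mydomain.com", "A", "192.0.2.10"),     # generic name AND origin IP
    ("mail.mydomain.com", "A", "192.0.2.25"),    # generic name, off-CDN host
    ("650Ftp.mydomain.com", "A", "192.0.2.10"),  # renamed, but origin IP unchanged
    ("api.mydomain.com", "A", "203.0.113.40"),   # on CDN
]


def audit_zone(zone, cdn_ranges=CDN_RANGES, origin_ips=ORIGIN_IPS):
    """Return {hostname: [findings]} for every A record that weakens the mask."""
    findings = {}
    for name, rtype, value in zone:
        if rtype != "A":
            continue  # CNAMEs to the CDN are the intended setup; nothing to check
        issues = []
        ip = ipaddress.ip_address(value)
        on_cdn = any(ip in net for net in cdn_ranges)
        if ip in origin_ips:
            issues.append("resolves directly to an origin IP")
        elif not on_cdn:
            issues.append("resolves outside the CDN's ranges")
        if not on_cdn and name.split(".")[0].lower() in GENERIC_LABELS:
            issues.append("generic service subdomain, easy to guess")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit_zone(ZONE).items():
        print(f"{host}: {'; '.join(issues)}")
```

Note that 650Ftp.mydomain.com is still flagged: renaming the subdomain does not help while the record points at the unchanged origin IP, which is why the guide pairs renaming with changing the IP address.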
4. Can a CDN offload all content delivery from my origin server?
Not likely. While most CDNs offload a considerable part of all content delivery tasks, the exact amount depends on the CDN’s capabilities and the particulars of your website.
More advanced CDNs can also cache dynamically generated content (e.g., WordPress HTML files, which are created on the fly). With such capabilities, caching potential increases to 60%-80%, or more.
5. What can a CDN do if I have multiple origins or data centers?
The reverse proxy nature of CDNs allows them to function as load balancers and distribute traffic to your data centers, all while controlling the flow of incoming traffic to maximize performance and reduce server load.
Because of their on-edge positioning, CDN servers have better visibility into incoming traffic. This enables CDNs to employ application layer load balancing algorithms that improve traffic distribution efficiency by precisely gauging the actual load on each of your origin servers.
To learn more about different CDN functions and how they impact your origin performance, continue reading the other entries in this guide. You might want to start with chapter one: What is a CDN.