Content delivery

Content Delivery Networks (CDNs) allow you to quickly deliver your site content by caching content appropriately for improved speed and performance. Magnolia PaaS uses Fastly as the default CDN.

For more on cache in Magnolia PaaS, see here.

Some screenshots on this page are in dark mode. You can set your own Cockpit to dark mode in your User preferences.

CDN statistics

You can view your CDN statistics for an active domain in a content delivery server.

You must register a domain in the cockpit. If you haven’t done that, see Manage CDN domains.

The statistics sections remain empty until you enable a domain for the content delivery server.

View stats

Go to Content delivery > Statistics.
Select the desired domain from the dropdown list.
Select the Date Range for the statistics.

Statistic Description

Hit Ration

Rate of hits over all requests per second in the last hour.

Hits

Requests per second with hit cache status in the last hour.

Miss

Requests per second with miss cache status in the last hour.

Miss Time

Requests per millisecond with miss cache status in the last hour.

Requests

Requests per second in the last hour.

Errors

Requests per second with error cache status in the last hour.

GRAPHS

Requests graph

Number of requests over a selected time range.

Bandwidth graph

Number of bytes transmitted over a selected time range.

Global POP Traffic

The global Point of Presence (POP) traffic over a selected time range. These are the key access points from which the CDN delivers its service.

For more, see POP network.

Purge CDN

To purge the entire cache from the content delivery server for the domains in the selector, click Purge CDN. Alternatively, you can purge by URL.

For more, see Purging.

It does not currently purge your magnolia instances cache.

Purge URL

Instead of purging the entire cache, you may want to simply purge a single object from all cache servers. In this case, you will want to use the Purge URL option in the Cockpit.

Instructions

Go to Content delivery > Statistics.
Under CDN Actions, click Purge URL.

In the dialog:

Choose your desired Domain from the dropdown list.
Enter the Full URL path of the object that you want to purge.

Optionally select to perform a Soft purge.

If unselected, a hard purge is performed which immediately makes the object inaccessible. Soft purges mark the object as stale, but it is still accessible.

Stale objects can reduce backend loads by allowing for conditional revalidation and other performance-enhancing patterns. For more, see Fastly’s soft vs hard purge docs.

Click Purge URL.

Manage CDN domains

From the Domains tab under Content Delivery, you can add, verify, or delete domains.

If you are unable to access the Content delivery section of the Cockpit, please contact the Helpdesk.

Add domain

Go to Content delivery > Domains.
Click Add domain.
1. Enter the Domain you want to add.
2. Choose your desired Environment from the dropdown.
3. Select the Validation type from the dropdown.
  Options
  - http-01
  - dns-01
4. Click Add domain.

Verify domain

Before adding a domain to the system, we make sure that you own the domain. Depending on the validation type you chose when adding the domain, you’ll need to provide either the CNAME or A record.

Once you have provided this, the validation is automatically handled by our side.

HTTP-01
DNS-01

To verify by HTTP, you can change the A and AAAA record to point to the desired cluster.

www.ggogle.com. 60 IN A $IPv4OfClusterOrFastly (1)
www.ggogle.com. 60 IN AAAA $IPv6OfClusterOrFastly (2)

1	ipv4 cluster example
2	ipv6 cluster example

If you change the A and/or AAAA records, requests to the domain will go to the PaaS cluster. Since it takes some time (minutes) to verify and automatically issue a new certificate, your site may be unreachable until this process is done. This verification method is only recommended for new domains or where a short downtime of the domain’s site is tolerable. The verification then happens automatically in the background as soon as the A and AAAA records have been changed.

You can check the verification status at anytime in the Cockpit.

You’ll need to add the CNAME record in the DNS zone for your domain.

_acme-challenge.opera.mplatform.int.magnolia-platform.com. 60 IN CNAME d448a399-4249-4ed8-a45f-36fff888f71b.auth.mirohost.ch.auth.mirohost.ch. (1)

This allows us to verify you have control over the domain and automatically issue certificates for the domain before changing the A record. This way a new setup or a cutover can be fully verified before switching DNS.

Certificates can be auto-renewed this way and you don’t have to take care of it yourself.

The system continually verifies things in the background so please do not alter the record as long as you need the domain to be active in Magnolia PaaS. As soon as the record has been created, it will be automatically verified.

You can check the verification status at anytime in the Cockpit.

From the Cockpit

You can see if your domain is verified by going to Content delivery > Domains (tab) and checking out whether you have the or icon next to the domain as shown below.

verified notVerified domain

Delete domain

Go to Content delivery > Domains.
Click on the desired domain.
Click Delete domain.

Custom certificates

You can upload your own custom certificates directly in the Cockpit under the Content delivery section and the Custom certificates tab. See?

Prerequisites

You must have first added and verified a domain.

These domains are the only domains available to which certificates can be added.

Once the domain is created and verified, a Certificate signing request (CSR) is generated. You’ll need to Sign the certificate as part of the upload instructions below.

Add certificate

Follow the instructions here to add a certificate.

Limitations

The maximum number of subdomains per domain is 100.
The maximum subdomain and domain length combined is 250 characters.

Go to your Cockpit and navigate to Content delivery.
Click the Custom certificates tab.
Choose the Cluster (from the dropdown menu) which holds the domain for which you want to upload a certificate.
Click Add certificate.
1. Give the certificate a Name.
  
  Names must start with a letter and can contain letters, numbers, hyphens (-), and underscores (_) only.
2. Select the Namespace to which you want to add the certificate.
  
  These are virtual clusters within a project backed by a physical cluster.
3. If applicable, select the Is custom checkbox.
4. Select the domain from the list where you want to add a certificate.
5. If desired, add a subdomain.
6. Click Add certificate to complete the process.

Sign certificate

Go to your Cockpit and navigate to Content delivery.
Click the Custom certificates tab.
From the table, select the certificate you want to sign.
On the right, click the green circle with lines.

Click Sign certificate.

Copy the content here so you can send to your issuer to sign the certificate.

Example request

Once you have your signed certificate from your issuer, paste it into the Paste signed certificate text area.
Click Sign certificate once more to complete the process.

Delete certificate

Go to your Cockpit and navigate to Content delivery.
Click the Custom certificates tab.
From the table, select the certificate you want to delete.
On the right, click the green circle with lines.
Click Delete.

Create redirects

You can view redirects that you have created or add them directly yourself from the Cockpit.

Redirects prerequisites

You need to ensure the following prerequisites are met in order to use the redirects feature in Magnolia PaaS.

You must be using at least helm chart version 1.6.2. Anything earlier than this, and you’ll need to upgrade. The latest helm chart version is 1.6.2.
You should add the following to your helm chart:
```
magnoliaPublic.redirects.enabled = true
```

Good to knows

Redirects are evaluated in order of appearance when entered. The first match is accepted.
You can use RE2 syntax.

RE2 Syntax examples

Regex example

https://www.example.com/0-9{2}(bar|baz) matches https://www.example.com/01bar or https://www.example.com/14baz

Wildcard example

https://www.example.com/(.*) → https://www.example.com/$1.html redirects https://www.example.com/test to https://www.example.com/test.html
Only 3xx status codes are acceptable. Different codes affect the browser in different ways. For more, see here.
Wrong entries in a CSV file won’t cause any issues. They’ll simply be ignored.

Add redirects

Go to Content delivery > Redirects.
Select the desired Cluster from the dropdown list.
Select the desired Environment from the dropdown list.
Add a single redirect or import a redirect CSV file.
- Add redirect
- Add redirects (CSV)
Click Add redirect.

In the dialog, fill out the following.

The Source URL. This is the place to redirect from.

The Target URL. This is the place to redirect to.

The Code. This is the http status code passed with the redirect. Only 3xx http codes are acceptable.

Click Add redirect to complete the action.
Click Add redirects (CSV).

Click Choose File to import a CSV file for redirects.

format

source,target,code (1)

1 Only 3xx http codes are acceptable.

example

https://www.example.com/,\https://www.example.be/foo.html,308

Select your file.

Click Add redirects (CSV) to complete the action.

Block IPs

If you spot a malicious IP or need to block IPs for whatever reason, you can block them directly from the Cockpit.

This is only applicable if you are using Fastly as your CDN. Otherwise, you can block IPs using an ingress.

Instructions

You can block a single IP or a list of IPs by importing a csv file.

Go to Content delivery > Block IP (tab).
Select the desired Cluster from the dropdown list.

Choose to block a single IP or import a list to block:

Block IP
Block multiple IPs

Click Block IP.
Enter the CIDR^[1].
Add a comment.
Click Block IP.

block ip

Click Block IP (CSV).
Select the file you wish to upload.
Click Block IP (CSV).

See an example format and CSV file below these instructions.

block ip csv

CSV entry format: CIDR^[1],Comment

example csv file

192.169.0.0/16,local network range
23.45.67.111/32,
2002::1234:abcd:ffff:c0a8:101/64
192.169.0.1/12,"commas, in, a, comment, example" (1)

1	Comments are optional. However, if you use them and there are commas in your comment, be sure to wrap the comment in double quotations. Otherwise, it may be read as a separate entry in the CSV file.

Removed a blocked IP (unblock)

Go to Content delivery > Block IP.
Select the desired Cluster from the dropdown list.
From the list of currently blocked IPs, on the right side, click the accordion icon and delete the IP.

Webapp firewall

Web Application Firewalls, or WAFs, protect web applications from common malicious attacks such as cross-site-scripting (XSS) and SQL injections. Essentially, they act as a type of wall or shield between your web application and the internet. If you have your own CDN for your project, you’ll likely have your own WAF.

If you choose to go with the default CDN for Magnolia PaaS, you’ll be protected with the Fastly WAF.

The Fastly WAF inspects the web traffic at the HTTP application layer by looking at all HTTP and HTTPS requests (both header and body included). This can be configured specifically for your deployment.

View WAF information

To view passed, logged, and blocked requests for your WAF:

Go to Content delivery > WAF (tab).
Select the desired Cluster from the dropdown list.
Select the desired Domain from the dropdown list.
Select the Date Range for the statistics.
Choose the Traffic or Origin tab to see the desired section(s) to see the results.

See WAF graphs below for more details on each metric.

WAF graphs

You can view information on the Traffic as well as the Origin of requests easily in the Cockpit.

Traffic

Under the Traffic tab, you can view the following:

Metric Description and Visual

Total requests

Displays the total requests to the WAF in the specified time period.

traffic totalRequests.totalBlockedRequests.totalRequestsPerWafStatus

Total blocked requests

Displays the total blocked requests to the WAF in the specified time period.

traffic totalRequests.totalBlockedRequests.totalRequestsPerWafStatus

Total requests per WAF status

Displays the total requests broken down by WAF status.

This is not for the specified period, but the total requests over time.

PASSED = Passed by the WAF and sent to the origin server.
LOGGED = Logged by the WAF and sent to the origin server.
BLOCKED = Blocked by the WAF.

traffic totalRequests.totalBlockedRequests.totalRequestsPerWafStatus

Total requests per WAF status over time

Displays the total requests broken down by WAF status by the time period.

This is for the specified period, and you can drag over the graph to get even more granular results.

PASSED = Passed by the WAF and sent to the origin server.
LOGGED = Logged by the WAF and sent to the origin server.
BLOCKED = Blocked by the WAF.

traffic totalRequestsPerWafStatusOverTime

Total blocked requests per host

Displays the total blocked requests broken down by host.

traffic totalRequestsPerHost

Origin

Under the Origin tab, you can view the following:

Metric Description and Visual

Blocked request per zones

Displays (as a map) the blocked requests per geographic zone.

You can zoom in and out just as you would any other modern web map.

origin blockedRequestsPerZone

Blocked request per zones and host: <host-domain>

Displays the blocked requests per zone, showing the zones with the most blocked requests first.

origin blockedRequestsPerZoneAndHost

1. Classless Inter-Domain Routing. For more, see here.