Content delivery
Content Delivery Networks (CDNs) allow you to quickly deliver your site content by caching content appropriately for improved speed and performance. Magnolia PaaS uses Fastly as the default CDN.
For more on cache in Magnolia PaaS, see here. |
Some screenshots on this page are in dark mode. You can set your own Cockpit to dark mode in your User preferences. |

CDN statistics
You can view your CDN statistics for an active domain in a content delivery server.
You must register a domain in the cockpit. If you haven’t done that, see Manage CDN domains. |
The statistics sections remain empty until you enable a domain for the content delivery server. |
View stats
-
Go to Content delivery > Statistics.
-
Select the desired domain from the dropdown list.
-
Select the Date Range for the statistics.

Statistic | Description | ||
---|---|---|---|
Hit Ration |
Rate of hits over all requests per second in the last hour. |
||
Hits |
Requests per second with |
||
Miss |
Requests per second with |
||
Miss Time |
Requests per millisecond with |
||
Requests |
Requests per second in the last hour. |
||
Errors |
Requests per second with |
||
GRAPHS |
|||
Requests graph |
Number of requests over a selected time range. |
||
Bandwidth graph |
Number of bytes transmitted over a selected time range. |
||
Global POP Traffic |
The global Point of Presence (POP) traffic over a selected time range. These are the key access points from which the CDN delivers its service.
|
Purge CDN
To purge the entire cache from the content delivery server for the domains in the selector, click Purge CDN. Alternatively, you can purge by URL.
For more, see Purging. |

It does not currently purge your magnolia instances cache. |
Purge URL
Instead of purging the entire cache, you may want to simply purge a single object from all cache servers. In this case, you will want to use the Purge URL option in the Cockpit.
Instructions
-
Go to Content delivery > Statistics.
-
Under CDN Actions, click Purge URL.
-
In the dialog:
-
Choose your desired Domain from the dropdown list.
-
Enter the Full URL path of the object that you want to purge.
-
Optionally select to perform a Soft purge.
If unselected, a hard purge is performed which immediately makes the object inaccessible. Soft purges mark the object as stale, but it is still accessible.
Stale objects can reduce backend loads by allowing for conditional revalidation and other performance-enhancing patterns. For more, see Fastly’s soft vs hard purge docs.
-
Click Purge URL.
-
Manage CDN domains
If you are unable to access the Content delivery section of the Cockpit, please contact the Helpdesk. |
Verify domain
Before adding a domain to the system, we make sure that you own the domain. Depending on the validation type you chose when adding the domain, you’ll need to provide either the CNAME
or A
record.
Once you have provided this, the validation is automatically handled by our side.
To verify by HTTP
, you can change the A
and AAAA
record to point to the desired cluster.
www.ggogle.com. 60 IN A $IPv4OfClusterOrFastly (1)
www.ggogle.com. 60 IN AAAA $IPv6OfClusterOrFastly (2)
1 | ipv4 cluster example |
2 | ipv6 cluster example |
If you change the A and/or AAAA records, requests to the domain will go to the PaaS cluster. Since it takes some time (minutes) to verify and automatically issue a new certificate, your site may be unreachable until this process is done. This verification method is only recommended for new domains or where a short downtime of the domain’s site is tolerable. The verification then happens automatically in the background as soon as the A and AAAA records have been changed.
|
You can check the verification status at anytime in the Cockpit. |
You’ll need to add the CNAME
record in the DNS zone for your domain.
_acme-challenge.opera.mplatform.int.magnolia-platform.com. 60 IN CNAME d448a399-4249-4ed8-a45f-36fff888f71b.auth.mirohost.ch.auth.mirohost.ch. (1)
This allows us to verify you have control over the domain and automatically issue certificates for the domain before changing the A
record. This way a new setup or a cutover can be fully verified before switching DNS.
Certificates can be auto-renewed this way and you don’t have to take care of it yourself.
The system continually verifies things in the background so please do not alter the record as long as you need the domain to be active in Magnolia PaaS. As soon as the record has been created, it will be automatically verified.
You can check the verification status at anytime in the Cockpit. |
Custom certificates
You can upload your own custom certificates directly in the Cockpit under the Content delivery section and the Custom certificates tab. See?

Prerequisites
-
You must have first added and verified a domain.
These domains are the only domains available to which certificates can be added.
Once the domain is created and verified, a Certificate signing request (CSR) is generated. You’ll need to Sign the certificate as part of the upload instructions below. |
Add certificate
Follow the instructions here to add a certificate.
The maximum number of subdomains per domain is 100.
The maximum subdomain and domain length combined is 250 characters.
-
Go to your Cockpit and navigate to Content delivery.
-
Click the Custom certificates tab.
-
Choose the Cluster (from the dropdown menu) which holds the domain for which you want to upload a certificate.
-
Click Add certificate.
-
Give the certificate a Name.
Names must start with a letter and can contain letters, numbers, hyphens (
-
), and underscores (_
) only. -
Select the Namespace to which you want to add the certificate.
These are virtual clusters within a project backed by a physical cluster.
-
If applicable, select the Is custom checkbox.
-
Select the domain from the list where you want to add a certificate.
-
If desired, add a subdomain.
-
Click Add certificate to complete the process.
-
Sign certificate
-
Go to your Cockpit and navigate to Content delivery.
-
Click the Custom certificates tab.
-
From the table, select the certificate you want to sign.
-
On the right, click the green circle with lines.
-
Click Sign certificate.
-
Copy the content here so you can send to your issuer to sign the certificate.
Example request
-----BEGIN CERTIFICATE REQUEST----- MIIDRDCCAiwCAQAwNDEyMDAGA1UEAxMpb3BlcmEubXBsYXRmb3JtLmludC5tYWdu b2xpYS1wbGF0Zm9ybS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQCpT1amMErv06ta8s8LIbJ+uxJWbXcLnDffm2ybpsGzOkuIIEEymJHUilH3+ri8 govrlpQnprNCqJt1ij06x69jrIfsTRInHKVRxkJ/faOn/usswFV0NEkL7/FeNg5U QdqT8Od6Xtjuuxtan9Q14GjYn2s0nztqoBPxPJmfZCGR3iwgsMsL6aAakx1ybXny Pjg4+U4BATYTMrMVfMi2LNFx+D6QcxfeXFupecrkeeWRhKGf2u4fCZameK/+C66d dbqw/65QZN6nhYafUOhFQed6d+0Dto/sLVtmJntXghefy5lK1GAiT2AUpratgqmi uP+flBcbf9LvzHheoirShn0DAgMBAAGggcowgccGCSqGSIb3DQEJDjGBuTCBtjAY BgNVHRgEERgPMjAyMjExMTcyMzAwMDBaMIGZBgNVHREEgZEwgY6CKW9wZXJhLm1w bGF0Zm9ybS5pbnQubWFnbm9saWEtcGxhdGZvcm0uY29tgi9mdXJzci5vcGVyYS5t cGxhdGZvcm0uaW50Lm1hZ25vbGlhLXBsYXRmb3JtLmNvbYIwc2Vjb25kLm9wZXJh Lm1wbGF0Zm9ybS5pbnQubWFnbm9saWEtcGxhdGZvcm0uY29tMA0GCSqGSIb3DQEB BQUAA4IBAQBXP//4UUrsd7ZZn0JjbmFXHzgAsHzqhHsj9z80wzhJ2JOQAn2tKIr5 hBacmZCl04jPNVoPV3/0aErQWdVFuBILO4EogI006iNL4i5sWghEyTtr7sGw6+jo 28QH5sNhtNiMjWmKW3hfPJaRjKfAWh4WVqB2ebL/BVOzcgaUeha70Q2GpkuthgvB PYjX6bZihgFUSxUfdptYwQZm5Z3F5S6cvUgKBUmtwhi9V5Io4oNBOhoWlfkEQ9Bt 6sVIF7umQNl0JcKCbZSFspsKLTYQK/2FZQE+r3WxIcnqEjBaIiRSlxD3Pd6Sq3/h Ao2cgWeOrdqM8fM73zo64fZgMfIMN0s9 -----END CERTIFICATE REQUEST-----
-
Once you have your signed certificate from your issuer, paste it into the Paste signed certificate text area.
-
Click Sign certificate once more to complete the process.
-
Create redirects
You can view redirects that you have created or add them directly yourself from the Cockpit.
Redirects prerequisites
You need to ensure the following prerequisites are met in order to use the redirects feature in Magnolia PaaS.
-
You must be using at least helm chart version
1.6.2
. Anything earlier than this, and you’ll need to upgrade. The latest helm chart version is1.6.2
. -
You should add the following to your helm chart:
magnoliaPublic.redirects.enabled = true
Good to knows
-
Redirects are evaluated in order of appearance when entered. The first match is accepted.
-
You can use RE2 syntax.
RE2 Syntax examplesRegex example
https://www.example.com/0-9{2}(bar|baz)
matcheshttps://www.example.com/01bar
orhttps://www.example.com/14baz
Wildcard example
https://www.example.com/(.*)
→https://www.example.com/$1.html
redirectshttps://www.example.com/test
tohttps://www.example.com/test.html
-
Only
3xx
status codes are acceptable. Different codes affect the browser in different ways. For more, see here. -
Wrong entries in a CSV file won’t cause any issues. They’ll simply be ignored.
Add redirects
-
Go to Content delivery > Redirects.
-
Select the desired Cluster from the dropdown list.
-
Select the desired Environment from the dropdown list.
-
Add a single redirect or import a redirect CSV file.
-
Click Add redirect.
-
In the dialog, fill out the following.
-
The Source URL. This is the place to redirect from.
-
The Target URL. This is the place to redirect to.
-
The Code. This is the http status code passed with the redirect. Only
3xx
http codes are acceptable. -
Click Add redirect to complete the action.
-
-
Click Add redirects (CSV).
-
Click Choose File to import a CSV file for redirects.
formatsource,target,code (1)
1 Only 3xx
http codes are acceptable.examplehttps://www.example.com/,\https://www.example.be/foo.html,308
-
Select your file.
-
Click Add redirects (CSV) to complete the action.
-
Block IPs
If you spot a malicious IP or need to block IPs for whatever reason, you can block them directly from the Cockpit.
This is only applicable if you are using Fastly as your CDN. Otherwise, you can block IPs using an ingress. |
Instructions
You can block a single IP or a list of IPs by importing a csv
file.
-
Go to Content delivery > Block IP (tab).
-
Select the desired Cluster from the dropdown list.
-
Choose to block a single IP or import a list to block:
-
Click Block IP.
-
Enter the CIDR[1].
-
Add a comment.
-
Click Block IP.
-
Click Block IP (CSV).
-
Select the file you wish to upload.
-
Click Block IP (CSV).
See an example format and CSV file below these instructions.
- CSV entry format
-
CIDR[1],Comment
example csv file192.169.0.0/16,local network range 23.45.67.111/32, 2002::1234:abcd:ffff:c0a8:101/64 192.169.0.1/12,"commas, in, a, comment, example" (1)
1 Comments are optional. However, if you use them and there are commas in your comment, be sure to wrap the comment in double quotations. Otherwise, it may be read as a separate entry in the CSV file. -
Webapp firewall
Web Application Firewalls, or WAFs, protect web applications from common malicious attacks such as cross-site-scripting (XSS) and SQL injections. Essentially, they act as a type of wall or shield between your web application and the internet. If you have your own CDN for your project, you’ll likely have your own WAF.
If you choose to go with the default CDN for Magnolia PaaS, you’ll be protected with the Fastly WAF.
The Fastly WAF inspects the web traffic at the HTTP application layer by looking at all HTTP and HTTPS requests (both header and body included). This can be configured specifically for your deployment.
View WAF information
To view passed, logged, and blocked requests for your WAF:
-
Go to Content delivery > WAF (tab).
-
Select the desired Cluster from the dropdown list.
-
Select the desired Domain from the dropdown list.
-
Select the Date Range for the statistics.
-
Choose the Traffic or Origin tab to see the desired section(s) to see the results.
See WAF graphs below for more details on each metric.
WAF graphs
Traffic
Under the Traffic tab, you can view the following:
Metric | Description and Visual | ||
---|---|---|---|
Total requests |
Displays the total requests to the WAF in the specified time period. |
||
Total blocked requests |
Displays the total blocked requests to the WAF in the specified time period. |
||
Total requests per WAF status |
Displays the total requests broken down by WAF status.
|
||
Total requests per WAF status over time |
Displays the total requests broken down by WAF status by the time period.
|
||
Total blocked requests per host |
Displays the total blocked requests broken down by host. |
Origin
Under the Origin tab, you can view the following:
Metric | Description and Visual | ||
---|---|---|---|
Blocked request per zones |
Displays (as a map) the blocked requests per geographic zone.
|
||
Blocked request per zones and host: |
Displays the blocked requests per zone, showing the zones with the most blocked requests first. |