Menu

Lumen help

Access control

This section explains how to set up geographic location blocking (geo-blocking) and token authentication.
 

Once a geo-blocking rule is configured, it causes an edge server to use the client IP address to determine a geo location and evaluate against the defined allow or deny list. The configuration of a geoblocking object includes the following:


geoid—array of geo IDs as defined in GeoDefs

Type allow or deny.

 

Token authentication allows customers to protect content from URL tampering or unauthorized re-use or re-publication via email forwarding or deep linking to content. Using shared secrets defined in the tokens, a URL signature appended to the query string of the resource URL can be validated by the CDN before serving content without contacting the customer environment for authentication.

 

The configuration of the tokenauth object applies to all tokens defined in the Tokens section and includes the following:

action Currently limited to "fail"

 

Because token authentication requires the addition of query string parameters to the URL, content manipulation qshmode for assets to be protected using token authentication should typically be set to action: "ignore".

Description

Creates a new AccessControl group of a service component or a property. An AccessControl group can include a geo-blocking and a tokenauth object. A geo-blocking setting includes an array of geo ids and a type specifying an allow or deny filter. The tokenauth setting includes token ID and the action attribute, which is currently limited to "fail".

Method

POST

Base URI

https://ws.level3.com

Body syntax

{
"AccessControl":
{"geoblocking":
{# optional "geoid": [" <geoid>", … ] # required
"action": ("deny" | "allow" ) # required},
"tokenauth":
{ # optional "action": "fail" # required
}
}
}

URI syntax

/serviceConfiguration/(version)/(scope)/ResourceGroups/(rgid)/ConfGroups/AccessControl

version [CDATA[ ]] Values: "v1.0" (required)
scope [CDATA[ ]] (AG)/(SCID)[/(ALIAS)]

AG = Access Group

SCID = Service Component Identifier

ALIAS = Optional Alias identifies Property

Example

https://ws.level3.com/serviceConfiguration/v1.0/1234/BBBN5678/test1.caching.cdn.level3.net/ResourceGroups/videos/ConfGroups/AccessControl

https://ws.level3.com/serviceConfiguration/v1.0/1234/BBBN5678/ResourceGroups/videos/ConfGroups/AccessControl

{
"AccessControl": {
"geoblocking": {
"geoid": [ "NorthAmerica" ],
"type": "allow"
}
}
}

{
"AccessControl": {
"geoblocking": {
"geoid": [ "NorthAmerica" ],
"type": "allow"
}
}
}

Possible status and error messages returned to client

201: Created

Description

Retrieves the access control configuration group of a given resource group for service component or property.

Method

GET

Base URI

https://ws.level3.com

URI syntax

/serviceConfiguration/(version)/(scope)/ResourceGroups/(rgid)/ConfGroups/AccessControl

version [CDATA[ ]] Values: "v1.0" (required)
scope [CDATA[ ]] (AG)/(SCID)[/(ALIAS)]

AG = Access Group

SCID = Service Component Identifier

ALIAS = Optional Alias identifies Property

Example

https://ws.level3.com/serviceConfiguration/v1.0/1234/BBBN5678/test1.caching.cdn.level3.net/ResourceGroups/videos/ConfGroups/AccessControl

https://ws.level3.com/serviceConfiguration/v1.0/1234/BBBN5678/ResourceGroups/videos/ConfGroups/AccessControl

{
"AccessControl": {
"tokenauth": {
"action": "fail"
},
"geoblocking": {
"geoid": [ "NorthAmerica", "Asia" ],
"type": "deny"
}
}
}

Possible status and error messages returned to client

200: Request Successful.

Description

Updates an AccessControl group of a service component or a property. An AccessControl group can include a geo-blocking and a tokenauth object. A geo-blocking setting includes an array of geo IDs and a type specifying an allow or deny filter.

The tokenauth setting comprises an array of token IDs and an action attribute. Action is currently limited to "fail". The update applies to adding or removing the geo-blocking or tokenauth objects or changes to such objects themselves.

Method

PUT

Base URI

https://ws.level3.com

Body syntax

{
"AccessControl": {
"geoblocking": { # optional
"geoid": [ "<geoid>", … ] # required
"action": ("deny" | "allow" ) # required
},
"tokenauth": { # optional
"type": "fail" # required
}
}
}

URI syntax

/serviceConfiguration/(version)/(scope)/ResourceGroups/(rgid)/ConfGroups/AccessControl

version [CDATA[ ]] Values: "v1.0" (required)
scope [CDATA[ ]] (AG)/(SCID)[/(ALIAS)]

AG = Access Group

SCID = Service Component Identifier

ALIAS = Optional Alias identifies Property

Example

https://ws.level3.com/serviceConfiguration/v1.0/1234/BBBN5678/test1.caching.cdn.level3.net/ResourceGroups/videos/ConfGroups/AccessControl

https://ws.level3.com/serviceConfiguration/v1.0/1234/BBBN5678/ResourceGroups/videos/ConfGroups/AccessControl

{
"AccessControl": {
"geoblocking": {
"geoid": [ "NorthAmerica", "Asia" ],
"type": "allow"
},
"tokenauth": {
"action": "fail"
}
}
}

[Empty]

Possible status and error messages returned to client

204: Success no Content.