When I first entered the industry, I also thought that the API documentation of the high-defense CDN was placed on the surface like the goods in the supermarket, and as a result, I stepped on the pit and stepped on the pit to doubt my life. Once in order to find a real-time traffic statistics interface, rummage through every corner of the service provider's official website, and finally found a hidden entrance in the community forum's old post in 2016 - this thing is hidden deeper than the Cold War spies.
The distribution of API documents of mainstream high-defense CDN service providers on the market is extremely fragmented. Some directly put the entrance on the console home page, some need to apply for an API key before unlocking the document permissions, more outrageous is that some vendors actually scattered in the document under three different sub-domains. I found that vendors like CDN5 are smarter, logging into the console directly in the upper right corner of the "Developer Center" resident entrance, while CDN07 needs to open the API access rights in the "account security" before the document link will appear in the lower left corner of the Help Center.
Do not believe those so-called "the most complete API documentation collection" of third-party websites, last year I have seen some people outdated interface documents as a baby for the results of the call frequency limit parameters have long been changed from 200 times per minute to 50 times, which directly leads to online business frequently reported errors. The most reliable or directly nibble on the official documents, although sometimes it takes a little effort to find.
Mainstream service provider documentation to obtain the actual battle
Let's start with CDN5, which is a developer-friendly document. After logging into the console does not need to apply for additional permissions, directly in the "Tools and Integration" - "API Management" page will be able to see the real-time documentation. The key is that they provide SDK download and online debugging tools, new API key as long as two steps:
CDN07 is a bit of a detour, you have to find the "Advanced Features" tab in your account security settings, and you have to verify your cell phone after opening API access. Their documents are distributed in two places: the basic configuration interface is in the "Developer's Guide" in the Help Center, and the security policy-related APIs are actually placed separately in the "Open Interface" section of the DDoS Protection Console - the design logic is comparable to a labyrinth.
08Host even more desperate, the document is not open to the public at all, you need to contact customer service to apply for "partner API permissions", after receiving the encrypted zip package, but also to use the GPG key provided to decrypt. I helped the customer integration last year when I waited for three whole days, after decompression found that the document also has 2018 on the abandoned interface parameters ...... So if you want to use his API, it is recommended to directly find the technical customer service to ask for the latest version, don't use those versions circulated on the Internet.
API call those pitfalls
Finding the documentation is only the first step, and there are more pits in the actual invocation. Most high-defense CDN service providers now require double authentication: in addition to the API key must also be added to the dynamic token. 08Host's signature algorithm is particularly perverse, you need to do three SHA256 hashes of timestamps, keys, and non-ce parameter splicing:
Traffic statistics interface is the most prone to problems. Once I called the CDN07 bandwidth query interface according to the document example, the result of the return data unit for a while is Mbps for a while is Kbps, and then realized that according to the time period to automatically switch the unit - this kind of dark pit in the document will not be written, can only rely on the packet debugging.
The cleaning status query interface is also a disaster area. When encountering DDoS attacks, high defense CDNs will automatically switch to cleaning mode, but the status return value of each is extremely different. CDN5 uses the numbers 0-4 to indicate the intensity of cleaning, 08Host directly uses the string "light/heavy/excessive", and CDN07 is even more outrageous - the return of the hexadecimal code needs to be looked up in the I suggest wrapping a unified status parser. I suggest wrapping a unified state parser:
Security policy must be pulled full
These days even CDNs have to be "teammate-proof". Last year there was a case where an attacker maliciously swiped hundreds of terabytes of traffic through the interface because of a leaked API key. Be sure to follow the principle of least privilege:
For example, in a pure monitoring scenario, only report_read permissions are given, and a separate key with only cache_purge permissions is created for cache refresh operations.CDN5 supports IP-based whitelisting of API access restrictions, and it is recommended to tie up all the IPs of the API call servers in the production environment:
Never hardcode API keys in client-side code! I've seen people write the key in a JavaScript file, only to be caught by a crawler. The right thing to do is to relay the call through a backend service, or use a short-term token (such as the 2-hour valid temporary token supported by 08Host).
How to track document updates
API iterations for high defense CDNs are much faster than expected, especially when it comes to new DDoS attack techniques, where several new protection parameters may be added in a week. I have three reliable methods:
Subscribe to the official changelog RSS (both CDN5 and CDN07 provide it), watch their SDK repository on GitHub (08Host's SDK update is more timely than the documentation), the most earthy but effective is to add a few vendors' tech groups - their customer service often sends out the update notification first in the group! The most rustic but most effective is to add a few vendors' technical exchange groups - their customer service often sends out update notifications in the group first, and updates the documentation only every other day.
Last year, when CDN07 suddenly changed the parameter name of "CC Protection Threshold" from cc_level to cc_protection_level, if it wasn't for someone in the group who tipped us off in advance, our automation scripts would have collapsed. Now I've gotten into the habit of checking the interface version number before each API call:
in the final analysis
Finding API documents for high defense CDNs is like playing a scavenger hunt, and the location of the treasure map and the way to decrypt it vary greatly from service provider to service provider. But once you master each set, you can deeply integrate the high defense capabilities into your own operation and maintenance system - from automatic capacity expansion to emergency response to attacks, the whole chain automation is the ultimate goal.
Recently, I helped an e-commerce customer use CDN5's API to make a smart scheduling system: real-time monitoring of the cleaning status, and automatically switching the core static resources to 08Host's standby node in the event of an attack on the mega-traffic. This system can really save your life at critical moments, and last month it carried a hybrid attack of 800Gbps with zero business interruption.
If you are just starting out, it is recommended that you start with CDN5's sandbox environment, which has the most detailed error messages and is relatively user-friendly for debugging. Remember: API documentation is not a bible, always lagging behind the actual function, really encounter problems directly to technical support is more efficient than looking through the documents - of course, provided that you buy the service package includes technical support access.
