All Products
Search
Document Center

CDN:What is HTTPS secure acceleration?

Last Updated:Feb 19, 2024

HTTPS encrypts data by using the TLS/SSL protocol based on HTTP. This prevents data from being monitored, intercepted, or tampered with by third parties. You can configure an SSL certificate in the Alibaba Cloud CDN console to encrypt requests between the clients and Alibaba Cloud CDN to ensure data security.

Benefits

  • HTTPS secure acceleration protects communications from eavesdropping, tampering, impersonation attacks, and man-in-the-middle (MITM) attacks. HTTPS encrypts critical information in transit such as session IDs and cookies. This minimizes the risk of sensitive information leaks.

  • HTTPS is the new standard. If you use HTTP, your website may be exposed to security risks and users who visit your website are prompted that the website is not secure. This compromises user experience.

  • Mainstream search engines assign a higher weight to HTTPS-capable websites. After you enable HTTPS for your website, the website can achieve a higher ranking in search engine results.

SSL/TLS certificates

SSL is located between the TCP/IP protocol and various application layer protocols. Clients, such as browsers, can use SSL to verify the authenticity and integrity of connections between servers and clients, and encrypt data for transmission.

Internet Engineering Task Force (IETF) standardized SSL and changed the name to Transport Layer Security (TLS). Therefore, the protocol is referred to as SSL/TLS.

SSL certificates use the SSL protocol for communications. SSL certificates are credentials that are issued by certificate authorities (CAs) to websites to authenticate the identities of websites and encrypt data for transmission.

End-to-end data transfer over HTTPS

The following figure shows how HTTPS encryption works when a client initiates a request to a server.

image
  1. Configure an SSL certificate in the Alibaba Cloud CDN console to allow HTTPS connections between clients and points of presence (POPs).

    Note

    HTTPS secure acceleration is a value-added service. After you enable HTTPS secure acceleration, you are charged for basic services and HTTPS requests. For more information, see Billing of HTTPS requests for static content.

  2. Configure an SSL certificate on the origin server and configure origin fetch over HTTPS. For more information, see Configure the origin protocol policy.

    Note

    If you want to implement end-to-end data transfer over HTTPS, make sure that the origin server supports HTTPS before you configure origin fetch over HTTPS. For more information, see Configure the origin protocol policy.

Configure HTTPS secure acceleration between clients and POPs

Step 1: Prepare a certificate for the accelerated domain name

Only certificates in the PEM format are supported. You can convert certificates in other formats to the PEM format. For more information, see Convert certificate formats.

You can apply for a free certificate or purchase an advanced certificate in the Certificate Management Service console.

You can also apply for a certificate from a third-party CA. The issued certificate must meet the certificate format requirements. For more information, see Certificate formats.

Step 2: Enable HTTPS secure acceleration

  1. Required. After you prepare an SSL certificate, configure the certificate for the accelerated domain name before you enable HTTPS secure acceleration. For more information, see Configure an SSL certificate.

  1. Optional. Configure more features based on your business requirements.

    Category

    Feature

    Description

    Configure client access protocols

    Configure URL redirection

    You can use 301 redirection to redirect HTTP requests from clients to POPs to HTTPS or redirect HTTPS to HTTP.

    Configure HSTS

    You can configure HSTS to force clients, such as browsers, to connect to POPs over HTTPS. This reduces the risk of cookie hijacking.

    Specify the protocol version

    Configure HTTP/2

    HTTP/2, originally named HTTP/2.0, is the first new version of HTTP since HTTP/1.1. HTTP/2 is a binary protocol that supports multiplexing and header compression. This protocol improves web performance and reduces network latency.

    Configure TLS versions and cipher suites

    After you configure a TLS version, only clients that use the specific version of TLS can send requests to and receive requests from POPs. This meets the security requirements of communication links.

    Accelerate the verification of the SSL certificate

    Configure OCSP stapling

    POPs cache certificate verification results and then send the results to clients without the need for the clients to verify certificates with the CAs. This reduces the verification time.

FAQ