ApsaraVideo Live: Secure acceleration

Last Updated: Mar 11, 2024

ApsaraVideo Live supports the HTTPS secure acceleration and force redirect features. This topic describes how secure acceleration works, its benefits, how to configure secure acceleration, and the usage notes.

Background information

HTTP transmits data in plaintext and does not encrypt it. Node devices on the transmission path can therefore intercept HTTP data, and because the data is not encrypted, they can read its content.

Features

ApsaraVideo Live allows you to configure the HTTPS secure acceleration and force redirect features. You must configure an SSL certificate before you can use the force redirect feature.

  • HTTPS

    HTTPS is used for secure communication over networks. HTTP transmits data in plaintext. As a secure version of HTTP, HTTPS encapsulates HTTP data by using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. SSL or TLS is the security foundation of HTTPS.

    HTTPS provides authentication and encrypted communication, and is widely used for secure communication and sensitive data transmission on the Internet. According to a report released by the Electronic Frontier Foundation (EFF) in 2017, more than half of the world's web page traffic is transmitted in encrypted mode by using HTTPS.

  • Forcible redirect

    You can use the force redirect feature to redirect the original requests from a client to points of presence (POPs) as HTTP or HTTPS requests.

    If you have enabled HTTPS secure acceleration for domain names for CDN, you can forcibly redirect the original requests from users based on the specified redirect type. For example, if you set the redirect type to HTTP > HTTPS and a client initiates an HTTP request, the server returns a 301 response that redirects the request to the HTTPS version of the web page, as shown in the following figure.
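To confirm the HTTP > HTTPS redirect described above, the following added example (not part of the original documentation) parses response headers and accepts only a 301 whose Location is the HTTPS version of the same URL. The function name, the domain `live.example.com`, the path and the sample responses are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example; check_force_redirect and all sample values are hypothetical.
# Reads raw HTTP response headers on stdin and prints one verdict word.
check_force_redirect() {
  awk -v host="$1" -v path="$2" '
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    NR == 1 { status = $2; next }            # status line: HTTP/1.1 301 ...
    tolower($1) == "location:" { loc = $2 }  # header names are case-insensitive
    END {
      if (status != "301")             { print "not-301"; exit 1 }
      if (loc !~ /^https:\/\//)        { print "not-https"; exit 1 }
      if (loc != "https://" host path) { print "wrong-target"; exit 1 }
      print "ok"
    }'
}

# Constructed sample responses (not captured from a real POP).
SAMPLE_OK='HTTP/1.1 301 Moved Permanently\r\nlocation: https://live.example.com/app/stream.m3u8\r\n\r\n'
SAMPLE_302='HTTP/1.1 302 Found\r\nLocation: https://live.example.com/app/stream.m3u8\r\n\r\n'
SAMPLE_PLAIN='HTTP/1.1 301 Moved Permanently\r\nLocation: http://live.example.com/app/stream.m3u8\r\n\r\n'
SAMPLE_OTHER='HTTP/1.1 301 Moved Permanently\r\nLocation: https://cdn.example.net/\r\n\r\n'

# Live use (assumed domain):
#   curl -sI http://live.example.com/app/stream.m3u8 \
#     | check_force_redirect live.example.com /app/stream.m3u8
```

A `not-301` or `not-https` verdict means clients can still reach the content without being upgraded to HTTPS by the redirect type you configured.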

How it works

After you enable HTTPS in the ApsaraVideo Live console, requests that are transmitted from clients to ApsaraVideo Live nodes are encrypted by using HTTPS. ApsaraVideo Live nodes retrieve requested resources from origin servers and then return the resources to clients by using the protocol that is configured on the origin servers. We recommend that you configure and enable HTTPS for your origin server to implement end-to-end HTTPS encryption.

The following figure shows how HTTPS works.

  1. The client sends a request over HTTPS.

  2. The server generates a public key and a private key. You can prepare the keys on your own or request them from an authority.

  3. The server sends the public key certificate to the client.

  4. The client verifies the certificate.

    • If the certificate is valid, the client generates a random number as a key. The client uses the public key to encrypt the random number and transmits the encrypted random number to the server.

    • If the certificate is invalid, the SSL handshake fails.

    Note

    A certificate is considered valid if the following conditions are met:

    • The certificate is not expired.

    • The certificate is issued by a trusted certificate authority (CA).

    • The public key of the certificate can be used to decrypt the signature of the certificate.

    • The domain name on the server certificate is the same as the actual domain name that is hosted on the server.

  5. The server uses the private key to decrypt the encrypted random number.

  6. The server uses the random number to encrypt data and transmits the data to the client.

  7. The client uses the random number to decrypt the received data.

Benefits

  • Secure transmission: HTTPS secure acceleration protects communications against eavesdropping, tampering, impersonation attacks, and man-in-the-middle (MITM) attacks.

  • Information encryption: HTTPS encrypts sensitive information such as session IDs and cookies before transmission. This prevents security threats caused by sensitive information leakage.

  • Data integrity: HTTPS checks data integrity during transmission to protect the data against MITM attacks, such as DNS hijacking and tampering.

  • Dominant trend: An increasing number of mainstream browsers such as Google Chrome 70 and later and Mozilla Firefox have labeled HTTP URLs as not secure since 2018. If you use HTTP, your website is exposed to security risks. Users who visit your website by using these browsers are prompted that this website is not secure. This compromises user experience and may reduce visits to the website.

    Mainstream browsers prioritize HTTPS URLs in the search results. In addition, mainstream browsers must support HTTPS before they can support HTTP/2. HTTPS is a more reliable choice in terms of security, market share, and user experience. Therefore, we recommend that you upgrade your communication protocol to HTTPS.

Configuration methods

ApsaraVideo Live allows you to configure the HTTPS secure acceleration and force redirect features by using the console or API.

  • Console

    | Feature | Description | References |
    | --- | --- | --- |
    | HTTPS secure acceleration | Configures an SSL certificate. To access resources over HTTPS, you must configure an SSL certificate. For more information, see Certificate formats. | Configure HTTPS secure acceleration |
    | Force redirect | Configures the redirect type. Before you configure the feature, make sure that an SSL certificate is configured. | Forcible redirect |

  • API

    | Operation | Description | References |
    | --- | --- | --- |
    | SetLiveDomainCertificate | Enables or disables the certificate of a domain name, and modifies the certificate information. | SetLiveDomainCertificate |
    | DescribeLiveCertificateList | Queries the certificates of a specified domain name or all the domain names within your Alibaba Cloud account. | DescribeLiveCertificateList |
    | DescribeLiveCertificateDetail | Queries details of a specified certificate. | DescribeLiveCertificateDetail |
    | BatchDeleteLiveDomainConfigs | Deletes multiple domain name configurations at a time. | BatchDeleteLiveDomainConfigs |

Usage notes

Operation

Description

Disable and enable HTTPS

  • After you disable HTTPS, ApsaraVideo Live no longer supports HTTPS requests. In addition, ApsaraVideo Live deletes the SSL certificate and private key.

  • After you enable HTTPS, you must upload the certificate and private key again to enable the certificate.

Upload a certificate and a private key

  • After you enable HTTPS secure acceleration for a domain name for CDN, you must upload a certificate and a private key. Both must be in the PEM format.

    Note

    ApsaraVideo Live uses the NGINX-based Tengine web server. Therefore, ApsaraVideo Live supports only PEM certificates that can be read by NGINX.

  • ApsaraVideo Live supports only SSL and TLS handshakes that use Server Name Indication (SNI) information.

  • The uploaded certificate must match the private key. Otherwise, the certificate and private key fail the verification.

  • An updated certificate takes 1 hour to take effect.

  • The system does not support private keys for which passwords are configured.
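The upload rules above (PEM format, matching key, no password on the key) and the expiry and domain-name conditions listed under "How it works" can be checked locally before you upload. The following is an added example, not Alibaba Cloud code: it assumes the `openssl` CLI is installed, the function names, file paths and domain are hypothetical, and it does not verify that the issuing CA is trusted.

```bash
#!/usr/bin/env bash
# Added example, not Alibaba Cloud code. Helper names are hypothetical.
# Requires the openssl CLI. Prints one verdict word; returns 0 only for "ok".
check_upload_pair() {
  local cert="$1" key="$2" domain="$3"

  # PEM only: both files need the text armor (rejects DER or PKCS#12 blobs).
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo cert-not-pem; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || { echo key-not-pem; return 1; }

  # Password-protected keys: PKCS#8 "ENCRYPTED PRIVATE KEY" armor or the
  # legacy "Proc-Type: 4,ENCRYPTED" header.
  if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
    echo key-encrypted; return 1
  fi

  # Expiry: -checkend 0 fails once the certificate is past notAfter.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo cert-expired; return 1; }

  # Domain: the first (leaf) certificate must cover the domain name.
  openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null \
    | grep -q 'does match' || { echo name-mismatch; return 1; }

  # Pair: the certificate's public key must equal the key's public half.
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo key-mismatch; return 1
  fi
  echo ok
}

# Constructed sample input: a throwaway self-signed pair for the given name.
make_demo_pair() {
  local dir="$1" name="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}
```

Run it as `check_upload_pair cert.pem key.pem live.example.com`; any verdict other than `ok` names the rule that the pair would fail.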

View a certificate

You can view a certificate. However, you cannot view a private key because it is sensitive. Keep your certificate information safe.

Change or edit a certificate

You can change or edit a certificate. An updated certificate takes 1 hour to take effect. Exercise caution when you perform this operation.