ApsaraVideo Live supports the HTTPS secure acceleration and forcible redirect features. This topic describes how secure acceleration works, its benefits, how to configure secure acceleration, and the usage notes.

Background information

HTTP does not encrypt data; it transmits everything in plaintext. Any device on the path between the client and the server, such as an intermediate network node, can therefore intercept the traffic, and because nothing is encrypted, its content is immediately readable and can also be altered in transit without the endpoints noticing.

Features

ApsaraVideo Live allows you to configure the HTTPS secure acceleration and forcible redirect features. You must configure an HTTPS certificate before you can use the forcible redirect feature.

  • HTTPS

    HTTPS is HTTP carried over an encrypted and authenticated transport. Where HTTP transmits data in plaintext, HTTPS encapsulates the HTTP data in the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol, which is the security foundation of HTTPS. SSL is the deprecated predecessor of TLS; current deployments negotiate TLS 1.2 or TLS 1.3, and "SSL" elsewhere in this topic refers to that protocol family.

    HTTPS provides authentication and encrypted communication methods, and is widely used for secure communication and sensitive data transmission on the Internet. Based on a report released by Electronic Frontier Foundation (EFF) in 2017, more than half of web page traffic in the world is transmitted in encrypted mode by using HTTPS.

  • Forcible redirect

    You can use the forcible redirect feature to make edge nodes redirect a client's original request to the HTTP or HTTPS version of the same URL.

    If you have enabled HTTPS secure acceleration for domain names for CDN, you can forcibly redirect the original requests from users based on the specified redirect type. Assume that you set the redirect type to HTTP > HTTPS. When a client initiates an HTTP request, the edge node returns a 301 response whose Location header points to the HTTPS version of the same URL, and the client repeats the request over HTTPS, as shown in the following figure. Note that the first, plain-HTTP request still travels in cleartext; the redirect protects the requests that follow it, not that one.
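The redirect behavior described above, written out as a Go HTTP middleware. This is an added example, not ApsaraVideo Live's code and not how its edge nodes are implemented; the Policy names, the RedirectTarget and ForceScheme functions and the host cdn.example.com are assumptions. It goes slightly beyond the text in two places: it handles the HTTPS > HTTP direction as well, and it answers non-GET requests with 308 rather than 301, because a 301 permits browsers to turn a POST into a GET and discard the body.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Policy mirrors the redirect type chosen for a domain in the console.
type Policy int

const (
	NoRedirect  Policy = iota
	HTTPToHTTPS        // redirect type "HTTP > HTTPS"
	HTTPSToHTTP        // redirect type "HTTPS > HTTP"
)

// RedirectTarget returns the Location a request with the given scheme, Host header and
// request-URI should be sent to under policy p, or "" when no redirect is needed. Path
// and query survive unchanged; an explicit port is dropped, because the target scheme
// implies its own default port and https://host:80/ would be wrong.
func RedirectTarget(p Policy, scheme, host, requestURI string) string {
	var want string
	switch {
	case p == HTTPToHTTPS && scheme == "http":
		want = "https"
	case p == HTTPSToHTTP && scheme == "https":
		want = "http"
	default:
		return ""
	}
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
		if strings.Contains(host, ":") { // a bare IPv6 literal must be re-bracketed
			host = "[" + host + "]"
		}
	}
	return want + "://" + host + requestURI
}

// requestScheme reports how the client reached this server. r.TLS is set only when this
// process terminated TLS itself; behind a TLS-terminating proxy you would read
// X-Forwarded-Proto instead, and only from a proxy you trust, or a client could spoof it.
func requestScheme(r *http.Request) string {
	if r.TLS != nil {
		return "https"
	}
	return "http"
}

// ForceScheme wraps next with the forcible redirect. GET and HEAD receive the 301 the
// text describes; other methods receive 308, which obliges the client to repeat the
// request unchanged with the same method and body.
func ForceScheme(p Policy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target := RedirectTarget(p, requestScheme(r), r.Host, r.URL.RequestURI())
		if target == "" {
			next.ServeHTTP(w, r)
			return
		}
		code := http.StatusMovedPermanently
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			code = http.StatusPermanentRedirect
		}
		http.Redirect(w, r, target, code)
	})
}

func main() {
	// Constructed request: an HTTP request for a playback URL arriving on a non-default port.
	fmt.Println(RedirectTarget(HTTPToHTTPS, "http", "cdn.example.com:8080", "/live/stream.m3u8?auth_key=x"))
	// To serve: http.ListenAndServe(":8080", ForceScheme(HTTPToHTTPS, yourHandler))
}
```

If a load balancer terminates TLS in front of this handler, r.TLS is always nil and every request looks like HTTP; in that setup requestScheme must consult the proxy's forwarded-protocol header, and only when the request came from that proxy, otherwise an attacker can suppress the redirect by sending the header themselves.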

How it works

After you enable HTTPS in the ApsaraVideo Live console, requests between clients and ApsaraVideo Live nodes are encrypted by using HTTPS. The nodes then fetch the requested resources from your origin servers by using the protocol that is configured for the origin, and return the resources to the clients. The hop between the nodes and the origin is therefore encrypted only if the origin itself serves HTTPS. We recommend that you configure and enable HTTPS on your origin servers to implement end-to-end HTTPS encryption.

The following figure shows the encrypted transmission process that HTTPS uses (figure: HTTPS encryption process). The steps describe the RSA key exchange of TLS 1.2 and earlier, which is the variant the figure depicts. TLS 1.3 instead derives the session key from an ephemeral Diffie-Hellman exchange and uses the certificate's key only to sign the handshake, but the certificate checks in step 4 are the same.
  1. The client sends an HTTPS request. The ClientHello carries the requested domain name in the Server Name Indication (SNI) extension, which is how a node that hosts several domains knows which certificate to present.
  2. The server holds a key pair and a certificate. You generate the key pair yourself and have a certificate authority (CA) issue a certificate that binds the public key to your domain name; the private key never leaves the server.
  3. The server sends the certificate, which contains the public key, to the client.
  4. The client verifies the certificate.
    • If the certificate is valid, the client generates a random number as the pre-master secret, encrypts it with the public key from the certificate, and transmits the encrypted value to the server.
    • If the certificate is invalid, the SSL/TLS handshake fails and no application data is sent.
    Note A certificate is considered valid only if all of the following conditions are met:
    • The current time lies within the certificate's validity period, so the certificate is neither expired nor not yet valid.
    • The certificate chains to a certificate authority (CA) that the client trusts.
    • The signature on the certificate verifies under the issuing CA's public key, and so on up the chain to the trusted root. The certificate's own public key cannot vouch for the certificate.
    • The domain name that the client requested matches a name listed in the certificate (the Subject Alternative Name entries).
  5. The server uses its private key to decrypt the random number. Only the holder of the private key can do this, which is what binds the session to the certificate.
  6. Both sides derive the symmetric session keys from the random number. The server encrypts application data with them and transmits it to the client.
  7. The client decrypts the received data with the same session keys. From this point both directions are encrypted and integrity-protected with symmetric cryptography.
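The handshake above, including the four certificate checks and the SNI-based certificate selection the usage notes depend on, run for real in process with Go's crypto/tls. This is an added example and not ApsaraVideo Live's code; the domain cdn.example.com, the CA name "Example CA", the issue, served, handshake and Scenarios functions and the constructed certificates are assumptions. Each scenario plays both sides of the exchange: the server side picks a certificate by the SNI name in the ClientHello, the client side validates it for the name it asked for, and the returned error says why a handshake was refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

const domain = "cdn.example.com" // assumed accelerated domain; not from the page

// issue mints a certificate for name, signed by parent (self-signed when parent is nil).
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter, BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // clients match the SAN, not the CN
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err) // the templates above are well-formed; only a broken RNG gets here
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// served is the edge's certificate table, keyed by the SNI name a client asks for.
func served(sni string, c *x509.Certificate, k *ecdsa.PrivateKey) map[string]tls.Certificate {
	return map[string]tls.Certificate{sni: {Certificate: [][]byte{c.Raw}, PrivateKey: k}}
}

// handshake runs a real TLS handshake in process. The server chooses its certificate from
// the SNI in the ClientHello (an SNI-only edge has nothing to send without it); the client
// validates the chain for serverName: validity period, trusted issuer, signature, name match.
func handshake(certs map[string]tls.Certificate, roots *x509.CertPool, serverName string) error {
	srvConf := &tls.Config{
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := certs[h.ServerName]; ok {
				return &c, nil
			}
			return nil, errors.New("no certificate for SNI " + h.ServerName)
		},
		// net.Pipe is synchronous: session tickets, which the client reads only after the
		// handshake, would block the server's write, so this in-memory demo turns them off.
		SessionTicketsDisabled: true,
	}
	a, b := net.Pipe()
	stall := time.Now().Add(time.Second) // after a rejection one side can be left in a write
	a.SetDeadline(stall)                 // nobody reads; the deadline turns that into an error
	b.SetDeadline(stall)
	done := make(chan error, 1)
	go func() {
		done <- tls.Server(b, srvConf).Handshake()
		b.Close()
	}()
	err := tls.Client(a, &tls.Config{RootCAs: roots, ServerName: serverName}).Handshake()
	a.Close()
	if srvErr := <-done; err == nil {
		err = srvErr
	}
	return err
}

// Scenarios runs one handshake per case and reports the outcome by name (nil means accepted).
func Scenarios() map[string]error {
	ca, caKey := issue("Example CA", true, nil, nil, time.Now().Add(24*time.Hour))
	good, goodKey := issue(domain, false, ca, caKey, time.Now().Add(24*time.Hour))
	expired, expiredKey := issue(domain, false, ca, caKey, time.Now().Add(-time.Hour))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return map[string]error{
		"valid":        handshake(served(domain, good, goodKey), roots, domain),
		"expired":      handshake(served(domain, expired, expiredKey), roots, domain),
		"untrusted-ca": handshake(served(domain, good, goodKey), x509.NewCertPool(), domain),
		"wrong-name":   handshake(served("www.example.net", good, goodKey), roots, "www.example.net"),
		"no-sni-match": handshake(served(domain, good, goodKey), roots, "unknown.example.com"),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-13s %v\n", name, err)
	}
}
```

Only the "valid" case completes; the other four are refused by the side that detects the problem: the client for an expired certificate, an issuer it does not trust, or a name that is not in the certificate, and the server when no certificate matches the SNI the client sent.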

Benefits

  • Secure transmission: HTTPS protects the connection against eavesdropping, tampering and impersonation, including man-in-the-middle (MITM) attacks, because an attacker on the path can neither read the traffic nor present a certificate that the client accepts for your domain name.
  • Information encryption: HTTPS encrypts sensitive information such as session IDs and cookies before transmission, so they cannot be captured and reused by anyone who observes the traffic.
  • Data integrity: Every TLS record carries an integrity check, so data that is altered in transit is detected and rejected rather than delivered. Combined with certificate validation, this also defeats attempts to divert users to a forged server, for example after DNS hijacking, because the forged server cannot pass the certificate check for your domain name.
  • Dominant trend: Mainstream browsers have labeled plain-HTTP pages as not secure since 2018 (Google Chrome 70 and later, Mozilla Firefox). If you use HTTP, your website is exposed to security risks, and users who visit it with these browsers are warned that the site is not secure. This degrades the user experience and may reduce visits to the website.

    Search engines such as Google use HTTPS as a ranking signal, and browsers support HTTP/2 only over TLS, so HTTPS is a prerequisite for HTTP/2. HTTPS is the more reliable choice in terms of security, market share and user experience. We therefore recommend that you upgrade your communication protocol to HTTPS.

Configuration methods

ApsaraVideo Live allows you to configure the HTTPS secure acceleration and forcible redirect features in the console or by calling API operations.

  • Console
    Feature: HTTPS secure acceleration
    Description: Configure an HTTPS certificate. To access resources by using HTTPS, you must configure an HTTPS certificate. For more information, see Certificate formats.
    Documentation: Enable HTTPS

    Feature: Forcible redirect
    Description: Configure the forcible redirect type. Before you configure the forcible redirect feature, make sure that an HTTPS certificate is configured.
    Documentation: Forcible redirect
  • API
    SetLiveDomainCertificate: Enables or disables the certificate of a domain name, and modifies the certificate information. See SetLiveDomainCertificate.
    DescribeLiveCertificateList: Queries certificates. See DescribeLiveCertificateList.
    DescribeLiveCertificateDetail: Queries the details of a specified certificate. See DescribeLiveCertificateDetail.
    BatchDeleteLiveDomainConfigs: Deletes multiple domain name configurations at a time. See BatchDeleteLiveDomainConfigs.

Usage notes

Operation: Disable and enable HTTPS
  • After you disable HTTPS, ApsaraVideo Live no longer accepts HTTPS requests for the domain name. In addition, ApsaraVideo Live deletes the HTTPS certificate and private key that you uploaded.
  • To enable HTTPS again, you must upload the certificate and private key again and enable the certificate.
Operation: Upload a certificate and a private key
  • After you enable HTTPS secure acceleration for a domain name for CDN, you must upload a certificate and a private key. Both must be in the PEM format.
    Note ApsaraVideo Live uses Tengine, an NGINX-based web server. Therefore, ApsaraVideo Live supports only PEM certificates that NGINX can read.
  • ApsaraVideo Live supports only SSL and TLS handshakes that carry Server Name Indication (SNI) information. A client that does not send SNI cannot establish an HTTPS connection.
  • The uploaded certificate must match the private key. Otherwise, the certificate and private key fail verification.
  • An updated certificate takes one hour to take effect.
  • The private key must not be password-protected.
Operation: View a certificate
  You can view a certificate. However, you cannot view a private key because it is sensitive. Keep your certificate information safe.
Operation: Change or edit a certificate
  You can change or edit a certificate. An updated certificate takes one hour to take effect. Exercise caution when you perform this operation.
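A pre-upload check for the constraints in the usage notes (PEM encoding, a private key without a password, a key that matches the first certificate in the file), plus an expiry check taken from the handshake section. This is an added example and not ApsaraVideo Live's validation logic; the UploadCheck, selfSigned, keyPEM and Cases functions, the name cdn.example.com and the throwaway self-signed certificates are assumptions, and the "issuer-first" case stands in for a chain uploaded with the CA certificate ahead of the leaf, using a second self-signed certificate rather than a real issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// UploadCheck returns nil when a certificate/key pair satisfies the upload constraints,
// otherwise an error naming the first problem found.
func UploadCheck(certPEM, keyPEM []byte) error {
	kb, _ := pem.Decode(keyPEM)
	if kb == nil {
		return errors.New("private key is not PEM")
	}
	// PKCS#8 encrypted keys use this block type; legacy OpenSSL encryption marks the
	// block with a Proc-Type header. Either way the key cannot be used without a password.
	if kb.Type == "ENCRYPTED PRIVATE KEY" || kb.Headers["Proc-Type"] == "4,ENCRYPTED" {
		return errors.New("private key is password-protected; export it without a passphrase")
	}
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return errors.New("certificate is not a PEM CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return fmt.Errorf("certificate does not parse: %w", err)
	}
	if time.Now().After(leaf.NotAfter) {
		return errors.New("certificate has expired")
	}
	// X509KeyPair pairs the key with the FIRST certificate in the file, so a chain
	// uploaded issuer-first fails here just like a wrong key does.
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return fmt.Errorf("key does not match certificate: %w", err)
	}
	return nil
}

// selfSigned makes a throwaway self-signed certificate for the demo (constructed input).
func selfSigned(name string, notAfter time.Time) ([]byte, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key
}

// keyPEM encodes an EC private key the way OpenSSL's "EC PRIVATE KEY" block does.
func keyPEM(k *ecdsa.PrivateKey) []byte {
	der, _ := x509.MarshalECPrivateKey(k)
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
}

// Cases returns the outcome of each constructed upload by name (nil means acceptable).
func Cases() map[string]error {
	cert, key := selfSigned("cdn.example.com", time.Now().Add(24*time.Hour))
	expired, expiredKey := selfSigned("cdn.example.com", time.Now().Add(-time.Hour))
	other, _ := selfSigned("other.example.com", time.Now().Add(24*time.Hour))
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	encrypted := pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: []byte("constructed")})
	return map[string]error{
		"match":        UploadCheck(cert, keyPEM(key)),
		"mismatch":     UploadCheck(cert, keyPEM(otherKey)),
		"encrypted":    UploadCheck(cert, encrypted),
		"expired":      UploadCheck(expired, keyPEM(expiredKey)),
		"issuer-first": UploadCheck(append(append([]byte{}, other...), cert...), keyPEM(key)),
	}
}

func main() {
	for name, err := range Cases() {
		fmt.Printf("%-13s %v\n", name, err)
	}
}
```

Running these checks before the upload turns the console's "certificate and private key fail the verification" into a specific message, and it catches the issuer-first ordering mistake that a PEM file which merely looks well-formed would otherwise carry into the one-hour activation window.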