
ApsaraVideo Live: Configure HTTPS secure acceleration

Last Updated: Apr 07, 2024

HTTPS is used for secure communication over networks. As a secure version of HTTP, HTTPS encapsulates HTTP data by using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. SSL or TLS is the security foundation of HTTPS.

Benefits

HTTPS encrypts sensitive information such as session IDs and cookies before transmission. This prevents security threats caused by sensitive information leakage.

HTTPS checks data integrity during transmission to protect the data against man-in-the-middle (MITM) attacks, such as DNS hijacking and tampering.

ApsaraVideo Live allows you to configure HTTPS secure acceleration. After you enable the HTTPS secure acceleration feature for a domain name for CDN, you need to upload a certificate that matches the domain name and a private key. You can also view, disable, enable, or change the certificate.

After you correctly configure and enable the certificate, HTTP and HTTPS access are supported. If the certificate that you configured does not match the domain name or you disable the certificate, only HTTP access is supported.

Usage notes

The following table describes the operations.

| Operation | Description |
| --- | --- |
| Disable and enable HTTPS | After you disable HTTPS, ApsaraVideo Live no longer supports HTTPS requests. In addition, ApsaraVideo Live deletes the SSL certificate and private key. After you enable HTTPS, you must upload the certificate and private key again to enable the certificate. |
| View a certificate | You can view a certificate. However, you cannot view a private key because it is sensitive. Keep your certificate information safe. |
| Change or edit a certificate | You can change or edit a certificate. It requires 5 minutes for an updated certificate to take effect. Exercise caution when you perform this operation. |

Certificate management

  • ApsaraVideo Live supports certificates purchased by using Certificate Management Service and custom certificates.

  • After you enable HTTPS secure acceleration for a domain name for CDN, you must upload a certificate and a private key. Both must be in the PEM format.

Note

ApsaraVideo Live uses the NGINX-based Tengine web server. Therefore, ApsaraVideo Live supports only PEM certificates that can be read by NGINX.

  • ApsaraVideo Live supports only SSL/TLS handshakes that include Server Name Indication (SNI) information.

  • The uploaded certificate must match the private key. Otherwise, the certificate and private key fail the verification.

  • It requires 5 minutes for an updated certificate to take effect.

  • The system does not support private keys for which passwords are configured.
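The requirements above (PEM format, no password on the private key, certificate and key that match each other and the domain name) can be checked locally before upload. The following is an added example, not part of the ApsaraVideo Live documentation or tooling; it assumes the OpenSSL command-line tool is installed, and the function name `check_upload_pair` and its argument order are hypothetical.

```shell
#!/bin/sh
# Pre-upload check for a certificate/private-key pair (added example).
# Assumes the OpenSSL CLI is installed; the function name is hypothetical.
# Usage: check_upload_pair CERT.pem KEY.pem DOMAIN
check_upload_pair() {
    cert=$1; key=$2; domain=$3

    # 1. The certificate must be PEM text that OpenSSL can parse.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" &&
        openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "FAIL: certificate is not readable PEM" >&2; return 1; }

    # 2. The key must be PEM and must not be password-protected.
    #    Encrypted keys are marked in the PEM header or the Proc-Type line.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "FAIL: private key is not PEM" >&2; return 1; }
    if grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type:.*ENCRYPTED)' "$key"; then
        echo "FAIL: private key is password-protected" >&2; return 1
    fi

    # 3. Certificate and key must belong together: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: private key cannot be parsed" >&2; return 1; }
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: certificate does not match private key" >&2; return 1; }

    # 4. The certificate must cover the domain name being accelerated.
    openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null |
        grep -q 'does match' ||
        { echo "FAIL: certificate does not cover $domain" >&2; return 1; }

    echo "OK: $cert and $key are ready to upload for $domain"
}
```

The function returns 0 only when all four checks pass and otherwise prints the first failed check to standard error.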

Procedure

Step 1: Purchase a certificate

To enable HTTPS secure acceleration, you must upload a certificate that matches the domain name for CDN. To purchase a certificate, click Buy Now on the Certificate Management Service buy page. If you want to use a custom certificate, skip this step.

Step 2: Configure a streaming domain

  1. Enable HTTPS secure acceleration.

    1. Log on to the ApsaraVideo Live console.

    2. In the left-side navigation pane, choose Acceleration > Domains. On the page that appears, find the domain name that you want to configure and click Domain Settings in the Actions column.

    3. In the left-side navigation tree, choose Streaming Management > HTTPS Settings. On the page that appears, turn on HTTPS Certificate.

  2. Upload a certificate.

    • Alibaba Cloud Certificate Management Service: In the dialog box that appears, select Alibaba Cloud Security for Certificate Authority and then select a certificate that is purchased from Alibaba Cloud Certificate Management Service.

    • Custom certificate: In the dialog box that appears, select Others for Certificate Authority. Then, specify the certificate name, certificate content, and private key. The certificate is stored in the Certificate Management Service console. You can view the certificate on the SSL Certificates page.

      Note

      Only certificates in PEM format are supported.

  3. Configure the redirect type.

    Click Change Settings in the Force Redirect section.

    You can force clients to use HTTP or HTTPS by forcibly redirecting the original requests. For example, if you set the redirect type to HTTP > HTTPS and a client initiates an HTTP request, the server returns a 302 response to redirect the request to the HTTPS version of the web page.

    Default: HTTP and HTTPS requests are supported.

    HTTP > HTTPS: forces clients to use HTTPS.

    HTTPS > HTTP: forces clients to use HTTP.

Step 3: Verify that the certificate takes effect

After a certificate is uploaded, it takes effect within 1 minute. To verify that the SSL certificate takes effect, send HTTPS requests to access resources. If the URL is displayed with a lock icon in the address bar of the browser, HTTPS secure acceleration is working as expected.