HTTPS Security Acceleration

Last Updated: Dec 25, 2017

Features

  • HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is the secure version of HTTP. It encapsulates HTTP in the SSL/TLS protocol, so the security of HTTPS rests on SSL/TLS.
  • Advantages of HTTPS acceleration:
    • Key user information is encrypted during transmission, preventing leakage of sensitive information such as session IDs or cookies, as well as other potential security risks;
    • Integrity verification is performed on all data during transmission, protecting the DNS or content against hijacking, tampering, and other “man in the middle” (MITM) attacks. Learn more: Using HTTPS to Prevent Traffic Hijacking.
  • Alibaba Cloud CDN provides HTTPS secure acceleration. You only need to enable the secure acceleration mode and then upload the certificate and private key for the CDN domains. The service also supports viewing, disabling, enabling, and editing certificates.
  • If your certificate is configured correctly and enabled, both HTTP access and HTTPS access are supported. If the certificate does not match the private key or is disabled, only HTTP access is supported.
  • Note: SNI back-to-origin is not supported.

Note

Configuration

  1. HTTPS Secure Acceleration is supported for the following business scenarios:
    • Acceleration of images and small files
    • Acceleration of large file downloads
    • Acceleration of on-demand video/audio
    • Acceleration of live streaming media
    • Mobile acceleration is not supported.
  2. HTTPS security for wildcard domains is supported.
  3. The options to “Enable” and “Disable” this feature are provided:
    • Enable: Certificate modification is supported, both HTTP and HTTPS requests are supported by default, and “force redirect” is supported.
    • Disable: No HTTPS requests are supported and no certificate/private key information will be retained. You must re-upload the certificate/private key to enable the certificate again.
  4. You are allowed to view the certificate, but the certificate only. The private key information cannot be viewed because it is sensitive information. Make sure you keep the certificate information safe.
  5. Modifications and edits can be made to the certificate. It takes up to 10 minutes for any modifications and edits to take effect, so proceed with caution.

Billing

  • HTTPS Secure Acceleration is a value-added offering. Once it is enabled, you are billed based on the number of HTTPS requests, at a rate of 0.1 CNY per 10,000 requests. Note: The HTTPS cost is billed separately based on the number of requests and is not included in the CDN traffic package. Ensure that you have an adequate account balance before enabling the HTTPS service, to avoid arrears that may affect your CDN service.

See How to Check the Number of HTTPS Requests.

Certificate

  1. For CDN domains with “HTTPS secured acceleration” enabled, you must upload both the certificate and the private key, both in the PEM format. See About certificate formats. (Note: CDN adopts the Tengine service, which is based on Nginx. Therefore, only certificates that are readable by Nginx are supported, namely, PEM certificates.)
  2. Only SSL/TLS handshaking with SNI information is supported.
  3. The certificate and private key you upload must match each other, or verification reports an error.
  4. It takes 10 minutes for any certificate updates to take effect.
  5. Password-protected private keys are not supported.
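
A pre-upload check for the requirements listed above (PEM format, no password on the private key, certificate and key must match), written with the openssl command line. This is an added example, not an Alibaba Cloud tool; the function name check_cdn_cert and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-upload checks for a CDN certificate/key pair.
# check_cdn_cert is a hypothetical helper name; it is not an Alibaba Cloud tool.
# Return codes: 0 ok, 2 not readable as PEM, 3 key is password-protected,
# 4 certificate and private key do not match.
check_cdn_cert() {
    cert=$1
    key=$2

    # PEM files are base64 text wrapped in BEGIN/END markers; DER or PFX
    # files are binary and will not contain them.
    grep -q 'BEGIN CERTIFICATE-----' "$cert" || {
        echo "certificate is not PEM" >&2; return 2; }
    grep -q 'BEGIN .*PRIVATE KEY-----' "$key" || {
        echo "private key is not PEM" >&2; return 2; }

    # Encrypted keys show up as a PKCS#8 "ENCRYPTED PRIVATE KEY" block or as
    # a traditional key carrying a "Proc-Type: 4,ENCRYPTED" header.
    if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "private key is password-protected" >&2; return 3
    fi

    # Extract the public key from each side and compare them. This works
    # for RSA and EC keys alike. "-passin pass:" keeps openssl from
    # prompting if an encrypted key slipped past the check above.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate" >&2; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || {
        echo "cannot parse private key" >&2; return 2; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2; return 4
    fi
    echo "ok: PEM, unencrypted, certificate matches key"
}

# Usage: sh check_cdn_cert.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
    check_cdn_cert "$1" "$2"
fi
```

If the file you upload contains a certificate chain, the check compares the private key against the first certificate in the file.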

Configuration guide

Step 1: purchase a certificate

To enable HTTPS Secure Acceleration, you must have a certificate associated with the CDN domains. You can purchase a certificate with Alibaba Cloud Certificates Service.

Step 2: configure CDN domains

  • CDN domain list —> Select a domain to enter the configuration page —> HTTPS Settings —> Modify Configuration.
  • Click “Modify Configuration” to change the settings.
  1. Check if “HTTPS Setting” is enabled for the domain. Click the “Modify Configuration” button to enter the setting page and click “Enable”. Note: HTTPS Secure Acceleration is a value-added offering. Once it is enabled, you are billed based on the number of HTTPS requests. Learn more about Billing Details.
  2. Select a certificate:
    • For a certificate purchased with Alibaba Cloud Certificates Service, you can associate it with the CDN domain directly by selecting the certificate name.
    • You can use custom upload if no associated certificate is available in the certificate list. In this case, you must set the certificate name, and then upload the certificate information and the private key. This certificate is saved in Alibaba Cloud Certificates Service and can be viewed in the My Certificates section.
  3. Only the PEM certificate format is supported. Learn more: About Certificate Formats.
  4. “Force redirect” is supported: You can enable this function to forcibly redirect users’ requests away from the protocol they were originally made with.
    • For example, when “Force HTTPS Redirect” is enabled and you initiate an HTTP request, the server returns a 302 redirect response and the original HTTP request is forcibly redirected to an HTTPS request.
    • Default: supports both HTTP and HTTPS requests.
    • Force HTTPS redirect: User requests are forcibly redirected to HTTPS requests.
    • Force HTTP redirect: User requests are forcibly redirected to HTTP requests.

Step 3: verify whether the certificate is effective

After the certificate is set up and becomes effective (about one hour after the HTTPS certificate is set up), visit resources by means of HTTPS. If the green HTTPS mark appears in the browser, it indicates that a private connection is established with the website and HTTPS Secure Acceleration has taken effect.
