HTTPS settings

Last Updated: Jan 24, 2019

Introduction

  • Hyper Text Transfer Protocol over Secure Socket Layer (HTTPS) is the secure version of HTTP. It encapsulates HTTP in the SSL/TLS protocol, so the security of HTTPS rests on SSL/TLS.

  • SSL acceleration advantages:

    • Key user information is encrypted during transmission, which prevents leakage of sensitive information, such as session IDs or cookies, and reduces other potential security risks.
    • Data integrity is verified during transmission to protect DNS or content from third-party hijacking, tampering, and man-in-the-middle (MITM) attacks. For more information, see Use HTTPS to Prevent Traffic Hijacking.
  • Alibaba Cloud DCDN provides SSL acceleration. You only need to enable the SSL acceleration mode and then upload the certificate and private key for the CDN domains. DCDN also allows you to view, disable, enable, and edit a certificate.

  • You can apply for free certificates or purchase advanced certificates on Alibaba Cloud Security. Certificates purchased on Alibaba Cloud Security can be selected directly in the DCDN console without uploading them.

  • If your certificate is configured correctly and enabled, both HTTP access and HTTPS access are supported. If the certificate does not match the private key or is disabled, only HTTP access is supported.

  • SNI origin fetch is currently not supported.

Restrictions and guidelines

Configuration

  • SSL acceleration for wildcard domain names is supported.

  • You can enable or disable SSL acceleration.

    • Enable: Certificate modification is supported, both HTTP and HTTPS requests are supported by default, and force redirect is supported.
    • Disable: No HTTPS requests are supported and no certificate or private key information will be retained. You must re-upload the certificate and private key to enable the certificate again.
  • The private key information cannot be viewed because it is sensitive information. Make sure that you keep the certificate information safe.

  • You can modify the certificate. It takes up to 10 minutes for any modifications to take effect. Modify the certificate with caution.

Billing

SSL acceleration is a value-added service. Once it is enabled, a fee is charged per HTTPS request. For current billing standards, see HTTPS billing details.

Note: HTTPS is billed separately based on the number of requests. Fees are not included in the CDN traffic package or the subscription plan. Make sure that your account balance is sufficient before you enable the HTTPS service to avoid arrears that may affect your DCDN service.

Certificate

  • To enable SSL acceleration for a DCDN domain, you must upload the certificate and the private key, both in the PEM format. For more information, see Certificate format description.

  • Note: The Tengine service used by DCDN is based on Nginx, so only certificates that can be read by Nginx are supported, namely, PEM certificates.

  • Only TLS handshake with SNI information is supported.

  • The uploaded user certificate and private key must match. Otherwise, an error occurs during verification.

  • It takes about 10 minutes for an updated certificate to take effect.

  • Private keys with passwords are not supported.
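A pre-upload check for the format rules above (PEM only, no password-protected private keys), given as an added example that is not part of the DCDN documentation or tooling. The function and constant names are assumptions, the sample inputs are constructed placeholders, and the check does not verify that the key matches the certificate.

```python
import base64
import re

# Matches one PEM block and captures its label and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def check_upload(cert_data: bytes, key_data: bytes) -> list:
    """Return format problems; an empty list means both inputs look uploadable."""
    problems = []
    for name, data, allowed in (("certificate", cert_data, {"CERTIFICATE"}),
                                ("private key", key_data, KEY_LABELS)):
        if data[:1] == b"\x30":  # raw ASN.1 SEQUENCE tag: binary DER, not PEM
            problems.append(f"{name}: binary DER, convert to PEM first")
            continue
        blocks = PEM_BLOCK.findall(data.decode("ascii", "replace"))
        if not blocks:
            problems.append(f"{name}: no PEM block found")
        for label, body in blocks:
            # PKCS#8 encrypted label, or the legacy OpenSSL encryption header
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                problems.append(f"{name}: key is password-protected")
            elif label not in allowed:
                problems.append(f"{name}: unexpected block '{label}'")
            else:
                try:
                    der = base64.b64decode("".join(body.split()), validate=True)
                except ValueError:
                    der = b""
                if der[:1] != b"\x30":
                    problems.append(f"{name}: '{label}' body is not base64 DER")
    return problems

def pem(label: str, der: bytes, headers: str = "") -> bytes:
    """Wrap bytes in PEM armor (used here only to build constructed samples)."""
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}-----END {label}-----\n".encode()

FAKE_DER = b"\x30\x03\x02\x01\x00"  # constructed placeholder, not a real cert or key
LEGACY_ENC = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"  # constructed

if __name__ == "__main__":
    print(check_upload(pem("CERTIFICATE", FAKE_DER),
                       pem("RSA PRIVATE KEY", FAKE_DER, LEGACY_ENC)))
```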

Procedure

Step 1: Purchase a certificate.

To enable SSL acceleration, you need a certificate that matches the DCDN domain name. You can apply for free certificates or purchase advanced certificates with Alibaba Cloud Security.

Step 2: Configure a DCDN domain name.

  1. On the Domain Names page, select a domain name, and click Configure.

  2. Go to HTTPS Settings > SSL Certificate, and click Modify to enable SSL Acceleration.

Note: SSL acceleration is a value-added service. Once it is enabled, you are billed based on the number of HTTPS requests. For more information, see Billing details.

  3. Select a certificate:

    • You can apply for a free certificate or purchase an advanced certificate with Alibaba Cloud Security Certificates Service. You can associate a certificate that is purchased with Alibaba Cloud Certificates Service with the DCDN domain by using the certificate name.

    • If no suitable certificate exists in the certificate list, you can upload a custom certificate. You must set the certificate name and then upload the content and private key of the certificate. This certificate is saved in “Alibaba Cloud Security Certificate Service” and can be viewed in My Certificates.

    • Only the PEM certificate format is supported. For more information, see Certificate format description.
  4. You can configure the force redirect feature to redirect user requests.

    For example, if force redirect is enabled and the user initiates an HTTP request, the server returns a 302 redirect response, and the original HTTP request is redirected to an HTTPS request.

    • Default: Supports both HTTP and HTTPS requests.
    • HTTP to HTTPS: User requests are redirected to HTTPS requests.
    • HTTPS to HTTP: User requests are redirected to HTTP requests.

Step 3: Verify that the certificate takes effect.

After you have completed the SSL certificate settings and the certificate takes effect (after approximately one hour), use HTTPS to access resources. A green HTTPS logo in the browser indicates that the current connection to the website is private and SSL acceleration takes effect, as shown in the following figure:

[Figure: Verify HTTPS]
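A scripted alternative to the browser check, which also reports which force redirect mode from Step 2 is actually live, so that an unintended HTTPS to HTTP setting is caught. This is an added example and not part of the DCDN documentation; the function names and the host cdn.example.com are placeholders.

```python
import http.client
from urllib.parse import urlsplit

def probe(host, scheme, path="/", timeout=10):
    """Send one GET without following redirects; return (status, Location)."""
    # HTTPSConnection validates the certificate chain and hostname and sends
    # SNI for `host`, so a mismatched certificate raises an ssl error here.
    cls = (http.client.HTTPSConnection if scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    finally:
        conn.close()

def redirect_scheme(status, location):
    """Scheme a redirect points at, or None for non-redirects and relative URLs."""
    if status in (301, 302, 303, 307, 308):
        return urlsplit(location).scheme.lower() or None
    return None

def classify(http_result, https_result):
    """Map the two probe results onto the force redirect modes of Step 2."""
    h = redirect_scheme(*http_result)
    s = redirect_scheme(*https_result)
    if h == "https" and s == "http":
        return "redirect loop"
    if h == "https":
        return "HTTP to HTTPS"
    if s == "http":
        return "HTTPS to HTTP"
    return "Default"

if __name__ == "__main__":
    host = "cdn.example.com"  # placeholder: replace with your DCDN domain
    print(classify(probe(host, "http"), probe(host, "https")))
```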