
Set HTTPS security acceleration

Last Updated: Apr 16, 2019

Function

HTTPS is an HTTP channel designed to enhance security. It encapsulates HTTP messages with the SSL or TLS protocol.

HTTPS acceleration benefits:

  • Sensitive user information, such as session IDs or cookies, is encrypted during transmission to prevent information leakage and other potential security risks.

  • A data integrity check is performed during transmission, protecting the DNS server or content against hijacking, tampering, and other man-in-the-middle (MITM) attacks.

  • After enabling HTTPS, you only need to upload a certificate and the private key. You can also view, disable, enable, and update the certificate.

  • You can apply for a free certificate or purchase an advanced certificate in the Alibaba Cloud Security console. If your certificate is correctly configured and enabled, both HTTP and HTTPS are supported. If the certificate does not match the private key or the certificate is disabled, only HTTP is supported.

Note: SNI origin-fetching is not currently supported.

Function diagram

HTTPS encrypts the requests between users and Alibaba Cloud CDN nodes. A request for obtaining resources initiated by a CDN node on the origin site is processed according to the origin site configuration. We recommend that you configure and enable HTTPS for the origin site to implement end-to-end HTTPS encryption.

About the configuration

  • HTTPS security for wildcard domain names is supported.
  • HTTPS secure acceleration can be enabled or disabled.
    • Enabled: When HTTPS secure acceleration is enabled, certificate modification, HTTP and HTTPS requests, and force redirect are supported.
    • Disabled: If HTTPS secure acceleration is disabled, HTTPS requests are not supported.
  • You can view the certificate but not the private key. Make sure that the certificate information is not accessible to others.
  • Certificates can be updated. Exercise caution when updating a certificate. The updated certificate takes effect in 10 minutes.

About certificates

  • To enable HTTPS secure acceleration for CDN domains, you must upload a certificate and the private key in PEM format. CDN uses the Nginx-based Tengine service, so only certificates that Nginx can read (PEM certificates) are supported.
  • Only SSL and TLS with SNI information are supported.
  • The uploaded certificate and private key must match each other or a validation failure occurs.
  • The updated certificate takes effect in 10 minutes.
  • Private keys with a password are not supported.
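
The requirements above (PEM format, a key without a password, and a certificate that matches the key) can be checked locally before upload. The following is an added example, not Alibaba Cloud code; the function names are hypothetical, and it assumes that a pair OpenSSL can load through Python's standard `ssl` module is a reasonable stand-in for what the Tengine service accepts.

```python
import re
import ssl
import sys

# Labels as they appear in "-----BEGIN <label>-----" lines of a PEM file.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_labels(path):
    """Return (PEM block labels, decoded text); labels is [] for non-PEM input."""
    with open(path, "rb") as fh:
        text = fh.read().decode("ascii", errors="replace")
    return PEM_BLOCK.findall(text), text


def preflight(cert_path, key_path):
    """Return a list of problems that would make the upload fail validation."""
    problems = []
    cert_labels, _ = pem_labels(cert_path)
    key_labels, key_text = pem_labels(key_path)

    if "CERTIFICATE" not in cert_labels:
        problems.append("certificate is not PEM (no CERTIFICATE block)")
    # PKCS#8 encrypted keys use their own label; legacy keys use a Proc-Type header.
    encrypted = ("ENCRYPTED PRIVATE KEY" in key_labels
                 or "Proc-Type: 4,ENCRYPTED" in key_text)
    if encrypted:
        problems.append("private key is password-protected")
    elif not KEY_LABELS.intersection(key_labels):
        problems.append("private key is not PEM (no PRIVATE KEY block)")

    if not problems:
        # OpenSSL refuses the pair when the key does not belong to the certificate.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.load_cert_chain(cert_path, key_path)
        except ssl.SSLError as exc:
            problems.append(f"certificate and key do not load as a pair: {exc}")
    return problems


if __name__ == "__main__":
    issues = preflight(sys.argv[1], sys.argv[2])
    print("\n".join(issues) or "OK: PEM, unencrypted key, certificate and key match")
    sys.exit(1 if issues else 0)
```

Run it with the certificate path and the key path as the two arguments; a non-zero exit status means at least one requirement is not met.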

Procedure

  1. Purchase a certificate.

    To enable HTTPS secure acceleration, you must have a certificate for CDN domains. You can apply for a free certificate or purchase an advanced certificate through the Alibaba Cloud Security certificate service.

  2. Configure CDN domain settings.

    In the VOD console, choose Domain Names > Configure, select an enabled domain name, and click HTTPS Acceleration Configuration to configure the domain name.

    • Select and configure a certificate:
      • You can apply for a free certificate or purchase an advanced certificate through the Alibaba Cloud Security certificate service.
      • If you choose to upload a custom certificate, set a name for the certificate and upload it with the private key. If multiple certificates are uploaded, select one as needed.
      • Only certificates in PEM format are supported. For more information, see Certificate format description.
      • Force redirect is supported. For example, when Force HTTPS Redirect is enabled and the user initiates an HTTP request, the server returns a 302 redirect response and the original HTTP request is forcibly redirected to an HTTPS request.
        • Default: HTTP and HTTPS requests are both supported.
        • Force HTTPS redirect: Redirects all user requests to HTTPS.
        • Force HTTP redirect: Redirects all user requests to HTTP.
  3. Verify that the certificate is valid.

    After the certificate takes effect (about one hour after being set), try to access resources over HTTPS. If the green HTTPS mark appears in the browser, a private connection is established to the website and HTTPS secure acceleration is active.
