CDN: Configure HTTPS

Last Updated: Jun 10, 2026

HTTPS uses SSL/TLS to encrypt data over HTTP, preventing third-party monitoring, interception, or tampering. Configure an SSL/TLS certificate in the CDN console to encrypt requests between clients and CDN.

HTTPS benefits

  • HTTPS protects communications from eavesdropping, tampering, impersonation, and hijacking. It encrypts sensitive information such as session IDs and cookies during transmission to prevent leaks.

  • HTTPS is the web standard. Browsers flag HTTP sites as insecure, which erodes user trust.

  • Search engines rank HTTPS sites higher, improving your website's visibility in search results.

SSL/TLS certificates

SSL operates between TCP/IP and application-layer protocols. Clients such as browsers use SSL to verify connection authenticity and integrity, and to encrypt data in transit.

The IETF standardized SSL under the name TLS, so the protocol is commonly called SSL/TLS.

SSL/TLS certificates are credentials issued by certificate authorities (CAs) to authenticate website identities and encrypt data in transit.

End-to-end data transmission over HTTPS

The following figure shows the HTTPS encryption process for client-to-server requests.

  1. Configure an SSL/TLS certificate for your domain name in the CDN console to allow HTTPS connections between clients and CDN points of presence (POPs).

    Note

    HTTPS configuration is a value-added service. You are charged for HTTPS requests in addition to basic services. For more information, see Billing of HTTPS requests for static content.

  2. Configure an SSL/TLS certificate on the origin server and configure the origin protocol for CDN POPs to implement HTTPS encryption. For more information, see Configure the origin protocol policy.

    Note

    Ensure the origin server supports HTTPS before you configure HTTPS origin fetch. For more information, see Configure the origin protocol policy.

Configure SSL/TLS certificates between clients and CDN POPs

Step 1: Prepare a certificate for the accelerated domain name

  • Only PEM-format certificates are supported. Convert other formats to PEM as described in Certificate formats.

  • You can apply for a free individual test certificate or purchase a certificate in the Certificate Management Service console.

  • You can also use a certificate from a third-party CA. The certificate must meet format requirements. For more information, see Certificate format.

Step 2: Configure an SSL/TLS certificate

  1. Required. Configure the prepared SSL/TLS certificate for the accelerated domain name to enable HTTPS. For more information, see Configure an HTTPS certificate.

  2. Optional. Configure more features based on your business requirements.

    | Category | Feature | Description |
    | --- | --- | --- |
    | Configure client access protocols | Configure HTTP/S redirection | Use a 301 redirect to send client HTTP requests at CDN POPs to HTTPS, or to redirect HTTPS requests to HTTP. |
    | Configure client access protocols | Configure HSTS | Configure HSTS to force clients to connect to CDN POPs over HTTPS, reducing first-visit hijacking risk. |
    | Specify the protocol version | Configure HTTP/2 | HTTP/2 supports binary framing, multiplexing, and header compression to improve web performance and reduce network latency. |
    | Specify the protocol version | Configure TLS versions and cipher suites | After you configure a TLS version, only clients using that version can communicate with CDN POPs, enforcing communication security requirements. |
    | Accelerate the validation of the SSL/TLS certificate | Configure OCSP stapling | CDN POPs cache certificate verification results and return them to clients directly, eliminating client-to-CA verification and reducing verification time. |
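
To confirm that the HTTP/S redirection and HSTS features listed above behave as intended once configured, the following added example (not part of the original documentation or of any CDN tooling) audits captured response headers. The host cdn.example.com, the sample responses, and the finding names are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_response(raw):
    """Split a raw HTTP/1.1 response head into (status, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    pairs = (line.partition(":") for line in head[1:])
    headers = {name.strip().lower(): value.strip() for name, _, value in pairs}
    return int(head[0].split()[1]), headers

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            max_age = int(arg.strip('"'))
        elif name.lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def audit_edge(host, http_raw, https_raw):
    """Return findings for the redirect and HSTS behaviour of one domain."""
    findings = []
    status, headers = parse_response(http_raw)
    target = urlsplit(headers.get("location", ""))
    if status != 301 or target.scheme != "https":
        findings.append("http-not-redirected-to-https")
    elif target.hostname != host:
        # The browser only records HSTS for the host that sent it over HTTPS.
        findings.append("redirect-leaves-host")
    if "strict-transport-security" in headers:
        # RFC 6797: an HSTS header received over plain HTTP is ignored.
        findings.append("hsts-on-http-is-ignored")
    status, headers = parse_response(https_raw)
    if 300 <= status < 400 and urlsplit(headers.get("location", "")).scheme == "http":
        findings.append("https-downgrades-to-http")
    max_age, _ = parse_hsts(headers.get("strict-transport-security", ""))
    if max_age is None:
        findings.append("hsts-missing")
    elif max_age == 0:
        findings.append("hsts-disabled-by-max-age-0")
    return findings

# Constructed sample responses for the placeholder domain cdn.example.com.
HTTP_OK = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://cdn.example.com/\r\n\r\n"
HTTPS_OK = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
HTTP_BAD = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n"
HTTPS_BAD = "HTTP/1.1 301 Moved Permanently\r\nLocation: http://cdn.example.com/\r\n\r\n"
```

Pass `audit_edge` the response heads captured from one plain-HTTP and one HTTPS request to your accelerated domain; an empty list means the HTTP-to-HTTPS redirect and HSTS are both in effect.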

FAQ