What is HTTPS secure acceleration?

Updated at:
Copy as MD

Unencrypted HTTP traffic between your users and your CDN exposes session IDs, cookies, and other sensitive data to eavesdropping, tampering, and man-in-the-middle (MITM) attacks. HTTPS secure acceleration adds TLS/SSL encryption across the entire delivery path: configure an SSL certificate on your accelerated domain name, and Alibaba Cloud CDN encrypts traffic between clients and points of presence (POPs) before forwarding requests to your origin.

Benefits

Benefit Description
Security Protects against eavesdropping, tampering, impersonation, and MITM attacks. Encrypts sensitive data such as session IDs and cookies in transit, reducing the risk of credential theft.
User trust Browsers flag HTTP sites as "Not Secure." HTTPS removes this warning.
Search ranking Mainstream search engines assign a higher weight to HTTPS-capable websites. After you enable HTTPS for a website, the website can achieve a higher ranking in search engine results.

How it works

HTTPS acceleration encrypts two connection segments independently:

  1. Client to POP: The client (browser) establishes a TLS connection with the nearest CDN POP. The POP presents the SSL certificate you configure for your accelerated domain name.

  2. POP to origin: The POP forwards the request to your origin. If you configure origin fetch over HTTPS, this segment is also encrypted end to end.

The following diagram illustrates the full end-to-end flow.

image
Note

HTTPS secure acceleration is a value-added service. After you enable it, you are charged for both basic CDN services and HTTPS requests. For pricing details, see Billing of HTTPS requests for static content.

SSL/TLS certificates

SSL (Secure Sockets Layer) sits between the TCP/IP protocol stack and application-layer protocols. It lets clients verify the identity and integrity of the server they connect to, then exchange data over an encrypted channel. The Internet Engineering Task Force (IETF) standardized SSL under the name Transport Layer Security (TLS), so the protocol is now referred to as SSL/TLS.

SSL certificates are credentials issued by certificate authorities (CAs). A CA-issued certificate authenticates your domain's identity and enables the encryption handshake.

Enable HTTPS secure acceleration

Prerequisites

Before you begin, make sure that you have:

  • An accelerated domain name configured in the Alibaba Cloud CDN console

  • An SSL certificate in PEM format for the accelerated domain name

  • (For end-to-end encryption) An SSL certificate installed on your origin server

Note

Only PEM-format certificates are supported. To convert a certificate from another format, see Convert certificate formats.

Step 1: Get a certificate

Choose the option that fits your requirements:

Option When to use
Free individual test certificate Development and testing
Certificate from Certificate Management Service Purchase a certificate for your domain
Certificate from a third-party CA Existing CA relationships or specific compliance requirements

To get a certificate, open the Certificate Management Service console. For certificate format requirements, see Certificate formats.

Step 2: Configure the SSL certificate on your domain

Configure the SSL certificate for your accelerated domain name to enable HTTPS between clients and POPs. For step-by-step instructions, see Configure an SSL certificate.

Step 3: (Optional) Enable end-to-end encryption

By default, only the client-to-POP segment is encrypted. To also encrypt the POP-to-origin segment, configure an SSL certificate on your origin server and set the origin protocol to HTTPS. For instructions, see Configure the origin protocol policy.

Important

Make sure your origin server supports HTTPS before enabling origin fetch over HTTPS.

Step 4: (Optional) Configure additional HTTPS features

After enabling HTTPS, you can harden your security posture or improve protocol performance with the following features:

Category Feature Description
Force HTTPS Configure URL redirection Redirects HTTP requests from clients to POPs to HTTPS using a 301 redirect, or downgrades HTTPS to HTTP if needed
Configure HSTS Instructs browsers to connect over HTTPS only (HTTP Strict Transport Security), reducing the risk of cookie hijacking
Protocol version Configure HTTP/2 Enables HTTP/2, which supports binary framing, multiplexing, and header compression to reduce latency
Configure TLS versions and cipher suites Restricts which TLS versions and cipher suites POPs accept, meeting link-level security requirements
Certificate verification Configure OCSP stapling POPs cache and serve certificate status responses so browsers skip the CA lookup, reducing TLS handshake time

FAQ

What's next