HTTPS encrypts data by using the TLS/SSL protocol based on HTTP. This prevents data from being monitored, intercepted, or tampered with by third parties. You can configure an SSL certificate in the Alibaba Cloud CDN console to encrypt requests between the clients and Alibaba Cloud CDN to ensure data security.
HTTPS secure acceleration protects communications from eavesdropping, tampering, impersonation attacks, and man-in-the-middle (MITM) attacks. HTTPS encrypts critical information in transit such as session IDs and cookies. This minimizes the risk of sensitive information leaks.
HTTPS is the new standard. If you use HTTP, your website may be exposed to security risks and users who visit your website are prompted that the website is not secure. This compromises user experience.
Mainstream search engines assign a higher weight to HTTPS-capable websites. After you enable HTTPS for your website, the website can achieve a higher ranking in search engine results.
SSL is located between the TCP/IP protocol and various application layer protocols. Clients, such as browsers, can use SSL to verify the authenticity and integrity of connections between servers and clients, and encrypt data for transmission.
Internet Engineering Task Force (IETF) standardized SSL and changed the name to Transport Layer Security (TLS). Therefore, the protocol is referred to as SSL/TLS.
SSL certificates use the SSL protocol for communications. SSL certificates are credentials that are issued by certificate authorities (CAs) to websites to authenticate the identities of websites and encrypt data for transmission.
End-to-end data transfer over HTTPS
The following figure shows how HTTPS encryption works when a client initiates a request to a server.
Configure an SSL certificate in the Alibaba Cloud CDN console to allow HTTPS connections between clients and points of presence (POPs).
Note: HTTPS secure acceleration is a value-added service. After you enable HTTPS secure acceleration, you are charged for basic services and HTTPS requests. For more information, see Billing of HTTPS requests for static content.
Configure an SSL certificate on the origin server and configure origin fetch over HTTPS. For more information, see Configure the origin protocol policy.
Note: If you want to implement end-to-end data transfer over HTTPS, make sure that the origin server supports HTTPS before you configure origin fetch over HTTPS. For more information, see Configure the origin protocol policy.
Configure HTTPS secure acceleration between clients and POPs
Step 1: Prepare a certificate for the accelerated domain name
Only certificates in the PEM format are supported. You can convert certificates in other formats to the PEM format. For more information, see Convert certificate formats.
You can apply for a free certificate or purchase an advanced certificate in the Certificate Management Service console.
You can also apply for a certificate from a third-party CA. The issued certificate must meet the certificate format requirements. For more information, see Certificate formats.
Step 2: Enable HTTPS secure acceleration
Required. After you prepare an SSL certificate, configure the certificate for the accelerated domain name before you enable HTTPS secure acceleration. For more information, see Configure an SSL certificate.
Optional. Configure more features based on your business requirements.
Configure client access protocols
You can use 301 redirection to redirect the HTTP requests that clients send to POPs to HTTPS, or to redirect HTTPS requests to HTTP.
You can configure HSTS to force clients, such as browsers, to connect to POPs over HTTPS. This reduces the risk of cookie hijacking.
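One way to check the redirect and HSTS settings described above once they are in effect, as an added example that is not Alibaba Cloud code: it audits the status and headers captured from one HTTP and one HTTPS request to the accelerated domain name. The domain cdn.example.com, the sample responses and the 180-day minimum max-age are assumptions made for this illustration.

```python
from urllib.parse import urlsplit
def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isascii() and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(host, http_resp, https_resp, min_max_age=15552000):
    """Return findings. Each response is (status, headers) with lowercase header names.
    min_max_age (180 days) is an assumed threshold, not a value from the page."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status != 301:
        findings.append(f"HTTP request returned {status}, expected a 301 redirect")
    elif target.scheme != "https" or target.hostname != host:
        findings.append(f"301 target {headers.get('location')!r} is not https://{host}/")
    if "strict-transport-security" in headers:
        findings.append("HSTS header sent over plain HTTP is ignored by browsers")
    status, headers = https_resp
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
    else:
        max_age, _ = parse_hsts(hsts)
        if max_age is None:
            findings.append("HSTS header has no valid max-age, so browsers ignore it")
        elif max_age == 0:
            findings.append("max-age=0 tells browsers to drop the HSTS policy")
        elif max_age < min_max_age:
            findings.append(f"HSTS max-age {max_age}s is below {min_max_age}s")
    if 300 <= status < 400 and headers.get("location", "").startswith("http://"):
        findings.append("HTTPS request redirects to HTTP, which undoes the upgrade")
    return findings

# Constructed sample responses for the placeholder domain cdn.example.com.
GOOD = ((301, {"location": "https://cdn.example.com/a.js"}),
        (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}))
WEAK = ((200, {}), (200, {"strict-transport-security": "max-age=0"}))

if __name__ == "__main__":
    for name, (plain, tls) in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit("cdn.example.com", plain, tls) or "ok")
```

An empty list means the captured responses match the intended configuration: HTTP is redirected with a 301 to the same host over HTTPS, and the HTTPS response carries a usable HSTS policy.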
Specify the protocol version
HTTP/2, originally named HTTP/2.0, is the first new version of HTTP since HTTP/1.1. HTTP/2 is a binary protocol that supports multiplexing and header compression. This protocol improves web performance and reduces network latency.
After you configure a TLS version, only clients that use that TLS version can send requests to and receive responses from POPs. This meets the security requirements of communication links.
Accelerate the verification of the SSL certificate
POPs cache certificate verification results and then send the results to clients without the need for the clients to verify certificates with the CAs. This reduces the verification time.
Am I charged for HTTPS requests when an HTTP 403 or 404 status code is returned because the IP addresses of the HTTPS requests belong to the IP address whitelist or blacklist or the headers of the HTTPS requests belong to the User-Agent whitelist or blacklist?