
Edge Security Acceleration: Add your website to ESA by CNAME setup

Last Updated: May 07, 2025

If your website is added to Edge Security Acceleration (ESA) by CNAME setup, you need to add a DNS record to map the domain that you want to proxy to the ESA-assigned CNAME. This way, user requests destined for your domain can be forwarded to ESA points of presence (POPs). This enables content delivery acceleration, edge computing, and enhanced protection.

Select an appropriate DNS setup

ESA provides two DNS setups: CNAME and NS. Before you add your domain name to ESA, you can select a setup based on your needs.

  • CNAME setup: the setup used by traditional CDN products. You can choose CNAME if you are familiar with traditional Content Delivery Network (CDN) products or do not want to change your DNS service provider.

  • NS setup: ESA manages DNS for your domain name. NS is suitable if you have not used traditional CDN products or need one-stop website management.

Procedure

Before you begin

  1. You have an Alibaba Cloud account. For information about creating accounts, see Create an Alibaba Cloud account.

  2. You have a domain name and its origin. You can register a domain name on Alibaba Cloud, and create an ECS instance as your origin.

Step 1: Add a website

Add the root domain of your website to ESA. This allows ESA to manage DNS resolution for your entire domain.

  1. In the ESA console, select Websites. On the Websites page, click Add Website.

  2. In the Enter Website step, enter the domain name you want to add to ESA, such as example.com, and click Next.

  3. In the Select Location and DNS Setup step, select the region where you want to have ESA service in the Location section. Select NS in the DNS Setup section, and then click Next.

  4. On the Select Plan page, you can select New Plans or Purchased Plans to choose a plan for your website. Then, follow the instructions in the console to make the purchase.

    Note

    To accelerate and protect your website with ESA, you need to add a DNS record.

Verify the ownership of a domain name

After adding a domain name to ESA for the first time, you must verify its ownership. Once verified, ownership does not need to be re-verified for the domain or its subdomains.

  1. In the left-side navigation pane, click Overview and copy the TXT record provided by ESA. This record is used to verify the ownership of your domain name.

  2. Follow the instructions in the console to go to your DNS service provider and add the copied information in TXT format to your domain name resolution records.

  3. Wait until the TXT record takes effect. Then, return to the Overview page in the ESA console, and click Verify to complete the verification.

    Note

    It may take minutes to hours for the TXT record to take effect after it is configured. If the verification fails, try again later.

(Optional) Configure the SSL certificate

If you want to allow HTTPS access to your proxied domains, configure edge certificates for the domains. This prevents service interruptions if users access your website over HTTPS.

Add a domain name

After you have verified the ownership of the domain name, perform the following steps to configure the ESA proxy acceleration service for the subdomain.

Obtain the CNAME in ESA

To obtain the CNAME value, add DNS records in ESA by configuring information such as the prefix of the domain name to be accelerated and the origin server address.

  1. In the left-side navigation pane, choose DNS > Records.

  2. You can import multiple records at a time or manually add records one by one.

    Manually add a single record

    1. Click Add Record and add a DNS record in the pop-up dialog box.

      Add DNS records

      Example: the domain name of your website is example.cn, and you want to accelerate the web pages of its subdomain www.example.cn. The IP address of the source server is 1.2.3.4. You can configure the record as shown in the following figure.

    2. Click Next and select a business type.

    Batch import multiple DNS records

    1. Click Import. On the page that appears, click Download File Template.

    2. Fill in the template file with the DNS records from your current DNS service provider, save it, and click Upload File.

      Import Template

      ;Hostname TTL IN Record Type Record Value
      
      $ORIGIN example.com.
      
      ; A record
      1.example.com.   600 IN  A   8.8.8.8
      
      ; AAAA record
      2.example.com.   600 IN  AAAA		2400:cb00:2049:1::a29f:f9
      
      ; CNAME record
      3.example.com.   600 IN  CNAME     example.com.
      
      ; MX record
      4.example.com.    600 IN  MX	15 mailhost.example.com.
      
      ; TXT record
      5.example.com.   600 IN  TXT	xxxxxxxxxxxxxxxxxxx
      
      ; NS record
      6.example.com.    600 IN  NS	ns.example.com.
      
      ; SRV record
      _sip._tcp.example.com.   600 IN  SRV	1 5 7001 srvhostname.example.com.
      
      ; CAA record
      hostname.example.com.    600 IN  CAA	0 issue example.com
      
      ; CERT record
      cert.example.com.	1	IN	CERT	0 0 0 VEVwQk5GWXlUR3RXVVZwc1RIcGFhMGh0UVhWUGQweFJFZENNM0JSVFROV2JVd3lWbFJOTkVSS1dnPT0=
      
      ; SMIMEA record
      smimea.example.com.	1	IN	SMIMEA	12 12 12 436c6f7564666c61726520444e53
      
      ; SSHFP record
      sshfp.example.com.	1	IN	SSHFP	12 12 436C6F7564666C61726520444E53
      
      ; TLSA record
      tlsa.example.com.	1	IN	TLSA	12 12 12 436c6f7564666c61726520444e53
      
      ; URI record
      uri.example.com.	1	IN	URI	12 12 "http://www.example.com/service"
    3. On the Import page, check and adjust the configurations of the records, and click OK.

  3. After the record is added, follow the instructions in the console, click CNAME Configuration Guide, and click the icon to retrieve the CNAME record that points to ESA POPs.
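
Before uploading a filled-in import file, it helps to lint it offline. The following is an added example, not part of the ESA documentation or tooling: it parses the template layout shown above (hostname, TTL, IN, record type, record value) and reports malformed lines, hostnames outside $ORIGIN, A/AAAA values of the wrong address family, and a CNAME that shares its name with other records. The function name and the sample records are assumptions made for this example.

```python
import ipaddress

TEMPLATE_TYPES = set("A AAAA CNAME MX TXT NS SRV CAA CERT SMIMEA SSHFP TLSA URI".split())

def lint_template(text):
    """Return (line_no, message) findings for a file in the template's layout."""
    origin, findings, types_at = None, [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or whole-line comment
            continue
        parts = line.split(None, 4)               # hostname TTL IN type value
        if parts[0].upper() == "$ORIGIN" and len(parts) == 2:
            origin = parts[1].lower().rstrip(".")
            continue
        if len(parts) < 5 or parts[2].upper() != "IN":
            findings.append((no, "expected: hostname TTL IN type value"))
            continue
        host, ttl, rtype, value = parts[0].lower().rstrip("."), parts[1], parts[3].upper(), parts[4]
        if not ttl.isdigit():
            findings.append((no, f"TTL is not a number: {ttl}"))
        if rtype not in TEMPLATE_TYPES:
            findings.append((no, f"record type not in the template: {rtype}"))
        if origin and host != origin and not host.endswith("." + origin):
            findings.append((no, f"{host} is outside $ORIGIN {origin}"))
        if rtype in ("A", "AAAA"):
            try:
                version = ipaddress.ip_address(value).version
            except ValueError:
                version = None
            if version != (4 if rtype == "A" else 6):
                findings.append((no, f"{rtype} value is not an address of that family: {value}"))
        types_at.setdefault(host, {}).setdefault(rtype, no)
    for host, seen in types_at.items():
        if "CNAME" in seen and len(seen) > 1:
            findings.append((seen["CNAME"], f"CNAME at {host} coexists with other record types (RFC 1034)"))
    return findings

# Constructed sample in the template's layout, with deliberate mistakes.
SAMPLE = """\
$ORIGIN example.com.
www.example.com.   600 IN  A      2400:cb00:2049:1::a29f:f9
api.example.com.   600 IN  CNAME  example.com.
api.example.com.   600 IN  TXT    "v=spf1 -all"
shop.example.net.  ttl IN  A      1.2.3.4
"""

if __name__ == "__main__":
    print(*lint_template(SAMPLE), sep="\n")
```

The linter treats only whole-line `;` comments as comments, so TXT values that contain semicolons are left intact.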

Add a CNAME record at your DNS service provider

Since your domain name resolution is managed by a third-party DNS service provider, you must add the corresponding CNAME record there. When a user requests an accelerated domain name, the DNS service provider resolves the request to the appropriate ESA POP, providing acceleration through a proxy service.

  1. Follow the instructions in the console to go to your DNS service provider and add the copied information to your domain resolution records as a CNAME record. This step is the same as Step 2: Verify the ownership of the domain name.

  2. Return to the ESA console, select DNS > Record, and make sure that the CNAME Status of the newly added record is Configured.

    Note

    It may take minutes to hours for the TXT record to take effect after it is configured. If the verification fails, try again later.
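
To confirm from the command line that the record at your DNS service provider points at the ESA-assigned CNAME while you wait for CNAME Status to change, you can follow the CNAME chain in `dig` output. This is an added example, not ESA tooling; the function names, the state labels, and the CNAME target (a placeholder, not a real ESA value) are assumptions.

```python
import subprocess

def resolve_chain(answer, host):
    """Follow CNAMEs for host in `dig +noall +answer` text.

    Returns (cname_targets_in_order, addresses_of_final_name)."""
    records = {}
    for line in answer.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2].upper() == "IN":   # name TTL IN type value
            key = (f[0].lower().rstrip("."), f[3].upper())
            records.setdefault(key, []).append(f[4].lower().rstrip("."))
    name, chain = host.lower().rstrip("."), []
    while (name, "CNAME") in records and len(chain) < 10:   # stop on loops
        name = records[(name, "CNAME")][0]
        chain.append(name)
    return chain, records.get((name, "A"), []) + records.get((name, "AAAA"), [])

def cname_state(answer, host, esa_cname):
    """Classify how host resolves relative to the ESA-assigned CNAME."""
    chain, addrs = resolve_chain(answer, host)
    if esa_cname.lower().rstrip(".") in chain:
        return "points-to-esa"
    if chain:
        return "other-cname"      # a CNAME exists but targets something else
    return "address-only" if addrs else "no-answer"

# Constructed sample; the CNAME target is a placeholder, not a real ESA value.
ESA_CNAME = "www.example.cn.esa-cname.example."
SAMPLE = """\
www.example.cn.                    600 IN CNAME www.example.cn.esa-cname.example.
www.example.cn.esa-cname.example.  60  IN A     192.0.2.10
"""

if __name__ == "__main__":
    host = "www.example.cn"
    out = subprocess.run(["dig", "+noall", "+answer", host],
                         capture_output=True, text=True, timeout=10).stdout
    print(host, cname_state(out, host, ESA_CNAME))
```

An `address-only` result means the hostname still resolves directly to an address record, so its traffic is not passing through the CNAME you added.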

(Optional) Verify whether a website is accelerated

When your website is active on ESA, client requests to your website are automatically directed to the nearest POPs. You can check the IP address to verify whether the acceleration takes effect.

Method 1: Use the browser developer tools

Test a proxied DNS record. Traffic to unproxied DNS records does not pass through POPs.

  1. Access a resource on your website by using a web browser, such as https://api.example.com/test.txt. Use developer tools to query the IP address to which the request is directed.

  2. Go to the IP Geolocation page to check whether the IP address belongs to ESA POPs. If yes, the website is being accelerated by ESA.

Method 2: Use the CLI

Test a proxied DNS record. Traffic to unproxied DNS records does not pass through POPs.

For Windows
  1. Start Command Prompt.

  2. Run the nslookup -type=A hostName command, such as nslookup -type=A test.example.com, to obtain the resolved IP address.

  3. Go to the IP Geolocation page to check whether the IP address belongs to ESA POPs. If yes, the website is being accelerated by ESA.

For Linux or macOS
  1. Open the terminal.

  2. Run the dig hostName command, such as dig test.example.com, to obtain the resolved IP address.

  3. Go to the IP Geolocation page to check whether the IP address belongs to ESA POPs. If yes, the website is being accelerated by ESA.

Method 3: Check the instant logs

Note

The Entrance plan does not support instant logs. You can upgrade your plan.

  1. In the ESA console, select Websites. On the Websites page, find the website that you want to manage, and click the website name.

  2. In the left-side navigation pane, choose Analytics and Logs > Instant Logs. Then, click Start Monitoring to collect logs.

  3. If the access log can be queried on the Instant Logs page, the website is being accelerated by ESA.


Enable security protection

After your website is connected to ESA, you can customize security settings for data encryption and request filtering.

Data transmission encryption

Because ESA sits between the client and your server, it helps you manage data transmission security from end to end.

By default, ESA enables the SSL/TLS feature. You can apply for a free edge certificate to use HTTPS to access ESA POPs. To enhance security between clients and ESA POPs, you can enable TLS mutual authentication. This way, clients are verified before requests are accepted.

Abnormal requests mitigation

ESA's native Web Application Firewall (WAF) protection rules can filter requests from clients to ensure that only clean traffic reaches the servers.

While your business is running, ESA collects data from multiple dimensions for security analytics and event analytics. This helps you quickly identify abnormal requests and use WAF custom rules to block or challenge requests. By default, ESA enables Basic DDoS Protection to protect your website against DDoS and HTTP flood attacks.

Optimize website performance

Maximize your website's overall performance by enhancing access and network speed through ESA features.

Access speed

You can enhance your website's access speed by setting up ESA features such as image transformations, content compression, and protocol optimization.

Network speed

ESA helps you improve network speed with IPv6 support, WebSocket and gRPC connections, as well as settings for a maximum upload size.

Learn more about ESA

ESA also supports features related to cache, edge computing, rules, analytics and logs, and traffic.

Cache

You can store resource files at ESA POPs by configuring cache policies or cache rules for your website. When you request a file, the POP will respond directly, reducing time-consuming origin fetches and speeding up access to the latest files.

Edge computing

ESA offers an efficient, flexible, and low-latency edge computing solution through three products: Edge Routine, Edge Containers, and Edge KV.

  • Edge Routine: This serverless service allows you to deploy JavaScript code directly on POPs. Your requests are processed at the nearest POP, significantly reducing computing latency.

  • Edge Containers: These are container-based computing resources deployed on POPs. They offer high elasticity and easy maintenance. With global deployment and localized scheduling, they simplify protocol handling and greatly reduce response time.

  • Edge KV: This key-value edge storage service works with Edge Routine to help you quickly access data from the same POP, enabling lightweight BaaS services and API gateways.

Rules

Leverage a unified tool to create and deploy conditional rules across various features such as caching, redirection, compression, origin fetch, and WAF. This allows you to flexibly and precisely implement various strategies, leading to more efficient management and optimization.

Analytics and logs

ESA generates real-time and detailed analytics and logs when processing requests. You can use this information to optimize resource allocation, identify and fix service issues, create monitoring solutions, and assess network connection quality for performance testing. These features help you ensure stable and efficient website operations.

Traffic

ESA POPs monitor data flow in real time and adjust it intelligently. Use these features to optimize traffic distribution strategies and balance the load across multiple origins. You can significantly reduce latency while enhancing the availability and stability of your services.