
Function Compute: Configure a custom domain name

Last Updated: Jun 26, 2023

You can bind a custom domain name to an application, and use the bound custom domain name to access the application. This topic describes the typical usage scenarios of custom domain names. This topic also describes how to bind a custom domain name to a web application, and how to enable the Alibaba Cloud CDN (CDN) acceleration feature for the bound custom domain name in the Function Compute console.

Typical scenarios

You can create HTTP functions in Function Compute. Only HTTP functions can be triggered by HTTP requests. An HTTP function is similar to a web application that can process HTTP requests and return the results to the callers. In the following sample scenarios, you must bind a custom domain name to a web application:

  • A web application is created and migrated to Function Compute. You want to use a fixed domain name to access the web application.

  • A web application in the Function Compute console is created. You want to use the default URL <account_id>.<region_id>.fc.aliyuncs.com/<version>/proxy/<serviceName>/<functionName>/[action?queries] provided by Function Compute to access the web application. If you change the default URL to another URL in actual business, users are not affected.

Prerequisites

An HTTP function is created. For more information, see Manage functions. Requests that are sent from a custom domain name can trigger only HTTP functions.

Procedure

Custom domain name

Step 1: Apply for an ICP filing for a custom domain name

Apply for an Internet Content Provider (ICP) filing for your custom domain name in the Alibaba Cloud ICP Filing Management system. For more information, see ICP filing application overview.

Step 2: Configure domain name resolution

Configure domain name resolution to resolve the custom domain name to the endpoint of the region where Function Compute resides. For more information, see Quick Start. You can resolve the domain name to a public endpoint or an internal endpoint. If you resolve the domain name to a public endpoint, the domain name is accessed over the Internet. If you resolve the domain name to an internal endpoint, the domain name is accessed over an internal network.

When you configure domain name resolution, you must add a CNAME record that points the custom domain name to the Function Compute endpoint. The following items describe the format of an endpoint:

  • An internal endpoint is in the <account_id>.<region_id>-internal.fc.aliyuncs.com format. In this format, account_id specifies the ID of your Alibaba Cloud account. For example, if your custom domain name is example.com, the ID of your Alibaba Cloud account is 164901546557****, and the region is China (Shanghai), the internal endpoint is 164901546557****.cn-shanghai-internal.fc.aliyuncs.com.

  • A public endpoint is in the <account_id>.<region_id>.fc.aliyuncs.com format. In this format, account_id specifies the ID of your Alibaba Cloud account. For example, if your custom domain name is example.com, the ID of your Alibaba Cloud account is 164901546557****, and the region is China (Shanghai), the public endpoint is 164901546557****.cn-shanghai.fc.aliyuncs.com.

Step 3: Add the custom domain name

  1. Log on to the Function Compute console. In the left-side navigation pane, choose Advanced Features > Custom Domains.
  2. In the top navigation bar, select a region. On the Custom Domains page, click Add Custom Domain Name.
  3. On the Add Custom Domain Name page, configure the parameters and click Create. The following table describes the parameters:

    Parameter

    Description

    Domain Name

    Enter a custom domain name that has obtained the Internet Content Provider (ICP) filing in the Alibaba Cloud ICP Filing system, or a custom domain name whose ICP filing information includes Alibaba Cloud as a service provider. Single domain names such as www.aliyun.com and wildcard domain names such as *.aliyun.com are supported.

    HTTPS

    Select Enable or Disable to allow or disallow the custom domain name to be accessed over HTTPS. Valid values:

    • Enable: allows the custom domain name to be accessed over HTTPS. If you select Enable for this parameter, you can access the custom domain name over HTTP or HTTPS.

      Note

      You can also select Redirects HTTP Requests to HTTPS. In this case, Function Compute redirects requests for the custom domain name from HTTP to HTTPS, and you can access the custom domain name only over HTTPS.

    • Disable: disallows the custom domain name to be accessed over HTTPS. If you select Disable for this parameter, you can access the custom domain name only over HTTP.

    Certificate Type

    Select the type of the certificate that you want to upload. This parameter is required if you select Enable for the HTTPS parameter. Valid values:

    • Alibaba Cloud SSL Certificate: Select an Alibaba Cloud SSL certificate from the Certificate Name drop-down list. An empty Certificate Name drop-down list indicates that you did not purchase an Alibaba Cloud SSL certificate. In this case, you can log on to the Cloud Security Center to purchase an Alibaba Cloud SSL certificate.

    • Manual Upload: Configure the Certificate Name, PEM Certificate Content, and PEM Certificate Key parameters.

      Note

      The certificate that you want to upload cannot exceed 20 KB in size. The certificate key cannot exceed 4 KB in size.

    TLS Version

    Select the transport layer security (TLS) protocol version that the function uses from the drop-down list. If you leave this parameter empty, TLS 1.0 or a later version is used, including TLS 1.0, TLS 1.1, and TLS 1.2. Valid values:

    • TLS 1.0 and Later (Best Compatibility and Low Security): TLS 1.0, TLS 1.1, and TLS 1.2 are supported.

    • TLS 1.1 and Later (High Compatibility and High Security): TLS 1.1 and TLS 1.2 are supported.

    • TLS 1.2 and Later (High Compatibility and Best Security): Only TLS 1.2 is supported.

    Note

    After you select a TLS protocol version, you can also select Enable Support for TLS1.3. This way, TLS 1.3 is supported.

    Cipher Suite

    Select TLS cipher algorithm suites. If you leave this parameter empty, all cipher suites are selected. Valid values:

    • All Cipher Suites (High Compatibility and Low Security): Select all cipher suites. The following cipher suites are supported:

      • Strong cipher suites:

        • TLS_RSA_WITH_AES_128_CBC_SHA

        • TLS_RSA_WITH_AES_256_CBC_SHA

        • TLS_RSA_WITH_AES_128_GCM_SHA256

        • TLS_RSA_WITH_AES_256_GCM_SHA384

        • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

        • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

        • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

        • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

        • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

        • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

        • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

        • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

        • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

        • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

      • Weak cipher suites:

        • TLS_RSA_WITH_RC4_128_SHA

        • TLS_RSA_WITH_3DES_EDE_CBC_SHA

        • TLS_RSA_WITH_AES_128_CBC_SHA256

        • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

        • TLS_ECDHE_RSA_WITH_RC4_128_SHA

        • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

        • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

        • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    • Custom Cipher Suite (Select Based on Protocol Version. Proceed with Caution): Select cipher suites based on your business requirements. All cipher suites are displayed in the drop-down list. You can click the delete icon on the right of a cipher suite to deselect the cipher suite. This way, you can delete weak cipher suites and keep the cipher suites that are supported by the TLS protocols that you selected.

    Important

    Select custom cipher suites with caution to ensure the cipher suites that are used by the client match the cipher suites that are used by the server.

    For more information about TLS protocol versions and the supported cipher suites, see Mapping between TLS versions and cipher suites.

    In Function Compute, the naming of cipher suites follows the request for comments (RFC) naming convention. The name of a cipher suite varies based on the naming conventions. For information about the differences between the names of cipher suites that are named based on the RFC conventions and the names of cipher suites that are named based on the OpenSSL conventions, see Mapping between RFC and OpenSSL cipher suites.

    CDN Acceleration

    Specifies whether to enable CDN acceleration for the custom domain name. If you enable CDN acceleration for the custom domain name, end users can use the CDN-accelerated domain name to read the required content with high efficiency. Valid values:

    • Enable: enables CDN acceleration. If you set the CDN Acceleration parameter to Enable, you must enter an accelerated domain name in the CDN-Accelerated Domain Name field. Then, log on to the CDN console and configure a CNAME record for the accelerated domain name. For more information, see (Optional) Step 4: Enable CDN acceleration.

    • Disable: disables CDN acceleration.

    Web Application Firewall (WAF)

    Specifies whether to enable the WAF feature for the custom domain name. After the WAF feature is enabled, WAF detects malicious traffic that is directed to your functions or applications and redirects normal and secure traffic to backend functions to prevent intrusions. For more information, see Enable WAF.

    • Enable

    • Disable

    Route

    Configure the mapping between paths and functions. This way, requests from different paths can trigger different functions. You must configure the following fields:

    • Path: the path from which a request can trigger the specified function in the specified service.

    • Service Name: the name of the service to which the specified function belongs.

    • Function Name: the name of the function triggered by a request from the specified path.

    • Version or Alias: the version or alias of the service to which the function triggered by a request from the specified path belongs.

    • Rewrite Policy: the rule based on which the Uniform Resource Identifier (URI) of a request in a specified path is rewritten. For more information, see Procedure.

    You can configure multiple routes based on your business requirements. For more information, see Routing rules.

    Important

    You can configure routing rules only for functions that support the GET request method in the Function Compute console. If you want to configure routing rules for functions that support other request methods, such as the POST method, use Serverless Devs or call the CreateCustomDomain operation.

    After you configure a custom domain name, you can modify or delete it based on your business requirements.

    Important

    If you delete a custom domain name, all requests that use the domain name to access Function Compute fail. Exercise caution when you perform this operation.

(Optional) Step 4: Enable CDN acceleration

After you bind a custom domain name to a web application, you can use the custom domain name as the origin domain name and add an accelerated domain name to it. Then, you can configure a CNAME record for the accelerated domain name. This way, CDN acceleration is enabled for the custom domain name. An application that is deployed in Function Compute is used as an origin server to publish the origin content to edge nodes. This way, users can read the required content efficiently. This helps reduce access latency and improve service quality. For information about CDN, see Alibaba Cloud CDN Documentation.

Note

If you enable the CDN acceleration feature, you are charged for Internet traffic. For more information, see Billing overview.

Method 1: Add an accelerated domain name in the Function Compute console

  1. Log on to the Function Compute console. In the left-side navigation pane, choose Advanced Features > Custom Domains.
  2. In the top navigation bar, select a region. In the domain name list, find the desired domain name and click Edit in the Actions column.
  3. On the Modify Custom Domain Name page, set the CDN Acceleration parameter to Enable, enter a domain name in the CDN-Accelerated Domain Name field, and then click Save.

    You can configure multiple accelerated domain names. Log on to the CDN console. In the left-side navigation pane, click Domain Names. On the Domain Names page, view the accelerated domain name that you added.

Method 2: Add an accelerated domain name in the CDN console

After you add the accelerated domain name, you can check whether CDN acceleration is enabled for your custom domain name in the Function Compute console and whether the specified accelerated domain name that is added in the CDN console is bound to your custom domain name.

  1. Log on to the Alibaba Cloud CDN console to activate Alibaba Cloud CDN.

    For more information, see Add a domain name.

    When you add an accelerated domain name, select Function Compute Domain as Origin Info. Then, select the region where your Function Compute service resides and the custom domain name that you added in the Function Compute console.

  2. Log on to the Function Compute console. In the left-side navigation pane, choose Advanced Features > Custom Domains.
  3. In the top navigation bar, select a region. In the domain name list, find the desired domain name and click Edit in the Actions column.
  4. On the Modify Custom Domain Name page, view the settings of the domain name for CDN that are synchronized from the CDN console.


After you add the domain name for CDN, you must configure a CNAME for the domain name for CDN. For more information, see Add a CNAME record for a domain name.

Note

The CNAME is in the Accelerated domain name.w.alikunlun.com format. Example: example.aliyundoc.com.w.alikunlun.com.

Test the configurations

After you add the custom domain name or the CDN-accelerated domain name, you can use one of the following methods to check whether the custom domain name or the CDN-accelerated domain name can be accessed.

  • Method 1: Run the curl URL command, such as curl example.com/login.

  • Method 2: Use a browser.

    Enter the request URL in the address bar of a browser and press the Enter key to check whether the specified function is invoked.

Mapping between TLS versions and cipher suites

The following table describes the mapping between TLS versions and the cipher suites that the TLS versions support. By default, all cipher suites in the table are configured in Function Compute.

Note

In the following table, Supported indicates that the TLS version supports the cipher suite. not-support indicates that the TLS version does not support the cipher suite.


| Cipher suite | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 |
| --- | --- | --- | --- | --- |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | Supported | Supported | Supported | not-support |
| TLS_RSA_WITH_AES_128_CBC_SHA | Supported | Supported | Supported | not-support |
| TLS_RSA_WITH_AES_256_CBC_SHA | Supported | Supported | Supported | not-support |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | not-support | not-support | Supported | not-support |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | not-support | not-support | Supported | not-support |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | Supported | Supported | Supported | not-support |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | Supported | Supported | Supported | not-support |
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | Supported | Supported | Supported | not-support |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | Supported | Supported | Supported | not-support |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | Supported | Supported | Supported | not-support |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | not-support | not-support | Supported | not-support |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | not-support | not-support | Supported | not-support |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | not-support | not-support | Supported | not-support |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | not-support | not-support | Supported | not-support |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | not-support | not-support | Supported | not-support |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | not-support | not-support | Supported | not-support |
| TLS_RSA_WITH_RC4_128_SHA | not-support | not-support | not-support | not-support |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | not-support | not-support | not-support | not-support |
| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | not-support | not-support | not-support | not-support |
| TLS_ECDHE_RSA_WITH_RC4_128_SHA | not-support | not-support | not-support | not-support |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | not-support | not-support | not-support | not-support |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | not-support | not-support | not-support | not-support |
| TLS_AES_128_GCM_SHA256 | not-support | not-support | not-support | Supported |
| TLS_AES_256_GCM_SHA384 | not-support | not-support | not-support | Supported |
| TLS_CHACHA20_POLY1305_SHA256 | not-support | not-support | not-support | Supported |
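
The following added example (not part of the original documentation) checks a Custom Cipher Suite selection against the mapping table above and the weak-suite list in Step 3, for TLS 1.0 to TLS 1.2. The function name `lint_selection` and its result keys are assumptions made for this illustration.

```python
# Added example: lint a Custom Cipher Suite selection against this page's tables.
# lint_selection and its result keys are illustrative names, not a Function Compute API.

VERSIONS = ("1.0", "1.1", "1.2")  # TLS 1.3 is enabled separately and is not covered here

# Suites the table marks as Supported for TLS 1.0, TLS 1.1 and TLS 1.2.
ALL_VERSIONS = """
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
""".split()

# Suites the table marks as Supported for TLS 1.2 only.
TLS12_ONLY = """
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
""".split()

# Suites the table marks as not-support for every TLS version.
NO_VERSION = """
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
""".split()

# The "Weak cipher suites" list from Step 3: the six suites above plus the two 3DES suites.
WEAK = set(NO_VERSION) | {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
}

SUPPORT = {s: set(VERSIONS) for s in ALL_VERSIONS}
SUPPORT.update({s: {"1.2"} for s in TLS12_ONLY})
SUPPORT.update({s: set() for s in NO_VERSION})


def lint_selection(min_version, suites):
    """Report problems with a cipher suite selection for a minimum TLS version."""
    enabled = VERSIONS[VERSIONS.index(min_version):]
    known = [s for s in suites if s in SUPPORT]
    return {
        # Names that do not appear in the page's table (typos, OpenSSL-style names).
        "unknown": [s for s in suites if s not in SUPPORT],
        # Selected suites that the page lists as weak.
        "weak": [s for s in known if s in WEAK],
        # Selected suites that no enabled TLS version supports.
        "unusable": [s for s in known if not SUPPORT[s] & set(enabled)],
        # Enabled TLS versions left with no usable suite, so those clients cannot connect.
        "versions_without_suite": [
            v for v in enabled if not any(v in SUPPORT[s] for s in known)
        ],
    }


if __name__ == "__main__":
    # Constructed selection: one AEAD suite, one 3DES suite, one RC4 suite.
    selection = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
    ]
    for key, value in lint_selection("1.2", selection).items():
        print(key, value)
```

A non-empty `versions_without_suite` means the TLS Version setting admits protocol versions that the selected suites cannot serve, which is the client and server mismatch the Important note in Step 3 warns about.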

Mapping between RFC and OpenSSL cipher suites


| RFC | OpenSSL |
| --- | --- |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | DES-CBC3-SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA | AES128-SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA | AES256-SHA |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE-ECDSA-AES128-SHA |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE-ECDSA-AES256-SHA |
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ECDHE-RSA-DES-CBC3-SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE-RSA-AES128-SHA |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE-RSA-AES256-SHA |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | N/A |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | N/A |
| TLS_RSA_WITH_RC4_128_SHA | RC4-SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | AES128-SHA256 |
| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | ECDHE-ECDSA-RC4-SHA |
| TLS_ECDHE_RSA_WITH_RC4_128_SHA | ECDHE-RSA-RC4-SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 |
| TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 |
| TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 |
| TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 |

Routing rules

You must configure the mapping between paths and functions when you bind a custom domain name. This way, requests from different paths can trigger different functions. Function Compute supports exact match and fuzzy match that can be implemented in the following way:

  • Exact match: A function is triggered only if the path of the request is exactly the same as the specified path.

    For example, you have created a route whose path is /a, the corresponding service is s1, the corresponding function is f1, and the corresponding version is 1. Only requests from the /a path can trigger the f1 function of version 1. Requests from the /a/ path cannot trigger the f1 function of version 1.

  • Fuzzy match: You can append an asterisk (*) as a wildcard to a path.

    For example, you have created a route whose path is /login/*, the corresponding service is s2, the corresponding function is f2, and the corresponding version is 1. Requests from paths that begin with /login/, such as /login/a and /login/b/c/d, can trigger the f2 function of version 1.

Note
  • If multiple routes are configured for one custom domain name, exact match takes precedence over fuzzy match.

  • The longest prefix match (LPM) rule applies when fuzzy matches are performed.

    For example, the /login/a/* path and the /login/* path are configured for the custom domain name example.com, and the request URL is example.com/login/a/b. The request URL matches the configured paths. However, the /login/a/* path is used based on the LPM rule.

Examples

In this example, the custom domain name is example.com and five routing rules are configured based on the steps that are described in this topic. The following table describes the routing rules.

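| Routing rule | Path | Service name | Function name | Version |
| --- | --- | --- | --- | --- |
| Routing rule 1 | / | s1 | f1 | 1 |
| Routing rule 2 | /* | s2 | f2 | 2 |
| Routing rule 3 | /login | s3 | f3 | 3 |
| Routing rule 4 | /login/a | s4 | f4 | 4 |
| Routing rule 5 | /login/* | s5 | f5 | 5 |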

The following table describes the final matches.

| Request URL | Matched service name | Matched function name | Matched version | Matched path |
| --- | --- | --- | --- | --- |
| example.com | s1 | f1 | 1 | / |
| example.com/user | s2 | f2 | 2 | /* |
| example.com/login | s3 | f3 | 3 | /login |
| example.com/login/a | s4 | f4 | 4 | /login/a |
| example.com/login/a/b | s5 | f5 | 5 | /login/* |
| example.com/login/b | s5 | f5 | 5 | /login/* |
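
The following added example (not part of the original documentation) implements the exact-match and longest-prefix rules described above and reproduces the final matches for the five routing rules. The function names are assumptions, and the sketch compares the raw request path without decoding or normalizing it, which is also an assumption about the service.

```python
# Added example: the route selection rules described above, run on this page's tables.
# match_route, resolve and catch_all_hits are illustrative names.
from urllib.parse import urlsplit

# (path, service, function, version): the five routing rules from the table above.
ROUTES = [
    ("/", "s1", "f1", "1"),
    ("/*", "s2", "f2", "2"),
    ("/login", "s3", "f3", "3"),
    ("/login/a", "s4", "f4", "4"),
    ("/login/*", "s5", "f5", "5"),
]


def match_route(routes, path):
    """Return the winning route tuple for a request path, or None."""
    path = path or "/"  # a bare "example.com" is a request for "/"
    best, best_len = None, -1
    for route in routes:
        pattern = route[0]
        if not pattern.endswith("*"):
            if pattern == path:
                return route  # exact match takes precedence over fuzzy match
            continue
        prefix = pattern[:-1]  # "/login/*" matches paths that begin with "/login/"
        if path.startswith(prefix) and len(prefix) > best_len:
            best, best_len = route, len(prefix)  # longest prefix match (LPM)
    return best


def resolve(url, routes=ROUTES):
    """Map a request URL to (service, function, version, matched path)."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat "example.com/x" as host + path
    route = match_route(routes, urlsplit(url).path)
    if route is None:
        return None
    path, service, function, version = route
    return (service, function, version, path)


def catch_all_hits(urls, routes=ROUTES):
    """List the URLs that reach a function only through the '/*' fallback route."""
    hits = []
    for url in urls:
        result = resolve(url, routes)
        if result is not None and result[3] == "/*":
            hits.append(url)
    return hits


if __name__ == "__main__":
    for url in ("example.com", "example.com/user", "example.com/login",
                "example.com/login/a", "example.com/login/a/b", "example.com/login/b"):
        print(url, "->", resolve(url))
```

Running `catch_all_hits` over a list of expected URLs shows which requests fall through to the `/*` route, which is useful when reviewing what a broad wildcard route exposes.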

Domain name matching rules

Function Compute matches a domain name based on the domain name information in your request and forwards the request to the function that corresponds to the matched domain name. Function Compute supports exact match and fuzzy match for domain names. These matching rules are implemented in the following way:

  • Exact match: The function that corresponds to the domain name can be triggered only if the domain name of the request exactly matches the custom domain name that you created.

  • Fuzzy match: Wildcard domain names are supported. The function can be triggered if the domain name of the request partially matches the custom domain name that you created. A maximum of one wildcard character (*) can be contained in a domain name, and the wildcard character must be at the beginning of the domain name.

Note
  • If a request matches a single domain name and a wildcard domain name at the same time, the request is forwarded to the function that corresponds to the single domain name.

  • In fuzzy match, a wildcard domain name can match only a domain name at the same level. For example, the wildcard domain name *.aliyun.com can match the domain name fc.aliyun.com, but not the domain name cn-hangzhou.fc.aliyun.com. This is because *.aliyun.com and fc.aliyun.com are third-level domain names, but cn-hangzhou.fc.aliyun.com is a fourth-level domain name.

Examples

The following table lists the domain names that are matched for requests that contain custom domain names fc.aliyun.com, *.aliyun.com, and *.fc.aliyun.com.

| Domain name in the request | Matched domain name |
| --- | --- |
| fc.aliyun.com | fc.aliyun.com |
| fnf.aliyun.com | *.aliyun.com |
| cn-hangzhou.fc.aliyun.com | *.fc.aliyun.com |
| accountID.cn-hangzhou.fc.aliyun.com | None |
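
The following added example (not part of the original documentation) implements the domain name matching rules above and reproduces the table for the three configured names. The function names are assumptions, as are the lowercasing of the host and the removal of a port or trailing dot before matching.

```python
# Added example: the domain name matching rules described above.
# normalize_host, valid_pattern and match_domain are illustrative names.

# The three custom domain names used in the table above.
CONFIGURED = ["fc.aliyun.com", "*.aliyun.com", "*.fc.aliyun.com"]


def normalize_host(host):
    """Lowercase the Host value and drop a port and trailing dot (assumed behaviour)."""
    host = host.strip().lower().split(":")[0]
    return host.rstrip(".")


def valid_pattern(name):
    """At most one wildcard, and only as the whole first label of the name."""
    if "*" not in name:
        return bool(name)
    return name.count("*") == 1 and name.startswith("*.") and len(name) > 2


def match_domain(configured, host):
    """Return the configured name that serves this host, or None."""
    names = {n.lower() for n in configured if valid_pattern(n)}
    host = normalize_host(host)
    if "*" in host:
        return None  # a literal wildcard is not a valid request host
    if host in names:
        return host  # a single domain name wins over a wildcard domain name
    first_label, _, parent = host.partition(".")
    # A wildcard stands for exactly one label, so only the name formed by
    # replacing the first label can match (same domain level).
    candidate = "*." + parent
    if first_label and parent and candidate in names:
        return candidate
    return None


if __name__ == "__main__":
    for host in ("fc.aliyun.com", "fnf.aliyun.com",
                 "cn-hangzhou.fc.aliyun.com", "accountID.cn-hangzhou.fc.aliyun.com"):
        print(host, "->", match_domain(CONFIGURED, host))
```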

Troubleshooting

If an error occurs when you bind a custom domain name, the server returns an error message. The following table describes common error codes to help you quickly identify and resolve issues.

| Error code | HTTP status code | Error message | Cause |
| --- | --- | --- | --- |
| InvalidICPLicense | 400 | domain name '%s' has not got ICP license, or the ICP license does not belong to Aliyun | The error message is returned because the domain name has not obtained an ICP filing or the information in the ICP filing does not include Alibaba Cloud as a service provider. For more information, see Step 1: Apply for an ICP filing for a custom domain name in this topic. |
| DomainNameNotResolved | 400 | domain name '%s' has not been resolved to your FC endpoint, the expected endpoint is '%s' | The error message is returned because no CNAME has been configured for the domain name to point to the specified endpoint. You can check the CNAME settings by running the dig command or logging on to the Domain Name System (DNS) server. |
| DomainRouteNotFound | 404 | no route found in domain '%s' for path '%s' | The error message is returned because no to-be-triggered function is configured for the specified path. |
| TriggerNotFound | 404 | trigger 'http' does not exist in service '%s' and function '%s' | The error message is returned because no HTTP trigger is configured for the function bound to the custom domain name. |
| DomainNameNotFound | 404 | domain name '%s' does not exist | The error message is returned because the domain name that you want to query does not exist. |
| DomainNameAlreadyExists | 409 | domain name '%s' already exists | The error message is returned because the domain name that you want to bind already exists. |

If your problem persists, join the DingTalk group 11721331 to communicate instantly with Function Compute engineers.