This topic describes the typical scenarios of custom domain names, how to bind a custom domain name to a web application, and how to enable the Alibaba Cloud CDN (CDN) acceleration feature for the bound custom domain name in the Function Compute console.

Typical scenarios

You can create HTTP functions in Function Compute. Only HTTP functions can be triggered by HTTP requests. An HTTP function is similar to a web application that can process HTTP requests and return the results to the callers. In the following sample scenarios, you must bind a custom domain name to a web application:
  • You have created a web application and migrated the web application to Function Compute, and want users to access the web application by using a fixed domain name. In this scenario, you can bind a custom domain name to the web application in the Function Compute console to allow users to use the domain name to access the web application.
  • You have created a web application in the Function Compute console. The web application can be accessed by using the default URL <account_id>.<region_id>.fc.aliyuncs.com/<version>/proxy/<serviceName>/<functionName>/[action?queries] provided by Function Compute. You may need to change the URL of the web application. To make sure that access to the web application is not affected, you can bind a custom domain name to the web application. This way, users can use the domain name to access the web application.

Prerequisites

An HTTP function is created. For more information, see Create an HTTP function. Requests that are sent from a custom domain name can trigger only HTTP functions.

Procedure

Custom domain name

Step 1: Apply for an ICP filing for a custom domain name

Apply for an Internet Content Provider (ICP) filing for your custom domain name in the Alibaba Cloud ICP filing system. For more information, see ICP filing application overview.

Step 2: Configure domain name resolution

Configure domain name resolution to resolve the custom domain name to the endpoint of the region where Function Compute resides. For more information, see Quick Start. You can resolve the domain name to a public or internal endpoint. If you resolve the domain name to a public endpoint, the domain name is accessed over the Internet. If you resolve the domain name to an internal endpoint, the domain name is accessed over the internal network.

Note When you configure domain name resolution to resolve the custom domain name to the Function Compute endpoint, you set the CNAME of the custom domain name to the Function Compute endpoint. The endpoint is in one of the following formats:
  • Internal endpoint: <account_id>.<region_id>-internal.fc.aliyuncs.com, in which account_id specifies the ID of your Alibaba Cloud account. For example, if your custom domain name is example.com, the ID of your Alibaba Cloud account is 164901546557****, and the region is China (Shanghai), the internal endpoint is 164901546557****.cn-shanghai-internal.fc.aliyuncs.com.
  • Public endpoint: <account_id>.<region_id>.fc.aliyuncs.com, in which account_id specifies the ID of your Alibaba Cloud account. For example, if your custom domain name is example.com, the ID of your Alibaba Cloud account is 164901546557****, and the region is China (Shanghai), the public endpoint is 164901546557****.cn-shanghai.fc.aliyuncs.com.

Step 3: Add the custom domain name

  1. Log on to the Function Compute console.
  2. In the left-side navigation pane, choose Advanced Features > Domain Names.
  3. In the top navigation bar, select the region where the service resides.
  4. On the Domain Names page, click Add Custom Domain Name.
  5. On the Add Custom Domain Name page, configure the parameters and click OK.
    Parameter | Description
    Domain Name | Enter the custom domain name that has obtained the ICP filing in the Alibaba Cloud ICP Filing system or whose ICP filing information includes Alibaba Cloud as a service provider.
    HTTPS | Select Enable or Disable to allow or disallow access to the custom domain name over HTTPS. Valid values:
    • Enable: allows the custom domain name to be accessed over HTTPS. You can access the custom domain name over HTTP and HTTPS.
      Note You can also select Redirects HTTP Requests to HTTPS. In this case, you can access the custom domain name only over HTTPS. Function Compute redirects requests for the custom domain name from HTTP to HTTPS.
    • Disable: disallows access to the custom domain name over HTTPS. You can access the custom domain name only over HTTP. You cannot access the custom domain name over HTTPS.
    Certificate Type | Select the type of the certificate that you want to upload. This parameter is required if you select Enable for the HTTPS parameter. Valid values:
    • Alibaba Cloud SSL Certificate: Select an Alibaba Cloud SSL certificate from the drop-down list. If the Certificate Name drop-down list is empty, you have not purchased an Alibaba Cloud SSL certificate. You can log on to the SSL Certificates Service console to purchase an Alibaba Cloud SSL certificate.
    • Manual Upload: Configure the Certificate Name, PEM Certificate Content, and PEM Certificate Key parameters.
      Note The size of the certificate that you want to upload cannot exceed 20 KB. The size of the private key cannot exceed 4 KB.
    TLS version | Select the transport layer security (TLS) protocol version that the function uses. If you leave this parameter empty, TLS 1.0 or a later version is used, including TLS 1.0, TLS 1.1, and TLS 1.2. Valid values:
    • TLS 1.0 and Later (Best Compatibility and Lower Security). TLS 1.0, TLS 1.1, and TLS 1.2 are supported.
    • TLS 1.1 and Later (High Compatibility and High Security). TLS 1.1 and TLS 1.2 are supported.
    • TLS 1.2 and Later (High Compatibility and Best Security). Only TLS 1.2 is supported.
    Note After you select a TLS protocol version, you can also select Enable Support for TLS1.3. This way, TLS 1.3 is supported.
    Cipher Suite | Select TLS cipher algorithm suites. If you leave this parameter empty, all cipher suites are selected. Valid values:
    • All Cipher Suites (High Compatibility and Low Security): Select all cipher suites. The following cipher suites are supported:
      • Strong cipher suites:
        • TLS_RSA_WITH_AES_128_CBC_SHA
        • TLS_RSA_WITH_AES_256_CBC_SHA
        • TLS_RSA_WITH_AES_128_GCM_SHA256
        • TLS_RSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      • Weak cipher suites:
        • TLS_RSA_WITH_RC4_128_SHA
        • TLS_RSA_WITH_3DES_EDE_CBC_SHA
        • TLS_RSA_WITH_AES_128_CBC_SHA256
        • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
        • TLS_ECDHE_RSA_WITH_RC4_128_SHA
        • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
        • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • Custom Cipher Suite (Select Based on Protocol Version. Proceed with Caution.): Select cipher suites based on your business requirements. All cipher suites are displayed in the drop-down list. You can click the delete icon on the right of a cipher suite to deselect a weak cipher suite and keep the cipher suites that are supported by the TLS protocols that you selected.

    For more information about TLS protocol versions and the supported cipher suites, see Mapping between TLS versions and cipher suites.

    In Function Compute, the naming of cipher suites follows the request for comments (RFC) naming conventions. The name of a cipher suite varies with the naming conventions. For more information about the differences in the names of cipher suites that are named based on the RFC and OpenSSL conventions, see Mapping between RFC and OpenSSL cipher suites.

    CDN Acceleration | Enable or disable CDN acceleration for the custom domain name. If you enable CDN acceleration for the custom domain name, users can read the required content with high efficiency by using the CDN-accelerated domain name.
    • Enable: enables CDN acceleration. If you set the CDN Acceleration parameter to Enable, you must enter an accelerated domain name in the CDN-Accelerated Domain Name field. Then, log on to the CDN console and configure a CNAME for the accelerated domain name. For more information, see (Optional) Step 4: Enable CDN acceleration.
    • Disable: disables CDN acceleration.
    Route | Configure the mapping between paths and functions. This way, requests from different paths can trigger different functions. You must configure the following fields:
    • Path: the path from which a request can trigger the specified function in the specified service.
    • Service Name: the name of the service to which the specified function belongs.
    • Function Name: the name of the function triggered by a request from the specified path.
    • Version or Alias: the version or alias of the service to which the function triggered by a request from the specified path belongs.

    You can configure multiple routes. For more information, see Routing rules.

(Optional) Step 4: Enable CDN acceleration

After you bind a custom domain name to a web application, you can use the custom domain name as the origin domain name, add an accelerated domain name, and then configure a CNAME for the accelerated domain name. This way, CDN acceleration is enabled for the custom domain name. An application that is deployed in Function Compute is used as the origin, and origin content is published to edge nodes so that users can read the required content with high efficiency. CDN acceleration effectively reduces access latency and improves service quality. For more information about CDN, see CDN documentation.

Notice If you enable CDN acceleration, you are charged for Internet traffic. For more information, see Overview.

Method 1: Add an accelerated domain name in the Function Compute console

  1. Log on to the Function Compute console.
  2. In the left-side navigation pane, choose Advanced Features > Domain Names.
  3. In the top navigation bar, select the region where the service resides.
  4. On the Domain Names page, find the desired domain name and click Modify in the Actions column.
  5. On the Modify Custom Domain Name page, set the CDN Acceleration parameter to Enable, enter a domain name in the CDN-Accelerated Domain Name field, and then click Save.
    Note You can specify multiple accelerated domain names for one custom domain name.
  6. Log on to the CDN console. In the left-side navigation pane, click Domain Names. On the Domain Names page, view the accelerated domain name that you added.

Method 2: Add an accelerated domain name in the CDN console

For more information about how to enable CDN acceleration in the CDN console, see Add a domain name.

When you add an accelerated domain name, select Function Compute Domain as Origin Info. Then, select the region where your Function Compute service resides and the custom domain name that you added in the Function Compute console.

After you add the accelerated domain name, you can verify in the Function Compute console that CDN acceleration is enabled for your custom domain name and that the accelerated domain name added in the CDN console is bound to your custom domain name. To verify the results, perform the following operations:

  1. Log on to the Function Compute console.
  2. In the left-side navigation pane, choose Advanced Features > Domain Names.
  3. In the top navigation bar, select the region where the service resides.
  4. On the Domain Names page, find the desired domain name and click Modify in the Actions column.
  5. On the Modify Custom Domain Name page, view the settings of the domain name for CDN that are synchronized from the CDN console.
After you add the domain name for CDN, you must configure a CNAME for the domain name for CDN. For more information, see Add a CNAME record for a domain name.
Note The CNAME is in the following format: Accelerated domain name.w.alikunlun.com. Example: example.aliyundoc.com.w.alikunlun.com.

Test the configurations

After you add the custom domain name or the CDN-accelerated domain name, you can use one of the following methods to check whether the custom domain name or the CDN-accelerated domain name can be accessed.

  • Method 1: Run the curl URL command, such as curl example.com/login.
  • Method 2: Use a browser.

    Enter the request URL in the address bar of a browser and press the Enter key to check whether the specified function is invoked.

Mapping between TLS versions and cipher suites

The following table describes the mapping between the TLS versions and their supported cipher suites. The Default configurations column in the table lists the cipher suites that are supported by Function Compute.

Cipher suite | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | Default configurations
--- | --- | --- | --- | --- | ---
TLS_RSA_WITH_3DES_EDE_CBC_SHA | Supported | Supported | Supported | Not supported | Supported
TLS_RSA_WITH_AES_128_CBC_SHA | Supported | Supported | Supported | Not supported | Supported
TLS_RSA_WITH_AES_256_CBC_SHA | Supported | Supported | Supported | Not supported | Supported
TLS_RSA_WITH_AES_128_GCM_SHA256 | Not supported | Not supported | Supported | Not supported | Supported
TLS_RSA_WITH_AES_256_GCM_SHA384 | Not supported | Not supported | Supported | Not supported | Supported
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | Supported | Supported | Supported | Not supported | Supported
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | Supported | Supported | Supported | Not supported | Supported
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | Supported | Supported | Supported | Not supported | Supported
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | Supported | Supported | Supported | Not supported | Supported
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | Supported | Supported | Supported | Not supported | Supported
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | Not supported | Not supported | Supported | Not supported | Supported
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | Not supported | Not supported | Supported | Not supported | Supported
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | Not supported | Not supported | Supported | Not supported | Supported
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | Not supported | Not supported | Supported | Not supported | Supported
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | Not supported | Not supported | Supported | Not supported | Supported
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | Not supported | Not supported | Supported | Not supported | Supported
TLS_RSA_WITH_RC4_128_SHA | Not supported | Not supported | Not supported | Not supported | Supported
TLS_RSA_WITH_AES_128_CBC_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | Not supported | Not supported | Not supported | Not supported | Supported
TLS_ECDHE_RSA_WITH_RC4_128_SHA | Not supported | Not supported | Not supported | Not supported | Supported
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported
TLS_AES_128_GCM_SHA256 | Not supported | Not supported | Not supported | Supported | Supported
TLS_AES_256_GCM_SHA384 | Not supported | Not supported | Not supported | Supported | Supported
TLS_CHACHA20_POLY1305_SHA256 | Not supported | Not supported | Not supported | Supported | Supported

Note In the preceding table, Supported indicates that the TLS version supports the cipher suite. Not supported indicates that the TLS version does not support the cipher suite.

Mapping between RFC and OpenSSL cipher suites

RFC | OpenSSL
--- | ---
TLS_RSA_WITH_3DES_EDE_CBC_SHA | DES-CBC3-SHA
TLS_RSA_WITH_AES_128_CBC_SHA | AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA | AES256-SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE-ECDSA-AES128-SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE-ECDSA-AES256-SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ECDHE-RSA-DES-CBC3-SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE-RSA-AES128-SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE-RSA-AES256-SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | N/A
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | N/A
TLS_RSA_WITH_RC4_128_SHA | RC4-SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 | AES128-SHA256
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | ECDHE-ECDSA-RC4-SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA | ECDHE-RSA-RC4-SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256
TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256
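
The following is an added example, not code from Function Compute or from the original documentation. It cross-references the strong and weak lists of the Cipher Suite parameter with the two mapping tables in this topic to plan a Custom Cipher Suite selection: which suites to deselect, what a client capped at each enabled TLS version can still negotiate, and the OpenSSL names of the kept suites for handshake checks. plan_custom_suite and the row encoding are assumptions made for this example.

```python
# Rows transcribed from this topic's tables (TLS 1.0-1.2 suites only):
# RFC name, TLS 1.x versions marked Supported ("-" = none),
# OpenSSL name ("N/A" where the topic lists none), W = weak / S = strong.
PAGE_TABLE = """\
TLS_RSA_WITH_AES_128_CBC_SHA 012 AES128-SHA S
TLS_RSA_WITH_AES_256_CBC_SHA 012 AES256-SHA S
TLS_RSA_WITH_AES_128_GCM_SHA256 2 AES128-GCM-SHA256 S
TLS_RSA_WITH_AES_256_GCM_SHA384 2 AES256-GCM-SHA384 S
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 012 ECDHE-ECDSA-AES128-SHA S
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 012 ECDHE-ECDSA-AES256-SHA S
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 012 ECDHE-RSA-AES128-SHA S
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 012 ECDHE-RSA-AES256-SHA S
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 2 ECDHE-ECDSA-AES128-GCM-SHA256 S
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 2 ECDHE-ECDSA-AES256-GCM-SHA384 S
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 2 ECDHE-RSA-AES128-GCM-SHA256 S
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 2 ECDHE-RSA-AES256-GCM-SHA384 S
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 2 N/A S
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 2 N/A S
TLS_RSA_WITH_RC4_128_SHA - RC4-SHA W
TLS_RSA_WITH_3DES_EDE_CBC_SHA 012 DES-CBC3-SHA W
TLS_RSA_WITH_AES_128_CBC_SHA256 - AES128-SHA256 W
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - ECDHE-ECDSA-RC4-SHA W
TLS_ECDHE_RSA_WITH_RC4_128_SHA - ECDHE-RSA-RC4-SHA W
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 012 ECDHE-RSA-DES-CBC3-SHA W
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - ECDHE-ECDSA-AES128-SHA256 W
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - ECDHE-RSA-AES128-SHA256 W
"""

SUITES = {}
for row in PAGE_TABLE.splitlines():
    name, vers, openssl_name, tag = row.split()
    SUITES[name] = {
        "versions": {"1." + d for d in vers if d != "-"},
        "openssl": None if openssl_name == "N/A" else openssl_name,
        "weak": tag == "W",
    }

# Console "TLS version" choices mapped to the protocol versions they enable.
ENABLED = {"1.0": ["1.0", "1.1", "1.2"], "1.1": ["1.1", "1.2"], "1.2": ["1.2"]}


def plan_custom_suite(selected, min_tls):
    """Split a console selection into suites to deselect and suites to keep."""
    unknown = [s for s in selected if s not in SUITES]
    if unknown:
        raise ValueError(f"not in this topic's cipher suite list: {unknown}")
    keep = [s for s in selected if not SUITES[s]["weak"]]
    return {
        "deselect": [s for s in selected if SUITES[s]["weak"]],
        # What a client capped at each enabled version can still negotiate.
        "per_version": {
            v: [s for s in keep if v in SUITES[s]["versions"]]
            for v in ENABLED[min_tls]
        },
        # Kept suites under their OpenSSL names, for handshake checks.
        "openssl": ":".join(
            SUITES[s]["openssl"] for s in keep if SUITES[s]["openssl"]
        ),
        "no_openssl_name": [s for s in keep if SUITES[s]["openssl"] is None],
    }
```

Calling plan_custom_suite(list(SUITES), "1.0") models the default All Cipher Suites selection with TLS 1.0 and later: clients limited to TLS 1.0 or TLS 1.1 are left with only the CBC-mode SHA suites once the weak suites are deselected.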

Routing rules

You must configure the mapping between paths and functions when you bind a custom domain name. This way, requests from different paths can trigger different functions. Function Compute supports exact match and fuzzy match, which work as follows:
  • Exact match: A function is triggered only if the path of the request is exactly the same as the specified path.

    For example, you have created a route whose path is /a, the corresponding service is s1, the corresponding function is f1, and the corresponding version is 1. Only requests from the /a path can trigger the f1 function of version 1. Requests from the /a/ path cannot trigger the f1 function of version 1.

  • Fuzzy match: You can append an asterisk (*) as a wildcard to a path.

    For example, you have created a route whose path is /login/*, the corresponding service is s2, the corresponding function is f2, and the corresponding version is 1. Requests from paths that begin with /login/, such as /login/a and /login/b/c/d, can trigger the f2 function of version 1.

Note
  • If multiple routes are configured for one custom domain name, exact match takes precedence over fuzzy match.
  • The longest prefix match (LPM) rule applies when fuzzy matches are performed.

    For example, the /login/a/* path and the /login/* path are configured for the custom domain name example.com, and the request URL is example.com/login/a/b. The request URL matches the configured paths. However, the /login/a/* path is used based on the LPM rule.

Examples

For example, the custom domain name is example.com. The following table describes five routing rules that are configured based on the steps described in this topic.

Routing rule | Path | Service name | Function name | Version
--- | --- | --- | --- | ---
Routing rule 1 | / | s1 | f1 | 1
Routing rule 2 | /* | s2 | f2 | 2
Routing rule 3 | /login | s3 | f3 | 3
Routing rule 4 | /login/a | s4 | f4 | 4
Routing rule 5 | /login/* | s5 | f5 | 5

The following table describes the final matches.

Request URL | Matched service name | Matched function name | Matched version | Matched path
--- | --- | --- | --- | ---
example.com | s1 | f1 | 1 | /
example.com/user | s2 | f2 | 2 | /*
example.com/login | s3 | f3 | 3 | /login
example.com/login/a | s4 | f4 | 4 | /login/a
example.com/login/a/b | s5 | f5 | 5 | /login/*
example.com/login/b | s5 | f5 | 5 | /login/*
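
The matching order described in Routing rules (exact match first, then the longest fuzzy prefix), written out as an added example that is not Function Compute's own code. It assumes that the wildcard appears only as a trailing * and that /login/* does not match /login itself; match_route and request_path are hypothetical names.

```python
from urllib.parse import urlsplit

# The five routing rules from the Examples table:
# (path, service name, function name, version).
ROUTES = [
    ("/", "s1", "f1", "1"),
    ("/*", "s2", "f2", "2"),
    ("/login", "s3", "f3", "3"),
    ("/login/a", "s4", "f4", "4"),
    ("/login/*", "s5", "f5", "5"),
]


def request_path(url):
    """Return the path of a URL such as 'example.com/login/a?x=1'."""
    if "//" not in url:
        url = "//" + url  # let urlsplit treat the first label as the host
    return urlsplit(url).path or "/"


def match_route(routes, url):
    """Return the route that handles url, or None if no route matches."""
    path = request_path(url)

    # 1. Exact match takes precedence over fuzzy match.
    for route in routes:
        if not route[0].endswith("*") and route[0] == path:
            return route

    # 2. Fuzzy match: among matching wildcard paths, the longest prefix wins.
    best = None
    for route in routes:
        pattern = route[0]
        if pattern.endswith("*") and path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best[0]):
                best = route

    # None corresponds to the DomainRouteNotFound (404) case.
    return best
```

Because /* matches every path that no other rule claims, a catch-all route like Routing rule 2 means DomainRouteNotFound is never returned for that domain name; every unlisted path reaches f2.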

Troubleshooting

If an error occurs when you bind a custom domain name, the server returns an error message. The following table describes common error codes to help you identify and resolve issues quickly.

Error code | HTTP status code | Error message | Cause
--- | --- | --- | ---
DomainNameAlreadyExists | 409 | domain name '%s' already exists | The error message is returned because the domain name that you want to bind already exists.
DomainNameNotFound | 404 | domain name '%s' does not exist | The error message is returned because the domain name that you want to query does not exist.
InvalidICPLicense | 400 | domain name '%s' has not got ICP license, or the ICP license does not belong to Aliyun | The error message is returned because the domain name has not obtained an ICP filing or its ICP filing information does not include Alibaba Cloud as a service provider.
DomainNameNotResolved | 400 | domain name '%s' has not been resolved to your FC endpoint, the expected endpoint is '%s' | The error message is returned because no CNAME has been configured for the domain name to point to the specified endpoint. You can check the CNAME settings by running the dig command or logging on to the Domain Name System (DNS) server.
DomainRouteNotFound | 404 | no route found in domain '%s' for path '%s' | The error message is returned because no to-be-triggered function is configured for the specified path.
TriggerNotFound | 404 | trigger 'http' does not exist in service '%s' and function '%s' | The error message is returned because no HTTP trigger is configured for the function bound to the custom domain name.

If your problem persists, contact Function Compute technical support.