Function Compute provides a default endpoint for HTTP functions you create. When you access this endpoint in a browser, the browser triggers a forced download. To access a function in a browser without triggering a forced download or to use a fixed domain name, you must configure a custom domain name.
Common scenarios
An HTTP function acts as a web application, processing HTTP requests and returning results to the caller. In the following scenario, you will attach a custom domain to the web application.
You created a web application and migrated it to Function Compute, and now want to access the application through a fixed domain name.
You built a web application in the Function Compute console. You want to access it using the default endpoint that Function Compute provides:
<account_id>.<region_id>.fc.aliyuncs.com/<version>/proxy/<serviceName>/<functionName>/[action?queries]. However, accessing this endpoint in a browser triggers a forced download. You need to change the web application’s access address without affecting users.
Prerequisites
Create an HTTP function. Only HTTP functions can be triggered by requests sent to a custom domain name.
Limits
You cannot configure a Chinese domain name.
Custom domain names are case-sensitive. Enter the domain name exactly as it appears in your ICP filing.
You can configure wildcard domain names and standard domain names.
Procedure
Configure a custom domain name end-to-end
Step 1: File your domain name for ICP
Depending on the domain name's service provider (SP) and associated account, you can refer to the corresponding operation guide to perform ICP filing.
Domain names bound to functions in China (Hong Kong) or regions outside China do not require ICP filing.
If you are unsure which service provider manages your domain name, check on the WHOIS lookup page.
If you are unsure whether your domain name belongs to your current Alibaba Cloud account, check in the Alibaba Cloud DNS console.
Domain name registered under your current Alibaba Cloud account
Use the Alibaba Cloud ICP Filing System to file your custom domain name. For details, see ICP filing process.
Domain name registered under another Alibaba Cloud account
We recommend filing the domain name using the Alibaba Cloud account under which it was registered.
Domain name registered outside Alibaba Cloud
If your entity and domain name are already filed with another service provider, and you now want to add Alibaba Cloud as a service provider or switch your service provider to Alibaba Cloud, complete an ICP filing for Alibaba Cloud. Use the Alibaba Cloud ICP Filing System to file your custom domain name.
Step 2: Configure domain name resolution
For instructions on configuring domain name resolution, see Configure domain name resolution.
You must resolve your ICP-filed domain name to the Function Compute endpoint in the corresponding region, which means configuring the CNAME record for your custom domain name to point to the Function Compute endpoint. On the domain name resolution page, add a record where the Record Type is CNAME and the Record Value is the Function Compute endpoint.
The Function Compute endpoint format is as follows:
Endpoint type | Format | Example | |
Public network endpoint |
| If your custom domain name is example.com, your Alibaba Cloud account ID is 164901546557****, and your region is China (Shanghai). | Your public network endpoint is |
Private network endpoint |
| Your private network endpoint is | |
If you want to access this domain name over the public network, you must configure the record value as the Function Compute public endpoint.
Step 3: Add a custom domain name
Log on to the Function Compute console. In the left-side navigation pane, choose .
In the top navigation bar, select a region. On the Custom Domains page, click Add Custom Domain Name.
On the Add Custom Domain Name page, enter the required settings. Click Create.
Configuration item
Action
Domain name
Enter your custom domain name. The domain name must be filed with Alibaba Cloud or added to your ICP filing as a service provider. You can enter a single domain name (for example,
www.aliyun.com) or a wildcard domain name (for example,*.aliyun.com).HTTPS
Enable or disable HTTPS access to your custom domain name as needed. Options:
Enable: Enable HTTPS access. Users can access your custom domain name using HTTP or HTTPS.
NoteYou can also select the Force HTTPS check box. When selected, only access via the HTTPS protocol is allowed for this custom domain, and Function Compute redirects all HTTP requests to this custom domain to the HTTPS protocol.
Disable: Disable HTTPS access. Users can access your custom domain name only using HTTP. HTTPS requests fail.
Certificate type
Select the certificate type to upload. You must set this option if you enable HTTPS access. Options:
Alibaba Cloud SSL Certificate: Select an SSL certificate from your Alibaba Cloud account. If the Certificate Name drop-down list is empty, you have not purchased an Alibaba Cloud SSL certificate. Log on to the SSL Certificate Management console to purchase one.
Manual Upload: Enter a Certificate Name. Paste the PEM certificate content and the PEM certificate key.
NoteThe certificate size must not exceed 20 KB. The certificate key size must not exceed 4 KB.
TLS version
Select the TLS version for your function.
NoteSelect a TLS version. Then select the Enable TLS 1.3 check box to support TLS 1.3.
Cipher suite
Select a TLS cipher suite. If you do not set this option, all cipher suites are enabled by default. Options:
All cipher suites, highest compatibility, lower security: Select all cipher suites. For the list of cipher suites supported by Function Compute, see List of strong and weak cipher suites.
Custom cipher suites for the selected TLS version. Choose carefully to avoid impacting your service: Enable only some cipher suites. The drop-down list shows all cipher suites. Click the
icon next to a cipher suite to remove it. Keep only the cipher suites supported by your selected TLS version.
ImportantChoose custom cipher suites carefully. Ensure that the server-side and client-side cipher suites match.
For the TLS versions and their supported cipher suites, see TLS versions and supported cipher suites.
Function Compute uses the RFC naming convention for cipher suites. Names of cipher suites vary based on the naming convention. For differences between RFC and OpenSSL cipher suite names, see Mappings between RFC cipher suite names and OpenSSL cipher suite names.
CDN acceleration
Enable or disable CDN acceleration as needed. After you enable CDN acceleration, end users read content faster through the CDN-accelerated domain name.
Enable: Enable CDN acceleration. Enter a custom CDN-accelerated domain name. Then log on to the CDN console to configure a CNAME for the accelerated domain name. For more information, see Step 4: Enable CDN acceleration (optional).
Disable: Disable CDN acceleration.
Web Application Firewall
Enable or disable Web Application Firewall as needed. After you enable Web Application Firewall for your custom domain name, it detects and blocks malicious traffic to your domain name. This prevents unauthorized access to your functions. For details, see Enable Web Application Firewall.
Enable: Enable Web Application Firewall protection.
Disable: Disable Web Application Firewall protection.
Routing configuration
Map request paths to functions. Requests to different paths trigger different functions. Set the following fields:
Path: The request path that triggers a specific function in a specific service.
Service name: The service that handles requests to the specified path.
Function name: The function in the specified service that handles requests to the specified path.
Version or alias: The version or alias of the function in the specified service that handles requests to the specified path.
Rewrite policy: Rewrite the URI of requests that match the specified path. For details, see Procedure.
You can add multiple routing rules. For more information, see Routing match rules.
After you finish the configuration, edit or delete the custom domain name as needed.
ImportantDeleting a custom domain name causes all requests to that domain name to fail. Proceed with caution.
Step 4: Enable CDN acceleration (optional)
After you bind a custom domain name to a web application, you can use the custom domain name as the origin domain name, add an accelerated domain name, and then configure a CNAME for the accelerated domain name. This enables CDN acceleration for the domain name. When you deploy the application on Function Compute as the origin, you distribute the source content to edge nodes, enabling end users to quickly retrieve the content they need. This effectively reduces access latency and improves service quality.
After you successfully add an accelerated domain name, you see the CDN toggle enabled for your custom domain name in the Function Compute console. You also see the accelerated domain name you added in the CDN console.
CDN acceleration consumes Internet traffic and incurs traffic fees. For more information, see Billing overview.
Your custom domain name and accelerated domain name cannot be the same. For example, if your custom domain name is www.test.com, your accelerated domain name must be different, such as cdn.test.com.
Log on to the CDN console. Enable CDN acceleration.
For instructions, see Add an accelerated domain name.
When setting the origin server information, select Function Compute domain name, and then select the region of the target Function Compute service and an existing custom domain.
Log on to the Function Compute console. In the left-side navigation pane, choose .
In the top navigation bar, select a region. In the domain name list, find the desired domain name and click Edit in the Actions column.
On the Edit Custom Domain Name page, view the CDN-accelerated domain name configuration synced from the CDN console.
After you successfully add a CDN-accelerated domain name, CDN assigns a CNAME domain name. On the Domain Management page, get the assigned CNAME domain name. Point your accelerated domain name’s DNS record to the assigned CNAME domain name to enable acceleration.
For instructions, see Configure a CNAME.
NoteThe CNAME format is
accelerated-domain-name.w.alikunlun.com. For example,example.aliyundoc.com.w.alikunlun.com.
Step 5: Verify the custom domain name
After you configure your custom domain name or CDN-accelerated domain name, test it using one of the following methods.
Method 1: Test using the command line
curl URL. For example,curl example.com/login.Method 2: Test using a browser.
Enter the request URL in the browser address bar and press Enter to verify that the target function is called.
Cipher suite information
Strong and weak cipher suites
TLS versions and supported cipher suites
The following table describes the mappings between TLS versions and the cipher suites that the TLS versions support. Function Compute configures all cipher suites in the list by default.
In the table, 
means the TLS version supports the cipher suite. 
means it does not.
Expand to view TLS versions and supported cipher suites.
Cipher suite | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA |
|
|
|
|
TLS_RSA_WITH_AES_128_CBC_SHA |
|
|
|
|
TLS_RSA_WITH_AES_256_CBC_SHA |
|
|
|
|
TLS_RSA_WITH_AES_128_GCM_SHA256 |
|
|
|
|
TLS_RSA_WITH_AES_256_GCM_SHA384 |
|
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
|
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
|
|
|
|
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
|
|
|
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
|
|
|
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
|
|
|
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
|
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
|
|
|
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
|
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
|
|
|
|
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 |
|
|
|
|
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 |
|
|
|
|
TLS_RSA_WITH_RC4_128_SHA |
|
|
|
|
TLS_RSA_WITH_AES_128_CBC_SHA256 |
|
|
|
|
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA |
|
|
|
|
TLS_ECDHE_RSA_WITH_RC4_128_SHA |
|
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
|
|
|
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
|
|
|
TLS_AES_128_GCM_SHA256 |
|
|
|
|
TLS_AES_256_GCM_SHA384 |
|
|
|
|
TLS_CHACHA20_POLY1305_SHA256 |
|
|
|
|
RFC and OpenSSL cipher suite name mapping
Match rules
Routing match rules
You must configure mappings between paths and functions when you bind a custom domain name. This way, requests from different paths can trigger different functions. Function Compute supports exact match and fuzzy match, and the specific rules are as follows:
Exact match: The request path must match the configured path exactly to trigger the corresponding function.
For example, if you set the path to /a, the service to s1, the function to f1, and the version to 1, only requests to /a trigger f1 version 1. Requests to /a/ do not trigger f1 version 1.
Fuzzy match: Use a wildcard (*) in the path. The wildcard can appear only at the end of the path.
For example, if you set the path to /login/*, the service to s2, the function to f2, and the version to 1, requests with the prefix /login/ (such as /login/a or /login/b/c/d) trigger f2 version 1.
If you configure multiple routing rules for a custom domain name, exact match takes priority over fuzzy match.
Fuzzy match uses longest prefix match.
For example, you configure /login/a/* and /login/*. Your custom domain name is
example.com. A request to example.com/login/a/b matches both paths. But longest prefix match selects /login/a/*.
Example
Assume your custom domain name is example.com. Based on the steps in this topic, you configure the following five routing rules.
Routing rule | Path | Service name | Function name | Version |
Rule 1 | / | s1 | f1 | 1 |
Rule 2 | /* | s2 | f2 | 2 |
Rule 3 | /login | s3 | f3 | 3 |
Rule 4 | /login/a | s4 | f4 | 4 |
Rule 5 | /login/* | s5 | f5 | 5 |
The final match results are as follows.
Request URL | Matched service name | Matched function name | Matched version | Matched path |
example.com | s1 | f1 | 1 | / |
example.com/user | s2 | f2 | 2 | /* |
example.com/login | s3 | f3 | 3 | /login |
example.com/login/a | s4 | f4 | 4 | /login/a |
example.com/login/a/b | s5 | f5 | 5 | /login/* |
example.com/login/b | s5 | f5 | 5 | /login/* |
Domain name match rules
Function Compute matches the domain name in your request to an appropriate custom domain and forwards the request to the function associated with that domain. Function Compute supports both exact match and fuzzy match for domain names, as follows.
Exact match: The function associated with a custom domain is triggered only when the requested domain name exactly matches the custom domain you created.
Fuzzy match: Wildcard domain names (also known as wildcard domains) are supported. The function associated with a custom domain is triggered when the requested domain name matches the wildcard pattern you defined. A wildcard character (*) can appear at most once and must be placed at the beginning of the domain name.
If a request matches both a single domain name and a wildcard domain name, the single domain name takes priority.
Wildcard domain names match only domains at the same level. For example, the domain name
*.aliyun.commatchesfc.aliyun.combut notcn-hangzhou.fc.aliyun.com. Both*.aliyun.comandfc.aliyun.comare third-level domain names. Butcn-hangzhou.fc.aliyun.comis a fourth-level domain name.
Example
Assume you have the custom domain names fc.aliyun.com, *.aliyun.com, and *.fc.aliyun.com. The following table shows which domain name each request matches.
Request domain name | Matched domain name |
fc.aliyun.com | fc.aliyun.com |
fnf.aliyun.com | *.aliyun.com |
cn-hangzhou.fc.aliyun.com | *.fc.aliyun.com |
accountID.cn-hangzhou.fc.aliyun.com | No match |
FAQ
Can I use the public network endpoint of an HTTP trigger in production?
I configured a custom domain name, but I always get HTTP 502 Bad Gateway errors. How do I fix this?
I keep getting errors when I try to use a Chinese domain name for my custom domain name. How do I fix this?
How do I fix forced downloads when users access my domain name in a browser?
My accelerated domain name returns HTTP 301 redirection. How do I fix this?
I cannot select existing services and functions in the routing configuration. What should I do?
Requests to my configured routing path do not trigger my function. How do I fix this?
Troubleshooting
If an error occurs while you bind a custom domain name, the server returns an error message. The following table lists common error codes to help you quickly identify issues.
Error code | HTTP status code | Error message | Cause |
InvalidICPLicense | 400 | domain name '%s' has not got ICP license, or the ICP license does not belong to Aliyun | Your domain name is not filed, or your ICP filing does not include Alibaba Cloud. For more information, see Step 1: File your domain name for ICP. |
DomainNameNotResolved | 400 | domain name '%s' has not been resolved to your FC endpoint, the expected endpoint is '%s' | Your domain name does not point to the correct endpoint using a CNAME record. Check using the dig command or your domain name resolution server. |
DomainRouteNotFound | 404 | no route found in domain '%s' for path '%s' | You did not configure a function for the specified path. |
TriggerNotFound | 404 | trigger 'http' does not exist in service '%s' and function '%s' | The function triggered by your custom domain name does not have an HTTP trigger configured. |
DomainNameNotFound | 404 | domain name '%s' does not exist | The domain name does not exist when retrieving domain name information. |
DomainNameAlreadyExists | 409 | domain name '%s' already exists | The domain name already exists when creating it. |
If you still cannot resolve the issue, join the DingTalk user group (DingTalk group number: 64970014484) and contact a Function Compute engineer for immediate assistance.