Map a custom domain name to a function or application - Function Compute

Use cases

Map a custom domain name to a function or application in the following scenarios:

You have migrated a web application to Function Compute and want to access it through its existing domain name.
You built a web application in the Function Compute console and want to use different paths of the same domain name to trigger different functions.
You created an application, such as a Stable Diffusion application, in the Serverless Application Center of Function Compute and want to access it with a static domain name.

Limitations

When binding a custom domain name to a function, you must select the function's region.
Custom domain names are case-sensitive. You must enter the domain name exactly as specified in its ICP filing.
Wildcard and standard domain names are supported, but Chinese domain names are not.

How it works

Prerequisites

You have created a function or an application. For more information, see Create a function and Create an application.

Binding a custom domain name to an application also binds it to the associated function. You can find this automatically created function resource in the Resource Information section on the Environment Details page. Click the function name to go to the function details page.
Your custom domain name must have an ICP filing with Alibaba Cloud as the service provider.

Follow the ICP filing instructions for your domain name's service provider and the account that owns it.
- Domain names registered with the current Alibaba Cloud account
  
  Log on to the Alibaba Cloud ICP Filing system to complete the ICP filing for the custom domain name.
- Domain names registered with another Alibaba Cloud account
  
  We recommend that you use the Alibaba Cloud account that registered the domain name to complete the ICP filing. Then, log on to the Alibaba Cloud ICP Filing system to complete the ICP filing for the custom domain name.
- Domain names not registered with an Alibaba Cloud account
  
  If another service provider handled your domain name's ICP filing, you must update the filing to add Alibaba Cloud as a service provider. Log on to the Alibaba Cloud ICP Filing system to do so.
Note
- Custom domain names bound to functions in the China (Hong Kong) region or regions outside the Chinese mainland do not require an ICP filing.
- If you are unsure of your domain name's registrar, you can perform a WHOIS query.
- To determine if a domain name is registered to your current Alibaba Cloud account, check the Alibaba Cloud DNS console.

1. Add a custom domain name

Log on to the Function Compute console. In the left-side navigation pane, choose Function Management > Custom Domains. Select a region and then click Add Custom Domain Name.

Important
When you map a custom domain name to a function, the custom domain name and the function must be in the same region.

On the Add Custom Domain Name page, enter a custom domain name that has an ICP filing with Alibaba Cloud. Both single domain names (for example, www.aliyun.com) and wildcard domain names (for example, *.aliyun.com) are supported.

Obtain the Internet CNAME or Internal CNAME, which you will use in the next step to configure domain name resolution. The following table describes the CNAME formats.

CNAME type	Format	Example
Internet CNAME	`<account_id>.<region_id>.fc.aliyuncs.com`	If your Alibaba Cloud account ID is 1413397765**** and your function or application is in the China (Hangzhou) region:	The Internet CNAME is `1413397765****.cn-hangzhou.fc.aliyuncs.com`.
Internal CNAME	`<account_id>.<region_id>-internal.fc.aliyuncs.com`		The Internal CNAME is `1413397765****.cn-hangzhou-internal.fc.aliyuncs.com`.

2. Configure domain name resolution

Log on to the Alibaba Cloud DNS console and map the domain name to the CNAME of Function Compute. For more information, see Add a DNS record.

When you configure the DNS record, set Record Value to the Function Compute CNAME from the previous step. If you want to access the domain name over the internet, set Record Value to the Internet CNAME of Function Compute.

When you configure the DNS record, set Record Type to CNAME, enter @ for Hostname, and set the Resolution Line to Default.

3. Complete the domain configuration

Return to the Add Custom Domain Name page from Step 1. Configure the following options and click Create.

3.1 Route configuration

If your application contains multiple functions, you can map different request paths to trigger different functions. For more information, see Path-matching rules.

If you need to rewrite the URI of a request that matches a specific path based on rules, see Configure a rewrite policy (in public preview).

The routing settings are managed in a table. Each rule includes the Path, Function Name, Version/Alias, and Rewrite Policy fields. For example, you can map the path /test1 to the function test-renwu, and use /* as a fallback path mapped to a default function. You can select LATEST as the version for all rules.

3.2 (Optional) HTTPS settings

To enable HTTPS access for the custom domain name, configure the following parameters.

Parameter	Actions
HTTPS	When enabled, the custom domain name supports both HTTP and HTTPS. When disabled, it only supports HTTP. Note You can also select the Redirects HTTP Requests to HTTPS checkbox. Selecting this option restricts access to HTTPS only, and Function Compute redirects all HTTP requests to HTTPS.
Certificate Type	Select the type of certificate to upload. Valid values: Alibaba Cloud SSL Certificate: Select an Alibaba Cloud SSL certificate. If the Certificate Name drop-down list is empty, you do not have an Alibaba Cloud SSL certificate. Log on to the Certificate Management Service console to purchase one. Manual Upload: Manually enter a Certificate Name and provide the PEM Certificate Content and PEM Certificate Key. Note The uploaded certificate cannot exceed 20 KB in size, and the certificate key cannot exceed 4 KB in size.
TLS Version	Select the Transport Layer Security (TLS) protocol version for the function. Note After you select a TLS version, you can also select the Enable Support for TLS1.3 checkbox to enable TLS 1.3.
Cipher Suite	Select the TLS cipher suites. If you do not configure this parameter, all cipher suites are selected by default. Valid values: All Cipher Suites (High Compatibility and Low Security): Selects all cipher suites. For a list of cipher suites supported by Function Compute, see Strong and weak cipher suites. Custom Cipher Suite (Select Based on Protocol Version. Proceed with Caution): Select a subset of supported cipher suites. The drop-down list displays all available cipher suites. You can click the delete icon to the right of a cipher suite to remove weak cipher suites, retaining only those supported by your selected TLS version. Important Select custom cipher suites with caution. Ensure that the cipher suites used by the server and clients match. For information about TLS versions and their supported cipher suites, see Mappings between TLS versions and cipher suites. Function Compute names cipher suites based on the RFC naming convention. The name of a cipher suite can vary depending on the naming convention used. For information about the differences between RFC and OpenSSL names for cipher suites, see Mappings between RFC and OpenSSL cipher suite names.

3.3 (Optional) Authentication settings

No Authentication: No authentication is required for HTTP requests. Anonymous access is supported, and anyone can make HTTP requests to invoke your function.
Signature Authentication: Signature authentication is performed on HTTP requests. For more information, see Configure signature authentication for a custom domain name.
Basic Authentication: A standard HTTP authentication method. You configure a username and password in the Function Compute console. The client must include valid credentials in the Authorization header. Access is granted only if the user information in the request matches the configured username and password. For more information, see Configure Basic authentication for a custom domain name.
JWT Authentication: JWT authentication is performed on HTTP requests to ensure that only clients with a valid JWT can access the function. For more information, see Configure JWT authentication for a custom domain name.
Bearer Authentication: Bearer authentication is performed on HTTP requests. You configure allowed tokens in the Function Compute console. The client must include a valid token in the Authorization header. Access is granted only if the token in the request matches a configured token. For more information, see Configure Bearer authentication for a custom domain name.

3.4 (Optional) Web application firewall settings

When enabled, the Web Application Firewall (WAF) inspects traffic to your function, filters out malicious requests, and forwards only safe traffic to the backend. This protects your function from attacks. For more information, see Enable Web Application Firewall.

3.5 (Optional) CDN settings

After you bind a custom domain name to a web application, you can use this custom domain name as the origin server domain, add an accelerated domain name, and then configure a CNAME for the accelerated domain name to enable CDN acceleration. The application deployed on Function Compute is used as the origin server to publish origin content to edge nodes. This allows end users to quickly retrieve the required content, which effectively reduces access latency and improves service quality.

Enable CDN acceleration, enter a custom CDN-Accelerated Domain Name, and then click Create to add it.

For acceleration to take effect, you must manually configure the DNS record for the accelerated domain name. The Alibaba Cloud CDN service generates a CNAME value for the accelerated domain name. You must map this CNAME to your accelerated domain name.
Important
- The CDN acceleration feature consumes internet traffic and incurs traffic fees. For more information, see Billing overview.
- The custom domain name and the accelerated domain name cannot be the same. To conserve domain name resources, you can configure the accelerated domain name as a subdomain name of your custom domain name. For example, if your custom domain name is example.com, you can set the accelerated domain name to fast.example.com.
Click your configured custom domain name. On the details page, in the CDN Acceleration Settings section, click CDN Settings in the Actions column. This redirects you to the Alibaba Cloud CDN console, where you can find the CNAME for your accelerated domain name.

The CNAME uses the format Accelerated domain name.w.kunlun**.com, for example, fast.example.com.w.kunlunle.com.
Log on to the Alibaba Cloud DNS console, find your custom domain name, and create a DNS record that points the accelerated domain name to the assigned CNAME to enable acceleration. For more information, see Add a DNS record.

Set Record Type to CNAME - Map a domain name to another domain name.

Set Hostname to the first part of the subdomain name (in this example, fast). Set Record Value to the CNAME value for the accelerated domain name that you obtained in the previous step.

3.6 (Optional) CORS configuration

You can configure Cross-Origin Resource Sharing (CORS) for a custom domain name by calling the UpdateCustomDomain API operation. For more information, see Handle CORS requests.

4. Verify the custom domain

4.1 Verify custom domain access

Method 1: Use the curl URL command. Example: curl example.com/login.
Method 2: Use a web browser.

Enter the request URL in the address bar and press Enter to verify that the target function is invoked.

4.2 (Optional) Verify the accelerated domain

In a browser, use the accelerated domain name that you configured in Step 3.5 (Optional) CDN settings to access the application. Then, open the developer tools and check the value of the X-Cache response header to verify that CDN acceleration is working.

Note

The X-Cache response header indicates the cache status. A value of MISS indicates a cache miss on the first access, meaning the request was retrieved from the origin server. A subsequent request should return HIT, indicating a successful cache hit.

First-access miss	Subsequent-access hit
In the browser's DevTools, go to the Network panel. Select the target request and view the Headers tab. Confirm that the Status Code is `200 OK` and the X-Cache header value contains `MISS TCP_MISS`.	In the browser's DevTools, check the Headers tab for the second request in the Network panel. The Status Code is `200 OK` and the X-Cache header value contains `HIT`, which indicates a CDN cache hit.

Cipher suites

Strong and weak cipher suites

Function Compute supports the following strong and weak cipher suites.

Strong cipher suites

Weak cipher suites

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS versions and cipher suites

This table lists the cipher suites that Function Compute supports for each TLS version. By default, all listed cipher suites are enabled.

Note

In the table below, Supported indicates that the TLS version supports the cipher suite, and not-support indicates that the TLS version does not support the cipher suite.

Cipher suite	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256

RFC and OpenSSL name mapping

RFC name	OpenSSL name
TLS_RSA_WITH_3DES_EDE_CBC_SHA	DES-CBC3-SHA
TLS_RSA_WITH_AES_128_CBC_SHA	AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA	AES256-SHA
TLS_RSA_WITH_AES_128_GCM_SHA256	AES128-GCM-SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384	AES256-GCM-SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA	ECDHE-ECDSA-AES128-SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	ECDHE-ECDSA-AES256-SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA	ECDHE-RSA-DES-CBC3-SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	ECDHE-RSA-AES128-SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	ECDHE-RSA-AES256-SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	ECDHE-ECDSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	ECDHE-RSA-AES256-GCM-SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	ECDHE-ECDSA-AES256-GCM-SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305	N/A
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305	N/A
TLS_RSA_WITH_RC4_128_SHA	RC4-SHA
TLS_RSA_WITH_AES_128_CBC_SHA256	AES128-SHA256
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA	ECDHE-ECDSA-RC4-SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA	ECDHE-RSA-RC4-SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256	ECDHE-ECDSA-AES128-SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256	ECDHE-RSA-AES128-SHA256
TLS_AES_128_GCM_SHA256	TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384	TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256	TLS_CHACHA20_POLY1305_SHA256

Matching rules

Route matching rules

When you bind a custom domain name, you map paths to functions. This allows requests from different paths to trigger their corresponding functions. Function Compute supports two types of path matching: exact matching and fuzzy matching.

Exact matching: A request triggers a function only when its path is identical to the configured path.

For example, if you configure a route that maps the path /a to function f1, version 1, only requests for /a will trigger the function. A request for /a/ will not match.
Fuzzy matching: Uses a wildcard character (*) at the end of a path to match any request with a matching path prefix.

For example, if you configure a route with the path /login/* to target function f2, version 1, any request whose path starts with /login/ (such as /login/a or /login/b/c/d) will trigger the function.

Note

If multiple routes are configured for a custom domain name, exact matching takes precedence over fuzzy matching.
If multiple fuzzy-matching routes apply to a request, the one with the longest matching prefix is used.

For example, consider a custom domain name example.com with two configured paths: /login/a/* and /login/*. A request to example.com/login/a/b matches both paths. However, based on the longest prefix match principle, the request is routed to the function associated with /login/a/* because it is the more specific path.

Example

Assume you have configured the following five routing rules for the custom domain name example.com.

Routing rule	Path	Function name	Version
Routing rule 1	/	f1	1
Routing rule 2	/*	f2	2
Routing rule 3	/login	f3	3
Routing rule 4	/login/a	f4	4
Routing rule 5	/login/*	f5	5

The following table shows the matching results.

Request URL	Function	Version	Path
example.com	f1	1	/
example.com/user	f2	2	/*
example.com/login	f3	3	/login
example.com/login/a	f4	4	/login/a
example.com/login/a/b	f5	5	/login/*
example.com/login/b	f5	5	/login/*

Domain name matching rules

Function Compute matches the domain name in a request to a configured custom domain name and then forwards the request to the corresponding function. Function Compute supports both exact matching and fuzzy matching for domain names.

Exact matching: A request triggers a function only when its domain name is identical to a configured single domain name.
Fuzzy matching: A request can trigger a function if its domain name matches a configured wildcard domain name. A wildcard domain name must use a single wildcard character (*) as its first label.

Note

If a request matches both a single domain name and a wildcard domain name, the single domain name takes precedence.
A wildcard domain name can only match a domain name at the same level. For example, a wildcard domain name *.aliyun.com can match fc.aliyun.com, but it cannot match cn-hangzhou.fc.aliyun.com. This is because *.aliyun.com and fc.aliyun.com are both third-level domains, whereas cn-hangzhou.fc.aliyun.com is a fourth-level domain.

Example

Assume you have the following custom domain names: fc.aliyun.com, *.aliyun.com, and *.fc.aliyun.com. The following table shows which domain name each request matches.

Request domain	Matched domain
fc.aliyun.com	fc.aliyun.com
fnf.aliyun.com	*.aliyun.com
cn-hangzhou.fc.aliyun.com	*.fc.aliyun.com
accountID.cn-hangzhou.fc.aliyun.com	none

FAQ

Public endpoint for production use

To provide public-facing website services, you must use a domain name that has an ICP filing. This requires you to configure a custom domain name and bind it to your function.

Custom domain 502 error

Check the Record Value you set during domain name resolution. For public access, the Record Value must be set to the public endpoint of Function Compute. For more information, see 2. Configure domain name resolution.

Error with Chinese domain names

Function Compute does not support custom domain names that contain Chinese characters.

Forced downloads in browser

The default public endpoint generated by an HTTP trigger does not have an ICP filing. Accessing this endpoint in a browser triggers a forced download. Refer to How do I resolve the issue of a forced download when I access an HTTP function from a browser? for the solution.

Accelerated domain 301 redirect

Check whether forced HTTPS redirection is enabled for your custom domain name. If you do not want a 301 redirect, you can disable this setting.

Function selection in routing

Make sure that the custom domain name and the function are in the same region.

Function not triggered by route path

Check that your function's code implements the configured route path. Otherwise, requests to that path will fail.

Diagnostics

If you encounter an error while binding a custom domain name, the server returns an error message. This table lists common error codes to help you identify and resolve these issues.

Error code	HTTP status code	Error message	Cause
InvalidICPLicense	400	domain name '%s' has not got ICP license, or the ICP license does not belong to Aliyun	The domain name either does not have an ICP filing, or its filing does not list Alibaba Cloud as a service provider.
DomainNameNotResolved	400	domain name '%s' has not been resolved to your FC endpoint, the expected endpoint is '%s'	The CNAME record for the domain name is not pointing to the specified endpoint. To verify this, use the dig command or check your DNS server settings.
DomainRouteNotFound	404	no route found in domain '%s' for path '%s'	No function is configured for the specified path.
TriggerNotFound	404	trigger 'http' does not exist in service '%s' and function '%s'	The function bound to the custom domain name lacks an HTTP trigger.
DomainNameNotFound	404	domain name '%s' does not exist	The requested domain name does not exist.
DomainNameAlreadyExists	409	domain name '%s' already exists	The specified domain name already exists.

If the issue persists, join the DingTalk group (group ID: 64970014484) for help from Function Compute engineers.