To use a fixed domain name to access a Function Compute application or function in a production environment, or to prevent the browser from forcing a download when an HTTP trigger is accessed, bind a custom domain name to the application or function.
Use cases
You need to bind a custom domain name to a function or an application in the following cases:
- You migrated a web application to Function Compute and want to access it through a custom domain name.
- You built a web application in the Function Compute console and want to use different paths on the same domain to trigger different functions.
- You created an application, such as a Stable Diffusion application, in Function Compute and want to access it through a custom domain name.
Usage limits
- When binding a custom domain name to a function, you must select the region where the function is located.
- The custom domain name is case-sensitive. You must enter it exactly as it appears in your ICP filing.
- Wildcard and standard domain names are supported, but Chinese domain names are not.
How it works
Prerequisites
- You have created a function or an application. For more information, see Create a function and Create an application.
  When you bind a custom domain name to an application, it is also bound to the functions within that application. You can find these automatically created functions in the Resource Information section of the application's Environment Details page. Click a function name to go to the Function Details page.
- You have a custom domain name with an Alibaba Cloud ICP filing for a website.
  The ICP filing procedure depends on the domain's registrar and its associated account.
  - Domain name registered with the current Alibaba Cloud account
    Log on to the Alibaba Cloud ICP Filing system to complete the ICP filing for your custom domain name.
  - Domain name registered with another Alibaba Cloud account
    We recommend using the Alibaba Cloud account where the domain name is registered to complete the ICP filing. Log on to the Alibaba Cloud ICP Filing system to complete the ICP filing for your custom domain name.
  - Domain name not registered with an Alibaba Cloud account
    If your domain name's ICP filing was completed by another service provider, you must add Alibaba Cloud as a service provider to the existing filing record. To do this, log on to the Alibaba Cloud ICP Filing system.
  Note:
  - An ICP filing is not required for a custom domain name that is bound to a function in the China (Hong Kong) region or any region outside the Chinese mainland.
  - To find your domain name's registrar, use the WHOIS page.
  - To check if the domain name belongs to your current Alibaba Cloud account, use the Alibaba Cloud DNS (DNS) console.
1. Add a custom domain name
- Log on to the Function Compute console. In the left-side navigation pane, choose . Select a region and then click Add Custom Domain Name.
  Important: To bind a custom domain name to a function, ensure it is in the same region as the function.
- On the Add Custom Domain Name page, enter a custom domain name that has an ICP filing with Alibaba Cloud or lists Alibaba Cloud as a service provider in its ICP filing record. You can use single domain names, such as www.aliyun.com, or wildcard domain names, such as *.aliyun.com.
  Obtain the Internet CNAME or Internal CNAME to configure domain name resolution in the next step. The following table describes the CNAME formats.

| CNAME type | Format | Example |
| --- | --- | --- |
| Internet CNAME | <account_id>.<region_id>.fc.aliyuncs.com | If your Alibaba Cloud account ID is 1413397765**** and the function or application resides in the China (Hangzhou) region: The Internet CNAME is 1413397765****.cn-hangzhou.fc.aliyuncs.com. |
| Internal CNAME | <account_id>.<region_id>-internal.fc.aliyuncs.com | The Internal CNAME is 1413397765****.cn-hangzhou-internal.fc.aliyuncs.com. |
2. Configure domain name resolution
Log on to the Alibaba Cloud DNS console to point the domain name with the ICP filing to the Function Compute CNAME. For more information, see Configure domain name resolution.

As shown in the figure, when you configure DNS resolution, set the Record Value to the Function Compute CNAME that you obtained in the previous step. If you want to access this domain name over the public network, you need to set the Record Value to the Function Compute public CNAME.
3. Complete domain name configuration
Return to the Add Custom Domain Name page from step 1. Start adding a custom domain name. Configure the following options as needed, and then click Create to add the custom domain name.
3.1 Configure routing
If your application contains multiple functions, you can map different request paths to trigger specific functions. For more information, see Route matching rules.
If you need to rewrite the URI of a request that matches a specific path based on rules, see Configure a rewrite policy (in public preview).

3.2 (Optional) Configure HTTPS settings
To enable access to your custom domain name over HTTPS, perform the following steps.

| Parameter | Description |
| --- | --- |
| HTTPS | After you enable this option, you can access the custom domain name over HTTP or HTTPS. If you disable this option, you can access the custom domain name only over HTTP. Note: You can also select the Redirects HTTP Requests to HTTPS checkbox. This forces all access to the custom domain name to be over HTTPS, as Function Compute redirects all HTTP requests to HTTPS. |
| Certificate Type | The type of certificate to upload. Valid values: Note: The certificate file cannot exceed 20 KB in size, and the certificate key file cannot exceed 4 KB in size. |
| TLS Version | Select the TLS protocol version for your function. Note: After you select a TLS protocol version, you can also select the Enable Support for TLS 1.3 checkbox to also enable TLS 1.3. |
| Cipher Suite | Select the TLS cipher suites. If you do not configure this parameter, all cipher suites are selected by default. Valid values: |
3.3 (Optional) Configure authentication
- No Authentication: No authentication is required for HTTP requests. Anonymous access is supported, and anyone can make HTTP requests to invoke your function.
- Signature authentication: Signature authentication is required for HTTP requests. For more information, see Configure signature authentication for a custom domain name.
- Basic authentication: A standard HTTP authentication method. You configure a username and password in the Function Compute console. When a client initiates a request, it includes the credentials in the Authorization header. Access is granted only if the credentials in the request match the configured username and password. For more information, see Configure Basic authentication for a custom domain name.
- JWT authentication: JWT authentication requires that HTTP requests include a valid JWT, ensuring that only authorized clients can access the function. For more information, see Configure JWT authentication for a custom domain name.
- Bearer authentication: A standard HTTP authentication method. You configure allowed tokens in the Function Compute console. When a client initiates a request, it includes a token in the Authorization header. Access is granted only if the token in the request matches a configured token. For more information, see Configure Bearer authentication for a custom domain name.
3.4 (Optional) Configure WAF
After you enable WAF, it identifies and filters malicious traffic, forwarding only normal and secure requests to the back-end function. This protects your function from malicious intrusions. For more information, see Enable WAF.

3.5 (Optional) Configure CDN settings
After you bind a custom domain name to a web application, you can use the custom domain name as an origin server and add an accelerated domain name for it. Then, you can configure a CNAME for the accelerated domain name to enable CDN. With the application in Function Compute as the origin server, content is cached on edge nodes. This allows users to retrieve content from a nearby location, reducing access latency and improving service quality.
- Enable CDN acceleration. Enter a custom CDN-Accelerated Domain Name and then click Create.
  Important:
  - CDN acceleration consumes internet traffic and incurs fees. For more information, see Billing overview.
  - The custom domain name and the accelerated domain name cannot be the same. To conserve domain name resources, you can configure the accelerated domain name as a subdomain of your custom domain name. For example, if your custom domain name is example.com, you can set the accelerated domain name to fast.example.com.
- Click the custom domain name that you just configured. In the CDN Acceleration Settings section of the details page, click CDN Settings in the Actions column. This redirects you to the Alibaba Cloud CDN console, where you can obtain the CNAME assigned to the accelerated domain name.
  The CNAME is in the format of accelerated-domain-name.w.kunlun**.com, for example, fast.example.com.w.kunlunle.com.
- Log on to the Alibaba Cloud DNS console. Find your custom domain name and add a CNAME record for the accelerated domain name, pointing it to the assigned CNAME to enable acceleration. For more information, see Configure domain name resolution.
  Set Hostname to the subdomain prefix, such as fast. Set Record Value to the CNAME that you obtained in the previous step.
3.6 (Optional) Configure CORS
You can configure CORS for a custom domain name by calling the UpdateCustomDomain API operation. For details, see CORS request handling.
4. Verify the domain name
4.1 Verify domain name access
- Method 1: Run the curl URL command. Example: curl example.com/login.
- Method 2: Use a browser.
  Enter the request URL in your browser's address bar and press Enter to verify that the destination function is invoked.
4.2 (Optional) Verify accelerated domain access
Use the CDN-accelerated domain name that you configured in Step 3.5 (Optional) Configure CDN settings to access the application in a browser. Then, open the developer tools and check the value of the X-Cache field in the response header to verify that CDN acceleration is working.
The value of the X-Cache field indicates the CDN cache status. A value of MISS indicates the request missed the cache on the edge node, which then retrieved the resource from the origin server. After the resource is cached on the edge node, subsequent requests will result in a HIT.
| First access: Miss | Subsequent access: Hit |
Cipher suite reference
Strong and weak cipher suites
TLS version and cipher suite compatibility
RFC and OpenSSL cipher suite mappings
Matching rules
Route matching rules
To bind a custom domain name, you configure mappings between paths and functions. This allows you to route requests from different paths to trigger different functions. Function Compute supports exact matching and wildcard matching. The rules are as follows:
- Exact matching: Triggers a function only when the request path exactly matches the configured path.
  For example, if you configure a route with the path /a to trigger function f1 (version 1), only requests for the path /a will invoke the function. Requests for /a/ will not.
- Wildcard matching: You can use a wildcard (*) at the end of a path to match multiple sub-paths.
  For example, if you configure a route with the path /login/* to trigger function f2 (version 1), any request whose path starts with the prefix /login/, such as /login/a or /login/b/c/d, will invoke the function.
- If multiple routes are configured for a custom domain name, exact matching takes precedence over wildcard matching.
- Wildcard matching follows the longest prefix match principle.
  For example, assume you configure two paths, /login/a/* and /login/*, for the custom domain name example.com. A request with the URL example.com/login/a/b matches both paths. However, based on the longest prefix match principle, Function Compute routes the request to the path /login/a/*.
Example
Assume the custom domain name is example.com and you have configured the following five routing rules:
| Routing rule | Path | Function | Version |
| --- | --- | --- | --- |
| Routing rule 1 | / | f1 | 1 |
| Routing rule 2 | /* | f2 | 2 |
| Routing rule 3 | /login | f3 | 3 |
| Routing rule 4 | /login/a | f4 | 4 |
| Routing rule 5 | /login/* | f5 | 5 |
The following table shows the final matching results.
| Request URL | Matched function | Matched version | Matched path |
| --- | --- | --- | --- |
| example.com | f1 | 1 | / |
| example.com/user | f2 | 2 | /* |
| example.com/login | f3 | 3 | /login |
| example.com/login/a | f4 | 4 | /login/a |
| example.com/login/a/b | f5 | 5 | /login/* |
| example.com/login/b | f5 | 5 | /login/* |
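The route matching rules above, written out as an added example (a model of the stated rules, not Function Compute's own code). The names path_of, match_route and audit are hypothetical helpers; ROUTES holds the five routing rules from this example.

```python
# Added example: a model of the route matching rules on this page,
# not Function Compute's own implementation.

def path_of(url):
    """Return the path of a scheme-less URL such as 'example.com/login/a'."""
    _, slash, rest = url.partition("/")
    return "/" + rest.split("?", 1)[0] if slash else "/"


def match_route(routes, path):
    """Return the (pattern, function, version) route that serves path, or None.

    A pattern is an exact path, or a prefix followed by one trailing '*'.
    """
    # Exact matching takes precedence over wildcard matching.
    for route in routes:
        if not route[0].endswith("*") and route[0] == path:
            return route
    # Wildcard matching: the route with the longest matching prefix wins.
    best = None
    for route in routes:
        if route[0].endswith("*") and path.startswith(route[0][:-1]):
            if best is None or len(route[0]) > len(best[0]):
                best = route
    return best


# The five routing rules from the example above.
ROUTES = [
    ("/", "f1", 1),
    ("/*", "f2", 2),
    ("/login", "f3", 3),
    ("/login/a", "f4", 4),
    ("/login/*", "f5", 5),
]


def audit(urls, routes=ROUTES):
    """Map each URL to the function that would be invoked (None if no route)."""
    result = {}
    for url in urls:
        hit = match_route(routes, path_of(url))
        result[url] = hit[1] if hit else None
    return result
```

Running audit over a list of near-miss paths, such as /login/ with a trailing slash, shows which function each one reaches under these rules before the routes go live.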
Domain name matching rules
Function Compute matches an incoming request to the appropriate custom domain name based on the request's domain name and then forwards the request to the corresponding function. Function Compute supports exact matching and wildcard matching for domain names. The rules are as follows:
- Exact matching: Triggers a function only when the request's domain name exactly matches the configured single domain name.
- Wildcard matching: Triggers a function if the request's domain name matches a configured wildcard domain name. You can use only one wildcard (*), and it must be at the start of the domain name.
- If a request matches both a single domain name and a wildcard domain name, the single domain name takes precedence.
- In wildcard matching, a wildcard domain name can match only a domain name at the same level. For example, *.aliyun.com can match fc.aliyun.com but cannot match cn-hangzhou.fc.aliyun.com. This is because *.aliyun.com and fc.aliyun.com are both third-level domains, while cn-hangzhou.fc.aliyun.com is a fourth-level domain.
Example
Assume you have the following custom domain names configured: fc.aliyun.com, *.aliyun.com, and *.fc.aliyun.com. The following table shows how Function Compute matches requests from different domain names.
| Request domain name | Matched domain name |
| --- | --- |
| fc.aliyun.com | fc.aliyun.com |
| fnf.aliyun.com | *.aliyun.com |
| cn-hangzhou.fc.aliyun.com | *.fc.aliyun.com |
| accountID.cn-hangzhou.fc.aliyun.com | None |
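The domain name matching rules above, as an added example (a model of the stated rules, not Function Compute's own code). The names is_valid_pattern, match_domain and coverage are hypothetical helpers, and plain string comparison of host names is an assumption of this sketch; CONFIGURED holds the three domain names from this example.

```python
# Added example: a model of the domain name matching rules on this page,
# not Function Compute's own implementation.

def is_valid_pattern(name):
    """Page rule: at most one '*', and only as the leading label ('*.')."""
    if "*" not in name:
        return True
    return name.startswith("*.") and name.count("*") == 1 and len(name) > 2


def match_domain(configured, host):
    """Return the configured domain name that serves host, or None."""
    names = [n for n in configured if is_valid_pattern(n)]
    # A single (exact) domain name takes precedence over a wildcard.
    if "*" not in host and host in names:
        return host
    # A wildcard matches only names at the same level: swap exactly the
    # first label of the host for '*' and look for that pattern.
    _, dot, parent = host.partition(".")
    candidate = "*." + parent
    if dot and parent and candidate in names:
        return candidate
    return None


# The three custom domain names from the example above.
CONFIGURED = ["fc.aliyun.com", "*.aliyun.com", "*.fc.aliyun.com"]


def coverage(hosts, configured=CONFIGURED):
    """Map each request host to the configured name that would serve it."""
    return {host: match_domain(configured, host) for host in hosts}
```

A host that maps to a wildcard entry is served under that entry's routing and authentication settings, so coverage is a quick way to list which host names a wildcard binding exposes.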
FAQ
Public endpoints in production
502 Bad Gateway error
Chinese domain name error
Forced download issue
301 redirect
Cannot select function
Route path trigger failure
Diagnostics
If an error occurs when you bind a custom domain name, the server returns an error message. Use the following table of common error codes to quickly identify and resolve issues.
| Error code | HTTP status code | Error message | Cause |
| --- | --- | --- | --- |
| InvalidICPLicense | 400 | domain name '%s' does not have an ICP filing, or the ICP filing is not with Alibaba Cloud | The domain name does not have an ICP filing or the ICP filing information does not include Alibaba Cloud as a service provider. |
| DomainNameNotResolved | 400 | domain name '%s' is not resolved to your Function Compute endpoint; the expected endpoint is '%s' | A CNAME record is not configured to point the domain name to the specified endpoint. You can verify the configuration by running the dig command or checking the settings on your DNS server. |
| DomainRouteNotFound | 404 | no route found in domain '%s' for path '%s' | No function is configured to handle requests for the specified path. |
| TriggerNotFound | 404 | trigger 'http' does not exist in service '%s' and function '%s' | The function bound to the custom domain name does not have an HTTP trigger. |
| DomainNameNotFound | 404 | domain name '%s' does not exist | The specified domain name does not exist. |
| DomainNameAlreadyExists | 409 | domain name '%s' already exists | The specified domain name already exists. |
If the issue persists, join the DingTalk user group (ID: 64970014484) and contact a Function Compute engineer for help.

