All Products
Search
Document Center

Global Accelerator:Accelerate access to HTTP websites over HTTPS

Last Updated:Aug 05, 2024

You can use Global Accelerator (GA) to accelerate access to HTTP websites over HTTPS. This improves the speed and security of client access to HTTP websites.

Sample scenario

The following scenario is used as an example. The headquarters of a company is located in the US (Silicon Valley) region and the headquarters deploys an HTTP website on a self-managed server in the US (Silicon Valley) region. The clients that want to access the website are located in the China (Hong Kong) region. The website may encounter the following challenges:

  • Data is transmitted in plaintext over HTTP and the requests that are destined for the website are not authenticated. Therefore, security risks may arise.

  • The cross-border network is unstable. Network issues, such as network latency, network jitter, and packet loss, may frequently occur.

image

In this case, the company can use GA and configure an HTTPS listener to accelerate access to the HTTP website deployed in the US (Silicon Valley) region for clients in the China (Hong Kong) region. In addition, data transmission is encrypted and secured over HTTPS when the clients send requests to the HTTP website.

Prerequisites

  • An SSL certificate is purchased and an application is submitted to apply for the SSL certificate. For more information, see Purchase an SSL certificate and Submit a certificate application.

  • An HTTP service that uses port 80 is deployed on a backend server.

  • An A record that maps the backend domain name to the public IP address of the backend server is created.

Note

In this example, NGINX is used to deploy the backend HTTP service and Alibaba Cloud DNS is used to configure the DNS record.

  • For more information about how to deploy an NGINX service, see Install NGINX.

  • For more information about how to configure DNS records, see Add a DNS record. If you use a third-party DNS resolution service, refer to the user guide provided by the service provider.

Procedure

image
Note

This topic uses a pay-as-you-go standard Global Accelerator instance as an example to describe how to configure Global Accelerator to accelerate access to HTTP websites over HTTPS. Before you create a pay-as-you-go standard Global Accelerator instance, take note of the following information:

  • GA instances use the pay-by-data-transfer metering method. You do not need to associate a basic bandwidth plan with pay-as-you-go GA instances. The billing of data transfer over the GA network is managed by Cloud Data Transfer (CDT). For more information, see Pay-by-data-transfer.

  • The first time you use a pay-as-you-go Global Accelerator instance, go to the pay-as-you-go GA activation page and activate Global Accelerator as prompted.

Step 1: Configure the basic information about an instance

  1. Log on to the GA console.

  2. On the Instances page, click Create GA Instance. Select Subscription Standard Instance or Pay-as-you-go Standard Instance based on your business requirements.

    In this example, Pay-as-you-go Standard Instance is selected.

  3. In the Basic Instance Configuration step, configure the following parameters and click Next.

    Parameter

    Description

    GA Instance Name

    Enter a name for the GA instance.

    Instance Billing Method

    Pay-As-You-Go is selected by default.

    You are charged instance fees, Capacity Unit (CU) fees, and data transfer fees for pay-as-you-go standard GA instances.

    Resource Group

    Select the resource group to which the standard GA instance belongs.

    The resource group must be a resource group created in Resource Management by the current Alibaba Cloud account. For more information, see Create a resource group.

Step 2: Add an acceleration area

By adding an acceleration area, you can specify the regions of the GA users and allocate bandwidth to the regions.

In the Configure acceleration areas step, configure the parameters and click Next. The following table describes the parameters.

Parameter

Description

Acceleration Area

Select one or more regions from the drop-down list and click Add.

In this example, the China (Hong Kong) region of Asia Pacific is selected.

Assign Bandwidth

Bandwidth

Specify the bandwidth for the acceleration region. Each acceleration region supports a bandwidth range of 2 to 10,000 Mbit/s.

The maximum bandwidth is used for bandwidth throttling. The data transfer fees are managed by CDT.

In this example, the default value 200 Mbit/s is used.

Important

If you specify a small value for the maximum bandwidth, throttling may occur and packets may be dropped. Specify a maximum bandwidth based on your business requirements.

IP Protocol

Select the IP version that is used to connect to GA.

In this example, the default value IPv4 is selected.

ISP Line Type

Select an ISP line type for the GA.

BGP (Multi-ISP) is selected in this example.

Step 3: Configure a listener

A listener listens for connection requests and distributes the requests to endpoints based on the port and the protocol that you specify. Each listener is associated with an endpoint group. You can associate an endpoint group with a listener by specifying the region to which you want to distribute network traffic. After you associate an endpoint group with a listener, network traffic is distributed to the optimal endpoint in the endpoint group.

In the Configure listener step, configure the parameters and click Next. The following table describes the parameters.

The following table describes only the parameters that are relevant to this topic. Use the default values for other parameters. For more information, see Add and manage intelligent routing listeners.

Parameter

Description

Listener Name

Enter a name for the listener.

Routing Type

Select a routing type.

In this example, Intelligent Routing is selected.

Protocol

Select a protocol for the listener.

HTTPS is selected in this example.

Port

Specify a port for the listener to receive and forward requests to endpoints. Valid values: 1 to 65499.

The value is set to 443 in this example.

Server Certificate

Select the server certificate that you obtained.

TLS Security Policies

Select the TLS security policy required by your service.

A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS. For more information about TLS security policies, see TLS security policies.

In this example, the default value tls_cipher_policy_1_0 is used.

Client Affinity

Specify whether to enable client affinity. If client affinity is enabled, requests from the same client are forwarded to the same endpoint when the client connects to a stateful application.

In this example, Source IP is selected.

Custom HTTP Headers

Select the HTTP headers that you want to add.

In this example, the default settings are used.

Show custom HTTP headers.

  • Obtain the GA instance ID by using the GA-ID header

  • Obtain the information about the acceleration region by using the GA-AP header

  • Obtain the listening protocol of the GA instance by using the GA-X-Forward-Proto header

  • Obtain the listening port of the GA instance by using the GA-X-Forward-Port header

  • Obtain client IP addresses by using the X-Real-IP header

Step 4: Configure an endpoint group and endpoints

  1. In the Configure an endpoint group step, configure the parameters and click Next. The following table describes the parameters.

    This topic describes only the key parameters. For more information, see Add and manage endpoint groups of intelligent routing listeners.

    Parameter

    Description

    Region

    Select the region where the endpoint group is deployed.

    In this example, US (Silicon Valley) is selected.

    Endpoint Configuration

    Endpoints are destinations of client requests. To add an endpoint, specify the following parameters:

    • Backend Service Type: In this example, Custom IP is selected.

    • Backend Service: Enter the IP address of the backend service that you want to accelerate.

    • Weight: Enter a weight for the endpoint. Valid values: 0 to 255. Global Accelerator routes network traffic to endpoints based on the weights of the endpoints. In this example, the default value 255 is used.

    Warning

    If you set the weight of an endpoint to 0, Global Accelerator stops distributing network traffic to the endpoint. Proceed with caution.

    Preserve Client IP

    By default, client IP address preservation is enabled. This feature allows you to view client IP addresses on backend servers. HTTP listeners can retrieve client IP addresses from the X-Forwarded-For HTTP header. For more information, see Preserve client IP addresses.

    Backend Service Protocol

    Select the protocol that is used by backend servers.

    In this example, HTTP is selected.

    Port Mapping

    If the listener port and the port that is used by the endpoint to provide services are different, you must configure this parameter.

    • Listener Port: Enter the port of the current listener. The value is set to 443 in this example.

    • Endpoint Port: Enter the port that the endpoint uses to provide services. In this example, 80 is used.

  2. In the Configuration Review step, check the configurations and click Submit.

    Note

    It takes 3 to 5 minutes to create a Global Accelerator instance.

  3. (Optional) After you create a GA instance, you can click the instance ID on the Instances page to view the configurations of the instance. On the instance details page, you can click tabs, such as Instance Information, Listeners, and Acceleration Areas, to view more details.

Step 5: Configure a CNAME record

You must create a DNS record to map the domain name that you want to access to the CNAME of the Global Accelerator instance. This way, requests can be forwarded to Global Accelerator.

  1. Log on to the Alibaba Cloud DNS console.
  2. If your domain name is not registered by using Alibaba Cloud Domains, you must add your domain name to Alibaba Cloud DNS.

    Note

    If your domain name is not registered by using Alibaba Cloud Domains, you must add your domain name to Alibaba Cloud DNS before you configure a DNS record. For more information, see the "Add a domain name" section of the Manage domain names topic. If your domain name is registered by using Alibaba Cloud Domains, skip this step.

  3. On the Domain Name Resolution page, find the domain name and click DNS Settings in the Actions column to go to the DNS Settings page.

  4. On the DNS Settings page, find the A record and click Modify in the Actions column.

  5. In the Modify DNS Record panel, set Record Type to CNAME, set Record Value to the CNAME assigned to the Global Accelerator instance, and then click OK.

    You can view the CNAME assigned to the Global Accelerator instance on the Instances page.

Note

If you want to return resolution results based on the region to which a client belongs, make sure that Alibaba Cloud DNS is upgraded to Enterprise Standard Edition or Enterprise Ultimate Edition. For more information, see Renewal and upgrade.

After the upgrade is complete, you can change the default ISP line of the existing A record to the ISP line of a specific region and add a CNAME record that maps the website domain name to the CNAME assigned to the Global Accelerator instance.

Step 6: Test network connectivity

Perform the following steps to verify the connectivity to the HTTP website that is deployed in the US (Silicon Valley) region over HTTPS. In addition, check whether content delivery is accelerated.

Note

The Alibaba Cloud Linux 3.2104 LTS 64-bit operating system is used in this example. The command that is used to test the connectivity varies based on the operating system that you use. For more information, see the user guide of your operating system.

  1. Check whether the CNAME record takes effect.

    1. Open the CLI on an on-premises machine in the China (Hong Kong) region.

    2. Run the following command to ping the domain name:

      ping <Website domain name>

      If the CNAME in the output is the same as the CNAME allocated by Global Accelerator, the CNAME record takes effect.

      HTTPS加速访问HTTP CNAME生效检测.png

  2. Run the following command to check whether the client can access the HTTP website deployed in US (Silicon Valley) over HTTPS:

    curl https://<Website domain name>

    Figure 1. Results

    HTTPS加速访问HTTP 连通性测试.png

  3. For information about how to test acceleration performance, see Use network detection tools to verify acceleration performance.