This topic describes how to use one Global Accelerator (GA) instance to accelerate access to multiple HTTPS-capable domain names.

Sample scenario

The following scenario is used as an example in this topic. A company deployed two servers in the US (Silicon Valley) region for its headquarters, and a web application is deployed on both servers. The web application provides Internet-facing services through two different domain names. Most employees of the company need to access the web application from the China (Hong Kong) region. They face the following challenges:
  • The network connections that are established over the Internet are unstable. Network issues, such as network latency, network jitter, and packet loss, may frequently occur.
  • Multiple servers provide Internet-facing services through two domain names. The company must configure content delivery acceleration for both domain names. This increases the cost.
Architecture
To address the preceding issues, the company plans to use GA and HTTPS listeners. HTTPS listeners support the following features that can accelerate access to multiple HTTPS-capable domain names:
  • Allow you to associate an HTTPS listener with multiple certificates and multiple domain names.
  • Support domain name-based forwarding rules, which are used to match requests against domain names and forward the requests to the backend servers based on the match results.
  • Encrypt the traffic between clients and GA with TLS, which increases the security of data transmission.

The following table describes the information about the web servers of the company and the forwarding rules used by the HTTPS listener after the company uses the GA service to accelerate its web application.

Configuration item   example.com                          example.net
Listening protocol   HTTPS                                HTTPS
Listener port        443                                  443
Certificate          Default certificate (Certificate A)  Additional certificate (Certificate B)
Forwarding rule      Default forwarding rule              Custom forwarding rule
Endpoint group       Default endpoint group               Virtual endpoint group
Server               Server 1                             Server 2
Service protocol     HTTP                                 HTTPS
Service port         80                                   443
Server public IP     47.254.XX.XX                         47.88.XX.XX
Note The SSL certificate on the listener encrypts data that is transmitted from clients to GA. Data that is transmitted from GA to a backend server is encrypted only if the endpoint group uses the HTTPS backend service protocol; in that case the certificate that is installed on the backend server is used, and it can be the same certificate as the one on your GA instance. In this example, GA connects to Server 1 over HTTP on port 80, so that leg crosses the Internet unencrypted, while the connection to Server 2 is encrypted end to end. Select HTTPS as the backend service protocol wherever the backend server supports it.

Prerequisites

  • An SSL certificate is purchased and a certificate application is submitted. For more information, see Purchase a certificate and Submit a certificate application.
  • The certificate is uploaded to the backend servers. For more information, see Upload files to ECS instances.
  • An HTTP service (port 80) and an HTTPS service (port 443) are deployed on the backend servers (Server 1 and Server 2) by using NGINX. For more information about how to deploy NGINX, see Step 2: Install NGINX.
  • A records are configured for example.com and example.net to map the domain names to the public IP addresses of the backend servers.
    Note Alibaba Cloud DNS is used in this example. For more information about how to add an A record, see Add a DNS record. If you use a third-party DNS service, refer to the user guide provided by the service provider.

Procedure

Step 1: Purchase a GA service bundle

You can enter the information about the web service in the GA console. After you enter the information, the system generates a list of recommended services. The list includes a GA instance and a basic bandwidth plan.

  1. Log on to the Global Accelerator console.
  2. In the upper-right corner of the Instances page, click Purchase Guide.
    Note If this is the first time that you use the GA service, skip this step.
  3. In the Enter the required information to generate a list of recommended services section, enter the required information and click Generate Service List.
    Parameter Description
    Acceleration Area Select the region that requires acceleration.

    In this example, China (Hong Kong) is selected.

    Service Region Select the region where the backend servers are deployed.

    In this example, US (Silicon Valley) is selected.

    ICP Filing Specify whether the domain name of the web service has an Internet Content Provider (ICP) number.

    In this example, No is selected.

    Note All websites must obtain an ICP number before they are permitted to provide services to users in the Chinese mainland. For more information, see What is an ICP filing?.
    Server Area Specify whether the backend service is deployed on Alibaba Cloud.

    In this example, On Alibaba Cloud is selected.

    Peak Bandwidth Range Enter the bandwidth required during peak hours. Unit: Mbit/s.

    In this example, 2 is entered.

    Maximum Concurrent Connections Select the maximum number of concurrent connections that a GA instance supports. When the number of concurrent connections reaches the upper limit, new connection requests are dropped.

    In this example, 5 Thousand is selected.

  4. In the Recommended Service List section, confirm the information and click Generate Service List.
    Note The instance configurations in Recommended Service List provide the most cost-effective plan to run your services. You can also change the instance configurations on the buy page.
  5. On the buy page, set the following parameters and click Buy Now to complete the payment.
    Parameter Description
    Subscription Duration Select a subscription duration.
    Type Select a type of GA instance.

    In this example, Standard is selected.

    Specification Select a specification for the GA instance.

    In this example, Small I (Specification Unit) is selected.

    Instance By default, Instance is selected.
    Accelerated IP Address Type By default, EIP is selected.
    Bandwidth Type Select a bandwidth type for the basic bandwidth plan.

    In this example, Premium is selected.

    Peak Bandwidth Select a maximum bandwidth value for the bandwidth plan.

    In this example, 2 Mbit/s is selected.

Step 2: Add an acceleration area

After you purchase a GA instance, you can add an acceleration area, specify the region where users are located, and then allocate bandwidth to the region.

  1. On the Instances page, find the GA instance that you purchased and click the instance ID.
  2. On the instance details page, click the Acceleration Areas tab. Then, click the Asia Pacific tab and click Add Region.
  3. In the Add Acceleration Area dialog box, set the following parameters and click OK.
    Parameter Description
    Region Select the region where the users that require the acceleration service are located.

    In this example, China (Hong Kong) is selected.

    Bandwidth Allocate bandwidth to the region.

    In this example, 2 Mbit/s of bandwidth is allocated.

    Internet Protocol Select the Internet protocol that is used by the users to connect to GA.

    In this example, IPv4 is selected.

    After you add a region, the system assigns an accelerated IP address to the region that is added to the GA instance. This accelerated IP address is used to accelerate access from users in the specified region to the specified backend servers through GA. Note the address: it is the address that the connectivity tests in Step 7 are run against.

Step 3: Add a listener and an endpoint group

A listener listens for connection requests and distributes the requests to endpoints based on the port and protocol that you specify. Each listener is associated with an endpoint group. You can associate an endpoint group with a listener by specifying the region to which you want to distribute network traffic. After you associate an endpoint group with a listener, network traffic is distributed to the optimal endpoints in the endpoint group.

For more information about how to configure default endpoint groups and virtual endpoint groups, see Endpoint groups.

  1. Add a listener and a protocol.
    1. On the instance details page, click the Listeners tab and then click Add Listener.
    2. On the Configure Listener & Protocol wizard page, specify the following listener information and click Next.
      The following table describes the parameters that are relevant to this topic. For more information about other parameters, see Add an HTTP or HTTPS listener.
      Parameter Description
      Listener Name Enter a name for the listener.
      Protocol Select a protocol for the listener.

      HTTPS is selected in this example.

      Port Specify a port for the listener. The port is used to receive and forward requests to endpoints. Valid values: 1 to 65499.

      Port 443 is used in this example.

      Client Affinity Specify whether to enable client affinity. If client affinity is enabled, requests from the same client are forwarded to the same endpoint when the client connects to a stateful application.

      In this example, Source IP Address is selected.

  2. Configure the default server certificate.
    On the Configure SSL Certificate wizard page, set the following parameters and click Next.
    • Server Certificate: Select the SSL certificate for which you applied. Certificate A is selected in this example.
    • Advanced Settings: TLS Security Policies is set to tls_cipher_policy_1_0 by default, and the default value is used in this example. This policy still accepts clients that negotiate TLS 1.0 and TLS 1.1, both of which are deprecated; if your clients support TLS 1.2 or later, select a policy that requires it.

      For more information about TLS security policies, see TLS security policies.

    After you configure an SSL certificate, GA uses HTTPS to encrypt the traffic between clients and the listener. Whether the traffic between GA and a backend server is also encrypted depends on the backend service protocol that you select for the endpoint group.

  3. Configure the default endpoint group.
    On the Configure Endpoint Group wizard page, set the following parameters for the default endpoint group and click Next.

    The following table describes the parameters that are relevant to this topic. For more information about other parameters, see Manage the endpoint groups of a standard GA instance.

    Parameter Description
    Endpoint Group Name Enter a name for the endpoint group.
    Region Select the region where you want to create the endpoint group. The backend servers that the clients want to access must be deployed in the specified region.

    In this example, US (Silicon Valley) is selected.

    Backend Service Specify whether the origin servers are deployed on Alibaba Cloud or in an environment outside Alibaba Cloud.

    In this example, Alibaba Cloud is selected.

    Preserve Client IP By default, client IP address preservation is enabled for HTTPS listeners, and the client IP address is passed to the backend server in the X-Forwarded-For HTTP header. Because both backend servers in this example keep public IP addresses, a client can bypass GA and send a request with a forged X-Forwarded-For header directly to a server; configure the servers to trust the header only for requests that arrive from GA, and restrict direct access to the servers where possible. For more information, see Preserve client IP addresses.
    Endpoint Endpoints are backend servers that receive and handle client requests. To add an endpoint, set the following parameters:
    • Backend Service Type: Select Alibaba Cloud Public IP Address.
    • Backend Service: Enter the IP address of the backend service that you want to accelerate. In this example, 47.254.XX.XX is entered, which is the public IP address of Server 1.
    • Weight: Enter a weight for the endpoint. Valid values: 0 to 255. GA distributes network traffic to endpoints based on their weights.
      Notice If the weight of an endpoint is set to 0, GA stops distributing network traffic to the endpoint. Proceed with caution.
    Backend Service Protocol Select the protocol that the backend server uses. Valid values:
    • HTTP: This is the default value.
    • HTTPS

    In this example, HTTP is selected.

    Port Mapping If the listener port and the port that the endpoint uses to provide services are not the same, you must add a mapping between the ports.
    • Listener Port: Enter the listener port. In this example, the value is set to 443.
    • Endpoint Port: Enter the port that the endpoint uses to provide services. In this example, 80 is used.
  4. On the Confirm wizard page, confirm the configurations of the listener and endpoint, and then click Submit.
  5. Configure a virtual endpoint group.
    1. On the Listeners tab, find the listener that you want to manage and click the number in the Virtual Endpoint Group column.
    2. On the Endpoint Group tab, click Add Virtual Endpoint Group in the Virtual Endpoint Group section.
    3. In the Add Virtual Endpoint Group dialog box, set the following parameters and click Create.
      Parameters other than the following use the same values as the default endpoint group configured in sub-step 3 (Configure the default endpoint group) of this step.
      • Backend Service: Enter 47.88.XX.XX, which is the public IP address of Server 2.
      • Backend Service Protocol: Select HTTPS.
      • Port Mapping: You do not need to add a port mapping.

        If the listener port and the port that the endpoint uses to provide services are the same, you do not need to add a port mapping. GA automatically distributes client requests to the listening port of the endpoint.

Step 4: Associate additional certificates with the HTTPS listener

If you associate an additional certificate with an HTTPS listener, you can associate the HTTPS listener with multiple domain names. Based on the additional certificate and forwarding rules, GA can distribute requests that are destined for different domain names to different virtual endpoint groups.

The following procedure shows how to associate the HTTPS listener with Certificate B and the domain name example.net:

  1. On the Listeners tab, find the HTTPS listener that you want to manage and click the listener ID.
  2. On the listener details page, click the Certificates tab.
  3. On the Certificates tab, click Associate Certificate in the Additional Certificate section.
  4. In the Associate Certificate dialog box, configure the additional certificate and click OK.
    • Certificate: Select the certificate that you want to associate. Certificate B is used in this example.
    • Associated Domain Name: Select one or more domain names that you want to accelerate by using GA. The certificate will be associated with the selected domain names. example.net is selected in this example.

Step 5: Add a forwarding policy

When an HTTPS listener receives requests, the HTTPS listener forwards the requests that meet the conditions in forwarding rules to the associated endpoint groups. If the requests do not match a custom forwarding rule, the HTTPS listener forwards the requests to the default endpoint group in the default forwarding rule.

The following procedure shows how to add a custom forwarding rule for the virtual endpoint group that is associated with Server 2 so that requests destined for example.net can be forwarded to Server 2:

  1. On the Listeners tab, find the HTTPS listener that you want to manage and click the listener ID.
  2. On the listener details page, click Forwarding Rule.
  3. Click Add Forwarding Rule, set the following parameters, and then click OK.
    Parameter Description
    Policy Name Enter a name for the forwarding rule.
    If (Matching All Conditions) Specify the forwarding condition.

    In this example, Domain Name is selected and example.net is specified, so that requests for example.net match the rule and are forwarded to the virtual endpoint group that is selected below.

    Forward to Virtual Endpoint Group Select the virtual endpoint group to which a matched request is forwarded.

    In this example, the virtual endpoint group created in Step 3: Add a listener and an endpoint group is selected.
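The following shell script is an added example; it is not part of the Alibaba Cloud documentation and not a GA feature. It verifies the result of Step 4 and Step 5 against the accelerated IP address before any DNS record is changed: it sends each domain name as the TLS server name (SNI) and checks that the certificate the listener presents covers that name, then compares the response body returned through GA with the body returned by the server that the forwarding rule should select, on the protocol and port that the endpoint group uses. It assumes the addresses from the scenario table, a placeholder ACCEL_IP for the accelerated IP address from Step 2, that curl and OpenSSL 1.1.1 or later are installed, and that the certificate installed on Server 2 is the one associated with example.net so that the direct fetch verifies. The function and variable names are the example's own. The san_covers_domain function is plain text processing and can be run without network access.

```shell
#!/bin/sh
# Added example, not taken from the Alibaba Cloud page or the GA service.
# Checks, without touching DNS, that the HTTPS listener presents a certificate
# valid for each domain name when that name is sent as SNI (Step 4), and that
# the forwarding rule sends each domain to its own server (Step 5).
# ACCEL_IP is a placeholder for the accelerated IP address from Step 2; the
# server addresses are the placeholders from the scenario table.

ACCEL_IP="${ACCEL_IP:-<accelerated IP address>}"
PORT=443

# san_covers_domain "SAN text" domain
# Returns 0 when the subjectAltName text printed by
#   openssl x509 -noout -ext subjectAltName
# covers domain. A wildcard covers exactly one extra label: *.example.net
# covers www.example.net but neither example.net nor a.b.example.net.
san_covers_domain() {
    names=$(printf '%s\n' "$1" | tr ',' '\n' |
            sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p')
    while IFS= read -r name; do
        case "$name" in
            \*.*)
                suffix="${name#\*.}"
                case "$2" in
                    *."$suffix")
                        head="${2%."$suffix"}"
                        case "$head" in
                            ""|*.*) ;;          # zero or several labels: no match
                            *) return 0 ;;
                        esac ;;
                esac ;;
            *)
                [ "$name" = "$2" ] && return 0 ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# sni_san domain: subjectAltName of the certificate the listener presents when
# the client sends domain as the TLS server name.
sni_san() {
    openssl s_client -connect "$ACCEL_IP:$PORT" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -ext subjectAltName
}

# body_hash [curl options...] url: checksum of the response body.
body_hash() {
    curl -sS "$@" | cksum | cut -d' ' -f1
}

# check_domain domain origin_ip origin_scheme origin_port
# Compares the body GA returns for https://domain/ with the body the origin
# returns when asked directly on the protocol and port the endpoint group uses.
check_domain() {
    d=$1; ip=$2; scheme=$3; port=$4
    san=$(sni_san "$d")
    if san_covers_domain "$san" "$d"; then
        echo "$d: certificate presented for SNI $d covers it ($san)"
    else
        echo "$d: FAIL certificate presented for SNI $d does not cover it ($san)"
        return 1
    fi
    via_ga=$(body_hash --resolve "$d:$PORT:$ACCEL_IP" "https://$d/")
    direct=$(body_hash --resolve "$d:$port:$ip" "$scheme://$d:$port/")
    if [ "$via_ga" = "$direct" ]; then
        echo "$d: response via GA matches origin $ip ($scheme port $port)"
    else
        echo "$d: FAIL response via GA differs from origin $ip; check the forwarding rule"
        return 1
    fi
}

# Live checks run only once the placeholder has been replaced.
case "$ACCEL_IP" in
    \<*) echo "Set ACCEL_IP to the accelerated IP address to run the live checks." ;;
    *)
        check_domain example.com 47.254.XX.XX http  80
        check_domain example.net 47.88.XX.XX  https 443
        ;;
esac
```

Run it with ACCEL_IP set to the accelerated IP address, for example ACCEL_IP=<accelerated IP address> sh check-listener.sh. The comparison for example.com deliberately fetches the origin over plain HTTP on port 80, because that is the leg GA uses for Server 1; if the origin served different content on 80 and 443, the check would flag it.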

Step 6: Add a CNAME record

example.com and example.net must be mapped to the CNAME assigned by GA before requests destined for the domain names can be forwarded to GA. Perform the following steps for each of example.com and example.net:
  • Change the ISP line of the existing A record from Default to the line of a specific region. In this example, the North America_United States line under Outside mainland China is selected, so that only users in that region are still resolved directly to the public IP address of the server.
  • Add a CNAME record with the Default ISP line that maps the domain name to the CNAME assigned by GA, so that users in all other regions, including the China (Hong Kong) region, are directed to GA.
Note The Free Trial edition of Alibaba Cloud DNS is selected by default. Only the Enterprise Standard edition and Enterprise Ultimate edition can return IP addresses based on geographical locations. You must upgrade your Alibaba Cloud DNS. For more information, see Step 5: Upgrade Alibaba Cloud DNS.
  1. Log on to the Alibaba Cloud DNS console.
  2. If your domain name is not registered through Alibaba Cloud Domains and you want to add the CNAME record in the Alibaba Cloud DNS console, first add the domain name in the Alibaba Cloud DNS console.
    Note If the domain name is registered through Alibaba Cloud Domains, skip this step. If the domain name is not registered through Alibaba Cloud Domains, you can use one of the following methods to configure DNS settings for the domain name:
    • If you use the Alibaba Cloud DNS service, you must first add the domain name in the Alibaba Cloud DNS console. For more information, see Add a domain name.
    • If you use the DNS resolution service that is provided by a third-party service provider, log on to the platform of the service provider and modify the DNS record for your application.
  3. On the Manage DNS page, find example.com and click Configure in the Actions column.
  4. On the DNS Settings page, modify the A record and click OK.
    1. Find the A record that you want to modify and click Edit in the Actions column.
    2. In the Edit Record panel, select Outside mainland China, North America, and United States in the ISP Line drop-down list.
  5. On the DNS Settings page, click Add Record, set the following parameters, and then click Confirm.
    Parameter Description
    Type Select CNAME from the drop-down list.
    Host Enter the prefix of the domain name that you want to accelerate.
    • If the accelerated domain name is www.aliyun.com, set the prefix to www.
    • If the accelerated domain name is aliyun.com, set the prefix to @.
    • If the accelerated domain name is *.aliyun.com, set the prefix to *.
    • If the domain name is mail.aliyun.com, set the prefix to mail.
    In this example, @ is entered.
    ISP Line Select Default from the drop-down list.
    Value Enter the CNAME assigned by GA.

    You can find the CNAME on the Instances page in the GA console.

    TTL Select 10 minute(s) from the drop-down list.
  6. Modify the A record of example.net and add a CNAME record for example.net.
    Repeat Step 3 to Step 5.
Note
  • A new CNAME record immediately takes effect. If you modify the CNAME record, the record takes effect within 72 hours.
  • After you add a CNAME record, it requires about 10 minutes for the system to update the status in the console. The message "You must add the CNAME record" may appear on the Domain Names page.

Step 7: Test the acceleration performance

Use both domain names to test the connectivity to the web application that is deployed in the US (Silicon Valley) region. In addition, check whether access to the domain names is accelerated.
Note
  • In this example, the Alibaba Cloud Linux 2 operating system is used. The command that is used to test the connectivity varies based on the operating system that you use. For more information, see the user guide of your operating system.
  • The result varies based on the actual workloads.
  1. Open the CLI on an on-premises machine in the China (Hong Kong) region.
  2. Run the following command to ping example.com and example.net. This command checks whether the CNAME records take effect.
    ping <The domain name>
    ping prints the canonical name of the domain next to the IP address that it resolves to. If that name is the CNAME assigned by GA, the CNAME record takes effect. You can also query the record itself by running dig <The domain name> CNAME.
  3. Run the following command to check whether example.com and example.net are accessible through the accelerated IP address and whether the listener presents the correct certificate for each domain name:
    curl -v https://<The domain name> --resolve <The domain name>:<The listener port>:<The accelerated IP address>
    The --resolve option pins the domain name to the accelerated IP address, so this check works before the CNAME record takes effect. If the response contains the server certificate information and HTTP response information, the domain name is accessible. GA selects the certificate based on the domain name that the client sends in the TLS handshake (Server Name Indication), so the certificate shown for example.com must be Certificate A and the certificate shown for example.net must be Certificate B. If curl reports that the certificate does not match the domain name, check the certificate that is associated with that domain name on the Certificates tab of the listener.
  4. Run the following commands to compare the network latency of example.com before and after acceleration. The two commands are identical except for the address to which --resolve pins the domain name, so the comparison does not depend on the state of the CNAME record. The -w format also includes time_appconnect, the time at which the TLS handshake completes.
    1. Run the following command to check the network latency before acceleration is enabled. The domain name is pinned to the public IP address of Server 1 (47.254.XX.XX), which also serves HTTPS on port 443 as described in the prerequisites:
      curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_appconnect: %{time_appconnect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" --resolve <The domain name>:443:<The server public IP address> "https://<The domain name>"
      Parameter descriptions:
      • time_connect: the period of time that it takes to establish a TCP connection. Unit: seconds.
      • time_appconnect: the period of time that it takes for upper-layer protocols such as TLS to complete their handshake. Unit: seconds.
      • time_starttransfer: the amount of time from when the client sends a request to when the client receives the first byte of the response. Unit: seconds.
      • time_total: the total time, from when the client sends a request to when the client receives the last byte from the backend server. Unit: seconds.
    2. Run the following command to check the network latency after acceleration is enabled. The domain name is pinned to the accelerated IP address that was assigned in Step 2:
      curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_appconnect: %{time_appconnect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" --resolve <The domain name>:443:<The accelerated IP address> "https://<The domain name>"
      Compare the output with that of the previous command. The TCP and TLS handshakes now complete with the GA access point in the China (Hong Kong) region, so time_connect and time_appconnect are expected to drop; time_starttransfer still includes the round trip from GA to the backend server in the US (Silicon Valley) region.
  5. Repeat the commands in the preceding step for example.net, with 47.88.XX.XX as the server public IP address. Requests for example.net match the custom forwarding rule and are forwarded to Server 2 over HTTPS.
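The following shell script is an added example; it is not part of the Alibaba Cloud documentation and not a GA feature. It automates the checks of Step 6 and Step 7: it confirms that each domain name resolves to the CNAME assigned by GA, then sends the same HTTPS request to the origin server and to the accelerated IP address several times and reports the median time_connect and time_total of each path, so that a single slow sample does not decide the result. It assumes the addresses from the scenario table, that both servers serve HTTPS on port 443 as stated in the prerequisites, that curl and dig are installed, and placeholders GA_CNAME and ACCEL_IP for the values shown in the GA console. The function names are the example's own. The cname_target and median functions work on text and numbers only and can be run without network access.

```shell
#!/bin/sh
# Added example, not taken from the Alibaba Cloud page or the GA service.
# Confirms that the CNAME records from Step 6 resolve to the CNAME assigned by
# GA, then compares curl timings for the same HTTPS request sent to the origin
# and to the accelerated IP address, taking the median of several samples so
# one slow run does not decide the result. GA_CNAME and ACCEL_IP are
# placeholders for the values shown in the GA console.

GA_CNAME="${GA_CNAME:-<CNAME assigned by GA>}"
ACCEL_IP="${ACCEL_IP:-<accelerated IP address>}"
SAMPLES=5

# cname_target "dig answer text" name
# Prints the CNAME target that the answer section of `dig +noall +answer name`
# records for name, without the trailing dot; prints nothing if there is none.
cname_target() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $4 == "CNAME" && ($1 == n || $1 == (n ".")) {
            t = $5; sub(/\.$/, "", t); print t; exit
        }'
}

# median "numbers separated by spaces or newlines": prints the median.
median() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -v '^$' | sort -n | awk '
        { v[NR] = $1 }
        END {
            if (NR == 0) exit 1
            if (NR % 2) print v[(NR + 1) / 2]
            else printf "%.6f\n", (v[NR / 2] + v[NR / 2 + 1]) / 2
        }'
}

# curl_times [curl options...] url: "time_connect time_total" for one request.
curl_times() {
    curl -o /dev/null -s -w '%{time_connect} %{time_total}' "$@"
}

# measure domain ip: median time_connect and time_total of SAMPLES requests to
# https://domain/ with the name pinned to ip by --resolve.
measure() {
    connects=""; totals=""; i=0
    while [ "$i" -lt "$SAMPLES" ]; do
        out=$(curl_times --resolve "$1:443:$2" "https://$1/")
        connects="$connects ${out%% *}"
        totals="$totals ${out##* }"
        i=$((i + 1))
    done
    echo "connect=$(median "$connects")s total=$(median "$totals")s"
}

# compare domain origin_ip: CNAME status, then direct and accelerated timings.
compare() {
    got=$(cname_target "$(dig +noall +answer "$1")" "$1")
    if [ "$got" = "$GA_CNAME" ]; then
        echo "$1: CNAME -> $GA_CNAME (record in effect)"
    else
        echo "$1: CNAME record not in effect (resolver returned '${got:-no CNAME}')"
    fi
    echo "$1: direct to $2: $(measure "$1" "$2")"
    echo "$1: via GA $ACCEL_IP: $(measure "$1" "$ACCEL_IP")"
}

# Live checks run only once both placeholders have been replaced.
case "$GA_CNAME$ACCEL_IP" in
    *\<*) echo "Set GA_CNAME and ACCEL_IP to run the live checks." ;;
    *)
        compare example.com 47.254.XX.XX
        compare example.net 47.88.XX.XX
        ;;
esac
```

Run it from a machine in the China (Hong Kong) region with GA_CNAME and ACCEL_IP set. Because both measurements pin the name with --resolve, the latency comparison is valid whether or not the CNAME record has propagated; the CNAME check only tells you whether ordinary clients already reach GA.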