Accelerate HTTP websites over HTTPS - Best Practices| Alibaba Cloud Documentation Center

Scenarios

The following scenario is used as an example. The headquarters of a company is located in the US (Silicon Valley) region. The headquarters deploys an HTTP website on a self-managed server in the US (Silicon Valley) region. The clients that want to access the website are located in the China (Hong Kong) region. The website may encounter the following challenges:

Data is transmitted in plaintext over HTTP and the requests that are destined for the website are not authenticated. Therefore, security risks may arise.
The cross-border network is unstable. Network issues, such as network latency, network jitter, and packet loss, may frequently occur.

You can deploy the GA service and configure HTTPS listeners to accelerate the HTTP website deployed in the US (Silicon Valley) region for clients in the China (Hong Kong) region. In addition, data transmission is encrypted and secured over HTTPS when the clients send requests to the HTTP website.

Prerequisites

An SSL certificate is purchased and an application is submitted to apply for the SSL certificate. For more information, see Purchase a certificate and Apply for a certificate.

Procedure

Step 1: Purchase a GA service bundle

You can enter the information about the web service in the GA console. After you enter the information, the system generates a list of recommended services. The list includes a GA instance and a basic bandwidth plan.

Log on to the Global Accelerator console.
In the upper-right corner of the Instances page, click Purchase Guide.

Note If this is the first time that you use the GA service, skip this step.

In the Enter the required information to generate a list of recommended services section, enter the required information and click Generate Service List.


Parameter	Description
Acceleration Area	Select the region that requires acceleration. In this example, China (Hong Kong) is selected.
Service Region	Select the region where the backend servers are deployed. In this example, US (Silicon Valley) is selected.
ICP Filing	Specify whether you have applied for an Internet Content Provider (ICP) number for the domain name of the web service. In this example, No is selected. Note All websites must obtain an ICP number before they are allowed to provide services to users in mainland China. For more information, see What is an ICP filing?.
Server Area	Specify whether the web service is deployed on Alibaba Cloud. In this example, Off Alibaba Cloud is selected.
Peak Bandwidth Range	Enter the bandwidth required during peak hours. Unit: Mbit/s. In this example, `2` is entered.
Maximum Concurrent Connections	The maximum number of concurrent connections that a GA instance supports. When the number of existing concurrent connections reaches the upper limit, new connection requests are dropped. In this example, 5 Thousand is selected.

In the Recommended Service List section, click Generate Service List after you confirm the information.

On the buy page, set the following parameters and click Buy Now to complete the payment.


Parameter	Description
Term	Select the subscription duration.
Specification	Select a specification for the GA instance. In this example, Small I (Specification Unit) is selected.
Bandwidth Type	Select a bandwidth type for the basic bandwidth plan. In this example, Premium is selected.
Peak Bandwidth	Select the bandwidth limit of the basic bandwidth plan. In this example, 2 Mbit/s is selected.

Step 2: Add an acceleration area

After you purchase a GA instance, you can add an acceleration area, specify the region where users are located, and then allocate bandwidth resources to the region.

On the Instances page, find the GA instance and click its ID.
Click the Acceleration Areas tab and then click Add Region on the Asia Pacific tab.

In the Add Acceleration Area dialog box, set the following parameters and click OK.


Parameter	Description
Regions	Select the region where the users are located. In this example, China (Hong Kong) is selected.
Bandwidth	Specify a bandwidth value for the acceleration region. In this example, `2` Mbit/s is entered.
Internet Protocol	Select the IP address version used to access GA. In this example, IPv4 is selected.

After you add the region, the system assigns an accelerated IP address to the region that is added to the GA instance. This accelerated IP address is used to accelerate data transfer from users in the specified region to the specified backend servers through GA.

Step 3: Add a listener and an endpoint group

A listener checks for connection requests and then distributes the requests to backend servers based on the specified protocol and ports. Each listener is associated with an endpoint group. You can associate an endpoint group with a listener by specifying the region to which you want to distribute network traffic. After you associate an endpoint group with a listener, traffic is distributed to the optimal endpoint in the associated endpoint group.

You are required to configure an SSL certificate when you add an HTTPS listener. After you configure an SSL certificate for your website, data transmitted to the website is encrypted based on HTTPS. This allows you to secure the transmission of sensitive data.

On the instance details page, click the Listeners tab and then click Add Listener.

On the Configure Listener & Protocol wizard page, specify the following listener information and click Next.


Parameter	Description
Listener Name	Enter a name for the listener. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
Protocol	Select the protocol of the listener. HTTPS is selected in this example.
Port Number	Specify a port for the listener. The port is used to receive and forward requests to endpoints. Valid values: 1 to 65499. The value is set to `443` in this example.
Client Affinity	Specify whether to enable client affinity. If client affinity is enabled, requests from the same client are forwarded to the same endpoint when the client connects to a stateful application. In this example, Source IP Address is selected.

On the Configure SSL Certificate wizard page, configure the following parameters and click Next.
- Server Certificate: Select the SSL certificate for which you applied.
- Click Modify to the right of Advanced Settings and select a TLS security policy from the TLS Security Policies drop-down list. In this example, tls_cipher_policy_1_0 is selected.
  For more information about TLS security policies, see TLS security policies.

On the Configure Endpoint Group wizard page, specify the following endpoint group information and click Next.

Pay close attention to the parameters that are described in the following table. For more information, see Overview.


Parameter	Description
Endpoint Group Name	Enter a name for the endpoint group. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
Region	Select the region where you want to create the endpoint group. The backend servers that the clients want to access must be deployed in the specified region. In this example, US (Silicon Valley) is selected.
Backend Service	Specify whether the backend service is deployed on Alibaba Cloud. In this example, Off Alibaba Cloud is selected.
Preserve Client IP	By default, this feature is enabled. HTTPS listeners can retrieve client IP addresses from the x-forward-for HTTP header field.
Endpoint	Endpoints are backend servers that receive and handle client requests. To add an endpoint, specify the following parameters: Backend Service Type: In this example, Custom IP Address is selected. Backend Service: Enter the IP address of the backend service that you want to accelerate. Weight: Enter a weight for the endpoint. Valid values: 0 to 255. GA distributes network traffic to endpoints based on their weights. Notice If the weight of an endpoint is set to 0, GA stops distributing network traffic to the endpoint. Proceed with caution.
Backend Service Protocol	Select the protocol that the backend server uses. Valid values: HTTP: This is the default value. HTTPS In this example, HTTP is selected.
Port Mapping	If the listener port and the port that the endpoint uses to provide services are not the same, you must add a mapping between the ports. Listener Port: Enter the listener port. In this example, the value is set to `443`. Endpoint Port: Enter the port that the endpoint uses to provide services. In this example, `80` is used.

On the Confirm wizard page, confirm the configurations of the listener and endpoint, and then click Submit.

Step 4: Configure DNS settings

You must configure DNS settings to map the domain name of the HTTP website to the CNAME allocated by GA. This way, requests that are destined for the domain name are routed to GA for acceleration. The following example shows how to configure DNS settings in the Alibaba Cloud DNS console.

Note If you use the DNS resolution service that is provided by a third-party service provider, log on to the platform of the service provider and modify the DNS record for your web application.

Log on to the Alibaba Cloud DNS console.
On the Manage DNS page, find the domain name and click Configure in the Actions column to go to the DNS Settings page.

Click Add Record, set the following parameters and click Confirm.


Parameter	Description
Type	The CNAME record is used to map the domain name to the CNAME allocated by GA. In this example, CNAME is selected.
Host	Enter the prefix of the domain name that you want to accelerate. If the domain name is `www.aliyun.com`, set the prefix to `www`. If the domain name is `aliyun.com`, set the prefix to `@`. If the domain name is `.aliyun.com`, set the prefix to ``. If the domain name is `mail.aliyun.com`, set the prefix to `mail`.
ISP Line	Select Default from the drop-down list.
Value	Enter the CNAME that is allocated by GA. You can find the CNAME on the Instances page.
TTL	The time-to-live (TTL) period of the DNS record on the DNS server. In this example, 10 minute(s) is selected.

Note

New CNAME records immediately take effect. If you modify the CNAME record, the record takes effect within 72 hours after it is modified.
After you add a CNAME record, it requires about 10 minutes for the system to update the status in the console. The message "You must add the CNAME record" may appear on the Domain Names page.

Step 5: Verify the acceleration performance

Perform the following steps to verify the connectivity to the HTTP website that is deployed in the US (Silicon Valley) region over HTTPS. In addition, check whether content delivery is accelerated.

Note The Alibaba Cloud Linux 3.2104 LTS 64-bit operating system is used in this example. The command that is used to verify the connectivity varies based on the operating system that you use. For more information, see the user guide of your operating system.

Open the CLI on an on-premises machine in the China (Hong Kong) region.
Run the following command to check whether the client can access the HTTP website that is deployed in the US (Silicon Valley) region:
```
curl https://<The domain name of the HTTP website>
```
Figure 1. Verification result
Run the following command to test the network latency:
```
curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "https://<The domain name of the HTTP website>"
```
In the command:
- time_connect: the period of time that it takes to establish a TCP connection. Unit: seconds.
- time_starttransfer: the start time of data transfer. The start time refers to the amount of time from when the client sends a request to the backend server to when the first byte is sent to the client. Unit: seconds.
- time_total: the total connection time. The total connection time refers to the amount of time from when the client sends a request to when the client receives the last byte from the backend server. Unit: seconds.
Figure 2. Data transmission before GA is used

Figure 3. Data transmission after GA is used

Note The acceleration result varies based on the actual workloads.