This topic describes how to use Global Accelerator (GA) to accelerate HTTP websites
over HTTPS. This improves user experience and enhances network security.
Scenarios
The following scenario is used as an example. The headquarters of a company is located
in the US (Silicon Valley) region. The headquarters deploys an HTTP website on a self-managed
server in the US (Silicon Valley) region. The clients that want to access the website
are located in the China (Hong Kong) region. The website may encounter the following
challenges:
- Data is transmitted in plaintext over HTTP and the requests that are destined for the website are not authenticated. Therefore, security risks may arise.
- The cross-border network is unstable. Network issues, such as network latency, network jitter, and packet loss, may frequently occur.
You can deploy the GA service and configure HTTPS listeners to accelerate the HTTP
website deployed in the US (Silicon Valley) region for clients in the China (Hong
Kong) region. In addition, requests are encrypted over HTTPS between the clients and
the GA listener. In this example, GA forwards the requests to the backend server over HTTP.
You can enter the information about the web service in the GA console. After you enter
the information, the system generates a list of recommended services. The list includes
a GA instance and a basic bandwidth plan.
In the upper-right corner of the Instances page, click Purchase Guide.
Note: If this is the first time that you use the GA service, skip this step.
In the Enter the required information to generate a list of recommended services section, enter the required information and click Generate Service List.
| Parameter | Description |
| --- | --- |
| Acceleration Area | Select the region that requires acceleration. In this example, China (Hong Kong) is selected. |
| Service Region | Select the region where the backend servers are deployed. In this example, US (Silicon Valley) is selected. |
| ICP Filing | Specify whether you have applied for an Internet Content Provider (ICP) number for the domain name of the web service. In this example, No is selected. Note: All websites must obtain an ICP number before they are allowed to provide services to users in mainland China. For more information, see What is an ICP filing?. |
| Server Area | Specify whether the web service is deployed on Alibaba Cloud. In this example, Off Alibaba Cloud is selected. |
| Peak Bandwidth Range | Enter the bandwidth required during peak hours. Unit: Mbit/s. In this example, 2 is entered. |
| Maximum Concurrent Connections | The maximum number of concurrent connections that a GA instance supports. When the number of existing concurrent connections reaches the upper limit, new connection requests are dropped. In this example, 5 Thousand is selected. |
In the Recommended Service List section, click Generate Service List after you confirm the information.
On the buy page, set the following parameters and click Buy Now to complete the payment.
| Parameter | Description |
| --- | --- |
| Term | Select the subscription duration. |
| Specification | Select a specification for the GA instance. In this example, Small I (Specification Unit) is selected. |
| Bandwidth Type | Select a bandwidth type for the basic bandwidth plan. In this example, Premium is selected. |
| Peak Bandwidth | Select the bandwidth limit of the basic bandwidth plan. In this example, 2 Mbit/s is selected. |
Step 2: Add an acceleration area
After you purchase a GA instance, you can add an acceleration area, specify the region
where users are located, and then allocate bandwidth resources to the region.
On the Instances page, find the GA instance and click its ID.
Click the Acceleration Areas tab and then click Add Region on the Asia Pacific tab.
In the Add Acceleration Area dialog box, set the following parameters and click OK.
| Parameter | Description |
| --- | --- |
| Regions | Select the region where the users are located. In this example, China (Hong Kong) is selected. |
| Bandwidth | Specify a bandwidth value for the acceleration region. In this example, 2 Mbit/s is entered. |
| Internet Protocol | Select the IP address version used to access GA. In this example, IPv4 is selected. |
After you add the region, the system assigns an accelerated IP address to the region
that is added to the GA instance. This accelerated IP address is used to accelerate
data transfer from users in the specified region to the specified backend servers
through GA.
Step 3: Add a listener and an endpoint group
A listener checks for connection requests and then distributes the requests to backend
servers based on the specified protocol and ports. Each listener is associated with
an endpoint group. You can associate an endpoint group with a listener by specifying
the region to which you want to distribute network traffic. After you associate an
endpoint group with a listener, traffic is distributed to the optimal endpoint in
the associated endpoint group.
You are required to configure an SSL certificate when you add an HTTPS listener. After
you configure an SSL certificate for your website, data transmitted to the website
is encrypted based on HTTPS. This allows you to secure the transmission of sensitive
data.
On the instance details page, click the Listeners tab and then click Add Listener.
On the Configure Listener & Protocol wizard page, specify the following listener information and click Next.
| Parameter | Description |
| --- | --- |
| Listener Name | Enter a name for the listener. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter. |
| Protocol | Select the protocol of the listener. HTTPS is selected in this example. |
| Port Number | Specify a port for the listener. The port is used to receive and forward requests to endpoints. Valid values: 1 to 65499. The value is set to 443 in this example. |
| Client Affinity | Specify whether to enable client affinity. If client affinity is enabled, requests from the same client are forwarded to the same endpoint when the client connects to a stateful application. In this example, Source IP Address is selected. |
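On the Configure SSL Certificate wizard page, configure the following parameters and click Next.
- Server Certificate: Select the SSL certificate for which you applied.
- Click Modify to the right of Advanced Settings and select a TLS security policy from the TLS Security Policies drop-down list. In this example, tls_cipher_policy_1_0 is selected. The policy determines which TLS versions and cipher suites the listener accepts. tls_cipher_policy_1_0 accepts TLS 1.0, TLS 1.1, and TLS 1.2, so select a stricter policy if all of your clients support TLS 1.2 or later.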
On the Configure Endpoint Group wizard page, specify the following endpoint group information and click Next.
Pay close attention to the parameters that are described in the following table. For
more information, see Overview.
| Parameter | Description |
| --- | --- |
| Endpoint Group Name | Enter a name for the endpoint group. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter. |
| Region | Select the region where you want to create the endpoint group. The backend servers that the clients want to access must be deployed in the specified region. In this example, US (Silicon Valley) is selected. |
| Backend Service | Specify whether the backend service is deployed on Alibaba Cloud. In this example, Off Alibaba Cloud is selected. |
| Preserve Client IP | By default, this feature is enabled. With HTTPS listeners, backend servers can retrieve client IP addresses from the X-Forwarded-For HTTP header field. |
| Endpoint | Endpoints are backend servers that receive and handle client requests. To add an endpoint, specify the following parameters. Backend Service Type: In this example, Custom IP Address is selected. Backend Service: Enter the IP address of the backend service that you want to accelerate. Weight: Enter a weight for the endpoint. Valid values: 0 to 255. GA distributes network traffic to endpoints based on their weights. Notice: If the weight of an endpoint is set to 0, GA stops distributing network traffic to the endpoint. Proceed with caution. |
| Backend Service Protocol | Select the protocol that the backend server uses. Valid values: HTTP (the default value) and HTTPS. In this example, HTTP is selected. |
| Port Mapping | If the listener port and the port that the endpoint uses to provide services are not the same, you must add a mapping between the ports. Listener Port: Enter the listener port. In this example, the value is set to 443. Endpoint Port: Enter the port that the endpoint uses to provide services. In this example, 80 is used. |
On the Confirm wizard page, confirm the configurations of the listener and endpoint, and then click
Submit.
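With Preserve Client IP enabled and HTTP as the backend protocol, the backend server learns the client address only from the X-Forwarded-For header, so it should honor that header only on connections that arrive from GA. The following Python code is an added example, not part of the original topic or of any Alibaba Cloud code. TRUSTED_PROXIES holds placeholder documentation ranges, and the code assumes that each forwarder appends the address it received the request from as the last header entry.

```python
import ipaddress

# Assumption: placeholder ranges from the RFC 5737 documentation space. Replace
# them with the addresses from which GA connects to your endpoint.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted(addr):
    """True if addr belongs to one of the trusted forwarder ranges."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff_header):
    """Return the address the origin should log, rate-limit and apply ACLs to.

    peer_ip is the socket peer of the HTTP connection; xff_header is the raw
    X-Forwarded-For value, or None if the request carried no such header.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A request that reached port 80 without passing through GA can carry any
    # header value, so the header is ignored unless the peer is trusted.
    if not is_trusted(peer) or not xff_header:
        return str(peer)
    # Assumption: each forwarder appends the address it received the request
    # from. Walk right to left and stop at the first untrusted address; any
    # entry further left was supplied by the client and proves nothing.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the socket peer
        if not is_trusted(addr):
            return str(addr)
    return str(peer)


# Constructed sample requests: (socket peer, X-Forwarded-For header).
SAMPLES = [
    ("203.0.113.10", "198.51.100.7"),            # normal request through GA
    ("203.0.113.10", "10.1.1.1, 198.51.100.7"),  # client forged a leading entry
    ("192.0.2.55", "198.51.100.7"),              # sent directly to the origin
]

if __name__ == "__main__":
    for peer, header in SAMPLES:
        print(f"peer={peer} xff={header!r} -> {client_ip(peer, header)}")
```

Restricting inbound traffic on the endpoint port to the same trusted ranges removes the third case entirely, because requests can then no longer reach the backend server without passing through GA.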
Step 4: Configure DNS settings
You must configure DNS settings to map the domain name of the HTTP website to the
CNAME allocated by GA. This way, requests that are destined for the domain name are
routed to GA for acceleration. The following example shows how to configure DNS settings
in the Alibaba Cloud DNS console.
Note: If you use the DNS resolution service that is provided by a third-party service provider,
log on to the platform of the service provider and modify the DNS record for your
web application.
On the Manage DNS page, find the domain name and click Configure in the Actions column to go to the DNS Settings page.
Click Add Record, set the following parameters and click Confirm.
| Parameter | Description |
| --- | --- |
| Type | The CNAME record is used to map the domain name to the CNAME allocated by GA. In this example, CNAME is selected. |
| Host | Enter the prefix of the domain name that you want to accelerate. If the domain name is www.aliyun.com, set the prefix to www. If the domain name is aliyun.com, set the prefix to @. If the domain name is *.aliyun.com, set the prefix to *. If the domain name is mail.aliyun.com, set the prefix to mail. |
| ISP Line | Select Default from the drop-down list. |
| Value | Enter the CNAME that is allocated by GA. You can find the CNAME on the Instances page. |
| TTL | The time-to-live (TTL) period of the DNS record on the DNS server. In this example, 10 minute(s) is selected. |
Note:
- New CNAME records immediately take effect. If you modify the CNAME record, the record takes effect within 72 hours after it is modified.
- After you add a CNAME record, it requires about 10 minutes for the system to update the status in the console. The message "You must add the CNAME record" may appear on the Domain Names page.
Step 5: Verify the acceleration performance
Perform the following steps to verify the connectivity to the HTTP website that is
deployed in the US (Silicon Valley) region over HTTPS. In addition, check whether
content delivery is accelerated.
Note: The Alibaba Cloud Linux 3.2104 LTS 64-bit operating system is used in this example.
The command that is used to verify the connectivity varies based on the operating
system that you use. For more information, see the user guide of your operating system.
Open the CLI on an on-premises machine in the China (Hong Kong) region.
Run the following command to check whether the client can access the HTTP website
that is deployed in the US (Silicon Valley) region:
curl https://<The domain name of the HTTP website>
Figure 1. Verification result
Run the following command to test the network latency:
curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "https://<The domain name of the HTTP website>"
In the command:
- time_connect: the period of time that it takes to establish a TCP connection. Unit: seconds.
- time_starttransfer: the start time of data transfer. The start time refers to the amount of time from when the client sends a request to the backend server to when the first byte is sent to the client. Unit: seconds.
- time_total: the total connection time. The total connection time refers to the amount of time from when the client sends a request to when the client receives the last byte from the backend server. Unit: seconds.
Figure 2. Data transmission before GA is used
Figure 3. Data transmission after GA is used
Note: The acceleration result varies based on the actual workloads.