ApsaraVideo Live: HTTPS settings

Last Updated: Jun 21, 2026

Using HTTPS and HTTP/2, you can provide users with a more secure, faster, and smoother network experience.

Configure HTTPS

Introduction

Hypertext Transfer Protocol Secure (HTTPS) is a secure HTTP channel that uses the SSL or TLS protocol for encapsulation. ApsaraVideo Live provides HTTPS to securely accelerate content delivery. You can view, disable, enable, and edit certificates. If a certificate is correctly configured and enabled for a domain, both HTTP and HTTPS requests are supported. If the certificate does not match the domain or is disabled, only HTTP requests are supported.

Benefits of HTTPS

  • Encrypts sensitive information, such as session IDs and cookies, during transmission. This prevents security risks, such as information leakage, if the data is intercepted by attackers.

  • Verifies data integrity during transmission to protect against man-in-the-middle (MITM) attacks, such as DNS and content hijacking or tampering.

Usage notes

Configuration

| Action | Description |
| --- | --- |
| Disable and enable HTTPS | After HTTPS is disabled, HTTPS requests are no longer supported, and the certificate and private key information is no longer retained. To enable HTTPS again, you must upload the certificate and private key again. |
| View a certificate | You can view certificate information. However, you cannot view the private key because it is sensitive. Make sure to store your certificate and private key securely. |
| Edit a certificate | You can edit a certificate. The change takes about five minutes to take effect. Proceed with caution. |

Certificates

  • ApsaraVideo Live supports two types of certificate deployment: certificates from Certificate Management Service and custom certificates.

  • To enable HTTPS for a streaming domain, you must upload a certificate and its private key. Both must be in PEM format.

Note

ApsaraVideo Live uses Tengine, which is based on Nginx. Therefore, it supports only Nginx-compatible certificate formats, such as PEM.

  • Only SSL or TLS handshakes that include Server Name Indication (SNI) are supported.

  • The certificate and private key that you upload must match. Otherwise, validation fails.

  • Certificate updates take about five minutes to take effect.

  • Password-protected private keys are not supported.

Procedure

Step 1: Purchase a certificate

To enable HTTPS, you need a certificate that matches your streaming domain. If you do not have one, go to Certificate Management Service and click Buy Now. If you have a custom certificate, you can skip this step.

Step 2: Configure a streaming domain

  1. Enable HTTPS.

    1. Log on to the ApsaraVideo Live console.

    2. In the left navigation pane, click Domain Names. The Domain Management page appears.

    3. Find the streaming domain for which you want to configure HTTPS and click Domain Settings in the Actions column.

    4. Click HTTPS Settings and turn on the HTTPS Certificate switch.

  2. Select a certificate.

    • Certificate from Certificate Management Service: For Certificate Type, select Alibaba Cloud Security. Select the certificate that you purchased from Certificate Management Service. You can select it by name to match the streaming domain.

    • Custom certificate: For Certificate Type, select Others. Enter a certificate name, and then upload the certificate content and private key. The certificate is saved in the Certificate Management Service console and can be viewed in the My Certificates section.

      Note

      Only certificates in PEM format are supported.

Step 3: Verify the configuration

The settings take about one minute to take effect across the network. To verify that the certificate has taken effect, access a resource by using an https:// URL. If a lock icon appears in your browser's address bar, the certificate is active and HTTPS is enabled.

Configure HTTP/2

Introduction

HTTP/2, also known as HTTP 2.0, introduces features such as multiplexing, header compression, request prioritization, and server push. It addresses the limitations of HTTP 1.1 to optimize request performance while remaining compatible with HTTP 1.1 semantics. Modern browsers such as Chrome, Edge, Safari, and Firefox support the HTTP/2 protocol.

Benefits of HTTP/2

  • Binary protocol: Unlike the text-based parsing of HTTP 1.x, HTTP/2 splits all transmitted information into smaller messages and frames, and encodes them in a binary format. This binary foundation allows for greater protocol extensibility, such as introducing frames to transport data and commands.

  • Multiplexing: In HTTP 1.x, performance optimizations often involve techniques like using image sprites and multiple domains because browsers limit the number of concurrent requests per domain. When a page needs to load many resources, head-of-line blocking can occur, which forces resources to wait for other requests to complete. In HTTP/2, the binary framing layer allows multiple requests and responses to be sent concurrently over a shared TCP connection. The recipient reassembles them by using stream identifiers and headers. This technique avoids the head-of-line blocking issue of older HTTP versions and greatly improves transmission performance.

  • Header compression: HTTP request headers contain a large amount of repetitive information. HTTP/2 uses the HPACK format for compression. Both the client and server maintain an index table of header fields. Identical headers are transmitted by using only their index numbers, which improves efficiency and speed.

  • Server push: A server can send multiple responses for a single client request. This allows the server to push resources to the client without the client explicitly requesting them.

Usage notes

Before you proceed, ensure that HTTPS is enabled.

Note
  • If you are configuring an HTTPS certificate for the first time, you must wait for it to take effect before you can enable HTTP/2.

  • If you disable the HTTPS certificate feature, the HTTP/2 setting is dimmed and cannot be enabled.

  • If you enable HTTP/2 and then disable the HTTPS certificate feature, HTTP/2 is also automatically disabled.

Enable or disable HTTP/2

  1. Log on to the ApsaraVideo Live console.
  2. In the left navigation pane, click Domain Names. The Domain Management page appears.

  3. Find the streaming domain that you want to configure and click Domain Settings in the Actions column.

  4. In the left-side navigation pane for the domain, click HTTPS Settings.

  5. In the HTTP/2 section, turn the HTTP/2 switch on or off.

Force redirect

Important

Before you proceed, ensure that HTTPS is enabled.

Introduction

If you have enabled HTTPS for your streaming domain, you can configure a force redirect to automatically change the protocol of end-user requests.

For example, if you enable the HTTP > HTTPS redirect, when an end user makes an HTTP request, the server returns a 301 response that redirects the request to HTTPS. The following code provides an example.

$ curl 'http://xxx xxx xxx/' -i
HTTP/1.1 301 Moved Permanently
Server: Tengine
Date: Mon, 03 Jun 2019 13:26:01 GMT
Content-Type: text/html
Content-Length: 278
Connection: keep-alive
Location: https://xxx xxx xxx/
Via: cache2.cn201[,0]
Timing-Allow-Origin: *
EagleId: 2a786b0215595683612635433e

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<h1>301 Moved Permanently</h1>
<p>The requested resource has been assigned a new permanent URI.</p>
<hr/>Powered by Tengine</body>
</html>

Procedure

  1. Log on to the ApsaraVideo Live console.
  2. In the left navigation pane, click Domain Names. The Domain Management page appears.

  3. Find the streaming domain that you want to configure and click Domain Settings in the Actions column.

  4. In the left-side navigation pane for the domain, click Streaming Management > HTTPS Settings.

  5. Click Change Settings.

    The Modify Configuration button is in the Force Redirect section.

  6. Select a Redirect Type.

    After selecting a type, click OK.

    | Redirect type | Description |
    | --- | --- |
    | Default | Both HTTP and HTTPS requests are supported. |
    | HTTPS > HTTP | Requests from clients to points of presence (POPs) are redirected to HTTP. |
    | HTTP > HTTPS | Requests from clients to POPs are redirected to HTTPS to ensure secure access. |

  7. Click OK.

Certificate format reference

This section describes the certificate formats supported by ApsaraVideo Live and how to convert between formats.

Certificates issued by root certificate authorities

Each certificate issued by a root certificate authority is unique and can be used with multiple server software platforms, including Apache, IIS, Nginx, and Tomcat. ApsaraVideo Live typically uses Nginx servers to handle certificates. Certificate files usually use the .crt extension, and private key files usually use the .key extension.

Certificate upload format:

  • Include the header -----BEGIN CERTIFICATE----- and footer -----END CERTIFICATE-----.

  • Each line must be 64 characters long, except the last line, which may be shorter.

In a Linux environment, an example of a certificate in PEM format is as follows.

-----BEGIN CERTIFICATE-----
MIIDRjCCAq+gAwIBAgIJAJn3ox4K13xxx
xxx
-----END CERTIFICATE-----

Certificates issued by intermediate certificate authorities

Certificates from intermediate authorities include multiple certificates. Upload them together by concatenating the server certificate and intermediate certificate.

Note

Concatenation rule: Place the server certificate first, followed by the intermediate certificate. Certificate issuers usually provide specific instructions—follow them carefully.

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Certificate chain rules:

  • Do not leave blank lines between certificates.

  • Each certificate must follow the standard upload format.

RSA private key format requirements

RSA private key rules:

  • To generate a private key locally, run: openssl genrsa -out privateKey.pem 2048. Here, privateKey.pem is your private key file.

  • The key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----. Upload the entire content.

  • Each line must be 64 characters long, except the last line, which may be shorter.

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDOOkt3vfjY9...
...(Private key content)...
-----END RSA PRIVATE KEY-----

If you did not generate the private key using the method described above and instead obtained a private key that starts with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----, you can convert it as follows:

openssl rsa -in old_server_key.pem -out new_server_key.pem

Then upload the contents of new_server_key.pem along with your certificate.
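
The certificate chain rules and RSA private key rules above can be checked locally before the upload. The following is an added example, not part of the ApsaraVideo Live documentation or tooling; the names lint_chain, lint_key, CERT and KEY are hypothetical, and the check covers structure only, so it does not confirm that the certificate and key match.

```python
import re

# Upload rules from the page: BEGIN/END markers, 64-character body lines (the
# last may be shorter), no blank lines between certificates, unencrypted RSA key.
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)


def _line_problems(label, body):
    lines = body.split("\n")
    return [f"{label}: line {i} has {len(ln)} characters, expected 64"
            for i, ln in enumerate(lines, 1)
            if not ln or len(ln) > 64 or (len(ln) < 64 and i != len(lines))]


def lint_chain(pem):
    """Return rule violations for the certificate field (structure only)."""
    text = pem.replace("\r\n", "\n").strip()
    blocks = list(BLOCK.finditer(text))
    if not blocks or blocks[0].start() != 0 or blocks[-1].end() != len(text):
        return ["text must start and end with a complete PEM block"]
    problems = []
    for n, m in enumerate(blocks, 1):
        if m.group(1) != "CERTIFICATE":
            problems.append(f"block {n}: {m.group(1)} is not a certificate")
        problems += _line_problems(f"certificate {n}", m.group(2))
        if n > 1 and text[blocks[n - 2].end():m.start()] != "\n":
            problems.append(f"extra text or blank line before certificate {n}")
    return problems


def lint_key(pem):
    """Return rule violations for the private key field (structure only)."""
    text = pem.replace("\r\n", "\n").strip()
    m = BLOCK.fullmatch(text)
    if not m:
        return ["expected exactly one PEM private key block"]
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type:" in body:
        return ["password-protected private key: not supported"]
    if label == "PRIVATE KEY":
        return ["PKCS#8 header: convert to -----BEGIN RSA PRIVATE KEY-----"]
    if label != "RSA PRIVATE KEY":
        return [f"unexpected key type: {label}"]
    return _line_problems("private key", body)


# Constructed samples: filler base64, not real certificate or key material.
CERT = "-----BEGIN CERTIFICATE-----\n" + "A" * 64 + "\nAAAA\n-----END CERTIFICATE-----"
KEY = ("-----BEGIN RSA PRIVATE KEY-----\n" + "B" * 64
       + "\nBB==\n-----END RSA PRIVATE KEY-----")
```

On OpenSSL 3.x, openssl genrsa and openssl rsa write the -----BEGIN PRIVATE KEY----- (PKCS#8) header by default, which lint_key reports; adding the -traditional option to either command produces the -----BEGIN RSA PRIVATE KEY----- form.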

Certificate format conversion methods

HTTPS configuration only supports PEM-formatted certificates. Convert other formats to PEM using the OpenSSL tool. The following table shows common conversion methods.

Conversion method

Description

DER to PEM

DER format is commonly used in Java platforms.

  • Certificate conversion:

    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Private key conversion:

    openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem

P7B to PEM

P7B format is commonly used in Windows Server and Tomcat.

  • Certificate conversion:

    openssl pkcs7 -print_certs -in incertificate.p7b -out outcertificate.cer

    Extract the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- from outcertificate.cer and upload it as your certificate.

  • Private key conversion: P7B certificates do not include private keys. Only fill in the certificate field in the console.

PFX to PEM

PFX format is commonly used in Windows Server.

  • Certificate conversion:

    openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
  • Private key conversion:

    openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes