
ApsaraVideo Live: Configure HTTPS secure acceleration

Last Updated: Nov 29, 2024

This topic describes how to configure HTTPS secure acceleration in ApsaraVideo Live.

Overview

HTTPS is an extension of HTTP for secure communication over networks. In HTTPS, traffic is encrypted by using Transport Layer Security (TLS) or Secure Sockets Layer (SSL). ApsaraVideo Live supports HTTPS secure acceleration and allows you to view, enable, disable, or change SSL certificates. After you configure and enable an SSL certificate for an ingest domain, both HTTP and HTTPS access are supported. If the SSL certificate does not match the domain name or is disabled, only HTTP access is supported.

Benefits

  • HTTPS encrypts sensitive information, such as session IDs and cookies, to prevent information leakage.

  • HTTPS checks data integrity during transmission to protect the data against man-in-the-middle (MITM) attacks, such as DNS hijacking and tampering.

Usage notes

Related operations

| Operation | Description |
| --- | --- |
| Disable or enable HTTPS | After you disable HTTPS, ApsaraVideo Live no longer supports HTTPS requests. In addition, ApsaraVideo Live deletes the SSL certificate and private key. After you enable HTTPS, you must upload the certificate and private key again to enable the certificate. |
| View a certificate | You can view a certificate. However, you cannot view a private key because it is sensitive. Keep your certificate information safe. |
| Change or edit a certificate | You can change or edit a certificate. An updated certificate requires 5 minutes to take effect. Exercise caution when you perform this operation. |

Certificate management

  • ApsaraVideo Live supports certificates purchased by using Certificate Management Service and custom certificates.

  • After you enable HTTPS secure acceleration for a domain name, you must upload a certificate and a private key, both of which must be in the PEM format.

Note

ApsaraVideo Live uses the NGINX-based Tengine web server. Therefore, ApsaraVideo Live supports only PEM certificates that can be read by NGINX.

  • ApsaraVideo Live supports only SSL/TLS handshakes that include Server Name Indication (SNI) information.

  • The uploaded certificate must match the private key. Otherwise, the certificate and private key fail the verification.

  • An updated certificate requires 5 minutes to take effect.

  • The system does not support password-protected private keys.
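
The requirements in this list (PEM format, a certificate that matches the private key, no password on the key) and the requirement that the certificate matches the domain name can be checked locally before you upload. The following script is an added example, not part of the ApsaraVideo Live documentation; it assumes the openssl command-line tool is installed, and the function names, file names, and the domain live.example.com are illustrative.

```shell
#!/bin/sh
# Added example: pre-upload checks for a custom certificate and private key.
# Assumes the openssl CLI; function names and file names are illustrative.

# check_pair CERT KEY DOMAIN: returns 0 only if every check passes.
check_pair() {
    cert=$1 key=$2 domain=$3

    # 1. The certificate must be PEM-encoded X.509.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null &&
        openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "FAIL: certificate is not PEM X.509"; return 1; }

    # 2. The private key must not be password-protected. Encrypted PEM keys carry
    #    an "ENCRYPTED PRIVATE KEY" label or a "Proc-Type: 4,ENCRYPTED" header.
    if grep -q 'ENCRYPTED' "$key" 2>/dev/null; then
        echo "FAIL: private key is password-protected"; return 1
    fi

    # 3. The key must be a readable PEM private key.
    grep -q 'PRIVATE KEY-----' "$key" 2>/dev/null &&
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: private key is not a readable PEM key"; return 1; }

    # 4. Certificate and key must match: the public key embedded in the
    #    certificate must equal the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: certificate does not match private key"; return 1; }

    # 5. The certificate must cover the domain name it is uploaded for.
    openssl x509 -in "$cert" -noout -checkhost "$domain" 2>&1 |
        grep -q 'does match certificate' ||
        { echo "FAIL: certificate does not cover $domain"; return 1; }

    echo "OK: $cert and $key pass the pre-upload checks for $domain"
}

# make_demo_pair DIR DOMAIN: writes a throwaway self-signed pair
# (constructed sample input, for trying the checks only).
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Usage: sh check_pair.sh cert.pem key.pem live.example.com
if [ "$#" -eq 3 ]; then check_pair "$@"; fi
```

The checks stop at the first failure, so the message identifies which requirement the files do not meet.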

Procedure

Step 1: Purchase a certificate

To enable HTTPS secure acceleration, you must upload a certificate that matches the domain name. To purchase a certificate, click Buy Now on the Certificate Management Service buy page. If you want to use a custom certificate, skip this step.

Step 2: Configure the domain name

  1. Enable HTTPS secure acceleration.

    1. Log on to the ApsaraVideo Live console.

    2. In the left-side navigation pane, click Domain Names. The Domain Management page appears.

    3. Find the streaming domain that you want to configure and click Domain Settings in the Actions column.

    4. In the left-side navigation tree, choose Streaming Management > HTTPS Settings. On the page that appears, turn on HTTPS Certificate.

  2. Upload a certificate.

    • Alibaba Cloud Certificate Management Service: In the dialog box that appears, select Alibaba Cloud Security for Certificate Authority and then select a certificate that is purchased from Certificate Management Service.

    • Custom certificate: In the dialog box that appears, select Others for Certificate Authority. Then, specify the certificate name, certificate content, and private key. The certificate is stored in the Certificate Management Service console. You can view the certificate on the SSL Certificates page.

      Note

      Only certificates in the PEM format are supported.

  3. Configure the redirect type.

    Click Change Settings in the Force Redirect section.

    You can force clients to use HTTP or HTTPS by forcibly redirecting the original requests. For example, if you set the redirect type to HTTP > HTTPS and a client initiates an HTTP request, the server returns a 302 response to redirect the request to the HTTPS version of the web page.

    Default: HTTP and HTTPS requests are supported.

    HTTP > HTTPS: forces clients to use HTTPS.

    HTTPS > HTTP: forces clients to use HTTP.

Step 3: Verify that the certificate takes effect

After a certificate is uploaded, it takes effect within 1 minute. To verify that the certificate takes effect, send HTTPS requests to access resources. If the URL is displayed with a lock icon in the address bar of the browser, HTTPS secure acceleration is working as expected.