ApsaraVideo Live: HTTP/S settings

Last Updated: May 13, 2025

HTTPS ensures secure data transmission through encryption and integrity verification. HTTP/2 improves transmission efficiency and speed through multiple technical enhancements. Combining these features provides viewers with a faster, smoother, and more secure experience.

Configure HTTPS

Introduction

HTTPS is an extension of HTTP for secure communication over networks. In HTTPS, the communication is encrypted using the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocol. After you configure an SSL certificate for a domain name, HTTP and HTTPS access are supported. If the certificate does not match the domain name or is disabled, only HTTP access is supported. 

Benefits

  • HTTPS encrypts sensitive information such as session IDs and cookies during transmission. This prevents security threats caused by sensitive information leakage.

  • HTTPS checks data integrity during transmission to protect the data against man-in-the-middle (MITM) attacks, such as DNS hijacking and tampering.

Before you begin

Notes on configuration

  • After you disable HTTPS for a domain name, only HTTP access is supported. The certificate and private key are no longer available. To re-enable HTTPS, upload a certificate and a private key again.

  • You can view basic information about a certificate. However, the private key is not displayed due to its sensitive nature.

  • You can change or edit a certificate. It takes about 5 minutes for an updated certificate to take effect.

  • The uploaded certificate must match the private key. Otherwise, the verification will fail.

Notes on certificates

  • ApsaraVideo Live supports certificates purchased through Certificate Management Service and custom certificates.

  • ApsaraVideo Live uses the NGINX-based Tengine web server, so it only supports PEM certificates that can be read by NGINX. Your certificate content and private key must be in PEM format.

  • ApsaraVideo Live only supports SSL/TLS handshakes that include Server Name Indication (SNI) information.

  • The system does not support private keys for which passwords are configured.

Procedure

Step 1: Purchase a certificate

To enable HTTPS, you need a certificate that matches your accelerated domain name. If you do not have one, go to the Certificate Management Service page and click Purchase SSL Certificates. If you already have one, skip this step.

Step 2: Enable HTTPS for a domain name

  1. Enable HTTPS.

    1. Log on to the ApsaraVideo Live console.

    2. In the left-side navigation pane, click Domain Names. The Domain Management page appears.

    3. Select the ingest domain for which you want to configure HTTPS, and click Domain Settings in the Actions column.

    4. Select Streaming Management > HTTPS Settings and turn on the HTTPS Certificate switch.

  2. Upload a certificate.

    • Certificate issued by Alibaba Cloud:

      In the HTTPS Settings dialog box, select Certificate Management Service as the certificate type. Then, select a certificate in Certificate Name. The content and private key are automatically filled.

    • Custom certificates:

      In the HTTPS Settings dialog box, select Custom as the certificate type. Then, enter a certificate name and upload the content and private key in PEM format. This certificate will be stored in the Certificate Management Service console.

Step 3: Verify certificate effectiveness

After you complete the settings, it takes about one minute for the certificate to take effect. Then, access resources using HTTPS. If a lock icon appears in the address bar of the browser, the certificate has taken effect.

Configure HTTP/2

Introduction

HTTP/2 is a new version of HTTP. It supports more features, including multiplexing, header compression, prioritization, and server push. HTTP/2 provides optimized performance and is compatible with HTTP/1.1 semantics. HTTP/2 is supported by major browsers, such as Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox.

Benefits

  • Binary encoding: Unlike the newline-delimited plaintext HTTP/1.x protocol, all HTTP/2 communication is split into smaller messages and frames, each of which is encoded in binary format. This makes HTTP/2 more extensible.

  • Multiplexing: HTTP/1.x faces head-of-line blocking due to browser request limits for a single domain: if one resource cannot be loaded, it blocks all the other resources behind it. In contrast, HTTP/2 can use a single TCP connection to send multiple streams of data at once so that no resource blocks any other resource. HTTP/2 does this by splitting data into binary-encoded messages and numbering these messages, so the client knows which stream each binary message belongs to.

  • Header compression: Each HTTP message carries a set of headers. To reduce the overhead of repetitive headers, HTTP/2 uses HPACK compression to compress header metadata. Both the client and server maintain an indexed list of header fields. This list is used as a reference to encode previously transmitted values.

  • Server push: A server can send multiple responses to a single request and can send content to a client before the client asks for it.

Before you begin

  • To enable HTTP/2, you must first configure HTTPS and wait for the SSL certificate to take effect.

  • If you disable HTTPS after you enable HTTP/2, HTTP/2 is automatically disabled. 

Procedure

  1. Log on to the ApsaraVideo Live console.
  2. In the left-side navigation pane, click Domain Names. The Domain Management page appears.

  3. Find the streaming domain that you want to configure and click Domain Settings in the Actions column.

  4. In the left-side navigation tree, choose Streaming Management > HTTPS Settings.

  5. In the HTTP/2 section, turn on or off HTTP/2.

Force redirect

Introduction

If you have enabled HTTPS for a domain name, you can forcibly redirect the client requests based on the specified redirect type to change the protocol.

For example, if you choose HTTP > HTTPS, when a user initiates an HTTP request, the server returns a 301 response to redirect the HTTP request to HTTPS.

Before you begin

To configure a force redirect, you must first configure HTTPS.

Procedure

  1. Log on to the ApsaraVideo Live console.
  2. In the left-side navigation pane, click Domain Names. The Domain Management page appears.

  3. Find the streaming domain that you want to configure and click Domain Settings in the Actions column.

  4. Choose Streaming Management > HTTPS Settings.

  5. In the Force Redirect section, click Modify.

  6. Select Redirect Type.

    | Redirect Type | Description |
    | --- | --- |
    | Default | Both HTTP and HTTPS requests are supported. |
    | HTTPS > HTTP | The requests from a client to points of presence (POPs) are forcibly redirected as HTTP requests. |
    | HTTP > HTTPS | The requests from a client to POPs are forcibly redirected as HTTPS requests to ensure security. |

  7. Click OK.

Certificate format

This section describes the certificate format supported by ApsaraVideo Live and how to convert formats.

Root CA certificates

A root certificate is a unique public key certificate issued by a root certificate authority (CA). It can be implemented on different servers, including Apache, Internet Information Services (IIS), NGINX, and Tomcat. ApsaraVideo Live uses NGINX servers to manage certificates. The certificate information is contained in a .crt file, and the private key information in a .key file.

Upload your certificate in the following format:

  • The certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  • All lines except the last one must be 64 characters in length. The last line can be up to 64 characters in length.

The following figure shows a sample certificate in the PEM format used in the Linux operating system:

[Figure: sample certificate in PEM format]

Intermediate CA certificates

A certificate issued by an intermediate CA includes a server certificate and an intermediate certificate. You must manually concatenate the content of the server and intermediate certificates before uploading them.

Concatenation rules:

  • Place the server certificate first, followed by the intermediate certificate.

  • Typically, issuing authorities provide instructions on concatenation. Refer to these guidelines before proceeding.

Certificate chain formats:

  • Empty lines are not allowed between certificates.

  • Each certificate must follow the specified format for uploading.

The following provides an example of a chain of certificates issued by an intermediate CA:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

RSA private keys

A Rivest-Shamir-Adleman (RSA) private key must comply with the following rules:

  • Run the openssl genrsa -out privateKey.pem 2048 command to generate the RSA private key. privateKey.pem is the private key file.

  • The private key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----. Upload the key together with these lines.

  • All lines except the last one must be 64 characters in length. The last line can be up to 64 characters in length.

Sample private key:

[Figure: sample RSA private key in PEM format]

If your private key does not match the above format and starts with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----, convert it using the following command:

openssl rsa -in old_server_key.pem -out new_server_key.pem

Then, upload the new_server_key.pem file and the certificate.
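
The format rules in this section (BEGIN/END markers, 64-character lines, no empty lines in a chain, no PKCS#8 or password-protected keys) can be checked before upload. The following is an added example, not Alibaba Cloud code; `lint_pem` and `sample_block` are hypothetical names, the sample data is constructed filler, and the check covers layout only, not whether the certificate matches the key.

```python
import base64

CERT, RSA_KEY = "CERTIFICATE", "RSA PRIVATE KEY"

def lint_pem(text, expected):
    """Return the format problems found in a certificate (chain) or key upload."""
    problems = []
    lines = [ln.rstrip("\r") for ln in text.strip("\n").split("\n")]
    if any(not ln.strip() for ln in lines):
        problems.append("empty line in upload")
    label, body = None, None              # body is a list while inside a block
    for ln in filter(str.strip, lines):
        if ln.startswith("-----BEGIN ") and ln.endswith("-----"):
            if body is not None:          # previous block was never closed
                problems.append("missing END line")
            label, body = ln[11:-5], []
            if label == "PRIVATE KEY":
                problems.append("PKCS#8 key: convert with openssl rsa")
            elif label == "ENCRYPTED PRIVATE KEY":
                problems.append("password-protected key")
            elif label != expected:
                problems.append(f"unexpected block: {label}")
        elif ln.startswith("-----END ") and ln.endswith("-----"):
            if body is None or ln[9:-5] != label:
                problems.append("END line without matching BEGIN")
            elif (not body or len(body[-1]) > 64
                  or any(len(row) != 64 for row in body[:-1])):
                problems.append("body lines must be 64 characters (last: up to 64)")
            label, body = None, None
        elif body is None:                # e.g. subject=/issuer= lines
            problems.append("text outside BEGIN/END markers")
        elif ln.startswith(("Proc-Type:", "DEK-Info:")):
            if "ENCRYPTED" in ln:         # traditional encrypted-key header
                problems.append("password-protected key")
        else:
            body.append(ln)
    if body is not None:
        problems.append("missing END line")
    return list(dict.fromkeys(problems))  # de-duplicate, keep first-seen order

def sample_block(label, width=64):
    """Constructed filler block: valid PEM layout, not a real certificate or key."""
    b64 = base64.b64encode(bytes(range(100))).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"])

if __name__ == "__main__":
    print(lint_pem(sample_block(CERT) + "\n" + sample_block(CERT), CERT))
    print(lint_pem(sample_block(CERT) + "\n\n" + sample_block(CERT), CERT))
    print(lint_pem(sample_block("PRIVATE KEY"), RSA_KEY))
```

On OpenSSL 3.0 or later, `openssl genrsa` and `openssl rsa` write PKCS#8 (`-----BEGIN PRIVATE KEY-----`) by default; add the `-traditional` option to get the `-----BEGIN RSA PRIVATE KEY-----` header this section requires.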

Certificate format conversion

ApsaraVideo Live only supports SSL certificates in the PEM format. If your certificates are not in PEM format, convert them using OpenSSL.

  • From DER to PEM format

    The DER format is typically used for Java. 

    • Run the following command to convert the certificate: 

      openssl x509 -inform der -in certificate.cer -out certificate.pem
    • Run the following command to convert the private key: 

      openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem
  • From P7B to PEM format

    The P7B format is typically used for Windows Server and Tomcat. 

    • Run the following command to convert the certificate: 

      openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer

      Open the outcertificate.cer file. Then, copy and paste the part that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- as the certificate content.

    • P7B certificates do not include private key files. You do not need to specify the private key information in the ApsaraVideo Live console.

  • From PFX to PEM format

    The PFX format is typically used for Windows Server. 

    • Run the following command to convert the certificate: 

      openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
    • Run the following command to convert the private key: 

      openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes