What is HTTPS acceleration gateway?
HTTPS acceleration gateway is a lightweight reverse proxy service that automates SSL/TLS certificate lifecycle management and caches static content at edge nodes. It uses TLS termination to handle certificate application, deployment, and renewal automatically. Point your domain's CNAME record to the gateway — without modifying your origin server — to enable accelerated HTTPS access.
Benefits
HTTPS acceleration gateway provides the following key benefits:
-
Automated certificate lifecycle management
-
Automated management: Automatically handles certificate application, deployment, and renewal to ensure your certificate is always valid.
-
No infrastructure constraints: Works with traditional data centers, on-premises server rooms, and other non-standard cloud environments without manual certificate deployment.
-
-
Global content acceleration
-
Proximity-based access: Caches static resources from your origin server on Alibaba Cloud's globally distributed edge nodes nearest to your users.
-
Improved performance: Serves requests from edge cache first, reducing back-to-origin traffic and origin server load while improving access speed.
-
-
One-click, non-intrusive integration
-
Non-intrusive configuration: Requires no changes to your origin server configuration files (such as Nginx or Tomcat). You only need to update your DNS records to get started.
-
Simplified operations: Greatly lowers the barrier to implementing HTTPS, ideal for teams without dedicated security operations staff.
-
-
Security and compliance
-
Meet compliance requirements: Fulfills the encryption-in-transit requirements of standards such as the Multi-Level Protection Scheme (MLPS) and the Payment Card Industry Data Security Standard (PCI DSS).
-
Improve SEO ranking: HTTPS sites are favored by major search engines, which helps improve your search rankings.
-
Use cases
-
Financial and payment systems: Suitable for online banking and payment platforms. Encryption prevents data from being intercepted or tampered with during transmission, safeguarding financial assets and privacy.
-
Government and enterprise systems: Ideal for Office Automation (OA) systems and government portals. Server identity verification prevents DNS hijacking and phishing attacks.
-
E-commerce and retail platforms: Protects user transaction details such as credit card numbers and passwords, which builds user trust and reduces cart abandonment.
-
SEO optimization: Suitable for content-driven websites and news portals that need to improve their search engine indexing and rankings.
-
Mobile apps and mini programs: Meets the mandatory HTTPS requirements of platforms like iOS, Android, and various mini program ecosystems.
How it works
The gateway acts as an intermediary between clients and your origin server:
-
Client request: A user accesses your domain name over HTTPS.
-
DNS resolution: The CNAME record of the domain name routes the request to an edge node of the HTTPS acceleration gateway.
-
TLS termination: The edge node completes the TLS handshake with the client to establish an encrypted connection. All certificate-related operations, such as decrypting requests and encrypting responses, are handled at the gateway layer.
-
Cache check:
-
Static content with a valid cache: The edge node encrypts and returns the content directly to the client. No back-to-origin request is needed.
-
Dynamic content or cache miss: The gateway sends a back-to-origin request to the origin server over HTTP or HTTPS.
-
-
Response delivery: The origin server response is encrypted by the gateway and delivered to the client over the established HTTPS connection.
Limitations and certificate specifications
Integration and security limitations
-
Port restriction: Back-to-origin requests to the origin server support only ports 80 and 443.
-
Proxy service restriction: The service does not support domain names that already use other traffic forwarding services such as CDN or Web Application Firewall (WAF).
-
Violation and attack handling: The service will be automatically suspended if your website content violates applicable regulations or is under a DDoS attack.
Functional limitations
-
File upload: The maximum size for a single file is 300 MB.
-
Cache size limit: The maximum size of a single cached file is 500 GB.
-
Request header limit:
-
The maximum length of a custom HTTP request header is 300 bytes.
-
HTTP/2: A single URL or request header cannot exceed 32 KB, and the total size cannot exceed 128 KB.
-
HTTP/1.1: A single URL or request header cannot exceed 64 KB, and the total size cannot exceed 256 KB.
-
-
Back-to-origin timeout: The TCP connection timeout is 10 seconds, and the HTTP response timeout is 30 seconds.
-
Supported methods: By default, the service supports
GET,POST,PUT,HEAD, andOPTIONS.
Certificate specifications
The gateway uses the following SSL certificate brands:
-
Entry-level - Single domain: DigiCert certificate.
-
Basic - Single Domain: DigiCert certificate.
-
Basic - Wildcard Domain: Rapid certificate.
Billing
HTTPS acceleration gateway charges are based on the number of gateway instances, Gateway Resource Calculation Quantity (GRCQ), and the subscription duration. For more information, see billing details for HTTPS acceleration gateway.
Quick start
-
Purchase a gateway: See Gateway purchasing guide.
-
Configure the gateway: Add a domain name for acceleration and configure DNS resolution. See Configure an HTTPS acceleration gateway instance.
FAQ
Do I need to purchase a certificate after buying the gateway?
No. After you purchase an HTTPS acceleration gateway, the service automatically binds a certificate to the domain name you add to the gateway.
Does my origin server need an HTTPS certificate?
No. The gateway uses TLS termination at the edge node. Traffic between the client and the gateway is encrypted over HTTPS, while the back-to-origin request from the gateway to the origin server can use plain HTTP. Your origin server only needs to serve HTTP traffic without handling SSL. For enhanced security, the gateway also supports back-to-origin requests over HTTPS.
Does the gateway domain require an ICP filing?
Yes. HTTPS acceleration gateway supports network acceleration by default, and domain names must have a completed ICP filing to use the service.