This topic describes how HTTPS secure acceleration works, its benefits, use cases, and how to enable it. You can enable this feature to encrypt HTTPS requests between clients and the CDN points of presence (POPs) that ApsaraVideo VOD uses for acceleration. This ensures data security during transmission.
Background information
You can configure HTTPS secure acceleration in the Alibaba Cloud CDN console to encrypt HTTPS requests between clients and CDN points of presence.
When a CDN point of presence (POP) returns a resource from an origin server to a client, the connection follows the origin server's configuration. To implement end-to-end HTTPS encryption, you must also configure and enable HTTPS on your origin server.
How it works
The following figure shows the HTTPS encryption process.
The client initiates an HTTPS request.
The server generates a key pair that consists of a public key and a private key. You can create the key pair or obtain it from a professional organization.
The server sends its certificate, which contains the public key, to the client.
The client parses the certificate to verify its authenticity.
If the certificate is valid, the client generates a random number (key), encrypts it with the public key, and sends it to the server.
If the certificate is invalid, the SSL handshake fails.
Note: A valid certificate must meet the following requirements: it must not be expired, it must be issued by a trusted certificate authority (CA), its digital signature must be verifiable, and the domain name on the certificate must match the server's actual domain name.
The server uses its private key to decrypt the message and obtain the random number (key).
The server uses the key to encrypt the data to be transmitted.
The client uses the key to decrypt the encrypted data from the server to obtain the original data.
Benefits
HTTPS secure transmission provides the following benefits:
HTTPS secure transmission effectively prevents eavesdropping, tampering, impersonation, and hijacking, which are risks inherent to plaintext HTTP transmission.
It encrypts your critical information during data transmission to prevent attackers from capturing session IDs or cookie content, which can lead to sensitive information leakage.
It performs data integrity checks during transmission to prevent man-in-the-middle (MITM) attacks, such as DNS hijacking, content hijacking, and tampering by third parties.
Using HTTPS is now standard practice because major browsers mark HTTP connections as insecure. If you continue to use HTTP, your website will have security vulnerabilities. In addition, the "Not Secure" warning that appears when users visit your website can negatively affect traffic.
Major search engines rank HTTPS websites higher in search results. Major browsers also support HTTP/2, which requires HTTPS. From the perspectives of security, marketing, and user experience, adopting HTTPS is essential. Therefore, you should upgrade your access protocol to HTTPS.
Scenarios
The main use cases for HTTPS secure transmission are divided into five categories, as shown in the following table.
Application scenario | Description |
Enterprise applications | If a website contains confidential enterprise information, such as Customer Relationship Management (CRM) or Enterprise Resource Planning (ERP) data, interception or theft of this information during access can have a disastrous impact on the business. |
Government information | Information on government websites is authoritative and must be accurate. Prevent phishing, fraud, and information hijacking to avoid a loss of public trust due to information leaks. |
Payment systems | The payment process involves sensitive information such as names and phone numbers. Enable HTTPS encrypted transmission to prevent information hijacking and fraudulent impersonation. This helps avoid scams where customers, after placing an order, receive fraudulent messages containing their name, address, and order details, asking them to re-pay for reasons like a "stuck order". Such scams cause financial losses for both the customer and the business. |
API operations | Protect the transmission of sensitive information or critical operational instructions to prevent core information from being hijacked during transmission. |
Enterprise websites | Activate the green security lock icon for Domain Validated (DV) or Organization Validated (OV) certificates, or display the company name in the address bar for Extended Validation (EV) certificates. This provides potential customers with a more trustworthy and reassuring browsing experience. |
Procedure
Purchase a certificate from Certificate Service.
To enable HTTPS secure acceleration, you need a certificate that matches the accelerated domain name. In the Certificate Service Marketplace, you can apply for a free trial certificate or purchase a commercial certificate based on your needs.

Configure an HTTPS certificate.
Log on to the ApsaraVideo VOD console.
In the navigation pane on the left, choose Configuration Management.
Open the Domain Names page.
Find the domain name that you want to configure and click Configure in the Actions column.
Click the HTTPS Settings tab. In the HTTPS Certificate section, click Modify.

Modify the configuration.
Note: An expired or invalid HTTPS certificate may cause playback failures. Update your certificate promptly.
Parameter | Description |
Certificate Type | Alibaba Cloud Security: You can quickly apply for certificates of various brands and types in the Certificate Service console. For more information, see Certificate application. After you apply for a free personal test certificate from Certificate Service, set Certificate Type to Alibaba Cloud Certificate and select the certificate that you applied for. A free personal test certificate is typically issued within one to two business days. While you wait, you can upload a custom certificate or select a different Alibaba Cloud certificate. Note: Based on the review process of the CA, your certificate may be issued within a few hours or up to two business days. This is normal. Please wait patiently. A free personal test certificate is valid for three months. If you disable and then re-enable HTTPS secure acceleration, the existing unexpired certificate is used. If the certificate is expired when you re-enable the feature, you must apply for a new free personal test certificate. Custom: If no suitable certificate is available in the list, you can choose to upload a custom certificate. You must specify a certificate name and then upload the certificate content and private key. The certificate is saved in Alibaba Cloud's Certificate Service. You can view it in My Certificates. Note: When you upload a Custom certificate, if a message indicates that the certificate is a duplicate, change the certificate name and upload it again. |
Certificate Name | This parameter is required when Certificate Type is set to Alibaba Cloud Certificate or Custom. |
Content | This parameter is required when Certificate Type is set to Custom. For configuration instructions, see the PEM Encoding Example below the Content text box. |
Private Key | This parameter is required when Certificate Type is set to Custom. For configuration instructions, see the PEM Encoding Example below the Private Key text box. |
Click OK to save the configuration.
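A pre-upload check for a Custom certificate, covering the requirements from the validity note under How it works that can be tested locally (expiry, domain match) plus whether the private key belongs to the certificate. This is an added example, not Alibaba Cloud tooling: the function names, the 14-day default and vod.example.com are assumptions, and the sample certificate is constructed and self-signed, so CA trust is not checked.

```shell
#!/usr/bin/env bash
# check_custom_cert CERT KEY DOMAIN [MIN_DAYS]  (hypothetical helper)
# Returns 0 when the PEM pair is fit to upload, otherwise:
#   1 = PEM does not parse        2 = private key does not match certificate
#   3 = expires within MIN_DAYS   4 = DOMAIN is not covered by the certificate
check_custom_cert() {
  local cert="$1" key="$2" domain="$3" min_days="${4:-14}"
  local cert_pub key_pub

  # Extract the public key from each file; a parse failure means bad PEM.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1

  # The private key must correspond to the public key in the certificate.
  [ "$cert_pub" = "$key_pub" ] || { echo "key/certificate mismatch" >&2; return 2; }

  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null \
    || { echo "expires within $min_days days" >&2; return 3; }

  # -checkhost applies certificate name matching (SAN entries, wildcards).
  openssl x509 -in "$cert" -noout -checkhost "$domain" \
    | grep -q "does match certificate" \
    || { echo "certificate does not cover $domain" >&2; return 4; }
}

# Constructed sample: self-signed, 30-day certificate for DOMAIN in DIR.
# Self-signed only to exercise the checks; CA trust is not verified here.
make_sample_cert() {  # make_sample_cert DIR DOMAIN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1/key.pem" -out "$1/cert.pem" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" vod.example.com
check_custom_cert "$demo_dir/cert.pem" "$demo_dir/key.pem" vod.example.com \
  && echo "ok to upload"
rm -rf "$demo_dir"
```

Run it against the certificate and key files before pasting them into the Content and Private Key boxes; a non-zero return code identifies which check failed.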
What to do next
The updated HTTPS certificate takes about one minute to take effect across the network. To verify that the configuration is effective, access a resource using HTTPS. If a lock icon appears in the browser's address bar, it indicates that HTTPS secure acceleration is enabled and working correctly.