
Certificate Management Service: Configure an HTTPS acceleration gateway

Last Updated: May 28, 2026

After you purchase an HTTPS acceleration gateway instance, you must add a domain name and complete the configuration. The system assigns a CNAME record. Configure this record at your DNS provider to point your domain name to the gateway. This enables encrypted transmission between clients and the HTTPS acceleration gateway and accelerates access to static website resources.

Prerequisites

  • You have purchased the HTTPS acceleration gateway service. For more information, see Purchase an HTTPS acceleration gateway.

  • You have a stable origin server.

  • You have a domain name for HTTPS acceleration. A subdomain is typically used.

Step 1: Add an HTTPS acceleration domain

  1. Log in to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Certificate and Domain Application Services > HTTPS Acceleration Gateway.

  3. On the Domain Name Management tab, find the target instance, and in the Actions column, click Domain Names.

  4. On the Domain Names page, click Add Domain Name. In the panel that appears, configure the parameters based on the following table and click OK.

    Parameter

    Description

    Domains

    Enter the domain name for the HTTPS acceleration gateway based on the edition you purchased. The domain name must meet the following requirements:

    • Format requirements:

      • The domain name must be 1 to 67 characters in length.

      • Allowed characters: lowercase letters (a-z), digits (0-9), and hyphens (-). For example, example.com.

        Hyphens (-) cannot appear consecutively, cannot be used alone, and cannot appear at the beginning or end of a domain name.

      • Disallowed characters: Chinese characters, uppercase letters (A-Z), and special characters other than hyphens (-).

      • If a domain name contains Chinese characters (for example: 阿里云.网址), use the Chinese Domain Name Conversion Tool to convert it into Punycode format (for example: xn--fiq****.xn--eq****).

    • Services, such as websites and apps, that resolve to servers in mainland China must complete an ICP filing before they can be made publicly accessible. Ensure that the domain you add has a completed ICP filing. We recommend that you complete the filing in the Alibaba Cloud ICP Filing System. Before you apply for an ICP filing, see Server check for ICP filing to complete the required preparations and checks.

    • The domain name to be added must not have other proxy services enabled, such as Alibaba Cloud CDN, DCDN, or WAF.

    • A wildcard domain name of up to the third level is supported, which means the domain name contains at most three dots (.). For example, *.example.aliyundoc.com.

    Important
    • A wildcard domain name enables HTTPS acceleration for all its subdomains at the same level. For example, if you add *.aliyundoc.com as an HTTPS accelerated domain name and complete the CNAME resolution for *.aliyundoc.com, all subdomains of this wildcard domain name (such as example.aliyundoc.com and demo.aliyundoc.com) can be secured with HTTPS encryption and benefit from website resource acceleration.

    • A wildcard domain name can only match subdomains at the same level. It does not support cross-level matching. For example, *.aliyundoc.com matches subdomains like demo.aliyundoc.com, learn.aliyundoc.com, and example.aliyundoc.com, but it does not match guide.demo.aliyundoc.com or developer.demo.aliyundoc.com.

    • If the wildcard domain is a second-level domain such as *.aliyundoc.com, the parent domain aliyundoc.com is included by default. However, if the wildcard domain is a third-level domain such as *.demo.aliyundoc.com, neither demo.aliyundoc.com nor aliyundoc.com is included.

    • To ensure both the apex domain (for example, example.com) and the www subdomain (for example, www.example.com) can be accessed securely over HTTPS, you must add both domain names separately.

    • To learn more about domain levels, see Domain hierarchy.

    Force HTTPS Access

    If you enable this feature, all HTTP requests from browsers are automatically redirected to HTTPS.

    Alert Contact

    Select a contact from the drop-down list. The contact must have email addresses and mobile numbers configured to receive notifications such as SSL certificate expiration alerts and remaining resource usage alerts. You can add up to 10 contacts.

    If you have not created a contact, click Create Contact in the drop-down list to create one. Certificate Management Service saves the new contact information for future use. For more information about how to create a contact, see Manage contacts.

    Origin Server

    The address of your origin server. The HTTPS acceleration gateway uses this address to retrieve resources from the origin. You can add up to 20 origin server addresses.

    • IP: You can configure one or more public IP addresses as the origin server, for example, 1.1.x.x. Private IP addresses are not supported.

    • Origin server address: You can configure one or more domain names as the origin server. For example, aliyundoc.com,example.com.

      Note

      The origin server domain name cannot be the same as the acceleration domain name. Otherwise, a resolution loop occurs and requests cannot be forwarded to the origin server.

    • Port: Select a port based on the protocol used by your origin server. Only the standard ports 80 and 443 are supported.

      • If the origin server uses HTTP, select port 80.

      • If the origin server uses HTTPS, select port 443.

  5. In the dialog box that appears, carefully read the prompt and click OK.


    Important

    If your website violates national regulations for online content or is under a DDoS attack, the HTTPS acceleration gateway will stop forwarding traffic and notify you. If this occurs, contact your account manager for assistance.

  6. In the Actions column of the instance list, click Verify.

  7. On the Verify Information wizard page, complete the domain ownership verification and click OK.

    Scenario

    Action

    The domain uses Alibaba Cloud DNS and is managed by the current Alibaba Cloud account.

    After you grant permissions to Alibaba Cloud services, the system automatically adds a DNS record for the domain in the Alibaba Cloud DNS console to verify its ownership. Verification takes about 5 minutes.

    The following figure shows a successful verification.

    [Figure: successful verification]

    After the verification is complete, proceed to Step 2: Configure a CNAME record to forward service requests.

    The domain uses a third-party DNS service, or the domain is managed by another Alibaba Cloud account.

    Manually add a CNAME or TXT record at your DNS provider to verify domain ownership. You can choose either record type.

    The following steps describe the DNS verification process using a TXT record as an example.

    1. On the Record Type tab of the Verify Information wizard page, copy the Host Record and Record Value.


    2. Add a DNS record for the domain at your DNS provider.

      The following steps show how to add a DNS record using Alibaba Cloud DNS as an example. If your domain's DNS service is not with Alibaba Cloud, go to your domain's DNS provider to add the record.

      1. Log on to the Alibaba Cloud DNS console using the Alibaba Cloud account that owns the domain.

      2. On the Authoritative DNS Resolution page, find the domain that is bound to the certificate, and then click the domain name.

      3. On the Settings page, click Add Record.

      4. In the Add Record panel, set the record type, hostname, and record value. Then, click OK.

    Verification takes about 10 to 15 minutes. The following figure shows a successful verification.

    [Figure: successful verification]

    After the verification is complete, proceed to Step 2: Configure a CNAME record to forward service requests.
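
The format and wildcard rules listed for the Domains parameter in step 4 can be checked before anything is entered in the console. The following Python is an added example, not Alibaba Cloud code and not part of the original page. The function names, the `suffix_labels` parameter (1 for `.com`, 2 for `.com.cn`) and the exemption of the `xn--` Punycode prefix from the consecutive-hyphen rule are assumptions of this example.

```python
import re

# One label: lowercase letters and digits; hyphens only singly and only inside.
LABEL = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def check_domain(name: str, suffix_labels: int = 1) -> list[str]:
    """Return rule violations for an acceleration domain (empty list = valid).

    suffix_labels is an assumption of this example: 1 for .com, 2 for .com.cn.
    """
    problems = []
    if not 1 <= len(name) <= 67:
        problems.append("length must be 1 to 67 characters")
    labels = name.split(".")
    wildcard = labels[0] == "*"
    for label in labels[1:] if wildcard else labels:
        # Assumption: the Punycode prefix "xn--" is exempt from the
        # consecutive-hyphen rule, since the page asks for Punycode input.
        body = label[4:] if label.startswith("xn--") else label
        if not LABEL.fullmatch(body):
            problems.append(f"invalid label {label!r}")
    # Level = labels left of the public suffix; "*" and "*.com" are rejected too.
    if wildcard and not 2 <= len(labels) - suffix_labels <= 3:
        problems.append("wildcard must be a second- or third-level name")
    return problems


def covers(entry: str, host: str, suffix_labels: int = 1) -> bool:
    """True if a configured entry secures host under the page's wildcard rules."""
    if not entry.startswith("*."):
        return entry == host  # an exact name covers only itself
    base = entry[2:]
    if host == base:  # parent domain is included for second-level wildcards only
        return len(entry.split(".")) - suffix_labels == 2
    prefix, _, rest = host.partition(".")
    return bool(prefix) and rest == base  # same level only, no cross-level match


def uncovered(entries: list[str], hosts: list[str]) -> list[str]:
    """Hosts that no entry covers, i.e. names left without gateway HTTPS."""
    return [h for h in hosts if not any(covers(e, h) for e in entries)]
```

Running `uncovered()` over the hostnames you actually serve shows which names still need their own entry, such as `www.example.com` when only `example.com` was added.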

Step 2: Configure a CNAME record to forward requests

After you add a domain name and verify its ownership, the HTTPS acceleration gateway assigns a CNAME record. Add this CNAME record at your DNS provider so that your domain name points to the gateway. This forwards requests to the HTTPS acceleration gateway and enables acceleration.

  1. On the Domain Names page, get the CNAME record.


  2. Add a CNAME record at your DNS provider.

    The steps to add a CNAME record vary by DNS provider. The following procedure uses Alibaba Cloud DNS as an example.

    1. Log on to the Alibaba Cloud DNS console using the Alibaba Cloud account that owns the domain name.

    2. On the Public Zone page, find your domain name. In the Actions column, click Settings.

      Note

      For domain names that are not registered with Alibaba Cloud, you must add them in the Alibaba Cloud DNS console before you can configure their DNS settings. For more information, see Add a domain name.

    3. Click Add Record, add a CNAME record as described in the following table, and then click OK.

      Parameter

      Description

      Record Type

      Select CNAME.

      Host Record

      • For a root domain, set the hostname to @. Examples:

        • Domain name: aliyundoc.com, Hostname: @.

        • Domain name: aliyundoc.com.cn, Hostname: @.

      • For a wildcard domain name, the hostname is typically *. Examples:

        • Domain name: *.aliyundoc.com, Hostname: *.

        • Domain name: *.aliyundoc.com.cn, Hostname: *.

        • Domain name: *.example.aliyundoc.com, Hostname: *.example.

        • Domain name: *.example.aliyundoc.com.cn, Hostname: *.example.

      • For a subdomain, the hostname is the subdomain prefix. Examples:

        • Domain name: example.aliyundoc.com, Hostname: example.

        • Domain name: example.aliyundoc.com.cn, Hostname: example.

        • Domain name: www.example.aliyundoc.com, Hostname: www.example.

        • Domain name: www.example.aliyundoc.com.cn, Hostname: www.example.

      For more information about domain levels, see Domain hierarchy.

      Query Source

      Keep the default value.

      Record Value

      Enter the CNAME record value for the domain name. Example: example.com.w.kunlunhuf.com.

      TTL

      Keep the default value. TTL (Time-to-Live) is the cache duration. A smaller value means changes take effect faster. The default value is 10 minutes.

    4. Click Confirmation to finish adding the record.

      A new CNAME record in Alibaba Cloud DNS takes effect immediately. Changes to a CNAME record take effect after the TTL period expires (the default TTL is 10 minutes). The CNAME status in the console may be delayed and is for reference only. If you can access your website by using the domain name, the CNAME record has taken effect.
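
Because the console's CNAME status may lag, the records can also be checked from an export of the zone. The following Python is an added example, not Alibaba Cloud code and not part of the original page: `host_record()` derives the Host Record values from the table above, and `audit_cnames()` compares exported records with the CNAME value the gateway assigned. The function names, the record tuple layout and all sample data except the page's `example.com.w.kunlunhuf.com` value are assumptions.

```python
def host_record(domain: str, zone: str) -> str:
    """Host Record to enter in the DNS console for domain, hosted in zone."""
    domain, zone = domain.rstrip(".").lower(), zone.rstrip(".").lower()
    if domain == zone:
        return "@"  # root domain
    if not domain.endswith("." + zone):
        raise ValueError(f"{domain} is not inside zone {zone}")
    return domain[: -len(zone) - 1]  # subdomain or wildcard prefix


def audit_cnames(assigned, zone, records):
    """Map each acceleration domain to 'ok', 'missing' or 'mismatch'.

    assigned: {acceleration domain: CNAME value shown on the Domain Names page}
    records:  [(host record, record type, record value), ...] exported from DNS
    """
    cnames = {host: value.rstrip(".").lower()
              for host, rtype, value in records if rtype == "CNAME"}
    report = {}
    for domain, target in assigned.items():
        found = cnames.get(host_record(domain, zone))
        if found is None:
            report[domain] = "missing"  # traffic does not reach the gateway
        elif found != target.rstrip(".").lower():
            report[domain] = "mismatch"  # e.g. still pointing at another proxy
        else:
            report[domain] = "ok"
    return report


# Constructed sample data; only example.com.w.kunlunhuf.com is from the page.
ZONE = "aliyundoc.com"
ASSIGNED = {
    "example.aliyundoc.com": "example.com.w.kunlunhuf.com",
    "*.demo.aliyundoc.com": "example.com.w.kunlunhuf.com",
    "aliyundoc.com": "example.com.w.kunlunhuf.com",
}
RECORDS = [
    ("example", "CNAME", "example.com.w.kunlunhuf.com."),
    ("*.demo", "CNAME", "old-proxy.example.net."),
    ("@", "A", "192.0.2.10"),
]
```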

Related operations

Modify HTTPS acceleration domain information

If you entered incorrect information for the origin server or alert contact when adding a domain, modify the information as follows:

  1. On the Domain Name Management tab, find the instance to modify. In the Actions column, click Domain Names.

  2. On the Domain Names page, find the target domain. In the Actions column, click Modify.

Important

If the domain name or domain verification method is incorrect, reset the HTTPS acceleration gateway instance before you make changes. Resetting the instance deletes the origin server configuration and stops the forwarding service for the domain. Make sure this operation does not affect your services.

Reset an HTTPS acceleration gateway instance

Important
  • You cannot reset the instance if more than 28 calendar days have passed since the domain was added.

  • Resetting the instance deletes the origin server configuration and stops the forwarding service for the domain. Make sure this operation does not affect your services.

If the domain name or domain verification method is incorrect, you can reset the instance within 28 calendar days of adding the domain, provided that no Gateway Resource Computation Quota (GRCQ) has been consumed. GRCQ includes website requests and outbound traffic. To reset the instance, go to the Domain Name Management tab, find the target instance, and in the Actions column, select Reset. You can then add a new domain.

FAQ

Should the origin server port be set to 80 or 443?

  • Port 80: The system uses HTTP to connect to the origin server. Ensure the origin server listens on port 80 and the firewall allows traffic on this port.

  • Port 443: The system uses HTTPS to connect to the origin server. Ensure the origin server has an SSL certificate correctly installed, listens on port 443, and the firewall allows traffic on this port.
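
The Origin Server constraints from Step 1 (public IP addresses only, no origin name equal to the acceleration domain, at most 20 addresses) and the port rule above can be checked together before the setting is saved. The following Python is an added example, not Alibaba Cloud code and not part of the original page; the function name and its parameters are assumptions.

```python
import ipaddress

PORT_FOR = {"http": 80, "https": 443}  # only the standard ports are supported
MAX_ORIGINS = 20                       # limit stated for the Origin Server field


def check_origins(accel_domain, origins, protocol, port):
    """Return problems with an Origin Server setting (empty list = acceptable)."""
    problems = []
    expected = PORT_FOR.get(protocol)
    if expected is None:
        problems.append(f"unsupported origin protocol {protocol!r}")
    elif port != expected:
        problems.append(f"{protocol} origin needs port {expected}, not {port}")
    if len(origins) > MAX_ORIGINS:
        problems.append(f"{len(origins)} origins: at most {MAX_ORIGINS} allowed")
    accel = accel_domain.rstrip(".").lower()
    for origin in origins:
        try:
            ip = ipaddress.ip_address(origin)
        except ValueError:
            # Not an IP literal, so treat it as an origin domain name.
            if origin.rstrip(".").lower() == accel:
                problems.append(f"{origin}: same as acceleration domain (loop)")
            continue
        if not ip.is_global:
            # Private, loopback, link-local and reserved ranges all fail here.
            problems.append(f"{origin}: not a public IP address")
    return problems
```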

Why does the connection status in the domain name list show "Overdue"?

Your Gateway Resource Computation Quota (GRCQ) has run out. Go to the console to purchase more GRCQ.

Note

For more information about GRCQ billing, see Billing items and billing methods.