A General Solution for Publishing Web-Based Services Hosted Overseas in China

This document presents a solution for foreign companies to publish web services in China by proxying traffic to existing services outside of China through CEN.

By Alibaba Cloud Intelligence USA Team

Zhong Wang, Solutions Architect
Rui Chen, Staff Solutions Architect
Kexue Wei, Staff Solutions Architect

This document presents a general solution for foreign companies to publish web-based service in China by proxying traffic to their existing services outside of China through Alibaba Cloud Enterprise Network (CEN), achieving better performance and user experience, reducing complexity and cost, as well as meeting regulatory requirements. Other Alibaba Cloud services used in the solution include VPC, ECS, SLB, DNS and DCDN. The solution has been adopted by several enterprise customers in the US.

Background

Providing reliable online service inside China is crucial to foreign companies entering the China market. Addressing packet loss and latency over unreliable public Internet is a big challenge.

Fulfilling local regulatory requirements is another key requirement. Government regulation in China mandates publishing web-based service with a top-level domain name that either has ICP filing (for non-commercial web services) or ICP license (for commercial web services) approved by Ministry of Industry and Information Technology (MIIT). Obtaining ICP approval for an existing top-level domain name registered outside of China can be very difficult. It's often easier to register a new domain name instead and get ICP approval. But using a different domain name to publishing service would require modification to the existing service to ensure all URLs are consistent with the new domain name, which can be challenging as well.

The general solution presented in this document helps customers to:

Leverage existing service outside of China, either hosted on-premises or in public cloud
Solve network quality issues with Alibaba Cloud CEN and proxy servers
Realize domain name consistency with on-the-fly domain name conversion
Achieve great performance by leveraging Alibaba Cloud CDN and DCDN

ICP and related process are out of the scope of this document. Further information can be found at https://www.alibabacloud.com/help/product/35468.htm

Solution

The solution is illustrated in the following diagram:

The example presented here is a customer who already has service with domain name "example.com" deployed in US East, and has obtained a new domain name "example.cn" with ICP filing/license in place.

The main components of the solution are:

Alibaba Cloud DNS service hosting the new domain name "example.cn"
Two Alibaba Cloud VPCs, one in Shanghai, one in US East. Both VPCs are attached to a Cloud Enterprise Network (CEN), establishing reliable, low latency, private connection between Shanghai and US East. Instructions for CEN configuration can be found at https://www.alibabacloud.com/help/doc-detail/65885.htm
Deploy ECS instance in Shanghai VPC, running HAProxy (www.haproxy.org) in TCP mode, serving user requests for example.cn at a public IP (or Elastic IP). All user requests are then proxied to the ECS instance running Nginx in US East VPC via CEN.
Deploy ECS instance in US East VPC, running Nginx. It is important to choose a region that is geographically close to where the existing service is hosted (US East in this example) to minimize latency over public Internet. Configure Nginx proxy_pass and sub_filter to convert the domain part of the requests on the fly, ie. from "example.cn" to "example.com", so that all HTTPS requests to example.cn from users in China are converted to example.com and proxied to the origin web server in US East via public Internet. The URLs in the returned HTML are converted back to example.cn and forwarded to users in China via HAProxy. The Nginx server needs to have ngx_http_proxy_module and ngx_http_sub_module loaded to perform the conversion.

Example haproxy.conf

listen HTTPS
bind 0.0.0.0:443
mode tcp
server us-nginx <nginx private IP>

This configuration tells HAProxy to listen on port 443 (for HTTPS) in TCP mode, ie. SSL connections to example.cn will not be terminated by HAProxy. Traffic will be proxied to the private IP address of the Nginx server in US East VPC via CEN.

Example nginx.conf ("Server" Section Only)

server {
        listen 443;
        server_name example.cn;
        ssl on;
        root html;
        index index.html;
        ssl_certificate   cert/example.cn.pem;
        ssl_certificate_key  cert/example.cn.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass https://example.com/;
            sub_filter_types *;
            sub_filter https://example.com https://example.cn;
            sub_filter_once off;
            proxy_set_header Accept-Encoding "";
        }
}

This configuration tells Nginx to serve HTTPS requests at port 443, using the SSL certificate for example.cn in file cert/example.cn.pem and its associated private key in file cert/example.cn.key. The proxy_pass line specifies the origin web server being proxied. The sub_filter line takes care of the conversion between "example.cn" and "example.com".

For more details on proxy and sub_filter directives, please refer to:
http://nginx.org/en/docs/http/ngx_http_proxy_module.html
http://nginx.org/en/docs/http/ngx_http_sub_module.html

Adding DCDN to the Picture

In order to achieve better performance and user experience, the Alibaba Cloud Dynamic Route for CDN (DCDN) service can be leveraged. The major benefit of DCDN are:

Static contents can be cached at CDN PoPs close to end users for faster access, which also helps to reduce the load on the HAProxy server, Nginx server and CEN bandwidth.
Dynamic requests are routed to HAProxy via Alibaba Cloud backbone network, yielding better performance than routing via public Internet.

For more information on Alibaba Cloud DCDN service, please refer to https://www.alibabacloud.com/product/dcdn

Unified Entry Point

By far users in China still need to specify "example.cn" to access the service. An HTTP 301 (permanent redirection) based on IP geolocation can be implemented for "example.com". Only requests from users in China will be redirected to "example.cn".

The easiest way to implement permanent redirection is at the origin service by using MaxMind GeoIP database in a web server. There are a number of online tutorials on how to use the legacy GeoIP database and the Nginx ngx_http_geoip_module. Unfortunately, the GeoIP databases is no longer available after January 2, 2019, and MaxMind has migrated to GeoIP2.

A more up-to-date tutorial on using GeoIP2 with Nginx is at https://dev.iachieved.it/iachievedit/geoip2-and-nginx/. The example in the tutorial is not specifically for HTTP redirection, so the Nginx configuration in the tutorial needs to be changed slightly to perform redirection like this:

geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    $geoip2_data_country_code country iso_code;
} 
map $geoip2_date_country_code $geo_sub_domain {
    default www.example.com;
    CN      example.cn;
}
server {
    server_name example.com
                www.example.com
                example.cn;
    if ($closest_server != $host) {
        rewrite ^ $scheme://$geo_sub_domain$request_uri break;
    }
    ... 
}

It's worth noting that there is a performance penalty with this approach: The first time a user in China visits "example.com", an HTTP session still needs to be established from China all the way to the overseas service to get the HTTP 301 response. But after that, the permanent redirection will be cached at the client side so that all future connections will be made to "example.cn" directly.

Nonetheless in certain circumstances the first session may fail or time out due to Internet quality issues. To remedy that, an additional light weight web server can be deployed in a region that is close to mainland China, e.g. Hong Kong, whose only function is to provide the permanent redirection for users from China. Resolving domain name "example.com" to the IP address of that server can be achieved by configuring GeoDNS feature where "example.com" is hosted. GeoDNS feature is widely available at major DNS service providers.

Further Considerations

The example given in this document is a minimal implementation. In order to achieve high availability and security, more services need to be leveraged, including but not limited to:

Server Load Balancer and Auto Scaling for multiple HAProxy and Nginx instances
Hardening Security Groups and server ACLs
Deploying Web Application Firewall to protect the web service

These topics are beyond the scope of this document. There are well-written Alibaba Cloud white papers for reference at https://resource.alibabacloud.com/whitepaper

Community

A General Solution for Publishing Web-Based Services Hosted Overseas in China

Background

Solution

Example haproxy.conf

Example nginx.conf ("Server" Section Only)

Adding DCDN to the Picture

Unified Entry Point

Further Considerations

Read previous post:

Read next post:

Alibaba Clouder

You may also like

Comments

Alibaba Clouder

Related Products

CEN

CDN(Alibaba Cloud CDN)

ECS(Elastic Compute Service)