By Alibaba Cloud Intelligence USA Team
This document presents a general solution for foreign companies to publish web-based service in China by proxying traffic to their existing services outside of China through Alibaba Cloud Enterprise Network (CEN), achieving better performance and user experience, reducing complexity and cost, as well as meeting regulatory requirements. Other Alibaba Cloud services used in the solution include VPC, ECS, SLB, DNS and DCDN. The solution has been adopted by several enterprise customers in the US.
Providing reliable online service inside China is crucial to foreign companies entering the China market. Addressing packet loss and latency over unreliable public Internet is a big challenge.
Fulfilling local regulatory requirements is another key requirement. Government regulation in China mandates publishing web-based service with a top-level domain name that either has ICP filing (for non-commercial web services) or ICP license (for commercial web services) approved by Ministry of Industry and Information Technology (MIIT). Obtaining ICP approval for an existing top-level domain name registered outside of China can be very difficult. It's often easier to register a new domain name instead and get ICP approval. But using a different domain name to publishing service would require modification to the existing service to ensure all URLs are consistent with the new domain name, which can be challenging as well.
The general solution presented in this document helps customers to:
ICP and related process are out of the scope of this document. Further information can be found at https://www.alibabacloud.com/help/product/35468.htm
The solution is illustrated in the following diagram:
The example presented here is a customer who already has service with domain name "example.com" deployed in US East, and has obtained a new domain name "example.cn" with ICP filing/license in place.
The main components of the solution are:
listen HTTPS
bind 0.0.0.0:443
mode tcp
server us-nginx <nginx private IP>
This configuration tells HAProxy to listen on port 443 (for HTTPS) in TCP mode, ie. SSL connections to example.cn will not be terminated by HAProxy. Traffic will be proxied to the private IP address of the Nginx server in US East VPC via CEN.
server {
listen 443;
server_name example.cn;
ssl on;
root html;
index index.html;
ssl_certificate cert/example.cn.pem;
ssl_certificate_key cert/example.cn.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_pass https://example.com/;
sub_filter_types *;
sub_filter https://example.com https://example.cn;
sub_filter_once off;
proxy_set_header Accept-Encoding "";
}
}
This configuration tells Nginx to serve HTTPS requests at port 443, using the SSL certificate for example.cn in file cert/example.cn.pem and its associated private key in file cert/example.cn.key. The proxy_pass line specifies the origin web server being proxied. The sub_filter line takes care of the conversion between "example.cn" and "example.com".
For more details on proxy and sub_filter directives, please refer to:
http://nginx.org/en/docs/http/ngx_http_proxy_module.html
http://nginx.org/en/docs/http/ngx_http_sub_module.html
In order to achieve better performance and user experience, the Alibaba Cloud Dynamic Route for CDN (DCDN) service can be leveraged. The major benefit of DCDN are:
For more information on Alibaba Cloud DCDN service, please refer to https://www.alibabacloud.com/product/dcdn
By far users in China still need to specify "example.cn" to access the service. An HTTP 301 (permanent redirection) based on IP geolocation can be implemented for "example.com". Only requests from users in China will be redirected to "example.cn".
The easiest way to implement permanent redirection is at the origin service by using MaxMind GeoIP database in a web server. There are a number of online tutorials on how to use the legacy GeoIP database and the Nginx ngx_http_geoip_module. Unfortunately, the GeoIP databases is no longer available after January 2, 2019, and MaxMind has migrated to GeoIP2.
A more up-to-date tutorial on using GeoIP2 with Nginx is at https://dev.iachieved.it/iachievedit/geoip2-and-nginx/. The example in the tutorial is not specifically for HTTP redirection, so the Nginx configuration in the tutorial needs to be changed slightly to perform redirection like this:
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
$geoip2_data_country_code country iso_code;
}
map $geoip2_date_country_code $geo_sub_domain {
default www.example.com;
CN example.cn;
}
server {
server_name example.com
www.example.com
example.cn;
if ($closest_server != $host) {
rewrite ^ $scheme://$geo_sub_domain$request_uri break;
}
...
}
It's worth noting that there is a performance penalty with this approach: The first time a user in China visits "example.com", an HTTP session still needs to be established from China all the way to the overseas service to get the HTTP 301 response. But after that, the permanent redirection will be cached at the client side so that all future connections will be made to "example.cn" directly.
Nonetheless in certain circumstances the first session may fail or time out due to Internet quality issues. To remedy that, an additional light weight web server can be deployed in a region that is close to mainland China, e.g. Hong Kong, whose only function is to provide the permanent redirection for users from China. Resolving domain name "example.com" to the IP address of that server can be achieved by configuring GeoDNS feature where "example.com" is hosted. GeoDNS feature is widely available at major DNS service providers.
The example given in this document is a minimal implementation. In order to achieve high availability and security, more services need to be leveraged, including but not limited to:
These topics are beyond the scope of this document. There are well-written Alibaba Cloud white papers for reference at https://resource.alibabacloud.com/whitepaper
Reinventing Your Business with New Retail Roadshow and Booth Solutions
Deciphering Data to Uncover Hidden Insights – Data Stories (1)
2,599 posts | 764 followers
FollowAlibaba Clouder - May 29, 2020
Alibaba Clouder - June 24, 2020
ApsaraDB - April 14, 2020
Alibaba Clouder - January 31, 2019
Alibaba Clouder - March 2, 2021
JJ Lim - January 4, 2022
2,599 posts | 764 followers
FollowA global network for rapidly building a distributed business system and hybrid cloud to help users create a network with enterprise level-scalability and the communication capabilities of a cloud network
Learn MoreA scalable and high-performance content delivery service for accelerated distribution of content to users across the globe
Learn MoreElastic and secure virtual cloud servers to cater all your cloud hosting needs.
Learn MoreMore Posts by Alibaba Clouder