Home PageAPI GatewayAPI GatewaySecurity and ComplianceClarification on CNAME-based access and non-standard ports
Search for Help Content

Clarification on CNAME-based access and non-standard ports

Updated at: 2024-10-09 10:11
Product
Community

This topic clarifies the security and regulatory compliance of CNAME-based access to API Gateway and of use of non-standard ports.

Security clarification on CNAME-based access

If your origin server is deployed in the Chinese mainland, you must use an API Gateway instance that is purchased in a Chinese mainland region and complete an ICP filing for your domain name beforehand.

Note

  • If your website or application is hosted on a node in Alibaba Cloud in the Chinese mainland and no ICP filing has been completed for the website or application, you must complete an ICP filing by using the Alibaba Cloud ICP filing system before you provide your website or application service.

  • If an ICP filing has been completed with another service provider for your application or website and you want to change the service provider to Alibaba Cloud or add Alibaba Cloud as a service provider, you must complete the operation on Alibaba Cloud.

Security clarification on opening non-standard ports

If you use CNAME to access an API Gateway domain name, some scanners may mistakenly detect that listening is enabled on a non-80 or non-443 port. As a result, the system may consider that a high-risk port is opened. Alibaba Cloud API Gateway opens only ports 80 and 443 and forwards data only after three TCP handshakes. For unconfigured ports, API Gateway sends an RST packet immediately after three TCP handshakes to close the connection. In this process, no data is forwarded. Therefore, the detected high-risk port is not opened.

Note

High-risk ports are not opened in API Gateway, and the three TCP handshakes will not succeed. The following ports are considered high-risk: ports 9, 20, 21, 22, 23, 25, 42, 53, 67, 68, 69, 135, 137, 138, 139, 143, 161, 389, 445, 593, 1434, 1521, 3127, 3306, 3389, 4444, 5554, 5800, 5900, 6379, 9996, 11211, 27017, 27018, 50030, 50070, 61613, 61616, and 61617.

Previous: Use an ACL to control accessNext: Use Cases
  • On this page (1, T)
  • Security clarification on CNAME-based access
  • Security clarification on opening non-standard ports
Feedback
phone Contact Us

Chat now with Alibaba Cloud Customer Service to assist you in finding the right products and services to meet your needs.

alicare alicarealicarealicare