Edge Security Acceleration: What is HTTPS secure acceleration?

Last Updated: Oct 21, 2024

HTTPS is HTTP carried over the TLS/SSL protocol, which encrypts data in transit. This prevents data from being monitored, intercepted, or tampered with by third parties. You can configure an SSL certificate in the DCDN console to encrypt requests between clients and DCDN to ensure data security.

Benefits

  • HTTPS secure acceleration protects communications from eavesdropping, tampering, impersonation attacks, and man-in-the-middle (MITM) attacks. The feature encrypts sensitive information, such as session IDs and cookies, during data transmission to minimize the risk of sensitive information leaks.

  • HTTPS is the new standard. If you use HTTP, your website may be exposed to security risks, and visitors see a warning that the website is not secure. This compromises user experience.

  • Mainstream search engines assign a higher weight to HTTPS-capable websites. After you enable HTTPS for a website, the website can achieve a higher ranking in search engine results.

SSL/TLS certificates

SSL is located between the TCP/IP protocol and various application layer protocols. With SSL, a client such as a browser can verify the authenticity and integrity of the server it is connecting with, and use encryption to exchange information.

The Internet Engineering Task Force (IETF) standardized SSL and renamed it Transport Layer Security (TLS). Therefore, the protocol is referred to as SSL/TLS.

SSL certificates use the SSL protocol for communications. SSL certificates are credentials that are issued by certificate authorities (CAs) to websites to authenticate the identities of websites and encrypt data for transmission.

Billing

HTTPS secure acceleration is a value-added feature. After you enable HTTPS, you are charged based on the number of HTTPS requests. For more information, see Billing of HTTPS and HTTP requests.

Note

HTTPS requests are separately billed, and the fees cannot be offset by data transfer plans of Dynamic Content Delivery Network (DCDN). Make sure that you have a sufficient balance in your Alibaba Cloud account. Otherwise, overdue payments may occur and cause service suspension.

End-to-end data transfer over HTTPS

The following figure shows how HTTPS encryption works when a client initiates a request to a server.

[Figure: HTTPS encryption for a request from a client to a server]

  1. Configure an SSL certificate for your domain name in the DCDN console to allow HTTPS connections between clients and points of presence (POPs).

    Note

    HTTPS secure acceleration is a value-added feature that is billed based on the number of HTTPS requests. For more information, see Billing of HTTPS and HTTP requests.

  2. Configure an SSL certificate on the origin server and configure origin fetch over HTTPS. For more information, see Configure the static origin protocol policy.

    Note

    If you want to implement end-to-end data transfer over HTTPS, make sure that the origin server supports HTTPS before you configure origin fetch over HTTPS. For more information, see Configure the static origin protocol policy.

Configure HTTPS secure acceleration between clients and POPs

Step 1: Prepare a certificate for the accelerated domain name

Only certificates in the PEM format are supported. You can convert certificates in other formats to the PEM format. For more information, see Convert certificate formats.

You can apply for an individual test certificate (free) or purchase a certificate in the Certificate Management Service console.

You can also apply for a certificate from a third-party CA. The issued certificate must meet the certificate format requirements. For more information, see Certificate formats.

Step 2: Enable HTTPS secure acceleration

  1. Required. After you prepare an SSL certificate, configure the certificate for the accelerated domain name before you enable HTTPS secure acceleration. For more information, see Configure an SSL certificate.

  2. Optional. Configure more features based on your business requirements.

    | Category | Feature | Description |
    |---|---|---|
    | Configure client access protocols | Configure force redirect | You can use 301 redirection to redirect client requests to POPs from HTTP to HTTPS, or from HTTPS to HTTP. |
    | Configure client access protocols | Configure HSTS | You can configure HSTS to force clients, such as browsers, to connect to POPs over HTTPS. This reduces the risk of cookie hijacking. |
    | Specify the protocol version | Configure HTTP/2 | HTTP/2, originally named HTTP/2.0, is the first new version of HTTP since HTTP/1.1. HTTP/2 supports binary framing, multiplexing, and header compression. This protocol improves web performance and reduces network latency. |
    | Specify the protocol version | Configure TLS versions and cipher suites | After you configure a TLS version, only clients that use the TLS version can send requests to and receive responses from POPs. This meets the security requirements of communication links. |
    | Accelerate the validation of the SSL certificate | Configure OCSP stapling | POPs cache certificate verification results and then send the results to clients without the need for the clients to verify certificates with the CAs. This reduces the verification time. |
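
One way to check the force redirect and HSTS settings from the table above after you enable them, as an added example that is not part of the DCDN documentation. It audits response headers you have captured from a client on ports 80 and 443; the host `www.example.com`, the sample responses, the function names and the 180-day `min_age` threshold are assumptions, and it expects the HTTP-to-HTTPS redirect direction.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def audit(host, http_resp, https_resp, min_age=15552000):  # 180 days, assumed
    """Findings for one host from (status, headers) pairs on ports 80 and 443."""
    findings = []
    status, raw = http_resp
    headers = {k.lower(): v for k, v in raw.items()}
    target = urlsplit(headers.get("location", ""))
    if status != 301:
        findings.append(f"port 80 answered {status}, expected 301")
    elif target.scheme != "https" or target.hostname != host:
        findings.append("301 Location is not https:// on the same host")
    if "strict-transport-security" in headers:
        findings.append("HSTS sent over HTTP, where browsers ignore it")
    headers = {k.lower(): v for k, v in https_resp[1].items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return findings + ["no HSTS header on the HTTPS response"]
    max_age = parse_hsts(hsts)["max_age"]
    if max_age is None:
        findings.append("HSTS header has no valid max-age")
    elif max_age == 0:
        findings.append("max-age=0 removes the stored HSTS policy")
    elif max_age < min_age:
        findings.append(f"HSTS max-age {max_age}s is below {min_age}s")
    return findings

# Constructed sample responses for the placeholder host www.example.com.
GOOD = ((301, {"Location": "https://www.example.com/"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
WEAK = ((302, {"Location": "http://www.example.com/login"}),
        (200, {"strict-transport-security": "max-age=0"}))
if __name__ == "__main__":
    for name, pair in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit("www.example.com", *pair))
```

Browsers apply an HSTS policy only when the header arrives over HTTPS, so the first visit over HTTP still depends on the 301 redirect; the audit checks both for that reason.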