Function Compute: Bind a custom domain name to a function or an application

Last Updated: Nov 07, 2024

If you want to use a fixed domain name to access a Function Compute application or function in a production environment, or prevent forced downloads when accessing an HTTP trigger, you can bind a custom domain name to the application or function.

Scenarios

The following items list the typical scenarios in which you need to bind a custom domain name to a function or an application:

  • You have created a web application and migrated the web application to Function Compute, and want users to access the web application by using a fixed domain name.

  • You build a web application in the Function Compute console and want to use different paths of a domain name to trigger different functions.

  • You have created an application, such as a Stable Diffusion application, in the Serverless Application Center of Function Compute and want to access the application by using a fixed domain name.

Limits

  • You can bind a custom domain name only to a function that belongs to the same region as the custom domain name.

  • The configured custom domain name is case-sensitive. Use the actual domain name for which an Internet Content Provider (ICP) filing is obtained.

  • A domain name can be up to 256 characters in length. The subdomain name at each level must contain at least one character and can be up to 63 characters in length. A subdomain name can contain letters (case-sensitive), digits (0-9), and hyphens (-). However, a domain name cannot start with a hyphen (-). The last part of a domain name, or the top-level domain name, must be a string of alphabetic characters that is at least two characters in length.

  • You can configure wildcard domain names and standard domain names. You cannot configure domain names that contain Chinese characters.

How it works

image

Before you start

  • Create a function or application. For more information, see Function creation and Create an application.

    To bind a custom domain name to an application is to bind the custom domain name to the functions created by the application. You can find the function resources that are automatically created when the application is created in the Resource Information section of the Environment Details page of the application and click a function name to go to the function page.

  • Prepare a custom domain name whose ICP filing information includes Alibaba Cloud as a service provider.

    Apply for an ICP filing for the domain name based on the service provider and account to which the domain name belongs. The following items list the corresponding operations for different domain names.

    • Domain names registered by the current Alibaba Cloud account

      Apply for an ICP filing for a custom domain name in the Alibaba Cloud ICP Filing system. For more information, see ICP filing process.

    • Domain names registered by other Alibaba Cloud accounts

      We recommend that you use the Alibaba Cloud account that is used to register the domain name to obtain the ICP filing for the domain name. Apply for an ICP filing for a custom domain name in the Alibaba Cloud ICP Filing system. For more information, see ICP filing process.

    • Domain names registered by non-Alibaba Cloud accounts

      If your domain name is filed through another service provider, you must add Alibaba Cloud to the ICP filing information as a service provider. Log on to the Alibaba Cloud ICP Filing system to apply for an ICP filing for the custom domain name.

    Note
    • You do not need to apply for an ICP filing for custom domain names that are bound to functions in China (Hong Kong) or regions outside China.

    • You can query the registrar of a domain name at WHOIS.

    • You can check whether a domain name belongs to the current Alibaba Cloud account in the DNS console.

1. Add a custom domain name

  1. Log on to the Function Compute console. In the left-side navigation pane, choose Advanced Features > Custom Domains. On the page that appears, select a region and click Add Custom Domain Name.

  2. Enter the custom domain name that has obtained an ICP filing in the Alibaba Cloud ICP Filing system or whose ICP filing information includes Alibaba Cloud as a service provider. Single domain names, such as www.aliyun.com, and wildcard domain names, such as *.aliyun.com, are supported.

    In the Add Custom Domain Name panel, obtain the Internet CNAME or Internal CNAME record. The following table describes the format of a CNAME record.

    | CNAME type | Format | Example |
    |---|---|---|
    | Internet CNAME | <account_id>.<region_id>.fc.aliyuncs.com | If the ID of your Alibaba Cloud account is 1413397765****, and the region of the function or application is China (Hangzhou), the Internet CNAME is 1413397765****.cn-hangzhou.fc.aliyuncs.com. |
    | Internal CNAME | <account_id>.<region_id>-internal.fc.aliyuncs.com | For the same account and region, the internal CNAME is 1413397765****.cn-hangzhou-internal.fc.aliyuncs.com. |

2. Configure domain name resolution

Log on to the DNS console and resolve the filed domain name to the CNAME of Function Compute. For more information, see Quick Start.

image

As shown in the preceding figure, you must set Record Value to the CNAME of Function Compute obtained in the previous step. If you want to access the domain name over the Internet, you must set Record Value to the Internet CNAME of Function Compute.

3. Continue to add the custom domain name

Go back to the Add Custom Domain Name page in step 1, configure the following parameters, and then click Create.

3.1 (Optional) Routing Settings

If your application contains multiple functions, you can configure the mapping between the paths and the functions. Different request paths can trigger different functions. For more information, see Route matching rules.

If you want to rewrite the URI of a request that matches a specified path based on rules, see Configure a rewrite policy (public review).

3.2 (Optional) HTTPS Settings

To enable HTTPS access to a custom domain name, configure the following parameters.

The following items describe the parameters.

  • HTTPS: Specify whether to enable HTTPS. After you enable HTTPS, the custom domain name can be accessed by HTTP and HTTPS requests. If you disable HTTPS, the custom domain name can be accessed only by HTTP requests.

    Note
    • You can also select the Redirects HTTP Requests to HTTPS check box to allow only HTTPS requests to access the custom domain name. Function Compute redirects requests that are sent over HTTP to HTTPS.

  • Certificate Type: Select the type of the certificate that you want to upload. Valid values:

    • Alibaba Cloud SSL Certificate: Specify an Alibaba Cloud SSL certificate in Certificate Name. If no values are available in the Certificate Name drop-down list, you do not have an Alibaba Cloud SSL certificate. In this case, log on to the Certificate Management Service console to purchase an SSL certificate.

    • Manual Upload: Configure a certificate by specifying the Certificate Name, PEM Certificate Content, and PEM Certificate Key parameters.

    Note
    • The certificate that you want to upload cannot exceed 20 KB in size. The certificate key cannot exceed 4 KB in size.

  • TLS Version: Select the transport layer security (TLS) protocol version that the function uses from the drop-down list.

    Note
    • If you select one of the preceding TLS versions, you can select Enable Support for TLS1.3 to enable TLS 1.3.

  • Cipher Suite: Specify TLS cipher algorithm suites. If you leave this parameter empty, all cipher suites are selected. Valid values:

    • All Cipher Suites (High Compatibility and Low Security): All cipher suites. For the list of cipher suites supported by Function Compute, see Strong and weak cipher suites.

    • Custom Cipher Suite (Select Based on Protocol Version. Proceed with Caution): Select cipher suites based on your business requirements. All cipher suites are displayed in the drop-down list. You can click the delete icon to the right of a weak cipher suite to delete the cipher suite and retain the cipher suites that are supported by the versions of the TLS protocol that you selected.

3.3 (Optional) Authentication Settings

image

3.4 (Optional) WAF Settings

WAF identifies malicious traffic in functions and applications, scrubs and filters out malicious traffic, and returns normal traffic to backend functions to protect your functions against malicious intrusions. For more information, see Enable WAF protection.

3.6 (Optional) CDN Settings

After you bind a custom domain name to a web application, you can use the custom domain name as the origin domain name and add an accelerated domain name to it. Then, you can configure a CNAME for the accelerated domain name. This way, CDN acceleration is enabled for the custom domain name. The application that is deployed in Function Compute serves as an origin server, and the source content is published to edge nodes. This way, end users can read the required content with high efficiency. This efficiently reduces the latency and improves service quality.

  1. Set CDN Acceleration to Enable. Specify a custom CDN-Accelerated Domain Name and click Create.

    image

    Important
    • If you enable the CDN acceleration feature, you are charged for data transferred over the Internet. For more information, see Billing overview.

    • The custom domain name and the accelerated domain name cannot be the same. To prevent consuming excessive domain name resources, you can set CDN-Accelerated Domain Name to the second-level domain name (the subdomain name) of your custom domain name. For example, if you set the custom domain name to example.com, you can set CDN-Accelerated Domain Name to fast.example.com.

  2. Click the custom domain name that you configured. In the CDN Acceleration Settings section of the custom domain name details page, click CDN Settings in the Actions column to go to the Alibaba Cloud CDN console and obtain the CNAME that is assigned to the CDN-accelerated domain name by Alibaba Cloud CDN.

    The preceding figure shows an example. A CNAME follows the Accelerated domain name.w.kunlun**.com format, for example, fast.example.com.w.kunlunle.com.

  3. Log on to the DNS console, find your custom domain name, and then point the Domain Name System (DNS) record of the domain name to the assigned CNAME to implement acceleration. For more information, see Quick Start.

    image

    The preceding figure shows an example. Set Hostname to the first level of the accelerated domain name. In this example, the value is fast. Set Record Value to the accelerated domain name that you configure in the previous step.

4. Verify the custom domain name

4.1 Verify whether the custom domain name can be accessed

  • Method 1: Run the curl URL command, for example, curl example.com/login.

  • Method 2: Use a browser.

    Enter the request URL in the address bar of a browser and press the Enter key to check whether the specified function is invoked.

4.2 (Optional) Verify the accelerated domain name

Use the CDN-accelerated domain name that you configured in 3.6 (Optional) CDN Settings in the browser to access the application. Then, open a developer tool and check the return value of the X-Cache field in the response to determine whether the accelerated domain name takes effect.

Note

The return value of the X-Cache field indicates the actual effect of the CDN cache policy. "MISS" in the value indicates that the first access to the CDN point of presence (POP) misses and the resource needs to be requested from the origin server. If the missing resource is retrieved from the origin server, the resource is cached on the POP. The value of the X-Cache field in subsequent requests for the resource starts with HIT, which indicates that the requested resource is cached on and served from the POP.

First access misses

Subsequent accesses hit

Cipher suites

Strong and weak cipher suites

The following table lists the strong and weak cipher suites that are supported by Function Compute.

Strong cipher suites

  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

Weak cipher suites

  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Mapping between TLS versions and cipher suites

The following table describes the mapping between TLS versions and the cipher suites that the TLS versions support. By default, all cipher suites in the following table are configured in Function Compute.

Note

In the following table, Supported indicates that the TLS version supports the cipher suite. Not supported indicates that the TLS version does not support the cipher suite.

| Cipher suite | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 |
|---|---|---|---|---|
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | Not supported | Not supported | Not supported | Not supported |
| TLS_RSA_WITH_AES_128_CBC_SHA | Not supported | Not supported | Supported | Not supported |
| TLS_RSA_WITH_AES_256_CBC_SHA | Not supported | Not supported | Supported | Not supported |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | Not supported | Not supported | Supported | Not supported |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | Not supported | Not supported | Supported | Not supported |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | Not supported | Not supported | Not supported | Not supported |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | Not supported | Not supported | Not supported | Not supported |
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | Not supported | Not supported | Not supported | Not supported |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | Not supported | Not supported | Supported | Not supported |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | Not supported | Not supported | Supported | Not supported |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | Not supported | Not supported | Supported | Not supported |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | Not supported | Not supported | Not supported | Not supported |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | Not supported | Not supported | Supported | Not supported |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | Not supported | Not supported | Not supported | Not supported |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | Not supported | Not supported | Supported | Not supported |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | Not supported | Not supported | Not supported | Not supported |
| TLS_RSA_WITH_RC4_128_SHA | Not supported | Not supported | Not supported | Not supported |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | Not supported | Not supported | Supported | Not supported |
| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | Not supported | Not supported | Not supported | Not supported |
| TLS_ECDHE_RSA_WITH_RC4_128_SHA | Not supported | Not supported | Not supported | Not supported |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | Not supported | Not supported | Not supported | Not supported |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | Not supported | Not supported | Supported | Not supported |
| TLS_AES_128_GCM_SHA256 | Not supported | Not supported | Not supported | Supported |
| TLS_AES_256_GCM_SHA384 | Not supported | Not supported | Not supported | Supported |
| TLS_CHACHA20_POLY1305_SHA256 | Not supported | Not supported | Not supported | Supported |

Mappings between RFC cipher suite names and OpenSSL cipher suite names

| RFC cipher suite name | OpenSSL cipher suite name |
|---|---|
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | DES-CBC3-SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA | AES128-SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA | AES256-SHA |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE-ECDSA-AES128-SHA |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE-ECDSA-AES256-SHA |
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ECDHE-RSA-DES-CBC3-SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE-RSA-AES128-SHA |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE-RSA-AES256-SHA |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | N/A |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | N/A |
| TLS_RSA_WITH_RC4_128_SHA | RC4-SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | AES128-SHA256 |
| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | ECDHE-ECDSA-RC4-SHA |
| TLS_ECDHE_RSA_WITH_RC4_128_SHA | ECDHE-RSA-RC4-SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 |
| TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 |
| TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 |
| TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 |

Matching rule

Route matching rule

You must configure the mapping between paths and functions when you bind a custom domain name. This way, requests from different paths can trigger different functions. Function Compute supports exact matching and fuzzy matching for paths. The following items describe the matching rules:

  • Exact matching: A function is triggered only if the path of the request is exactly the same as the specified path.

    For example, you have created a route whose path is /a, the corresponding function is f1, and the corresponding version is 1. In this case, only requests from the /a path can trigger Function 1 of Version 1.

  • Fuzzy matching: You can append an asterisk (*) as a wildcard to a path.

    For example, you have created a route whose path is /login/*, the corresponding function is f2, and the corresponding version is 1. Requests from paths that begin with /login/, such as /login/a and /login/b/c/d, can trigger Function 2 of Version 1.

Note
  • If multiple routes are configured for a custom domain name, exact matching takes precedence over fuzzy matching.

  • The longest prefix match (LPM) rule applies when fuzzy matching is performed.

    For example, the /login/a/* path and the /login/* path are configured for the custom domain name example.com, and the request URL is example.com/login/a/b. The request URL matches the configured paths. However, the /login/a/* path is used based on the longest prefix match (LPM) rule.

Examples

For example, the custom domain name is example.com and five routing rules are configured based on the steps described in this topic. The following table lists the routing rules.

| Routing rule | Path | Function name | Version |
|---|---|---|---|
| Routing rule 1 | / | f1 | 1 |
| Routing rule 2 | /* | f2 | 2 |
| Routing rule 3 | /login | f3 | 3 |
| Routing rule 4 | /login/a | f4 | 4 |
| Routing rule 5 | /login/* | f5 | 5 |

The following table describes the final matches.

| Request URL | Name of matched function | Matched version | Matched path |
|---|---|---|---|
| example.com | f1 | 1 | / |
| example.com/user | f2 | 2 | /* |
| example.com/login | f3 | 3 | /login |
| example.com/login/a | f4 | 4 | /login/a |
| example.com/login/a/b | f5 | 5 | /login/* |
| example.com/login/b | f5 | 5 | /login/* |
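
The route matching rules above, as an added Python example that is not Function Compute's own code. It can be used to review which function a path reaches, for instance to confirm that a catch-all /* route does not take over a path you expected another function to handle. The names ROUTES, request_path and match_route are hypothetical, and the example assumes that a wildcard route matches any path that begins with the text before the asterisk.

```python
from urllib.parse import urlsplit

# Routing rules from the example table on this page: (path, function name, version).
ROUTES = [
    ("/", "f1", 1),
    ("/*", "f2", 2),
    ("/login", "f3", 3),
    ("/login/a", "f4", 4),
    ("/login/*", "f5", 5),
]


def request_path(url):
    """Return the path of a request URL such as 'example.com/login/a'.

    A URL without a path (for example 'example.com') maps to '/'.
    """
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to locate the host
    return urlsplit(url).path or "/"


def match_route(path, routes=ROUTES):
    """Return the (path, function, version) rule selected for a request path.

    Returns None when no rule matches; the Diagnostics table on this page
    lists that case as DomainRouteNotFound (HTTP 404).
    """
    # Rule 1: exact matching takes precedence over fuzzy matching.
    for rule in routes:
        if not rule[0].endswith("*") and rule[0] == path:
            return rule

    # Rule 2: among the wildcard routes whose prefix matches,
    # the longest prefix wins (longest prefix match, LPM).
    best = None
    for rule in routes:
        pattern = rule[0]
        if not pattern.endswith("*"):
            continue
        prefix = pattern[:-1]  # '/login/*' -> '/login/'
        if path.startswith(prefix) and (best is None or len(pattern) > len(best[0])):
            best = rule
    return best


if __name__ == "__main__":
    # Request URLs from the "final matches" table on this page.
    for url in ["example.com", "example.com/user", "example.com/login",
                "example.com/login/a", "example.com/login/a/b",
                "example.com/login/b"]:
        print(url, "->", match_route(request_path(url)))
```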

Domain name matching rule

Function Compute matches a domain name based on the domain name information in your request and forwards the request to the function that corresponds to the matched domain name. Function Compute supports exact matching and fuzzy matching for domain names. The following items describe the matching rules:

  • Exact matching: The function that corresponds to the domain name can be triggered only if the domain name of the request exactly matches the custom domain name that you created.

  • Fuzzy matching: Wildcard domain names are supported. The function can be triggered if the domain name of the request matches the custom domain name that you created based on wildcards. A maximum of one wildcard character (*) can be contained in a domain name, and the wildcard character must be placed at the beginning of the domain name.

Note
  • If a request matches a single domain name and a wildcard domain name at the same time, the request is forwarded to the function that corresponds to the single domain name.

  • In fuzzy matching, a wildcard domain name can match only a domain name at the same level. For example, *.aliyun.com can match fc.aliyun.com, but not cn-hangzhou.fc.aliyun.com. *.aliyun.com and fc.aliyun.com are third-level domains and cn-hangzhou.fc.aliyun.com is a fourth-level domain.

Examples

The following table shows the results of request domain names that match the following existing domain names: fc.aliyun.com, *.aliyun.com, and *.fc.aliyun.com.

| Request domain name | Matched domain name |
|---|---|
| fc.aliyun.com | fc.aliyun.com |
| fnf.aliyun.com | *.aliyun.com |
| cn-hangzhou.fc.aliyun.com | *.fc.aliyun.com |
| accountID.cn-hangzhou.fc.aliyun.com | None |
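
The naming rules in the Limits section and the domain name matching rules above, as an added Python example that is not Function Compute's own code. It checks a name before you bind it and shows which binding a request host reaches, which makes the one-level scope of a wildcard binding explicit. The names BINDINGS, check_custom_domain and match_domain are hypothetical, and string comparison is case-sensitive as an assumption based on the Limits section.

```python
import re

# Existing custom domain names from the example table on this page.
BINDINGS = ["fc.aliyun.com", "*.aliyun.com", "*.fc.aliyun.com"]

LABEL_RE = re.compile(r"[A-Za-z0-9-]{1,63}")  # letters, digits, hyphens; 1 to 63 chars
TLD_RE = re.compile(r"[A-Za-z]{2,}")          # alphabetic, at least two characters


def check_custom_domain(name):
    """Return the list of rule violations for a custom domain name.

    An empty list means the name satisfies the rules stated on this page.
    """
    problems = []
    if len(name) > 256:
        problems.append("longer than 256 characters")
    if name.startswith("-"):
        problems.append("starts with a hyphen")

    labels = name.split(".")
    # At most one wildcard, and it must be the whole first label.
    if "*" in name and (name.count("*") > 1 or labels[0] != "*"):
        problems.append("wildcard must be a single leading '*' label")

    for index, label in enumerate(labels):
        if index == 0 and label == "*":
            continue  # leading wildcard label is allowed
        # Rejects empty labels, over-long labels and non-ASCII (e.g. Chinese) characters.
        if not LABEL_RE.fullmatch(label):
            problems.append(f"invalid label {label!r}")

    if not TLD_RE.fullmatch(labels[-1]):
        problems.append("top-level domain must be at least two letters")
    return problems


def match_domain(request_host, bindings=BINDINGS):
    """Return the binding that serves request_host, or None.

    A single (exact) domain name wins over a wildcard domain name, and a
    wildcard only matches hosts at the same level: '*.aliyun.com' covers
    'fc.aliyun.com' but not 'cn-hangzhou.fc.aliyun.com'.
    """
    if request_host in bindings:
        return request_host
    # Replace only the first label with '*', so deeper hosts cannot match.
    _, _, parent = request_host.partition(".")
    wildcard = "*." + parent
    return wildcard if parent and wildcard in bindings else None


if __name__ == "__main__":
    for host in ["fc.aliyun.com", "fnf.aliyun.com",
                 "cn-hangzhou.fc.aliyun.com",
                 "accountID.cn-hangzhou.fc.aliyun.com"]:
        print(host, "->", match_domain(host))
    for name in ["*.aliyun.com", "a.*.aliyun.com", "-fc.aliyun.com"]:
        print(name, "->", check_custom_domain(name) or "ok")
```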

FAQ

Can a public endpoint of an HTTP trigger be used in a production environment?

Website services can be provided only by using domain names for which ICP filings are obtained. You can configure a custom domain name, bind the domain name to your function, and then use the domain name to provide services.

What do I do if a 502 Bad Gateway error is reported when I access a custom domain name?

Check the Record Value parameter that you set when you configure domain name resolution. If you want to access the domain name over the Internet, set Record Value to a public endpoint of Function Compute. For more information, see 2. Configure domain name resolution.

What do I do if errors are reported when I use a Chinese-character domain name to configure a custom domain name?

Domain names that contain Chinese characters are not supported in custom domain names of Function Compute.

How do I resolve the issue of forced downloads when I access a domain name through a browser?

By default, Internet access URLs generated by HTTP triggers do not have ICP filing. Forced downloads are triggered when Internet access URLs are accessed through a browser. For more information about the solution, see Return results are forcibly downloaded when I access an HTTP function through a browser. How do I resolve this issue?

What do I do if a 301 redirect occurs when I access an accelerated domain name?

Check whether forced HTTPS redirection is enabled when you configure a custom domain name. If you do not want 301 redirects, disable this feature.

What do I do if I cannot select an existing function when I configure routes?

Make sure that the custom domain name is in the same region as the function.

What do I do if a function cannot be triggered by using a route?

Check whether the configured route is implemented in corresponding paths in the function. If not, requests fail.

Diagnostics

If an error occurs when you bind a custom domain name, the server returns an error message. The following table describes common error codes to help you quickly identify and resolve issues.

| Error code | HTTP status code | Error message | Possible cause |
|---|---|---|---|
| InvalidICPLicense | 400 | domain name '%s' has not got ICP license, or the ICP license does not belong to Aliyun | This error is returned because the domain name does not have an ICP filing or the information in the ICP filing does not include Alibaba Cloud as a service provider. |
| DomainNameNotResolved | 400 | domain name '%s' has not been resolved to your FC endpoint, the expected endpoint is '%s' | This error is returned because no CNAME is configured for the domain name to point to the specified endpoint. You can check the CNAME settings by running the dig command or logging on to the Domain Name System (DNS) server. |
| DomainRouteNotFound | 404 | no route found in domain '%s' for path '%s' | This error is returned because no function is configured for the specified path. |
| TriggerNotFound | 404 | trigger 'http' does not exist in service '%s' and function '%s' | This error is returned because no HTTP trigger is configured for the function that is bound to the custom domain name. |
| DomainNameNotFound | 404 | domain name '%s' does not exist | This error is returned because the domain name that you want to query does not exist. |
| DomainNameAlreadyExists | 409 | domain name '%s' already exists | This error is returned because the domain name that you want to bind already exists. |

If the issue persists, join the DingTalk group 64970014484 for technical support.