You can use Global Accelerator (GA) to accelerate access to HTTP websites over HTTPS. This improves the speed and security of client access to HTTP websites.
Sample scenario
The following scenario is used as an example. The headquarters of a company is located in the US (Silicon Valley) region and the headquarters deploys an HTTP website on a self-managed server in the US (Silicon Valley) region. The clients that want to access the website are located in the China (Hong Kong) region. The website may encounter the following challenges:
Data is transmitted in plaintext over HTTP, and requests destined for the website are not authenticated, which exposes the website to security risks.
The cross-border network is unstable, so issues such as high latency, jitter, and packet loss may frequently occur.
In this case, the company can use GA and configure an HTTPS listener to accelerate access to the HTTP website deployed in the US (Silicon Valley) region for clients in the China (Hong Kong) region. Requests from the clients to the HTTPS listener are encrypted in transit; the listener terminates TLS and forwards the requests to the backend HTTP website.
Prerequisites
An SSL certificate is purchased and a certificate application is submitted. For more information, see Purchase an SSL certificate and Submit a certificate application.
An HTTP service that uses port 80 is deployed on a backend server.
An A record that maps the backend domain name to the public IP address of the backend server is created.
In this example, NGINX is used to deploy the backend HTTP service and Alibaba Cloud DNS is used to configure the DNS record.
For more information about how to deploy an NGINX service, see Install NGINX.
For more information about how to configure DNS records, see Add a DNS record. If you use a third-party DNS resolution service, refer to the user guide provided by the service provider.
Procedure
This topic uses a pay-as-you-go standard Global Accelerator instance as an example to describe how to configure Global Accelerator to accelerate access to HTTP websites over HTTPS. Before you create a pay-as-you-go standard Global Accelerator instance, take note of the following information:
GA instances use the pay-by-data-transfer metering method. You do not need to associate a basic bandwidth plan with pay-as-you-go GA instances. The billing of data transfer over the GA network is managed by Cloud Data Transfer (CDT). For more information, see Pay-by-data-transfer.
The first time you use a pay-as-you-go Global Accelerator instance, go to the pay-as-you-go GA activation page and activate Global Accelerator as prompted.
Step 1: Configure the basic information about an instance
Log on to the GA console.
On the Instances page, click Create GA Instance. Select Subscription Standard Instance or Pay-as-you-go Standard Instance based on your business requirements.
In this example, Pay-as-you-go Standard Instance is selected.
In the Basic Instance Configuration step, configure the following parameters and click Next.
Parameter | Description |
GA Instance Name | Enter a name for the GA instance. |
Instance Billing Method | Pay-As-You-Go is selected by default. You are charged instance fees, Capacity Unit (CU) fees, and data transfer fees for pay-as-you-go standard GA instances. For more information about instance fees and CU fees, see Billing of pay-as-you-go GA instances. For more information about data transfer fees, see Pay-by-data-transfer. |
Resource Group | Select the resource group to which the standard GA instance belongs. The resource group must be a resource group created in Resource Management by the current Alibaba Cloud account. For more information, see Create a resource group. |
Step 2: Add an acceleration area
By adding an acceleration area, you can specify the regions of the GA users and allocate bandwidth to the regions.
In the Configure acceleration areas step, configure the parameters and click Next. The following table describes the parameters.
Parameter | Description |
Acceleration Area | Select one or more regions from the drop-down list and click Add. In this example, the China (Hong Kong) region of Asia Pacific is selected. |
Assign Bandwidth | |
Bandwidth | Specify the bandwidth for the acceleration region. Each acceleration region supports a bandwidth range of 2 to 10,000 Mbit/s. The maximum bandwidth is used for bandwidth throttling. The data transfer fees are managed by CDT. In this example, the default value 200 Mbit/s is used. Important: If you specify a small value for the maximum bandwidth, throttling may occur and packets may be dropped. Specify a maximum bandwidth based on your business requirements. |
IP Protocol | Select the IP version that is used to connect to GA. In this example, the default value IPv4 is selected. |
ISP Line Type | Select an ISP line type for the GA. BGP (Multi-ISP) is selected in this example. |
Step 3: Configure a listener
A listener listens for connection requests and distributes the requests to endpoints based on the port and the protocol that you specify. Each listener is associated with an endpoint group. You can associate an endpoint group with a listener by specifying the region to which you want to distribute network traffic. After you associate an endpoint group with a listener, network traffic is distributed to the optimal endpoint in the endpoint group.
In the Configure listener step, configure the parameters and click Next. The following table describes the parameters.
The following table describes only the parameters that are relevant to this topic. Use the default values for other parameters. For more information, see Add and manage intelligent routing listeners.
Parameter | Description |
Listener Name | Enter a name for the listener. |
Routing Type | Select a routing type. In this example, Intelligent Routing is selected. |
Protocol | Select a protocol for the listener. HTTPS is selected in this example. |
Port | Specify a port for the listener to receive and forward requests to endpoints. Valid values: 1 to 65499. The value is set to 443 in this example. |
Server Certificate | Select the server certificate that you obtained. |
TLS Security Policies | Select the TLS security policy required by your service. A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS. For more information about TLS security policies, see TLS security policies. In this example, the default value tls_cipher_policy_1_0 is used. |
Client Affinity | Specify whether to enable client affinity. If client affinity is enabled, requests from the same client are forwarded to the same endpoint when the client connects to a stateful application. In this example, Source IP is selected. |
Custom HTTP Headers | Select the HTTP headers that you want to add. In this example, the default settings are used. |
Step 4: Configure an endpoint group and endpoints
In the Configure an endpoint group step, configure the parameters and click Next. The following table describes the parameters.
This topic describes only the key parameters. For more information, see Add and manage endpoint groups of intelligent routing listeners.
Parameter | Description |
Region | Select the region where the endpoint group is deployed. In this example, US (Silicon Valley) is selected. |
Endpoint Configuration | Endpoints are destinations of client requests. To add an endpoint, specify the following parameters: Backend Service Type: In this example, Custom IP is selected. Backend Service: Enter the IP address of the backend service that you want to accelerate. Weight: Enter a weight for the endpoint. Valid values: 0 to 255. Global Accelerator routes network traffic to endpoints based on the weights of the endpoints. In this example, the default value 255 is used. Warning: If you set the weight of an endpoint to 0, Global Accelerator stops distributing network traffic to the endpoint. Proceed with caution. |
Preserve Client IP | By default, client IP address preservation is enabled. This feature allows you to view client IP addresses on backend servers. HTTP listeners can retrieve client IP addresses from the X-Forwarded-For HTTP header. For more information, see Preserve client IP addresses. |
Backend Service Protocol | Select the protocol that is used by backend servers. In this example, HTTP is selected. |
Port Mapping | If the listener port and the port that is used by the endpoint to provide services are different, you must configure this parameter. Listener Port: Enter the port of the current listener. The value is set to 443 in this example. Endpoint Port: Enter the port that the endpoint uses to provide services. In this example, 80 is used. |
In the Configuration Review step, check the configurations and click Submit.
Note: It takes 3 to 5 minutes to create a Global Accelerator instance.
(Optional) After you create a GA instance, you can click the instance ID on the Instances page to view the configurations of the instance. On the instance details page, you can click tabs, such as Instance Information, Listeners, and Acceleration Areas, to view more details.
Step 5: Configure a CNAME record
You must create a DNS record to map the domain name that you want to access to the CNAME of the Global Accelerator instance. This way, requests can be forwarded to Global Accelerator.
Log on to the Alibaba Cloud DNS console.
Note: If your domain name is not registered by using Alibaba Cloud Domains, you must add your domain name to Alibaba Cloud DNS before you configure a DNS record. For more information, see the "Add a domain name" section of the Manage domain names topic. If your domain name is registered by using Alibaba Cloud Domains, skip this step.
On the Domain Name Resolution page, find the domain name and click DNS Settings in the Actions column to go to the DNS Settings page.
On the DNS Settings page, find the A record and click Modify in the Actions column.
In the Modify DNS Record panel, set Record Type to CNAME, set Record Value to the CNAME assigned to the Global Accelerator instance, and then click OK.
You can view the CNAME assigned to the Global Accelerator instance on the Instances page.
If you want to return resolution results based on the region to which a client belongs, make sure that Alibaba Cloud DNS is upgraded to Enterprise Standard Edition or Enterprise Ultimate Edition. For more information, see Renewal and upgrade.
After the upgrade is complete, you can change the default ISP line of the existing A record to the ISP line of a specific region and add a CNAME record that maps the website domain name to the CNAME assigned to the Global Accelerator instance.
Step 6: Test network connectivity
Perform the following steps to verify the connectivity to the HTTP website that is deployed in the US (Silicon Valley) region over HTTPS. In addition, check whether content delivery is accelerated.
The Alibaba Cloud Linux 3.2104 LTS 64-bit operating system is used in this example. The command that is used to test the connectivity varies based on the operating system that you use. For more information, see the user guide of your operating system.
Check whether the CNAME record takes effect.
Open the CLI on an on-premises machine in the China (Hong Kong) region.
Run the following command to ping the domain name:
ping <Website domain name>
If the canonical name shown in the ping output is the same as the CNAME allocated by Global Accelerator, the CNAME record takes effect.
Run the following command to check whether the client can access the HTTP website deployed in US (Silicon Valley) over HTTPS:
curl https://<Website domain name>
For information about how to test acceleration performance, see Use network detection tools to verify acceleration performance.
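A scripted version of the checks in Step 5 and Step 6, added here as an example and not part of the original topic: it uses dig (instead of ping) to confirm that the website domain resolves to the GA CNAME, then fetches the site over HTTPS with curl and checks the status code and certificate verification result. The website domain, the GA CNAME, and the presence of dig and curl on the client machine are assumptions.

```shell
#!/bin/sh
# Added verification helper, not part of the original topic. Assumes `dig` and
# `curl` on the client machine and the GA CNAME from the Instances page as the
# second argument. Parsing is split out so it can be checked offline.
# Normalize a DNS name for comparison: lower-case, drop the trailing dot.
norm_name() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# cname_matches DIG_SHORT_OUTPUT EXPECTED_CNAME
# In `dig +short` output CNAME targets end with a dot, IP addresses do not;
# succeed only when the first CNAME target equals the expected GA CNAME.
cname_matches() {
  target=$(printf '%s\n' "$1" | grep '\.$' | head -n 1)
  if [ -n "$target" ] && [ "$(norm_name "$target")" = "$(norm_name "$2")" ]; then
    return 0
  fi
  return 1
}

# https_ok "HTTP_CODE SSL_VERIFY_RESULT ..." : pass only on a 200 answer with a
# verified certificate chain (ssl_verify_result 0); code 000 means no response.
https_ok() {
  set -- $1
  if [ "$1" = "200" ] && [ "$2" = "0" ]; then
    return 0
  fi
  return 1
}
# Live check: resolve the website domain, then fetch it over HTTPS through GA.
verify_ga() {
  domain=$1; ga_cname=$2
  short=$(dig +short "$domain")
  if cname_matches "$short" "$ga_cname"; then
    echo "CNAME OK: $domain -> $ga_cname"
  else
    echo "CNAME MISMATCH for $domain; dig +short returned:"; echo "$short"; return 1
  fi
  # -o /dev/null discards the body; -w prints status, chain verification result,
  # TLS handshake time and total time (useful when comparing acceleration later).
  probe=$(curl -sS -o /dev/null -w '%{http_code} %{ssl_verify_result} %{time_appconnect} %{time_total}' "https://$domain")
  if https_ok "$probe"; then
    echo "HTTPS OK (code verify appconnect total): $probe"
  else
    echo "HTTPS FAILED (code verify appconnect total): $probe"; return 1
  fi
}
if [ "$#" -eq 2 ]; then verify_ga "$1" "$2"; fi
```

Run it as `sh verify_ga.sh <Website domain name> <GA CNAME>` from the client in China (Hong Kong); a non-zero exit means either the CNAME record has not taken effect or the HTTPS request did not succeed with a verified certificate.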