ApsaraVideo Live: Secure acceleration

Last Updated: Jul 25, 2024

ApsaraVideo Live supports the HTTPS secure acceleration and force redirect features. This topic describes how secure acceleration works, its benefits, how to configure secure acceleration, and the usage notes.

Background information

HTTP transmits data in plaintext without encryption. Any device on the network path can intercept HTTP data in transit, and because the data is not encrypted, its content can be read directly.

Features

ApsaraVideo Live allows you to configure the HTTPS secure acceleration and force redirect features. You must configure a Secure Sockets Layer (SSL) certificate before you can use the force redirect feature.

  • HTTPS

    HTTPS is used for secure communication over networks. HTTP transmits data in plaintext. As a secure version of HTTP, HTTPS encapsulates HTTP data by using the SSL or Transport Layer Security (TLS) protocol. SSL or TLS is the security foundation of HTTPS.

    HTTPS provides authentication and encrypted communication, and is widely used for secure communication and sensitive data transmission on the Internet. According to a report released by the Electronic Frontier Foundation (EFF) in 2017, more than half of web page traffic in the world is transmitted in encrypted mode by using HTTPS.

  • Force redirect

    You can use the force redirect feature to redirect the original requests from a client to points of presence (POPs) as HTTP or HTTPS requests.

    If you have enabled HTTPS secure acceleration for your domain names, you can forcibly redirect the original requests from users based on the specified redirect type. Assume that you set the redirect type to HTTP > HTTPS. When a client initiates an HTTP request, the server returns a 301 response to redirect the request to the HTTPS version of the web page, as shown in the following figure.

How it works

After you enable HTTPS in the ApsaraVideo Live console, requests that are transmitted from clients to ApsaraVideo Live are encrypted by using HTTPS. ApsaraVideo Live retrieves requested resources from the origin server and then returns the resources to clients by using the protocol that is configured on the origin server. We recommend that you configure and enable HTTPS for your origin server to implement end-to-end HTTPS encryption.

The following figure shows how HTTPS encrypts data.

  1. The client sends a request over HTTPS.

  2. The server generates a public key and a private key. You can prepare the keys on your own or request them from an authority.

  3. The server sends the public key certificate to the client.

  4. The client verifies the certificate.

    • If the certificate is valid, the client generates a random string. The client uses the public key to encrypt the random string and transmits the encrypted random string to the server.

    • If the certificate is invalid, the SSL handshake fails.

    Note

    A certificate is considered valid if the following conditions are met:

    • The certificate is not expired.

    • The certificate is issued by a trusted certificate authority (CA).

    • The public key of the certificate can be used to decrypt the signature of the certificate.

    • The domain name on the server certificate is the same as the actual domain name that is hosted on the server.

  5. The server uses the private key to decrypt the encrypted random string.

  6. The server uses the random string to encrypt data and transmits the data to the client.

  7. The client uses the random string to decrypt the received data.

Benefits

  • Secure transmission: HTTPS secure acceleration protects communications against eavesdropping, tampering, impersonation attacks, and man-in-the-middle (MITM) attacks.

  • Information encryption: HTTPS encrypts sensitive information such as session IDs and cookies before transmission. This prevents security threats caused by sensitive information leakage.

  • Data integrity: HTTPS checks data integrity during transmission to protect the data against MITM attacks, such as DNS hijacking and tampering.

  • Dominant trend: An increasing number of mainstream browsers such as Google Chrome 70 and later and Mozilla Firefox have labeled HTTP URLs as not secure since 2018. If you use HTTP, your website is exposed to security risks. Users who visit your website by using these browsers are prompted that this website is not secure. This compromises user experience and may reduce visits to the website.

    Mainstream browsers prioritize HTTPS URLs in the search results. In addition, mainstream browsers must support HTTPS before they can support HTTP/2. HTTPS is a more reliable choice in terms of security, market share, and user experience. Therefore, we recommend that you upgrade your communication protocol to HTTPS.

Configuration methods

HTTPS secure acceleration

To access resources over HTTPS, you must configure an HTTPS certificate. For more information, see Certificate formats.

You can use the ApsaraVideo Live console or call an API operation to configure HTTPS secure acceleration.

1. For information about how to use the ApsaraVideo Live console to configure HTTPS secure acceleration, see Configure HTTPS secure acceleration.

2. Call the SetLiveDomainCertificate operation to configure the certificate settings for a domain name.

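The following sample code shows how to use the server SDK for Java to configure the certificate settings for a domain name:

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.exceptions.ServerException;
import com.aliyuncs.live.model.v20161101.SetLiveDomainCertificateRequest;
import com.aliyuncs.live.model.v20161101.SetLiveDomainCertificateResponse;
import com.aliyuncs.profile.DefaultProfile;
import com.google.gson.Gson;

// The wrapper class name is arbitrary.
public class SetLiveDomainCertificateSample {
    public static void main(String[] args) {
        // Replace the parameters in <> with actual values.
        // Do not hard-code the AccessKey pair in production code; load it from
        // environment variables or a credentials provider.
        DefaultProfile profile = DefaultProfile.getProfile("<regionId>", "<ALIBABA_CLOUD_ACCESS_KEY_ID>", "<ALIBABA_CLOUD_ACCESS_KEY_SECRET>");
        IAcsClient client = new DefaultAcsClient(profile);
        SetLiveDomainCertificateRequest setLiveDomainCertificateRequest = new SetLiveDomainCertificateRequest();
        setLiveDomainCertificateRequest.setDomainName("<DomainName>");
        // Enable HTTPS for the domain name.
        setLiveDomainCertificateRequest.setSSLProtocol("on");
        setLiveDomainCertificateRequest.setCertName("<CertName>");
        setLiveDomainCertificateRequest.setCertType("<Upload>");
        // PEM-encoded certificate.
        setLiveDomainCertificateRequest.setSSLPub("<-----BEGIN CERTIFICATE-----\n" +
                "MIIDRjCCAq+gAwI********************\n" +
                "**************************\n" +
                "-----END CERTIFICATE----->");
        // PEM-encoded private key. Read it from a protected file at run time
        // rather than embedding it in source code.
        setLiveDomainCertificateRequest.setSSLPri("<-----BEGIN RSA PRIVATE KEY-----\n" +
                "MIICXAIBAAKBgQDO********************\n" +
                "****************************\n" +
                "-----END RSA PRIVATE KEY----->");
        try {
            SetLiveDomainCertificateResponse response = client.getAcsResponse(setLiveDomainCertificateRequest);
            System.out.println(new Gson().toJson(response));
            // TODO: handle the response.
        } catch (ServerException e) {
            e.printStackTrace();
        } catch (ClientException e) {
            e.printStackTrace();
        }
    }
}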
Note
  • In the preceding example, an HTTPS certificate named <CertName> is configured for the domain name <DomainName>. The certificate type is <Upload>, the public key is <-----BEGIN CERTIFICATE***>, and the private key is <-----BEGIN RSA PRIVATE KEY*****>.

  • The public and private keys support only the PEM format.

  • After the certificate is configured, the certificate is saved to Certificate Management Service. To view the certificate in the Certificate Management Service console, choose Certificate Management > SSL Certificate Management and click the Manage Uploaded Certificates tab.

  • For more information about the server SDK for Java, see Use the server SDK for Java.

Related API operations:

| API operation | Description | References |
|---|---|---|
| SetLiveDomainCertificate | Enables or disables the certificate of a domain name, and modifies the certificate information. | SetLiveDomainCertificate |
| DescribeLiveCertificateList | Queries certificates. | DescribeLiveCertificateList |
| DescribeLiveCertificateDetail | Queries the details of a certificate. | DescribeLiveCertificateDetail |
| BatchDeleteLiveDomainConfigs | Deletes the configurations of multiple domain names at a time. | BatchDeleteLiveDomainConfigs |

Force redirect

Important

Before you configure the feature, make sure that an HTTPS certificate is configured.

You can use the ApsaraVideo Live console or call an API operation to configure force redirect.

1. For information about how to use the ApsaraVideo Live console to configure force redirect, see Configure force redirect.

2. Call the BatchSetLiveDomainConfigs operation to configure force redirect.

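The following sample code shows how to use the server SDK for Java to configure force redirect:

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.exceptions.ServerException;
import com.aliyuncs.live.model.v20161101.BatchSetLiveDomainConfigsRequest;
import com.aliyuncs.live.model.v20161101.BatchSetLiveDomainConfigsResponse;
import com.aliyuncs.profile.DefaultProfile;
import com.google.gson.Gson;

public class ForceRedirectSample {
    public static void main(String[] args) {
        // Replace the parameters in <> with actual values. Load the AccessKey pair from the environment in production code.
        DefaultProfile profile = DefaultProfile.getProfile("<regionId>", "<ALIBABA_CLOUD_ACCESS_KEY_ID>", "<ALIBABA_CLOUD_ACCESS_KEY_SECRET>");
        IAcsClient client = new DefaultAcsClient(profile);
        BatchSetLiveDomainConfigsRequest batchSetLiveDomainConfigsRequest = new BatchSetLiveDomainConfigsRequest();
        batchSetLiveDomainConfigsRequest.setDomainNames("<DomainNames>");
        batchSetLiveDomainConfigsRequest.setFunctions("[{\"functionArgs\":[{\"argName\":\"enable\",\"argValue\":\"on\"}],\"functionName\":\"https_force\"}]");
        try {
            BatchSetLiveDomainConfigsResponse response = client.getAcsResponse(batchSetLiveDomainConfigsRequest);
            System.out.println(new Gson().toJson(response));
            // TODO: handle the response.
        } catch (ServerException e) {
            e.printStackTrace();
        } catch (ClientException e) {
            e.printStackTrace();
        }
    }
}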
Note
  • In the preceding example, force redirect is configured for the domain name <DomainNames>. This way, HTTP requests are forcibly redirected to HTTPS.

  • For more information about the server SDK for Java, see Use the server SDK for Java.
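
The redirect behavior described under Features (an HTTP request answered with a 301 that points to the HTTPS URL) can be confirmed from the response headers after the configuration takes effect. The following shell function is an added example, not part of the original documentation; the function name, host and path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the ApsaraVideo Live documentation).
# check_force_redirect HOST PATH
# Reads the headers of a plain-HTTP response on stdin, for example from
#   curl -sI "http://$host$path" | check_force_redirect "$host" "$path"
# Returns 0 only for a 301 whose Location is the HTTPS form of the same host and path.
check_force_redirect() {
    host=$1; path=$2
    awk -v want="https://$host$path" '
        { sub(/\r$/, "") }                       # strip CR from CRLF line endings
        NR == 1 { status = $2; next }            # status line, e.g. HTTP/1.1 301 ...
        tolower($1) == "location:" { loc = $2 }  # header names are case-insensitive
        END {
            if (status != "301") {
                print "FAIL: status " status ", expected 301"; exit 1
            }
            if (loc != want) {
                print "FAIL: Location " loc ", expected " want; exit 1
            }
            print "OK: " want
        }'
}
```

A 302, a missing Location header, or a Location that still uses http:// all produce a FAIL line and a non-zero return code.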

Related API operations:

| API operation | Description | References |
|---|---|---|
| BatchSetLiveDomainConfigs | Configures multiple domain names at a time. You can configure force redirect by using the https_force attribute of the Functions parameter. | BatchSetLiveDomainConfigs |

Usage notes

  • Disable and enable HTTPS

    • After you disable HTTPS, ApsaraVideo Live no longer supports HTTPS requests. In addition, ApsaraVideo Live deletes the certificate and private key.

    • After you enable HTTPS, you must upload the certificate and private key again to enable the certificate.

  • Upload a certificate and a private key

    • After you enable HTTPS secure acceleration for a domain name, you must upload a certificate and a private key, both of which are in the PEM format.

      Note

      ApsaraVideo Live uses the NGINX-based Tengine web server. Therefore, ApsaraVideo Live supports only PEM certificates that can be read by NGINX.

    • ApsaraVideo Live supports only SSL and TLS handshakes that use Server Name Indication (SNI) information.

    • The uploaded certificate must match the private key. Otherwise, the certificate and private key fail the verification.

    • An updated certificate takes 1 hour to take effect.

    • The system does not support private keys for which passwords are configured.

  • View a certificate

    You can view a certificate. However, you cannot view a private key because it is sensitive. Keep your certificate information safe.

  • Change or edit a certificate

    You can change or edit a certificate. An updated certificate takes 1 hour to take effect. Exercise caution when you perform this operation.
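
The certificate validity conditions listed under How it works and the upload rules in the usage notes can be checked locally before you call SetLiveDomainCertificate. The following shell function is an added example, not part of the original documentation; it assumes that the openssl command-line tool is installed, the function name and arguments are hypothetical, and it does not verify the CA trust chain.

```shell
#!/bin/sh
# Added example (not from the ApsaraVideo Live documentation).
# preflight_cert CERT.pem KEY.pem DOMAIN
# Prints one line per failed check and returns the number of failures.
preflight_cert() {
    cert=$1; key=$2; domain=$3; fails=0

    # PEM format: both files must carry the expected armor lines.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "FAIL: certificate is not PEM"; fails=$((fails + 1)); }
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key" ||
        { echo "FAIL: private key is not PEM"; fails=$((fails + 1)); }

    # Password-protected keys are rejected (PKCS#8 "ENCRYPTED PRIVATE KEY"
    # or the legacy "Proc-Type: 4,ENCRYPTED" header).
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: private key is password-protected"; fails=$((fails + 1))
    else
        # The certificate and the key must carry the same public key.
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: certificate does not match private key"; fails=$((fails + 1))
        fi
    fi

    # Not expired: -checkend 0 exits non-zero for an expired certificate.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate is expired or unreadable"; fails=$((fails + 1)); }

    # The certificate must cover the domain name that is being accelerated.
    openssl x509 -in "$cert" -noout -checkhost "$domain" 2>&1 |
        grep -q 'does match certificate' ||
        { echo "FAIL: certificate does not cover $domain"; fails=$((fails + 1)); }

    return "$fails"
}
```

A return code of 0 means that every check passed; run the function in a directory that only the deploying account can read, because it handles the private key file.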