All Products
Search
Document Center

Function Compute:Configure a custom domain name

更新時間:Nov 11, 2024

Function Compute provides default access URLs for created HTTP functions. Forced downloads are triggered when the URLs are accessed in browsers. If you want to access a function by using a browser without triggering forced downloads or by using a fixed domain name, you must configure a custom domain name.

Common scenarios

An HTTP function is similar to a web application that can process HTTP requests and return results to callers. In the following sample scenarios, you must bind a custom domain name to a web application:

  • You create a web application, migrate the application to Function Compute, and want to access the web application by using a fixed domain name.

  • You build a web application in the Function Compute console and want to use the default URL provided by Function Compute to access the web application. A default URL follows the following format: <account_id>.<region_id>.fc.aliyuncs.com/<version>/proxy/<serviceName>/<functionName>/[action?queries] However, forced downloads are triggered when you access the application over this URL. You want to change the URL of the application without affecting users.

Prerequisites

An HTTP function is created. For more information, see Create a function. Requests that are sent from a custom domain name can trigger only HTTP functions.

Limits

  • Domain names that contain Chinese characters are not supported.

  • The configured custom domain name is case-sensitive. Use the actual domain name for which an Internet Content Provider (ICP) filing is obtained.

  • You can configure wildcard domain names and standard domain names.

  • A domain name can be up to 256 characters in length. The subdomain name at each level must contain at least one character and can be up to 63 characters in length. A subdomain name can contain letters (case-sensitive), digits (0-9), and hyphens (-). However, a domain name cannot start with a hyphen (-). The last part of a domain name, or the top-level domain name, must be a string of alphabetic characters that is at least two characters in length.

Procedure

Process of configuring a custom domain name

image

Step 1: Obtain an ICP filing

Obtain an ICP filing for the domain name based on the service provider and account to which the domain name belongs. Refer to the corresponding operation guide to complete the process.

Note
  • You do not need to apply for ICP filings for custom domain names that are bound to functions in China (Hong Kong) or regions outside the Chinese mainland.

  • You can query the service provider of a domain name on WHOIS.

  • You can check whether a domain name belongs to the current Alibaba Cloud account in the Alibaba Cloud DNS console.

  • Domain names registered by the current Alibaba Cloud account

    Apply for an ICP filing for the custom domain name in the Alibaba Cloud ICP Filing system. For more information, see ICP filing process.

  • Domain names registered by other Alibaba Cloud accounts

    We recommend that you use the Alibaba Cloud account that is used to register the domain name to obtain the ICP filing for the domain name. Log on to the Alibaba Cloud ICP Filing system to apply for an ICP filing for the custom domain name. For more information, see ICP filing process.

  • Domain names registered by non-Alibaba Cloud accounts

    If the entity and the domain name are filed through another service provider, and you need to change the service provider to Alibaba Cloud or add Alibaba Cloud as a new service provider for the website, you need to apply for an ICP filing in Alibaba Cloud. Log on to the Alibaba Cloud ICP Filing system to apply for an ICP filing for the custom domain name.

Step 2: Configure domain name resolution

For more information, see Quick Start.

You need to resolve the domain name to an endpoint of Function Compute in the corresponding region. That is, you need to configure the CNAME of the custom domain name to an endpoint of Function Compute. On the DNS page, set Record Type to CNAME and Record Value to an endpoint of Function Compute.

The following table describes formats of Function Compute endpoints.

Endpoint format

Format

Example

Public endpoint

<account_id>.<region_id>.fc.aliyuncs.com

Custom domain: example.com. Alibaba Cloud account: 164901546557****. Region: China (Shanghai).

Public endpoint: 164901546557****.cn-shanghai.fc.aliyuncs.com

Internal endpoint

<account_id>.<region_id>-internal.fc.aliyuncs.com

Internal endpoint: 164901546557****.cn-shanghai-internal.fc.aliyuncs.com

Note

If you want to access the domain name over the Internet, you must set Record Value to a public endpoint of Function Compute.

Step 3: Add a custom domain name

  1. Log on to the Function Compute console. In the left-side navigation pane, choose Advanced Features > Custom Domains.

  2. In the top navigation bar, select a region. On the Custom Domains page, click Add Custom Domain Name.

  3. On the Add Custom Domain Name page, configure parameters and click Create. The following table describes the parameters.

    Parameter

    Description

    Domain Name

    Enter a custom domain name for which an ICP filing has been obtained in the Alibaba Cloud ICP Filing system or the custom domain name whose ICP filing information includes Alibaba Cloud as a service provider. You can enter a specific domain name such as www.aliyun.com or a wildcard domain name such as *.aliyun.com.

    HTTPS

    Select Enable or Disable to allow or disallow the custom domain name to be accessed over HTTPS. Valid values:

    • Enable: allows the custom domain name to be accessed over HTTPS. If you select Enable, you can access the custom domain name over HTTP or HTTPS.

      Note

      You can also select the Redirects HTTP Requests to HTTPS check box to allow only HTTPS requests. Function Compute redirects requests that are accessed over HTTP to HTTPS.

    • Disable: disallows the custom domain name to be accessed over HTTPS. If you select Disable, you can access the custom domain name only over HTTP.

    Certificate Type

    Select the type of certificate that you want to upload. This parameter is required only if you select Enable for the HTTPS parameter. Valid values:

    • Alibaba Cloud SSL Certificate: Select an Alibaba Cloud Secure Sockets Layer (SSL) certificate from the Certificate Name drop-down list. If no values are available in the Certificate Name drop-down list, you do not have an Alibaba Cloud SSL certificate. In this case, log on to the Certificate Management Service console to purchase an SSL certificate.

    • Manual Upload: Manually configure the Certificate Name, PEM Certificate Content, and PEM Certificate Key parameters.

      Note

      The certificate that you want to upload cannot exceed 20 KB in size. The certificate key cannot exceed 4 KB in size.

    TLS Version

    Select the transport layer security (TLS) protocol version that the function uses from the drop-down list.

    Note

    After you select a TLS version, you can also select Enable Support for TLS1.3. This way, TLS 1.3 is supported.

    Cipher Suite

    Select TLS cipher algorithm suites. If you leave this parameter empty, all cipher suites are selected. Valid values:

    • All Cipher Suites (High Compatibility and Low Security): All cipher suites. For the list of cipher suites supported by Function Compute, see Strong and weak cipher suites.

    • Custom Cipher Suite (Select Based on Protocol Version. Proceed with Caution): Select cipher suites based on your business requirements. All cipher suites are displayed in the drop-down list. You can click the delete icon to the right of a cipher suite to deselect the cipher suite. This way, you can delete weak cipher suites and retain only the cipher suites that are supported by the TLS versions that you specify.

    Important

    CDN Acceleration

    Specify whether to enable CDN acceleration for the custom domain name. If you enable CDN acceleration for the custom domain name, end users can use the CDN-accelerated domain name to read the content with high efficiency. Valid values:

    • Enable: enables CDN acceleration. If you set the CDN Acceleration parameter to Enable, you must enter an accelerated domain name in the CDN-Accelerated Domain Name field. Then, log on to the CDN console and configure a CNAME record for the accelerated domain name. For more information, see (Optional) Step 4: Enable CDN acceleration.

    • Disable: disables CDN acceleration.

    Web Application Firewall (WAF)

    Specify whether to enable WAF for the custom domain name. This feature identifies malicious traffic in functions and applications, scrubs and filters out malicious traffic, and returns normal traffic to backend functions to protect your functions against malicious intrusions. For more information, see Enable WAF protection. Valid values:

    • Enable

    • Disable

    Route

    Configure the mapping between paths and functions. This way, requests from different paths can trigger different functions. You must configure the following fields:

    • Path: the request path from which the specified function in the specified service can be triggered.

    • Service Name: the name of the service to which the function that is triggered by a request from a specified path belongs.

    • Function Name: the name of the function that is triggered by a request from the specified path.

    • Version or Alias: the version or alias of the service to which the function that is triggered by a request from the specified path belongs.

    • Rewrite Policy: the rule based on which the Uniform Resource Identifier (URI) of a request in a specified path is rewritten. For more information, see Procedure.

    You can configure multiple routes based on your business requirements. For more information, see Routing rules.

    After you configure a custom domain name, you can modify or delete it based on your business requirements.

    Important

    If you delete a custom domain name, all requests that use the domain name to access Function Compute fail. Exercise caution if you perform this operation.

(Optimal) Step 4: Enable CDN acceleration

After you bind a custom domain name to a web application, you can use the custom domain name as the origin domain name and add an accelerated domain name to it. Then, you can configure a CNAME for the accelerated domain name. This way, CDN acceleration is enabled for the custom domain name. The application that is deployed in Function Compute serves as an origin server, and the source content is published to edge nodes. This way, end users can read the required content with high efficiency. This efficiently reduces the latency and improves service quality.

After you add the accelerated domain name, you can check whether CDN acceleration is enabled for your custom domain name in the Function Compute console and whether the specified accelerated domain name that is added in the CDN console is bound to your custom domain name.

Note
  • If you enable the CDN acceleration feature, you are charged for data transferred over the Internet. For more information, see Billing overview.

  • The custom domain name and the accelerated domain name cannot be the same. For example, if you set the custom domain name to www.test.com, you must set the accelerated domain name to another domain name, such as cdn.test.com.

  1. Log on to the CDN console and enable CDN acceleration.

    For more information, see Add a domain name.

    When you configure the Origin Info parameter, select Function Compute Domain. Then, select the region where the Function Compute service that you want to manage resides and the custom domain name that you created.

  2. Log on to the Function Compute console. In the left-side navigation pane, choose Advanced Features > Custom Domains.

  3. In the top navigation bar, select a region. In the domain name list, find the desired domain name and click Edit in the Actions column.

  4. On the Modify Custom Domain Name page, view the CDN-accelerated domain name configurations that are synchronized from the CDN console.

    accelerate-domain2

  5. After the CDN domain name is added to the custom domain name, CDN assigns a CNAME to the custom domain name. Obtain the CNAME record on the Custom Domains page and map the DNS parsing of the accelerated domain to the CNAME record.

    For more information, see Add a CNAME record for a domain name.

    Note

    The CNAME is in the following format: Accelerated domain name.w.alikunlun.com, for example, example.aliyundoc.com.w.alikunlun.com.

Step 5: Verify the custom domain name

After you add the custom domain name or the CDN-accelerated domain name, you can use one of the following methods to check whether the custom domain name or the CDN-accelerated domain name can be accessed.

  • Method 1: Run the curl URL command, for example, curl example.com/login.

  • Method 2: Use a browser.

    Enter the request URL in the address bar of a browser and press the Enter key to check whether the specified function is invoked.

Cipher suites

Strong and weak cipher suites

The following table lists the strong and weak cipher suites that are supported by Function Compute.

Strong cipher suites:

Weak cipher suites:

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

  • TLS_RSA_WITH_RC4_128_SHA

  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

  • TLS_ECDHE_RSA_WITH_RC4_128_SHA

  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Mappings between TLS versions and cipher suites

The following table describes mappings between TLS versions and cipher suites that are supported by each TLS version. By default, all cipher suites in the following table are configured in Function Compute.

Note

In the following table, 支持 indicates that a TLS version supports a cipher suite. not-support indicates that a TLS version does not support a cipher suite.

Expand to view mappings between TLS versions and cipher suites.

Cipher suite

TLS 1.0

TLS 1.1

TLS 1.2

TLS 1.3

TLS_RSA_WITH_3DES_EDE_CBC_SHA

支持

支持

支持

not-support

TLS_RSA_WITH_AES_128_CBC_SHA

支持

支持

支持

not-support

TLS_RSA_WITH_AES_256_CBC_SHA

支持

支持

支持

not-support

TLS_RSA_WITH_AES_128_GCM_SHA256

not-support

not-support

支持

not-support

TLS_RSA_WITH_AES_256_GCM_SHA384

not-support

not-support

支持

not-support

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

支持

支持

支持

not-support

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

支持

支持

支持

not-support

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

支持

支持

支持

not-support

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

支持

支持

支持

not-support

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

支持

支持

支持

not-support

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

not-support

not-support

支持

not-support

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

not-support

not-support

支持

not-support

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

not-support

not-support

支持

not-support

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

not-support

not-support

支持

not-support

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

not-support

not-support

支持

not-support

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

not-support

not-support

支持

not-support

TLS_RSA_WITH_RC4_128_SHA

not-support

not-support

not-support

not-support

TLS_RSA_WITH_AES_128_CBC_SHA256

not-support

not-support

not-support

not-support

TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

not-support

not-support

not-support

not-support

TLS_ECDHE_RSA_WITH_RC4_128_SHA

not-support

not-support

not-support

not-support

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

not-support

not-support

not-support

not-support

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

not-support

not-support

not-support

not-support

TLS_AES_128_GCM_SHA256

not-support

not-support

not-support

支持

TLS_AES_256_GCM_SHA384

not-support

not-support

not-support

支持

TLS_CHACHA20_POLY1305_SHA256

not-support

not-support

not-support

支持

Mappings between RFC cipher suit names and OpenSSL cipher suite names

RFC cipher suite name

OpenSSL cipher suite name

TLS_RSA_WITH_3DES_EDE_CBC_SHA

DES-CBC3-SHA

TLS_RSA_WITH_AES_128_CBC_SHA

AES128-SHA

TLS_RSA_WITH_AES_256_CBC_SHA

AES256-SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

AES128-GCM-SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

AES256-GCM-SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

ECDHE-ECDSA-AES128-SHA

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

ECDHE-ECDSA-AES256-SHA

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

ECDHE-RSA-DES-CBC3-SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

ECDHE-RSA-AES128-SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

ECDHE-RSA-AES256-SHA

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

ECDHE-RSA-AES128-GCM-SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

ECDHE-ECDSA-AES128-GCM-SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

ECDHE-RSA-AES256-GCM-SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

ECDHE-ECDSA-AES256-GCM-SHA384

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

N/A

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

N/A

TLS_RSA_WITH_RC4_128_SHA

RC4-SHA

TLS_RSA_WITH_AES_128_CBC_SHA256

AES128-SHA256

TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

ECDHE-ECDSA-RC4-SHA

TLS_ECDHE_RSA_WITH_RC4_128_SHA

ECDHE-RSA-RC4-SHA

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

ECDHE-ECDSA-AES128-SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

ECDHE-RSA-AES128-SHA256

TLS_AES_128_GCM_SHA256

TLS_AES_128_GCM_SHA256

TLS_AES_256_GCM_SHA384

TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_CHACHA20_POLY1305_SHA256

Matching rules

Route matching rules

You must configure mappings between paths and functions when you bind a custom domain name. This way, requests from different paths can trigger different functions. Function Compute supports exact matching and fuzzy matching for paths. The following items describe the matching rules:

  • Exact matching: A function is triggered only if the path of the request is exactly the same as the specified path.

    For example, you created a route whose path is /a, the corresponding function is Function 1, and the corresponding version is Version 1. In this case, only requests from the /a path can trigger Function 1 of Version 1.

  • Fuzzy matching: You can append an asterisk (*) as a wildcard to a path.

    For example, you created a route whose path is, /login/*, the corresponding function is Function 2, and the corresponding version is Version 1. Requests from paths that begin with /login/, such as /login/a and /login/b/c/d, can trigger Function 2 of Version 1.

Note
  • If multiple routes are configured for a custom domain name, exact matching takes precedence over fuzzy matching.

  • The longest prefix match (LPM) rule applies when fuzzy matching is performed.

    For example, the /login/a/* path and the /login/* path are configured for the custom domain name example.com, and the request URL is example.com/login/a/b. In this case, the request URL matches the configured paths. However, the /login/a/* path is used based on the LPM rule.

Example

The custom domain name is example.com. The following table describes five routing rules that are configured based on the steps described in this topic.

Routing rule

Path

Service name

Function name

Version

Routing rule 1

/

s1

f1

1

Routing rule 2

/*

s2

f2

2

Routing rule 3

/login

s3

f3

3

Routing rule 4

/login/a

s4

f4

4

Routing rule 5

/login/*

s5

f5

5

The following table describes the final matches.

Request URL

Matched service name

Matched function name

Matched version

Matched path

example.com

s1

f1

1

/

example.com/user

s2

f2

2

/*

example.com/login

s3

f3

3

/login

example.com/login/a

s4

f4

4

/login/a

example.com/login/a/b

s5

f5

5

/login/*

example.com/login/b

s5

f5

5

/login/*

Domain name matching rule

Function Compute matches a domain name based on the domain name information in your request and forwards the request to the function that corresponds to the matched domain name. Function Compute supports exact matching and fuzzy matching for domain names. The following items describe the matching rules:

  • Exact matching: The function that corresponds to the domain name can be triggered only if the domain name of the request exactly matches the custom domain name that you created.

  • Fuzzy matching: Wildcard domain names are supported. The function can be triggered if the domain name of the request matches the custom domain name that you created based on wildcards. A maximum of one wildcard character (*) can be contained in a domain name, and the wildcard character must be placed at the beginning of the domain name.

Note
  • If a request matches a single domain name and a wildcard domain name at the same time, the request is forwarded to the function that corresponds to the single domain name.

  • For fuzzy matching, a wildcard domain name can match only a domain name at the same level. For example, *.aliyun.com can match fc.aliyun.com, but not cn-hangzhou.fc.aliyun.com. The sample matching result shows that *.aliyun.com and fc.aliyun.com are third-level domains and cn-hangzhou.fc.aliyun.com is a fourth-level domain.

Example

The following table shows the matched domain names of the following existing domain names: fc.aliyun.com, *.aliyun.com, and *.fc.aliyun.com.

Request domain name

Matched domain name

fc.aliyun.com

fc.aliyun.com

fnf.aliyun.com

*.aliyun.com

cn-hangzhou.fc.aliyun.com

*.fc.aliyun.com

accountID.cn-hangzhou.fc.aliyun.com

None

FAQ

Can a public endpoint of an HTTP trigger be used in a production environment?

Website services can be provided only by using domain names for which ICP filings are obtained. You can configure a custom domain name, bind the domain name to your function, and then use the domain name to provide services.

What do I do if a 502 Bad Gateway error occurs when I access a custom domain name?

Check the Record Value parameter that you set when you configure domain name resolution. If you want to access the domain name over the Internet, set Record Value to a public endpoint of Function Compute. For more information, see Step 2: Configure domain name resolution.

What do I do if errors are reported when I use a domain name that contains Chinese characters to configure a custom domain name?

Domain names that contain Chinese characters are not supported in custom domain names of Function Compute.

How do I resolve the issue of forced downloads when I access a domain name through a browser?

By default, public endpoints generated by HTTP triggers do not have ICP filings. Forced downloads are triggered when public endpoints are accessed by using a browser. For more information about the solution, see Return results are forcibly downloaded when I access an HTTP function through a browser. How do I resolve this issue?

What do I do if a 301 redirect occurs when I access an accelerated domain name?

Check whether forced HTTPS redirection is enabled when you configure a custom domain name. If you do not want 301 redirects, disable this feature.

What can I do if I cannot select a service or function that I have created when I configure a route?

  • Make sure that the custom domain name and the service are in the same region.

  • You can select only a function for which an HTTP trigger is created in the route configuration.

What do I do if a function cannot be triggered by using a route?

Check whether the configured route is implemented in corresponding paths in the function. If not, requests fail.

Diagnostics

If an error occurs when you bind a custom domain name, the server returns an error message. The following table describes common error codes to help you quickly troubleshoot issues.

Error code

HTTP status code

Error message

Cause

InvalidICPLicense

400

domain name '%s' has not got ICP license, or the ICP license does not belong to Aliyun

The error message returned because the domain name does not have an ICP filing or the information in the ICP filing does not include Alibaba Cloud as a service provider. For more information, see Step 1: Obtain an ICP filing.

DomainNameNotResolved

400

domain name '%s' has not been resolved to your FC endpoint, the expected endpoint is '%s'

The error message returned because no CNAME is configured for the domain name to point to the specified endpoint. You can check the CNAME settings by running the dig command or logging on to the Domain Name System (DNS) server.

DomainRouteNotFound

404

no route found in domain '%s' for path '%s'

The error message returned because no function is configured for the specified path.

TriggerNotFound

404

trigger 'http' does not exist in service '%s' and function '%s'

The error message returned because no HTTP trigger is configured for the function that is bound to the custom domain name.

DomainNameNotFound

404

domain name '%s' does not exist

The error message returned because the domain name that you want to query does not exist.

DomainNameAlreadyExists

409

domain name '%s' already exists

The error message returned because the domain name that you want to bind already exists.

If your issues persist, join the DingTalk group 11721331 for technical support.