Key concepts

Origin server

The server that hosts your content. Alibaba Cloud CDN fetches content from the origin server and caches it on points of presence (POPs) closer to your users.

Alibaba Cloud CDN supports the following origin server types: Object Storage Service (OSS) buckets, Function Compute, and your own servers (specified by IP address or domain name).

POP

A point of presence (POP) is consisted of geographically distributed cache nodes where Alibaba Cloud CDN stores copies of your origin content. When a user requests content, Alibaba Cloud CDN serves it from the nearest POP. If the content is not cached or has expired, the POP fetches it from the origin server.

Accelerated domain name

A domain name that Alibaba Cloud CDN is configured to accelerate. For example, if you add aliyundoc.com to Alibaba Cloud CDN, aliyundoc.com is the accelerated domain name. In CDN documentation, this is also referred to simply as a CDN domain name or domain name.

A domain name is an identification string that maps to one or more internet resources. It acts as a human-readable alias for a numerical IP address.

CNAME record

A CNAME record (also called an alias record) maps one domain name to another, which is then resolved to the IP address of the destination server.

After you add a domain name to Alibaba Cloud CDN, the service generates a CNAME record in the format *.*kunlun*.com and assigns it to your domain. Add this CNAME record at your DNS provider to route traffic through CDN POPs.

A CNAME record is required because POPs serving different regions and internet service providers (ISPs) have different IP addresses — a single A record cannot map to all of them. The CDN routing system selects the optimal POP based on the user's region, ISP, and current load, then resolves the CNAME to that POP's IP address.

Static content

Content or resource that is identical for every request. Examples include images, videos, HTML, CSS, and JavaScript files, software installation packages, APK files, and compressed archives.

Alibaba Cloud CDN caches static content on globally distributed POPs and serves it from the POP closest to the requesting user, reducing latency and improving user experience.

Dynamic content

Content that may differ between requests. Examples include ASP, JSP, PHP, PERL, and CGI files, API responses, and database query results.

For dynamic content acceleration, we recommend using Edge Security Acceleration (ESA).

DNS

Domain Name System (DNS) translates human-readable domain names into machine-readable IP addresses. For example, aliyundoc.com resolves to an IP address such as 10.10.10.10. This resolution happens automatically through DNS servers when a user enters a domain name in a browser.

Alibaba Cloud also provides a managed DNS service. For details, see What is Alibaba Cloud DNS.

SSL/TLS

Secure Sockets Layer (SSL) is a security protocol that protects data transmitted over the internet. Transport Layer Security (TLS) is its successor. Both operate between the TCP/IP stack and application layer protocols to encrypt communications. They are collectively referred to as SSL/TLS.

DNS time

The time from when a client initiates a request to when it receives the IP address of the destination host.

TCP time

The time required for a client to establish a TCP connection to the destination server.

SSL time

The time required for a client to complete an SSL handshake with a web server.

Delivery time

The time for a client to finish sending a request after the SSL handshake completes.

Connection time

The total time to establish a connection between a client and a POP.

• HTTP: DNS time + TCP time

• HTTPS: DNS time + TCP time + SSL time

Connection time reflects POP coverage and delivery capability.

Response time

The time for a web server to process an HTTP request and return a response to a client.

Download time

The time for a client to receive and download the first packet returned from a web server.

Time to first packet

The time from when a client sends a request to when it receives the first HTTP packet from the server. For content uploads and downloads, this equals: DNS time + TCP time + SSL time + request time + response time.

Time to first packet reflects the overall performance of POPs.

A newly registered domain name may take longer to resolve than established domain names. This does not affect cache retrieval time.

Initial load time

The time to complete loading the first frame of a stream. It is determined by DNS time, connection time, and time to first packet. A shorter initial load time indicates better performance.

Stalling rate

A metric for video and audio streaming. Calculated as: number of viewers who experience stalling events ÷ 100. A lower stalling rate indicates better performance.

Packet loss rate

The ratio of lost packets to total packets transmitted over a network connection.

Overall performance

The total time to upload or download an entire file.

Origin fetch

When a user requests content that is not cached on a POP or has expired, the POP retrieves the content directly from the origin server. This process is called an origin fetch.

Origin host

The domain name that POPs use when making origin fetch requests. This matters when multiple domain names are hosted on the same origin server — you need to specify which domain name the POP should target.

For example, if your accelerated domain name is www.aliyundoc.com but the origin server should respond to requests for aliyundoc.com, set the origin host to aliyundoc.com.

For details, see Configure the default origin host.

Origin protocol policy

The protocol (HTTP or HTTPS) that POPs use when fetching content from the origin server.

For example, if clients send requests to POPs over HTTPS but the origin server does not support HTTPS, set the origin protocol policy to HTTP. For details, see Configure the origin protocol policy.

Origin-fetch rate

A measure of how often POPs retrieve content from the origin server rather than serving it from cache. There are two types:

• Origin request rate — The ratio of requests for uncached, expired, or non-cacheable content to total requests sent to POPs. Calculated as: back-to-origin requests from POPs ÷ total requests to POPs. A lower rate indicates better cache efficiency. Note: if POPs split requests when fetching from the origin server, the back-to-origin request count can exceed the total number of client requests.

• Origin data transfer rate — The ratio of data fetched from the origin server to data served to clients. Calculated as: bytes returned from origin to POPs ÷ bytes returned from POPs to clients. A lower rate indicates better cache efficiency.

SNI

Server Name Indication (SNI) is an extension of SSL/TLS that allows a client to specify which domain name it is connecting to at the start of the TLS handshake. This enables a single HTTPS server (IP address) to host multiple domain names.

If your origin server's IP address is associated with multiple domain names and the origin protocol policy is set to HTTPS, configure SNI to specify the target domain name for origin fetch requests. For details, see Configure SNI.

Range origin fetch

A method of fetching only a specific byte range of a file from the origin server, using the HTTP Range header. For example, a POP can request only bytes 0–100 of a file rather than downloading the entire file.

Range origin fetch is useful for large file distribution scenarios such as on-demand video streaming and software package delivery. It increases cache hit ratios and reduces both origin traffic and load.

302 redirection

A feature that allows POPs to follow HTTP 302 redirects returned by the origin server rather than passing the 302 response back to clients. This simplifies the client request flow and speeds up content delivery.

Referer-based hotlink protection

An access control mechanism based on the HTTP Referer header, which identifies the source of a request (protocol, domain name, and query string). Configure a Referer whitelist to allow only specified sources, or a Referer blacklist to block specified sources.

For details, see Configure a Referer blacklist or whitelist.

Bandwidth cap

A configurable upper limit on the bandwidth consumed by an accelerated domain name. If the average bandwidth during any one-minute period reaches the cap, Alibaba Cloud CDN suspends the domain name and maps it to offline.***.com, making the domain temporarily inaccessible.

For details, see Configure bandwidth caps.

TTL

Time-to-live (TTL) defines how long a resource remains cached on POPs before it expires. Expired resources are evicted from POPs; requests for expired resources are considered cache misses and trigger an origin fetch, and the refreshed content is cached again.

For details, see Create a cache rule for resources.

Cache hit ratio

A measure of how effectively POPs serve content from cache without going back to the origin. A higher ratio indicates better performance. Alibaba Cloud CDN reports two types:

• Byte hit ratio

  Calculated as: (bytes returned from POPs to clients − bytes fetched from origin) ÷ bytes returned from POPs to clients. A lower byte hit ratio means more origin traffic, higher outbound bandwidth from the origin server, and heavier origin load.

• Request hit ratio

  Calculated as: (total requests to POPs − origin requests) ÷ total requests to POPs.

CORS

Cross-origin resource sharing (CORS) is an HTTP header-based access control mechanism. It allows a server to specify which origins (domain, protocol, and port) a browser may load resources from. For details, see Configure CORS.

ES

EdgeScript (ES) lets you customize CDN behavior by writing scripts that run on POPs, extending beyond the built-in configuration options.

ER

EdgeRoutine (ER) is a JavaScript runtime environment that runs on globally distributed POPs. It supports ES6 syntax and standard Web Service Worker APIs. Deploy your JavaScript code to ER, and it propagates across the entire Alibaba Cloud CDN network — allowing CDN to process requests at the POP closest to each client.

HSTS

HTTP Strict Transport Security (HSTS) is a policy mechanism that instructs browsers and other clients to connect only over HTTPS, rejecting all HTTP requests and untrusted SSL certificates.

Without HSTS, HTTP requests are redirected to HTTPS via 301 or 302 redirects — leaving the initial HTTP request exposed to potential hijacking or tampering. With HSTS enabled, clients connect directly over HTTPS from the first request, preventing man-in-the-middle (MITM) attacks.

For details, see Configure HSTS.

QUIC

Quick UDP Internet Connections (QUIC) is a transport layer protocol built on UDP. It provides the same security level as TLS/SSL while significantly reducing connection establishment time and transmission latency. QUIC also handles network congestion and maintains service availability in high packet loss or high-latency conditions.

Unlike TCP, QUIC implements congestion control at the application layer, allowing flexible algorithm adjustments based on business requirements without depending on the operating system or kernel. QUIC is a suitable alternative when TCP optimization reaches its limits.

HTTP status code

A three-digit numeric code that a server includes in its response to indicate the result of a client's request. HTTP status codes are grouped by type: