The origin protocol policy specifies the protocol a point of presence (POP) uses to fetch resources from an origin server. After you configure this feature, POPs fetch resources from the origin server using the specified protocol. You can also set custom ports for HTTP and HTTPS.
Feature overview
By default, the origin protocol policy feature is disabled. When this feature is disabled, the protocol for origin requests depends on the origin port that you set when you configure an origin server:
If the origin port is set to 443, POPs fetch resources over HTTPS.
If the origin port is set to 80 or another port, POPs fetch resources over HTTP.
After you configure the origin protocol policy, POPs fetch resources based on the specified protocol:
HTTP: POPs always use HTTP to fetch resources from the origin server.
HTTPS: POPs always use HTTPS to fetch resources from the origin server.
Follow:
If a user accesses CDN over HTTP, the POP uses HTTP to fetch resources from the origin server.
If a user accesses CDN over HTTPS, the POP uses HTTPS to fetch resources from the origin server.
HTTPS is designed to prevent data from being modified or recorded during transmission. HTTPS encryption consumes additional processing resources on your origin server. If you need to transmit only sensitive data, such as user authentication information, over HTTPS and use HTTP for non-sensitive data, such as images, we recommend that you set the origin protocol policy to Follow.
Relationship between origin Host and origin SNI
When you set the origin protocol policy to HTTPS, we recommend that you also check the default origin Host and origin SNI configurations. In scenarios where an origin server hosts multiple domains (for example, multiple HTTPS sites are deployed on a single server), a POP requires the correct Host header and SNI value to route an HTTPS origin request to the intended site:
Origin Host: Determines the value of the Host header in the HTTP request sent to the origin server. You can configure this in the Default Origin Host section by selecting accelerated domain name, origin domain name, or a custom domain.
Origin SNI: Determines the SNI value sent during the TLS handshake for an origin request. You can configure this in the origin SNI section by enabling the feature and providing an SNI value.
Recommendation: When configuring HTTPS for origin requests, especially on port 443, set both the origin Host and origin SNI to either the accelerated domain name or the origin domain name. If either setting is incorrect, origin request failures such as Bad Request or 502 errors can occur.
Procedure
-
Log on to the CDN console.
-
In the left navigation pane, click Domain Names.
-
On the Domain Names page, find the target domain name and click Manage in the Actions column.
-
In the domain's navigation pane, click Origin Fetch.
In the Origin Protocol Policy section, turn on the Origin Protocol Policy switch.
In the Static Origin Protocol Policy dialog box, select a policy type: Follow, HTTP, or HTTPS.
NoteFor HTTP origin requests, port 80 is used by default. You can specify a custom port by configuring the HTTP Port.
For HTTPS origin requests, port 443 is used by default. You can specify a custom port by configuring the HTTPS Port.
Custom origin ports
Port range: The valid range for both HTTP Port and HTTPS Port is 1 to 65535.
Client access port limits: Client requests to CDN can only use standard ports (HTTP 80 and HTTPS 443). You cannot directly access an accelerated domain name by using a non-standard port such as 8080 or 60080. Custom origin ports are used only for connections between POPs and your origin server.
Use case: If your origin server listens for HTTP or HTTPS services on a non-standard port, such as 8150 or 60080, you must do the following:
In the Origin Protocol Policy section, turn on the switch.
Set the policy type to HTTP or HTTPS to match the protocol your origin server listens on.
In the corresponding port field, enter the custom port number that your origin server listens on.
Important: The origin protocol policy must match the protocol that your origin server uses. For example, if your origin server does not have an SSL certificate but you configure HTTPS for origin requests, the connection will fail. Ensure that your origin server is listening for requests on the specified port using the correct protocol.
Click OK.
FAQ
502 error with HTTPS origin
Symptom: Accessing your website through CDN returns a 502 error.
Possible cause: Your origin server supports only HTTP (it does not have an SSL certificate or is not listening for HTTPS connections), but the CDN origin protocol policy is set to HTTPS. This causes the origin server to reject the HTTPS connection attempt from the POP.
Solution:
Log on to the CDN console, and in the left-side navigation pane, click Domain Names.
Find the target domain name and click Manage.
In the left-side navigation pane, select Origin Fetch.
In the Origin Protocol Policy section, click Modify.
Change the policy type to HTTP, keep the HTTP port as 80 (or specify your custom origin port), and click OK.
If the 502 response was cached, refresh the URL to clear the cache.
301 redirect loop with HTTP origin
Symptom: Some images or resources fail to load when accelerated by CDN, and the browser console shows 301 redirect errors.
Possible cause: Your origin server is configured to enforce a redirect from HTTP to HTTPS (for example, with a 301 redirect rule in Baota Panel or a WAF). When a POP sends an origin request over HTTP to port 80, the origin server responds with a 301 redirect to HTTPS. The POP then caches this 301 response, causing a redirect loop.
Solution:
Change the origin port to 443 and the origin protocol policy to HTTPS.
In the Origin Protocol Policy section, click Modify.
Change the policy type to HTTPS, set the HTTPS port to 443, and click OK.
Configure a caching rule to ignore 301 and 302 responses.
In the left-side navigation pane, select Caching Configuration.
Configure a caching rule for the root directory to set the cache duration for 301 and 302 responses to 0 seconds, which disables caching for these status codes: / 301=0, 302=0.
Perform a directory refresh to clear the cached 301 responses from the POPs.
In the left-side navigation pane, select Refresh and Prefetch.
For the refresh type, select Directory Refresh. Enter http://your-accelerated-domain.com/ and ensure that there are no leading or trailing spaces. Click Submit.
If you use a website management tool like Baota Panel, you do not need to enforce HTTPS on the origin server. Instead, ensure that the CDN origin protocol policy matches the protocol that the origin server listens on.
CDN returns 404 but origin is accessible
Symptom: Accessing a resource through CDN returns a 404 error, but accessing the origin server directly works as expected.
Possible causes:
The origin server listens only on port 80 and not on port 443, but the CDN origin protocol policy is set to HTTPS.
The origin Host is not set correctly. If the origin server is specified by a domain name, the origin Host must be set to that origin domain name.
Stale cache has not been cleared.
Solution:
Confirm the protocol and port that your origin server listens on. If the origin server supports only HTTP on port 80, change the origin protocol policy to HTTP and set the port to 80.
If your origin server is specified by a domain name, configure the origin Host.
In the Default Origin Host section, click Modify.
Turn on the origin Host switch, select origin domain name as the domain type, and select the corresponding domain name from the origin list.
Perform a directory refresh to clear the stale cache.
Does the origin server require an SSL certificate when the origin protocol policy is set to HTTPS?
Yes. This requirement depends on the origin request protocol:
HTTPS origin requests (on port 443 or another HTTPS port): The POP connects to the origin server over HTTPS and validates its SSL certificate. In this case, the origin server must have a valid SSL certificate. Otherwise, the connection fails.
HTTP origin requests (on port 80 or another HTTP port): The POP connects to the origin server over HTTP and does not perform certificate validation. In this case, the origin server does not need an SSL certificate. You only need to maintain the certificate for the accelerated domain name in the CDN console.
Recommendation: If you only require HTTPS encryption between clients and POPs and the network between POPs and your origin server is trusted, you can change the origin protocol policy to HTTP. This simplifies origin server management because you only need to maintain the certificate in the CDN console.
What do I do if the origin server does not support HTTPS and the Follow policy causes access failures?
Description: When you select the Follow policy, the origin request protocol matches the client request protocol. If a client accesses CDN over HTTP, the POP uses HTTP for the origin request. If a client accesses CDN over HTTPS, the POP uses HTTPS for the origin request. If your origin server does not support HTTPS, origin requests will fail when clients access CDN over HTTPS.
Solution:
Option 1: Change the origin protocol policy from Follow to HTTP.
In the Origin Protocol Policy section, click Modify.
Change the policy type to HTTP and click OK.
This ensures that POPs always use HTTP for origin requests, regardless of the protocol used by the client.
Option 2: Configure an SSL certificate on your origin server to enable HTTPS support.