The origin protocol policy controls how Alibaba Cloud CDN points of presence (POPs) connect to your origin server — whether over HTTP, HTTPS, or mirroring the protocol of the incoming client request.
The origin protocol policy only affects the connection between POPs and your origin server. The connection between clients and POPs is configured separately.
How it works
A CDN request involves two separate connections:
Client --(Connection 1)--> POP --(Connection 2)--> Origin server
The origin protocol policy controls Connection 2 only. By default, the policy is disabled. The protocol for Connection 2 depends on the origin port configured in Configure an origin server:
Port 443: HTTPS
Port 80 or any other port: HTTP
After you enable the policy, POPs use the protocol you specify, regardless of the origin port.
Origin HOST and Origin SNI correlation:
When you configure the origin protocol as HTTPS, we recommend that you also verify your Origin HOST and Origin SNI settings. In scenarios where the origin server hosts multiple HTTPS sites (multiple domains on one server), the CDN POP needs the correct Host header and SNI value to route to the target site:
Origin HOST: Determines the Host header value in the HTTP request when the CDN fetches from the origin. Configured in the Origin HOST section. Options include Acceleration Domain, Origin Domain, or Custom Domain.
Origin SNI: Determines the Server Name Indication value sent during the TLS handshake when the CDN fetches from the origin. Configured in the Origin SNI section.
Recommendation: When configuring HTTPS origin fetch (especially on port 443), set both Origin HOST and Origin SNI to the acceleration domain or the origin domain. Incorrect configuration of either may result in Bad Request errors, 502 errors, or origin fetch failures.
Redirect types
Redirect type | Behavior | Use when | Limitations |
HTTP | POPs always connect to the origin over HTTP. Default port: 80. | Your origin supports HTTP only, and encryption between POPs and the origin is not required. | The origin-to-POP connection is unencrypted. Do not use this if you transmit sensitive data. |
HTTPS | POPs always connect to the origin over HTTPS. Default port: 443. | Your origin supports HTTPS and you need to encrypt all traffic between POPs and the origin. | HTTPS increases computing resource consumption on the origin server. |
Follow | POPs use the same protocol as the incoming client request: HTTP requests use HTTP, HTTPS requests use HTTPS. | You serve a mix of sensitive data (such as user credentials) and non-sensitive data (such as image files and video files). | Your origin must support both HTTP and HTTPS. |
Prerequisites
Before you begin, make sure that:
You have a domain name added to Alibaba Cloud CDN.
If you plan to use the HTTPS redirect type, your origin server supports HTTPS.
If you plan to use the Follow redirect type, your origin server supports both HTTP and HTTPS.
Configure the origin protocol policy
Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
On the Domain Names page, find the domain name you want to manage and click Manage in the Actions column.
In the left-side navigation tree of the domain name, click Origin Fetch.
In the Origin Protocol Policy section, turn on Origin Protocol Policy.
In the Static Origin Protocol Policy dialog box, set Redirect Type to Follow, HTTP, or HTTPS.
HTTP Port: Available when Redirect Type is set to HTTP. Defaults to 80. You can specify a custom port in the range 1-65535.
HTTPS Port: Available when Redirect Type is set to HTTPS. Defaults to 443. You can specify a custom port in the range 1-65535.
Port range: Both HTTP Port and HTTPS Port accept values from 1 to 65535.
Client access port limitation: CDN client access only supports standard ports (HTTP 80 and HTTPS 443). You cannot access the CDN acceleration domain through non-standard ports (such as 8080 or 60080). Custom origin ports are only used for the connection between CDN POPs and the origin server.
Configuration scenarios: When your origin server listens on a non-standard port (such as 8150 or 60080), you need to:
Enable the origin protocol policy switch in the Origin Protocol Policy section.
Set the redirect type to HTTP or HTTPS (matching the protocol the origin actually listens on).
Enter the actual origin listening port in the corresponding port field.
Important: The origin protocol must match the protocol the origin server is actually listening on. For example, if the origin has no HTTPS certificate but you configure HTTPS origin fetch on the CDN, the connection will fail. Ensure the origin is listening on the configured port for the corresponding protocol.

Click OK.
Troubleshooting
502 error after configuring HTTPS origin fetch
Symptom: The website returns a 502 error after CDN acceleration.
Possible Cause: The origin server only supports HTTP (no SSL certificate or no HTTPS listener configured), but the CDN origin protocol is set to HTTPS. The CDN POP fails to establish an HTTPS connection to the origin.
Solution:
Log on to the Alibaba Cloud CDN console.
In the left-side navigation pane, click Domain Names.
Find the target domain and click Manage.
In the left-side navigation tree, click Origin Fetch.
In the Origin Protocol Policy section, click Modify.
Change the redirect type to HTTP, keep the default HTTP port 80 (or the actual origin listening port), and click OK.
If the 502 response is cached, perform a URL purge to clear the cache.
301 redirect loop when using HTTP origin fetch
Symptom: Some images or resources fail to load after CDN acceleration. The browser console shows a 301 redirect error.
Possible Cause: The origin server is configured to force HTTP-to-HTTPS redirects (for example, a 301 redirect configured in Baota panel or a WAF), while CDN fetches from the origin using HTTP on the default port 80. The origin returns a 301 redirect to HTTPS, and CDN caches this 301 response, causing a redirect loop.
Solution:
Change the origin port to 443 and the origin protocol to HTTPS:
In the Origin Protocol Policy section, click Modify.
Set the redirect type to HTTPS, HTTPS port to 443, and click OK.
Configure a status code caching rule to exclude 301 and 302 responses:
In the left-side navigation pane, select Cache Settings.
Configure a root directory cache rule with / 301=0, 302=0 (cache time 0, meaning do not cache).
Perform a directory purge to clear the cached 301 responses on edge nodes:
In the left-side navigation pane, select Purge and Prefetch.
Select Directory Purge, enter http://your-acceleration-domain/ (make sure there are no spaces before or after the URL), and click Submit.
Note: If you are using a site builder such as Baota panel, the origin does not need to force HTTPS. Just ensure the CDN origin protocol matches the origin listening protocol.
CDN returns 404 but the origin server is normal
Symptom: Accessing resources through CDN returns 404, but direct access to the origin server works.
Possible Cause:
The origin server only has port 80 open (not port 443), but the CDN origin protocol is set to HTTPS.
The origin HOST is not correctly configured (when the origin is a domain name, the origin HOST should be set to the origin domain).
Old cache is not cleared.
Solution:
Confirm the protocol and port the origin server is listening on. If the origin only supports HTTP port 80, change the origin protocol to HTTP with port 80.
If the origin is a domain name, configure the origin HOST:
In the Origin HOST section, click Modify.
Turn on the origin HOST switch, set the domain type to Origin Domain, and select the corresponding domain from the origin list.
Perform a directory purge to clear the old cache.
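The three failure modes above can be checked from any host that can reach the origin before you change the policy. The following Python sketch is an added example, not Alibaba Cloud code: it fetches / with a chosen protocol, Host header and SNI, then maps the result onto those cases. The function names, result labels and origin.example.test are assumptions, and the HTTPS probe assumes strict certificate verification.

```python
import socket
import ssl

def parse_head(raw):
    """Return (status, Location or None) from raw HTTP response bytes."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:])}
    return status, headers.get("location")

def fetch(addr, port, host, tls=False, sni=None, timeout=5.0):
    """GET / from the origin with a chosen protocol, Host header and SNI."""
    sock = None
    try:
        sock = socket.create_connection((addr, port), timeout=timeout)
        if tls:
            ctx = ssl.create_default_context()  # assumption: strict chain and name checks
            sock = ctx.wrap_socket(sock, server_hostname=sni or host)
        sock.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
        return parse_head(raw)
    except (OSError, ValueError, IndexError) as exc:
        return ("error", str(exc))  # refused, timeout, TLS failure or non-HTTP reply
    finally:
        if sock is not None:
            sock.close()

def diagnose(redirect_type, result):
    """Map a probe result onto the failure modes in Troubleshooting."""
    status, detail = result
    if status == "error":
        return "https-fetch-fails" if redirect_type == "HTTPS" else "http-fetch-fails"
    if redirect_type == "HTTP" and status in (301, 302) \
            and (detail or "").lower().startswith("https://"):
        return "origin-forces-https"
    if status == 404:
        return "check-origin-host"
    return "ok" if status < 400 else "origin-error"

if __name__ == "__main__":
    # Constructed reply from an origin that forces HTTP-to-HTTPS redirects.
    sample = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://origin.example.test/\r\n\r\n"
    print(diagnose("HTTP", parse_head(sample)))
```

Against a real origin, call `fetch(origin_ip, 443, host, tls=True, sni=host)` with the Origin HOST and Origin SNI values you intend to configure, and pass the result to `diagnose("HTTPS", ...)`.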
Do I need to configure an SSL certificate on the origin server when the origin protocol is set to HTTPS?
It depends on your origin fetch configuration:
HTTPS origin fetch (port 443 or other HTTPS port): The CDN POP connects to the origin over HTTPS and validates the origin's SSL certificate. In this case, the origin server must have a valid SSL certificate configured; otherwise, the origin fetch connection will fail.
HTTP origin fetch (port 80 or other HTTP port): The CDN POP connects to the origin over HTTP and does not validate any origin certificate. In this case, the origin server does not need an SSL certificate — you only need to maintain the certificate for the acceleration domain on the CDN side.
Recommendation: If you only need HTTPS encryption between the client and the CDN POP, and the network between the CDN POP and the origin is trusted, you can switch the origin protocol to HTTP. This simplifies origin server management by requiring certificate maintenance only on the CDN side.
What should I do if origin fetch fails when using "Follow" mode and the origin does not support HTTPS?
Explanation: In Follow mode, the CDN origin protocol matches the client access protocol: when the client uses HTTP, CDN fetches via HTTP; when the client uses HTTPS, CDN fetches via HTTPS. If your origin server does not support HTTPS and a client accesses CDN via HTTPS, the CDN's attempt to fetch from the origin via HTTPS will fail.
Solutions:
Option 1: Change the origin protocol from Follow to HTTP.
In the Origin Protocol Policy section, click Modify.
Change the redirect type to HTTP and click OK.
This ensures CDN always uses HTTP for origin fetch regardless of the client protocol.
Option 2: Configure an SSL certificate on the origin server to enable HTTPS support.