End-to-end HTTPS encryption protects all communications between clients and servers from man-in-the-middle attacks, eavesdropping, and tampering.
Why HTTPS
- HTTPS protects communications from eavesdropping, tampering, impersonation, and hijacking. It encrypts sensitive data such as session IDs and cookies during transmission, minimizing the risk of information leaks.
- HTTPS is the industry standard. Websites served over HTTP are flagged as insecure by browsers, which exposes them to security risks and degrades user experience.
- Search engines rank HTTPS-enabled websites higher, improving their visibility in search results.
How it works
SSL/TLS configuration consists of two parts:
- Access connection: the encrypted connection between clients and ESA. To implement this, configure an edge certificate and client certificate.
- Origin connection: the encrypted connection between ESA and your origin. To implement this, configure an origin certificate.
The following figure shows encryption with edge certificates:

Deploy an SSL certificate and enable SSL/TLS on ESA POPs so that clients can access ESA over HTTPS.
The following figure shows encryption with client certificates:

If mutual Transport Layer Security (mTLS) is required between clients and ESA, use the ESA-managed certificate authority (CA) to generate a certificate and configure it on the client. With mTLS enabled, ESA requires the client to present a certificate for verification.
The following figure shows encryption with origin certificates:

Configure the following SSL/TLS features for the connection between ESA and your origin:
- Origin Protocol and Port: the protocol (HTTP or HTTPS) used by ESA to access your origin and the corresponding port.
- Enforce Validation of Origin Certificate: By default, the origin certificate is not validated for origin pulls over HTTPS. If you enable Enforce Validation of Origin Certificate, ESA will check the validity of the origin certificate, including its expiration and CA validation status. Any connections that fail the validation will be terminated.
- Authenticated Origin Pulls: Guarantee that requests to your origin server are coming from ESA by verifying the certificate presented by ESA.
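Because Enforce Validation of Origin Certificate terminates connections that fail, it helps to test the origin certificate for the two properties named above (expiration and CA chain) before turning the feature on. The script below is an added example, not ESA tooling or code from this documentation; it assumes the `openssl` CLI is installed, and the test CA, `origin.example.com`, and all file names are constructed. It does not reproduce ESA's own validation logic.

```bash
#!/bin/sh
# Added example. All keys and certificates are constructed test material;
# nothing here contacts ESA or a real origin.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test CA (stands in for the CA that issued your origin certificate).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Origin certificate issued by the test CA, valid for one day.
make_origin_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=origin.example.com" \
    -keyout "$WORK/origin.key" -out "$WORK/origin.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/origin.csr" -days 1 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/origin.pem" 2>/dev/null
}

# Self-signed origin certificate: encrypts traffic but chains to no trusted CA.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=origin.example.com" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# check_cert CERT [EPOCH]: print "pass" if CERT chains to the test CA and is
# within its validity period at EPOCH (default: now), otherwise "fail".
check_cert() {
  cert="$1"
  at="${2:-$(date +%s)}"
  if openssl verify -CAfile "$WORK/ca.pem" -attime "$at" "$cert" >/dev/null 2>&1
  then echo pass; else echo fail; fi
}

make_ca && make_origin_cert && make_self_signed || exit 1
LATER=$(( $(date +%s) + 10 * 86400 ))   # ten days ahead, past the 1-day validity
echo "CA-issued, in date:       $(check_cert "$WORK/origin.pem")"
echo "self-signed:              $(check_cert "$WORK/self.pem")"
echo "CA-issued, 10 days later: $(check_cert "$WORK/origin.pem" "$LATER")"
```

To check a real origin certificate, pass its PEM file to `check_cert` and use the issuing CA bundle in place of the constructed `ca.pem`.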