SaaS Manager-Edge Security Acceleration(ESA)-阿里云帮助中心

SaaS Manager in Edge Security Acceleration (ESA) allows you to connect your customers' custom domains, such as app.customer.com, to your existing ESA site. This lets you seamlessly extend your site's security and acceleration capabilities to your end customers, enhancing their brand trust while simplifying Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate management and security policy configuration for numerous customer domains.

Benefits

Scalable service delivery: Configure a unique custom domain for each customer, enabling your SaaS platform to deliver branded services that enhance the customer experience.
Centralized security management: All customer domains inherit the security policy from your main ESA site. This includes WAF protection, Bot Management, and Access Control, which centralizes risk management and reduces operational complexity.
High-performance content acceleration: Leverage Alibaba Cloud's global network of points of presence (POPs) to provide low-latency, high-availability content delivery for customer domains. This significantly improves access speed for your end users.
Flexible certificate management: Choose from three SSL/TLS configuration options to balance convenience and compliance: use a free certificate (issued automatically by Let's Encrypt), upload a custom certificate, or select an existing Alibaba Cloud Certificate.
Automated validation: Use a DNS TXT record to easily and securely complete domain ownership validation.
Real-time status visibility: Track the real-time status of each custom domain. Available statuses include Pending Validation, Activated, Deactivated, and Conflicted, simplifying troubleshooting and management.
ICP filing compliance: For services targeting the Chinese mainland, a built-in ICP filing check ensures compliance with local regulations.

Use cases

SaaS Manager uses CNAME records to associate your end customers' custom domains with your existing site in ESA, routing traffic for these custom domains through ESA. Common use cases include:

Multi-tenant domain hosting for SaaS platforms: A CRM service provider wants to offer dedicated subdomains, such as customer-a.crm-platform.com, to its enterprise customers. The provider also needs to ensure these domains are protected with HTTPS encryption and are resilient to attacks. By using SaaS Manager, the provider can centrally configure the origin, certificates, and security policy for all customer domains.
Accelerate branded customer portals: An e-commerce SaaS provider builds personalized storefronts for its clients, such as shop-client.example-store.com, and needs to quickly enable content delivery network (CDN) acceleration and SSL encryption. With SaaS Manager, the provider can complete the deployment without changing the client's DNS configuration.
Secure proxy for third-party application integration: A developer tools platform offers an API gateway service that allows plugin developers to use their own domains. With SaaS Manager, the platform can enforce unified authentication, rate limiting, and traffic scrubbing for all connected domains.

Configure a custom domain for a SaaS customer

Follow this example to add a customer's custom domain with zero downtime.

Scenario

A SaaS provider has onboarded the site example.com to ESA and serves content from the origin origin.example.com. The provider now wants to add a customer's domain, custom.site.com, to improve the customer website's security and performance.

Procedure overview

Add the custom domain: In your ESA site, create a new SaaS Manager instance and add the customer's domain, custom.site.com.
Verify domain ownership: Provide your customer with the validation details. The customer must add a TXT record in their DNS settings to complete the domain ownership validation.
Configure the CNAME record: Provide your customer with the CNAME address. The customer must point their domain's DNS to this address to route traffic to ESA.
Verify the setup: After the configuration is complete, verify that traffic is flowing correctly.

Step 1: Add a custom domain

On the ESA console, select Websites. In the Website column, click the target site.
In the left-side navigation pane, click DNS > SaaS Manager > Add SaaS Manager.
On the Add SaaS Manager page, enter the following information:
- Domain Name: Enter your customer's custom domain. For this example, enter custom.site.com.
- SSL/TLS: Enable SSL/TLS for the custom domain. After you enable it, select a certificate type.
  - Certificate Type: Select Free Certificate. ESA automatically provisions and configures an edge certificate for the custom domain.
- DNS Record: Select the DNS record of your service to associate with the custom domain. For this example, select origin.example.com.

Step 2: Verify domain ownership

On the SaaS Manager page, click the icon next to the new custom domain to expand the validation details. Copy the Domain Validation TXT Name and Domain Validation TXT Value.
Go to your customer's DNS provider. Create a new TXT record using the copied Domain Validation TXT Name and Domain Validation TXT Value.
After adding the record, wait for the DNS changes to propagate. Then, return to the ESA console and click Verify. Wait for the Status to change to Activated.

Step 3: Configure the CNAME record

On the SaaS Manager page, click the icon next to the custom domain to expand the details. Copy the CNAME Address.
Go to the DNS service provider for your custom domain and add a CNAME record that points to the CNAME address that you copied in the previous step:
- Host Record: Enter the prefix of the custom domain. For this example, custom.
- Record Type: Select CNAME.
- Record Value: Paste the copied CNAME Address.

Step 4: Verify the setup

After the configuration is complete, you can open a browser and go to https://custom.site.com. If the website loads correctly, the custom domain has been successfully connected and is now served by ESA.

You must wait for the Certificate Status to show as Normal before you can access the site over HTTPS. While the certificate request is processing, you can test the connection by visiting http://custom.site.com.

SaaS Manager status

Status	Description
Pending Validation	You have not yet completed the domain ownership validation for the custom domain. Follow the instructions in Step 2: Verify domain ownership to complete the configuration, then click Verify to re-validate.
Activated	The SaaS Manager instance is active and serving traffic normally.
Deactivated	The service is offline. This status can occur for the following reasons: The system detected that the custom domain is being used for activities that violate the terms of service. The domain has been blocked. For sites accelerated in the Chinese mainland or globally (including the Chinese mainland), the domain is deactivated if either your primary site or the custom domain has not completed the required ICP filing. After the ICP filing is complete, click Verify to re-validate and restore the service.
Conflicted	DNS records on a primary site have a higher priority than those in SaaS Manager. If your domain is activated but one of the following conflicts exists, the status changes to Conflicted and the domain cannot serve traffic. A conflicting A, AAAA, or CNAME record exists on an activated site. This also applies to conflicts with an origin pool or load balancing configuration. For example, if you have an activated SaaS Manager domain `customer.example.com` and also an activated primary site `example.com`, the status of your SaaS Manager domain will change to Conflicted if you add a record for `customer.example.com` or `.example.com` to the primary site. To resolve this, delete the conflicting record from the primary site and then click Verify* to re-validate.

Availability by edition

Feature	Free Edition	Basic Edition	Standard Edition	Premium Edition	Enterprise Edition
Number of SaaS Manager instances	100	100	100	100	Contact sales for a custom plan