Using HTTPS and HTTP/2, you can provide users with a more secure, faster, and smoother network experience.
Configure HTTPS
Introduction
Hyper Text Transfer Protocol over Secure Socket Layer (HTTPS) is a secure HTTP channel that uses the SSL or TLS protocol for encapsulation. ApsaraVideo Live provides HTTPS to securely accelerate content delivery. You can view, disable, enable, and edit certificates. If a certificate is correctly configured and enabled for a domain, both HTTP and HTTPS requests are supported. If the certificate does not match the domain or is disabled, only HTTP requests are supported.
Benefits of HTTPS
-
Encrypts sensitive information, such as session IDs and cookies, during transmission. This prevents security risks, such as information leakage, if the data is intercepted by attackers.
-
HTTPS verifies data integrity during transmission to protect against man-in-the-middle (MITM) attacks, such as DNS and content hijacking or tampering.
Usage notes
Configuration
|
Action |
Description |
|
Disable and Enable HTTPS |
|
|
View a certificate |
You can view certificate information. However, you cannot view the private key because it is sensitive. Make sure to store your certificate and private key securely. |
|
Edit a certificate |
You can edit a certificate. The change takes about five minutes to take effect. Proceed with caution. |
Certificates
-
ApsaraVideo Live supports two types of certificate deployment: certificates from Certificate Management Service and custom certificates.
-
To enable Enable HTTPS for a streaming domain, you must upload a certificate and its private key. Both must be in PEM format.
ApsaraVideo Live uses Tengine, which is based on Nginx. Therefore, it supports only Nginx-compatible certificate formats, such as PEM.
-
Only SSL or TLS handshakes that include Server Name Indication (SNI) are supported.
-
The certificate and private key that you upload must match. Otherwise, validation fails.
-
Certificate updates take about five minutes to take effect.
-
Password-protected private keys are not supported.
Procedure
Step 1: Purchase a certificate
To enable Enable HTTPS, you need a certificate that matches your streaming domain. If you do not have one, go to Certificate Management Service and click Buy Now. If you have a custom certificate, you can skip this step.
Step 2: Configure a streaming domain
-
Enable HTTPS.
-
Log on to the ApsaraVideo Live console.
-
In the left navigation pane, click Domain Names. The Domain Management page appears.
-
Find the streaming domain for which you want to configure HTTPS and click Domain Settings in the Actions column.
-
Click HTTPS Settings and turn on the HTTPS Certificate switch.
-
-
Select a certificate.
-
Certificate from Certificate Management Service: For Certificate Type, select Alibaba Cloud Security. Select the certificate that you purchased from Certificate Management Service. You can select it by name to match the streaming domain.
-
Custom certificate: For Certificate Type, select Others. Enter a certificate name, and then upload the certificate content and private key. The certificate is saved in the Certificate Management Service console and can be viewed in the My Certificates section.
NoteOnly certificates in PEM format are supported.
-
Step 3: Verify the configuration
The settings take about one minute to take effect across the network. To verify that the certificate has taken effect, access a resource by using an https:// URL. If a lock icon appears in your browser's address bar, the certificate is active and HTTPS is enabled.
Configure HTTP/2
Introduction
HTTP/2, also known as HTTP 2.0, introduces features such as multiplexing, header compression, request prioritization, and server push. It addresses the limitations of HTTP 1.1 to optimize request performance while remaining compatible with HTTP 1.1 semantics. Modern browsers such as Chrome, Edge, Safari, and Firefox support the HTTP/2 protocol.
Benefits of HTTP/2
-
Binary protocol: Unlike the text-based parsing of HTTP 1.x, HTTP/2 splits all transmitted information into smaller messages and frames, and encodes them in a binary format. This binary foundation allows for greater protocol extensibility, such as introducing frames to transport data and commands.
-
Multiplexing: In HTTP 1.x, performance optimizations often involve techniques like using image sprites and multiple domains because browsers limit the number of concurrent requests per domain. When a page needs to load many resources, head-of-line blocking can occur, which forces resources to wait for other requests to complete. In HTTP/2, the binary framing layer allows multiple requests and responses to be sent concurrently over a shared TCP connection. The recipient reassembles them by using stream identifiers and headers. This technique avoids the head-of-line blocking issue of older HTTP versions and greatly improves transmission performance.
-
Header compression: HTTP request headers contain a large amount of repetitive information. HTTP/2 uses the HPACK format for compression. Both the client and server maintain an index table of header fields. Identical headers are transmitted by using only their index numbers, which improves efficiency and speed.
-
Server push: A server can send multiple responses for a single client request. This allows the server to push resources to the client without the client explicitly requesting them.
Usage notes
Before you proceed, ensure that HTTPS is enabled.
-
If you are configuring an HTTPS certificate for the first time, you must wait for it to take effect before you can enable HTTP/2.
-
If you disable the HTTPS certificate feature, the HTTP/2 setting is dimmed and cannot be enabled.
-
If you enable HTTP/2 and then disable the HTTPS certificate feature, HTTP/2 is also automatically disabled.
Enable or disable HTTP/2
- Log on to the ApsaraVideo Live console.
In the left navigation pane, click Domain Names. The Domain Management page appears.
Find the streaming domain that you want to configure and click Domain Settings in the Actions column.
-
In the left-side navigation pane for the domain, click HTTPS Settings.
-
In the HTTP/2 section, turn the HTTP/2 switch on or off.
Force redirect
Before you proceed, ensure that HTTPS is enabled.
Introduction
If you have enabled HTTPS for your streaming domain, you can configure a force redirect to automatically change the protocol of end-user requests.
For example, if you enable the HTTP > HTTPS redirect, when an end user makes an HTTP request, the server returns a 301 response that redirects the request to HTTPS. The following code provides an example.
$ curl http://xxx xxx xxx/' -i
HTTP/1.1 301 Moved Permanently
Server: Tengine
Date: Mon, 03 Jun 2019 13:26:01 GMT
Content-Type: text/html
Content-Length: 278
Connection: keep-alive
Location: https://xxx xxx xxx/
Via: cache2.cn201[,0]
Timing-Allow-Origin: *
EagleId: 2a786b0215595683612635433e
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<h1>301 Moved Permanently</h1>
<p>The requested resource has been assigned a new permanent URI.</p>
<hr/>Powered by Tengine</body>
</html>
Procedure
- Log on to the ApsaraVideo Live console.
In the left navigation pane, click Domain Names. The Domain Management page appears.
Find the streaming domain that you want to configure and click Domain Settings in the Actions column.
-
In the left-side navigation pane for the domain, click .
-
Click Change Settings.
The Modify Configuration button is in the Force Redirect section.
-
Select a Redirect Type.
After selecting a type, click OK.
Redirect type
Description
Default
Both HTTP and HTTPS requests are supported.
HTTPS > HTTP
Requests from clients to points of presence (POPs) are redirected to HTTP.
HTTP > HTTPS
Requests from clients to POPs are redirected to HTTPS to ensure secure access.
-
Click OK.
Certificate format description
This section describes the certificate formats that ApsaraVideo Live supports and how to convert certificates to the required format.
Certificates issued by a root CA
Certificates issued by a root certificate authority (CA) can be used for various types of server software, such as Apache, IIS, Nginx, and Tomcat. ApsaraVideo Live uses Nginx servers to process certificates. The certificate file usually has a .crt extension, and the private key file usually has a .key extension.
When you upload a certificate, follow these formatting rules:
Include the header
-----BEGIN CERTIFICATE-----and the footer-----END CERTIFICATE-----.Each line must contain 64 characters. The last line can contain fewer than 64 characters.
The following figure shows an example of a certificate in PEM format in a Linux environment.

Certificates issued by an intermediate authority
If your certificate is issued by an intermediate authority, the certificate file contains multiple certificates. You must combine the server certificate and the intermediate certificate into a single file before you upload it.
Concatenation rule: The server certificate must be placed before the intermediate certificate. The issuing authority typically provides instructions with the certificate. Make sure to follow the provided rules.
Certificate chain issued by an intermediate authority:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate chain rules:
Do not include empty lines between certificates.
Each certificate must comply with the formatting requirements.
RSA private key format requirements
Follow these rules for RSA private keys:
To generate a private key locally, run the following command:
openssl genrsa -out privateKey.pem 2048. In this command,privateKey.pemis your private key file.The key must start with
-----BEGIN RSA PRIVATE KEY-----and end with-----END RSA PRIVATE KEY-----. Include these header and footer lines when you upload the key.Each line must contain 64 characters. The last line can contain fewer than 64 characters.

If you did not generate your private key using the method described above, and it is in a format that includes -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----, you can convert it as follows:
openssl rsa -in old_server_key.pem -out new_server_key.pemThen, upload the content of new_server_key.pem together with the certificate.
Methods to convert certificate formats
HTTPS secure acceleration supports only certificates in PEM format. If your certificate is in a different format, you must convert it to PEM. You can use the OpenSSL tool to perform the conversion. The following table describes how to convert certificates from several common formats to the PEM format.
Conversion method | Description |
Convert DER to PEM | The DER format is common on the Java platform.
|
Convert P7B to PEM | The P7B format is common on Windows Server and Tomcat.
|
Convert PFX to PEM | The PFX format is common on Windows Server.
|