HTTPS settings

更新时间:
复制 MD 格式

Using HTTPS and HTTP/2, you can provide users with a more secure, faster, and smoother network experience.

Configure HTTPS

Introduction

Hyper Text Transfer Protocol over Secure Socket Layer (HTTPS) is a secure HTTP channel that uses the SSL or TLS protocol for encapsulation. ApsaraVideo Live provides HTTPS to securely accelerate content delivery. You can view, disable, enable, and edit certificates. If a certificate is correctly configured and enabled for a domain, both HTTP and HTTPS requests are supported. If the certificate does not match the domain or is disabled, only HTTP requests are supported.

Benefits of HTTPS

  • Encrypts sensitive information, such as session IDs and cookies, during transmission. This prevents security risks, such as information leakage, if the data is intercepted by attackers.

  • HTTPS verifies data integrity during transmission to protect against man-in-the-middle (MITM) attacks, such as DNS and content hijacking or tampering.

Usage notes

Configuration

Action

Description

Disable and Enable HTTPS

  • After the feature is Disable, HTTPS requests will not be supported and certificate or private key information will no longer be retained.

  • To Enable HTTPS, you must upload the certificate and private key again.

View a certificate

You can view certificate information. However, you cannot view the private key because it is sensitive. Make sure to store your certificate and private key securely.

Edit a certificate

You can edit a certificate. The change takes about five minutes to take effect. Proceed with caution.

Certificates

  • ApsaraVideo Live supports two types of certificate deployment: certificates from Certificate Management Service and custom certificates.

  • To enable Enable HTTPS for a streaming domain, you must upload a certificate and its private key. Both must be in PEM format.

Note

ApsaraVideo Live uses Tengine, which is based on Nginx. Therefore, it supports only Nginx-compatible certificate formats, such as PEM.

  • Only SSL or TLS handshakes that include Server Name Indication (SNI) are supported.

  • The certificate and private key that you upload must match. Otherwise, validation fails.

  • Certificate updates take about five minutes to take effect.

  • Password-protected private keys are not supported.

Procedure

Step 1: Purchase a certificate

To enable Enable HTTPS, you need a certificate that matches your streaming domain. If you do not have one, go to Certificate Management Service and click Buy Now. If you have a custom certificate, you can skip this step.

Step 2: Configure a streaming domain

  1. Enable HTTPS.

    1. Log on to the ApsaraVideo Live console.

    2. In the left navigation pane, click Domain Names. The Domain Management page appears.

    3. Find the streaming domain for which you want to configure HTTPS and click Domain Settings in the Actions column.

    4. Click HTTPS Settings and turn on the HTTPS Certificate switch.

  2. Select a certificate.

    • Certificate from Certificate Management Service: For Certificate Type, select Alibaba Cloud Security. Select the certificate that you purchased from Certificate Management Service. You can select it by name to match the streaming domain.

    • Custom certificate: For Certificate Type, select Others. Enter a certificate name, and then upload the certificate content and private key. The certificate is saved in the Certificate Management Service console and can be viewed in the My Certificates section.

      Note

      Only certificates in PEM format are supported.

Step 3: Verify the configuration

The settings take about one minute to take effect across the network. To verify that the certificate has taken effect, access a resource by using an https:// URL. If a lock icon appears in your browser's address bar, the certificate is active and HTTPS is enabled.

Configure HTTP/2

Introduction

HTTP/2, also known as HTTP 2.0, introduces features such as multiplexing, header compression, request prioritization, and server push. It addresses the limitations of HTTP 1.1 to optimize request performance while remaining compatible with HTTP 1.1 semantics. Modern browsers such as Chrome, Edge, Safari, and Firefox support the HTTP/2 protocol.

Benefits of HTTP/2

  • Binary protocol: Unlike the text-based parsing of HTTP 1.x, HTTP/2 splits all transmitted information into smaller messages and frames, and encodes them in a binary format. This binary foundation allows for greater protocol extensibility, such as introducing frames to transport data and commands.

  • Multiplexing: In HTTP 1.x, performance optimizations often involve techniques like using image sprites and multiple domains because browsers limit the number of concurrent requests per domain. When a page needs to load many resources, head-of-line blocking can occur, which forces resources to wait for other requests to complete. In HTTP/2, the binary framing layer allows multiple requests and responses to be sent concurrently over a shared TCP connection. The recipient reassembles them by using stream identifiers and headers. This technique avoids the head-of-line blocking issue of older HTTP versions and greatly improves transmission performance.

  • Header compression: HTTP request headers contain a large amount of repetitive information. HTTP/2 uses the HPACK format for compression. Both the client and server maintain an index table of header fields. Identical headers are transmitted by using only their index numbers, which improves efficiency and speed.

  • Server push: A server can send multiple responses for a single client request. This allows the server to push resources to the client without the client explicitly requesting them.

Usage notes

Before you proceed, ensure that HTTPS is enabled.

Note
  • If you are configuring an HTTPS certificate for the first time, you must wait for it to take effect before you can enable HTTP/2.

  • If you disable the HTTPS certificate feature, the HTTP/2 setting is dimmed and cannot be enabled.

  • If you enable HTTP/2 and then disable the HTTPS certificate feature, HTTP/2 is also automatically disabled.

Enable or disable HTTP/2

  1. Log on to the ApsaraVideo Live console.
  2. In the left navigation pane, click Domain Names. The Domain Management page appears.

  3. Find the streaming domain that you want to configure and click Domain Settings in the Actions column.

  4. In the left-side navigation pane for the domain, click HTTPS Settings.

  5. In the HTTP/2 section, turn the HTTP/2 switch on or off.

Force redirect

Important

Before you proceed, ensure that HTTPS is enabled.

Introduction

If you have enabled HTTPS for your streaming domain, you can configure a force redirect to automatically change the protocol of end-user requests.

For example, if you enable the HTTP > HTTPS redirect, when an end user makes an HTTP request, the server returns a 301 response that redirects the request to HTTPS. The following code provides an example.

$ curl http://xxx xxx xxx/' -i
HTTP/1.1 301 Moved Permanently
Server: Tengine
Date: Mon, 03 Jun 2019 13:26:01 GMT
Content-Type: text/html
Content-Length: 278
Connection: keep-alive
Location: https://xxx xxx xxx/
Via: cache2.cn201[,0]
Timing-Allow-Origin: *
EagleId: 2a786b0215595683612635433e
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<h1>301 Moved Permanently</h1>
<p>The requested resource has been assigned a new permanent URI.</p>
&lt;hr/&gt;Powered by Tengine</body>
</html>

Procedure

  1. Log on to the ApsaraVideo Live console.
  2. In the left navigation pane, click Domain Names. The Domain Management page appears.

  3. Find the streaming domain that you want to configure and click Domain Settings in the Actions column.

  4. In the left-side navigation pane for the domain, click Streaming Management > HTTPS Settings.

  5. Click Change Settings.

    The Modify Configuration button is in the Force Redirect section.

  6. Select a Redirect Type.

    After selecting a type, click OK.

    Redirect type

    Description

    Default

    Both HTTP and HTTPS requests are supported.

    HTTPS > HTTP

    Requests from clients to points of presence (POPs) are redirected to HTTP.

    HTTP > HTTPS

    Requests from clients to POPs are redirected to HTTPS to ensure secure access.

  7. Click OK.

Certificate format description

This section describes the certificate formats that ApsaraVideo Live supports and how to convert certificates to the required format.

Certificates issued by a root CA

Certificates issued by a root certificate authority (CA) can be used for various types of server software, such as Apache, IIS, Nginx, and Tomcat. ApsaraVideo Live uses Nginx servers to process certificates. The certificate file usually has a .crt extension, and the private key file usually has a .key extension.

When you upload a certificate, follow these formatting rules:

  • Include the header -----BEGIN CERTIFICATE----- and the footer -----END CERTIFICATE-----.

  • Each line must contain 64 characters. The last line can contain fewer than 64 characters.

The following figure shows an example of a certificate in PEM format in a Linux environment.

image

Certificates issued by an intermediate authority

If your certificate is issued by an intermediate authority, the certificate file contains multiple certificates. You must combine the server certificate and the intermediate certificate into a single file before you upload it.

Note

Concatenation rule: The server certificate must be placed before the intermediate certificate. The issuing authority typically provides instructions with the certificate. Make sure to follow the provided rules.

Certificate chain issued by an intermediate authority:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Certificate chain rules:

  • Do not include empty lines between certificates.

  • Each certificate must comply with the formatting requirements.

RSA private key format requirements

Follow these rules for RSA private keys:

  • To generate a private key locally, run the following command: openssl genrsa -out privateKey.pem 2048. In this command, privateKey.pem is your private key file.

  • The key must start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----. Include these header and footer lines when you upload the key.

  • Each line must contain 64 characters. The last line can contain fewer than 64 characters.

image

If you did not generate your private key using the method described above, and it is in a format that includes -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----, you can convert it as follows:

openssl rsa -in old_server_key.pem -out new_server_key.pem

Then, upload the content of new_server_key.pem together with the certificate.

Methods to convert certificate formats

HTTPS secure acceleration supports only certificates in PEM format. If your certificate is in a different format, you must convert it to PEM. You can use the OpenSSL tool to perform the conversion. The following table describes how to convert certificates from several common formats to the PEM format.

Conversion method

Description

Convert DER to PEM

The DER format is common on the Java platform.

  • Certificate conversion:

    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Private key conversion:

    openssl rsa -inform DER -outform pem -in privatekey.der -out privatekey.pem

Convert P7B to PEM

The P7B format is common on Windows Server and Tomcat.

  • Certificate conversion:

    openssl pkcs7 -print_certs -in incertificat.p7b -out outcertificate.cer

    Get the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- from outcertificat.cer and upload it as the certificate.

  • Private key conversion: P7B certificates do not have a private key. You only need to enter the certificate content in the console. You do not need to enter a private key.

Convert PFX to PEM

The PFX format is common on Windows Server.

  • Certificate conversion:

    openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
  • Private key conversion:

    openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes