This topic describes how HTTPS secure acceleration works, its benefits, use cases, and how to enable it. You can enable HTTPS secure acceleration to encrypt requests between clients and points of presence (POPs) to ensure data security in transit. ApsaraVideo VOD uses a content delivery network (CDN) for acceleration.
Background
You can configure HTTPS secure acceleration in the ApsaraVideo VOD console to encrypt requests between clients and points of presence (POPs).
When a POP returns resources from an origin server to a client, the POP follows the origin server's configuration. We recommend that you configure and enable HTTPS on your origin server to implement end-to-end encryption.
How it works
The following figure shows the HTTPS encryption process.
-
A client sends an HTTPS request.
-
The server generates a public key and a private key. You can create the keys or request them from a certificate authority (CA).
-
The server sends the public key certificate to the client.
-
The client verifies the certificate.
-
If the certificate is valid, the client generates a random number (key), encrypts it by using the public key, and then sends the encrypted number to the server.
-
If the certificate is invalid, the SSL handshake fails.
NoteValidation includes the following checks: the certificate is not expired, the certificate authority (CA) that issued the server certificate is trusted, the issuer's public key can verify the digital signature on the server certificate, and the domain name on the server certificate matches the actual domain name of the server.
-
-
The server uses the private key to decrypt the message and obtain the random number (key).
-
The server uses the key to encrypt the data for transmission.
-
The client uses the key to decrypt the encrypted data from the server and obtain the requested data.
Benefits
HTTPS secure transmission offers the following benefits:
-
Secure data transmission over HTTPS prevents eavesdropping, tampering, impersonation, and hijacking risks that can occur with plaintext HTTP transmission.
-
Your critical information is encrypted during transmission to prevent sensitive data leaks, such as when attackers capture session IDs or cookie content.
-
Data integrity is verified during transmission to prevent man-in-the-middle (MITM) attacks, such as DNS or content hijacking and tampering by third parties.
-
Using HTTPS is now standard practice. Major browsers mark HTTP sites as insecure. Continuing to use HTTP creates security vulnerabilities and browser warnings that can deter users and reduce traffic.
-
Major browsers boost the search ranking for HTTPS websites and support HTTP/2, which requires HTTPS. The widespread adoption of HTTPS also benefits security, marketing, and user experience. Therefore, we strongly recommend upgrading your access protocol to HTTPS.
Use cases
The following table describes the main use cases for HTTPS secure transmission.
|
Use case |
Description |
|
Enterprise applications |
If a website contains confidential enterprise information, such as CRM or ERP data, hijacking or intercepting this information during access can be catastrophic for the enterprise. |
|
Government information |
Information on government websites must be authoritative and accurate. It is essential to prevent phishing, fraud, and information hijacking to prevent information hijacking or leaks that could cause a crisis of public trust. |
|
Payment systems |
The payment process involves sensitive information such as names and phone numbers. To prevent information hijacking and fraudulent impersonation, you must enable HTTPS encryption. This prevents scenarios where customers, after placing an order, receive fraudulent messages with their personal and order details, asking for a second payment due to a "stuck order". Such scams can cause significant losses for both the customer and the business. |
|
API |
HTTPS protects the transmission of sensitive information and critical operational commands, preventing data from being hijacked. |
|
Enterprise websites |
Using HTTPS displays the green security lock icon (for DV or OV certificates) or the company name in the address bar (for EV certificates), which gives potential customers a more trustworthy and secure browsing experience. |
Procedure
-
Purchase a certificate.
To enable HTTPS secure acceleration, you need a certificate that matches your accelerated domain name. In SSL Certificate Service, you can apply for a free personal test certificate or purchase a commercial certificate based on your business needs.
On the purchase page, configure parameters based on your business needs, such as Domain Type (wildcard or single domain), Certificate Type (OV Enterprise SSL or DV Domain SSL), Certificate Level (for example, Professional, which supports multiple algorithms such as RSA, ECC, and SM2), and Certificate Brand (GlobalSign, GeoTrust, CFCA (for use in China), and DigiCert (formerly Symantec)).
-
Configure the HTTPS certificate.
-
In the left-side navigation pane, choose Configuration Management.
-
Click to go to the Domain Names page.
-
Find the domain name that you want to configure and click Configure in the Actions column.
-
Click the HTTPS tab. In the HTTPS Certificate section, click Modify.
-
Modify the configuration.
NoteAn expired or invalid HTTPS certificate may cause playback failures. Make sure your certificate is valid and not expired.
Parameter
Description
Certificate Type
-
Certificate Management Service
You can apply for certificates of various brands and types in the SSL Certificate Service console. For more information, see Apply for a certificate.
After you apply for a free personal test certificate, set Certificate Type to Certificate Management Service and select the free test certificate that you applied for.
-
A free personal test certificate is typically issued within one to two business days. During this period, you can choose to upload a custom certificate or a different certificate from Certificate Management Service.
NoteCertificate issuance time varies by CA and can take from several hours to two business days.
-
A free personal test certificate is valid for three months. If you disable HTTPS secure acceleration and then re-enable it while the certificate is still valid, the system reuses the certificate. If the certificate has expired when you re-enable the feature, you must apply for a new one.
-
-
Custom
If no suitable certificate is available in the certificate list, you can choose this option to upload a custom certificate. You must specify a certificate name and then paste the certificate content and private key. The certificate is saved in Alibaba Cloud Certificate Management Service. You can view the certificate on the My Certificates page.
NoteIf a "duplicate certificate name" error occurs when you upload a Custom certificate, rename the certificate and try again.
Certificate Name
This parameter is required when Certificate Type is set to Certificate Management Service or Custom.
Content
This parameter is required when Certificate Type is set to Custom. For the required format, refer to the PEM Encoding Example below the Content input box.
Private Key
This parameter is required when Certificate Type is set to Custom. For the required format, refer to the PEM Encoding Example below the Private Key input box.
-
-
Click OK to save the configuration.
Next steps
The updated HTTPS certificate takes effect globally in about one minute. You can verify that the certificate has taken effect by accessing your resources over HTTPS. Check that the URL in your browser's address bar starts with https:// and that a lock icon appears to the left of the address bar. This indicates a secure connection.