
How to configure HTTPS on CDN? What are the HTTPS modes?

February 21, 16:59

Importance of CDN HTTPS Configuration

HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP, encrypting communication through SSL/TLS protocols. Configuring HTTPS on CDN not only protects data transmission security but also improves SEO rankings and user trust.

CDN HTTPS Configuration Methods

1. Custom Certificate Upload

Upload your own SSL certificate to CDN:

Steps:

  1. Purchase or apply for an SSL certificate
  2. Download the certificate file (.crt) and the private key file (.key)
  3. Upload the certificate and private key in the CDN console
  4. Configure the HTTPS listening port (usually 443)

Advantages:

  • Full control over certificate
  • Support for wildcard and EV certificates
  • Suitable for enterprise applications

Disadvantages:

  • Need to manually manage certificate renewal
  • Need to purchase certificate (some CDNs offer free certificates)

2. Free Certificates Provided by CDN

Use free SSL certificates provided by CDN service providers:

Features:

  • Let's Encrypt: Supported by most mainstream CDNs
  • Auto-renewal: No manual operation required
  • Wildcard support: Some CDNs support *.example.com

Configuration example (Cloudflare):

```bash
# Set the zone's SSL/TLS encryption mode via the API.
# This endpoint sets the mode (off / flexible / full / strict);
# "flexible" leaves the CDN-to-origin hop on plain HTTP.
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ssl" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{"value":"flexible"}'
```

3. SNI (Server Name Indication) Support

SNI allows hosting multiple HTTPS websites on the same IP address:

How it works:

  • Client sends target domain during SSL handshake
  • Server returns corresponding certificate based on domain
  • CDN automatically handles SNI requests

Compatibility:

  • Fully supported by modern browsers
  • Not supported by old browsers (like IE6)

HTTPS Mode Selection

1. Flexible Mode

Flow: User → CDN (HTTPS) → Origin (HTTP)

Advantages:

  • Simple configuration, origin doesn't need SSL certificate
  • Suitable for quick deployment

Disadvantages:

  • Traffic from the CDN to the origin is unencrypted, which is a security risk
  • Not suitable for sensitive data transmission

Use cases:

  • Static content delivery
  • Testing environment
  • Temporary solution

2. Full Mode

Flow: User → CDN (HTTPS) → Origin (HTTPS)

Advantages:

  • End-to-end encryption
  • High security

Disadvantages:

  • Origin needs SSL certificate configuration
  • Certificate must match CDN configuration

Use cases:

  • Production environment
  • Sensitive data transmission
  • Compliance requirements

3. Full (Strict) Mode

Flow: User → CDN (HTTPS) → Origin (HTTPS, strict verification)

Features:

  • Verify origin certificate validity
  • Check certificate chain integrity
  • Verify certificate matches domain

Advantages:

  • Highest security
  • Prevents man-in-the-middle attacks on the CDN-to-origin connection

Disadvantages:

  • Complex configuration
  • Any origin certificate problem causes connection failures

Use cases:

  • High-security industries like finance, healthcare
  • Government agencies
  • Enterprise core business

HTTPS Configuration Best Practices

1. Force HTTPS Redirect

Automatically redirect HTTP requests to HTTPS:

```http
# Response returned for any plain-HTTP request
# ($request_uri is the nginx variable holding the original path and query string)
HTTP/1.1 301 Moved Permanently
Location: https://example.com$request_uri
```

Implementation methods:

  • CDN page rules
  • Origin configuration
  • HSTS (HTTP Strict Transport Security)

2. HSTS Configuration

HSTS forces browsers to use HTTPS:

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
```

Parameter explanation:

  • max-age: HSTS validity period (seconds)
  • includeSubDomains: Include all subdomains
  • preload: Add to HSTS preload list

Notes:

  • Once enabled, it cannot be rolled back quickly: browsers keep enforcing the policy until max-age expires
  • Ensure all subdomains support HTTPS before using includeSubDomains
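To make the parameters and the rollback caveat above concrete, here is an added example (not from the original article) that parses a Strict-Transport-Security header as a browser does and checks it against the hstspreload.org submission rules (max-age of at least one year, includeSubDomains and preload); the sample header values are constructed.

```python
# Added example (not from the original article): parse a Strict-Transport-Security
# header as browsers do (RFC 6797) and check it against the hstspreload.org
# submission rules: max-age of at least one year, includeSubDomains and preload.

ONE_YEAR = 31536000  # seconds, the max-age used in the header above


def parse_hsts(header: str) -> dict:
    """Return {'max_age', 'include_subdomains', 'preload', 'problems'}; any
    problem means a browser would ignore the whole header."""
    policy = {"max_age": None, "include_subdomains": False,
              "preload": False, "problems": []}
    seen = set()
    for token in (t.strip() for t in header.split(";")):
        if not token:
            continue
        name, _, value = token.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:  # RFC 6797 section 6.1: a repeated directive is invalid
            policy["problems"].append(f"duplicate directive: {name}")
        elif name == "max-age":
            if value.isdigit():
                policy["max_age"] = int(value)
            else:
                policy["problems"].append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, exactly as browsers ignore them
        seen.add(name)
    if policy["max_age"] is None:  # the only mandatory directive
        policy["problems"].append("missing max-age")
    return policy


def preload_eligible(policy: dict) -> bool:
    return (not policy["problems"] and policy["max_age"] >= ONE_YEAR
            and policy["include_subdomains"] and policy["preload"])


def rollout_advice(policy: dict) -> str:
    """The lock-in described in the Notes: a browser that saw max-age=N keeps
    forcing HTTPS for N seconds even after the header disappears."""
    if policy["problems"]:
        return "invalid: browsers ignore the header"
    if policy["max_age"] == 0:
        return "max-age=0: browsers forget the stored policy"
    if preload_eligible(policy):
        return "preload-eligible: removal from browser preload lists takes months"
    if policy["max_age"] < ONE_YEAR:
        return "short max-age: fine for a staged rollout, not preload-eligible"
    return "one-year policy: rollback takes up to a year for returning visitors"
```

A staged rollout therefore starts with a short max-age, and only the final header adds preload once every subdomain is confirmed to serve HTTPS.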

3. Optimize SSL/TLS Configuration

Choose appropriate cipher suites and protocols:

Recommended protocols and cipher suites:

```nginx
# Only support TLS 1.2 and TLS 1.3
ssl_protocols TLSv1.2 TLSv1.3;
# Prioritize strong cipher suites
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
# Enable session resumption
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
```

4. OCSP Stapling

OCSP Stapling improves SSL handshake performance:

```nginx
ssl_stapling on;
ssl_stapling_verify on;
# Chain used to verify the stapled OCSP response; nginx also needs a
# "resolver" directive so it can reach the CA's OCSP responder
ssl_trusted_certificate /path/to/chain.pem;
```

Advantages:

  • Reduce SSL handshake time
  • Reduce CA server load
  • Improves user privacy, since the browser no longer has to contact the CA itself

5. Automatic Certificate Renewal

Use auto-renewal services like Let's Encrypt:

```bash
# Auto-renewal using certbot
certbot renew --quiet --post-hook "systemctl reload nginx"
```

Scheduled task:

```cron
# Check certificate renewal at 2 AM daily
0 2 * * * certbot renew --quiet --post-hook "systemctl reload nginx"
```

HTTPS Performance Optimization

1. Enable HTTP/2

HTTP/2 provides performance improvements on top of HTTPS:

```nginx
# nginx 1.25.1+ prefers a separate "http2 on;" directive; this older form is still accepted
listen 443 ssl http2;
```

Advantages:

  • Multiplexing: Reduce number of connections
  • Header compression: Reduce data transfer volume
  • Server push: Proactively push resources

2. Session Cache and Resumption

Reduce SSL handshake frequency:

```nginx
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
```

3. Optimize Certificate Chain

Use complete certificate chain:

  • Main certificate: Domain certificate
  • Intermediate certificate: CA intermediate certificate
  • Root certificate: CA root certificate (usually not needed, because clients already trust it)

Verify certificate chain:

```bash
# OpenSSL 1.1.1+ sends the -connect host as SNI automatically; add
# -servername example.com on older builds so the CDN returns the right certificate
openssl s_client -connect example.com:443 -showcerts
```

Common Issues and Solutions

Issue 1: Mixed Content Warning

Cause: HTTPS page contains HTTP resources

Solutions:

  • Change all resources to HTTPS
  • Use relative paths
  • Use CSP (Content Security Policy)

```http
Content-Security-Policy: upgrade-insecure-requests
```
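The following added example (not from the original article) scans a page's HTML for the http:// subresources that trigger the warning above, classifies each as active or passive mixed content, and shows what the upgrade-insecure-requests directive would do to each URL; the sample markup is constructed, not taken from any real site.

```python
# Added example (not from the original article): find the http:// subresources behind
# a mixed-content warning and classify them as active (blocked by browsers) or
# passive (loaded with a warning). The sample markup below is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ACTIVE = {"script", "iframe", "link", "object", "embed"}  # script-capable, blocked
PASSIVE = {"img", "audio", "video", "source"}             # shown with a warning

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or ""):
            return  # only stylesheet links load active content
        ref = attrs.get("data" if tag == "object" else "href" if tag == "link" else "src")
        if tag not in ACTIVE | PASSIVE or not ref:
            return
        # Resolve relative and protocol-relative (//host/path) references against the
        # page URL: this is why relative paths (the second fix above) cannot be mixed.
        url = urljoin(self.page_url, ref)
        if urlsplit(url).scheme == "http":
            self.findings.append(("active" if tag in ACTIVE else "passive", tag, url))

def scan_mixed_content(page_url: str, html: str) -> list:
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content can only occur on an HTTPS page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

def upgraded(url: str) -> str:
    """What Content-Security-Policy: upgrade-insecure-requests does to a request URL."""
    return "https://" + url[len("http://"):] if url.startswith("http://") else url

SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/legacy.js"></script>
</head><body>
<img src="http://img.example.com/logo.png"><img src="/images/local.png">
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content("https://www.example.com/", SAMPLE):
        print(f"{severity:7} <{tag}> {url} -> {upgraded(url)}")
```

Note that the CSP directive only rewrites requests in browsers that honour it; the scan still reports the resources so that the markup itself can be fixed.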

Issue 2: Incomplete Certificate Chain

Cause: Missing intermediate certificate

Solutions:

  • Upload complete certificate chain
  • Use correct certificate order

Certificate chain order:

Domain certificate → Intermediate certificate → Root certificate

Issue 3: Slow SSL Handshake

Cause:

  • Session cache not enabled
  • OCSP Stapling not enabled
  • Weak cipher suites used

Solutions:

  • Enable session cache and resumption
  • Enable OCSP Stapling
  • Use strong cipher suites

Issue 4: Certificate Expired

Cause: Forgot to renew certificate

Solutions:

  • Use auto-renewal tools
  • Set expiration reminders
  • Use CDN's free certificates (auto-renewal)

HTTPS Monitoring Metrics

1. Certificate Status

  • Certificate validity: Time until expiration
  • Certificate chain integrity: Whether complete
  • Certificate matching: Whether matches domain

2. SSL Handshake Performance

  • Handshake time: Average SSL handshake duration
  • Handshake success rate: Ratio of successful SSL handshakes
  • Session resumption rate: Ratio of session resumption

3. Cipher Suite Usage

  • Cipher suite distribution: Usage ratio of each cipher suite
  • Protocol version distribution: TLS 1.2 vs TLS 1.3
  • Weak cipher suites: Whether weak cipher suites are used

Interview Points

When answering this question, emphasize:

  1. Understanding of different HTTPS configuration methods and their pros/cons
  2. Ability to choose appropriate HTTPS mode based on business needs
  3. Mastery of HTTPS configuration best practices
  4. Understanding of HTTPS performance optimization methods
  5. Practical configuration and troubleshooting experience
Tags: CDN