2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 05/31 Report
This article explains in detail the basic concepts, solution and optimization practices of CDN HTTPS security acceleration. The content is of high quality, so the editor shares it as a reference; I hope you will have a clear understanding of the relevant knowledge after reading it.
HTTP itself is transmitted in clear text with no security protection at all. A website HTTPS deployment solves the website's transport security problem by introducing a certificate service on top of the HTTP protocol.
Those basic concepts about HTTPS
Demand drives technological change; that was true of the Internet and it is true of HTTPS. People needed to share and browse information on the Internet, so information transmission technology was born and has been upgraded ever since. Later, people drew up rules for transmitting information over the Internet, namely the HTTP network protocol. From the earliest version, HTTP/0.9 released in 1991, to the latest, HTTP/2, transmission speed has kept improving. Let's first look at the basic concepts of HTTP.
What is HTTP?
HTTP is the most widely used network protocol on the Internet. It is a request/response standard between client and server, carried over TCP, used to transfer hypertext from WWW servers to the local browser. It makes the browser more efficient and reduces network transmission.
What is HTTPS?
HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is the secure hypertext transfer protocol: an HTTP channel built with security as its goal, or simply the secure version of HTTP. It works by encapsulating HTTP in the SSL/TLS protocol, and its functions fall into two kinds: establishing a secure channel that protects the data in transit, and confirming the authenticity of the website.
What is SSL?
SSL is an abbreviation for Secure Sockets Layer, a secure communication protocol on top of TCP that helps Internet applications protect the integrity and confidentiality of their data. The standardized version of SSL was later renamed TLS (an abbreviation for "Transport Layer Security"). Many articles write the two side by side (SSL/TLS) because they can be regarded as different stages of the same thing.
What is a handshake?
Before the encrypted transfer begins, client and server must first establish a connection and exchange parameters, then negotiate the key and, after verification, transfer data. This process is called the handshake.
What is encryption and decryption?
Encryption turns plaintext into ciphertext; decryption turns ciphertext back into plaintext. Both operations require a secret value, the key, as an input to the mathematical operation.
Summary: put simply, HTTPS is the security-enhanced version of HTTP, a combination of the HTTP protocol and the SSL encryption protocol, which is why it is also called HTTP over SSL.
Why use HTTPS
In fact, the concept of HTTPS has been around for many years, but only in the last two years has it been adopted by the mainstream. So before introducing the CDN HTTPS solution, we need to understand why HTTPS is chosen over HTTP.
First, HTTPS is a more secure transport protocol that prevents websites from being tampered with and hijacked, which is its most basic function. Chrome and Firefox will mark HTTP as an insecure protocol in the future.
Second, Apple ATS (App Transport Security) requires apps on iOS 9.0 and 10.0 to transmit over HTTPS.
Third, mainstream browsers already support TLS-based HTTP/2.
Fourth, Google gives a search-ranking boost to sites that use HTTPS and encourages its adoption.
Fifth, the official websites of the US and UK governments have switched to HTTPS.
From the needs of users to the general trend of the whole industry, everything is pushing HTTPS adoption. So what is Aliyun CDN's HTTPS solution?
CDN HTTPS solution
HTTPS effectively prevents website content from being tampered with and hijacked, strengthening the website's security. So Aliyun's CDN content distribution network has introduced an HTTPS security acceleration solution.
Take, for example, a CDN distribution architecture with two levels of nodes. There are three TCP connections: Client to L1 node, L1 to L2, and L2 back to the origin server, and each of them supports HTTPS. On the first hop, Client to L1, the user's own certificate is required. Between L1 and L2 our own certificate is used to keep the data encrypted. On the back-to-origin hop, if the user also wants HTTPS, the whole link can be configured for HTTPS, fully ensuring that the website content cannot be tampered with or hijacked.
In the above scheme, the user has to hand the certificate and private key to the CDN's certificate management center so that it can process HTTPS requests. We also have a further plan. Users who are highly sensitive about their certificates and private keys want to keep the private key on their own servers to reduce the risk of disclosure. For this case we propose a keyless solution. First, the user sets up a private key server. When the HTTPS handshake between CDN and Client takes place, the CDN extracts the SNI while processing it, obtains the domain name's configuration, and then asks the user's private key server (KeyServer) to sign, or to decrypt the pre-master secret. In this scheme the private key operation is split off and implemented by the KeyServer. Aliyun has implemented its own KeyServer; users only need to install the KeyServer rpm on their private key server and configure it.
Aliyun CDN provides the HTTPS security acceleration solution. You only need to enable security acceleration mode and upload the certificate and private key of the accelerated domain name to get encrypted data transmission across the whole network.
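The KeyServer split described above, as an added illustration in Go (not Aliyun's KeyServer code, and serving the KeyServer point under "Technical advantages" as well): the edge node holds only the certificate and an object that forwards each handshake signing request to the key holder. The RemoteSigner type, the edge.example.test certificate and the in-process stand-in for the key server are all constructed for this example.

```go
package main
import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)
// RemoteSigner is all the edge node holds: the public key plus a call-out to the customer's
// KeyServer. crypto/tls accepts any crypto.Signer as a certificate's PrivateKey, so the edge
// terminates TLS while every handshake signature is computed off-node.
type RemoteSigner struct {
	pub   crypto.PublicKey
	call  func(digest []byte, opts crypto.SignerOpts) ([]byte, error)
	Calls int // signatures delegated so far
}
func (r *RemoteSigner) Public() crypto.PublicKey { return r.pub }
func (r *RemoteSigner) Sign(_ io.Reader, d []byte, o crypto.SignerOpts) ([]byte, error) {
	r.Calls++
	return r.call(d, o)
}
// KeylessHandshake builds a constructed self-signed cert for edge.example.test, gives the edge
// only that cert plus a RemoteSigner, and runs one TLS handshake over an in-memory pipe.
// It returns how many signatures the edge delegated (one per full handshake).
func KeylessHandshake() (int, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // setup with fixed, valid inputs
	keyServer := func(d []byte, o crypto.SignerOpts) ([]byte, error) { return key.Sign(rand.Reader, d, o) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"edge.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return 0, err
	}
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	rs := &RemoteSigner{pub: &key.PublicKey, call: keyServer} // the edge code path never touches key
	edge := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: rs}},
		SessionTicketsDisabled: true} // no post-handshake ticket write, so the pipe cannot stall
	srvConn, cliConn := net.Pipe()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, edge).Handshake() }()
	if err := tls.Client(cliConn, &tls.Config{RootCAs: roots, ServerName: "edge.example.test"}).Handshake(); err != nil {
		return 0, err
	}
	return rs.Calls, <-srvErr
}
```

In a real deployment the `call` function is an authenticated RPC to the customer's KeyServer, and the client verifies the server against public roots rather than the constructed pool used here.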
Technical advantages of CDN HTTPS
Support for HTTP/2 functionality
HTTP/2 is an enhancement to HTTP/1.x. Aliyun CDN now supports HTTP/2 on the whole platform. Using the domain name of Aliyun HTTPS acceleration service, you can enjoy HTTP/2 service free of charge. HTTP/2 is a binary protocol that supports header compression, multiplexing and server push, which can effectively improve transmission efficiency.
Rich HTTPS configuration items
Aliyun CDN HTTPS can be configured dynamically. For example, in practice we have found that some users' APPs implement the HTTP/2 protocol imperfectly. One solution is for the user to modify their own APP to fix the problem. Another is for the CDN to turn off HTTP/2 for that APP through configuration and fall back to HTTP/1.1, giving users enough choice.
KeyServer keyless solution
As mentioned earlier, users who are highly sensitive about their certificates and private keys can keep them safe on their own side: self-built KeyServers are supported, and the KeyServer solution and source code are provided.
Security function
HTTPS is an encrypted transport protocol that requires identity authentication. It combines HTTP with SSL and provides all-round security: it prevents sensitive information from leaking, prevents traffic from being hijacked or tampered with, and ensures the integrity of data.
Dynamic certificate
Dynamic certificates are supported: if a user wants to use HTTPS, the certificate takes effect across the whole network within 1 minute of uploading the certificate and private key. Certificates of several specifications are offered, with support for free certificates, expiry reminders and a preview of certificate attributes; a free certificate can be applied for through Aliyun's Certificate Center (CAS).
Flexible payment method
Both post-paid and prepaid billing are available. Post-paid HTTPS costs 0.05 RMB per 10,000 requests; prepaid request packages come in several sizes (100 million, 1 billion and 10 billion requests), priced at 450, 4000 and 35000 yuan (Double 11 discount).
HTTPS has many advantages over HTTP as a transport; does it also outperform HTTP in performance? We know that Aliyun CDN HTTPS can reduce the back-to-origin rate, improve communication efficiency, improve verification efficiency and reduce redirect time. What technologies achieve these optimizations? Let's look at the optimization practice of CDN HTTPS.
CDN HTTPS optimization practice
First, the key factor holding back HTTPS performance is slow transmission: after the TCP handshake there is also the SSL handshake, multiple layers of data encryption and decryption, and the certificate transfer.
So is HTTPS bound to slow down?
The following figure shows some performance data collected after Taobao and Tmall switched to HTTPS: for the Taobao home page and search, Juhuasuan, Tmall and other pages, the performance change is positive. So let's look at what CDN HTTPS has done on the performance side.
First, we know that the SSL handshake phase consumes a lot of resources. SSL itself supports two resumption mechanisms, session ID and session ticket. With a session ID, the client stores the ID; if it presents the same ID on its next request, the previous session can be resumed, skipping most of the handshake. However, when the client reaches different servers, the ID has to be shared between them, which is more complicated to implement. With a session ticket, the session information itself is sent to the client, which stores it, so resumption does not depend on a particular server.
Second, we use the HTTP/2 protocol, whose multiplexing and header compression improve transmission efficiency.
Third, domain name merging: for a main site with many user domain names, we tend to merge them under a wildcard domain. This reduces SSL handshakes and increases reuse, which in turn increases efficiency.
Fourth, protocol stack optimization, which every major CDN company is working on. The traditional protocol stack probes gradually and sends more and more data, so the initial window is relatively small. We now make targeted adjustments and improve the efficiency of fast retransmission.
Fifth, cipher priority: the ECDSA algorithm is preferred, since at the same encryption strength it produces less data.
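The difference between the two resumption mechanisms described in the first point above, as an added Go model (not code from the page or from Aliyun): every Edge has a private session-ID cache but all of them share one ticket key, so a ticket issued by node 0 resumes on every node while the session ID resumes only on node 0. The Edge type, the ticket layout (nonce followed by AES-GCM of the master secret) and the master-secret value are constructed for this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
)

// Edge is one CDN node: a private session-ID cache plus AES-GCM under the platform-wide ticket key.
type Edge struct {
	idCache map[string][]byte // session ID -> master secret, visible only to this node
	tickets cipher.AEAD       // same key object on every node
}
// FullHandshake stands in for a complete handshake: the node caches the master secret under a
// fresh session ID and also hands the client a sealed ticket carrying the same secret.
func (e *Edge) FullHandshake(masterSecret []byte) (sessionID string, ticket []byte) {
	raw := make([]byte, 32+e.tickets.NonceSize()) // 32 random ID bytes, then a fresh nonce
	rand.Read(raw)
	sessionID = hex.EncodeToString(raw[:32])
	e.idCache[sessionID] = masterSecret
	return sessionID, append(raw[32:], e.tickets.Seal(nil, raw[32:], masterSecret, nil)...)
}
// ResumeByID works only on the node that saw the original handshake.
func (e *Edge) ResumeByID(id string) bool { _, ok := e.idCache[id]; return ok }
// ResumeByTicket works on any node holding the shared key; a truncated, tampered or foreign
// ticket fails GCM authentication, so the client falls back to a full handshake.
func (e *Edge) ResumeByTicket(ticket []byte) bool {
	ns := e.tickets.NonceSize()
	if len(ticket) < ns {
		return false
	}
	_, err := e.tickets.Open(nil, ticket[:ns], ticket[ns:], nil)
	return err == nil
}
// Simulate lets the client handshake with node 0, then routes its next request to each of n
// nodes in turn; it returns how many nodes could resume by ID and how many by ticket.
func Simulate(n int) (idHits, ticketHits int) {
	key := make([]byte, 32) // shared ticket key, generated once for the whole platform
	rand.Read(key)
	block, _ := aes.NewCipher(key)  // a 32-byte key selects AES-256; errs only on bad length
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	edges := make([]*Edge, n)
	for i := range edges {
		edges[i] = &Edge{idCache: map[string][]byte{}, tickets: aead}
	}
	id, ticket := edges[0].FullHandshake([]byte("constructed-master-secret"))
	for _, e := range edges {
		if e.ResumeByID(id) {
			idHits++
		}
		if e.ResumeByTicket(ticket) {
			ticketHits++
		}
	}
	return idHits, ticketHits
}
```

With four nodes the session ID resumes on one node and the ticket on all four, which is the "ID sharing" problem the text refers to; rotating the shared ticket key regularly limits how long a leaked key can decrypt old tickets.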
The above are some optimization practices carried out by CDN HTTPS in order to transmit more efficiently and reduce the amount of data.
In addition, to handle peaks, besides our own HTTPS optimization we also preheat the Cache system, loading everything onto the first-level nodes so that no origin-pull is needed. In the scheduling system, our business systems provide the forecast peak, and the CDN gathers hot-spot statistics, spreads load to adjacent non-hot nodes, and allocates in proportion to node capacity. Of course, for peak situations we also need rate limiting.
How to make better use of HTTPS
Having talked so much about the benefits of HTTPS, how can users make better use of HTTPS?
First, apply for a certificate according to the type of domain name. Aliyun also provides certificate services and can issue Symantec, CFCA and GeoTrust certificates. There are three categories of certificate: DV, OV and EV. A DV certificate is validated at the domain name level: the issuer only verifies the owner of the domain name, so its security level is relatively low. OV and EV are enterprise-level certificates that verify enterprise information in addition to the domain name owner; an EV certificate additionally displays the company name when the site is visited.
Second, transform the origin server: adapt page resources, choose a TLS version above 1.0, configure session ID and session ticket optimally, and support SHA256 on certificates. In practice there is one more issue: when the user types in only the domain name, we can configure forced HTTPS access.
That is all on how to analyze the basic concepts, solution and optimization practice of CDN HTTPS security acceleration. I hope the above content helps you learn more. If you think the article is good, share it so that more people can see it.