Port-Free Access to Home Broadband Services via AliCloud CDN: An In-Depth AliCloud ESA Pitfall Guide

Everyone who tinkers with a home NAS (Synology, QNAP) or a private cloud service eventually runs into a question of elegance, or the lack of it: the access address.

When you connect back to your private cloud via DDNS, the address has to carry a small tail such as :9416 or :8080, which is not only hard to remember but also blocked by some company intranet firewalls.

Today I'm sharing the ultimate solution using AliCloud ESA (Edge Security Acceleration): say goodbye to non-standard ports and expose your services over HTTPS on a plain domain name in seconds. The end of the article summarizes the pitfalls that took me 3 days to work through, so I recommend bookmarking it.

I. Why ESA

Traditional CDNs can only accelerate ports 80 or 443, but on home broadband these two ports are usually blocked. The key feature of AliCloud ESA is back-to-source port rewriting. Users access your standard domain name externally (port 443), and Ali's edge nodes automatically forward the request to a non-standard port at your home. The whole process is transparent to the user, who never has to type a port number.

II. Practical Steps: From “Tailed” to “Port-Free”

1. Host the domain name

Change your domain's DNS to the name servers provided by Aliyun ESA, then turn on “Proxy Status” (small orange cloud) in the control panel.

2. Configure “rewrite back to source” rules (core)

Go to “Rule Settings” -> “Back to Source Configuration” in the ESA control panel:

Match conditions: hostname equal to music.yourdomain.com (for your service). If you have multiple second-level domain names, you can instead match all incoming requests to save on the number of back-to-source rule entries.

Back to source protocol: “HTTP” is recommended. Most home intranet services do not have TLS, and ESA handles encryption on the public-facing side, between the visitor and the edge node; the hop from the edge back to your home then travels as plain HTTP.

Back to source port rewrite: turn it on and fill in your real intranet port (such as 9416 or 8080, i.e. the port of each of your Synology services).

3. Setting the SSL/TLS mode

In SSL/TLS -> Overview, set the encryption mode to “Full” or “Flexible”, which is the default for the free version. Then you can securely access your home private cloud via https://.

III. In-depth pitfall avoidance guide (practical tips, a must-read!)

Many readers find that after configuration the site “still will not open” or “times out frequently”. Most likely they have fallen into one of the following three pits:

Pit 1: Rule Priority

Phenomenon: Forwarding is configured for domain A, but the service ends up at domain B. Countermeasure: ESA rules are executed in order. If you have more than one subdomain, make sure to click “Sort” and put the forwarding rule specific to each subdomain at the top.

Pit 2: WebSocket Master Switch

Phenomenon: The web page opens, but the service can't establish a long-lived connection (e.g. some admin panels can't be logged in to). Countermeasure: Private cloud services use WebSocket heavily these days, so you have to manually find and enable the “WebSocket” option under “Rule Settings” -> “Site Settings” in ESA. This is the most overlooked point!

Pit 3: Back-to-Source Protocol Conflict (Error 521)

Phenomenon: The browser shows HTTP ERROR 521. Countermeasure: Check your back-to-source rules. If ESA tries to connect to your home HTTP port using the HTTPS protocol, the connection will be rejected. For home broadband, make sure to manually specify HTTP as the back-to-source protocol.
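
The ordering problem from Pit 1 and the protocol mismatch from Pit 3 can be checked on paper before touching the control panel. The sketch below is an added example, not code from ESA or from this article; it assumes the first matching rule wins (as the countermeasure in Pit 1 implies), and `OriginRule`, `resolve`, `lint` and the sample rule sets are hypothetical names and constructed data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class OriginRule:  # hypothetical model of one back-to-source rule
    name: str
    host: Optional[str]  # None = "all incoming requests"
    scheme: str          # protocol the edge uses toward home: "http" or "https"
    port: int            # rewritten back-to-source port

    def matches(self, host: str) -> bool:
        return self.host is None or self.host == host

def resolve(rules, host):
    """Return the first rule matching host (assumed first-match-wins), or None."""
    return next((r for r in rules if r.matches(host)), None)

def lint(rules, origin_tls):
    """origin_tls maps a home port to True if the service on it speaks TLS."""
    findings = []
    for i, rule in enumerate(rules):
        # Pit 1: an earlier catch-all or same-host rule means this one never fires.
        blocker = next((e for e in rules[:i]
                        if e.host is None or e.host == rule.host), None)
        if blocker:
            findings.append(f"{rule.name}: shadowed by '{blocker.name}' (Pit 1)")
        # Pit 3: HTTPS toward a plain-HTTP home port is rejected (error 521).
        if rule.scheme == "https" and not origin_tls.get(rule.port, False):
            findings.append(f"{rule.name}: HTTPS to HTTP port {rule.port} (Pit 3)")
    return findings

# Constructed sample: the same two rules, badly ordered and then corrected.
BROKEN = [
    OriginRule("catch-all", None, "http", 8080),
    OriginRule("music", "music.yourdomain.com", "https", 9416),
]
FIXED = [
    OriginRule("music", "music.yourdomain.com", "http", 9416),
    OriginRule("catch-all", None, "http", 8080),
]
ORIGIN_TLS = {9416: False, 8080: False}  # neither home service has TLS

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        hit = resolve(rules, "music.yourdomain.com")
        print(label, "-> port", hit.port, lint(rules, ORIGIN_TLS))
```
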

IV. 2.5G Broadband Test Experience

In Urumqi Unicom's 2.5G broadband environment, the improvement after ESA acceleration is very obvious:

Reduced latency: Ali edge nodes automatically find the optimal path, and the latency of cross-carrier access is significantly reduced.

Aesthetics and security: the real port no longer appears in the address, and only a standard HTTPS URL is shown to the public.

Stability: Even if the home public IP changes, as long as DDNS synchronization succeeds, the change is almost imperceptible on the ESA side.

Conclusion

The joy of tinkering with a digital home lies in using technical means to make complex networks simple and usable.

If you also ran into “522 Connection Timed Out” or “Invalid Certificate” during configuration, feel free to leave a message in the comment section.
