{"id":1043,"date":"2026-02-27T11:53:00","date_gmt":"2026-02-27T03:53:00","guid":{"rendered":"https:\/\/www.ddosgj.com\/?p=1043"},"modified":"2026-02-27T11:53:00","modified_gmt":"2026-02-27T03:53:00","slug":"does-high-defense-cdn-support-https-not-only-support-but-also-automatically-configure-ssl-certificates","status":"publish","type":"post","link":"https:\/\/www.ddosgj.com\/en\/1043-html","title":{"rendered":"Does a high-defense CDN support HTTPS? Not only that, it can also configure SSL certificates automatically"},"content":{"rendered":"<p>Recently people keep asking me whether a high-defense CDN supports HTTPS at all, and the question makes me scratch my head - it's 2024, and there are still people who think a high-defense CDN is nothing more than a brute that soaks up DDoS traffic?<\/p>\n<p>I've seen too many teams scrambling for a solution right before launch: the first time they hear of a high-defense CDN they immediately think \u201ctraffic scrubbing\u201d and \u201cabsorbing the attack\u201d, and completely overlook the critical part, encryption in transit. The result? The attack is blocked, but the data travels naked, a man-in-the-middle can siphon it all off, and you end up taking the blame yourself.<\/p>\n<p>To be honest, with any decent high-defense CDN provider today, HTTPS stopped being a question of \u201csupported or not\u201d long ago; the question is \u201chow smooth is it to use\u201d. Some vendors, such as CDN5 and CDN07, can already apply for, deploy and renew SSL certificates automatically, so you don't even have to care what the certificate looks like.<\/p>\n<p>But don't assume all vendors are on the same level. 
I have tested seven or eight, and some only claim support on the surface; the actual configuration can make you cough up blood: either an uploaded certificate takes forever to take effect, or the configuration screen is buried deeper than a black hole, and some don't even support SNI, so multi-domain setups are dead on arrival.<\/p>\n<p>Why must a high-defense CDN support HTTPS? The reason is as simple as drinking water - you don't leave your front door unlocked just because you're wearing a bulletproof vest. DDoS protection guards against external brute-force impact, while HTTPS guards against eavesdropping and tampering; the two are not alternatives to each other at all but a golden combination.<\/p>\n<p>Especially now that browsers such as Google Chrome have long marked HTTP sites as \u201cunsafe\u201d. You sweat with a high-defense CDN to absorb a 500G traffic attack, and then users open the site, see the browser's red warning box, turn around and leave - who is bleeding in the end?<\/p>\n<p>I've been running high-defense CDNs in production since 2017, and in the early days I really did have to wrangle certificates by hand: buy them myself, upload them myself, and keep an eye on the expiry date to renew them, which was a pain. Now? Automation has advanced to the point where even the click of a button is saved - you just point the CNAME record at the CDN in the DNS step and the certificate is put in place automatically.<\/p>\n<p>Take CDN5, for example, which I tested last month while migrating a customer: tick \u201cautomatic SSL\u201d when adding the domain, it hooks straight into Let's Encrypt, and within 15 minutes the certificate is issued and deployed automatically, with HTTP\/2 and TLS 1.3 support thrown in. Can you believe it? 
It's a far more comfortable experience than wrangling certificates by hand on Nginx myself.<\/p>\n<p>CDN07 even supports a hybrid mode of custom certificate + auto-renewal - if you already have an enterprise-grade certificate (from DigiCert or Sectigo, say), you can upload your own private key and certificate chain while turning on auto-renewal, so the business never goes down because a certificate expired. This kind of detail is only appreciated by veterans who have stepped in the pits.<\/p>\n<p>But don't swallow the marketing hype of \u201cfully automated and unbeatable\u201d. Some small vendors' automatic SSL is half-baked: no wildcard certificates, no multi-level subdomain resolution, and some don't even submit to Certificate Transparency (CT) logs, so the certificate gets rejected on iOS devices. I stepped into that pit last year and was woken in the middle of the night by an alert SMS; it was a nightmare.<\/p>\n<p>At the configuration level, most high-defense CDNs now offer two modes: an \u201cedge certificate\u201d (hosted and automatically managed by the CDN vendor) and a \u201ccustom certificate\u201d (which you upload yourself). I strongly recommend edge certificates unless you have strict compliance requirements - they save effort and are free.<\/p>\n<p>Suppose, for example, you use 08Host's high-defense CDN (its CC attack resistance is strong); the configuration process looks roughly like this:<\/p>\n<p>Done. After that, the system renews the certificate automatically 30 days before it expires, and you don't even need to read the reminder email.<\/p>\n<p>But if you're stubborn and insist on uploading the certificate yourself, that's fine too. Just note: the private key and certificate must be in PEM format, and the certificate file must contain the complete chain. 
Many people trip at this step: they upload the leaf certificate but leave out the intermediate chain, which produces a certificate error on Android devices.<\/p>\n<p>The OpenSSL command I commonly use to generate the full chain:<\/p>\n<p>Then upload that fullchain.pem together with the private key, and it's rock solid.<\/p>\n<p>Another neat trick is HSTS Preload. If you use a vendor that supports HSTS, such as CDN5 or CDN07, I highly recommend turning it on - it forces the browser to connect to your domain only over HTTPS, so even the very first request skips the plain-HTTP hop, which shuts the door on SSL stripping attacks. This step is a double-edged sword, though: make sure every subdomain already serves HTTPS before configuring it, or you will lock users out of them outright.<\/p>\n<p>On performance, I know many people worry that TLS encryption and decryption add latency. Honestly, mainstream high-defense CDN edge nodes now carry hardware SSL acceleration cards, and that little overhead is almost negligible. On an e-commerce project I tested, latency rose by less than 3ms after enabling HTTPS, while the security gain was exponential.<\/p>\n<p>Some vendors, 08Host among them, also implement TLS session ticket reuse: when the same user reconnects within a short period, no full handshake is needed, the cached key is reused directly, and it ends up faster than plain HTTP (HTTP\/2 multiplexing is a treat as well).<\/p>\n<p>Lastly, I'd like to say this: these days even a CDN has to \u201cguard against its own teammates\u201d. Some small vendors fly the high-defense CDN banner while the SSL private key actually sits on a central server, and every edge node has to go back to the origin to fetch the key for each decryption - isn't that doing things the hard way for nothing? 
If you really do it that way, never mind the latency blowing up, the risk of key leakage goes through the roof.<\/p>\n<p>So when picking a vendor, be sure to ask about their SSL key management mechanism. A sound design keeps the private key local to the edge node, encrypted in memory, and ideally supports key rotation the way CDN07 does, rotating the private key automatically once a quarter to guard against insiders and infiltration.<\/p>\n<p>In short (tsk, I can't help saying the summary word again), high-defense CDN plus HTTPS has long been the standard of standards. What you need is not the answer to \u201csupported or not\u201d but the experience to \u201cchoose without stepping in a pit\u201d. Automatic certificates save you worry, but the core is the vendor's underlying implementation - otherwise it looks shiny on the surface with landmines behind it.<\/p>\n<p>Next time someone asks you whether a high-defense CDN supports HTTPS, just throw this article at them: not only supported, but dressed up with all the bells and whistles.<\/p>","protected":false},"excerpt":{"rendered":"<p>Recently people keep asking me whether a high-defense CDN supports HTTPS at all, and the question makes me scratch my head - it's 2024, and there are still people who think a high-defense CDN is nothing more than a brute that soaks up DDoS traffic? I've seen too many teams scrambling for a solution right before launch: the first time they hear of a high-defense CDN they immediately think \u201ctraffic scrubbing\u201d and \u201cabsorbing the attack\u201d, and completely overlook the critical part, encryption in transit. The result? The attack is blocked, but the data travels naked, a man-in-the-middle can siphon it all off, and you take the blame. To be honest, with any decent high-defense CDN provider today, HTTPS stopped being a question of \u201csupported or not\u201d long ago; the question is \u201chow smooth is it to use\u201d. 
Even some vendors, such as CDN5 and CDN07, have already been able to do automatic application of<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"gallery","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"categories":[150],"tags":[],"collection":[],"class_list":["post-1043","post","type-post","status-publish","format-gallery","hentry","category-updates","post_format-post-format-gallery"],"_links":{"self":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/1043","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/comments?post=1043"}],"version-history":[{"count":1,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/1043\/revisions"}],"predecessor-version":[{"id":1082,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/posts\/1043\/revisions\/1082"}],"wp:attachment":[{"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/media?parent=1043"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/categories?post=1043"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/tags?post=1043"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/www.ddosgj.com\/en\/wp-json\/wp\/v2\/collection?post=1043"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}