HSTS
HTTP Strict Transport Security (HSTS) is a web security protocol promoted by the Internet Engineering Task Force (IETF). HSTS forces clients (such as browsers) to use HTTPS to access your server, improving access security.
Working Principles
If HSTS is configured on CDN, when a client (such as a browser) uses HTTPS to access a CDN PoP for the first time, the PoP responds to the browser with the Strict-Transport-Security header. The browser caches this header if it supports HSTS and uses HTTPS to access CDN PoPs until the cache expires.
Precautions
- HSTS is valid when an international HTTPS certificate is configured.
- Use force redirect to redirect the first HTTP client request to HTTPS.
- To disable the HTTPS certificate, disable HSTS as well.
- When HSTS is enabled and a browser caches the Strict-Transport-Security header, force redirect to HTTP will lead to an infinite loop. As a result, the domain name cannot be accessed.
- To enable HSTS for domain names with special configuration, submit a service ticket.
- HSTS takes effect on clients. After HSTS is disabled, refresh the browser cache so that the next HTTP request from a client is not automatically redirected to HTTPS.
Procedure
- Log in to Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network. The CDN console is displayed.
- In the navigation pane, choose Domains.
- In the domain list, click the target domain name or click Configure in the Operation column.
- Click the HTTPS Settings tab.
- In the HSTS area, click Edit.
- Turn on the Status switch and set parameters.
Figure 1 HSTS
Table 1 Parameters

| Parameter | Description |
| --- | --- |
| Max Age | TTL of the response header Strict-Transport-Security on clients. The value ranges from 0 to 63,072,000, in seconds. If the TTL is too short, the client cache frequently expires, affecting HSTS. If the TTL is too long and the HTTPS certificate is canceled within the TTL, the domain name cannot be accessed, affecting businesses. The recommended TTL is 5,184,000 seconds, that is, 60 days. |
| Subdomain Names | Whether to enable HSTS for subdomain names. Excluded: HSTS is disabled for subdomain names. Included: HSTS is enabled for subdomain names. Check whether HTTPS certificates have been configured for all subdomain names. Subdomain names without a certificate cannot be accessed. |
- Click OK.
Example
Assume that you have configured the following HSTS settings for the domain name www.example.com.
Result:
- When a client uses HTTPS to access the domain name for the first time, the CDN PoP returns the requested content with the Strict-Transport-Security header.
- If the client does not support HSTS, the protocol of client requests to CDN PoPs is not changed.
- If the client supports HSTS, the client caches the Strict-Transport-Security header. When the client accesses the domain name again, the browser automatically converts the HTTP request to an HTTPS request and sends the request to CDN.
- After the browser TTL expires, step 1 is performed again.
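The precautions and the header flow above can be checked mechanically once the configuration is live. The following Python sketch is an added example, not Huawei Cloud code: it parses a Strict-Transport-Security value as RFC 6797 defines it and flags the conditions this page warns about. The names parse_hsts and audit and the sample responses are assumptions constructed for illustration.

```python
import re

CONSOLE_MAX = 63_072_000  # upper bound of Max Age in Table 1
RECOMMENDED = 5_184_000   # 60 days, the TTL this page recommends
REDIRECTS = (301, 302, 307, 308)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # a repeated directive invalidates the header
            return None
        seen[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None       # max-age is mandatory and must be a number
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen}

def audit(http_resp, https_resp):
    """Responses are (status, headers with lowercase names); returns findings."""
    findings = []
    status, headers = https_resp
    policy = parse_hsts(headers.get("strict-transport-security", ""))
    if policy is None:
        findings.append("no valid HSTS header on the HTTPS response")
    else:
        if policy["max_age"] == 0:
            findings.append("max-age=0 makes clients drop the cached policy")
        elif policy["max_age"] < RECOMMENDED:
            findings.append("max-age below the recommended 5,184,000 s")
        elif policy["max_age"] > CONSOLE_MAX:
            findings.append("max-age above the console limit of 63,072,000 s")
        if policy["include_subdomains"]:
            findings.append("includeSubDomains: every subdomain needs a certificate")
        if status in REDIRECTS and headers.get("location", "").startswith("http://"):
            findings.append("HTTPS redirects to HTTP while HSTS is set: redirect loop")
    status, headers = http_resp
    if status not in REDIRECTS or not headers.get("location", "").startswith("https://"):
        findings.append("first HTTP request is not force-redirected to HTTPS")
    return findings

# Constructed sample responses for www.example.com (not captured traffic)
GOOD_HTTP = (301, {"location": "https://www.example.com/"})
GOOD_HTTPS = (200, {"strict-transport-security": "max-age=5184000"})
LOOP_HTTPS = (302, {"location": "http://www.example.com/",
                    "strict-transport-security": "max-age=5184000; includeSubDomains"})
```

To audit a live domain, pass audit() the status and lowercase header names from one plain-HTTP and one HTTPS request made with redirects disabled.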