Configuring the Domain Name for Calling APIs

Constraints

• By default, the debugging domain name of an API group can only be resolved to a server in the same VPC as the gateway. If you want to resolve the domain name to a public network, bind an EIP to the gateway.
• The debugging domain name cannot be used for production services and can be used only for application debugging.
• Groups under the same gateway cannot be bound with a same independent domain name.
• If a domain name is already bound to a port, it cannot be bound to the same port again.
• If different ports are used for the same domain name, all ports take effect no matter whether any of them are bound to, modified, or unbound from the SSL certificate or whether client authentication is enabled or disabled.
• If you access backend services through a load balance channel, the port bound to the independent domain name must be the same as the access port of the backend server in the load balance channel.
• After an independent domain name is bound to a port, if you use an IP address to access an API, you need to add the header parameter host to the request. The host value should include the port number for the access protocol, unless you are using the default ports 80 or 443, in which case the host value is not necessary.
• Accessing APIs by IP address is not advised, it requires IP certificates for SSL. Otherwise, the connection may be insecure.
• HTTP-to-HTTPS redirection is only suitable for GET and HEAD requests. Redirecting other requests may cause data loss due to browser restrictions. Redirection takes effect only when the API request protocol is HTTPS or HTTP&HTTPS and an SSL certificate has been bound to the independent domain name.

Obtaining Domain Names

1. Apply for a domain name.
   • To enable a service system on the cloud service platform to access APIs, obtain a private domain name as an independent domain name. For details, see Creating a Private Zone.
   • To enable a service system outside the cloud service platform to access APIs, obtain a public domain name as an independent domain name. Apply it from Domain Registration.

2. Add an A record set of the VPC access address. For details, see Adding an A Record Set.

   Configure a CNAME record set of the API group debugging domain name. For details, see Adding a CNAME Record Set.

3. If the API group contains HTTPS-compatible APIs, add an SSL certificate for the independent domain name bound to the group. Obtain the content and keys of the SSL certificate and create an SSL certificate in advance.

Binding an Independent Domain Name

1. Go to the APIG console.
2. Select a dedicated gateway at the top of the navigation pane.
3. Choose API Management > API Groups.
4. Click a group name to go to the Group Information page.
5. In the Independent Domain Names area, click Bind Independent Domain Name.
6. Set the parameters according to the following table.

   Table 1 Independent domain name configuration

   Parameter	Description
   Domain Name	Domain name to be bound to the API group.
   Minimum TLS Version	TLS is a security protocol used to ensure security and data integrity for Internet communication. Options: TLS1.1, TLS1.2 (recommended). TLS1.0 and TLS1.3 are not supported. This parameter applies only to HTTPS and does not take effect for HTTP and other access modes. Configure HTTPS cipher suites using the ssl_ciphers parameter on the Parameters tab.
   HTTP-to-HTTPS Auto Redirection	HTTP APIs are insecure in transmission and authentication. You can upgrade them for access over HTTPS while ensuring HTTP compatibility. Redirection takes effect only when the API request protocol is HTTPS or HTTP&HTTPS and an SSL certificate has been bound to the independent domain name. Redirection is only suitable for GET and HEAD requests. Redirecting other requests may cause data loss due to browser restrictions.
   HTTP Port	The default value is 80, which is the default HTTP port number. You can customize the inbound port. For details, see Customizing Gateway Inbound Ports. If the HTTP port is not used, select suspend.
   HTTPS Port	The default value is 443, which is the default HTTPS port. You can customize the inbound port. For details, see Customizing Gateway Inbound Ports. If the HTTPS port is not used, select suspend.

7. Click OK.

   If the domain name is no longer needed, click Unbind Domain Name to unbind it from the API group.

(Optional) Binding an SSL Certificate

If the API group contains HTTPS APIs, bind an SSL certificate to the independent domain name.

1. In the row that contains the domain name, click Select SSL Certificate.
2. Select an SSL certificate and click OK.
   • If a CA certificate has been uploaded for the SSL certificate, you can enable client authentication (HTTPS two-way authentication). Enabling or disabling client authentication will affect the existing services. Exercise caution when performing this operation.
   • If no SSL certificate is available, click Create SSL Certificate to create one. For details, see Adding an SSL Certificate for an API.

Troubleshooting

• Failure in binding a domain name: The domain name is not resolved or the domain name already exists.
• Failure in binding an SSL certificate: The domain name used to generate the SSL certificate is different from the target independent domain name.