Mastering CDN HTTPS: Architecture, Optimization, and Best Practices

This article explains how modern websites rely on HTTPS and CDN, details SSL/TLS and HTTP/2 fundamentals, describes Alibaba Cloud's CDN HTTPS architecture, dynamic certificate management, key‑server solutions, optimization techniques, and practical guidance for deploying HTTPS end‑to‑end.

Alibaba Cloud Developer

Most mainstream websites now depend on HTTPS (HTTP over TLS/SSL) for server authentication, data encryption, and integrity, while CDN is widely used to improve performance, reliability, and security; together they have become essential services for commercial sites.

Historically, HTTPS was designed as an end‑to‑end protocol, whereas CDN operates as a man‑in‑the‑middle, leaving the authorization, authentication, key exchange, and revocation processes between browsers, CDN nodes, and origin servers largely undocumented.

At the 2017 Alibaba Cloud Community Online Tech Summit, CDN expert Rong Ke analyzed the technical practice behind CDN HTTPS, covering SSL/TLS, HTTP/2, CDN HTTPS architecture, and optimization.

SSL/TLS and HTTP/2 Overview

HTTPS adds an SSL/TLS layer beneath HTTP. In the protocol stack, SSL/TLS sits at the session layer between TCP and HTTP, while HTTP resides in the application layer; without SSL/TLS, HTTP traffic is plaintext.

SSL (Secure Socket Layer) evolved into TLS (Transport Layer Security); TLS 1.2 is widely used today, with TLS 1.3 still in draft.

The SSL/TLS handshake proceeds after a TCP connection is established: the client sends supported protocol versions, cipher suites, and random numbers; the server selects a version and cipher suite, returns its certificate, and both sides negotiate a symmetric key for subsequent encryption.

HTTP/2 Features

HTTP/2, standardized in 2015, improves upon HTTP/1.x with binary framing, header compression, multiplexing, and server push, enhancing both efficiency and security.

Header compression builds an index of repeated headers, reducing transmission size at the cost of additional memory for the index tables.

Multiplexing introduces the concept of streams, allowing multiple concurrent requests over a single TCP connection, unlike the limited keep‑alive or pipeline mechanisms of HTTP/1.x.

CDN HTTPS Architecture

HTTPS prevents content tampering and hijacking. Modern browsers and platforms increasingly require HTTPS (e.g., Chrome/Firefox marking HTTP as unsafe, Apple ATS, HTTP/2 over TLS, SEO benefits, government mandates).

In Alibaba Cloud CDN, the architecture uses LVS for layer‑4 load balancing, Tengine for layer‑7, and a custom cache engine (Swift). When HTTPS is needed, a certificate management center stores user certificates and private keys, which are dynamically loaded into each node’s memory in an obfuscated form.

During an SSL handshake, Tengine extracts the SNI (the requested domain name) from the client's ClientHello, retrieves the corresponding certificate and key, completes the handshake, and then processes the HTTP request.
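The two preceding sections (the handshake outline and the SNI-based certificate lookup) can be made concrete with a small parser. The following is an added example, not code from the article or from Alibaba Cloud's Tengine: it builds a constructed ClientHello record, extracts the fields the text mentions (client version, session ID for resumption, offered cipher suites, SNI), and then selects a certificate from a hypothetical in-memory store keyed by hostname, with one-label wildcard matching. The certificate labels and hostnames are made up for the demonstration.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type


def build_client_hello(server_name, cipher_suites, session_id=b"", version=0x0303):
    """Construct a minimal TLS 1.2-style ClientHello record (test input, not captured traffic)."""
    client_random = bytes(range(32))  # fixed bytes stand in for the 32-byte client random
    name = server_name.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", version) + client_random
            + struct.pack("!B", len(session_id)) + session_id    # non-empty id = resumption attempt
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                        # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def _parse_sni(data):
    """Return the first host_name entry of a server_name extension, or None."""
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type, name_len = data[pos], struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == 0:
            return name.decode("ascii")
    return None


def parse_client_hello(record):
    """Parse a ClientHello record into version, session_id, cipher_suites and sni."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                     # skip version and client random
    sid_len = body[pos]
    session_id = body[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # skip compression methods
    sni = None
    if pos + 2 <= len(body):                          # extensions are optional
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                sni = _parse_sni(body[pos:pos + ext_len])
            pos += ext_len
    return {"version": version, "session_id": session_id,
            "cipher_suites": cipher_suites, "sni": sni}


def select_certificate(cert_store, sni):
    """Pick the certificate for an SNI value: exact match first, then a one-label wildcard."""
    if not sni:
        return None                                   # no SNI: nothing to select by
    host = sni.lower()
    if host in cert_store:
        return cert_store[host]
    if "." in host:
        wildcard = "*." + host.split(".", 1)[1]
        if wildcard in cert_store:
            return cert_store[wildcard]
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com", [0xC02F, 0xC030], session_id=b"\x11" * 4)
    info = parse_client_hello(hello)
    store = {"www.example.com": "cert-A", "*.example.net": "cert-B"}  # constructed store
    print(info, select_certificate(store, info["sni"]))
```

A real edge node, as the article describes, would look the SNI up in the dynamically loaded certificate set rather than a dict, but the ordering matters the same way: the hostname must be known before the ServerHello can be sent, which is why a client without SNI cannot be served a per-domain certificate on a shared IP.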

Full‑Link HTTPS Support

For a two‑level CDN, three TCP connections exist: client‑to‑L1, L1‑to‑L2, and L2‑to‑origin. Each segment can use HTTPS, with the first segment using the user’s certificate, the second using CDN‑issued certificates, and the third requiring the origin to support HTTPS.

Key‑Server (No‑Private‑Key) Solution

To protect private keys, users can deploy a private KeyServer. During the handshake, Tengine forwards the data needing the private key to the KeyServer, which performs decryption or signing and returns the result, allowing the private key to remain on the user’s infrastructure.
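To show the split the KeyServer solution relies on, here is an added example (not the article's or Alibaba Cloud's code) in which an edge node holds only the certificate's public key and delegates the one private-key operation of a TLS 1.2 ECDHE handshake, signing the ServerKeyExchange parameters, to a separate KeyServer object. The RSA key pair is a constructed toy (two small, well-known primes) so the example runs with the standard library alone; the class names, the direct in-process call standing in for the network hop, and the placeholder ECDHE parameter bytes are all assumptions of this example.

```python
import hashlib

# Constructed toy RSA parameters (two well-known primes, ~60-bit modulus): far too small for
# real use and only here so the example runs without third-party libraries.
TOY_P = 1000000007
TOY_Q = 998244353
TOY_E = 65537


class KeyServer:
    """Runs on the site owner's infrastructure and holds the private exponent.

    The only operation it exposes is signing a digest; the key itself never leaves."""

    def __init__(self, p, q, e):
        self._n = p * q
        self._d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
        self.public_key = (self._n, e)
        self.requests = []                        # audit trail of every digest signed

    def sign_digest(self, digest: bytes) -> int:
        self.requests.append(digest.hex())
        m = int.from_bytes(digest, "big") % self._n  # toy: reduce mod n; real RSA pads instead
        return pow(m, self._d, self._n)


class CdnEdgeNode:
    """Terminates TLS with the certificate (public key) only; no private key in memory."""

    def __init__(self, public_key, key_server_client):
        self.public_key = public_key
        self._key_server = key_server_client      # a remote call in practice; direct call here

    def sign_server_key_exchange(self, client_random, server_random, ecdhe_params):
        # TLS 1.2 ServerKeyExchange signs client_random || server_random || ServerECDHParams.
        to_sign = client_random + server_random + ecdhe_params
        digest = hashlib.sha256(to_sign).digest()
        return self._key_server.sign_digest(digest)  # only the digest crosses the boundary


def verify_signature(public_key, message: bytes, signature: int) -> bool:
    """What the browser does with the public key from the certificate."""
    n, e = public_key
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == expected


def handshake_demo():
    """Sign one ServerKeyExchange through the KeyServer; returns (valid, node, key_server)."""
    key_server = KeyServer(TOY_P, TOY_Q, TOY_E)
    node = CdnEdgeNode(key_server.public_key, key_server)
    client_random = bytes(range(32))               # constructed nonces
    server_random = bytes(range(32, 64))
    # placeholder ServerECDHParams: named_curve secp256r1, 65-byte uncompressed point
    ecdhe_params = b"\x03\x00\x17\x41\x04" + bytes(64)
    sig = node.sign_server_key_exchange(client_random, server_random, ecdhe_params)
    valid = verify_signature(node.public_key, client_random + server_random + ecdhe_params, sig)
    return valid, node, key_server


if __name__ == "__main__":
    ok, node, ks = handshake_demo()
    print("signature valid:", ok, "| node attributes:", sorted(vars(node)),
          "| key server requests:", len(ks.requests))
```

The design point is visible in the object graph: a memory dump of the node yields a public key and a client handle, never `_d`, and the KeyServer's request log gives the owner a per-handshake record of how the key was used.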

CDN HTTPS Features

Dynamic certificates with sub‑minute propagation.

Support for SPDY and HTTP/2.

Rich, dynamically configurable settings.

KeyServer integration for no‑private‑key service.

Integration with Alibaba Cloud Certificate Service (CAS) for free certificates.

HTTPS Optimization Practices

Although HTTPS introduces extra handshake overhead, performance can be maintained or improved through:

Reducing handshakes via SSL Session ID/Ticket and TCP KeepAlive.

Leveraging HTTP/2 multiplexing and header compression.

Domain consolidation to reuse sessions.

TCP stack tuning (initial window, fast retransmit).

Prioritizing ECDSA over RSA.

For peak traffic, Alibaba Cloud employs cache pre‑warming, intelligent scheduling, and rate limiting.

How to Use HTTPS Effectively

Certificates: Choose appropriate certificates (single‑domain, multi‑domain, wildcard) from Alibaba Cloud CAS or other providers; options include DV, OV, and EV levels.

Origin Upgrade: Update origin servers to support TLS 1.0+, SNI, SHA‑256, and enable HSTS for forced HTTPS.

When users type a domain, browsers may initially request HTTP; a 302 redirect to HTTPS combined with an HSTS header ensures subsequent direct HTTPS access. Browsers only honor the HSTS header when it arrives over HTTPS, so the header must be sent on the HTTPS response, not on the redirect.

By following these guidelines, operators can securely and efficiently deliver content over HTTPS across the entire CDN chain.

Written by Alibaba Cloud Developer, Alibaba's official tech channel, featuring all of its technology innovations.