Edge Acceleration

Site Acceleration
- Overview
- Access Control
  - Token authentication
    - Token Authentication
    - Authentication Method A
    - Authentication Method B
    - Authentication Method C
    - Authentication Method D
    - Authentication Method V
- Smart Acceleration
- Cache configuration
  - Overview
  - EdgeOne caching rules introduction
    - Content Cache Rules
    - Cache Key Introduction
    - Vary Feature
  - Cache Configuration
    - Custom Cache Key
    - Node Cache TTL
    - Status Code Cache TTL
    - Browser Cache TTL
    - Offline Caching
    - Cache Prefresh
  - Clear and Preheat Cach
    - Cache Purge
    - URL Pre-Warming
    - Prefetch M3U8
  - How to improve the Cache Hit Rate of EdgeOne
- File Optimization
  - Content Compression
  - Smart Compression
- Network Optimization
  - HTTP/2
  - HTTP/3(QUIC)
    - Overview
    - Enable HTTP/3
    - QUIC SDK
      - SDK Overview
      - SDK Download and Integration
      - Sample Code
        Android
        iOS
      - API Documentation
        Android
        iOS
  - IPv6 Access
  - Maximum Upload Size
  - WebSocket
  - Client IP Geolocation Header
  - Client IP Geographical Location
  - gRPC
  - Network Error Logging
- URL Rewrite
  - Access URL Redirection
  - Origin-Pull URL Rewrite
- Modifying Header
  - Modifying HTTP Response Headers
  - Modifying HTTP Request Headers
- Modify response content
  - HTTP Response
  - Custom Error Page
- Rules Engine
  - Overview
  - Rule Management
  - variables
  - Supported Matching Types and Actions
- Image and video processing
  - Audio and Video Pre-pulling
  - Just-in-Time Image Processing
  - Video Just-In-Time Processing
  - VOD Media Origin
- Speed limit for single connection download
- Request and Response Actions
  - HTTP Response
  - Processing order
  - Default HTTP Headers of Origin-Pull Requests
  - Default HTTP Response Headers
  - HTTP Restrictions
- Media Services
  - Audio and Video Pre-pulling
  - Just-in-Time Image Processing
  - Just-in-Time Media Processing
  - VOD Media Origin
L4 Proxy
- Overview
- Creating an L4 Proxy Instance
- Modifying an L4 Proxy Instance
- Disabling or Deleting an L4 Proxy Instance
- Batch Configuring Forwarding Rules
- Obtaining Real Client IPs
  - Obtaining Real TCP Client IPs via TOA
  - Obtaining Real Client IPs Through Protocol V1/V2
    - Overview
    - Method 1: Obtaining Real Client IPs Through Nginx
    - Method 2: Parsing Real Client IPs on Application Server
    - Format of Real Client IPs Obtained Through Proxy Protocol V1/V2
  - Transmitting Client Real IP via SPP Protocol
Domain name service and origin server configuration
- Domain Name Services
  - Overview
  - DNS resolution for managed domains
    - Modifying DNS Servers
    - Configuring DNS Records
    - Batch Importing DNS Records
    - Advanced DNS Configuration
  - Access accelerated domains
    - Adding A Domain Name for Acceleration
    - Ownership Verification
    - Modifying CNAME Records
    - Verify Business Access
  - Traffic scheduling
    - Traffic Scheduling Management
- HTTPS Certificate
  - Overview
  - Edge HTTPS Certificate
    - Overview
    - Deploying/Updating SSL Certificate for A Domain Name
    - Configuring A Free Certificate for A Domain Name
    - Using Keyless Certificate
  - Edge mTLS Authentication
  - Origin Certificate Validation
  - HTTPS configuration
    - Forced HTTPS Access
    - Enabling HSTS
    - SSL/TLS security configuration
      - Configuring SSL/TLS Security
      - TLS Versions and Cipher Suites
    - Enabling OCSP Stapling
  - Related References
    - Using OpenSSL to Generate Self-Signed Certificates
    - Certificate Format Requirements
    - The Difference Between one-way authentication and Mutual authentication
- Origin Configuration
  - Load Balancing
    - Overview
    - Quickly Create Load Balancers
    - Health Check Policies
    - Viewing the Health Status of Origin Server
    - Related References
      - Load Balancing-Related Concepts
      - Introduction to Request Retry Strategy
  - Origin Group Configuration
  - Origin configuration
    - Origin-Pull Timeout
    - Configuring Origin-Pull HTTPS
    - Host Header Rewrite
    - Controlling Origin-pull Requests
    - Redirect Following During Origin-Pull
    - HTTP/2 Origin-Pull
    - Range GETs
    - Modify Origin
    - Origin-pull Rate Limiting Policy
  - Origin Protection(Obtaining/Updating Origin IP Address Range)
  - Related References
    - ld Version Origin Group Compatible Related Issues

Overview

This document describes the advantages of HTTPS over HTTP, and the supported certificate types and encryption algorithms.
HTTPS Overview
As an extension of HTTP, HTTPS supports identity verification and encrypted transmission through the SSL protocol. SSL uses HTTPS certificates to verify the server's identity and establish an encrypted transmission channel between the client browser and the server. Compared to HTTP, HTTPS offers the following advantages:
Higher security: HTTPS encrypts the data exchanged between clients and servers to prevent the data from being hijacked, tampered, or listened to.
Increased website credibility: When users access a website over HTTPS, they can verify the website credibility based on its certificate. If the website is trustworthy, a green security identifier is displayed in the browser. This improves the website credibility and prevents users from accessing phishing websites.
Improved website SEO: Search engines prioritize trustworthy websites that support HTTPS. Enabling HTTPS access to a website can improve the website ranking in search engine results.
HTTPS Certificate Capabilities Supported by EdgeOne
Feature
Description
﻿Edge HTTPS Certificates﻿
Edge HTTPS certificates enable users to securely communicate with EdgeOne edge nodes via HTTPS when accessing the current domain name. Currently, EdgeOne supports configuring Edge HTTPS certificates in the following ways.
﻿Tencent Cloud SSL Certificates: If you already have a domain name certificate, you can deploy the certificate uploaded to the Tencent Cloud SSL console to an EdgeOne edge node. You can deploy at most one RSA, ECC, or SM2 certificate to the EdgeOne node simultaneously.
﻿Applying for Free Certificates: If you have not yet purchased SSL certificates, you can use EdgeOne to automatically complete the application, deployment, and renewal of free certificates, so as to reduce the operational workload. The currently applied free certificates are RSA certificates from TrustAsia or Let’s Encrypt.
﻿Keyless Certificate: Keyless certificate allows users to upload only the certificate public key to Tencent Cloud SSL Certificate, and maintain the certificate private key through deploying a private server, suitable for customers with stricter security requirements for certificate management.
﻿Edge Mutual Authentication﻿
Edge mutual authentication means that during the communication process, both the client and the server need to prove their identities to each other. This is typically used in scenarios with high security requirements, such as corporate internal networks or financial transactions. EdgeOne supports enabling mutual authentication within edge nodes and requires the client to carry a trusted client certificate for verification during access, so as to further enhance the security of communication.
﻿Origin Certificate Validation﻿
When using HTTPS handshake for origin-pull, you can customize the verification method for the origin server certificate, further enhancing the security of origin-pull HTTPS handshake and preventing traffic hijacking.
﻿Forced HTTPS Access﻿
Forced HTTPS access can redirect client HTTP requests to HTTPS via 301/302 and ultimately access EdgeOne via HTTPS, so as to ensure that all clients initiate requests to the EdgeOne node via HTTPS and ensure the security of communication.
﻿HSTS﻿
HTTP Strict Transport Security (HSTS) is a web security protocol promoted by the Internet Engineering Task Force (IETF). The protocol is used to instruct web browsers to access a site over the more secure HTTPS protocol. You can configure HSTS to improve the security and credibility of your website if you have any of the following needs: to prevent malicious attackers from stealing sensitive user information through man-in-the-middle attacks, to comply with data privacy protection regulations, or to enhance users' trust in your website.
﻿SSL/TLS Security Configuration﻿
When HTTPS access is enabled for your website, EdgeOne supports multiple SSL/TLS versions to ensure compatibility with different user terminals by default. Normally, you do not need to modify this configuration. However, if your website requires a high level of security and you need to prevent users from accessing your website through less secure SSL/TLS versions, you can customize this configuration by specifying the required SSL/TLS versions.
﻿OCSP stapling﻿
Online Certificate Status Protocol (OCSP) is provided by certificate authorities (CAs) to check the authenticity and validity of digital certificates. Whenever a user accesses a website over HTTPS, the browser initiates an OCSP query to verify whether the certificate of the website is still valid.
﻿
When OCSP stapling is enabled, EdgeOne performs OCSP queries and caches the results on servers. When a client initiates a TLS handshake with EdgeOne, EdgeOne responds with the OCSP information and certificate required for verification so that the client does not need to send a query request to the CA. This significantly improves the efficiency of the TLS handshake, reduces the time for verification, and improves the HTTPS request speed.
﻿
﻿

HTTPS Overview
HTTPS Certificate Capabilities Supported by EdgeOne

Feature	Description
Edge HTTPS Certificates	Edge HTTPS certificates enable users to securely communicate with EdgeOne edge nodes via HTTPS when accessing the current domain name. Currently, EdgeOne supports configuring Edge HTTPS certificates in the following ways. Tencent Cloud SSL Certificates: If you already have a domain name certificate, you can deploy the certificate uploaded to the Tencent Cloud SSL console to an EdgeOne edge node. You can deploy at most one RSA, ECC, or SM2 certificate to the EdgeOne node simultaneously. Applying for Free Certificates: If you have not yet purchased SSL certificates, you can use EdgeOne to automatically complete the application, deployment, and renewal of free certificates, so as to reduce the operational workload. The currently applied free certificates are RSA certificates from TrustAsia or Let’s Encrypt. Keyless Certificate: Keyless certificate allows users to upload only the certificate public key to Tencent Cloud SSL Certificate, and maintain the certificate private key through deploying a private server, suitable for customers with stricter security requirements for certificate management.
Edge Mutual Authentication	Edge mutual authentication means that during the communication process, both the client and the server need to prove their identities to each other. This is typically used in scenarios with high security requirements, such as corporate internal networks or financial transactions. EdgeOne supports enabling mutual authentication within edge nodes and requires the client to carry a trusted client certificate for verification during access, so as to further enhance the security of communication.
Origin Certificate Validation	When using HTTPS handshake for origin-pull, you can customize the verification method for the origin server certificate, further enhancing the security of origin-pull HTTPS handshake and preventing traffic hijacking.
Forced HTTPS Access	Forced HTTPS access can redirect client HTTP requests to HTTPS via 301/302 and ultimately access EdgeOne via HTTPS, so as to ensure that all clients initiate requests to the EdgeOne node via HTTPS and ensure the security of communication.
HSTS	HTTP Strict Transport Security (HSTS) is a web security protocol promoted by the Internet Engineering Task Force (IETF). The protocol is used to instruct web browsers to access a site over the more secure HTTPS protocol. You can configure HSTS to improve the security and credibility of your website if you have any of the following needs: to prevent malicious attackers from stealing sensitive user information through man-in-the-middle attacks, to comply with data privacy protection regulations, or to enhance users' trust in your website.
SSL/TLS Security Configuration	When HTTPS access is enabled for your website, EdgeOne supports multiple SSL/TLS versions to ensure compatibility with different user terminals by default. Normally, you do not need to modify this configuration. However, if your website requires a high level of security and you need to prevent users from accessing your website through less secure SSL/TLS versions, you can customize this configuration by specifying the required SSL/TLS versions.
OCSP stapling	Online Certificate Status Protocol (OCSP) is provided by certificate authorities (CAs) to check the authenticity and validity of digital certificates. Whenever a user accesses a website over HTTPS, the browser initiates an OCSP query to verify whether the certificate of the website is still valid. When OCSP stapling is enabled, EdgeOne performs OCSP queries and caches the results on servers. When a client initiates a TLS handshake with EdgeOne, EdgeOne responds with the OCSP information and certificate required for verification so that the client does not need to send a query request to the CA. This significantly improves the efficiency of the TLS handshake, reduces the time for verification, and improves the HTTPS request speed.